Forum Discussion

onax_pf
Copper Contributor
Apr 21, 2022

Handling of auto-updates on iOS and Android devices

We have customers with iOS and Android devices. Now, some apps need to be updated but I cannot find any option to do that in Endpoint Manager. Apps are deployed over app stores.

 

iOS:

- We blocked the app store

- There is no VPP

 

Android (fully-managed devices):

- Set option "automatic app-updates (work-profile)" to: WiFi only

 

I found this article but am not sure if it still applies after the restrictions made:

https://docs.microsoft.com/en-us/mem/intune/apps/apps-add#app-types-in-microsoft-intune

 

Questions:

1. How can we handle automatic updates? e.g. block apps, allow updates NOW

2. Are app-updates made automatically? 

 

Any help would be appreciated. We can even schedule a remote session.

  • Hi NielsScheffers, I'm jumping in 😉

     

    onax_pf Let me see if I understand your question:

    1. you want to install and update apps automatically on supervised iOS devices
    2. you want to block (certain) apps from installing or from being used.

    Hopefully this will clear things up a bit. I'm only talking about iOS, since I believe your Android devices do update.


    VPP/ABM=Apple Business Manager

    VPP does not mean you'll have to buy licenses (spend money) for every app you sync through VPP. You can acquire both free and paid apps that are available in the App Store.
    When dealing with free apps, it looks like you are buying licenses in VPP, but the costs will be $0.00. I know this can be confusing. Finally, when you assign the apps to users/devices with a device license, the apps (assigned with license type "device licensing") will automatically update.

     

    However, when you select "user licensing" for "license type", the app store should not be blocked. Otherwise, apps will not update. Users need access to the app store to update.

     

    For more info on VPP check out:
    https://docs.microsoft.com/en-us/mem/intune/apps/vpp-apps-ios 
    Have a look at the table "How are purchased apps licensed?" as it also provides info on updates.


    App store
    Apps that are installed from the store should update automatically (provided the store is available). You can only assign free apps using this method.
    Like NielsScheffers mentioned, you should hide the store app, not block it. When you block the store app, your users have no option to update apps. In this case, you should use VPP.


    https://docs.microsoft.com/en-us/mem/intune/apps/apps-add 
    https://docs.microsoft.com/en-us/mem/intune/apps/store-apps-ios 
    https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy 

     

    Restricting apps
    As far as I know, there is no easy way to block apps from being installed to iOS devices when users have access to the app store.
    Create a Device configuration profile and configure restricted apps to stay informed about app install status. It's a reporting feature and does not block app installs! You could use "Restricted apps" from within a compliance policy to mark devices non-compliant when a certain app is installed, and block access to M365 using a conditional access policy.

     

    What you could do:

    1. Use VPP/ABM and block access to the app store. Assign the apps with a device license to enable automatic updates for apps.
    2. Use VPP/ABM: Set up federation between AAD and ABM and have users sign in with their business accounts to the app store (this way you don't have to block the app store)
    3. Continue to deploy apps using the app store, and hide the app store instead of blocking it.

    If you ask me, option 1 is the best way to go, but that's just my opinion.

     

    Hope this helps.

    • onax_pf
      Copper Contributor

      NielsScheffers Thank you for your input. In the iOS article it says "iOS store apps are automatically updated" which is not the case because I could see that there are newer versions of apps in the app store than on the iPad.

      I am not sure if it is not working because we disabled the app store:

      I have just confirmed that Android updates are working as soon as wi-fi is available.

      • NielsScheffers
        Iron Contributor
        Are you pushing apps as "required" or "available"? It's been a while but if I remember correctly, only "required" apps are auto-updated. The other apps need to be updated through Company Portal.
