I have not done much with the school version of ABM; I preface that first.
So try this based on my corporate trial and pain.
Since you are not using user affinity, technically the 'system' controls the device. You cannot publish as REQUIRED to a user since the user is not registering the device and there is no company portal to do available applications.
1. Create a dynamic Azure group based on your device enrollment profile
This will capture any device you enroll AND if a device is wiped, simply putting it on WiFi will automatically rebuild it.
2. Use this dynamic group to apply your Compliance and Configuration policies
3. Use this dynamic group to assign your applications as required and validate that they are device licenses since you never really have a user enrollment.
Lastly, (optional) create an Enrollment Profile called STOLEN that does use user affinity and the setup assistant. This effectively does 2 things: it prevents the stolen device from ever getting to a HOME screen AND it creates a device ID as 'unknown user' you can geolocate.
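
Step 1 scripted with the Microsoft Graph PowerShell module, as an added example that is not part of the original post. The profile name, group name and mail nickname are placeholders (assumptions); the rule keys on the `device.enrollmentProfileName` property.

```powershell
# Added example: create (or verify) a dynamic device group keyed on the
# enrollment profile name. All names below are placeholders, not from the post.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$profileName = 'ABM-NoAffinity'           # placeholder: your enrollment profile's name
$groupName   = 'ABM-NoAffinity-Devices'   # placeholder group display name
$rule        = "(device.enrollmentProfileName -eq `"$profileName`")"

# Look for an existing group so the script can be re-run safely.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" `
    -Property 'id,displayName,membershipRule,membershipRuleProcessingState'

if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -MailEnabled:$false `
        -MailNickname 'abm-noaffinity-devices' `
        -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
    Write-Host "Created $groupName with rule: $rule"
}
elseif ($group.MembershipRule -ne $rule) {
    # A drifted rule silently changes which devices receive policies and apps.
    Write-Warning "Rule drift on $groupName. Found: $($group.MembershipRule)"
}
elseif ($group.MembershipRuleProcessingState -ne 'On') {
    # A paused rule means newly enrolled or re-enrolled devices never join.
    Write-Warning "Rule processing is paused on $groupName"
}

# Dynamic membership is evaluated asynchronously; an empty list right after
# creation is expected. Re-run later to confirm enrolled devices landed here.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```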