Prevent end-users from purchasing apps on iOS
The way to do this is to generate a number of AppleIDs with no credit card associated, to which the end-users do not have access, and use an MDM (and possibly Configurator) to push the profiles to the devices. As long as the end-user doesn't know the password to the AppleID they won't be able to access the App Store at all and apps authorized to that ID won't run elsewhere.
THEN you need to prevent the user from modifying/deleting that profile, that's actually the tricky part. Apple's iOS MDM framework supports password locks etc. on profiles, but not all MDMs make it obvious (or possible). You can do this with supervised Configurator but then you have to be hands-on with every device.
Here's a somewhat outdated list of MDM providers. This might be a good place to start.
Here's a link on generating AppleIDs in bulk:
http://www.enterpriseios.com/wiki/Batch_Apple_ID_Creator
If you're running a BYOD configuration (as opposed to you providing the devices) I think it's quite a bit more difficult, but not impossible (some MDMs support policy agents on the device).
Here's a link to parameters available in a profile (Apple Developer registration required). This should give an idea of what's possible: https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
I don't have an Apple Developer Enterprise account so I don't have access to the full MDM API documentation.
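An added example, not part of the original answer: a Python sketch that builds an unsigned configuration profile with a removal lock and audits a serialized profile for that lock before it is deployed. The payload types and keys (`com.apple.applicationaccess`, `allowAppInstallation`, `allowInAppPurchases`, `com.apple.profileRemovalPassword`, `RemovalPassword`, `PayloadRemovalDisallowed`) are taken from Apple's Configuration Profile Reference; the `com.example.lockdown` identifiers, display name and function names are assumptions made for illustration.

```python
import plistlib
import uuid

def build_profile(removal_password=None, supervised_lock=False):
    """Build a profile dict that blocks app installs and in-app purchases."""
    def ident(suffix):
        # Identifier prefix is a placeholder chosen for this example.
        return {"PayloadIdentifier": f"com.example.lockdown.{suffix}",
                "PayloadUUID": str(uuid.uuid4()).upper(),
                "PayloadVersion": 1}
    payloads = [{**ident("restrictions"),
                 "PayloadType": "com.apple.applicationaccess",
                 "allowAppInstallation": False,
                 "allowInAppPurchases": False}]
    if removal_password:
        # Removal-password payload: the user must enter it to delete the profile.
        payloads.append({**ident("removal"),
                         "PayloadType": "com.apple.profileRemovalPassword",
                         "RemovalPassword": removal_password})
    return {**ident("profile"),
            "PayloadType": "Configuration",
            "PayloadDisplayName": "App Store lockdown (example)",
            # Only honoured on supervised devices.
            "PayloadRemovalDisallowed": supervised_lock,
            "PayloadContent": payloads}

def audit_profile(data: bytes):
    """Return findings for an unsigned serialized profile; empty list means OK."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    findings = []
    has_password = any(
        p.get("PayloadType") == "com.apple.profileRemovalPassword"
        and p.get("RemovalPassword") for p in payloads)
    if not (has_password or profile.get("PayloadRemovalDisallowed") is True):
        findings.append("profile can be removed by the user")
    restrictions = [p for p in payloads
                    if p.get("PayloadType") == "com.apple.applicationaccess"]
    for key in ("allowAppInstallation", "allowInAppPurchases"):
        if not any(p.get(key) is False for p in restrictions):
            findings.append(f"{key} is not set to false")
    return findings

if __name__ == "__main__":
    blob = plistlib.dumps(build_profile())  # no lock configured
    print(audit_profile(blob))
```

A signed profile is a CMS envelope and has to be unwrapped before `audit_profile` can parse it.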