Of course there’s another mechanism as well, which would be to use 802.1x authentication on your wifi network and have entire VLANs dedicated to either a holding tank/no internet policy with no enablers, vs approved use with enablers.
If you’re a unifi shop, this may be helpful: https://help.ui.com/hc/en-us/articles/360015169854-UniFi-Configuring-Access-Policies-for-Wireless-Clients