I have a situation that I would think many sys admins have encountered before and so I seek the expertise of you, the kali community, and any suggestions you may have.

I have laptops that my employees will be issued in order to do their jobs. Kali was the obvious choice because of its security and that it is Debian (one of, if not THE most documented OS's on earth). I have been using Kali for YEARS since the backtrack days, but never had the issue I do now of having to restrict the OS (because i was the only guy using it).

I need the following things:

Users cannot change wallpaper
Users dont get sudo (obvious)
Users cannot change or create the config of certain things (like the window manager) but still need to write to the config directory (for like firefox and various other programs)
Whole disk encryption is not going to be implemented (all users having the same password to each laptop defeats the point) but the home directories of each user must be encrypted (like ubuntu)
Users cannot change the window manager or customize the system (make it look pretty) in any way.
Users cannot suspend or hibernate the system, its either on or off

What i've thought of so far:
Use openbox as wm and set feh in the autostart script of the openbox config that is NOT in the home directory (/etc/something)
Remove all other window managers besides openbox

Problem I have is:
how do I get openbox to ignore a user config if they make one.
how to lock down the config of certain programs but not others
how to implement ubuntu's transparent home directory encryption without the user having to do anything but login
remove the ability to suspend and hibernate

Thank you for your time