The Cyber Essentials Certification requires that you control data access for your users. Privileges must only be given to those who need them, and even what an administrator can do with those accounts has to be controlled.
In doing this, it reduces the risk of user error and limits access to the system if a device is stolen. Staff should be given what they need to carry out their job and nothing more. If someone needs extra permissions it must only be given to them.
It may seem like you are getting a good deal, but buying software from an unauthorised source could cause problems. The best way to ensure devices stay malware-free is to only buy from official sources. You can put rules in place that mean if staff need to download applications to their devices, it can only be from an approved store such as Google Play.
If someone has access to administrative privileges, you must ensure that the accounts are only being used for administrative tasks. Normal accounts should be used for general day-to-day work. Blocking staff from surfing the web and checking emails from and administrative account will reduce the risk of it being compromised.