I place these devices into a separate network and MAC-lock the port to the device. I then control access to these networks with firewall rules, and make them as specific as I can. I.e., I have a printers network; the printers are connected to the switch port assigned to that VLAN only. I use DHCP reservations to assign IPs to the printers. I then set up rules for inbound and outbound traffic to and from that network. I.e., a rule that allows only our print servers port 9100 bidirectional, allows ports 80 and 443 bidirectional to our IT workstations network, and allows 587 to our O365 Exchange, and use email auth using a printers service account. Log all the traffic so you can easily identify if someone is trying to do something they shouldn't or traffic is getting somewhere it shouldn't. Hope this helps.
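The logging step in the post above, sketched as an added example that is not part of the original post: it checks flow log lines against the three allow rules described and returns anything touching the printer VLAN that no rule covers. The subnets, zone names and the `src dst proto dport` log format are assumptions made for illustration.

```python
import ipaddress

# All addresses are constructed placeholders, not values from the post.
NETS = {
    "printers": ipaddress.ip_network("10.20.30.0/24"),
    "print_servers": ipaddress.ip_network("10.20.10.0/28"),
    "it_workstations": ipaddress.ip_network("10.20.40.0/24"),
    "o365_smtp": ipaddress.ip_network("203.0.113.0/24"),  # stand-in for the mail endpoint
}

# (zone_a, zone_b, allowed TCP destination ports, bidirectional?)
ALLOW = [
    ("print_servers", "printers", {9100}, True),
    ("it_workstations", "printers", {80, 443}, True),
    ("printers", "o365_smtp", {587}, False),
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NETS.items() if addr in net), "other")

def is_allowed(src, dst, proto, dport):
    s, d = zone_of(src), zone_of(dst)
    return proto == "tcp" and any(
        dport in ports and ((s, d) == (a, b) or (bidir and (s, d) == (b, a)))
        for a, b, ports, bidir in ALLOW)

def violations(log_lines):
    # Keep only flows that touch the printer VLAN and match no allow rule.
    bad = []
    for line in log_lines:
        src, dst, proto, dport = line.split()
        touches = "printers" in (zone_of(src), zone_of(dst))
        if touches and not is_allowed(src, dst, proto, int(dport)):
            bad.append(line)
    return bad

SAMPLE_LOG = [  # constructed flow records: "src dst proto dport"
    "10.20.10.5 10.20.30.21 tcp 9100",    # print server -> printer
    "10.20.40.17 10.20.30.21 tcp 443",    # IT workstation -> printer web UI
    "10.20.30.21 203.0.113.25 tcp 587",   # printer -> mail submission
    "10.20.30.21 198.51.100.9 tcp 443",   # printer -> unknown internet host
    "10.20.50.88 10.20.30.21 tcp 9100",   # other VLAN -> printer
    "10.20.30.21 10.20.40.17 udp 161",    # non-TCP traffic from printer
]

if __name__ == "__main__":
    for line in violations(SAMPLE_LOG):
        print("NOT COVERED BY ALLOW RULE:", line)
```

Run over logs that include permitted traffic, any hit means either a firewall rule is broader than intended or a device is attempting something outside its role.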