Need a better solution for blocking a -device- from using trunks


I have a problem I’m trying to come up with a solution for. I already have one solution, but in my mind it’s sub-par and I’d love to find a better way of doing it.

First, the problem:
I have a FreePBX box at home, and a remote extension for it at work (my work phone). I want to block people from being able to call out on my paid SIP trunks while I’m not at work. My first solution was simply erasing the configuration at the end of each day and reconfiguring the next day. Hardly a solution.
I then learned about restricting outgoing calls using the Outbound Route Permissions module. I figured instead of unconfiguring the phone each night I could just disallow calls every night (I did it manually as I never arrive/leave the office at the same time).
Still not a great solution. Then I switched from extensions to deviceanduser mode and at that point, I was able to come up with a viable (although still limited) solution. At this point, for my phone at work, I give it a deviceID (say, 500) and make it an adhoc device with no default user. I tried calling from the phone and found out that if there is no user logged in, that freepbx defaults to using the deviceID as the user and the phone is able to use the external trunks. Not a good thing. So I made a user that had the same extension # as the deviceID and disallowed that user from using outbound routes. When I dialed a call, it wasn’t allowed through! Perfect! Now, to allow myself to make calls from work I just had to log in with a user that could use the outbound routes. As expected that worked just fine. But that still meant that for each user who was to be able to log in/out of their phones, I needed a total of TWO users. So I was creating twice the amount of users as I really needed!

So, this is where I stand now. I can secure my phone(s) from being used when they’re not logged in to, but it’s inefficient.

My thoughts on the problem:

I can’t use custom contexts (and don’t want to use the custom contexts module) as I can’t set contexts for devices AND users, only for devices. Unless I could possibly put the device in a custom-secure-device context which checks to see if AMPUSER is set? but I have to make sure that if it isn’t, that it won’t automatically get set later on in the dialplan.

Does anyone have any ideas on this? I think what I want is for non-logged in devices to be transfered to a DIFFERENT context automatically, but I don’t know where I should start looking for that (I don’t want to step on freepbx’s toes)