I haven't seen this or tried it either, but have you tried using the new Apple Configurator v1.4 which was released yesterday? Wonder if that has some new restrictions that could help prevent this from happening.
Yeah, I'm using 1.4. Plenty of new restrictions, but none applicable to this situation. I'd hoped to not have to make this jump yet, but as I was supervising a new device, configurator had it locked in to performing an OS Update. The option to "never update" was totally greyed out. :/ The kicker is that the requirement for the AppleID is more annoyance than anything else. It's still possible to put the ipad into DFU/Recovery mode, connect to iTunes and totally bypass supervision and erase the iPad. It just takes way, way longer and brings the whole 'mass rollout' thing to a screeching halt.
Yes, you can. But signing in with your Apple ID bypasses it for this purpose. Even though the option is 'greyed out', you can actually see the "Find My" device toggle tick over to green (active). It's just locked in the 'on' state then.
I guess the worst part about it all is that this is just friction to actual theft. Anyone can bypass it with 10-15 minutes of very simple work. The work just makes the management of large numbers of devices time consuming. Unsupervise and resupervise one ipad? 20 minutes. Do the same for 20 ipads? That's the bulk of an 8 hour work day. AND I've not been able to use Configurator to unsupervise/resupervise more than one iPad at a time successfully. It's great for automating image restores, but not so much on other things.
You could disallow changes to accounts in settings, which would stop them from creating any email accounts at all, including iCloud. If they cannot create an iCloud account, they cannot set up find my iPhone and thus cannot initiate the Activation Lock feature.
They would be restricted to using Safari and web email accounts only.
Alternatively, set up your own Library iCloud account on each one first, enable find my phone, thus initiating Activation Lock but now tied to your specific AppleID and Password. Then enable restrictions, and lock down account changes.
Now they cannot change the iCloud account (or any account), they cannot restore the device to override that either.
Yes - This is exactly the way that I used to set up the iPads. The problem was that people primarily used these to send emails, visit websites, and access their iCloud documents. Doing anything that made it more difficult to get documents onto or off of the iPads made them really not particularly useful in an educational environment. Thanks for the thought though. If all else fails, I can return them to this sort of configuration. I'm hoping that I won't have to, though.