Able to remove profile without the need for a password

Use Apple's Device Enrollment Program, supervise the devices, and lock the MDM profile. The MDM profile can't be removed and even if the device is wiped, it will force the device to enroll into the MDM. https://www.apple.com/education/it/dep/

On iOS devices, you can mark a profile as being locked to the device, so when installed it can removed only by wiping the device of all data (or by entering a passcode). Go into your device list, settings for new device, general, security, with authorization, and set password.

Unfortunately you are not doing anything wrong, even with the high end MDM providers such as Airwatch there is not a way to password protect the primary trust certificate to prevent its removal. Once the upper level certificate is removed the rest go with it.

This is an Apple issue, driven by the philosophy that the end user should have ultimate privacy and control. In your case you will have to go in and manually enable restrictions if you want to ensure that controllable settings can't be changed if the profiles are removed. You may also be able to make it so the iPad can't connect to the network if its profiles have been deleted, this might deter students from deleting them.

The one advantage of a higher end MDM is that the system will tell you if a profile has been removed from a device. You may want to use the free Meraki MDM at https://account.meraki.com/secure/login/dashboard_login to use instead of or in addition to Lion.

We have an IT department of 1 (yours truly). Over 600 mobile devices (ipads and laptops) to manage. I feel your pain. I looked at Airwatch and the rep said the end user could delete the profile and the Airwatch MDM agent app unless I went on each iPad and manually enabled restrictions with deleting apps disabled. I may end up doing this just to save time in the long run.

Airwatch has an MDM agent app ( see it in itunes) that works with their console. Some MDM solutions don't use an agent app, just a profile. You should definitely verify and see a demo or trial - this is just based on a question I asked when viewing an Airwatch webinar. I always go in and manually enable restrictions in environments like the middle school to prevent adding and deleting apps. I am probably going to go ahead with Airwatch as soon as budget conditions allow. They have a free trial.

http://www.air-watch.com/solutions/apple-ios

I've ran into these same issues myself. I'm currently using Meraki to manage our 450+ iPads now, but may be transitioning to Microsoft System Center 2012 once we finish planning and roll out that monster. MDM is supposed to be a decent part of the package.

Just chiming in though because you're not alone in this struggle. What I also found extermely annoying is that I can disable App installs through the MDM which would save teachers time since their students wouldn't install crap (read: games) on the devices, but at the same time I found that it would not even let me sync "install" the Apps which made it a no-go for us.

I wanted to chime in with everyone, we have at this time about 1,600 iPads deployed for 7th-12th. We currently have the Casper Suite from Jamf Software, and we have the same issue. The students can simply remove the MDM profile and this removes all the restrictions we have in place. To make things worse, if a student sync's their iPad with their PC it removed the profiles as well.

I also found that as teachers were trying to save themselves time they did backup/restores which removed MDM profiles. Which caused more work for them in the end because I then asked them to re-register with the MDM. Whether they did that or not I don't know. I don't have the time or energy to verify that they've done that.

I also found the naming of devices very problematic. I had named all devices based on barcode (since the barcode is covered once you put a case on) and they have sinced named them "UserName iPad 1", "UserName iPad 2", etc. That means nothing to me people! My brain works in barcodes.

I cautioned against going with Casper in the beginning because I wanted to test a free product first to see if it would meet my needs. While it's disappointing that the paid services can also be easily removed, it's nice that you chimed in and I can show this post to the powers-that-be when they ask to ramp this program up or look at buying Casper.

If you read this reply, would you be able to let me know if Casper does push-install of Apps or if it does push-suggestions? What I mean is does it install without user interaction or does the user still have to agree to install and then type in Apple ID password?

Hi, I thought I'd put my two cents in as well. We have about 40 iPads set up for student use and we use profile manager on an OSX Server, I have come up against all the restrictions that you're discussing and the only solution we have found is that there is no solution...Yet. It's up to apple to change the spec of the xml profiles so that they include additional features.

Because it's an apple limitation all MDM solutions are basically exactly the same, however there do seem to be a few small differences like Meraki's ability to alert you of profile deletion, and also the ability of a lot of 3rd party MDM's to support other platforms like Windows and Android.

In our IT department we're currently upgrading SCCM to 2012 sp1 so that we can use the mdm features and although I don't know much about it yet we're looking at Windows Intune to give us the cloud based interface and tie it all in together with our existing network.