Able to remove profile without the need for a password

Why don't you require a password for the removal of all three?

On iOS devices, you can mark a profile as being locked to the device, so when installed it can removed only by wiping the device of all data (or by entering a passcode). Go into your device list, settings for new device, general, security, with authorization, and set password.

Unfortunately you are not doing anything wrong, even with the high end MDM providers such as Airwatch there is not a way to password protect the primary trust certificate to prevent its removal. Once the upper level certificate is removed the rest go with it.

This is an Apple issue, driven by the philosophy that the end user should have ultimate privacy and control. In your case you will have to go in and manually enable restrictions if you want to ensure that controllable settings can't be changed if the profiles are removed. You may also be able to make it so the iPad can't connect to the network if its profiles have been deleted, this might deter students from deleting them.

The one advantage of a higher end MDM is that the system will tell you if a profile has been removed from a device. You may want to use the free Meraki MDM at https://account.meraki.com/secure/login/dashboard_login to use instead of or in addition to Lion.

We have an IT department of 1 (yours truly). Over 600 mobile devices (ipads and laptops) to manage. I feel your pain. I looked at Airwatch and the rep said the end user could delete the profile and the Airwatch MDM agent app unless I went on each iPad and manually enabled restrictions with deleting apps disabled. I may end up doing this just to save time in the long run.

Airwatch has an MDM agent app ( see it in itunes) that works with their console. Some MDM solutions don't use an agent app, just a profile. You should definitely verify and see a demo or trial - this is just based on a question I asked when viewing an Airwatch webinar. I always go in and manually enable restrictions in environments like the middle school to prevent adding and deleting apps. I am probably going to go ahead with Airwatch as soon as budget conditions allow. They have a free trial.

http://www.air-watch.com/solutions/apple-ios

Thank you for the update. I agree with you, Apple needs to make changes, or we will always be facing time consuming issues in educational deployments, especially in middle school type environments.

I've ran into these same issues myself. I'm currently using Meraki to manage our 450+ iPads now, but may be transitioning to Microsoft System Center 2012 once we finish planning and roll out that monster. MDM is supposed to be a decent part of the package.

Just chiming in though because you're not alone in this struggle. What I also found extermely annoying is that I can disable App installs through the MDM which would save teachers time since their students wouldn't install crap (read: games) on the devices, but at the same time I found that it would not even let me sync "install" the Apps which made it a no-go for us.

I wanted to chime in with everyone, we have at this time about 1,600 iPads deployed for 7th-12th. We currently have the Casper Suite from Jamf Software, and we have the same issue. The students can simply remove the MDM profile and this removes all the restrictions we have in place. To make things worse, if a student sync's their iPad with their PC it removed the profiles as well.