@JRM, I believe the OP was talking about iOS, not OS X.
@jplace, unfortunately there is no easy answer to this or easy way to break it. iOS devices are nowhere as easily controlled as Macs. Apple has not provided the same level of tools for locking down these devices. They still see them as personally managed, not IT controlled. Although they continue to trickle in new management functions with each release of iOS, its still a far cry from what you can do with a Mac & the Casper Suite.
JRM's last bit of advice is the best though. Provide something in your MDM environment, such as access to a hidden/secured WiFi network, email or VPN settings, etc to make it "undesirable" to unmanage their device since they will lose access to all of the above. Also consider implementing a type of "3 strikes and you're out" policy. If a user un-enrolls the device, IT will fix it so they can regain access, but only a certain amount of times before they lose privilege to use the device.
What you're going to find is that managing iOS devices is more about written policies that end users (or their parents if you're in a school) must sign and agree to than it is a about configuration profiles. The technology will only get you so far.
