Start by enabling a restriction profile to disallow "trusting new enterprise app authors" and "installing configuration profiles". Most of the VPN apps install a VPN config profile. I'm not sure if this will remove existing VPN functionality but it should prevent new VPN apps from working.

As for existing VPN apps, you could create a smart group based on devices having the VPN apps installed that you've identified. Then apply a config profile to that smart group that hides all apps and disables Safari. Basically you'll lock the iPad down until the VPN app(s) get removed.

Thanks @cbrewer . I'm assuming I will be able to install additional configuration profiles in the future.

I also use the hide apps function, but never thought about using the block safari. The problem I now have with this is student's are deleting the banned app before they see me (if they see me)

Apps > Storage & iCloud Usage > Manage Storage

and then they then wipe the iPad, and back it up from a previous backup.

These kids - they keep you on your toes.

One last question @cbrewer, will this block manually created VPN profiles, as that is what I am seeing.

In the configuration file, you can uncheck "removing apps" so they will have to come to you to be able to get Safari/apps back.

disabling them from installing configuration profiles is not blocking the VPN at this time. The VPN is now settin gitseelf up under VPN instead of configuration prfiles as it formally was. We really need a way to block this!

Agreed! We too need a way to disable the VPN in Settings. I can search for VPN apps but they are mostly using the Settings to manually configure.

Chrome users can also install VPN and Proxy plugins that are hard to track.

i agree. was just able to test this on my test ipad by configuring a VPN manually and it works to bypass filter. has there been any progress i'm missing since the last post?

Are these iPads used by the students at home, or just on school grounds? If they are just used at school, you might be able to just block the standard ports used by VPN. But if they are taking them home and using VPN to stop you from finding out what they are doing, that trick won't work.

They will be taken home next year.. i think i found that with our off site proxy enabled and the VPN enabled you cannot load any pages.. so i think we are good on the ipad front now (we use lightspeed fyi) but we will see for sure once kids start taking these things home next year.

so I am curious as how to set up a configuration profile to detect the use of a VPN and lock the iPad into a single app mode. We have a couple students working on installing apps that are prohibited in our school. if anyone would have instructions on how to set this up, I would appropriate it.