In our school I cast a net with a Smart Mobile Device Group and get an email notification when I catch a fish - AKA anyone that downloads a known VPN app. We also have a config profile installed on all devices that doesn't allow the installation of config profiles, which makes installing any VPN apps worthless as it can't actually set up the VPN. (We also restrict Pairing and Erase All Content and Settings, which might be something for you to consider).
By just attempting to bypass our filter the student is caught, so as soon as I see the email I throw the device into Lost Mode and use the message "Your iPad has been disabled as you have violated the school's Acceptable Use Policy. Bring your device to the Tech Department immediately."
Previously we would just call the student up, but they knew they were caught so they'd delete the app on the way in and then play dumb. Locking it down means it arrives to me intact and I can make sure nothing is off in settings; I then delete the offending app (and all other non-school issued apps) and restrict the App Store before sending the little hoser on their way. Works very well for us, though I'm nobody's favorite person by any means :)
