I spend the whole day installing and configuring a Mac Mountain Lion with the server app to provide some MDM capability to allow pushing of configuration profiles over-the-air to some iPhones to disable some functions like using camera and safari. Everything was set up and running till I encountered a very troubling problem.
Even though I have set a password for the restriction profile, there is no password set for the MDM profile. Effectively, anyone using the phone will be able to remove the MDM profile which would also removes every restrictions as well, rendering the whole process useless. I found out from some old posts that it is not possible to set a password on the MDM profile. Is this even real? What is the point of restrictions if anyone could remove it when they want.
That's specifically designed like it. Apple has this idea thata user should always decide what he/she wants. So, the user may enroll into MDM and unenroll from MDM any time.
However, in the case, if you remove MDM profile you loose both restrictions and access to your enterprise data (your exchange profile will be removed, if it was installed through MDM. The same is true for VPN access, WiFi access and so on).
It's described pretty well in MDM documentation.
Generally speaking, they weren't good in supporting devices which belongs to enterprise and which suppose to be restricted all the time. Now, they are gradually move into this direction.
BTW. Some new changes are coming in iOS 7 for supervised devices. I believe you may get what you are looking for. If you have an access to WWDC 2013 videos, take a look at managing mobile devices session.
Update 1
I haven't tried it, but as I understand, you can installed locked MDM profile on a supervised device, so this MDM profile can't be removed.