We discussed that scenario and opted against it because students would be constantly downloading games etc only to have it uninstall after download. With over 6k iPads that's a lot of unnecessary traffic.  This deployment was a refresh of 11,000 iPad 2 so losing the app store was a big shocker to the kids.  And they're not happy.  ha!

@Diane I am going to do some more investigating later on, I believe with that we could use some of the newer configurations released to only allow only apps that’s are in the catalog to be installed from the App Store, basically preventing people from installing anything else besides updates and cataloged apps, but still have the App Store open.

It would be nice if there was a restriction to only allow updates from the App Store. I believe you can do this on the Mac App Store with a Configuration profile.

@Diane I did some more investigating with my test devices and realized that what I am proposing is not possible. The only thing I could think of is to set up the whitelist and also create a policy that looks for unauthorized apps that would trigger a config to install. Here is what it would do:

Student device would have a whitelist of apps, have the app store available to update apps and download any whitelisted apps (the ones in your Meraki App/Catalog). Let's say a student installs a "blacklisted" app, it will look like it is about to install and then it will just pop away (as expected with the whitelist profile). The next time the device inventory updates in Meraki they will be considered non-compliant with the whitelist policy. I would have a configuration profile that removes the camera, safari, any anything else you want to remove to force them to have to see you. You would have to exclude them from the configuration and remove the app. 

Until Meraki updates and allows you to push mass updates there are only two options. It would be nice if it was something we could set to occur at a specific time (midnight for example). 

Jared