Put an iPad in a teenager's hands and the adolescent will quickly try to figure out the limits of what can and can't be done with it; send a school-provided iPad home from school with that teenager and there's a good chance it will come back with its security restrictions blown wide open. This is what has happened with students at Theodore Roosevelt High School in Los Angeles, which, according to the LA Times, has suspended its school-wide rollout of iPads after nearly 300 students "hacked" their school-provided devices to remove app and browser limitations.

Based on the information provided in the LA Times article, it appears that the Los Angeles Unified School District relied on simple ActiveSync profile restrictions in order to apply security policies to the students' iPads:

Roosevelt students matter-of-factly explained their technique Tuesday outside school. The trick, they said, was to delete their personal profile information. With the profile deleted, a student was free to surf.

ActiveSync profiles are one of several ways to manage security policies on iOS devices—with them, system administrators can provide not just a connection to an organization's Microsoft Exchange infrastructure, but also enforce passcode and remote wipe standards, limit Web browsing, and enforce remote installation of apps, as well as many other parameters. An ActiveSync profile is easily installed—and it's also easily removed.

One student interviewed by the Times gave a succinct answer when asked why the "hacking" was happening: "[T]hey took them home and they can't do anything with them," said Alfredo Garcia, a senior.

An employee who tampers with or removes a business-mandated ActiveSync profile from their iDevice at the very least limits his access to e-mail and calendering, and at worst faces disciplinary action. Students gifted with locked-down iPads, on the other hand, almost certainly don't care about their school e-mail accounts and they don't have to worry about being fired.

Actually employee-proofing (or student-proofing) a tablet requires a lot more than a simple profile—this is a case where a dedicated mobile device management solution is required. Full MDM solutions typically provide a lot more manageability and security options than are available with ActiveSync profiles, and they are also by design a great deal more difficult to remove or work around. The LA Unified School District's plan was to roll out iPads to every one of the 640,000 students in the district, which is the nation's second-largest; an MDM solution at that scale could cost many millions of additional (unbudgeted) capital and operational dollars.

That level of associated expense, along with either ignorance or crazy optimism about ActiveSync profile capabilities, are almost certainly the reason why mobile device management wasn't included with the iPad program. The district's rollout is currently on hold in the wake of the "hack" as officials evaluate what to do next.