By design from Apple, only supervised DEP devices can have profiles locked by any third-party MDM/EMM solution so that device end-users cannot remove the profiles at will.

 

The MobiControl agent on such supervised DEP devices can then be protected from uninstallation with the "Disable App Removal" option of a "Restrictions" profile. Alternatively, the agent can be forced to re-install automatically by setting it as a mandatory application in an app-catalog rule. After all, any MDM/EMM policy already deployed on an iOS device is not affected if the device agent is not installed.

 

All the above behaviors have been defined by Apple, and are applicable to all third-party MDM/EMM solutions. You don't need to waste time looking for any alternate solution. In all, if you want enterprise-grade protection, make each of your devices a DEP device. Though Apple has not wanted to admit it for so many years, the truth is that non-DEP devices have been meant for personal use from the very beginning. Leaving the MDM profile non-lockable is probably the most absurd and ridiculous design decision made by Apple. For many years, I have been telling many of my governmental customers not to waste money buying any MDM/EMM solution if their devices are/remain non-DEP devices. Of course, migrating a device to a supervised DEP device involves the painful processes of factory resetting the device plus backing up and restoring end-user data, which are the major hurdles to overcome when deciding to switch.