Hey folks! An enterprise wiped DEP device just removes the MDM profile, even if it's supposed to be locked in place. My feeling has always been that no one wants to implement a policy that could potentially wipe an entire fleet out by mistake. I've had other MDM's do this by the way and it wasn't fun!
Here is something equally painful to do to devices. Create a single app profile that locks the device to the Hub. Apply that as a compliance policy based on your criteria. They will have to contact you to get the device working again, so it's less destructive and just as annoying lol.