We have students who switch Chromebooks Wi-Fi to other SSIDs. They are by policy set to join s specific SSID, but not locked into it. We can't lock them in because on occasion we manually need to join a maintenance SSID for power washing or configuring. We currently reboot an access point to have them join the SSID they are set to by policy to rectify this issue.

I would suggest that you check the timeout values in WLC rather than doing it manually. 

Session Timeout - This will make sure that the Wireless client is deauthenticated after the set timer even it is actively transmitting and receiving data.

Idle Timeout - This is there to make sure that the wireless client is deauthenitcated after client is idle for certain time, where the time is defined in the WLC.

Web Authentication Timeout - If the user has not completed the web auth he will be prompted a new login page after the defined timer.

Sleeping client - Once the user complete the web auth how long controller has to remember the client. Sleeping client doesnt work for CWA.

There is a dependency on the Authentication mechanism as well. If you use Dot1X you can have the radius server assign some of this timeout values per client. 

In order to prevent Students connecting to other SSID's 

If devices are managed enforce policies to prevent them from joining other SSID's. Configuration may vary depending on your management platform. Another option is targeted deauth using wips mechanism (this may be illegal in certain regulatory) and this would be very difficult to maintain. You can also try creating custom mac block lists attached to each SSID (even though authentication is PSK you can do MAC auth) since Chromebooks doesnt support MAC randomization natively.