© 2018 Edinburgh Communications Ltd
  • J Warrington

BYOD in Schools: 5 Questions Affecting Your Implementation

Updated: Dec 7, 2018

Still one of the most pressing issues for ICT teams across all sectors, Bring Your Own Device, or BYOD, generates its own particular set of challenges for schools. Read on for the 5 most critical questions about BYOD in schools—and how to best respond.

By its very nature, BYOD is something that cannot be easily controlled in schools, where its implementation has unfolded in almost the opposite direction of BYOD in most corporate IT settings. I mean, it started with the odd exec or two requesting that their PDAs (remember those?!) be attached to email, file, and app servers. Then, suddenly, everyone had a smartphone and needed to use network resources. I don’t remember any official change in policy, but change it did.

British youngsters are now the world’s second most prolific group of child web users. On average, they spend over 3 hours of the school day on their devices! Whether they are connecting with school network resources or surfing with their own mobile data, the impact on staff must be significant. That is, of course, unless your school has banned smartphones, which leads us to the first question....

1. Do I allow access?

Perhaps a moot point for many of us! You may have already allowed students to connect devices to the wireless network. Or you may just be permitting their use in the classroom.

A better question might be: to what extent do I allow access? If you haven’t already allowed BYOD, the decision will likely come from the school’s governing body. It’s worth deciding in advance what is allowed and what isn’t, preferably as part of a BYOD policy document.

You could, budget permitting, practice CYOD (Choose Your Own Device) instead. Allowing students to choose a device from a pre-approved list and purchase it through the IT team could lessen your support burden and increase security. You may encounter student and/or parent resistance to this, especially if the family has already “invested” in a device not on the list!

2. How should I enable access?

Presuming you have true BYOD, you need an easy way of providing access to whatever resources you’ve included in your policy. This should be via wireless LAN, in most cases, and it should be standards-based, so the majority of devices can connect.

If you don’t already have WiFi coverage throughout your school, that would be the first port of call! After this initial step, few options exist for authenticating authorised BYODers. You could use pre-shared keys (please don’t), accepting a huge potential for leaks as well as the inevitable task of updating all devices with the new details.

Using 802.1x authentication with PEAP is a better idea. In this case, your clients use their school login credentials against an access (usually RADIUS) server. The access server has a trusted digital certificate installed, so both the devices and the wireless network honour its authentication decisions.

Because I’m from a SysAdmin background, I prefer the most secure method, despite its longer initial setup time. 802.1x with EAP-TLS goes one step further by requiring installation of digital certificates on every client device. You can then optionally forego the login-credentials step to access WiFi. Lastly, there is a way to avoid the hassle and expense of managing certificate infrastructure. Instead of building your own or using Verisign’s, for example, simply select a WiFi vendor that has it built in.

Using digital certificates for BYOD authentication is very secure, particularly when installed on every device.

3. How much security should I use?

For the privacy or encryption part, there is really just one feasible option currently available. Provided you’re using an 802.1x method, as above, you’ll need to use WPA2 Enterprise. It comprises the latest security standard (CCMP) and the strongest encryption algorithm available (AES).
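To make the three authentication options from question 2 and the CCMP/AES requirement above concrete, here is an added example (not from the original article) that audits client Wi-Fi profiles. It assumes profiles in wpa_supplicant.conf format, which the article does not name; the SSIDs, identity and file paths are constructed, and the check that a CA certificate is set for validating the RADIUS server is an added practitioner check.

```python
import re
# Constructed sample profiles: one per method the article lists (PSK, PEAP, EAP-TLS).
SAMPLE_CONF = '''
network={
    ssid="School-PSK"
    key_mgmt=WPA-PSK
    psk="constructed-shared-passphrase"
}
network={
    ssid="School-PEAP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student01"
    pairwise=CCMP TKIP
}
network={
    ssid="School-TLS"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/wifi/school-ca.pem"
    client_cert="/etc/wifi/student01.pem"
    private_key="/etc/wifi/student01.key"
    pairwise=CCMP
}
'''

def parse_networks(conf):
    """Return one dict of key -> value per network={...} block."""
    bodies = re.findall(r"network=\{(.*?)\n\}", conf, re.S)
    line = re.compile(r"^[ \t]*(\w+)=(.*?)[ \t]*$", re.M)
    return [{k: v.strip('"') for k, v in line.findall(b)} for b in bodies]

def audit(net):
    """Findings for one profile; an empty list means nothing was flagged."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return ["pre-shared key: one secret shared by every device"]
    findings = []
    if "ca_cert" not in net:
        findings.append("no ca_cert: RADIUS server certificate is not validated")
    if net.get("eap") == "TLS" and not {"client_cert", "private_key"}.issubset(net):
        findings.append("EAP-TLS without client certificate and key")
    if "TKIP" in net.get("pairwise", ""):
        findings.append("TKIP allowed: restrict pairwise to CCMP (AES)")
    return findings

def audit_conf(conf):
    return {n["ssid"]: audit(n) for n in parse_networks(conf)}

if __name__ == "__main__":
    print(audit_conf(SAMPLE_CONF))
```

Only the EAP-TLS profile comes back with no findings; the PEAP profile is flagged for the missing CA certificate and for still permitting TKIP.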

Ideally, use a next-generation Internet firewall that supports anti-virus and anti-malware with application visibility/control and content filtering. It is possible to save money by using disparate systems, but they imply a greater administrative burden.

The burning question is: how much content protection do we provide for students? Once they are connected and accessing both the Internet and local resources, the school IT team implicitly takes on some responsibility. Though the U.K., unlike the United States, does not require schools to filter pornographic and radicalisation sites, schools generally do anyway. I advocate filtering those categories, but be wary of “default settings” that appear to do this for you. Always be as granular as possible with configuration (see next question!).

4. What content should I filter?

Despite U.K. legislation in 2017 requiring ISPs to block pornographic websites for customers who haven’t “opted out”, these sites are generally still available. Even when ISPs do block, many students know how to use proxy and VPN tools to circumvent the system. And don’t forget that a student could, provided they have alternate service, detach from school WiFi and just use their mobile data!

For these reasons, we want to allow as much access as we can—then students will be less likely to try to go around our filters. I advise checking content-filter settings for topics that are unnecessarily blocked, remembering that these settings should be reflected in any BYOD policy document. A typical default configuration could cover a multitude of subjects, leaving students unable to research even mildly controversial topics.

Though false positives in filtering systems are few, use the most capable one you can. Some schools even leverage third-party services such as YouTube for Schools and Google SafeSearch. Ultimately, our students live in an unfiltered world, so a strong focus on accurately identifying the most damaging content (rather than “blanket” blocks) might be the best strategy.

Choosing what content to block is critical to project success.

5. How much should students and parents be involved in the project?

That’s definitely a leading question! The answer is a lot—and at an influencer level. I know we can’t ask the opinion of every student and parent about implementing BYOD in schools, but we can at least consult with the PTA. Doing so could reveal support for strategies we might have thought unpopular: for example, installing security software on students’ own personal devices.

With security (and filtering software, in particular) comes monitoring capabilities. Regardless of whether they are linking it with actual BYOD or not, in 2016, around two thirds of schools in England and Wales stated they were monitoring their students with “spying” software. It’s unclear how many students and parents were aware of the monitoring, but only 1 in 6 of these schools were able to produce “acceptable usage” documentation.

Monitoring definitely offers protection, but it shouldn’t be at the cost of transparency. After all, if our students are mature enough to navigate the Internet, shouldn’t they be made aware of how easy it is for “upstream” administrators to see exactly what they’re doing?

There’s another good reason to keep parents in the loop. In some low-income families, the child’s device may be the primary or sole method of Internet access at home. Whether the device is owned or school-issued, monitoring, blocking, and app-management tools could easily impact user privacy and freedom to browse.

In conclusion

The important technical and ethical issues around BYOD in schools necessitate transparency and better communication for an effective decision-making process. The legal grey area around blocking and monitoring doesn’t help matters, and may even create a “best-left-unsaid” environment. Opportunities to save money and reduce staff burden, however, are abundant—if only we’d all talk about it a bit more.

I’d love to hear about your experiences with BYOD. Please share them, and any questions you might have, in the comments section below. For more information call +44 (0)131 608 0095, or start a conversation with our team via the contact page.