moving school IT to the cloud with service not servers

Saturday, 19 November 2016

Using Google G Suite to manage BYOD in Schools

One problem that schools often face when they introduce a Bring Your Own Device (BYOD) strategy is that it can be too successful.

Students have a lot of personal devices, and discovering that the senior year groups have just dumped several hundred devices on your wireless network only days after posting the key code on the staff notice board can come as a bit of a surprise.

The normal response is to try to impose some order on the chaos by employing Mobile Device Management (MDM) software. Unfortunately most MDMs come with a price that matches the feature set, and while a school can justify an annual licence fee to manage its own devices, it’s more difficult to make that argument when the devices are personally owned.

The cost justification is made even more difficult by the fact that you don’t really need all the extra features of a ‘full fat’ MDM to manage BYOD, just a version with a few key components that doesn't attract a licence - MDM ‘lite’ in fact.


Other than the ability to protect your valuable wireless resource and being free - what other features of MDM ‘lite’ would be useful in managing personal devices in school?
  • A method of connecting or on-boarding devices to the wireless network that doesn't involve standing in a queue outside the IT support office.
  • A system that matches the device with a user account for tracking purposes along with the ability to restrict access to users and devices that are misbehaving in some way.
  • Protection of school data on the device with the ability to delete it if the device is lost or compromised.
Fortunately these elements are part of the Mobile Management section in Google's G Suite for Education. The basic features are licence free and capable of managing personal Android tablets, iPhones and Microsoft devices - MDM 'lite'.

So what exactly do you get for nothing? Quite a lot as it turns out.
  • The ability to install a management profile on the device that will allow an administrator to wipe the device if compromised.
  • Password and pincode controls.
  • The ability to remotely configure and install a wireless profile.
  • Collect basic inventory information.
  • An approval mechanism with an ability to bar devices.
  • Reporting of the user to device relationships.
  • The ability to identify and block compromised devices.
  • The ability to disable the camera function.
  • The ability to require device encryption.
There’s no application control but of course since we’re all using SaaS that’s not an issue!

The onboarding process is fairly simple. The user is required to accept a management profile to access any resource that requires a Google organisational logon. The installed profile also contains the information to join the school's wireless network.

The user has the ability to remove the profile at any time but this also removes rights to the network and organisational resources. An administrator has the rights to deny or revoke access at any stage.

The profile can be very minimal and still deliver the key element of access control, and just because a particular policy is available doesn't mean it has to be turned on.

Supervising a personal device is a process that must be agreed and understood by all parties, especially in an EDU environment. It can be mistrusted so it’s best to keep things simple.

The operational and technical considerations are outlined in a separate post which should be fully understood before proceeding.

So in addition to Chromebook control, G Suite for Education can provide a method for managing BYOD devices with a tub of MDM 'lite'.

Spread it thickly.