tag line

moving IT to the cloud with service not servers

Friday, 4 August 2017

Why BYOD could soon be BYOC.

Bring Your Own Device (BYOD) has always been an attractive idea for education.

The possibility that students could use personal devices in a learning environment without the school having to make a financial investment sounds beguiling but there are some fundamental problems that have never really been overcome.
  • How to integrate a variety of devices, all with different capabilities into a lesson plan.
  • How to securely manage school data on a range of devices.
  • How to onboard the devices onto the wireless network without a management overhead.
  • How to provide secure web filtering without additional licencing costs.
  • How to answer the question “It’s my device, why can’t I have Facebook”?
Unfortunately the big advantage of BYOD is also it’s biggest weakness.

Because the device remains the property of the pupil or a parent/guardian there’s a reasonable expectation that, outside of school hours the device could shared with other members of the family to access Facebook, eBay, NetFlix and various game sites.

Of course this creates a host of e-safety issues that’s almost too long to list. Therefore the cautious response is to apply the school security policy at all times even though for the majority of the year the device is at home and belongs to somebody else.

So in a BYOD EDU environment how do you answer the question;

“It’s my device, why can’t I have Facebook” ?


Let’s look at this from another angle. Ideally, how would you fix this problem?
  • During school time the device is under management control with all the usual policies applied. 
  • Outside of school hours the device takes on a personal policy which allows access to Facebook.
  • The two worlds must never meet.
Elements of this approach are already possible using web filtering rules that can be updated based on a schedule but this doesn’t address the fundamental problem of device security.

When the device is under personal control how do you ensure security isn’t compromised by malware, keyloggers, trojans, inappropriate software or images which are then brought into school and propagate across the network ?

This problem doesn’t rest with the management platform, it lies with the nature of the user device.

The device has to maintain a set of isolated user profiles without any possibility that information or activity could bleed from one to the other. It would also have to have built-in security that would ensure that the operating system image was clean and verified as secure. Once you throw in the requirement for centralised web based policy control it's clear that the device you describing is a chromebook.

Let's imagine what this new form of BYOD, admittedly limited to Chromebooks, might look like.

Each pupil would need to bring a Chromebook to school. It could be an existing device, newly purchased or sourced through a payment scheme. Any finance schemes would be independent of the school because the device remains the users personal property at all times.
Students would be able to choose a form factor that best suits their requirements (touch / size / price), shop around for the best deals and personalise them as much as they like. I suspect the ‘missing key’ problem will disappear appear overnight.

Personal Chromebooks could be enrolled into the schools Google organisation using the home broadband or a simple phone tether, it’s really not that difficult. The school will be buying a batch of non-recoverable Chromebook management licences but this is small cost when you consider that this would enable a 1:1 programme with very little management overhead.

The big selling point of this approach is that during school hours a policy is applied that restricts access to all the fun stuff and locks down the device. Out of hours this restriction is lifted - hello Facebook.

This could be done in a number of ways. It could be as simple as enabling guest access or lifting the restriction on organisational only logins. As the schedule moves back into school hours the standard policy is re-applied.

This doesn’t mean that the student could access social-media using an organisational login only that the Chromebook would allow a logon using a consumer account to which the filter does not apply. Nor does it mean that an out-of-hours policy would apply to all devices. It could be operated as an opt-in scheme that requires parental consent or be subject to an acceptable use policy
Integrating personal Chromebooks into the classroom is easy because although you might have 57 varieties they will all be running the same OS version and all have the same basic capabilities. Because they remain personal devices the school doesn’t need to get involved with insurance or warranty repairs, although a loan pool of utility Chromebooks all covered in a massively uncool school laminate might encourage careful handling and long term memory.

Expensive trolleys aren’t required. Ad hoc charging could be problem but only until USB C becomes commonplace. There’s no issue with respect to software licencing as this likely to be SaaS based and linked to the organizational account or installed within the user's encrypted profile.

Sounds interesting ?

Unfortunately none of this is possible because the basic mechanism to relax the Chromebook management profile on a timed schedule doesn’t currently exist.

However ChromeUnboxed recently reported a new commit to the Chromium repository described below.
“Allow unrestricted using of parent-funded Chrome OS EDU devices (Chromebooks) that are managed by school, while the device is not at school (“off-hours”).”
While we are unlikely to see this feature until ChromeOS V62 the fact that it’s even in the pipeline is a significant development.

Currently there is little indication how this might work other that the fact that it uses an "Off-Hours" flag in the device policy but it’s clear that this initiative could accelerate the drive towards 1:1 devices in education and be an important new way of getting Chromebooks into the classroom.

BYOC perhaps.