Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now


BYOD in education: How to use devices safely and securely

The Bring Your Own Device trend can be both practically and economically beneficial for schools and colleges, but it needs to be managed effectively if the attendant security threats are to be avoided, writes David Davies

A little over ten years since the term BYOD (Bring Your Own Device) first entered common parlance courtesy of Intel, the trend is now firmly established in public and private organisations around the world. But among the earlier adopters, BYOD has achieved particular traction in education – and it’s not difficult to understand why.

There is no denying that one of the main benefits for schools and colleges is the potential for significant cost-savings during a period when educational spending has been under sustained pressure. While budgetary cutbacks have been an abiding source of pressure, so too has been the need to digitise classrooms and implement Immersive Learning. Such is the profound nature of these changes that schools were predicted to have invested $19 billion globally on classroom technology in 2019 alone (source: Forbes).

All of which means that any opportunity to have parents and children offset some of the costs is likely to be welcomed. But there is also the fact that – due to them having access outside of school hours – pupils will have the opportunity to become more comfortable with their own devices, as well as related software and apps, than would otherwise be the case. It also opens the door to increased learning outside of the school day.

But there are also a few drawbacks – and they are not insignificant. Firstly, by no means all pupils will have access to adequate devices; some may not be sufficient to run current educational software or apps, while some pupils may not have any devices of their own at all. The extent of ‘digital poverty’ and its impact on pupils has, of course, been strongly underlined during the distanced learning required by the Covid-19 pandemic.

Risks of attack

But there is also the matter of security – bringing consumer-level devices into educational environments brings considerable pressures in terms of securely enabling BYOD and therefore avoiding the risk of attacks from malware and ransomware, as well as non-compliance with regulatory requirements. These have been ramped up significantly by the 2018 introduction of the General Data Protection Regulation (GDPR) and its potential for substantial fines against organisations found to be guilty of data breaches.

So, in summary, there is no good alternative to a coordinated and comprehensive plan of implementation for BYOD as part of a wider focus on IT and network security. Alas, this is by no means a universal state of affairs. Alex Pay, security consultant at UK cybersecurity service provider ConnectDS, observes that “all too often, it is still possible to encounter a view of security as being ‘nice to have’ or the attitude that a breach will ‘never happen to us’.”

Andrew Taylor, project manager at video conferencing and AV integration company Kinly, emphasises things thus: “While the technology and tools available to IT security teams are quite mature and well-understood, [and] this gives teams a great platform to support BYOD, the issues with BYOD come from the vast range of devices, operating systems and use cases for these devices. This makes it very hard for institutions to broadly support every aspect they need to.”

Hence with the need for compromises to be made to support “the majority of users and use cases”, it may be necessary for some courses and applications to carry on being “managed by exception,” adds Taylor.


Before going any further, it’s important to make a distinction between home- and school-furnished BYOD. For instance, there are now a number of schemes that allow parents to contribute to the purchase of devices, in which case it can obviously be much easier to ensure that they are equipped
with anti-viral software and precautionary settings.

“There is a lot more you can do if the [devices] are given out by the school, especially in terms of Mobile Device Management (MDM). This allows for far greater device control – for example, the ability to block certain apps or remotely wipe devices if they are stolen,” says Pay.

Taylor also points to the merits of a (CYOD) Choose Your Own Device model, whereby the institution subsidises devices for specialist applications, allowing them to be chosen from a pre-approved list. He also urges schools and colleges to “consider the use of systems” such as Citrix, whose products include the XenMobile software for MDM and MAM (Mobile App Management).

Both MDM- and MAM-oriented solutions can put schools in the driving seat when it comes to monitoring and control over the endpoints on which they have been installed. With nearly all device activity able to be controlled or influenced to some degree, technology managers have the opportunity to enforce data protection policies and restrict certain behaviours and applications.

Of course, on the basis that parents/carers and pupils give their consent, both school and home supplied devices can be installed with these platforms too. Among an increasing myriad of available products, popular choices for the education market at present include: Mobile Guardian, which is a single solution with MDM, classroom management tools, web-filtering and parental controls; Jamf Pro, which is geared towards automating and managing Apple devices; and Hexnode, which provides MDM capabilities for Android-based products.

Defining a BYOD policy

However devices are provided, it’s critical that schools and colleges establish a clear and defined BYOD policy before venturing down this road.

“The first and most important step is to have an official BYOD policy in place from the start,” says Toni Moss, MD of CDEC. ”To achieve this, identify the potential threats you’re facing – both internal and external – and adopt a framework that protects what you have highlighted as valuable to your institution.”

BYOD policies in schools will tend to encompass multiple technological requirements aimed at both usability and device protection. Hence the frequent inclusion of a ‘Device Requirements’ section that, says Moss, will specify “minimum hardware and software parameters” and contain a clause stating that personal devices must be kept secure with a “recommendation to install” an up-to-date anti-virus.

“However, this can be difficult to manage so a simpler solution may be to provide students with a network security application or make them log-in via a separate virtual local area network,” see adds.

A well-rounded BYOD strategy is also bound to encompass remote access to classroom discussions and presentations – something that has obviously become even more relevant during the pandemic. Not surprisingly, ease and consistency of access regardless of location is a critical parameter here.

If remote learners are able to access recorded lectures, join in with online discussions and maintain a dialogue with tutors and students, they will “feel more part of the class and more involved in their learning, thus reducing the dropout rate,” says Moss.

“The expectation, of course, is that they will be able to do this on any device and at any point on campus or elsewhere, so it’s important to ensure this can happen securely.”

Specific security threats

As might be expected, the type of security threats for BYOD in education have much in common
with those in many corporate and domestic environments. Typically, they include some of the ones that no amount of public information campaigns seems to fully dispel – such as using simplistic passwords, not taking advantage of security-related operating system updates, and failing to maintain up-to-date anti-viral software.

Alex Pay points to the impact that cyberattacks can have on operating systems left unpatched for vulnerabilities, such as the Eternal Blue exploit released in 2017 that affected older Windows OS.

“One of the main issues is unpatched devices and the usage of old versions of Windows,” he confirms. “In fact, the majority of vulnerabilities tend to be around not doing updates. There can also be a lot
of issues around user credentials, such as using email addresses to sign-up for everything and the tendency to employ the same password all the time.”

Therefore, security awareness for both staff and pupils has to be an ongoing element of any effective BYOD implementation. In terms of the other main area of concern, the network, a dedicated site-wide wifi infrastructure for BYOD devices will always be preferable to using an existing network on which core servers and storage systems might reside. Opting for a separate network obviously makes it easier to eliminate any risk that sensitive internal resources might be accessed by non school staff.

Key stages with regard to dedicated networks include the implementation of a specific subnet/IP address and the configuration of content filtering – for which there is no shortage of software now available on the market. It is also advisable to clearly document access information for students and have a policy in place by which they can be informed quickly about updates and changes.

While school sites tend to be more compact, the greater distances encountered on universities can present additional challenges, including those related to the use of Eduroam – an international roaming service for users in research, higher education and further education. Moss remarks that “for many universities the issues around BYOD [concern] traceability. [For example] some unis have IT restrictions on Eduroam being able to identify all users of the WiFi, so unless there is a point of log-on many products fall short of requirements. This does differ between different institutions, though.”

Taylor also highlights another scenario in which consistency of usage may be a challenge – an arts-based course at a university where pupils are using MacOS-based applications such as recording software Logic on user-owned Apple devices.

“The institution can’t force the user to keep their OS up to a certain path level or even that their basic apps such as Safari are at a secure level, leaving them open as high-risk clients connected to networks,” he says.

“Fortunately, tools are becoming available that allow network admins to monitor the device version connecting to their networks, and this can allow the organisation to use messaging and continuing cyber security education to encourage users to observe best practice.”

Regulatory requirements

The impetus to protect data has become even greater since 25 May 2018, when the EU-devised GDPR came into effect. Devised to strengthen the safety and security of all data held within an organisation, GDPR has brought further responsibility for schools, which are required to inform pupils and teachers about the way in which their data is used. A Data Protection Officer has to be identified in each institution, and in the event of serious data breaches there is the possibility that the International Commissioner’s Office could impose fines up 4% of an organisation’s annual turnover.

The new regulations are, to put it mildly, sure to sharpen the mind of every school facilities or IT manager about the integrity of data and networks at precisely the time when BYOD is becoming evermore ubiquitous. But although it does herald substantial challenges, the successful implementation of BYOD can bring significant benefits educationally, logistically and financially. As ever with (relatively) new areas of technological endeavour, it makes sense to engage with a specialist provider or consultant who can help steer a path towards a safe and secure BYOD culture.