BYOD causes significant network and data security concerns, but used in tandem with cloud services it could make your network safer than ever.

A few weeks ago I was talking to a salesman from Capita who was trying to convince me that I needed his company’s new product. The software he was selling was a customised, cross-platform “desktop” which could be used across iPad, Android, Windows, and Mac.

Whether or not the product has any merit is for another article, but one of the points he raised to strengthen his case that I should buy his product was that it enabled “true BYOD”. I hadn’t heard this before despite having looked into BYOD extensively.  His assertion was that separating personal devices from the core school network prevents students and teachers from using many school ICT resources, and as such BYOD should be tied in to the main school ICT systems to enable use of local printers, and file storage etc.

Most schools keep BYOD devices away from the core of the school network by requiring that they use a separate VLAN — a network that is physically the same as the main school network, but logically separated out. This type of configuration is relatively cheap to set up, assuming you also ready have managed switches in place, and doesn’t require any additional cabling. What the salesman was suggesting seemed to go against this concept entirely.

This got me thinking. Are schools right to be separating out on the ground of security BYOD devices? How many local services are students missing out on by separating out their personal tablets, phones, and laptops?

My conclusion: none.

Local document access, unless you’re using a Windows tablet, is clumsy and confusing. Printing can be done via Google’s Cloud Print service. It’s much more effective to provide — or rather for students to provide — a user interface with which they are familiar with rather than lumber them with another layer of complexity.

Using a system, such as Google Apps for Education along with a separate VLAN for BYOD devices, allows:

  1. Teachers and students to use a popular and safe cloud service.
  2. The school to maintain control of data.
  3. Keep BYOD devices segregated from the core network.

By streamlining the services available on your BYOD network to the essentials (DNS, DHCP, Proxy) there is less to manage and also less “surface area” open to abuse. Preventing Wi-Fi clients from communicating peer-to-peer also means there is very little scope for network issues.

As long as you are comfortable that your data is secure and centrally manageable in services such as Google Apps, I argue BYOD in combination with cloud services can, contrary to popular opinion, be an extremely secure environment within which your users can work.

What do you think? Let me know in the comments, or on the forum.


About Author

Profile photo of Karl Rivers

Karl is an award winning Director of IT for the Royal Grammar School Guildford, based near London, England. He has been working in education for more than ten years and founded ClassThink in 2013 to share technology best practice with other schools. In 2014 he won the NAACE Impact Award for support services in schools, and writes edtech articles for Education Executive Magazine.


  1. Profile photo of Jamie Thompson

    I’ve been careful to avoid referring to guest devices as BYOD devices. I take BYOD to mean employee-owned devices which the IT department manage in the usual way, usually arranged through some sort of formal purchasing scheme. With guest devices, it’s completely wild and unmanaged, so you’d definitely want them isolated.
    Like you, I’m of the opinion that the school need only provide web access (although that’s easier said than done when it comes to non-Windows devices going through a school’s various proxies and filters).

  2. Profile photo of Karl Rivers

    Just dealing with the proxy/filter problem this week. It almost seems an impossible task to allow full transparent proxy including HTTPS and dealing with ISP filtering. There are a few topics on line where people claim to have solved this, but they are few and far between. Let me know if you find a solution!

  3. Profile photo of Jamie Thompson

    As far as I can make out, transparent SSL proxies aren’t possible with any of the free software options (pfSense, Smoothwall, etc.). We’ve got a proxy autoconfiguration file set up, which makes things easier for most end users (although I’ve not come across any support for PAC files in Android yet).

  4. Profile photo of Karl Rivers

    I’ve tried WPAD and DNS redirects which seem to work find for Windows, but iPads just don’t seem work with anything other than manually entering settings. There has to be a solution!

Tell us what you think!