School Managed Chromebooks
Discussion
Am I right in thinking that if a Chromebook is enrolled as school managed, that I no longer control how it's used and the school could, in theory, prevent me putting a personal account on it? Also that it becomes more hassle removing school's presence on it should that ever be required?
We bought devices just as lockdown was starting...the kids have been using school accounts on them ever since with no issues, and we have parent managed personal accounts for out of school use...school now want to enrol them in a school managed chromebook scheme...apparently to ensure the device itself has security policies/safeguarding/filtering/monitoring policies applied. They acknowledge that the school accounts themselves are fully managed by school, which is the level I thought most of these policies were applied.
We bought devices just as lockdown was starting...the kids have been using school accounts on them ever since with no issues, and we have parent managed personal accounts for out of school use...school now want to enrol them in a school managed chromebook scheme...apparently to ensure the device itself has security policies/safeguarding/filtering/monitoring policies applied. They acknowledge that the school accounts themselves are fully managed by school, which is the level I thought most of these policies were applied.
Shrugging for victory said:
Surely the school should be providing devices if they want to go down this road?
I'd be saying "poke off" about trying to enforce policies on my personal device, as I'm pretty sure that you have to flatten the Chromebook and enroll it fresh (I am a bit rusty on this).
As things stand, that is what I have told them.I'd be saying "poke off" about trying to enforce policies on my personal device, as I'm pretty sure that you have to flatten the Chromebook and enroll it fresh (I am a bit rusty on this).
However I suspect this will come to a head and my lad will end up out on a limb, which I don't want. Only choices provided are to buy a school "bundle" Chromebook, or provide my own device and go down this route (for which I also get charged £33
).Irritating thing is that the way it's currently set up has been working great for 2yrs...and I see little to no benefit in going this route (I manage his device; parental controls cover filtering/safeguarding on his personal account; school controls his school account...so I'm struggling to see the risk that the school managing the device will mitigate).
I'm scratching my head at their logic here. What's the actual risk that they are trying to mitigate? Forcing parents to cough up for their "good idea" on a personal device is bonkers IMHO.
What about signing into the school Google account from any other device? How does it work with that?
What about signing into the school Google account from any other device? How does it work with that?
Shrugging for victory said:
I'm scratching my head at their logic here. What's the actual risk that they are trying to mitigate? Forcing parents to cough up for their "good idea" on a personal device is bonkers IMHO.
What about signing into the school Google account from any other device? How does it work with that?
Also my question....we can use their school Google account on other devices What about signing into the school Google account from any other device? How does it work with that?
I suspect the "justification" will be down to connecting the device to the school network. But I fail to see how this is any sort of issue in this day and age.
I think part of the "problem" is there are few/no other parents who question this sort of thing.
Is the school actually proposing to manage the whole device , or as I read have more control of the school account on the device.
If it is the latter, I don't see the problem. It is no different than me logging into business accounts with Office 365 etc, You get the warning that they will create a device admin for that account which can restrict what that account can do. They can nuke that account for example when I leave. Doesn't affect my personal or other use of my device.
To me (having worked in school IT systems), it seems that they are proactively managing access to school systems via devices accessing with school accounts.
If they are proposing to take full device management of your personally bought device (and locking you out) then as others have said, tell them to FRO, and buy into the school bundle.
IMHO
If it is the latter, I don't see the problem. It is no different than me logging into business accounts with Office 365 etc, You get the warning that they will create a device admin for that account which can restrict what that account can do. They can nuke that account for example when I leave. Doesn't affect my personal or other use of my device.
To me (having worked in school IT systems), it seems that they are proactively managing access to school systems via devices accessing with school accounts.
If they are proposing to take full device management of your personally bought device (and locking you out) then as others have said, tell them to FRO, and buy into the school bundle.
IMHO
FunkyGibbon said:
Is the school actually proposing to manage the whole device , or as I read have more control of the school account on the device.
If it is the latter, I don't see the problem. It is no different than me logging into business accounts with Office 365 etc, You get the warning that they will create a device admin for that account which can restrict what that account can do. They can nuke that account for example when I leave. Doesn't affect my personal or other use of my device.
To me (having worked in school IT systems), it seems that they are proactively managing access to school systems via devices accessing with school accounts.
If they are proposing to take full device management of your personally bought device (and locking you out) then as others have said, tell them to FRO, and buy into the school bundle.
IMHO
They already have full control of the school account on the device. They can delete it, control what the kids see etc etc.If it is the latter, I don't see the problem. It is no different than me logging into business accounts with Office 365 etc, You get the warning that they will create a device admin for that account which can restrict what that account can do. They can nuke that account for example when I leave. Doesn't affect my personal or other use of my device.
To me (having worked in school IT systems), it seems that they are proactively managing access to school systems via devices accessing with school accounts.
If they are proposing to take full device management of your personally bought device (and locking you out) then as others have said, tell them to FRO, and buy into the school bundle.
IMHO
What they are proposing is to "powerwash" the device to enrol it in their school managed chromebook program. I'm talking to them today about what that then means afterwards.
Buying their device...when I have a perfectly good device that's been working perfectly for schooling during lockdown and beyond etc, seems a complete waste for the zero benefit to anyone that would result.
Murph7355 said:
seems a complete waste for the zero benefit to anyone that would result.
Apart from perhaps whoever is managing the school network and IT infrastructure. Whilst it does seem overkill as they already MDM in place, they may have reason - be interesting to see what that is. Could be a new 3rd party solution that will only work with "clean devices" to guarantee SLAs etc.Could even be a simple of a way of raising funds for the school to pay for the IT infrastructure. Buy our bundle or we will power-wash your device and still charge a fee.
Keep us posted on how you get on.
I'm also interested as to what reasons they provide for implementing MDM on a privately owned device.
Could be as simple as they are afraid of possible use of the Guest account or unauthorized access to a Parent account which would circumvent some of the access and browsing restrictions they have in place. But there are more appropriate ways to handle such issues.
Let us know how you fare.
Could be as simple as they are afraid of possible use of the Guest account or unauthorized access to a Parent account which would circumvent some of the access and browsing restrictions they have in place. But there are more appropriate ways to handle such issues.
Let us know how you fare.
Corso Marche said:
I'm also interested as to what reasons they provide for implementing MDM on a privately owned device.
Could be as simple as they are afraid of possible use of the Guest account or unauthorized access to a Parent account which would circumvent some of the access and browsing restrictions they have in place. But there are more appropriate ways to handle such issues.
Let us know how you fare.
Guest account is disabled (as is logging in with new ones unless I authorise it) and the only person getting access to mine is me Could be as simple as they are afraid of possible use of the Guest account or unauthorized access to a Parent account which would circumvent some of the access and browsing restrictions they have in place. But there are more appropriate ways to handle such issues.
Let us know how you fare.
The Family app, whilst not perfect, also works well for control.The device actually connects to the school network seamlessly as is....
Will post back with details. "Raising funds for the school"... Quite possibly...which will irritate me more (fee paying).
OH thought it may be that they don't want kids logging onto personal accounts at school... But I can prevent that.
Overkill.
What risk does the device pose... Especially as it's already connected to their network.
vaud said:
Murph7355 said:
What risk does the device pose... Especially as it's already connected to their network.
A bit like enterprise policy, blanket MDM for "Bring Your Own Device" is less risky than assuming a user can manage theirs, even if they can. Step back for a second and leave the "but my device!!!" histrionics at the door.
The primary purpose of the device is, presumably, to help your kids with their schoolwork. The school will have their own infrastructure and their own preferred setups, and it is hugely easier for them to control the whole device both to avoid connecting lesser-controlled and potentially malicious devices to their network. Having a single known configuration makes their IT department's jobs much easier and avoids a whole lot of "but I've got XYZ not ABC and now I've lost my history project" shenanigans.
Nobody is trying to pull a fast one on you here. This is being done for the good of the school and, by extension, the good of your kids. Is it, strictly speaking, necessary? Probably not. Do they have good, non-sinister reasons for asking you to let them take over the device? Absolutely yes.
The primary purpose of the device is, presumably, to help your kids with their schoolwork. The school will have their own infrastructure and their own preferred setups, and it is hugely easier for them to control the whole device both to avoid connecting lesser-controlled and potentially malicious devices to their network. Having a single known configuration makes their IT department's jobs much easier and avoids a whole lot of "but I've got XYZ not ABC and now I've lost my history project" shenanigans.
Nobody is trying to pull a fast one on you here. This is being done for the good of the school and, by extension, the good of your kids. Is it, strictly speaking, necessary? Probably not. Do they have good, non-sinister reasons for asking you to let them take over the device? Absolutely yes.
deckster said:
Step back for a second and leave the "but my device!!!" histrionics at the door.
The primary purpose of the device is, presumably, to help your kids with their schoolwork. The school will have their own infrastructure and their own preferred setups, and it is hugely easier for them to control the whole device both to avoid connecting lesser-controlled and potentially malicious devices to their network. Having a single known configuration makes their IT department's jobs much easier and avoids a whole lot of "but I've got XYZ not ABC and now I've lost my history project" shenanigans.
Nobody is trying to pull a fast one on you here. This is being done for the good of the school and, by extension, the good of your kids. Is it, strictly speaking, necessary? Probably not. Do they have good, non-sinister reasons for asking you to let them take over the device? Absolutely yes.
As the former IT manager of a school that made extensive use of centrally managed chromebooks I would completely agree with what you say... except for the fact that the OP bought and paid for the item himself.The primary purpose of the device is, presumably, to help your kids with their schoolwork. The school will have their own infrastructure and their own preferred setups, and it is hugely easier for them to control the whole device both to avoid connecting lesser-controlled and potentially malicious devices to their network. Having a single known configuration makes their IT department's jobs much easier and avoids a whole lot of "but I've got XYZ not ABC and now I've lost my history project" shenanigans.
Nobody is trying to pull a fast one on you here. This is being done for the good of the school and, by extension, the good of your kids. Is it, strictly speaking, necessary? Probably not. Do they have good, non-sinister reasons for asking you to let them take over the device? Absolutely yes.
We provided our students with the CBs they used, managed centrally by us, I wouldn't even have considered asking parents to allow us to control their devices so in the OPs shoes I'd tell the school to take a hike or provide their own CB.
I actually think they're cheeky to even ask!
K50 DEL said:
As the former IT manager of a school that made extensive use of centrally managed chromebooks I would completely agree with what you say... except for the fact that the OP bought and paid for the item himself.
We provided our students with the CBs they used, managed centrally by us, I wouldn't even have considered asking parents to allow us to control their devices so in the OPs shoes I'd tell the school to take a hike or provide their own CB.
I actually think they're cheeky to even ask!
To an extent I agree. But I also live in the real world - and given that schools are struggling to pay their electricity bills and fix their roofs, expecting them to provide Chromebooks for all their pupils just isn't realistic.We provided our students with the CBs they used, managed centrally by us, I wouldn't even have considered asking parents to allow us to control their devices so in the OPs shoes I'd tell the school to take a hike or provide their own CB.
I actually think they're cheeky to even ask!
It's a hard one to get right. But on the whole I don't see the issue with asking parents to provide inexpensive devices that are then managed by the school.
deckster said:
Step back for a second and leave the "but my device!!!" histrionics at the door.
The primary purpose of the device is, presumably, to help your kids with their schoolwork. The school will have their own infrastructure and their own preferred setups, and it is hugely easier for them to control the whole device both to avoid connecting lesser-controlled and potentially malicious devices to their network. Having a single known configuration makes their IT department's jobs much easier and avoids a whole lot of "but I've got XYZ not ABC and now I've lost my history project" shenanigans.
Nobody is trying to pull a fast one on you here. This is being done for the good of the school and, by extension, the good of your kids. Is it, strictly speaking, necessary? Probably not. Do they have good, non-sinister reasons for asking you to let them take over the device? Absolutely yes.
Fair points, to a degree The primary purpose of the device is, presumably, to help your kids with their schoolwork. The school will have their own infrastructure and their own preferred setups, and it is hugely easier for them to control the whole device both to avoid connecting lesser-controlled and potentially malicious devices to their network. Having a single known configuration makes their IT department's jobs much easier and avoids a whole lot of "but I've got XYZ not ABC and now I've lost my history project" shenanigans.
Nobody is trying to pull a fast one on you here. This is being done for the good of the school and, by extension, the good of your kids. Is it, strictly speaking, necessary? Probably not. Do they have good, non-sinister reasons for asking you to let them take over the device? Absolutely yes.
A "single known configuration" - it's a Chromebook. If it was a PC that I could feck around the config with, I'm with you. But it's not.
They already have full control of the school account. It can be blocked/removed instantly making any issues on their network (again, it's a Chromebook. What can it do on their network other than connect to the Google accounts...?) mitigated.
It's been in use in its current configuration for 2yrs. We have never needed any support on the device. And my lad has learnt the hard way about saving documents
It connected to the school network this morning with zero intervention required, school account logged in etc.The primary (only thus far) reason they have given for doing this is around safeguarding (which is obviously something we take seriously). They control this for the school account already. The OH and I control it for the personal account. I am being told that personal accounts can still be applied to the machine (I've asked how, as it will no longer be under my management...along with other questions), so how is safeguarding being improved any more than it is now?
I accept that I am likely being "that parent". But as others have noted, this is a device we purchased and the only other option we're being given is to buy a school provided device - so all the same questions apply, plus in these green times it's an utter waste of resources.
Murph7355 said:
I am being told that personal accounts can still be applied to the machine (I've asked how, as it will no longer be under my management...along with other questions), so how is safeguarding being improved any more than it is now?
Presumably any added personal accounts would be subject to device level policies - hence they can guarantee that any of the device users fall within their safeguarding policies.Ultimately it is their network and their rules.
They have given you 2 options. Use one of their devices, or use you own but they demand full control to enforce policies. Is it overkill - possibly. The third option I guess is they may chuck unauthorised devices off the network.
If you want to be green - just let them wipe the device and re-add the personal accounts. IMHO.
Murph7355 said:
Fair points, to a degree
A "single known configuration" - it's a Chromebook. If it was a PC that I could feck around the config with, I'm with you. But it's not.
They already have full control of the school account. It can be blocked/removed instantly making any issues on their network (again, it's a Chromebook. What can it do on their network other than connect to the Google accounts...?) mitigated.
It's been in use in its current configuration for 2yrs. We have never needed any support on the device. And my lad has learnt the hard way about saving documents It connected to the school network this morning with zero intervention required, school account logged in etc.
The primary (only thus far) reason they have given for doing this is around safeguarding (which is obviously something we take seriously). They control this for the school account already. The OH and I control it for the personal account. I am being told that personal accounts can still be applied to the machine (I've asked how, as it will no longer be under my management...along with other questions), so how is safeguarding being improved any more than it is now?
I accept that I am likely being "that parent". But as others have noted, this is a device we purchased and the only other option we're being given is to buy a school provided device - so all the same questions apply, plus in these green times it's an utter waste of resources.
Thing is, you are IT savvy and clearly taking an active approach to safeguarding. Many parents don't have a clue, and even if they try won't plug up all the gaps to ensure their child isn't exposed to stuff they shouldn't be.A "single known configuration" - it's a Chromebook. If it was a PC that I could feck around the config with, I'm with you. But it's not.
They already have full control of the school account. It can be blocked/removed instantly making any issues on their network (again, it's a Chromebook. What can it do on their network other than connect to the Google accounts...?) mitigated.
It's been in use in its current configuration for 2yrs. We have never needed any support on the device. And my lad has learnt the hard way about saving documents
It connected to the school network this morning with zero intervention required, school account logged in etc.The primary (only thus far) reason they have given for doing this is around safeguarding (which is obviously something we take seriously). They control this for the school account already. The OH and I control it for the personal account. I am being told that personal accounts can still be applied to the machine (I've asked how, as it will no longer be under my management...along with other questions), so how is safeguarding being improved any more than it is now?
I accept that I am likely being "that parent". But as others have noted, this is a device we purchased and the only other option we're being given is to buy a school provided device - so all the same questions apply, plus in these green times it's an utter waste of resources.
Gone are the days when you just install "Net nanny" on the family PC and hope your kids don't work out how easy it is to circumvent.
Murph7355 said:
Fair points, to a degree
A "single known configuration" - it's a Chromebook. If it was a PC that I could feck around the config with, I'm with you. But it's not.
They already have full control of the school account. It can be blocked/removed instantly making any issues on their network (again, it's a Chromebook. What can it do on their network other than connect to the Google accounts...?) mitigated.
It's been in use in its current configuration for 2yrs. We have never needed any support on the device. And my lad has learnt the hard way about saving documents It connected to the school network this morning with zero intervention required, school account logged in etc.
The primary (only thus far) reason they have given for doing this is around safeguarding (which is obviously something we take seriously). They control this for the school account already. The OH and I control it for the personal account. I am being told that personal accounts can still be applied to the machine (I've asked how, as it will no longer be under my management...along with other questions), so how is safeguarding being improved any more than it is now?
I accept that I am likely being "that parent". But as others have noted, this is a device we purchased and the only other option we're being given is to buy a school provided device - so all the same questions apply, plus in these green times it's an utter waste of resources.
Playing devils advocado - as a parent you might be annoyed if your child was exposed to material from another pupils poorly managed device.A "single known configuration" - it's a Chromebook. If it was a PC that I could feck around the config with, I'm with you. But it's not.
They already have full control of the school account. It can be blocked/removed instantly making any issues on their network (again, it's a Chromebook. What can it do on their network other than connect to the Google accounts...?) mitigated.
It's been in use in its current configuration for 2yrs. We have never needed any support on the device. And my lad has learnt the hard way about saving documents
It connected to the school network this morning with zero intervention required, school account logged in etc.The primary (only thus far) reason they have given for doing this is around safeguarding (which is obviously something we take seriously). They control this for the school account already. The OH and I control it for the personal account. I am being told that personal accounts can still be applied to the machine (I've asked how, as it will no longer be under my management...along with other questions), so how is safeguarding being improved any more than it is now?
I accept that I am likely being "that parent". But as others have noted, this is a device we purchased and the only other option we're being given is to buy a school provided device - so all the same questions apply, plus in these green times it's an utter waste of resources.
I understand your frustration, but BYOD means they need to apply consistent controls. Or they risk a bunch of managed schools devices and a bunch that are on a variation of their policy which quickly adds overhead and some (I stress some) risk.
I know I am seeing this through a corporate lens, but I also see why they are doing it and why granting exceptions is hard - easier and probably better to have a blanket policy.
Gassing Station | Computers, Gadgets & Stuff | Top of Page | What's New | My Stuff