Universities, "Bring your own device", and security

October 3, 2022

Bring Your Own Device (BYOD) is perpetually popular within universities for multiple reasons, including the straightforward reason that it saves the university a lot of money to assume that various groups can be required to have (and use) their own devices for some things. However, there is a fundamental difference between BYOD at a university and BYOD in a corporate environment that makes university BYOD more risky in a security sense.

Organizations have a strong interest in making sure that the devices people use to do their work (and to access the organization's resources) are secure. When BYOD is in effect, my impression is that the common corporate approach is to require people to put their BYOD devices under some sort of corporate remote management (sometimes called 'Mobile Device Management (MDM)' when it applies to smartphones and the like). This remote management is then used to apply security settings, ensure things are up to date, look for signs of compromise (and perhaps remotely wipe the device if they're detected), and often intrusively track what's done on the device in the name of the organization's security.

This is a non-starter in a university environment. If the university were to demand that people enroll personal devices in university MDM, ceding control over them to the university, the responses would probably be rather rude. This isn't necessarily because universities are a hotbed of resistance to authority and support of personal freedom and so on; instead, it's partly because a lot of people at the university don't consider themselves to be working for it. If you're working for someone and you bring your own device, maybe it seems reasonable to give your bosses power over it. But if you're not working for someone and they show up to demand the ability to spy on and control your smartphone, that's another thing entirely. This is especially so if the university refuses to provide you with a smartphone and requires you to have and use your own for the organization's purposes.

So as a practical matter, the university on the one hand literally or effectively requires graduate students and various other people to use their own personal smartphones, laptops, and so on for some aspects of university work, and on the other hand can't demand that those personal devices be enrolled in a generally hypothetical organizational device management. This leaves universities with a rather different BYOD security posture than normal organizations. A normal organization can at least hope that there are no compromised devices used by employees on their (internal) networks and it's probably alarming if you detect some. At a (large) university, that's a Tuesday.

(Universities can and do enroll university owned and provided devices in device management, but generally this only really applies to staff, and at that only some staff. In practice a lot depends on who is paying for the staff and their devices.)

(This entry was sparked by reading Matthew Garrett's Bring Your Own Disaster, which raises a lot of good points about problems created by BYOD in general.)
