Build a Secure BYOD Environment
Applies To: Windows 8.1
Bring Your Own Device (BYOD) deployments in education need to consider security issues like physical device security, personal data access, and controlled resource access.
BYOD has an inherent security risk: Devices are no longer fully controlled by the security policies and infrastructure available within the school environment. When students are allowed to take devices home or bring their own devices from home, there’s an increased chance of malware infection. Therefore, maintaining security in a BYOD environment becomes more challenging for IT.
For devices running a Windows operating system, IT can implement a solution such as Dynamic Host Configuration Protocol (DHCP) Network Access Protection. Another way to mitigate the risk of untrusted devices is to create an isolated network for them. The isolated network treats the BYOD devices as external, untrusted entities and therefore limits their access to internal resources.
Certain BYOD deployments can benefit from virtualization technologies such as Microsoft Virtual Desktop Infrastructure (VDI) or even a native Windows operating system through Windows To Go. These deployments use the virtualized or Windows To Go desktop to provide a secure, consistent, managed desktop for students and teachers, even from an untrusted network. However, the ability to boot into Windows To Go, and to a lesser degree use VDI, is limited in certain BYOD deployments where non-Windows devices are used.
Other considerations for BYOD security include:
Physical device security. Screen locking should be enabled for devices where possible. IT should have the ability to wipe sensitive data if the device is lost or stolen.
Personal data access. IT should not have access to any personal data on the device, and policies should be in place to control such access.
Controlled resource access. Users should be given a named account with authentication and authorization control to gain access to institution-based resources.