Encryption, Filtering and BYOD in Schools

Developing A Safe BYOD Policy

Recent updates to internet encryption standards, including TLS 1.3, Encrypted Client Hello (ECH), and Secure DNS (DoH/DoT), are designed to protect user privacy. However, they also pose challenges when students connect their own devices (BYOD) to the school’s network, as schools are traditionally unable to make fundamental changes to device settings.

BYOD devices can also be left unmanaged, meaning the school cannot install filtering software, enforce policies, or inspect traffic on them. 

Impact on Online Safety
  • Students using encrypted DNS or VPNs on their own devices may bypass school filters entirely, accessing inappropriate or unsafe content.
  • Schools may lose visibility into student activity online, breaching safeguarding responsibilities outlined in Keeping Children Safe in Education (KCSiE).
  • Without intervention, schools risk non-compliance with DfE filtering and monitoring standards.
 
Recommended Actions
  • In light of new encryption standards, if you already have a BYOD policy, you should review this and consider limiting internet access to approved, school-managed devices only, unless your Internet Service Provider can provide a methodology to manage encrypted traffic.
  • Where BYOD is permitted:
    – Use segregated guest networks with strict firewall and DNS controls
    – Block known DoH/DoT and VPN endpoints at the network level
    – Require device registration and enforce Acceptable Use Agreements
  • Work with your filtering provider to understand:
    – How they handle encrypted traffic
    – What filtering solutions they offer for BYOD
    – What visibility and reporting they can still provide


Schools Broadband deploys DNS servers which remove the ability for some devices to request ECH to be enabled. To ensure that you are as protected as possible, you should run the following checks:

Decryption Certificates

Check that a decryption certificate is installed on all managed and BYOD devices so that web browsing requests can be decrypted.

Schools Broadband customers should use the Schools Broadband DNS Server

Ensure you are using the Schools Broadband DNS servers only (85.92.188.226 & 85.92.168.104).
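
One way to run this check on a device, as an added example (not Schools Broadband's own tooling): it audits resolv.conf-format text against the two resolver addresses above. The function names and the sample input are assumptions made for illustration, and it assumes a Linux or macOS device that lists its resolvers in /etc/resolv.conf.

```python
import ipaddress
import sys

# Resolver addresses quoted on this page.
APPROVED = {ipaddress.ip_address(a) for a in ("85.92.188.226", "85.92.168.104")}

def audit_resolvers(text):
    """Sort every 'nameserver' entry of resolv.conf-format text into a bucket."""
    result = {"approved": [], "unapproved": [], "local_stub": [], "invalid": []}
    for raw in text.splitlines():
        # Drop comments ('#' or ';') and surrounding whitespace.
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        value = fields[1].split("%", 1)[0]  # strip an IPv6 zone id such as %eth0
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            result["invalid"].append(fields[1])
            continue
        if addr in APPROVED:
            result["approved"].append(str(addr))
        elif addr.is_loopback:
            # A local stub (e.g. systemd-resolved) hides the real upstream
            # resolver, so it has to be checked separately.
            result["local_stub"].append(str(addr))
        else:
            result["unapproved"].append(str(addr))
    return result

def is_compliant(text):
    """True only if at least one approved resolver is set and nothing else is."""
    r = audit_resolvers(text)
    return bool(r["approved"]) and not (
        r["unapproved"] or r["local_stub"] or r["invalid"])

# Constructed sample input, not taken from a real device.
SAMPLE = """\
# constructed example
nameserver 85.92.188.226
nameserver 1.1.1.1   # public resolver added by the user
nameserver 127.0.0.53
"""

if __name__ == "__main__":
    # Pass a path such as /etc/resolv.conf, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(audit_resolvers(text))
    print("compliant" if is_compliant(text) else "NOT compliant")
```

A loopback entry is reported as non-compliant because the upstream resolver behind a local stub is configured elsewhere and has to be verified there.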

Disable ECH in browser settings

Prevent ECH directly within the web browser and on all managed devices. Common guides on how to do this can be found here 

While BYOD can support flexible learning, it also introduces serious safeguarding challenges in the age of encrypted web traffic. Schools must ensure filtering systems remain effective and that students stay protected, regardless of the device they use. 

For more information, help and advice on how the Schools Broadband network can help protect your school’s BYODs please contact us.

Filtering and Monitoring in your school 
If you need advice about online safety, filtering and monitoring in your school, and how to meet the DfE’s ‘appropriate filtering and monitoring standards’ set out in the regulatory guidance “Keeping Children Safe in Education” (KCSiE), please contact us. We help over 3,000 schools protect over one million students online every single day. 

Contact Us
For more information please call

01133 222 333

or click here to get in touch.
