Should I let my child's school have access to my kid's personal laptop?








up vote
285
down vote

favorite
41












My kid is starting 6th grade and the school requires him to get a laptop and bring it to school. Now the school IT department wants to install some software on the laptop and is asking for administrative access. They want to install Office, Outlook, an AV and some site certificates.



I feel that on principle this is not right, as it's not the school's device, so school staff shouldn't have access. Additionally, I don't have any sense of how good the school's security practices are. What if they inadvertently install malware? However, if I refuse then I risk being "that parent" and I'm setting myself up for a few years of headaches as any time the school wants to add new software, I'll have to do it myself.



What would you do?




Update
Wow, this certainly blew up! Thanks to everyone for reading and commenting.



We ended up letting the school have access, for a couple reasons:



  1. The clock was ticking and our child was the only one whose laptop
    wasn't set up, so he wasn't able to fully participate in lessons and
    was missing out on emails sent to the students.


  2. I'm traveling and am not at home, so remotely installing the software myself would add another layer of complexity and require someone at home to prep the laptop for remote admin, while adding more delay to the device being ready.


It came down to what's best for the child and at the moment it seemed to us parents that it was letting the school have its way. I can check the device myself later and if there is anything that compromises the device's security or the child's privacy, then I have a better argument against the school's approach. In the meantime I'm letting them know that they could have communicated more about their plans and given us time to have a conversation about it rather than springing it on us at the last minute (though from their point-of-view this worked out just fine).





























  • 1




    Comments are not for extended discussion; all extended comment threads on this question and answers have been moved to chat.
    – Rory Alsop♦
    Aug 30 at 18:53











  • Comments have been removed, did any of them ask or answer important questions, like 1. What country 2. Private or public school?
    – AbraCadaver
    Sep 5 at 16:56










  • What school and what country? I find it hard to believe that a USA public school, as an example, would be allowed to require each student to provide such expensive gear. What other expensive items do schools in your area routinely require of students?
    – Carl Witthoft
    Sep 5 at 17:49






  • 1




    OT, but my concern would also be that they seem to require a specific OS ..
    – Hagen von Eitzen
    Sep 5 at 19:20






  • 2




    Point of clarification: Is this computer going to be continued to be owned by your child until they grow out of it or decide they want a new one? I've had my computer since I was in high school. Had something been put on my computer there is nothing stopping them from spying on me through college and even now as a graduated person in the workforce. I am curious if the same thing is likely to occur with your child's laptop.
    – The Great Duck
    Sep 6 at 1:09
















privacy corporate-policy windows-permissions






edited Aug 30 at 8:50

























asked Aug 28 at 20:35









Sushil

25 Answers

















up vote
137
down vote



accepted










Needing to install things is kind of the point of needing the laptop, so it makes perfect sense that they want to install Office, AV, and certificates. There are no surprises there. To do that, they need admin access, but I would want to revoke that access once they were done.



I would want to know the list of everything they want to install, and if they have central control over the AV (and if they do, why they want that).



If your worry is that they might install malware, then download a Live CD of an anti-malware program and run it on the laptop after they are done.



If the laptop is only used for school work, then there is really no harm here. If your child will be using it for other things, then there might be some privacy conflicts.




The onslaught of comments and the split in votes highlights a difference in understanding of the operating model here. This is not a situation where the school wants sudden control of a personal device. This is a situation where the school is asking the parent to purchase a device for the school to control and this answer is meant to be applied in this model. The school needs to be able to control the device as a part of due care (and remember that the child in this case is a minor; 12 or 13). In terms of protecting the child's privacy, my advice to make sure that the device is only used for school work holds.



The fact that the parent can retain admin control is a great thing for the protection of the child, something that would not be possible if the school owned the device. The parent can inventory, patch, and uninstall.



This operating model means that the school can ensure consistency of software, which would be required for teaching consistency, it lowers the cost to the school (yes, it increases direct costs to the parents, but does offer cost efficient options) and it offers due care controls for the protection of the child. You just have to shift your mindset that just because you bought the device does not mean that you should have 100% control of the device.



And again, with the new onslaught of comments, I say: consider the idea of a "burner" device. You own it, but it is meant to be, at least in part, out of your control and properly classified for certain activities.



If the operating model was that the school wanted sudden control of a personal device, my answer would be very different (more like AviD's).




























  • Comments are not for extended discussion; this conversation has been moved to chat. Any further comments here will be deleted.
    – Rory Alsop♦
    Aug 30 at 18:53
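One way to see part of what changed while the school had administrative access, as an added example that is not part of the original answers: snapshot the installed programs, the machine-wide trusted root certificates and the local Administrators group before the hand-over, then diff against a snapshot taken afterwards. The function names and snapshot file names are hypothetical, and these three lists are only a subset of what an administrator can change.

```powershell
# Added example, not code from the thread. Run in an elevated Windows
# PowerShell 5.1+ session. All function and file names here are hypothetical.

function Get-LaptopSnapshot {
    # Installed programs, read from the 64-bit and 32-bit Uninstall registry keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { '{0} | {1} | {2}' -f $_.DisplayName, $_.DisplayVersion, $_.Publisher }

    # Machine-wide trusted root certificates. A per-user root store
    # (Cert:\CurrentUser\Root) also exists and is not covered here.
    $roots = Get-ChildItem -Path Cert:\LocalMachine\Root |
        ForEach-Object { '{0} | {1}' -f $_.Thumbprint, $_.Subject }

    # Members of the built-in Administrators group, addressed by its
    # well-known SID so the lookup also works on non-English Windows.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { '{0} | {1}' -f $_.Name, $_.ObjectClass }

    [pscustomobject]@{
        Taken     = (Get-Date).ToString('s')
        Programs  = @($programs | Sort-Object -Unique)
        RootCerts = @($roots | Sort-Object -Unique)
        Admins    = @($admins | Sort-Object -Unique)
    }
}

function Save-LaptopSnapshot {
    param([Parameter(Mandatory = $true)][string]$Path)
    Get-LaptopSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-LaptopSnapshot {
    param(
        [Parameter(Mandatory = $true)][string]$BeforePath,
        [Parameter(Mandatory = $true)][string]$AfterPath
    )
    $before = Get-Content -Path $BeforePath -Raw | ConvertFrom-Json
    $after  = Get-Content -Path $AfterPath  -Raw | ConvertFrom-Json

    foreach ($section in 'Programs', 'RootCerts', 'Admins') {
        $old = @($before.$section)
        $new = @($after.$section)

        # Entries present only in the later snapshot.
        foreach ($item in ($new | Where-Object { $_ -notin $old })) {
            [pscustomobject]@{ Section = $section; Change = 'added'; Item = $item }
        }
        # Entries that disappeared (for example, an uninstalled program).
        foreach ($item in ($old | Where-Object { $_ -notin $new })) {
            [pscustomobject]@{ Section = $section; Change = 'removed'; Item = $item }
        }
    }
}

# Before the hand-over:
#   Save-LaptopSnapshot -Path .\before.json
# After the laptop comes back:
#   Save-LaptopSnapshot -Path .\after.json
#   Compare-LaptopSnapshot -BeforePath .\before.json -AfterPath .\after.json |
#       Format-Table -AutoSize -Wrap
```

A version upgrade shows up as one `removed` and one `added` line for the same program, because the version is part of each entry.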


















up vote
347
down vote













It might just be because I am already "that parent", but it would be a strong NO from me - and the school administration would get a strong talking to about this. I would push to have that policy changed (though without much hope), for everyone and not just my own child.



There are privacy issues. Security issues. Potentially legal issues - is the software licensed? Cracked? Are they logging all traffic from the laptop, or more? Do they want to install custom software?

And, why are they even asking for all this? What justification could they have?



  • They want to ensure the children are safe online.

    Fine, require some form of parental control. It's your laptop, it's your child - it's your responsibility. (E.g. my son's school requires content filtering on smartphones brought into school. They "demand" some dodgy app by a local fellow. I declined and installed a proper app.)


  • They want to ensure children's laptops are secure.
    Great, first lesson "how to stay safe online". Require Windows Defender (or some other AV/AM) is active and updated, etc. Though this really shouldn't matter to their network...


  • They want to ensure children are not accessing illegal / inappropriate sites.

    First of all, it only concerns them inside/during school. None of their business at home... And they can easily set up a locked down proxy for the school network.

    And again, at home they should still have the parental control / filtering software anyway.


  • They want to educate your children.

    Oh do they? Because this sounds like the opposite of that. This is an educational opportunity, a veritable goldmine for several topics, and they are going the other way.


You might need to discuss with the teachers, the principal, the school board... You might need to reeducate them about this. And you might even lose, but fighting this is the right thing to do - as @Mike and some of the commenters mentioned, best chance to teach your kids about safeguarding your own privacy and preventing onerous demands from misguided authority. :-)






















  • 1




    Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop♦
    Aug 30 at 18:52







  • 27




    In Australia, Microsoft give schools free software licenses for use by students and staff. Coincidentally (?) staff essentially only learn how to teach the use of Microsoft software, and students only learn how to use Microsoft software. This practice may better explain why the school has access to MS products to install on student laptops.
    – traktor53
    Sep 1 at 1:32






  • 2




    @RyanTheLeach It may be that the state education department was charged for the use of the software in schools - I don't have any details. My short observation was that in the school environment it was apparently free - teachers were able to install MS software made available to the school on their personal laptops and home PCs if they chose to do so.
    – traktor53
    Sep 3 at 2:20






  • 1




    Also: Do you want a child to become interested in hacking things? Then try to limit/lock down their internet access or computer usage. But hey, that's actually educational!
    – Noir
    Sep 3 at 7:00






  • 3




    @NathanMerrill this is different because a library computer (or a computer lab) is owned and managed by the school. In the school only. During school hours. With expectation of school involvement. My laptop, that I've bought and paid for, there is no such expectation or limitation. The child would be using the laptop at home, outside of school hours, in their bedroom, and not just for school work - their entire online digital lives.
    – AviD♦
    Sep 4 at 7:51


















up vote
135
down vote













I wouldn't.



You have no real way to tell exactly what they've changed. Some schools are excessively nosy or controlling.



And even if the district is being respectful of your privacy, they could have a rogue admin in their ranks.



Others have been bitten.



There have been lawsuits because of blatant misconduct before. They have alternatives, so administrative access should not be necessary.



How should they do it?



Cloud-based software requires no installation. As long as you have a modern OS and web browser, you're ready to go. While I dislike cloud apps in a number of scenarios, it's perfect for bring-your-own-device (BYOD) scenarios. Obviously, they did not choose this if they're asking for admin rights. You might suggest it to them.



With volume-licensed software, they should be able to provide a product key or set up a license server on their network. (The stuff that requires license servers is more common for university-level applications, but I've heard of it in technically-oriented college prep schools, too.)



What would I do?



I would install the applications myself. It doesn't take a lot of time, and typically they don't change over the course of the year.



Certificates can be installed very easily on Windows, but I'd have to see them first before I could say whether or not that's a good idea.


























  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop♦
    Aug 31 at 12:16







  • 4




    I don't know what you want to inspect the certificates for. I think we can take it 99.9% for granted that it is a CA cert to allow their proxy to MITM all https traffic. (It would really surprise me if it were "only" the code signing certificate needed to accept their Word macros in a secure configuration ...)
    – Hagen von Eitzen
    Sep 5 at 19:19






  • 1




    Throwing their CA directly into the Trusted Root store is exactly what I would oppose. They can filter web content at the proxy/firewall without HTTPS decryption, and they have no business seeing private data.
    – DoubleD
    Sep 5 at 20:16







  • 5




    Just in case people skim over that link and don't realize what it was about - and it's the only reason I was planning on commenting here, so it's disappointing it barely got a mention in any of the answers - a school district was already caught spying on kids' bedrooms through their webcams.
    – Izkata
    Sep 6 at 15:22







  • 1




    @Izkata That link is immensely relevant, and I was going to post an answer myself if it hadn't already been brought up. For additional context, the school district in question is in a very affluent area, and nationally both schools involved are listed among the best public schools in the country (at least they were when I attended). Lest anyone think "well, my school is too good to do something as dumb as this".
    – Beofett
    Sep 6 at 17:54
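The distinction drawn in the comments above, between a CA certificate that lets a proxy intercept HTTPS and a code-signing certificate, can be checked on the certificate file before anything is installed. This is an added example, not part of the original thread; the function name and the file name in the usage comment are hypothetical.

```powershell
# Added example, not code from the thread. Works in Windows PowerShell 5.1+.
# Get-CertificateRisk and the file name in the usage line are hypothetical.

function Get-CertificateRisk {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Well-known extended key usage (EKU) object identifiers.
    $oidServerAuth  = '1.3.6.1.5.5.7.3.1'   # TLS web server authentication
    $oidCodeSigning = '1.3.6.1.5.5.7.3.3'   # code signing
    $oidAnyUsage    = '2.5.29.37.0'         # anyExtendedKeyUsage

    # Load the file without adding it to any certificate store.
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

    $hasBasicConstraints = $false
    $isCa = $false
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            # CA:TRUE means the holder of the private key can issue other certificates.
            $hasBasicConstraints = $true
            $isCa = $ext.CertificateAuthority
        }
        elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # Name comparison only; the signature itself is not verified here.
    $selfIssued = ($cert.Subject -eq $cert.Issuer)

    # No EKU extension at all means the certificate declares no usage restriction.
    $tlsCapable = ($ekus.Count -eq 0) -or
                  ($ekus -contains $oidServerAuth) -or
                  ($ekus -contains $oidAnyUsage)

    if ($isCa -and $tlsCapable) {
        $assessment = 'CA certificate usable for TLS. In the Trusted Root store, its owner ' +
                      'can issue certificates for any website, which is what an ' +
                      'HTTPS-inspecting proxy relies on.'
    }
    elseif ($isCa) {
        $assessment = 'CA certificate whose EKU list does not include server authentication. ' +
                      'Check the listed usages before trusting it.'
    }
    elseif (-not $hasBasicConstraints -and $selfIssued) {
        $assessment = 'Self-issued certificate without a Basic Constraints extension. ' +
                      'Review by hand before trusting it.'
    }
    elseif ($ekus -contains $oidCodeSigning) {
        $assessment = 'End-entity code-signing certificate. It cannot issue certificates for websites.'
    }
    else {
        $assessment = 'End-entity certificate. It cannot issue other certificates.'
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfIssued = $selfIssued
        IsCA       = $isCa
        EKUs       = ($ekus -join ', ')
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Assessment = $assessment
    }
}

# Usage (hypothetical file name for the certificate the school supplied):
#   Get-CertificateRisk -Path .\school-cert.cer | Format-List
```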


















up vote
64
down vote













Others have already stated why this is a bad idea and I fully agree: don't let them install that stuff (certificates?? no way). Now, you don't have to be that parent if you present some options:



  • Multi-booting: this way your kid can have a school OS and a home OS, he just needs to let them install all the stuff on the school OS and remember not to do any private stuff while using it (and always boot that one while in class). Add encryption on each OS for better results.


  • VirtualBox: almost the same as in the previous scenario, but the school may have some concerns regarding network access


  • GoogleDocs: if that is all they need this is a good option, unless some advanced docs features are used that may not work properly (or if it's more work for the teacher to teach the same in many platforms)


Good luck and let us know how you handled it.




























  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop♦
    Aug 31 at 12:17







  • 6




    +1 for being the first answer I saw that mentioned the absolutely enormous problem of them wanting to install certificates. You can sail an aircraft carrier through that security hole... especially if the school system doesn't have a particularly advanced IT department... which they usually don't.
    – reirab
    Sep 6 at 3:04


















up vote
40
down vote













Under these circumstances, the ideal case is simple.



Get a "burner" laptop for schoolwork only.



Use standard tech and low specs suitable for the work at hand (contact their IT dept to find out what they feel is suitable) and let the school do whatever they want with it.

The burner should cost at most a few hundred dollars and save a lot of hassle.



If your kid has a personal laptop already, this isn't a work device and will only be a source of distraction at school anyway.



This side-steps and compartmentalises the issues of personal-data and Info-security by keeping the personal and work lives separate in the first place.



It's clear enough to me and evidently to yourself that a personal device's security measures should never leave your personal control.



With any due respect to your school's IT dept, schools don't have a good reputation for information-security.

With hundreds of kids of all ages exploring what can and can't be done, they're generally overtaxed and loopholes are found in school IT systems all the time.

Never mind that School IT Departments are rarely information-security specialists, their chief job is maintenance of the huge network across the school and monitoring to make sure the system isn't being misused.



If their Info-sec game was strong enough for me to trust them with free access to my data, they'd probably not be working in a school.






















  • 5




    I tend to agree. The right way of thinking about what's happening here is the school is requiring you to pay for a work-only laptop for the child that they administer. You have a good argument against paying for it, but not a good argument against them administering it. Adults don't expect their work laptop to be usable as a full-time personal device either. (Of course if you can get them to agree not to install anything, that's even better.)
    – usul
    Aug 29 at 19:28






  • 4




    Or dual boot. It's a bit cheaper than another laptop
    – sudo rm -rf slash
    Aug 29 at 21:15






  • 1




    Well yes, though if possible I'd argue for the isolated work hardware. I remember how devious I was when I wanted to do something my parents didn't allow, giving me a dual-boot laptop with my games on one and my work on the other? I'd just boot up on my personal system at every opportunity, it'd be far too tempting.
    – Ruadhan2300
    Aug 30 at 8:27






  • 24




    Great idea, it will also teach the kid the difference between "my computer" and "computer of my employer" that many adults lack.
    – Agent_L
    Aug 30 at 9:18










  • @Agent_L As usul points out, the huge difference between "my computer" and "work computer" is that $EMPLOYER paid for the latter. It's the idea that the school can mandate that you pay for it and then they act like it's their property that sticks in my craw. If the school bought the laptops and issued them to the students, I'd say "School property, so they write the rules. Put a piece of electrical tape over the web cam so they don't spy on you, and live with the rest of it."
    – Monty Harder
    Sep 6 at 18:50

















up vote
35
down vote














Now the school IT department wants to install some software on the laptop and is asking for administrative access.




The school does it because it's easy for them. Lots of parents are computer illiterate, and asking every parent to review and install software every time they need to, and keeping all of them up to date, is very laborious.




I feel that on principle this is not right, as it's not the school's device, so school staff shouldn't have access.




I totally agree with you on this. It's your device and it's your child, it should be your right to draw the line on what is and is not acceptable.



On the flip side, the school also has responsibility to other students and parents. If other students come to know that your children's device is not set up with the same security software as the rest and they use your child's device to access or do illegal things or if your child's device is the entry point of a virus infection on the school's network or other security breaches, then you may become partially liable for that and the school may not be able to shirk the entire responsibility to you either as they have a duty of care.




I'm setting myself up for a few years of headache as any time the school wants to add new software, I'll have to do it myself.




You can't have your cake and eat it too. There are no rights without responsibility. If you don't want the school to have full administrative access to the device, you have to be prepared to take the responsibility yourself.




What would you do?




You should discuss the issue with the school. If the school has a BYOD policy, you likely won't be the first nor will you be the last person to have such concerns. The school may have a policy to allow you to self-administer; you'll have to negotiate what you would or would not accept. In the end, you have to be prepared to either switch to another school or to permit some or full administrative access to the device if the school's BYOD policy does not allow you to self-administer.



In the case where you decide to permit the school administrative access to the device, you may want to take some steps to protect your child and yourself from the device. You may want to treat the device like a guest or untrusted device when in your network by putting it in a separate virtual network. You should not forget to wipe the device clean once your child is no longer in that school. You may want to talk with your children about what they should not do with the school laptop, and perhaps to use another device for all their personal needs (e.g. entertainment, personal emails).



If you decide not to allow the school full administrative access, be prepared for the possible consequences. The school may have a policy to not allow devices that do not comply with policy to access their internal network, and some school resources may only be available from said internal network. You may have to settle for finding another way for your child to access said resources.



How far you want to take this is really up to you. Be flexible and be prepared to compromise, but also have a clear idea of what the line that you won't cross would be.


























  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop♦
    Aug 31 at 12:22











  • +1 for the Switching schools option, this is your last resort but should give you pause to consider just how important it is to you as they may refuse and you will have to change schools.
    – KalleMP
    Sep 8 at 9:22

















up vote
31
down vote













From a sysadmin's point of view:




They want to install Office, Outlook, an AV and some site certificates.




If you already have an AV installed, (which you should), then another AV will conflict with yours and be a larger threat to your child's computer. Do a Google search for: "multiple antivirus installed" and you'll see why it's bad.



As for the certificates, I interpret this as a way to spy on your child. A universal certificate can be used to decrypt ALL of the traffic to/from that computer. Lenovo security incident. They should have a basic filter to block bad websites, and if they don't: Smoothwall can help them out.



Tell them to give you the keys to Office, (if they gripe about it, there are alternatives out there, such as OpenOffice and LibreOffice), and ignore their requests to install certificates. You don't know anything about their IT department; and they sound/usually are incompetent. They could possibly be perverted as well, (they could install other things which might give them access to the cameras).



Tell your child to never give them their laptop. There are ways to extract passwords and if push comes to shove, you can simply: backup the password file, wipe the passwords, install whatever, and then restore the password file, (it's called the SAM file).






















  • 18




    Parents should give GNU+Linux laptops to their children with encrypted LVM in place. Should a shady IT dept choose to take the laptop anyway, that will be a great way to say "screw you". Using LibreOffice over MS Office should be suggested to schools... why are kids being "educated" into getting locked-in with the product of a specific company?
    – code_dredd
    Aug 29 at 20:25






  • 6




    @code_dredd because that's how Microsoft ensures the next generation of customers.
    – barbecue
    Aug 30 at 3:36






  • 4




    @barbecue I know, hence "educated" being in quotes. The really dumb part is schools paying for licenses when they could've saved the resources for other things.
    – code_dredd
    Aug 30 at 3:43






  • 7




    @code_dredd Microsoft gifts licenses to schools, or at least gives huge discounts. So unfortunately, they're not really "paying for licenses [the money for which could be used differently]." I do not understand how this is any different from a bribe. If someone emailed the school and went "could you train your kids in using our software and in exchange I'll give you tens of thousands of dollars worth of licenses", how should parents hope the school responds? Apparently the software is so prohibitively expensive that people need to be given licenses to get them started... It should be illegal
    – Luc
    Aug 30 at 17:26







  • 1




    @Luc You're probably right. I guess to avoid getting locked-in into MS you actually need parents to do the "marketing" themselves, i.e. I don't think school admins are necessarily aware of the fact that there are good alternatives that do a better job at following standards and respecting the freedom of their users.
    – code_dredd
    Aug 30 at 18:01

















up vote
16
down vote













Let's break this down:



Your concerns as a parent



  • Privacy: You don't want school staff being able to view what sites your kid is visiting, what files they have on their laptop, and other things that would come with admin access.

  • Security: You don't really trust the school having the ability to install software; you're worried about viruses getting onto the laptop because of the school's sloppy security.

Their concerns as the school



  • Accountability: The school wants to monitor what the students are doing online, I assume, while in the building (I assume that's what the installed certificates are for). This could also have legal repercussions on the school if students are doing illegal things from their IP addresses or via software for which the school is paying the licencing fees (Office, Outlook, etc). This could also have repercussions on your kid if they're caught doing something very illegal.

  • Security: The school doesn't trust teenager-owned laptops to be virus-free (probably a good call). They want to enforce a minimum security standard before letting devices onto their network.


Good for you for being concerned and raising the question. On the whole, it seems like they are taking reasonable security precautions; though there is the risk that your kid's internet browsing history, downloaded files, etc are visible to the school and they get in trouble for it.



There may be a silver-lining here of talking to your kid about internet privacy and being aware of what they do on that machine (a very real-world problem that any adult with a work computer has to learn to navigate!)






















  • 6




    I think that most of the school's concerns could be addressed by teaching the kids to use cloud storage and by the school providing laptops for use at school. They should just provide a list of requirements, such as "connect to Exchange server", "create and edit Word/Excel/Powerpoint compatible documents" and leave it at that. Then we could choose what software we wanted to install. Right now the school is getting the best of both worlds and we're getting a loss of privacy and control, which may not be worth the presumably licensed software the school is providing at no cost.
    – Sushil
    Aug 28 at 22:00







  • 8




    @Sushil I agree that the BYOD nature of it is the sketchy part. It also raises accessibility issues for families that can't easily just buy a laptop, or parents who aren't ready for their kids to have their own computer at home. I agree that there are better ways the school could have designed this, but I can also understand some school board person probably saying "We don't have budget to buy a fleet of laptops, so put it on the materials list" and then the poor IT guy was stuck figuring out how to do BYOD securely.
    – Mike Ounsworth
    Aug 28 at 22:22






  • 2




    I don't know, I don't feel comfortable making judgments about what the school should have done without knowing what kind of limitations they're working with, both technical (how their networks are set up, how much budget they have), political (mandates for tech-enabled classrooms coming from higher-level governments), and legal (legal responsibility for protecting children against online threats, and protecting their networks against incompetent kids). I think you're doing the right thing by raising the questions -- you should go talk to someone at the school and get answers.
    – Mike Ounsworth
    Aug 28 at 22:26







  • 1




    I would think their primary concern as a school is that the laptop is usable for educational assignments set by the staff, and if they have a 1990s IT mentality as they appear to then that may well include installing Microsoft Office. Another concern may be technical support: they don't want kids asking the teacher about how to use software that the teacher has never encountered.
    – Michael Kay
    Aug 29 at 8:36










  • So you've broken it down into each party's potential concerns, but now what would you advise? I agree with what you wrote so far, but you don't really answer the question.
    – Luc
    Aug 30 at 17:30

















up vote
14
down vote













I don't think anyone else has discussed the certificate issue:



In my experience, a lot of schools use a MITM firewall to intercept HTTP traffic for their filtering policies such as to look at the content of the page. This is a problem for HTTPS because they have to replace the certificate with their own - which is probably what they want to install.



See this vendor for example:
http://www.rm.com/products/online-safety-tools/rm-safetynet/ssl-interception#downloads



I am assuming that is what the certificates are for. There is no reason to give the IT department admin access when you can just install it yourself, it's easy.



Installing will allow you to browse HTTPS but obviously bear in mind that they will be able to intercept and read communications, over any network that is controlled by the owners of that certificate.



To avoid the interception you could probably run an encrypted VPN on one of their open ports 80/443/53 etc. and tunnel all your HTTP traffic through that. Just don't tell them because it is probably against their policy.
























  • 5




    "There is no reason to give IT admin access when you can just install it yourself, it's easy." This shows a total disconnect from the actual reality of parents' technical literacy. I'll wager you're inside the "tech bubble" and have forgotten how clueless most of the world is.
    – Wildcard
    Aug 30 at 2:26






  • 3




    Sorry, I think you have misunderstood my point. You are completely right; that is why IT are asking for admin, to make it easy for people who don't know how. But clearly the OP does not want to give them admin, and I am saying that there is not actually a requirement to do so if they are willing to spend 5 mins learning how to do it themselves.
    – jacob_pro
    Aug 30 at 10:18

















up vote
13
down vote













I'm going to provide a situation that I have experience with, and then draw parallels. I am a Software Engineer, and have worked at several shops with a BYOD (bring your own device) mentality. Each of these shops had their own security practices and software requirements that devices were expected to follow, and it was understood that IT would periodically want to verify that your device was compliant. However, this was either done remotely (by the network upon connecting) or in the presence of the developer. Had IT asked for administrative access, that would have been a major red flag because it is NOT their system.



As the owner, user, and maintainer of the system, its care and upkeep fall on one person: you. In the event that the device is compromised, infected, etc. as a result of their practices, you are the responsible party. YOU will be the one who spends time and money cleaning or replacing that system, not the school. You already recognize this by coming here and asking if this is a reasonable request on your machine. If they were maintaining and caring for the machine, this would have been a non-issue; they would have just installed the software while they were doing setup or maintenance.



What would be reasonable (in my opinion) is to have the required software listed so that you can install it yourself. If you are expected to purchase and maintain your own device, you should be trusted to make sure it is compliant with their standards (both hardware and software).



Personal opinion: This is a missed teaching opportunity. Your child will be the primary user of the device, and teaching them how to care for and keep it protected (even with your guidance) goes a long way toward learning and using better safety practices online themselves.


























  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop♦
    Aug 30 at 18:51


















up vote
13
down vote













Both a burner laptop and a virtual machine are respectable options.
Multiboot is not, as any time the hostile os is running it can modify the clean os, with beyond-admin privileges.



I feel like virtual machine might be superior in more regards than simple cost:



  1. The child might benefit from being able to use a better laptop at school. I am talking about both practical benefits such as better quality keyboard and trackpad, bigger and higher resolution/better finish screen, and psychological benefits (no reason to force them to use a bargain bin laptop in front of their peers, this might give the teacher an in to incite mockery of the child from the "paranoid" family)

  2. The base OS will be clean, so if the laptop is accidentally/necessarily booted in the home/office, the network isn't exposed to the school's dirty installation. It's possible to boot it without network by default.

  3. The child gets to have their clean personal laptop on their person, which they can use offline/on a mobile connection/wherever, which means they are much less likely to get forced into a situation where they'll do something unfortunate like accessing their personal email account from the school's OS.

  4. It's easy to inspect it, since you can monitor its network usage externally, or take snapshots of the drive and compare them.

However, I wouldn't trust the IT not to mess with the base image. Yet I assume that it wouldn't be ergonomically possible to prevent them from booting the machine unsupervised, on their own time. As such, this is the protocol I would use:



  1. Install linux or other base OS. Don't give the child any administrative access or BIOS/UEFI access, so that they can't boot from an external device.

  2. Install virtualization software, and install the required version of windows inside that.

  3. Create the administrator account on the windows vm in accordance with the requirements.

  4. Ensure that all updates are installed on the vm.

  5. Backup the whole linux os drive, and the vm.

  6. Give the laptop to the school.

  7. When you get it back, don't boot it, copy the drive again, and treat it as hostile.

  8. Overwrite the host drive with your backup.

  9. Extract the vm drive volume (drive volume only, not vm settings) from the hostile image.

  10. Replace the vm volume on the now trusted laptop with the hostile image's vm volume. Be careful, make sure the volume file doesn't allow them to access any host drive partitions, some formats can include symlinks or full access to host disks/partitions.

Now you are basically safe, from the technical standpoint.
For extra credit, you can diff the base disk image and the VM volume image with the old one, to see what the school has been up to.



The second part is explaining this setup to your child. You can't possibly overdo this. While it's good for them to have confidence in your setup, they must understand just how dangerous the school's VM is. Explain that the threat is comprised of both the school staff, who both see them in person and can have a significant effect on their future, and third parties that can compromise the VM or MITM any network activity from the VM. Explain that neither of these parties mean well or are even neutral, as such "power" corrupts people and is always abused very quickly. Give some graphic examples, such as all of their private chats being distributed to every teacher, parent, and student, or their webcam and microphone being accessed by strange women and men, including to scout out your home for a robbery, invasion, or kidnapping.



Don't forget to include that these consequences can trivially result not only from doing their personal computing inside the VM, but also from not practicing hygiene with the VM, such as running executables from a USB drive that was exposed to the VM.



Finally, you need to consider the needs and desires of the child. If they want to use software such as creative software by Adobe, Ableton, or play games, they may need their own Windows VM or boot option, otherwise they will be tempted to use the school VM.



Also, this assumes that they only want access to the machine once. If they want repeated physical access this complicates things.
























  • 2




    Multi boot is fine if you encrypt the os, which you should do anyway. Virtualization sets you up for a whole load of trouble: What happens if they are supposed to use non-standard peripherals (in my secondary school we had CNC machines, Lego Mindstorm and some toy factory equipment like a miniature conveyor belt), does USB passthrough actually work reliably? What if they are supposed to use some 3D graphics program for an art project or CAD for some architecture or technology project? And you don't know about that in advance, something might come up 2 years from now.
    – Nobody
    Aug 30 at 20:10










  • @Nobody USB passthrough works almost universally for even the weirdest hardware as long as you pass a whole internal USB controller or an external USB hub to the machine before plugging the actual thing in, vs filtering it on connection event.
    – Mihail Malostanidis
    Aug 30 at 20:56







  • 1




    @Nobody as for encryption, are you encrypting the bootloader? Yes, your files won't be read in the period since you were attacked until you voluntarily enter the key, but the modified bootloader will be waiting to transmit the key offsite (or just inject a payload into the decrypted system)
    – Mihail Malostanidis
    Aug 30 at 20:58










  • That's not the threat scenario here. I seriously doubt there is malware out there trying to attack random (!) people's encrypted non-running os. That would need a significant amount of work for negligible gain. The only way that's a relevant threat is if they are being targeted by a skilled attacker with connections to the school.
    – Nobody
    Aug 30 at 21:09










  • I am speaking of this happening in a purely automated fashion, yeah. On one hand, sure, there's lower hanging fruit. On the other hand, you can't really make a judgement on what kind of stuff you'll encounter in that much of a cesspool.
    – Mihail Malostanidis
    Aug 30 at 22:04
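
The snapshot comparison from the virtual machine answer above (its point 4 and the "extra credit" step), as an added example that is not part of any post: it hashes every file in two copies of the VM volume and reports what was added, removed or changed. It assumes both copies are mounted read-only at ordinary directories; the paths and file contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path, PurePosixPath

# File types worth reading first when they appear or change (an assumption
# about what matters on a Windows guest, not a complete list).
REVIEW_SUFFIXES = {".exe", ".dll", ".sys", ".msi", ".ps1", ".bat", ".cer", ".crt"}


def file_digest(path, chunk=1 << 20):
    """SHA-256 of one file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX path) to a content fingerprint.

    Symlinks are recorded by their target and never followed, so a link that
    points at the host cannot pull host files into the scan.
    """
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if full.is_symlink():
                manifest[rel] = "symlink:" + os.readlink(full)
            elif full.is_file():
                manifest[rel] = "sha256:" + file_digest(full)
    return manifest


def diff_manifests(before, after):
    """Return sorted lists of added, removed and changed paths."""
    old, new = set(before), set(after)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if before[p] != after[p]),
    }


def review_first(diff):
    """New or modified executables, scripts and certificate files."""
    hits = diff["added"] + diff["changed"]
    return sorted(p for p in hits if PurePosixPath(p).suffix.lower() in REVIEW_SUFFIXES)


def demo():
    """Build two small constructed trees and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        before, after = Path(tmp, "before"), Path(tmp, "after")
        for tree in (before, after):
            (tree / "Users/kid/Documents").mkdir(parents=True)
            (tree / "Windows/System32/drivers/etc").mkdir(parents=True)
            (tree / "Users/kid/Documents/essay.docx").write_bytes(b"draft 1")
            (tree / "Windows/System32/drivers/etc/hosts").write_bytes(
                b"127.0.0.1 localhost\n")
        # Changes present only in the copy that came back (all constructed).
        (after / "Program Files/SchoolAV").mkdir(parents=True)
        (after / "Program Files/SchoolAV/agent.exe").write_bytes(b"MZ constructed")
        (after / "Windows/System32/drivers/etc/hosts").write_bytes(
            b"127.0.0.1 localhost\n10.0.0.5 proxy.school.example\n")
        (after / "Users/kid/Documents/essay.docx").unlink()
        return diff_manifests(build_manifest(before), build_manifest(after))


if __name__ == "__main__":
    result = demo()
    for kind in ("added", "removed", "changed"):
        for path in result[kind]:
            print(f"{kind:8} {path}")
    print("review first:", review_first(result))
```

On a real guest the changed list will be long after any boot, because the OS rewrites logs and caches; the added executables and certificate files are the part to read first.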

















up vote
9
down vote













Big No!



While most everything has been covered, there is still the issue of child safety. Every year there are multiple lawsuits about schools spying on kids through their webcams. While you might think that they won't be able to do that with what they plan on installing, there is a good chance that the AV will allow them to.



Take this case for instance: https://www.cbsnews.com/news/610k-settlement-in-school-webcam-spy-case/



In this case the school thought that the kid might be selling drugs and essentially spied on him through his webcam. What if the computer was in your child's room while they changed and an administrator was watching it?



Additionally, you have no idea how safe their system is. Even if they aren't going to, how do you know that they won't be hacked, or are already hacked? Do not let the school install anything on your kid's computer.



The best way to prevent that would be to either give them a Chromebook for school, and lock it down with parental controls, or prevent their account from installing programs and not give them a password for an account that can.

































    up vote
    9
    down vote













    To add to the others: Have a look at the list:




    They want to install Office, Outlook, an AV and some site certificates.




    Why?



    Installing Office means teaching a dependency on a big vendor early. The teachers themselves should teach in a way that works in LibreOffice as well, or even other office programs. Most things done in schools do not use the advanced features of a special office suite anyway. A media competent teacher should focus on teaching techniques, not programs, which can be applied to different similar programs. It is way more useful to teach how to find out which button makes the text bold than learning by heart how the button looks in a specific MS office version.



    Why do they need Outlook? There are several good e-mail programs, some even free*. I would guess Outlook is not the program of choice for most pupils and in my experience most typical users do not use an e-mail program at all but web mail.



    AV is disputed anyway, read the lengthy discussions about how AV can be "snake oil", exploits in AV programs and the general concept of making a system more insecure by running a high privileged complex program.

    While AVs were often recommended in the past, many experts today recommend to use only what the system brings with it (i.e. Windows Defender for Windows).

    Even when you want a possibly better AV, you should decide which one, not the IT person at the school. Especially since some solutions are subscription based and try to sell their subscription after a free trial period and switch themselves off if you do not buy it.



    "some site certificates" sounds like "Man in the middle tools". What might be okay on their network, is a real security risk when the personal laptop is used somewhere else, because you do not know who may have the keys. For example some MITM security appliances use intermediate CAs, which are not limited to the single appliance, but to all appliances sold by the company. This means with the laptop prepared by the school, the traffic may be sniffed in other networks as well.



    Giving admin access is a bad idea anyway (do you know what else they might be installing or if their media are infected?) and teaches the children to give persons access rights just because they insist on it.
    The next time the password inspector calls them, they will give admin access as well, because you do so, don't you?



    So either they should hand out school laptops or work with what the children have, but do not demand to be admin and install stuff.



    * both as in beer and as in freedom
























    • 2




      This sounds like a personal opinion, rather than an answer to the question.
      – Berend
      Aug 29 at 13:16






    • 6




      These are some arguments for the question in the OP. It is nothing definitive, as there is no definitive answer to a "should I ..." question. If you want to nitpick, you could flag the question as "opinion based", but I think the answers do the best to be general arguments instead of just opinionated suggestions.
      – allo
      Aug 29 at 13:22






    • 1




      I think your answer could be improved by rewording some of your arguments, and leaving out others. For instance, the Office/LibreOffice is argument may not be opinionated, but the question isn't about which one of these should be taught. Outlook was never a good e-mail program is definitely opinionated. AV is disputed anyway (source?). Do you trust teachers: Who said teachers are the ones safeguarding private keys, the question is about the IT department.
      – Berend
      Aug 29 at 13:34






    • 6




      At risk of more "opinion based" responses...My experience of school IT departments has been largely unimpressive. Maintenance and monitoring rather than info-sec. There is no way I would grant admin-access to my personal device to a school IT dept in any lasting capacity. By all means provide the software and I'll install it for my kid. Hell, I'll even sit and watch while IT does it on my login. But nobody gets admin-rights over my property but me. That's the first rule of secret-keeping right there. "A secret is only secret if nobody else knows it."
      – Ruadhan2300
      Aug 29 at 14:42







    • 2




      @Berend If the m$ office would be a free, open-source software, it would be acceptable. But it is not. Next time you will be obligated to use exclusively volkswagen cars, it will be indoctrinated in you from early childhood, would it be okay, hm?
      – peterh
      Aug 30 at 15:02
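
A way to see the re-signing that the MITM firewall answer and the "some site certificates" answer above both describe, as an added example that is not from any poster: it compares the issuer of the certificate a site presents with the issuer recorded earlier on a trusted network. The CA name, hosts and certificates are constructed; `fetch_cert` is the only function that touches the network and the sample run does not call it.

```python
import socket
import ssl

# Assumption: the subject name shown for the school's certificate in the OS
# certificate viewer. This value is a constructed placeholder.
SCHOOL_CA_NAMES = {"Example School Filter CA"}


def issuer_fields(cert):
    """Flatten the issuer RDN tuples of SSLSocket.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify(cert, baseline_issuer, school_ca_names=SCHOOL_CA_NAMES):
    """Compare one observed leaf certificate with the issuer recorded earlier.

    baseline_issuer is the issuer organizationName seen for the same host on a
    network you trust, for example at home before the school CA was installed.
    """
    issuer = issuer_fields(cert)
    names = {issuer.get("organizationName"), issuer.get("commonName")}
    if names & set(school_ca_names):
        return "intercepted: re-signed by the school CA"
    if baseline_issuer is not None and issuer.get("organizationName") == baseline_issuer:
        return "direct: issuer matches baseline"
    # Sites do change CAs, so this is a prompt to look closer, not proof.
    return "changed: issuer differs from baseline"


def audit(observed, baseline):
    """Classify every observed host; a None certificate means the chain was rejected."""
    report = {}
    for host, cert in observed.items():
        if cert is None:
            report[host] = "untrusted: chain not signed by any installed CA"
        else:
            report[host] = classify(cert, baseline.get(host))
    return report


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a leaf certificate using the OS trust store, or None if it is rejected."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


def sample_cert(org, common_name):
    """Constructed stand-in for the dict getpeercert() returns."""
    return {"issuer": ((("countryName", "US"),),
                       (("organizationName", org),),
                       (("commonName", common_name),))}


# Constructed data: issuers recorded at home, then what the same hosts
# presented on another network.
BASELINE = {
    "mail.example.org": "Example Public CA",
    "bank.example.com": "Example Public CA",
    "news.example.net": "Example Public CA",
}
OBSERVED = {
    "mail.example.org": sample_cert("Example School", "Example School Filter CA"),
    "bank.example.com": sample_cert("Example Public CA", "Example Public CA R1"),
    "news.example.net": sample_cert("Another Public CA", "Another Public CA G2"),
    "portal.example.edu": None,
}

if __name__ == "__main__":
    for host, verdict in audit(OBSERVED, BASELINE).items():
        print(f"{host:22} {verdict}")
```

Running the same check away from the school network shows whether the installed CA is being used to re-sign traffic anywhere else, which is the concern raised about shared intermediate CAs.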

















    up vote
    7
    down vote













    To minimize your hassle, I suggest you inquire about minimum specs and buy your child a "work" laptop to be used only for school. Then you just let them do whatever they want. Then the school is at fault for any problems and you have no further work with it.



    If you are budget strapped, then the next best solution which still gives you complete separation and tamper-security of the home os at the cost of some additional work is this:



    1. Backup

    2. Inquire/think about minimum hard disk space for a school OS.

    3. Make a partition that large/shrink the rest.

    4. Install Windows on it.

    5. Encrypt the home os (Veracrypt can encrypt Windows without reinstalling, some Windows versions may have that ability built in and many Linux distributions offer encryption during installation)

    6. Backup again.

    7. Let the school do whatever they want. Maybe put a sticky note on the computer explicitly telling them to leave the partition scheme alone and that the encrypted partition is private data (no need to elaborate - an os is data too). Maybe set up the computer to not display the boot manager but just boot the school os immediately.

    8. If they messed up the encrypted install, use the backup to fix. Enable boot menu again if you disabled it.

    I'm not quite sure if you need a second license of Windows for that.



    Otherwise you will need to compromise and will probably have much more work in the long term.
























    • 1




      VeraCrypt can be installed on all Windows versions.
      – Joshua
      Aug 29 at 18:44

















    up vote
    7
    down vote














    Should I let my child's school have access to my kid's personal laptop?




    No.




    My kid is starting 6th grade and the school requires him to get a laptop and bring it to school.




    No.



    The school can bulk buy books, stationery, tools and computers at a discount and tax free. How is it cheaper or better for each parent to know: what to buy, where to go, how to set it up ...



    The school can provide a Lenovo 100e (Windows 10 - S-Mode) or a Chromebook (Chrome OS) for under $200. Perhaps a refundable deposit is appropriate but the cost will be less than having each parent spend the time and money to buy whatever independently.



    Much like each student receives the same books and opportunities each should be provided with an equal computer. You don't want some students to be way ahead while others are way behind.



    If there is homework the computer can be safely secured in the school's locker and the child can access the same material on their home computer, otherwise much like their books they can bring the computer home with them.



    If the parent supplies the computer and it breaks down what does the child do, return home and grab another one?



    If the school supplies the computer and there is any problem (including breakage or forgetting it at home) a new computer can be provided and the child can be back to work in a minute (with all their files the same as on the other computer).




    Now the school IT department wants to install some software on the laptop and is asking for administrative access.




    It is understandable. The child needs to get the same software as everyone and the school has a bulk license. They must also secure Internet and mail access - the school is responsible for your child's education and safety.



    That is why the school should provide the equipment and stay out of your child's personal effects unless there's a legitimate safety concern - implementing an unfair and poorly thought out plan with unfair invasions of privacy justifies nothing. On the child's personal computer (and phone) is private information and anything else permitted by the parent; that's the parent's responsibility. The school needs to stay on their own side of the firewall.




    I feel that on principle this is not right, as it's not the school's device, so school staff shouldn't have access.




    True, it's a warrantless search.




    Additionally, I don't have any sense of how good the school's security practices are. What if they inadvertently install malware?




    True. You also don't know if one particular software has bugs with whichever random hardware you supply. It's an unnecessary multiplication of work with diminished value.



    When the school supplies the computer they can just line them up and hand them out. When each computer is parent-supplied they might have a readymade install disk, but you don't know what that will do to existing software or parent installed protections.



    If the child doesn't have to supply the key to their home, why the key to their computer, their privacy?




    However, if I refuse then I risk being "that parent" and I'm setting myself up for a few years of headaches as any time the school wants to add new software, I'll have to do it myself.




    Be that parent, the one who spoke up for their child.



    If the school supplies the computer they just hand the old one in and take the new one with the updated software; alternatively it can be installed automatically over the school's WiFi. Handing over the child's personal computer every time there's an update means hours a month without it. Hardly a better solution.




    What would you do?




    Speak up. Pay less. Get a better solution that makes sense. Protect your privacy.



    You teach your children to say no to adults imposing the wrong thing - you can say no too.

































      up vote
      6
      down vote













      If I were a parent, I would firmly say no to this. This is mainly because the laptop is paid by the parent. You should have control over what you buy, and I believe that it is already pushing it to require every parent to purchase a laptop for their child and have them bring it to school (especially if you believe that technology doesn't benefit learning).



      I understand that they would want certain applications installed on the computer, productivity applications such as Office are reasonable (although, you could install it yourself). With Windows Defender and a good network firewall, another AV shouldn't be needed.



      A site certificate is one of the main problems I see in this, since it is by far the most invasive. All usernames, passwords and other personal details submitted through the school network are visible to the school. If a security breach occurs, it is possible that this information could be part of it. Do research on what firewall system the school uses and their past security track record.



      If you agree to this, at the very least, ask for a list of software being installed and ask to be kept updated when new software is installed on the system. Do research on the software and their credibility. Regularly check on the Windows programs list.



      I am a student; I have seen the way that my school board has dealt with their network security. The network is filled with security problems: accessibility of development servers on the public internet, directory traversal attacks, privilege escalation on certain web services, etc. There is a reason for this: they buy from the lowest bidder. Given this, make sure that all software that they install is from reputable companies.



      Another comment: Some courses have a specific requirement to use Microsoft Office, so installing other office software may not be an option.






















      • 1




        I do not think Windows Defender and a good network firewall are sufficient to protect a child. How do you want to configure that firewall? And Windows Defender isn't the most reliable protection I've ever seen, to be polite.
        – Ben
        Aug 30 at 5:18






      • 2




        "Some courses have a specific requirement to use Microsoft Office": such courses would be a poor teaching experience and there's no reason for the parent to facilitate such assault on their children's education.
        – Nemo
        Aug 30 at 16:11










      • "This is mainly because the laptop is paid by the parent." What difference does that make? If they are being invasive with monitoring software or whatever, I don't care if it's a company system or my system: it's invasive and I don't want that. It could be a (partial) reason to leave the company or school, depending on what they do exactly. It's not hard to not be creepy, and that does not depend on the ownership.
        – Luc
        Aug 30 at 17:52







      • 1




        @Ben Those two are a good amount of software protection measures against software attacks. The security impact of additional AV can be either negative or positive depending on whom you ask (I have reason to believe negative). Much more important are human protection measures, like educating the child about common threats and how to avoid them. If you intend to use spyware and/or censorship programs to raise your kid then that's an entirely different topic (I'm in favour of fucking talking to the child and doing computer activities together).
        – Nobody
        Aug 30 at 20:01










      • @Ben From my experience at school, there isn't much you would want to do that could give you malware. As long as you don't open random email attachments or download sketchy files, you'll be fine.
        – user3674603
        Aug 30 at 20:19

















      up vote
      4
      down vote













      While many answers here outline potential dangers arising from giving someone admin access, it should also be noted that it's also a reasonable tool for the job the school IT is about to do. That's what I would request from parents if I were to do it, since explaining how to properly configure their own system would be a dead end. 80% of them wouldn't even know what a certificate is.



      It's true that admin rights can be easily abused, but assuming you trust your school, I wouldn't worry about it too much. Think of it this way: you're asking yourself whether those guys will abuse their access to a laptop, but you have no problem leaving your kid with them for the whole day, every day. Are you sure the laptop is the thing you need to worry about here?



      Incidentally, even if you choose to educate school IT about better practices, their Outlook licenses won't transform into Linux seminars for teachers. I agree that it's a noble cause to fight for, but in your situation it's far too late to actually change anything.



































        up vote
        3
        down vote













        The school "needs to install certificates"? That definitely is a red flag.



        As for installing Office, I would say install a copy on the computer for him rather than let the school do it. While some schools do offer this service (the community college does offer free access to Microsoft Office 365, which can be accessed online, although using the apps would be better), again that is a red flag. Install or subscribe to Office 365 yourself (for which there is a student discount) or go open source and use LibreOffice.



        The fact that your school wants to do this seems less of a service to you the parent and more of an invasion of privacy upon the students, something I would seriously not consent to especially if there are ulterior motives which it sounds like there are.



        The most access your school should have to your child's computer should just be the Wi-Fi password. Beyond that, get something in writing explaining exactly what they want to put on there.



        If they go over the top (which given the paranoia of a lot of school districts) and try to strong-arm you or your kids into doing it by getting the student resource officer involved (who is generally employed by the local police department), assert you legally have the right to say no. Tell them to get a warrant.



        If an arrest is made to force an illegal search of the device, that is illegal.



        Because you have consented to let the school have access to your child's computer, you have given the school or school district the right to let the police access that device via a third party that now has control over the device. (Those certificates can be used by the school to get into the computer.)



        In the future, NEVER consent to letting strangers (even if it is your kid's school) access your computer without thoroughly reading the fine print.



        Know your rights so that the school doesn't use local law enforcement or vice versa, against you or your children.


























        • Installing certificates is a SOP in any corporate environment. They probably have self- or PKI-signed certificates for their internal systems, and they might install a certificate to enable SSL-interception (which has its own discussion of merit, but is also SOP).
          – Tom
          Sep 5 at 11:26

















        up vote
        2
        down vote













        You're trading control for convenience.
        You should use the laptop only for his school use and nothing else, as you have no idea what they will put on it. As there will be nothing personal on it now or in the future, I think overreacting to this situation would be bad. Treat it like a burner phone. It might feel wrong, but would it be any better if they gave out school laptops already loaded and your child used it? No. You wouldn't even blink.



        It's like letting someone else change the oil in your car. You could do it or you could let someone do it maybe right, wrong, or screw something up with your car. You really don't even know if they changed the oil unless you check or what oil they put in it.

































          up vote
          2
          down vote













          If anyone wants administrative access to my personal computer, I always require that I acknowledge what they want to do with that privilege. The level of detail depends on who the person is, and for the IT department of a school, I will demand that I acknowledge the following:



          • What exact software, including versions, they're going to install; what that software is intended to be used for; whether it can be cleanly removed afterwards

          • What certificates they're going to install; what the purpose of installing such certificates is (what they're meant to be); whether the certificates are signed by a trusted party (VeriSign, etc.) or are handcrafted

          IMO, some level of monitoring from parents would be good for a kid/child, but digital surveillance from a party that may or may not be directly responsible for the child's activities could be a nightmare.



          From my experience, school IT departments usually suck at what they're supposed to have mastered. I have even hacked into the online management system of my middle school twice (and dropped their database). So as general advice, it's better to reject any request by the IT department of a school for administrative access to any device you own, or get a "burner device" as suggested in other answers.



          If it's not, or hardly, possible to reject the request or get a "burner device", I would consider the applicability of the following options:



          • Demand that the software be provided for me to perform evaluation and installation on my own

          • Create a full system backup (also restore points for Windows) for later restoration

          • Install additional software to monitor / limit / isolate the "school software"

          • Watch the whole setup process

          In addition, these factors must be taken into account before proceeding:



          • "Man in the middle" attack made possible by untrusted certificates

          • AV software conflict

          • Privacy leak (what software uploads what to where? you don't know)

          Summing up, it's important to separate one's "work (or study) environment" and "personal area", and set different trust levels to different governing parties.
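
One way to produce the inventory this answer asks for (installed software with versions, installed certificates) and to follow the "check the Windows programs list" advice given in an earlier answer, as an added example that is not part of any original post. The function names `Save-DeviceSnapshot` and `Compare-DeviceSnapshot` and the file names are hypothetical; it also records local administrators and services, which goes slightly beyond what the answer lists.

```powershell
# Added example. Save-DeviceSnapshot / Compare-DeviceSnapshot are hypothetical helper
# names; before.json and after.json are placeholder paths.
# Run from an elevated Windows PowerShell 5.1 (or later) prompt.

function Save-DeviceSnapshot {
    param([Parameter(Mandatory)][string]$Path)

    # Installed programs as shown in "Programs and Features": 64-bit, 32-bit and the
    # per-user entries of the account running this script. The version is part of
    # each line, so an upgrade shows up as one line removed and one added.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { '{0} | {1} | {2}' -f $_.DisplayName, $_.DisplayVersion, $_.Publisher }

    # Trusted root certificates. A root added here is trusted for every HTTPS site,
    # which is what makes TLS interception by a proxy possible.
    $roots = foreach ($store in 'LocalMachine', 'CurrentUser') {
        Get-ChildItem -Path "Cert:\$store\Root" | ForEach-Object {
            '{0} | {1} | {2} | expires {3:yyyy-MM-dd}' -f $store, $_.Thumbprint, $_.Subject, $_.NotAfter
        }
    }

    # Members of the built-in Administrators group, addressed by its well-known SID
    # so the lookup also works on non-English installations.
    $admins = try {
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop | ForEach-Object { $_.Name }
    } catch {
        "<could not enumerate: $($_.Exception.Message)>"
    }

    # Services and the binaries they start (AV agents and remote-management tools
    # usually register one).
    $services = Get-CimInstance -ClassName Win32_Service |
        ForEach-Object { '{0} | {1} | {2}' -f $_.Name, $_.StartMode, $_.PathName }

    [pscustomobject]@{
        Taken               = (Get-Date).ToString('s')
        Programs            = [string[]]@($programs | Sort-Object -Unique)
        RootCertificates    = [string[]]@($roots    | Sort-Object -Unique)
        LocalAdministrators = [string[]]@($admins   | Sort-Object -Unique)
        Services            = [string[]]@($services | Sort-Object -Unique)
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-DeviceSnapshot {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $old = Get-Content -Path $Before -Raw | ConvertFrom-Json
    $new = Get-Content -Path $After  -Raw | ConvertFrom-Json

    foreach ($section in 'Programs', 'RootCertificates', 'LocalAdministrators', 'Services') {
        $oldItems = @($old.$section)
        $newItems = @($new.$section)

        # Present afterwards but not before: something the setup added.
        $newItems | Where-Object { $oldItems -notcontains $_ } | ForEach-Object {
            [pscustomobject]@{ Section = $section; Change = 'added'; Item = $_ }
        }
        # Present before but gone afterwards: something the setup removed or replaced.
        $oldItems | Where-Object { $newItems -notcontains $_ } | ForEach-Object {
            [pscustomobject]@{ Section = $section; Change = 'removed'; Item = $_ }
        }
    }
}

# Before handing the laptop over:
#   Save-DeviceSnapshot -Path .\before.json
# After it comes back:
#   Save-DeviceSnapshot -Path .\after.json
#   Compare-DeviceSnapshot -Before .\before.json -After .\after.json |
#       Format-Table -AutoSize -Wrap
```

The result can be checked line by line against the list of software and certificates the school supplied. It only shows what the running operating system reports, so it documents an honest installation rather than proving the absence of deliberately hidden software.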

































            up vote
            1
            down vote













            I would add that the child should be told to only use that computer for school purposes (don't buy things from it, play games, download stuff, or even really use it with other accounts). After they graduate or if it becomes redundant or replaced, reinstall the original OS (with Windows, there's a wipe-disk option on the install media -- use it) to ensure that you do not leave trackers or spyware on the device (though this results in total data loss unless your files are backed up). Be careful if doing such a backup, since you'd only want to transfer files that you know are yours.



            Aside from the certificates being a huge tip that there's probably MITM going on (snooping on allegedly-encrypted web traffic that SHOULD be protected -- like logins or shopping) or weird/unnecessary "security" features, it is apparently quite possible to install software that cannot be detected or uninstalled (registry hacks can do this, or rootkits can be used, although the latter might be noticeable to another antivirus).



            An archive binge through something like TuxedoJack's Reddit posts about tech support will also tell you some of the things that they can do with your devices -- and not just on school grounds. This can include tracking, remote reading of your files, keylogging, and even remote BSOD capability, especially if it also uses a VPN (note also that even independent antivirus scans from alternate boot material may not find commercial versions of such software, for security reasons or because the software may not be aware of all such tools!). There are numerous stories of people who have tracked a stolen computer that was not "nuked" with a fresh install. (And, for that matter, some software can run from the BIOS/UEFI instead, but there's not a good way to prevent that. It is better to hope that they don't have that sort of capability than to try to detect it.)

































              up vote
              1
              down vote













              As already stated in other answers, creating a virtual machine for the school environment may be the optimal answer. It costs nothing in additional hardware, keeps the school environment isolated from the personal environment, allows the child full-time access to the best hardware you can budget, and allows the school to do as they wish with the VM, over which you/your child can still maintain supervisory control. The host O/S doesn't need to be Linux; it can be whatever you/your child prefers; there are VM solutions (like VMware) that can host Linux or Windows on any other popular O/S (Apple, Windows, Linux). Windows has its own VM solution, although there may be licensing/price considerations - you need at least a Pro edition to be a Hyper-V host. If the guest O/S is Windows, there may again be a licensing consideration. Even with those considerations, it may be your least cost/most expedient solution that satisfies everyone's concerns/requirements.

































                up vote
                0
                down vote













                The easiest solution (outside of getting a burner laptop) is to do the following:



                1. Re-format the machine

                2. Let the school do whatever they want with the laptop, for however long they want

                3. Re-format the machine again and this time only install the software that you actually need for school work

                This lets you have your cake and eat it too: the school's IT department thinks your laptop runs their software while in reality it only runs software approved by yourself.

































                  up vote
                  0
                  down vote













                  I am a security professional. There is a very simple answer: If someone else has administrative access to your device, it is not your device anymore.



                  A relatively easy solution would be to install a "for school" VM and give the school IT team admin access inside that VM.




                  Some longer explanations:



                  No, checking afterwards isn't enough against a malicious user. If you trust the school enough that you assume they are not malicious, you can be ok with checking their work. A malicious actor has dozens of ways of hiding rootkits or malware in ways that nothing short of a full forensics will find.



                  The school request is reasonable as they want to ensure the same environment exists for every kid. They should not have any reason to be opposed to having a separate (VM) environment.


























                  • Unfortunately, most of this answer is already covered in the 24 other answers.
                    – schroeder♦
                    Sep 5 at 12:29

















                  up vote
                  -2
                  down vote













                  It really boils down to a hard drive.



                  You can swap out or wipe the HDD/SSD at any point and undo all changes they made. You can probably back up the state of the laptop and restore it within a VM or external drive, then have the kid launch/boot that while doing school work.



                  I like to use Clonezilla for copying and backing up my drives.






















                  • 3




                    I give -1 to this answer, reason: administrative access can be used to make further changes to the computer, e.g. modifying firmware. While this may be a high-complexity attack vector, it is still possible that your computer will be compromised even after you have changed the drive to a physically new drive.
                    – vakus
                    Aug 31 at 8:57










                  • @vakus: Good. If the school pulls that off, call CNN. That school is done for.
                    – Joshua
                    Sep 6 at 15:20









                  protected by Xander Aug 30 at 17:20











                  up vote
                  137
                  down vote



                  accepted










                  Needing to install things is kind of the point of needing the laptop, so it makes perfect sense that they want to install Office, AV, and certificates. There are no surprises there. To do that, they need admin access, but I would want to revoke that access once they were done.



                  I would want to know the list of everything they want to install, and if they have central control over the AV (and if they do, why they want that).



                  If your worry is that they might install malware, then download a Live CD of an anti-malware program and run it on the laptop after they are done.



                  If the laptop is only used for school work, then there is really no harm here. If your child will be using it for other things, then there might be some privacy conflicts.




                  The onslaught of comments and the split in votes highlights a difference in understanding of the operating model here. This is not a situation where the school wants sudden control of a personal device. This is a situation where the school is asking the parent to purchase a device for the school to control and this answer is meant to be applied in this model. The school needs to be able to control the device as a part of due care (and remember that the child in this case is a minor; 12 or 13). In terms of protecting the child's privacy, my advice to make sure that the device is only used for school work holds.



                  The fact that the parent can retain admin control is a great thing for the protection of the child, something that would not be possible if the school owned the device. The parent can inventory, patch, and uninstall.



                  This operating model means that the school can ensure consistency of software, which would be required for teaching consistency, it lowers the cost to the school (yes, it increases direct costs to the parents, but does offer cost efficient options) and it offers due care controls for the protection of the child. You just have to shift your mindset that just because you bought the device does not mean that you should have 100% control of the device.



                  And again, with the new onslaught of comments, I say: consider the idea of a "burner" device. You own it, but it is meant to be, at least in part, out of your control and properly classified for certain activities.



                  If the operating model was that the school wanted sudden control of a personal device, my answer would be very different (more like AviD's).




























                  • Comments are not for extended discussion; this conversation has been moved to chat. Any further comments here will be deleted.
                    – Rory Alsop♦
                    Aug 30 at 18:53























                  edited Aug 30 at 10:09

























                  answered Aug 28 at 20:46









                  schroeder♦

























                  up vote
                  347
                  down vote













                  It might just be because I am already "that parent", but it would be a strong NO from me - and the school administration would get a strong talking to about this. I would push to have that policy changed (though without much hope), for everyone and not just my own child.



                  There are privacy issues. Security issues. Potentially legal issues - is the software licensed? Cracked? Are they logging all traffic from the laptop, or more? Do they want to install custom software?

                  And why are they even asking for all this? What justification could they have?



                  • They want to ensure the children are safe online.

                    Fine, require some form of parental control. It's your laptop, it's your child - it's your responsibility. (E.g. my son's school requires content filtering on smartphones brought into school. They "demand" some dodgy app by a local fellow. I declined and installed a proper app.)


                  • They want to ensure children's laptops are secure.
                    Great, first lesson "how to stay safe online". Require Windows Defender (or some other AV/AM) is active and updated, etc. Though this really shouldn't matter to their network...


                  • They want to ensure children are not accessing illegal / inappropriate sites.

                    First of all, it only concerns them inside/during school. None of their business at home... And they can easily set up a locked down proxy for the school network.

                    And again, at home they should still have the parental control / filtering software anyway.


                  • They want to educate your children.

                    Oh do they? Because this sounds like the opposite of that. This is an educational opportunity, a veritable goldmine for several topics, and they are going the other way.


                  You might need to discuss with the teachers, the principal, the school board... You might need to reeducate them about this. And you might even lose, but fighting this is the right thing to do - as @Mike and some of the commenters mentioned, best chance to teach your kids about safeguarding your own privacy and preventing onerous demands from misguided authority. :-)






















                  • 1




                    Comments are not for extended discussion; this conversation has been moved to chat.
                    – Rory Alsop♦
                    Aug 30 at 18:52







                  • 27




                    In Australia, Microsoft give schools free software licenses for use by students and staff. Coincidentally (?) staff essentially only learn how to teach the use of Microsoft software, and students only learn how to use Microsoft software. This practice may better explain why the school has access to MS products to install on student laptops.
                    – traktor53
                    Sep 1 at 1:32






                  • 2




                    @RyanTheLeach It may be that the state education department was charged for the use of the software in schools - I don't have any details. My short observation was that in the school environment it was apparently free - teachers were able to install MS software made available to the school on their personal laptops and home PCs if they chose to do so.
                    – traktor53
                    Sep 3 at 2:20






                  • 1




                    Also: Do you want a child to become interested in hacking things? Then try to limit/lock down their internet access or computer usage. But hey, that's actually educational!
                    – Noir
                    Sep 3 at 7:00






                  • 3




                    @NathanMerrill this is different because a library computer (or a computer lab) is owned and managed by the school. In the school only. During school hours. With expectation of school involvement. My laptop, that I've bought and paid for, there is no such expectation or limitation. The child would be using the laptop at home, outside of school hours, in their bedroom, and not just for school work - their entire online digital lives.
                    – AviD♦
                    Sep 4 at 7:51

























                  answered Aug 28 at 22:56









                  AviD♦












                  up vote
                  135
                  down vote













                  I wouldn't.



                  You have no real way to tell exactly what they've changed. Some schools are excessively nosy or controlling.



                  And even if the district is being respectful of your privacy, they could have a rogue admin in their ranks.



                  Others have been bitten.



                  There have been lawsuits because of blatant misconduct before. They have alternatives, so administrative access should not be necessary.



                  How should they do it?



                  Cloud-based software requires no installation. As long as you have a modern OS and web browser, you're ready to go. While I dislike cloud apps in a number of scenarios, it's perfect for bring-your-own-device (BYOD) scenarios. Obviously, they did not choose this if they're asking for admin rights. You might suggest it to them.



                  With volume-licensed software, they should be able to provide a product key or set up a license server on their network. (The stuff that requires license servers is more common for university-level applications, but I've heard of it in technically-oriented college prep schools, too.)



                  What would I do?



                  I would install the applications myself. It doesn't take a lot of time, and typically they don't change over the course of the year.



                  Certificates can be installed very easily on Windows, but I'd have to see them first before I could say whether or not that's a good idea.


























                  • Comments are not for extended discussion; this conversation has been moved to chat.
                    – Rory Alsop♦
                    Aug 31 at 12:16







                  • 4




                    I don't know what you want to inspect the certificates for. I think we can take it 99.9% for granted that it is a CA cert to allow their proxy to MITM all https traffic. (It would really surprise me if it were "only" the code signing certificate needed to accept their Word macros in a secure configuration ...)
                    – Hagen von Eitzen
                    Sep 5 at 19:19






                  • 1




                    Throwing their CA directly into the Trusted Root store is exactly what I would oppose. They can filter web content at the proxy/firewall without HTTPS decryption, and they have no business seeing private data.
                    – DoubleD
                    Sep 5 at 20:16







                  • 5




                    Just in case people skim over that link and don't realize what it was about - and it's the only reason I was planning on commenting here, so it's disappointing it barely got a mention in any of the answers - a school district was already caught spying on kids' bedrooms through their webcams.
                    – Izkata
                    Sep 6 at 15:22







                  • 1




                    @Izkata That link is immensely relevant, and I was going to post an answer myself if it hadn't already been brought up. For additional context, the school district in question is in a very affluent area, and nationally both schools involved are listed among the best public schools in the country (at least they were when I attended). Lest anyone think "well, my school is too good to do something as dumb as this".
                    – Beofett
                    Sep 6 at 17:54

























                  answered Aug 28 at 23:01









                  DoubleD
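
The answer above wants to see the certificates before installing them, and its comments distinguish a CA certificate from a code-signing certificate; both can be checked by parsing the file without importing it. This is an added example, not code from the thread: `Get-CertRole` and `New-SampleCert` are hypothetical helper names, the sample certificates are constructed in memory, and it assumes PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example. Certificates are only parsed here; nothing is imported
# into any Windows certificate store.

# Hypothetical helper: summarise what a certificate is allowed to do.
function Get-CertRole {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    $isCa = $false
    $ekus = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [X509BasicConstraintsExtension]) {
            # Basic Constraints says whether this certificate may sign others.
            $isCa = $ext.CertificateAuthority
        } elseif ($ext -is [X509EnhancedKeyUsageExtension]) {
            # Enhanced Key Usage lists the purposes the certificate is valid for.
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    $codeSigning = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    if ($isCa) {
        $role = 'CA certificate: once trusted as a root, it can vouch for other certificates, including ones for HTTPS sites'
    } elseif ($ekus.Count -eq 1 -and $ekus[0] -eq $codeSigning) {
        $role = 'Leaf certificate limited to code signing (e.g. signed macros or scripts)'
    } else {
        $role = 'Leaf certificate; review the listed usages'
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        SelfSigned = ($Certificate.SubjectName.Name -eq $Certificate.IssuerName.Name)
        IsCA       = $isCa
        EKUs       = if ($ekus) { $ekus -join ', ' } else { '(none listed)' }
        NotAfter   = $Certificate.NotAfter
        Thumbprint = $Certificate.Thumbprint
        Role       = $role
    }
}

# Hypothetical helper: build a constructed, self-signed sample certificate
# in memory so the example runs offline.
function New-SampleCert {
    param([string]$Subject, [bool]$IsCa, [string[]]$EkuOids = @())

    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $key,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add(
        [X509BasicConstraintsExtension]::new($IsCa, $false, 0, $true))
    if ($EkuOids.Count -gt 0) {
        $oids = [OidCollection]::new()
        foreach ($o in $EkuOids) { [void]$oids.Add([Oid]::new($o)) }
        $req.CertificateExtensions.Add(
            [X509EnhancedKeyUsageExtension]::new($oids, $false))
    }
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(30))
}

# Constructed samples: one CA certificate, one code-signing leaf.
$samples = @(
    (New-SampleCert -Subject 'CN=Constructed School Proxy Root' -IsCa $true),
    (New-SampleCert -Subject 'CN=Constructed School Macro Signing' -IsCa $false -EkuOids '1.3.6.1.5.5.7.3.3')
)
$samples | ForEach-Object { Get-CertRole -Certificate $_ } | Format-List

# For a real file, parse it the same way before deciding whether to import it
# (placeholder path):
#   Get-CertRole -Certificate ([X509Certificate2]::new('C:\path\to\school-cert.cer'))
```

The thumbprint in the output can be compared against what the school publishes, and later against what actually appears in the certificate store.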

                  1,872118




                  1,872118











                  • Comments are not for extended discussion; this conversation has been moved to chat.
                    – Rory Alsop♦
                    Aug 31 at 12:16







                  • 4




                    I don't know what you want to inspect the certificates for. I think we can take it 99.9% for granted that it is a CA cert to allow their proxy to MITM all https traffic. (It would really surprise me if it were "only" the code signing certificate needed to accept their Word macros in a secure configuration ...)
                    – Hagen von Eitzen
                    Sep 5 at 19:19






                  • 1




                    Throwing their CA directly into the Trusted Root store is exactly what I would oppose. They can filter web content at the proxy/firewall without HTTPS decryption, and they have no business seeing private data.
                    – DoubleD
                    Sep 5 at 20:16







                  • 5




                    Just in case people skim over that link and don't realize what it was about - and it's the only reason I was planning on commenting here, so it's disappointing it barely got a mention in any of the answers - a school district was already caught spying on kids bedrooms through their webcams.
                    – Izkata
                    Sep 6 at 15:22







                  • 1




                    @Izkata That link is immensely relevant, and I was going to post an answer myself if it hadn't already been brought up. For additional context, the school district in question is in a very affluent area, and nationally both schools involved are listed among the best public schools in the country (at least they were when I attended). Lest anyone think "well, my school is too good to do something as dumb as this".
                    – Beofett
                    Sep 6 at 17:54
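The distinction the answer and comments above turn on (is the school's file a CA certificate, or only a code-signing certificate?) can be checked before anything is installed. This is an added PowerShell example, not part of the original posts. Assumptions: PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later; the function names and the two sample certificates are constructed for illustration and exist only in memory, so nothing is imported into a certificate store.

```powershell
# Added example: classify a certificate BEFORE trusting it.
# Get-CertTrustImpact and New-SampleCert are hypothetical helper names.

function Get-CertTrustImpact {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $isCA = $false
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            $isCA = $ext.CertificateAuthority            # basicConstraints cA flag
        }
        elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    $codeSigning = '1.3.6.1.5.5.7.3.3'                   # id-kp-codeSigning
    if ($isCA) {
        $verdict = 'CA certificate: if trusted as a root, certificates it issues (including for HTTPS sites) are accepted'
    }
    elseif ($ekus.Count -eq 1 -and $ekus[0] -eq $codeSigning) {
        $verdict = 'Leaf certificate limited to code signing: not a certificate authority'
    }
    else {
        $verdict = 'Leaf certificate: review the listed usages before trusting it'
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        SelfIssued = ($Cert.Subject -eq $Cert.Issuer)    # name match only, signature not verified
        IsCA       = $isCA
        EkuOids    = ($ekus -join ', ')
        Thumbprint = $Cert.Thumbprint
        Verdict    = $verdict
    }
}

# Builds a throwaway self-signed certificate in memory (constructed sample input).
function New-SampleCert {
    param([string]$Subject, [bool]$IsCA, [string[]]$EkuOids)

    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

    # basicConstraints: (isCA, hasPathLengthConstraint, pathLength, critical)
    $req.CertificateExtensions.Add(
        [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new(
            $IsCA, $false, 0, $true))

    if ($EkuOids) {
        $oids = [System.Security.Cryptography.OidCollection]::new()
        foreach ($o in $EkuOids) {
            [void]$oids.Add([System.Security.Cryptography.Oid]::new($o))
        }
        $req.CertificateExtensions.Add(
            [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new(
                $oids, $false))
    }

    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now, $now.AddDays(1))
}

# Two constructed samples matching the two cases raised in the comments.
$samples = @(
    (New-SampleCert -Subject 'CN=Constructed Filter Root CA' -IsCA $true)
    (New-SampleCert -Subject 'CN=Constructed Macro Signing' -IsCA $false -EkuOids '1.3.6.1.5.5.7.3.3')
)
$samples | ForEach-Object { Get-CertTrustImpact -Cert $_ } | Format-List
```

To check a real file, load it with `[System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)` and pass the result to `Get-CertTrustImpact`; loading a file this way does not add it to any store.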




























                  up vote
                  64
                  down vote













                  Others have already stated why this is a bad idea and I fully agree: don't let them install that stuff (certificates?? no way). Now, you don't have to be that parent if you present some options:



                  • Multi-booting: this way your kid can have a school OS and a home OS; he just needs to let them install all the stuff on the school OS and remember not to do any private stuff while using it (and always boot that one while in class). Add encryption on each OS for better results.


                  • VirtualBox: almost the same as in the previous scenario, but the school may have some concerns regarding network access


                  • GoogleDocs: if that is all they need this is a good option, unless some advanced docs features are used that may not work properly (or if it's more work for the teacher to teach the same on many platforms)


                  Good luck and let us know how you handled it.














                  edited Sep 4 at 0:43

























                  answered Aug 29 at 0:23









                  Felipe Pereira

                  723410















                  • Comments are not for extended discussion; this conversation has been moved to chat.
                    – Rory Alsop♦
                    Aug 31 at 12:17







                  • 6




                    +1 for being the first answer I saw that mentioned the absolutely enormous problem of them wanting to install certificates. You can sail an aircraft carrier through that security hole... especially if the school system doesn't have a particularly advanced IT department... which they usually don't.
                    – reirab
                    Sep 6 at 3:04




























                  up vote
                  40
                  down vote













                  Under these circumstances, the ideal case is simple.



                  Get a "burner" laptop for schoolwork only.



                  Use standard tech and low specs suitable for the work at hand (contact their IT dept to find out what they feel is suitable) and let the school do whatever they want with it.

                  The burner should cost at most a few hundred dollars and save a lot of hassle.



                  If your kid has a personal laptop already, this isn't a work device and will only be a source of distraction at school anyway.



                  This side-steps and compartmentalises the issues of personal-data and Info-security by keeping the personal and work lives separate in the first place.



                  It's clear enough to me and evidently to yourself that a personal device's security measures should never leave your personal control.



                  With any due respect to your school's IT dept, schools don't have a good reputation for information-security.

                  With hundreds of kids of all ages exploring what can and can't be done, they're generally overtaxed and loopholes are found in school IT systems all the time.

                  Never mind that School IT Departments are rarely information-security specialists, their chief job is maintenance of the huge network across the school and monitoring to make sure the system isn't being misused.



                  If their Info-sec game was strong enough for me to trust them with free access to my data, they'd probably not be working in a school.
















                  answered Aug 29 at 15:02









                  Ruadhan2300

                  51113











                  • 5




                    I tend to agree. The right way of thinking about what's happening here is the school is requiring you to pay for a work-only laptop for the child that they administer. You have a good argument against paying for it, but not a good argument against them administering it. Adults don't expect their work laptop to be usable as a full-time personal device either. (Of course if you can get them to agree not to install anything, that's even better.)
                    – usul
                    Aug 29 at 19:28






                  • 4




                    Or dual boot. It's a bit cheaper than another laptop
                    – sudo rm -rf slash
                    Aug 29 at 21:15






                  • 1




                    Well yes, though if possible I'd argue for the isolated work hardware. I remember how devious I was when I wanted to do something my parents didn't allow, giving me a dual-boot laptop with my games on one and my work on the other? I'd just boot up on my personal system at every opportunity, it'd be far too tempting.
                    – Ruadhan2300
                    Aug 30 at 8:27






                  • 24




                    Great idea, it will also teach the kid the difference between "my computer" and "computer of my employer" that many adults lack.
                    – Agent_L
                    Aug 30 at 9:18










                  • @Agent_L As usul points out, the huge difference between "my computer" and "work computer" is that $EMPLOYER paid for the latter. It's the idea that the school can mandate that you pay for it and then they act like it's their property that sticks in my craw. If the school bought the laptops and issued them to the students, I'd say "School property, so they write the rules. Put a piece of electrical tape over the web cam so they don't spy on you, and live with the rest of it."
                    – Monty Harder
                    Sep 6 at 18:50












                  • 5




                    I tend to agree. The right way of thinking about what's happening here is the school is requiring you to pay for a work-only laptop for the child that they administer. You have a good argument against paying for it, but not a good argument against them administering it. Adults don't expect their work laptop to be usable as a full-time personal device either. (Of course if you can get them to agree not to install anything, that's even better.)
                    – usul
                    Aug 29 at 19:28






                  • 4




                    Or dual boot. It's a bit cheaper than another laptop
                    – sudo rm -rf slash
                    Aug 29 at 21:15






                  • 1




                    Well yes, though if possible I'd argue for the isolated work hardware. I remember how devious I was when I wanted to do something my parents didn't allow, giving me a dual-boot laptop with my games on one and my work on the other? I'd just boot up on my personal system at every opportunity, it'd be far too tempting.
                    – Ruadhan2300
                    Aug 30 at 8:27






                  • 24




                    Great idea, it will also teach the kid the difference between "my computer" and "computer of my employer" that many adults lack.
                    – Agent_L
                    Aug 30 at 9:18










                  • @Agent_L As usul points out, the huge difference between "my computer" and "work computer" is that $EMPLOYER paid for the latter. It's the idea that the school can mandate that you pay for it and then they act like its their property that sticks in my craw. If the school bought the laptops and issued them to the students, I'd say "School property, so they write the rules. Put a piece of electrical tape over the web cam so they don't spy on you, and live with the rest of it."
                    – Monty Harder
                    Sep 6 at 18:50







                  5




                  5




                  I tend to agree. The right way of thinking about what's happening here is the school is requiring you to pay for a work-only laptop for the child that they administer. You have a good argument against paying for it, but not a good argument against them administering it. Adults don't expect their work laptop to be usable as a full-time personal device either. (Of course if you can get them to agree not to install anything, that's even better.)
                  – usul
                  Aug 29 at 19:28




                  I tend to agree. The right way of thinking about what's happening here is the school is requiring you to pay for a work-only laptop for the child that they administer. You have a good argument against paying for it, but not a good argument against them administering it. Adults don't expect their work laptop to be usable as a full-time personal device either. (Of course if you can get them to agree not to install anything, that's even better.)
                  – usul
                  Aug 29 at 19:28




                  4




                  4




                  Or dual boot. It's a bit cheaper than another laptop
                  – sudo rm -rf slash
                  Aug 29 at 21:15




                  Or dual boot. It's a bit cheaper than another laptop
                  – sudo rm -rf slash
                  Aug 29 at 21:15




                  1




                  1




                  Well yes, though if possible I'd argue for the isolated work hardware. I remember how devious I was when I wanted to do something my parents didn't allow, giving me a dual-boot laptop with my games on one and my work on the other? I'd just boot up on my personal system at every opportunity, it'd be far too tempting.
                  – Ruadhan2300
                  Aug 30 at 8:27




                  24




                  Great idea, it will also teach the kid the difference between "my computer" and "computer of my employer" that many adults lack.
                  – Agent_L
                  Aug 30 at 9:18




                  @Agent_L As usul points out, the huge difference between "my computer" and "work computer" is that $EMPLOYER paid for the latter. It's the idea that the school can mandate that you pay for it and then they act like it's their property that sticks in my craw. If the school bought the laptops and issued them to the students, I'd say "School property, so they write the rules. Put a piece of electrical tape over the web cam so they don't spy on you, and live with the rest of it."
                  – Monty Harder
                  Sep 6 at 18:50




                  up vote
                  35
                  down vote














                  Now the school IT department wants to install some software on the laptop and is asking for administrative access.




                  The school does it because it's easy for them. Lots of parents are computer illiterate, and asking every parent to review and install software every time they need to, and keeping all of them up to date, is very laborious.




                  I feel that on principle this is not right, as it's not the school's device, so school staff shouldn't have access.




                  I totally agree with you on this. It's your device and it's your child, it should be your right to draw the line on what is and is not acceptable.



                  On the flip side, the school also has a responsibility to other students and parents. If other students come to know that your child's device is not set up with the same security software as the rest and they use your child's device to access or do illegal things, or if your child's device is the entry point of a virus infection on the school's network or other security breaches, then you may become partially liable for that, and the school may not be able to shirk the entire responsibility to you either, as they have a duty of care.




                  I'm setting myself up for a few years of headache as any time the school wants to add new software, I'll have to do it myself.




                  You can't have your cake and eat it too. There are no rights without responsibility. If you don't want the school to have full administrative access to the device, you have to be prepared to take the responsibility yourself.




                  What would you do?




                  You should discuss the issue with the school. If the school has a BYOD policy, you likely won't be the first nor will you be the last person to have such concerns. The school may have a policy to allow you to self-administer; you'll have to negotiate what you would or would not accept. In the end, you have to be prepared to either switch to another school or to permit some or full administrative access to the device if the school's BYOD policy does not allow you to self-administer.



                  In the case where you decide to permit the school administrative access to the device, you may want to take some steps to protect your child and yourself from the device. You may want to treat the device like a guest or untrusted device when in your network by putting it in a separate virtual network. You should not forget to wipe the device clean once your child is no longer in that school. You may want to talk with your child about what they should not do with the school laptop, and perhaps to use another device for all their personal needs (e.g. entertainment, personal emails).



                  If you decide not to allow the school full administrative access, be prepared for the possible consequences. The school may have a policy to not allow devices that do not comply with policy to access their internal network, and some school resources may only be available from said internal network. You may have to settle for finding another way for your child to access said resources.



                  How far you want to take this is really up to you. Be flexible and be prepared to compromise, but also have a clear idea of what the line that you won't cross would be.






                  • Comments are not for extended discussion; this conversation has been moved to chat.
                    – Rory Alsop♦
                    Aug 31 at 12:22











                  • +1 for the Switching schools option, this is your last resort but should give you pause to consider just how important it is to you as they may refuse and you will have to change schools.
                    – KalleMP
                    Sep 8 at 9:22














                  answered Aug 29 at 4:25









                  Lie Ryan

                  up vote
                  31
                  down vote













                  From a sysadmin's point of view:




                  They want to install Office, Outlook, an AV and some site certificates.




                  If you already have an AV installed (which you should), then another AV will conflict with yours and be a larger threat to your child's computer. Do a Google search for "multiple antivirus installed" and you'll see why it's bad.



                  As for the certificates, I interpret this as a way to spy on your child. A universal certificate can be used to decrypt ALL of the traffic to/from that computer. Lenovo security incident. They should have a basic filter to block bad websites, and if they don't: Smoothwall can help them out.



                  Tell them to give you the keys to Office (if they gripe about it, there are alternatives out there, such as OpenOffice and LibreOffice), and ignore their requests to install certificates. You don't know anything about their IT department, and they sound/usually are incompetent. They could possibly be perverted as well (they could install other things which might give them access to the cameras).



                  Tell your child to never give them their laptop. There are ways to extract passwords, and if push comes to shove, you can simply back up the password file, wipe the passwords, install whatever, and then restore the password file (it's called the SAM file).






                  • 18




                    Parents should give GNU+Linux laptops to their children with encrypted LVM in place. Should a shady IT dept choose to take the laptop anyway, that will be a great way to say "screw you". Using LibreOffice over MS Office should be suggested to schools... why are kids being "educated" into getting locked in with the product of a specific company?
                    – code_dredd
                    Aug 29 at 20:25






                  • 6




                    @code_dredd because that's how Microsoft ensures the next generation of customers.
                    – barbecue
                    Aug 30 at 3:36






                  • 4




                    @barbecue I know, hence "educated" being in quotes. The really dumb part is schools paying for licenses when they could've saved the resources for other things.
                    – code_dredd
                    Aug 30 at 3:43






                  • 7




                    @code_dredd Microsoft gifts licenses to schools, or at least gives huge discounts. So unfortunately, they're not really "paying for licenses [the money for which could be used differently]." I do not understand how this is any different from a bribe. If someone emailed the school and went "could you train your kids in using our software and in exchange I'll give you tens of thousands of dollars worth of licenses", how should parents hope the school responds? Apparently the software is so prohibitively expensive that people need to be given licenses to get them started... It should be illegal
                    – Luc
                    Aug 30 at 17:26







                  • 1




                    @Luc You're probably right. I guess to avoid getting locked-in into MS you actually need parents to do the "marketing" themselves, i.e. I don't think school admins are necessarily aware of the fact that there are good alternatives that do a better job at following standards and respecting the freedom of their users.
                    – code_dredd
                    Aug 30 at 18:01














                  answered Aug 29 at 6:58









                  Blerg

                  18




                  18




                  Parents should give GNU+Linux laptops to their children with encrypted LVM in place. Should a shady IT dept choose to take the laptop anyway, that will be a great way to say "screw you". Using LibreOffice over MS Office should be suggested to schools... why are kids being "educated" into getting locked-in with a the product of a specific company?
                  – code_dredd
                  Aug 29 at 20:25




                  Parents should give GNU+Linux laptops to their children with encrypted LVM in place. Should a shady IT dept choose to take the laptop anyway, that will be a great way to say "screw you". Using LibreOffice over MS Office should be suggested to schools... why are kids being "educated" into getting locked-in with a the product of a specific company?
                  – code_dredd
                  Aug 29 at 20:25




                  6




                  6




                  @code_dredd because that's how Microsoft ensures the next generation of customers.
                  – barbecue
                  Aug 30 at 3:36




                  @code_dredd because that's how Microsoft ensures the next generation of customers.
                  – barbecue
                  Aug 30 at 3:36




                  4




                  4




                  @barbecue I know, hence "educated" being in quotes. The really dumb part is schools paying for licenses when they could've saved the resources for other things.
                  – code_dredd
                  Aug 30 at 3:43




                  @barbecue I know, hence "educated" being in quotes. The really dumb part is schools paying for licenses when they could've saved the resources for other things.
                  – code_dredd
                  Aug 30 at 3:43




                  7




                  7




                  @code_dredd Microsoft gifts licenses to schools, or at least gives huge discounts. So unfortunately, they're not really "paying for licenses [the money for which could be used differently]." I do not understand how this is any different from a bribe. If someone emailed the school and went "could you train your kids in using our software and in exchange I'll give you tens of thousands of dollars worth of licenses", how should parents hope the school responds? Apparently the software is so prohibitively expensive that people need to be given licenses to get them started... It should be illegal
                  – Luc
                  Aug 30 at 17:26





                  @code_dredd Microsoft gifts licenses to schools, or at least gives huge discounts. So unfortunately, they're not really "paying for licenses [the money for which could be used differently]." I do not understand how this is any different from a bribe. If someone emailed the school and went "could you train your kids in using our software and in exchange I'll give you tens of thousands of dollars worth of licenses", how should parents hope the school responds? Apparently the software is so prohibitively expensive that people need to be given licenses to get them started... It should be illegal
                  – Luc
                  Aug 30 at 17:26





                  1




                  1




                  @Luc You're probably right. I guess to avoid getting locked-in into MS you actually need parents to do the "marketing" themselves, i.e. I don't think school admins are necessarily aware of the fact that there are good alternatives that do a better job at following standards and respecting the freedom of their users.
                  – code_dredd
                  Aug 30 at 18:01




                  @Luc You're probably right. I guess to avoid getting locked-in into MS you actually need parents to do the "marketing" themselves, i.e. I don't think school admins are necessarily aware of the fact that there are good alternatives that do a better job at following standards and respecting the freedom of their users.
                  – code_dredd
                  Aug 30 at 18:01










                  up vote
                  16
                  down vote













                  Let's break this down:



                  Your concerns as a parent



                  • Privacy: You don't want school staff being able to view what sites your kid is visiting, what files they have on their laptop, and other things that would come with admin access.

                  • Security: You don't really trust the school having the ability to install software; you're worried about viruses getting onto the laptop because of the school's sloppy security.

                  Their concerns as the school



                  • Accountability: The school wants to monitor what the students are doing online, I assume, while in the building (I assume that's what the installed certificates are for). This could also have legal repercussions on the school if students are doing illegal things from their IP addresses or via software for which the school is paying the licencing fees (Office, Outlook, etc). This could also have repercussions on your kid if they're caught doing something very illegal.

                  • Security: The school doesn't trust teenager-owned laptops to be virus-free (probably a good call). They want to enforce a minimum security standard before letting devices onto their network.


                  Good for you for being concerned and raising the question. On the whole, it seems like they are taking reasonable security precautions; though there is the risk that your kid's internet browsing history, downloaded files, etc are visible to the school and they get in trouble for it.



                  There may be a silver-lining here of talking to your kid about internet privacy and being aware of what they do on that machine (a very real-world problem that any adult with a work computer has to learn to navigate!)






                  answered Aug 28 at 20:51









                  Mike Ounsworth








                  • 6




                    I think that most of the school's concerns could be addressed by teaching the kids to use cloud storage and by the school providing laptops for use at school. They should just provide a list of requirements, such as "connect to Exchange server", "create and edit Word/Excel/Powerpoint compatible documents" and leave it at that. Then we could choose what software we wanted to install. Right now the school is getting the best of both worlds and we're getting a loss of privacy and control, which may not be worth the presumably licensed software the school is providing at no cost.
                    – Sushil
                    Aug 28 at 22:00







                  • 8




                    @Sushil I agree that the BYOD nature of it is the sketchy part. It also raises accessibility issues for families that can't easily just buy a laptop, or parents who aren't ready for their kids to have their own computer at home. I agree that there are better ways the school could have designed this, but I can also understand some school board person probably saying "We don't have budget to buy a fleet of laptops, so put it on the materials list" and then the poor IT guy was stuck figuring out how to do BYOD securely.
                    – Mike Ounsworth
                    Aug 28 at 22:22






                  • 2




                    I don't know, I don't feel comfortable making judgments about what the school should have done without knowing what kind of limitations they're working with, both technical (how their networks are set up, how much budget they have), political (mandates for tech-enabled classrooms coming from higher-level governments), and legal (legal responsibility for protecting children against online threats, and protecting their networks against incompetent kids). I think you're doing the right thing by raising the questions -- you should go talk to someone at the school and get answers.
                    – Mike Ounsworth
                    Aug 28 at 22:26







                  • 1




                    I would think their primary concern as a school is that the laptop is usable for educational assignments set by the staff, and if they have a 1990s IT mentality as they appear to then that may well include installing Microsoft Office. Another concern may be technical support: they don't want kids asking the teacher about how to use software that the teacher has never encountered.
                    – Michael Kay
                    Aug 29 at 8:36










                  • So you've broken it down into each party's potential concerns, but now what would you advise? I agree with what you wrote so far, but you don't really answer the question.
                    – Luc
                    Aug 30 at 17:30






















                  up vote
                  14
                  down vote













                  I don't think anyone else has discussed the certificate issue:



                  In my experience, a lot of schools use a MITM firewall to intercept HTTP traffic for their filtering policies such as to look at the content of the page. This is a problem for HTTPS because they have to replace the certificate with their own - which is probably what they want to install.



                  See this vendor for example:
                  http://www.rm.com/products/online-safety-tools/rm-safetynet/ssl-interception#downloads



                  I am assuming that is what the certificates are for. There is no reason to give the IT department admin access when you can just install it yourself, it's easy.



                  Installing will allow you to browse HTTPS but obviously bear in mind that they will be able to intercept and read communications, over any network that is controlled by the owners of that certificate.



                  To avoid the interception you could probably run an encrypted VPN on one of their open ports 80/443/53 etc. and tunnel all your HTTP traffic through that. Just don't tell them because it is probably against their policy.
























                  • 5




                    "There is no reason to give IT admin access when you can just install it yourself, it's easy." This shows a total disconnect from the actual reality of parents' technical literacy. I'll wager you're inside the "tech bubble" and have forgotten how clueless most of the world is.
                    – Wildcard
                    Aug 30 at 2:26






                  • 3




                    Sorry, I think you have misunderstood my point. You are completely right, that is why IT are asking for admin: to make it easy for people who don't know how. But clearly the OP does not want to give them admin, and I am saying that there is not actually a requirement to do so if they are willing to spend 5 mins learning how to do it themselves.
                    – jacob_pro
                    Aug 30 at 10:18






















                  edited Aug 30 at 8:53









                  schroeder♦

                  65.3k25139176














                  answered Aug 29 at 14:43









                  jacob_pro

                  1412
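One way to see which certificate authorities a machine trusts before and after someone else has installed "site certificates" on it, as an added example that is not part of the original answer. It assumes the store Python's ssl module loads by default (on Windows, the system ROOT and CA stores); browsers that keep their own store, such as Firefox, are not covered, and the function names and the file name `trust_audit.py` are illustrative.

```python
import hashlib
import json
import ssl
import sys


def flatten_name(rdns):
    """Turn the ssl module's nested subject tuples into one readable string."""
    return ", ".join(f"{key}={value}" for rdn in rdns for key, value in rdn)


def describe(der):
    """Decode one DER certificate by loading it into a throwaway context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=der)
        decoded = ctx.get_ca_certs()  # lists CA certificates only
    except (ssl.SSLError, ValueError):
        decoded = []
    if not decoded:
        return "(not decodable as a CA certificate)"
    cert = decoded[0]
    return f"{flatten_name(cert['subject'])} | expires {cert['notAfter']}"


def snapshot_trust_store():
    """Map SHA-256 fingerprint -> description for each CA trusted by default."""
    ctx = ssl.create_default_context()
    return {hashlib.sha256(der).hexdigest(): describe(der)
            for der in ctx.get_ca_certs(binary_form=True)}


def diff_stores(baseline, current):
    """Return (added, removed) as fingerprint -> description dicts."""
    added = {fp: d for fp, d in current.items() if fp not in baseline}
    removed = {fp: d for fp, d in baseline.items() if fp not in current}
    return added, removed


def main(argv):
    if len(argv) == 3 and argv[1] == "save":
        # Run this before the laptop leaves your hands.
        with open(argv[2], "w", encoding="utf-8") as handle:
            json.dump(snapshot_trust_store(), handle, indent=2)
        return 0
    if len(argv) == 3 and argv[1] == "compare":
        # Run this when the laptop comes back.
        with open(argv[2], encoding="utf-8") as handle:
            baseline = json.load(handle)
        added, removed = diff_stores(baseline, snapshot_trust_store())
        for fp, desc in sorted(added.items()):
            print("ADDED  ", fp, desc)
        for fp, desc in sorted(removed.items()):
            print("REMOVED", fp, desc)
        return 1 if added else 0
    print("usage: trust_audit.py save|compare BASELINE.json")
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Every ADDED line is a new trust anchor: whoever holds its private key can issue certificates the machine will accept for any HTTPS site, which is the interception capability the answer describes.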














                  up vote
                  13
                  down vote













                  I'm going to provide a situation that I have experience with, and then draw parallels. I am a Software Engineer, and have worked at several shops with a BYOD (bring your own device) mentality. Each of these shops had their own security practices and software requirements that devices were expected to follow, and it was understood that IT would periodically want to verify that your device was compliant. However, this was either done remotely (by the network upon connecting) or in the presence of the developer. Had IT asked for administrative access, that would have been a major red flag because it is NOT their system.



                  As the owner, user, and maintainer of the system, its care and upkeep fall on one person: you. In the event that the device is compromised, infected, etc. as a result of their practices, you are the responsible party. YOU will be the one who spends time and money cleaning or replacing that system, not the school. You already recognize this by coming here and asking if this is a reasonable request on your machine. If they were maintaining and caring for the machine, this would have been a non-issue, they would have just installed the software while they were doing setup or maintenance.



                  What would be reasonable (in my opinion) is to have the required software listed so that you can install it yourself. If you are expected to purchase and maintain your own device, you should be trusted to make sure it is compliant with their standards (both hardware and software).



                  Personal opinion: This is a missed teaching opportunity. Your child will be the primary user of the device, and teaching them how to care for and keep it protected (even with your guidance) goes a long way toward learning and using better safety practices online themselves.


























                  • Comments are not for extended discussion; this conversation has been moved to chat.
                    – Rory Alsop♦
                    Aug 30 at 18:51

























                  answered Aug 29 at 12:34









                  AAlig

                  2313















                  up vote
                  13
                  down vote













                  Both a burner laptop and a virtual machine are respectable options.
                  Multiboot is not, as any time the hostile OS is running it can modify the clean OS, with beyond-admin privileges.



                  I feel like a virtual machine might be superior in more regards than simple cost:



                  1. The child might benefit from being able to use a better laptop at school. I am talking about both practical benefits such as better quality keyboard and trackpad, bigger and higher resolution/better finish screen, and psychological benefits (no reason to force them to use a bargain bin laptop in front of their peers, this might give the teacher an in to incite mockery of the child from the "paranoid" family).

                  2. The base OS will be clean, so if the laptop is accidentally/necessarily booted in the home/office, the network isn't exposed to the school's dirty installation. It's possible to boot it without network by default.

                  3. The child gets to have their clean personal laptop on their person, which they can use offline/on a mobile connection/wherever, which means they are much less likely to get forced into a situation where they'll do something unfortunate like accessing their personal email account from the school's OS.

                  4. It's easy to inspect it, since you can monitor its network usage externally, or take snapshots of the drive and compare them.

                  However, I wouldn't trust the IT not to mess with the base image. Yet I assume that it wouldn't be ergonomically possible to prevent them from booting the machine unsupervised, on their own time. As such, this is the protocol I would use:



                  1. Install Linux or other base OS. Don't give the child any administrative access or BIOS/UEFI access, so that they can't boot from an external device.

                  2. Install virtualization software, and install the required version of Windows inside that.

                  3. Create the administrator account on the Windows VM in accordance with the requirements.

                  4. Ensure that all updates are installed on the VM.

                  5. Back up the whole Linux OS drive, and the VM.

                  6. Give the laptop to the school.

                  7. When you get it back, don't boot it, copy the drive again, and treat it as hostile.

                  8. Overwrite the host drive with your backup.

                  9. Extract the VM drive volume (drive volume only, not VM settings) from the hostile image.

                  10. Replace the VM volume on the now trusted laptop with the hostile image's VM volume. Be careful, make sure the volume file doesn't allow them to access any host drive partitions; some formats can include symlinks or full access to host disks/partitions.

                  Now you are basically safe, from the technical standpoint.
                  For extra credit, you can diff the base disk image and the VM volume image with the old one, to see what the school has been up to.



                  The second part is explaining this setup to your child. You can't possibly overdo this. While it's good for them to have confidence in your setup, they must understand just how dangerous the school's VM is. Explain that the threat is comprised of both the school staff, who both see them in person and can have a significant effect on their future, and third parties that can compromise the VM or MITM any network activity from the VM. Explain that neither of these parties mean well or are even neutral, as such "power" corrupts people and is always abused very quickly. Give some graphic examples, such as all of their private chats being distributed to every teacher, parent, and student, or their webcam and microphone being accessed by strange women and men, including to scout out your home for a robbery, invasion, or kidnapping.



                  Don't forget to include that these consequences can trivially result not only from doing their personal computing inside the VM, but also from not practicing hygiene with the VM, such as running executables from a USB drive that was exposed to the VM.



                  Finally, you need to consider the needs and desires of the child. If they want to use software such as creative software by Adobe, Ableton, or play games, they may need their own Windows VM or boot option, otherwise they will be tempted to use the school VM.



                  Also, this assumes that they only want access to the machine once. If they want repeated physical access this complicates things.
























                  • 2




                    Multi boot is fine if you encrypt the OS, which you should do anyway. Virtualization sets you up for a whole load of trouble: What happens if they are supposed to use non-standard peripherals (in my secondary school we had CNC machines, Lego Mindstorm and some toy factory equipment like a miniature conveyor belt), does USB passthrough actually work reliably? What if they are supposed to use some 3D graphics program for an art project or CAD for some architecture or technology project? And you don't know about that in advance, something might come up 2 years from now.
                    – Nobody
                    Aug 30 at 20:10










                  • @Nobody USB passthrough works almost universally for even the weirdest hardware as long as you pass a whole internal USB controller or an external USB hub to the machine before plugging the actual thing in, vs filtering it on connection event.
                    – Mihail Malostanidis
                    Aug 30 at 20:56







                  • 1




                    @Nobody as for encryption, are you encrypting the bootloader? Yes, your files won't be read in the period since you were attacked until you voluntarily enter the key, but the modified bootloader will be waiting to transmit the key offsite (or just inject a payload into the decrypted system)
                    – Mihail Malostanidis
                    Aug 30 at 20:58










                  • That's not the threat scenario here. I seriously doubt there is malware out there trying to attack random (!) people's encrypted non-running os. That would need a significant amount of work for negligible gain. The only way that's a relevant threat is if they are being targeted by a skilled attacker with connections to the school.
                    – Nobody
                    Aug 30 at 21:09










                  • I am speaking of this happening in a purely automated fashion, yeah. On one hand, sure, there's lower hanging fruit. On the other hand, you can't really make a judgement on what kind of stuff you'll encounter in that much of a cesspool.
                    – Mihail Malostanidis
                    Aug 30 at 22:04
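The snapshot comparison from steps 7 to 10 and the "extra credit" diff, as an added example that is not part of the original answer. It assumes the trusted backup and the returned copy are each mounted read-only at a directory on a separate analysis machine; the function names and the sample tree built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each relative path under root to a type-tagged fingerprint."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                if os.path.islink(full):
                    # Record the target; never read through the link.
                    manifest[rel] = "link:" + os.readlink(full)
                elif os.path.isdir(full):
                    manifest[rel] = "dir"
                elif os.path.isfile(full):
                    manifest[rel] = "file:" + file_digest(full)
                else:
                    manifest[rel] = "special"  # device node, FIFO, socket
            except OSError as exc:
                manifest[rel] = "unreadable:" + exc.__class__.__name__
    return manifest


def compare(before, after):
    """Return paths added, removed and changed between two manifests."""
    shared = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in shared if before[p] != after[p]),
    }


def escaping_links(root, manifest):
    """List symlinks whose target would resolve outside the mounted tree."""
    base = os.path.realpath(root)
    flagged = []
    for rel, entry in manifest.items():
        if not entry.startswith("link:"):
            continue
        target = entry[len("link:"):]
        # Absolute targets replace the joined path, so they land on the
        # analysis host's own filesystem and are flagged as well.
        landing = os.path.normpath(
            os.path.join(base, os.path.dirname(rel), target))
        if os.path.commonpath([base, landing]) != base:
            flagged.append(rel)
    return sorted(flagged)


def demo():
    """Build two small constructed trees and diff them."""
    with tempfile.TemporaryDirectory() as before, \
            tempfile.TemporaryDirectory() as after:
        for root in (before, after):
            os.mkdir(os.path.join(root, "Users"))
            with open(os.path.join(root, "Users", "notes.txt"), "w") as fh:
                fh.write("homework\n")
            with open(os.path.join(root, "hosts"), "w") as fh:
                fh.write("127.0.0.1 localhost\n")
        # Constructed changes standing in for what came back from the school.
        with open(os.path.join(after, "hosts"), "a") as fh:
            fh.write("10.0.0.5 filter.school.example\n")
        with open(os.path.join(after, "agent.exe"), "wb") as fh:
            fh.write(b"constructed placeholder bytes")
        os.remove(os.path.join(after, "Users", "notes.txt"))
        os.symlink("../../host-disk", os.path.join(after, "Users", "shortcut"))
        old, new = build_manifest(before), build_manifest(after)
        return compare(old, new), escaping_links(after, new)


if __name__ == "__main__":
    changes, escapes = demo()
    print(changes)
    print("links leaving the tree:", escapes)
```

Because links are recorded by target and never followed, a link planted to point at the host's disks shows up in the report instead of being read through during the comparison.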














                  up vote
                  13
                  down vote













                  Both a burner laptop and a virtual machine are respectable options.
                  Multiboot is not, as any time the hostile os is running it can modify the clean os, with beyond-admin privileges.



                  I feel like virtual machine might be superior in more regards than simple cost:



                  1. The child might benefit from being able to use a better laptop at school. I am talking about both practical benefits such as better quality keyboard and trackpad, bigger and higher resolution/better finish screen, and psychological benefits (no reason to force them to use a bargain bin laptop in front of their peers, this might give the teacher an in to incite mockery of the child from the "paranoid" family)

                  2. The base OS will be clean, so if the laptop is accidentally/necessarily booted in the home/office, the network isn't exposed to the school's dirty installation. It's possible to boot is without network by default.

                  3. The child gets to have their clean personal laptop on their person, which they can use offline/on a mobile connection/wherever, which means they are much less likely to get forced into a situation where they'll do something unfortunate like accessing their personal email account from the school's OS.

                  4. It's easy to inspect it, since you can monitor its network usage externally, or take snapshots of the drive and compare them.

                  However, I wouldn't trust the IT not to mess with the base image. Yet I assume that it wouldn't be ergonomically possible to prevent them from booting the machine unsupervised, on their own time. As such, this is the protocol I would use:



                  1. Install linux or other base OS. Don't give the child any administrative access or BIOS/UEFI access, so that they can't boot from an external device.

                  2. Install virtualization software, and install the required version of windows inside that.

                  3. Create the administrator account on the windows vm in accordance with the requirements.

                  4. Ensure that all updates are installed on the vm.

                  5. Backup the whole linux os drive, and the vm.

                  6. Give the laptop to the school.

                  7. When you get it back, don't boot it, copy the drive again, and treat it as hostile.

                  8. Overwrite the host drive with your backup.

                  9. Extract the vm drive volume (drive volume only, not vm settings) from the hostile image.

                  10. Replace the vm volume on the now trusted laptop with the hostile image's vm volume. Be careful, make sure the volume file doesn't allow them to access any host drive partitions, some formats can include symlinks or full access to host disks/partitions.

                  Now you are basically safe, from the technical standpoint.
                  For extra credit, you can diff the base disk image and the VM volume image with the old one, to see what the school has been up to.



                  The second part is explaining this setup to your child. You can't possibly overdo this. While it's good for them to have confidence in your setup, they must understand just how dangerous the school's VM is. Explain that the threat is comprised of both the school staff, who both see them in person and can have a significant effect on their future, and third parties that can compromise the VM or MITM any network activity from the VM. Explain that neither of these parties mean well or are even neutral, as such "power" corrupts people and is always abused very quickly. Give some graphic examples, such as as all of their private chats being distributed to every teacher, parent, and student, or their webcam and microphone being accessed by strange women and men, including to scout out your home for a robbery, invasion, or kidnapping.



                  Don't forget to include that these consequences can trivially result not only from doing their personal computing inside the VM, but also from not practicing hygiene with the VM, such as running executables from a USB drive that was exposed to the VM.



                  Finally, you need to consider the needs and desires of the child. If they want to use software such as creative software by Adobe, Ableton, or play games, they may need their own Windows VM or boot option, otherwise they will be tempted to use the school VM.



                  Also, this assumes that they only want access to the machine once. If they want repeated physical access this complicates things.






                  share|improve this answer


















                  • 2




                    Multi boot is fine if you encrypt the os, which you should do anyway. Virtualization sets you up for a whole load of trouble: What happens if they are supposed to use non-standard peripherals (in my secondary school we had CNC machines, Lego Mindstorm and some toy factory equipment like a miniature conveyor belt), does USB passthrough actually work reliably? What if they are supposed to use some 3D graphics program for and art project or CAD for some architecture or technology project? And you don't know about that in advance, something might come up 2 years from now.
                    – Nobody
                    Aug 30 at 20:10










                  • @Nobody USB passthrough works almost universally for even the weirdest hardware as long as you pass a whole internal USB controller or an external USB hub to the machine before plugging the actual thing in, vs filtering it on connection event.
                    – Mihail Malostanidis
                    Aug 30 at 20:56







                  • 1




                    @Nobody as for encryption, are you encrypting the bootloader? Yes, your files won't be read in the period since you were attacked until you voluntarily enter the key, but the modified bootloader will be waiting to transmit the key offsite (or just inject a payload into the decrypted system)
                    – Mihail Malostanidis
                    Aug 30 at 20:58










                  • That's not the threat scenario here. I seriously doubt there is malware out there trying to attack random (!) people's encrypted non-running os. That would need a significant amount of work for negligible gain. The only way that's a relevant threat is if they are being targeted by a skilled attacker with connections to the school.
                    – Nobody
                    Aug 30 at 21:09










                  • I am speaking of this happening in a purely automated fashion, yeah. On one hand, sure, there's lower hanging fruit. On the other hand, you can't really make a judgement on what kind of stuff you'll encounter in that much of a cesspool.
                    – Mihail Malostanidis
                    Aug 30 at 22:04












                  up vote
                  13
                  down vote



















                  Both a burner laptop and a virtual machine are respectable options.
                  Multiboot is not, as any time the hostile os is running it can modify the clean os, with beyond-admin privileges.



                  I feel like a virtual machine might be superior in more regards than simple cost:



                  1. The child might benefit from being able to use a better laptop at school. I am talking about both practical benefits such as better quality keyboard and trackpad, bigger and higher resolution/better finish screen, and psychological benefits (no reason to force them to use a bargain bin laptop in front of their peers, this might give the teacher an in to incite mockery of the child from the "paranoid" family)

                  2. The base OS will be clean, so if the laptop is accidentally/necessarily booted in the home/office, the network isn't exposed to the school's dirty installation. It's possible to boot it without network by default.

                  3. The child gets to have their clean personal laptop on their person, which they can use offline/on a mobile connection/wherever, which means they are much less likely to get forced into a situation where they'll do something unfortunate like accessing their personal email account from the school's OS.

                  4. It's easy to inspect it, since you can monitor its network usage externally, or take snapshots of the drive and compare them.

                  However, I wouldn't trust the IT not to mess with the base image. Yet I assume that it wouldn't be ergonomically possible to prevent them from booting the machine unsupervised, on their own time. As such, this is the protocol I would use:



                  1. Install Linux or other base OS. Don't give the child any administrative access or BIOS/UEFI access, so that they can't boot from an external device.

                  2. Install virtualization software, and install the required version of Windows inside that.

                  3. Create the administrator account on the Windows VM in accordance with the requirements.

                  4. Ensure that all updates are installed on the VM.

                  5. Back up the whole Linux OS drive, and the VM.

                  6. Give the laptop to the school.

                  7. When you get it back, don't boot it, copy the drive again, and treat it as hostile.

                  8. Overwrite the host drive with your backup.

                  9. Extract the VM drive volume (drive volume only, not VM settings) from the hostile image.

                  10. Replace the VM volume on the now trusted laptop with the hostile image's VM volume. Be careful: make sure the volume file doesn't allow them to access any host drive partitions; some formats can include symlinks or full access to host disks/partitions.

                  Now you are basically safe, from the technical standpoint.
                  For extra credit, you can diff the base disk image and the VM volume image with the old one, to see what the school has been up to.



                  The second part is explaining this setup to your child. You can't possibly overdo this. While it's good for them to have confidence in your setup, they must understand just how dangerous the school's VM is. Explain that the threat is comprised of both the school staff, who both see them in person and can have a significant effect on their future, and third parties that can compromise the VM or MITM any network activity from the VM. Explain that neither of these parties mean well or are even neutral, as such "power" corrupts people and is always abused very quickly. Give some graphic examples, such as all of their private chats being distributed to every teacher, parent, and student, or their webcam and microphone being accessed by strange women and men, including to scout out your home for a robbery, invasion, or kidnapping.



                  Don't forget to include that these consequences can trivially result not only from doing their personal computing inside the VM, but also from not practicing hygiene with the VM, such as running executables from a USB drive that was exposed to the VM.



                  Finally, you need to consider the needs and desires of the child. If they want to use software such as creative software by Adobe, Ableton, or play games, they may need their own Windows VM or boot option, otherwise they will be tempted to use the school VM.



                  Also, this assumes that they only want access to the machine once. If they want repeated physical access this complicates things.














                  edited Aug 30 at 16:23
                  Nemo
                  1478

                  answered Aug 30 at 13:03
                  Mihail Malostanidis
                  2394
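Step 10 of the answer above warns that a returned volume file may reach host disks or partitions. The following check is an added example, not part of the original answer: it assumes the volume is a VMDK or qcow2 file (the answer names no format), and the function names and sample files are constructed for illustration.

```python
"""Pre-flight check for a VM disk file pulled from an untrusted drive copy."""
import os
import re
import stat
import struct

QCOW2_MAGIC = b"QFI\xfb"
# VMDK createType values that map a physical host disk or partition.
RAW_CREATE_TYPES = {"fulldevice", "partitioneddevice", "vmfsraw",
                    "vmfsrawdevicemap", "vmfspassthroughrawdevicemap"}
CREATE_TYPE_RE = re.compile(r'^\s*createType\s*=\s*"([^"]*)"', re.M | re.I)
EXTENT_RE = re.compile(
    r'^\s*(?:RW|RDONLY|NOACCESS)\s+\d+\s+\w+\s+"([^"]*)"', re.M)
SCAN_BYTES = 1024 * 1024  # descriptors sit at the start of the file


def escapes_directory(name):
    """True if a referenced file name leaves the image's own directory."""
    norm = name.replace("\\", "/")
    return (norm.startswith("/")
            or re.match(r"[A-Za-z]:", norm) is not None
            or ".." in norm.split("/"))


def check_vmdk_descriptor(text):
    findings = []
    for ctype in CREATE_TYPE_RE.findall(text):
        if ctype.lower() in RAW_CREATE_TYPES:
            findings.append(f"VMDK createType {ctype!r} maps a raw host disk")
    for extent in EXTENT_RE.findall(text):
        if escapes_directory(extent):
            findings.append(f"VMDK extent {extent!r} leaves the image directory")
    return findings


def check_qcow2(head, fh):
    if len(head) < 20:
        return ["qcow2 header is truncated"]
    # Bytes 8..19 of the header: backing file offset (u64) and length (u32).
    offset, size = struct.unpack(">QI", head[8:20])
    if not offset:
        return []
    fh.seek(offset)
    name = fh.read(min(size, 1023)).decode("utf-8", "replace")
    return [f"qcow2 image depends on backing file {name!r}"]


def inspect_volume(path):
    """Return reasons not to attach `path` to a VM on the restored host."""
    st = os.lstat(path)  # lstat: never follow a link planted in the copy
    if stat.S_ISLNK(st.st_mode):
        return [f"volume is a symlink to {os.readlink(path)!r}"]
    if not stat.S_ISREG(st.st_mode):
        return ["volume is not a regular file"]
    findings = []
    if st.st_nlink > 1:
        findings.append("volume has additional hard links")
    with open(path, "rb") as fh:
        head = fh.read(SCAN_BYTES)
        if head.startswith(QCOW2_MAGIC):
            findings += check_qcow2(head, fh)
        else:  # plain-text or embedded VMDK descriptor, if there is one
            findings += check_vmdk_descriptor(head.decode("latin-1"))
    return findings


def build_samples(directory):
    """Write four constructed sample volumes and return their paths."""
    clean = ('# Disk DescriptorFile\nversion=1\n'
             'createType="twoGbMaxExtentSparse"\n'
             'RW 4192256 SPARSE "school-s001.vmdk"\n')
    raw = ('# Disk DescriptorFile\nversion=1\n'
           'createType="fullDevice"\n'
           'RW 500118192 FLAT "/dev/sda" 0\n')
    backing = b"/dev/sda2"
    qcow2 = struct.pack(">4sIQI", QCOW2_MAGIC, 3, 112, len(backing))
    qcow2 = qcow2.ljust(112, b"\0") + backing
    paths = {}
    for name, data in (("clean", clean.encode()), ("rawdisk", raw.encode()),
                       ("backed", qcow2)):
        paths[name] = os.path.join(directory, name + ".img")
        with open(paths[name], "wb") as fh:
            fh.write(data)
    paths["link"] = os.path.join(directory, "link.img")
    os.symlink("/dev/sda", paths["link"])
    return paths


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for label, path in build_samples(tmp).items():
            print(label, inspect_volume(path) or "no findings")
```

A non-empty result is a reason to rebuild the volume from the backup rather than attach the recovered file; an empty result covers only the references checked here.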

















                  up vote
                  9
                  down vote













                  Big No!



                  While most everything has been covered, there is still the issue of child safety. Every year there are multiple lawsuits about schools spying on kids through their webcams. While you might think that they won't be able to do that with what they plan on installing, there is a good chance that the AV will allow them to.



                  Take this case for instance: https://www.cbsnews.com/news/610k-settlement-in-school-webcam-spy-case/



                  In this case the school thought that the kid might be selling drugs and essentially spied on him through his webcam. What if the computer was in your child's room while they changed and an administrator was watching it?



                  Additionally, you have no idea how safe their system is. Even if they aren't going to, how do you know that they won't be hacked, or are already hacked? Do not let the school install anything on your kid's computer.



                  The best way to prevent that would be to either give them a Chromebook for school, and lock it down with parental controls, or prevent their account from installing programs and not give them a password for an account that can.
















                      answered Aug 29 at 20:08
                      hairydresden
                      1984




















                          up vote
                          9
                          down vote













                          To add to the others: Have a look at the list:




                          They want to install Office, Outlook, an AV and some site certificates.




                          Why?



                          Installing Office means teaching a dependency on a big vendor early. The teachers themselves should teach in a way that it works in LibreOffice as well or even other office programs. Most things done in schools do not use the advanced features of a special office suite anyway. A media competent teacher should focus on teaching techniques, not programs, which can be applied to different similar programs. It is way more useful to teach how to find out which button makes the text bold than learning by heart how the button looks in a specific MS Office version.



                          Why do they need Outlook? There are several good e-mail programs, some even free*. I would guess Outlook is not the program of choice for most pupils and in my experience most typical users do not use an e-mail program at all but web mail.



                          AV is disputed anyway, read the lengthy discussions about how AV can be "snake oil", exploits in AV programs and the general concept of making a system more insecure by running a highly privileged complex program.

                          While AVs were often recommended in the past, many experts today recommend using only what the system brings with it (i.e. Windows Defender for Windows).

                          Even when you want a possibly better AV, you should decide which one, not the IT person at the school. Especially since some solutions are subscription based and try to sell their subscription after a free trial period and switch themselves off if you do not buy it.



                          "some site certificates" sounds like "Man in the middle tools". What might be okay on their network is a real security risk when the personal laptop is used somewhere else, because you do not know who may have the keys. For example, some MITM security appliances use intermediate CAs, which are not limited to the single appliance, but to all appliances sold by the company. This means with the laptop prepared by the school, the traffic may be sniffed in other networks as well.



                          Giving admin access is a bad idea anyway (do you know what else they might be installing or if their media are infected?) and teaches the children to give persons access rights just because they insist on it.
                          The next time the password inspector calls them, they will give admin access as well, because you do so, don't you?



                          So either they should hand out school laptops or work with what the children have, but do not demand to be admin and install stuff.



                          * both as in beer and as in freedom
























                          • 2




                            This sounds like a personal opinion, rather than an answer to the question.
                            – Berend
                            Aug 29 at 13:16






                          • 6




                            These are some arguments for the question in the OP. It is nothing definitive, as there is no definitive answer to a "should I ..." question. If you want to nitpick, you could flag the question as "opinion based", but I think the answers do the best to be general arguments instead of just opinionated suggestions.
                            – allo
                            Aug 29 at 13:22






                          • 1




                            I think your answer could be improved by rewording some of your arguments, and leaving out others. For instance, the Office/LibreOffice argument may not be opinionated, but the question isn't about which one of these should be taught. Outlook was never a good e-mail program is definitely opinionated. AV is disputed anyway (source?). Do you trust teachers: Who said teachers are the ones safeguarding private keys, the question is about the IT department.
                            – Berend
                            Aug 29 at 13:34






                          • 6




                            At risk of more "opinion based" responses...My experience of school IT departments has been largely unimpressive. Maintenance and monitoring rather than info-sec. There is no way I would grant admin-access to my personal device to a school IT dept in any lasting capacity. By all means provide the software and I'll install it for my kid. Hell, I'll even sit and watch while IT does it on my login. But nobody gets admin-rights over my property but me. That's the first rule of secret-keeping right there. "A secret is only secret if nobody else knows it."
                            – Ruadhan2300
                            Aug 29 at 14:42







                          • 2




                            @Berend If the m$ office would be a free, open-source software, it would be acceptable. But it is not. Next time you will be obligated to use exclusively volkswagen cars, it will be indoctrinated in you from early childhood, would it be okay, hm?
                            – peterh
                            Aug 30 at 15:02














                          up vote
                          9
                          down vote



























                          To add to the others: Have a look at the list:




                          They want to install Office, Outlook, an AV and some site certificates.




                          Why?



Installing Office means teaching a dependency on a big vendor early. The teachers themselves should teach in a way that it works in LibreOffice as well or even other office programs. Most things done in schools do not use the advanced features of a special office suite anyway. A media-competent teacher should focus on teaching techniques, not programs, which can be applied to different similar programs. It is way more useful to teach how to find out which button makes the text bold than learning by heart how the button looks in a specific MS Office version.

Why do they need Outlook? There are several good e-mail programs, some even free*. I would guess Outlook is not the program of choice for most pupils and in my experience most typical users do not use an e-mail program at all but web mail.

AV is disputed anyway; read the lengthy discussions about how AV can be "snake oil", exploits in AV programs and the general concept of making a system more insecure by running a highly privileged complex program.

While AVs were often recommended in the past, many experts today recommend using only what the system brings with it (i.e. Windows Defender for Windows).

Even when you want a possibly better AV, you should decide which one, not the IT person at the school. Especially since some solutions are subscription-based and try to sell their subscription after a free trial period and switch themselves off if you do not buy it.

"some site certificates" sounds like "Man in the middle tools". What might be okay on their network is a real security risk when the personal laptop is used somewhere else, because you do not know who may have the keys. For example some MITM security appliances use intermediate CAs, which are not limited to the single appliance, but to all appliances sold by the company. This means with the laptop prepared by the school, the traffic may be sniffed in other networks as well.



                          Giving admin access is a bad idea anyway (do you know what else they might be installing or if their media are infected?) and teaches the children to give persons access rights just because they insist on it.
                          The next time the password inspector calls them, they will give admin access as well, because you do so, don't you?



                          So either they should hand out school laptops or work with what the children have, but do not demand to be admin and install stuff.



                          * both as in beer and as in freedom















edited Aug 30 at 8:10
answered Aug 29 at 12:22
allo







                          • 2




                            This sounds like a personal opinion, rather than an answer to the question.
                            – Berend
                            Aug 29 at 13:16






                          • 6




                            These are some arguments for the question in the OP. It is nothing definitive, as there is no definitive answer to a "should I ..." question. If you want to nitpick, you could flag the question as "opinion based", but I think the answers do the best to be general arguments instead of just opinionated suggestions.
                            – allo
                            Aug 29 at 13:22






                          • 1




I think your answer could be improved by rewording some of your arguments, and leaving out others. For instance, the Office/LibreOffice argument may not be opinionated, but the question isn't about which one of these should be taught. Outlook was never a good e-mail program is definitely opinionated. AV is disputed anyway (source?). Do you trust teachers: Who said teachers are the ones safeguarding private keys, the question is about the IT department.
                            – Berend
                            Aug 29 at 13:34






                          • 6




                            At risk of more "opinion based" responses...My experience of school IT departments has been largely unimpressive. Maintenance and monitoring rather than info-sec. There is no way I would grant admin-access to my personal device to a school IT dept in any lasting capacity. By all means provide the software and I'll install it for my kid. Hell, I'll even sit and watch while IT does it on my login. But nobody gets admin-rights over my property but me. That's the first rule of secret-keeping right there. "A secret is only secret if nobody else knows it."
                            – Ruadhan2300
                            Aug 29 at 14:42







                          • 2




                            @Berend If the m$ office would be a free, open-source software, it would be acceptable. But it is not. Next time you will be obligated to use exclusively volkswagen cars, it will be indoctrinated in you from early childhood, would it be okay, hm?
                            – peterh
                            Aug 30 at 15:02
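
The certificate concern raised in the answer above can be checked on the laptop itself by recording which CA certificates Windows trusts before the school's install and comparing afterwards. This is an added example, not code from the thread; the function names and the CSV path in the usage comments are assumptions.

```powershell
# Added example, not from the thread. Function names and the CSV path shown in
# the usage comments are assumptions chosen for illustration.

# Certificate stores that decide which certificate authorities Windows trusts.
$TrustStores = @(
    'Cert:\LocalMachine\Root',  # machine-wide trusted root CAs
    'Cert:\LocalMachine\CA',    # machine-wide intermediate CAs
    'Cert:\CurrentUser\Root',   # per-user trusted root CAs
    'Cert:\CurrentUser\CA'      # per-user intermediate CAs
)

function Get-TrustStoreSnapshot {
    # Emits one record per certificate per store.
    foreach ($store in $TrustStores) {
        foreach ($cert in (Get-ChildItem -Path $store)) {
            # The Basic Constraints extension states whether this certificate
            # is allowed to sign other certificates (i.e. act as a CA).
            $bc = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            } | Select-Object -First 1

            [pscustomobject]@{
                Store      = $store
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter.ToString('yyyy-MM-dd')
                # Anything in a Root store is a trust anchor even if this is False.
                IsCA       = [bool]($bc -and $bc.CertificateAuthority)
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }
        }
    }
}

function Save-TrustStoreSnapshot {
    # Writes the current state of the trust stores to a CSV baseline.
    param([Parameter(Mandatory)][string]$Path)
    Get-TrustStoreSnapshot |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-TrustStoreSnapshot {
    # Returns every certificate present now that was not in the baseline,
    # keyed on store + thumbprint so a move between stores is also reported.
    param([Parameter(Mandatory)][string]$BaselinePath)

    $known = @{}
    foreach ($row in (Import-Csv -Path $BaselinePath)) {
        $known["$($row.Store)|$($row.Thumbprint)"] = $true
    }

    Get-TrustStoreSnapshot | Where-Object {
        -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)")
    }
}

# Usage (paths are placeholders):
#   Before the install:  Save-TrustStoreSnapshot -Path 'E:\baseline-certs.csv'
#   After the install:   Compare-TrustStoreSnapshot -BaselinePath 'E:\baseline-certs.csv' |
#                            Sort-Object Store, Subject | Format-Table -AutoSize
```

Keep the baseline file on removable media rather than on the laptop, since anyone with administrative access could alter it. Windows can also add roots from Microsoft's own root program on demand, so review each new entry rather than treating every difference as hostile.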






















                          up vote
                          7
                          down vote



























                          To minimize your hassle, I suggest you inquire about minimum specs and buy your child a "work" laptop to be used only for school. Then you just let them do whatever they want. Then the school is at fault for any problems and you have no further work with it.



If you are budget-strapped, then the next best solution, which still gives you complete separation and tamper-security of the home OS at the cost of some additional work, is this:

1. Back up.

2. Inquire/think about minimum hard disk space for a school OS.

3. Make a partition that large/shrink the rest.

4. Install Windows on it.

5. Encrypt the home OS (VeraCrypt can encrypt Windows without reinstalling, some Windows versions may have that ability built in, and many Linux distributions offer encryption during installation).

6. Back up again.

7. Let the school do whatever they want. Maybe put a sticky note on the computer explicitly telling them to leave the partition scheme alone and that the encrypted partition is private data (no need to elaborate - an OS is data too). Maybe set up the computer to not display the boot manager but just boot the school OS immediately.

8. If they messed up the encrypted install, use the backup to fix it. Enable the boot menu again if you disabled it.

                          I'm not quite sure if you need a second license of Windows for that.



                          Otherwise you will need to compromise and will probably have much more work in the long term.















edited Aug 30 at 20:14
answered Aug 29 at 14:02
Nobody







                          • 1




                            VeraCrypt can be installed on all Windows versions.
                            – Joshua
                            Aug 29 at 18:44






















                          up vote
                          7
                          down vote














                          Should I let my child's school have access to my kid's personal laptop?




                          No.




                          My kid is starting 6th grade and the school requires him to get a laptop and bring it to school.




                          No.



The school can bulk buy books, stationery, tools and computers at a discount and tax free. How is it cheaper or better for each parent to know: what to buy, where to go, how to set it up ...



                          The school can provide a Lenovo 100e (Windows 10 - S-Mode) or a Chromebook (Chrome OS) for under $200. Perhaps a refundable deposit is appropriate but the cost will be less than having each parent spend the time and money to buy whatever independently.



                          Much like each student receives the same books and opportunities each should be provided with an equal computer. You don't want some students to be way ahead while others are way behind.



                          If there is homework the computer can be safely secured in the school's locker and the child can access the same material on their home computer, otherwise much like their books they can bring the computer home with them.



                          If the parent supplies the computer and it breaks down what does the child do, return home and grab another one?



                          If the school supplies the computer and there is any problem (including breakage or forgetting it at home) a new computer can be provided and the child can be back to work in a minute (with all their files the same as on the other computer).




                          Now the school IT department wants to install some software on the laptop and is asking for administrative access.




                          It is understandable. The child needs to get the same software as everyone and the school has a bulk license. They must also secure Internet and mail access - the school is responsible for your child's education and safety.



                          That is why the school should provide the equipment and stay out of your child's personal effects unless there's a legitimate safety concern - implementing an unfair and poorly thought out plan with unfair invasions of privacy justifies nothing. On the child's personal computer (and phone) is private information and anything else permitted by the parent, that's the parent's responsibility. The school needs to stay on their own side of the firewall.




                          I feel that on principle this is not right, as it's not the school's device, so school staff shouldn't have access.




                          True, it's a warrantless search.




                          Additionally, I don't have any sense of how good the school's security practices are. What if they inadvertently install malware?




                          True. You also don't know if one particular software has bugs with whichever random hardware you supply. It's an unnecessary multiplication of work with diminished value.



                          When the school supplies the computer they can just line them up and hand them out. When each computer is parent-supplied they might have a ready-made install disk, but you don't know what that will do to existing software or parent-installed protections.



                          If the child doesn't have to supply the key to their home why the key to their computer, their privacy.




                          However, if I refuse then I risk being "that parent" and I'm setting myself up for a few years of headaches as any time the school wants to add new software, I'll have to do it myself.




                          Be that parent, the one who spoke up for their child.



                          If the school supplies the computer they just hand the old one in and take the new one with the updated software, alternatively it can be installed automatically over the school's WiFi. Handing over the child's personal computer every time there's an update means hours a month without it. Hardly a better solution.




                          What would you do?




                          Speak up. Pay less. Get a better solution that makes sense. Protect your privacy.



                          You teach your children to say no to adults imposing the wrong thing - you can say no too.






























                            up vote
                            7
                            down vote
























                              answered Aug 31 at 18:21









                              Rob

                              28716
























                                  up vote
                                  6
                                  down vote













                                  If I were a parent, I would firmly say no to this. This is mainly because the laptop is paid by the parent. You should have control over what you buy, and I believe that it is already pushing it to require every parent to purchase a laptop for their child and have them bring it to school (especially if you believe that technology doesn't benefit learning).



                                  I understand that they would want certain applications installed on the computer, productivity applications such as Office are reasonable (although, you could install it yourself). With Windows Defender and a good network firewall, another AV shouldn't be needed.



                                  A site certificate is one of the main problems I see in this, since it is by far the most invasive. All usernames, passwords and other personal details submitted through the school network are visible to the school. If a security breach occurs, it is possible that this information could be part of it. Do research on what firewall system the school uses and their past security track record.



                                  If you agree to this, at the very least, ask for a list of software being installed and ask to be kept updated when new software is installed on the system. Do research on the software and their credibility. Regularly check on the Windows programs list.



                                  I am a student, I have seen the way that my school board has dealt with their network security. The network is filled with security problems: accessibility of development servers on the public internet, directory traversal attacks, privilege escalation on certain web services, etc. There is a reason for this: they buy from the lowest bidder. Given this, make sure that all software that they install is from reputable companies.



                                  Another comment: Some courses have a specific requirement to use Microsoft Office, so installing other office software may not be an option.
















                                  answered Aug 30 at 0:32









                                  user3674603

                                  611
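
One way to carry out the "ask for a list and regularly check" advice in the answer above, as an added example that is not part of the original answer: a PowerShell script that snapshots the Windows trusted root certificate stores and the installed-programs list before the laptop is handed over, then reports what was added or removed afterwards. The script, its parameter names and the baseline path are assumptions made for illustration.

```powershell
# Added example: record what the laptop trusts and has installed, then diff later.
# Parameter names and the default baseline path are hypothetical.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode,
    [string]$BaselinePath = (Join-Path $env:USERPROFILE 'laptop-baseline.xml')
)

function Get-RootCertInventory {
    # Trusted root stores for the machine and the current user. A certificate
    # added so that the school's filter can inspect HTTPS traffic shows up here.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    Get-ChildItem -Path $stores |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = 'RootCert'
                Key    = $_.Thumbprint
                Name   = $_.Subject
                Detail = "issuer=$($_.Issuer); expires=$($_.NotAfter.ToString('yyyy-MM-dd'))"
            }
        } |
        Sort-Object -Property Key -Unique   # the user view repeats machine-wide roots
}

function Get-ProgramInventory {
    # The same registry locations that feed the Windows "installed programs" list.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = 'Program'
                Key    = "$($_.DisplayName)|$($_.DisplayVersion)"
                Name   = $_.DisplayName
                Detail = "version=$($_.DisplayVersion); publisher=$($_.Publisher)"
            }
        } |
        Sort-Object -Property Key -Unique
}

$current = @(Get-RootCertInventory) + @(Get-ProgramInventory)

if ($Mode -eq 'Snapshot') {
    # Run this before the laptop leaves your hands.
    $current | Export-Clixml -Path $BaselinePath
    "Saved $($current.Count) entries to $BaselinePath"
    return
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -Mode Snapshot before handing the laptop over."
}
$baseline = @(Import-Clixml -Path $BaselinePath)

# '=>' marks entries present now but not in the baseline; '<=' marks the reverse.
Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Kind, Key -PassThru |
    Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' } } },
                  Kind, Name, Detail |
    Sort-Object -Property Change, Kind, Name |
    Format-Table -AutoSize -Wrap
```

Keep the baseline file somewhere other than the laptop (a USB stick, for instance), since anyone with administrative access to the machine could change it.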











                                  • 1




                                    I do not think Windows Defender and a good network firewall are sufficient to protect a child. How do you want to configure that firewall? And Windows Defender isn't the most reliable protection I've ever seen, to be polite.
                                    – Ben
                                    Aug 30 at 5:18






                                  • 2




                                    "Some courses have a specific requirement to use Microsoft Office": such courses would be a poor teaching experience and there's no reason for the parent to facilitate such assault on their children's education.
                                    – Nemo
                                    Aug 30 at 16:11










                                  • "This is mainly because the laptop is paid by the parent." What difference does that make? If they are being invasive with monitoring software or whatever, I don't care if it's a company system or my system: it's invasive and I don't want that. It could be a (partial) reason to leave the company or school, depending on what they do exactly. It's not hard to not be creepy, and that does not depend on the ownership.
                                    – Luc
                                    Aug 30 at 17:52







                                  • 1




                                    @Ben Those two are a good amount of software protection measures against software attacks. The security impact of additional AV can be either negative or positive depending on whom you ask (I have reason to believe negative). Much more important are human protection measures, like educating the child about common threats and how to avoid them. If you intend to use spyware and/or censorship programs to raise your kid then that's an entirely different topic (I'm in favour of fucking talking to the child and doing computer activities together).
                                    – Nobody
                                    Aug 30 at 20:01










                                  • @Ben From my experience at school, there isn't much you would want to do that could give you malware. As long as you don't open random email attachments or download sketchy files, you'll be fine.
                                    – user3674603
                                    Aug 30 at 20:19






















                                  up vote
                                  4
                                  down vote













                                  While many answers here outline potential dangers arising from giving someone admin access, it should also be noted that it's also a reasonable tool for the job the school IT is about to do. That's what I would request from parents if I were to do it, since explaining how to properly configure their own system would be a dead end. 80% of them wouldn't even know what a certificate is.



                                  It's true that admin rights can be easily abused, but assuming you trust your school, I wouldn't worry about it too much. Think of it this way: you're asking yourself whether those guys will abuse their access to a laptop, but you have no problem leaving your kid with them for the whole day, every day. Are you sure the laptop is the thing you need to worry about here?



                                  Incidentally, even if you choose to educate school IT about better practices, their Outlook licenses won't transform into Linux seminars for teachers. I agree that it's a noble cause to fight for, but in your situation it's far too late to actually change anything.














                                      edited Aug 30 at 16:39

























                                      answered Aug 30 at 16:33









                                      Dmitry Grigoryev





















                                          up vote
                                          3
                                          down vote













                                          The school "needs to install certificates"? That definitely is a red flag.



                                          As for installing Office, I would say install a copy on the computer for him rather than let the school do it. While some schools do offer this service (the community college does offer free access to Microsoft Office 365, which can be accessed online, although using the apps would be better), again that is a red flag. Install or subscribe to Office 365 yourself (for which there is a student discount) or go open source and use LibreOffice.



                                          The fact that your school wants to do this seems less of a service to you the parent and more of an invasion of privacy upon the students, something I would seriously not consent to especially if there are ulterior motives which it sounds like there are.



                                          The most access your school should have to get into your child's computer should just be the Wi-Fi password. Beyond that, get something in writing explaining exactly what they want to put on there.



                                          If they go over the top (which given the paranoia of a lot of school districts) and try to strong-arm you or your kids into doing it by getting the student resource officer involved (who is generally employed from the local police department), assert you legally have the right to say no. Tell them to get a warrant.



                                          If an arrest is made to force an illegal search of the device, that is illegal.



                                          Because you have consented to let the school have access to your child's computer, you have given the school or school district the right to let the police access that device via a third party that now has control over the device. (Those certificates can be used by the school to get into the computer.)



                                          In the future, NEVER consent to letting strangers (even if it is your kid's school) access your computer without thoroughly reading the fine print.



                                          Know your rights so that the school doesn't use local law enforcement, or vice versa, against you or your children.
















                                          answered Aug 30 at 17:55









                                          JRCharney












                                          • Installing certificates is a SOP in any corporate environment. They probably have self- or PKI-signed certificates for their internal systems, and they might install a certificate to enable SSL-interception (which has its own discussion of merit, but is also SOP).
                                            – Tom
                                            Sep 5 at 11:26
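
The first answer's advice to check the Windows programs list, and the certificate discussion in the answer and comment above, can be combined into a before/after audit. The PowerShell script below is an added example, not something posted in the thread; the file name Audit-Laptop.ps1 and the JSON snapshot layout are assumptions made for illustration.

```powershell
# Audit-Laptop.ps1 (hypothetical name) - added example, not from the thread.
#   .\Audit-Laptop.ps1 -Mode Snapshot -Path .\before.json   # before handing the laptop over
#   .\Audit-Laptop.ps1 -Mode Compare  -Path .\before.json   # after it comes back
param(
    [Parameter(Mandatory)][ValidateSet('Snapshot', 'Compare')][string]$Mode,
    [Parameter(Mandatory)][string]$Path
)

function Get-InstalledProgram {
    # The classic "Programs and Features" list is built from these Uninstall
    # keys: 64-bit, 32-bit on 64-bit Windows, and the current user's own key.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Id        = "$($_.DisplayName)|$($_.DisplayVersion)"
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
            }
        } | Sort-Object Id -Unique
}

function Get-RootCertificate {
    # A certificate in a Root store is trusted to vouch for any website,
    # which is what TLS interception depends on. The CurrentUser view also
    # shows machine-wide roots, so a new machine root is reported twice.
    foreach ($store in 'LocalMachine', 'CurrentUser') {
        Get-ChildItem -Path "Cert:\$store\Root" | ForEach-Object {
            [pscustomobject]@{
                Id         = "$store|$($_.Thumbprint)"
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter.ToString('yyyy-MM-dd')
                Thumbprint = $_.Thumbprint
            }
        }
    }
}

function Get-Snapshot {
    [pscustomobject]@{
        Taken     = (Get-Date).ToString('s')
        Programs  = @(Get-InstalledProgram)
        RootCerts = @(Get-RootCertificate)
    }
}

function Compare-ById($Before, $After) {
    # Return the entries of $After whose Id does not occur in $Before.
    $known = @{}
    foreach ($item in $Before) { $known[$item.Id] = $true }
    $After | Where-Object { -not $known.ContainsKey($_.Id) }
}

if ($Mode -eq 'Snapshot') {
    Get-Snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
    Write-Host "Baseline written to $Path"
}
else {
    $before = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $after  = Get-Snapshot
    $newPrograms = @(Compare-ById $before.Programs  $after.Programs)
    $newRoots    = @(Compare-ById $before.RootCerts $after.RootCerts)

    Write-Host "Programs added since $($before.Taken): $($newPrograms.Count)"
    $newPrograms | Format-Table Name, Version, Publisher -AutoSize | Out-Host

    Write-Host "Trusted root certificates added: $($newRoots.Count)"
    $newRoots | Format-List Store, Subject, Issuer, NotAfter, Thumbprint | Out-Host
}
```

Run it under the child's account as well, because the per-user registry key and the CurrentUser certificate store reflect whoever is logged in. Windows can also add Microsoft-distributed roots on demand, so a new root is a prompt to ask the school what it is for rather than proof of interception.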


























                                          up vote
                                          2
                                          down vote













                                          You're trading control for convenience.
                                          You should use the laptop only for his school use and nothing else as you have no idea what they will put on it. As there will be nothing personal on it now or in the future, I think overreacting to this situation would be bad. Treat it like a burner phone. It might feel wrong, but would it be any better if they gave out school laptops already loaded and your child used it? No. You wouldn't even blink.



                                          It's like letting someone else change the oil in your car. You could do it or you could let someone do it maybe right, wrong, or screw something up with your car. You really don't even know if they changed the oil unless you check or what oil they put in it.
















                                              answered Aug 29 at 14:08









                                              Chad Horton

                                              211




                                                  up vote
                                                  2
                                                  down vote













If anyone wants administrative access to my personal computer, I always require that I acknowledge what they want to do with that privilege. The degree of detail depends on who the person is, and for the IT department of a school, I will demand that I acknowledge the following:

• What exact software, including versions, they're going to install; what such software is intended to be used for; whether it can be cleanly removed afterwards

• What certificates they're going to install; what the purpose of the installation of such certificates is (what they're meant to be); whether the certificates are signed by a trusted party (VeriSign, etc.) or are handcrafted

IMO, some level of monitoring from parents would be good for a kid/child, but digital surveillance from a party that may or may not be directly responsible for the child's activities could be a nightmare.

From my experience, school IT departments usually suck at what they're supposed to master. I have even hacked into the online management system of my middle school twice (and dropped their database). So as general advice, it's better to reject requests for administrative access to any device you own by the IT department of a school, or get a "burner device" as suggested in other answers.

If it's not, or hardly, possible to reject the request or get a "burner device", I would consider the applicability of the following options:

• Demand that the software be provided for me to perform evaluation and installation on my own

• Create a full system backup (also restore points for Windows) for later restoration

• Install additional software to monitor / limit / isolate the "school software"

• Watch the whole setup process

In addition, these factors must be taken into account before proceeding:

• "Man in the middle" attack made possible by untrusted certificates

• AV software conflict

• Privacy leak (what software uploads what to where? you don't know)

Summing up, it's important to separate one's "work (or study) environment" and "personal area", and set different trust levels to different governing parties.






                                                      answered Sep 3 at 6:29









                                                      iBug

                                                      1616
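
The two questions in the answer above (what software was installed, and which certificates) can also be checked after the fact. The following PowerShell script is an added example, not part of the original answer: it records the trusted certificate stores and the installed programs before the school's setup and lists what changed afterwards. The `E:\laptop-baseline` folder and the function names are assumptions.

```powershell
# Added example: run with -Mode Snapshot BEFORE handing the laptop over,
# then with -Mode Compare once it comes back.
param(
    [Parameter(Mandatory)][ValidateSet('Snapshot', 'Compare')][string]$Mode,
    # Hypothetical folder; keep it on removable media so an admin session cannot edit it.
    [string]$Dir = 'E:\laptop-baseline'
)

# Stores that decide which TLS server certificates the machine will accept.
$certStores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
              'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'

function Get-TrustedCert {
    foreach ($store in $certStores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                # Subject equal to issuer: a root that vouches for itself.
                SelfIssued = [string]($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter.ToString('yyyy-MM-dd')
            }
        }
    }
}

function Get-InstalledProgram {
    # Classic installers register here; Store/MSIX apps are not covered by these keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        ForEach-Object {
            # Cast to string so a missing value compares equal to the empty CSV field.
            [pscustomobject]@{
                Name      = [string]$_.DisplayName
                Version   = [string]$_.DisplayVersion
                Publisher = [string]$_.Publisher
            }
        } |
        Sort-Object Name, Version, Publisher -Unique
}

if ($Mode -eq 'Snapshot') {
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    Get-TrustedCert      | Export-Csv -Path "$Dir\certs.csv"    -NoTypeInformation
    Get-InstalledProgram | Export-Csv -Path "$Dir\programs.csv" -NoTypeInformation
    Write-Host "Baseline written to $Dir"
}
else {
    # '=>' marks entries present now but absent from the baseline.
    $newCerts = Compare-Object -ReferenceObject (Import-Csv -Path "$Dir\certs.csv") `
                               -DifferenceObject (Get-TrustedCert) `
                               -Property Store, Thumbprint -PassThru |
                Where-Object SideIndicator -eq '=>'

    $newPrograms = Compare-Object -ReferenceObject (Import-Csv -Path "$Dir\programs.csv") `
                                  -DifferenceObject (Get-InstalledProgram) `
                                  -Property Name, Version, Publisher -PassThru |
                   Where-Object SideIndicator -eq '=>'

    Write-Host 'Certificates added to the Root/CA stores since the baseline:'
    $newCerts | Format-Table Store, Subject, Issuer, SelfIssued, NotAfter, Thumbprint -AutoSize -Wrap

    Write-Host 'Programs added or upgraded since the baseline:'
    $newPrograms | Format-Table Name, Version, Publisher -AutoSize
}
```

A new entry is not by itself a sign of interception, since Windows also adds roots from Microsoft's own trusted root program on demand. What deserves a question to the school is a self-issued root in a `Root` store whose subject names the school or a filtering product, because that is the kind of certificate that makes the "man in the middle" case in the answer possible.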




                                                          up vote
                                                          1
                                                          down vote













I would add that the child should be told to only use that computer for school purposes (don't buy things from it, play games, download stuff, or even really use it with other accounts). After they graduate or if it becomes redundant or replaced, reinstall the original OS (with Windows, there's a wipe-disk option on the install media -- use it) to ensure that you do not leave trackers or spyware on the device (though this results in total data loss unless your files are backed up). Be careful if doing such a backup since you'd only want to transfer files that you know are yours.

Aside from the certificates being a huge tip that there's probably MITM going on (snooping on allegedly-encrypted web traffic that SHOULD be protected -- like logins or shopping) or weird/unnecessary "security" features, it is apparently quite possible to install software that cannot be detected or uninstalled (registry hacks can do this, or rootkits can be used, although the latter might be noticeable to another antivirus).

An archive binge through something like TuxedoJack's Reddit posts about tech support will also tell you some of the things that they can do with your devices -- and not just on school grounds. This can include tracking, remote reading of your files, keylogging, and even remote BSOD capability, especially if it also uses a VPN (note also that even independent antivirus scans from alternate boot material may not find commercial versions of such software, for security reasons or because the software may not be aware of all such tools!). There are numerous stories of people who have tracked a stolen computer that was not "nuked" with a fresh install. (And, for that matter, some software can run from the BIOS/UEFI instead, but there's not a good way to prevent that. It is better to hope that they don't have that sort of capability than to try to detect it.)






                                                              answered Sep 1 at 0:38









                                                              RDragonrydr

                                                              312




                                                                  up vote
                                                                  1
                                                                  down vote













                                                                  As already stated in other answers, creating a virtual machine for the school environment may be the optimal answer. It costs nothing in additional hardware, keeps the school environment isolated from the personal environment, allows the child full-time access to the best hardware you can budget, and allows the school to do as they wish with the VM, over which you/your child can still maintain supervisory control. The host O/S doesn't need to be Linux; it can be whatever you/your child prefers; there are VM solutions (like VMware) that can host Linux or Windows on any other popular O/S (Apple, Windows, Linux). Windows has its own VM solution, although there may be licensing/price considerations - you need at least a Pro edition to be a Hyper-V host. If the guest O/S is Windows, there may again be a licensing consideration. Even with those considerations, it may be your least cost/most expedient solution that satisfies everyone's concerns/requirements.






                                                                      answered Sep 2 at 21:36









                                                                      Zenilogix

                                                                      1363




                                                                          up vote
                                                                          0
                                                                          down vote













The easiest solution (outside of getting a burner laptop) is to do the following:

1. Re-format the machine

2. Let the school do whatever they want with the laptop, for however long they want

3. Re-format the machine again and this time only install the software that you actually need for school work

This lets you have your cake and eat it too: the school's IT department thinks your laptop runs their software while in reality it only runs software approved by yourself.






                                                                          share|improve this answer


































answered Sep 4 at 18:49
JonathanReez
1544




















up vote
0
down vote

I am a security professional. There is a very simple answer: If someone else has administrative access to your device, it is not your device anymore.

A relatively easy solution would be to install a "for school" VM and give the school IT team admin access inside that VM.

Some longer explanations:

No, checking afterwards isn't enough against a malicious user. If you trust the school enough that you assume they are not malicious, you can be ok with checking their work. A malicious actor has dozens of ways of hiding rootkits or malware in ways that nothing short of a full forensics will find.

The school request is reasonable as they want to ensure the same environment exists for every kid. They should not have any reason to be opposed to having a separate (VM) environment.






























answered Sep 5 at 11:24
Tom
4,191628











• Unfortunately, most of this answer is already covered in the 24 other answers.
  – schroeder♦
  Sep 5 at 12:29
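"Checking their work", as the answer above puts it, can be done by diffing an inventory taken before the hand-over against one taken afterwards. The following is an added example, not part of the original answer; it assumes a Windows laptop, and the function and file names are illustrative. In line with the answer's caveat, it shows what a cooperative administrator changed and will not reveal a rootkit.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell
# prompt. Function names and the before.json / after.json paths are assumptions.

function Get-DeviceSnapshot {
    # Registry locations where installed programs register themselves.
    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    [ordered]@{
        # Trusted root CAs: whoever holds the key of an added root can issue
        # certificates this machine will accept for any site.
        RootCerts = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
            ForEach-Object { "$($_.Thumbprint) $($_.Subject)" } | Sort-Object -Unique)
        Software  = @(Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object DisplayName |
            ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" } | Sort-Object -Unique)
        # Services and scheduled tasks are the usual ways software keeps running.
        Services  = @(Get-CimInstance Win32_Service |
            ForEach-Object { "$($_.Name) [$($_.StartMode)] $($_.PathName)" } | Sort-Object)
        Tasks     = @(Get-ScheduledTask |
            ForEach-Object { "$($_.TaskPath)$($_.TaskName)" } | Sort-Object)
        # S-1-5-32-544 is the built-in Administrators group on any language edition.
        Admins    = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
            ForEach-Object { $_.Name } | Sort-Object)
    }
}

function Compare-DeviceSnapshot {
    param(
        [Parameter(Mandatory)] [string]$BeforePath,
        [Parameter(Mandatory)] [string]$AfterPath
    )
    $before = Get-Content $BeforePath -Raw | ConvertFrom-Json
    $after  = Get-Content $AfterPath  -Raw | ConvertFrom-Json

    foreach ($category in $before.PSObject.Properties.Name) {
        $old = @($before.$category)
        $new = @($after.$category)
        # Entries present only in the later snapshot.
        foreach ($item in ($new | Where-Object { $_ -notin $old })) {
            [pscustomobject]@{ Category = $category; Change = 'added'; Item = $item }
        }
        # Entries present only in the earlier snapshot.
        foreach ($item in ($old | Where-Object { $_ -notin $new })) {
            [pscustomobject]@{ Category = $category; Change = 'removed'; Item = $item }
        }
    }
}

# Before the hand-over (keep before.json off the laptop, e.g. on a USB stick,
# so it cannot be edited by whoever has admin access in the meantime):
#   Get-DeviceSnapshot | ConvertTo-Json -Depth 3 | Set-Content before.json
# After the laptop comes back:
#   Get-DeviceSnapshot | ConvertTo-Json -Depth 3 | Set-Content after.json
#   Compare-DeviceSnapshot -BeforePath before.json -AfterPath after.json |
#       Format-Table -AutoSize -Wrap
```

Every row in the `RootCerts`, `Services`, `Tasks` or `Admins` categories is something to ask the school's IT department to explain.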


























up vote
-2
down vote

It really boils down to a hard drive.

You can swap out or wipe the HDD/SSD at any point and undo all changes they made. You can probably back up the state of the laptop and restore it within a VM or external drive, then have the kid launch/boot that while doing school work.

I like to use Clonezilla for copying and backing up my drives.






























answered Aug 30 at 16:35
pningia
17







• 3
  I give -1 to this answer, reason: administrative access can be used to make further changes to the computer, e.g. modifying firmware. While this may be a high-complexity attack vector, it is still possible that your computer will be compromised even after you have changed the drive to a physically new drive.
  – vakus
  Aug 31 at 8:57

• @vakus: Good. If the school pulls that off, call CNN. That school is done for.
  – Joshua
  Sep 6 at 15:20

















                                                                                  protected by Xander Aug 30 at 17:20


