SSID password changed.
I hard reset all student owned Chromebooks and connected them to our WiFi.
In the Google console, made it a “per user” setting and added the new password to automatically connect.
Now students can log into their school issued account but the moment they log into personal accounts the WiFi cuts out.
Worked well for a week.
Now students are logging onto personal Google accounts and connecting to VPN extensions installed whilst at home. The moment they connect to VPN their school WiFi access is restored!
Is there any way I can block VPN access on their Chromebooks?
“Student owned” - so you have no control - you will be playing a game of whack-a-mole that you will never win. If they are violating the AUP then it is a discipline issue.
For our BYOD, the current best mitigation against VPNs is to block the CIDR address block. That’s a bit of a pain, but it’s been effective. For those kids that just can’t stop, I throttle the personal devices down to 20K up and down. I don’t have time to play whack-a-mole all day, and we offer our BYOD network as a convenience, not a guarantee.
Gets a little sticky when the Chromebooks are unmanaged/not district owned. If you don’t manage them, other than blocking on your network, you can’t block the VPN extensions.
You will never get control of the situation if you allow unmanaged student-owned devices that can use personal accounts. It is impossible. Nearly all policies for security are set at the user level, not the machine level. So allowing them to log into a personal account simply bypasses all of your policies.
You can use an on-prem filtering appliance to reduce the issues. At least that will capture all traffic on your network. Then you’re going to add the complexity and overhead of SSL inspection. And at the end of the day, there’s nothing to stop them from simply bypassing all of this by connecting to their phone’s wireless hotspot.
They’re using personal accounts on unmanaged personal devices. I don’t think you can block them. A lot of these VPN extensions are hosted on AWS too, so blocking that is tough.
IIRC a VPN that runs as a browser extension is seen as standard SSL traffic in firewalls; unless you are doing SSL decrypt, the firewall just lets it through. I remember an incident where a teacher caught a student streaming Netflix in class and reported it to us. When I tested the extension the kid was using, the firewall just saw it as traffic going to a random website instead of Netflix.
Monitor and log. Make SLT aware of the risks (no filtering, no safeguarding protection, GDPR issues if data is exfiltrated etc) and that this can’t be resolved by technology. It’s SLT’s decision how to handle it, not yours. As long as they’re made aware, they can’t come back at you if things go badly.
Is Securly your only means of filtering traffic? You may want to look into an on-prem supplement. Otherwise, the only other options are making rules in Securly to block that VPN traffic, or finding out where those VPNs are pointing to, and blocking that on your firewall.
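
Added example, not part of the thread or any poster's own code: one way to do the "find out where those VPNs are pointing to" step from firewall flow logs, relying on the observation above that an extension VPN looks like ordinary SSL traffic to a single site. The flow-record format, thresholds, function names and addresses (RFC 1918 and RFC 5737 documentation ranges) are assumptions constructed for illustration, and the concentration test is a heuristic whose hits need review before anything is blocked.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: client_ip,dest_ip,dest_port,bytes.
# Not real endpoints; a real firewall export will have a different layout.
SAMPLE_FLOWS = """\
10.20.0.11,198.51.100.7,443,48200000
10.20.0.11,203.0.113.20,443,310000
10.20.0.11,203.0.113.21,443,120000
10.20.0.12,203.0.113.20,443,900000
10.20.0.12,203.0.113.44,443,1100000
10.20.0.12,192.0.2.80,443,700000
10.20.0.13,198.51.100.9,443,35500000
10.20.0.13,203.0.113.20,443,200000
"""

def parse_flows(text):
    """Yield (client, dest_address, port, bytes) from CSV-style flow lines."""
    for line in text.splitlines():
        if line.strip():
            client, dest, port, nbytes = [f.strip() for f in line.split(",")]
            yield client, ipaddress.ip_address(dest), int(port), int(nbytes)

def tunnel_candidates(text, min_share=0.9, min_bytes=10_000_000):
    """Return {client: (dest, share)} where one 443 destination carries almost all bytes."""
    # Assumption: normal browsing spreads bytes over many hosts; a tunnel does not.
    per_client = defaultdict(lambda: defaultdict(int))
    for client, dest, port, nbytes in parse_flows(text):
        if port == 443:
            per_client[client][dest] += nbytes
    hits = {}
    for client, dests in per_client.items():
        total = sum(dests.values())
        top, top_bytes = max(dests.items(), key=lambda kv: kv[1])
        share = top_bytes / total
        if total >= min_bytes and share >= min_share:
            hits[client] = (top, round(share, 3))
    return hits

def blocks_to_review(hits, prefix=24):
    """Collapse candidate endpoints into CIDR blocks for a human to review."""
    nets = {ipaddress.ip_network(f"{dest}/{prefix}", strict=False) for dest, _ in hits.values()}
    return sorted(ipaddress.collapse_addresses(nets))

if __name__ == "__main__":
    hits = tunnel_candidates(SAMPLE_FLOWS)
    for client, (dest, share) in sorted(hits.items()):
        print(f"{client}: {share:.1%} of HTTPS bytes to {dest}")
    print("CIDR blocks to review:", [str(n) for n in blocks_to_review(hits)])
```

A single heavy download can trip the same threshold, so treat the output as a list to check against the cloud-hosting problem mentioned above before adding a block rule.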