I work for a school district (not CPS) with about 2000 deployed Chromebooks and you're likely running into one of two things.
1) You somehow 'enrolled' the device into the Chromebook management. This is hard to do by mistake but if you do, essentially puts the device under the control of the school district. It also uses up a license on their end. We only allow particular IT only accounts to enroll devices.
2) You're logging in with their CPS account. Once a person logs in with their managed account it can deploy user level policies that include everything you described: extensions, filtering, and blocking signing into another account in the browser. You'll also find some random pages are blocked to keep students from bypassing the restrictions.
That you can wipe the machine makes me think you didn't enroll it - if you wipe an enrolled device it will prompt/force you to re-enroll.
You should be able to reboot the device so you land at the login screen and hit "Add Person" down at the bottom. From there sign in with a different Google account and it should be completely unaffected by any policy the school is deploying. Unless you enroll it, the policies are deployed to the Google account, not the device.
It's likely the CPS Help Desk Staffer you reached doesn't have the power to fix things for you if you've enrolled things - that usually requires permissions that are restricted to a few admins.
Feel free to shoot me a message via the email in my profile - I'm happy to give you some of the inside perspective and help you figure it out.
This response should be higher instead of the useless armchair lawyering :)
With GoGuardian, though, I think device level management is common? It's BYOD but it essentially becomes the district's device (and all the other accounts disabled) until you remove the managed account. It can't happen by accident, though, it tells you very clearly you're making it a managed device.
It sucks that schools are using enterprise management to monitor everything a student does on their machine, but it's not a rootkit or something. If it's not the district's device just remove the account.
I think GoGuardian is normally full device, but on Chromebooks it is installed via extensions. Extensions on Chromebooks are 'user' policies so they are applied to entire OUs of users. (Docs here for anyone who is interested: https://support.google.com/chrome/a/answer/6177431?hl=en#zip...)
These types of solutions are really common for schools because under CIPA you must filter your network to receive e-rate funding. Deploying it to the device meets these requirements and also extends filtering off site which is a commonly requested feature.
If it is just being managed at the user level - then creating a second account is exactly the way to go.
^ This guy is correct. OP is vastly overstating the situation or uninformed.
Unless it was school provided hardware, management is done at the account level and accounts are fully isolated.
Powerwash (https://support.google.com/chromebook/answer/183084?hl=en) the device, log in with a personal account to make it the primary, and then log in with your kid's school account. Yes they will be monitored when logged in to the school account, but that is for compliance with the law. If you don't like it, write your representative.
Not the device, the student district-managed account that is logging into the device. Districts are bound by law (varying from state to state) at a basic level to filter content and restrict access in the broadest sense, on or off the district network. I've worked in multiple states for various districts; they all had similar compliance requirements.
I don't see how the mere fact of someone being logged into a school account could create such a requirement. If I log into the school account from a normal desktop computer, I don't believe that the school even has the ability to restrict what webpages can subsequently be accessed. Is the school then failing to meet its responsibilities? If not, then how could they be required to enforce this on a chromebook that they do not own?
We run Chromebooks. I'm logged into one right now, on my personal account. There is no way for me, the GSuite admin of my company, to fuck with that personal account.
I can't read anything from it, I can't manage it in any way, I can do nothing. Some things in the personal account aren't accessible (you can only have one account on Chromebooks with a Linux VM), that's it.
If a kid or parent can log in from offsite, it is not technically possible to force all browsers or systems to monitor and restrict activity. I can log in through Firefox (or curl, for that matter) and not have my activity sent to the school.
Also, there is absolutely no legal way the school could force the monitoring of activity from an offsite computer (unless it were school-owned), even if it were technically possible. To secretly and silently install spyware on a parent's computer when the parent logs into the child's account would violate so many laws and constitutional protections I can't even list them.
Yeah seconding this both as a parent and someone who has worked in education IT (K12 and higher ed) for almost 15 years. I'm not familiar with GoGuardian but I do recall with certain 3rd party Google apps that did similarly there were ways within the admin console for said app to exclude monitoring devices (regardless if managed account that's logged in) unless they were on the district network(s) by adding CIDR blocks to a whitelist. Of course, if someone were to use the device on a BYOD network in district you could then get scooped up in that dragnet though we excluded even those networks to prevent this as all district devices should be connected to the proper LAN.
I've personally forbidden my kids from logging into devices we own with their school accounts (O365). I've also gone so far as to relegate them to only connecting to a segmented guest network (internet only) with their district issued devices. I no longer work for a district but provide various levels of support for districts in my county as a state employee and let me tell you, no one really knows what they're doing. A district I used to work for uses a product called Aristotle essentially logging key strokes of every staff member and student. There are, or were, certain school admins that made it their business disciplining bored-ass students for things 99% of the time they may have said in jest to a fellow student. On the flip side it was instrumental in catching a couple staff members that were doing some pretty heinous things, one of whom is currently serving 35 years on federal charges.
No, it should only be the district's device while the district student's login is being used. There's still very much a legally-enforceable expectation of privacy for the other possible users of the machine.
That the user is the actual owner of the equipment makes it pretty important that someone at the school system defined the MDM policies properly so as not to violate other users' privacy rights. ...but considering the way most of them are staffed, they probably screwed up and need to be shown the right way to do it before they land themselves in court.
Why is it ever the "district's device?" It's owned by the parent, it's being used at home. What justification does the district have to monitor anything that's happening not at school using equipment that they do not own that does not involve any of their servers?
It isn't the district's device. OP just enrolled it in the School's GSuite organization so, obviously, policies got pushed. They can just... not do that.
If they want to log into apps or whatever on the Chromebook, they do need to do that. At that point the device has to follow policies for accessing the school's services or whatever. They still don't own the device, but they can push policy to it. At any time the device can be removed from the organization, but that has to be done by the organization, I believe.
Of course, you can have multiple accounts on the Chromebook, so they could just have the device enrolled for one user, but have a personal account not enrolled.
Have written Chromebook extensions for large school systems. The OP is absolutely correct.
It boggles the mind what some of the posters above this are thinking.
Seriously, no one wants to spy on your home browsing habits - if nothing else because it creates a new workload and a potential liability for the teachers and the institution. Create a new profile, and you're good to go.
So, it sounds like the best advice to OP is to create another 'home' account for their son, on the same device, which won't be monitored or affected by anything the school does.
The son can decide which account to log into based on what they plan to do that day.
Probably better to log in (or not) to the Chrome OS device as a personal account, and then log in in the browser (private mode perhaps?) to the school account to do the classroom stuff. I don't think logging in to the school account in Chrome the browser will trigger the same behavior as logging in to the school account in Chrome the OS.
> The son can decide which account to log into based on what they plan to do that day.
You can log into multiple accounts at once on a Chromebook. ctrl + alt + `.` lets you switch between workspaces across accounts, and you can right click windows to move them across workspaces. I'm doing this right now so I can post on HN from my personal account while I code for work.
I experienced scenario #2 on my son's Chromebook during pandemic school closings. One day he logged in with his school account and about half the apps were disabled, including core stuff he needed to do school work. I got the "we can't control your computer, that's not how computers work" speech from the school. It was one of the most frustrating things I've ever experienced. The policies finally got fixed a few days later, but I'm pretty sure the people I talked to thought I was crazy.
Agree. We have filtering on our kid's Chromebook, but only when they log in as a user to their school account. They have their separate account which gives them their own space.
Certainly you WANT the school district to do some filtering for the school accounts, right? I mean, I think ours locks it down so tight that students can't get outside emails until they are whitelisted somehow...
> Certainly you WANT the school district to do some filtering for the school accounts, right?
a) No. Filtering (if there is any) should be limited to their own network or a school-issued device, not some device the school system doesn't own. b) Filtering only the school accounts is pointless if the student can just switch to a non-school account (or guest account) and access whatever they want there.
> Filtering only the school accounts is pointless if the student can just switch to a non-school account (or guest account) and access whatever they want there.
From the district's perspective this does have a point: it removes perceived or actual liability for things that the student could be exposed to or experience using their managed services. Being able to tell an offended parent "not our account, not our device, not our problem" versus having to answer for "but he was logged into his district managed Google account, shouldn't you have protected him?"
Your A) is exactly what is happening. Filtering on school account only.
On B) I agree that kids can and will do anything they want on other accounts including just opening their phone! But what happens on school sponsored email, virtual drives, and applications should be controlled I would think. It opens the school to liability if nothing else.
> Your A) is exactly what is happening. Filtering on school account only.
I said "their own network or a school-issued device". Not "on school accounts".
Part of the blame here resides with Google for tying login on Chromebooks to an email address & automatically signing in to various other (possibly managed) services linked to that email when all you really want is some local storage and a web browser. An email address is an identity. A student might not have any other email address—sure you can create a new one pretty easily, but this is how they identify themselves to everyone else they know; inventing an alter ego for non-school activities is a bit much to ask. Facebook and the like don't impose a "managed mode" on your private PC and monitor your access to other sites and apps at the OS level just because you signed up with your school email. To basically anything but a Chromebook your email address is just an arbitrary username which happens to also be a place where you can receive messages.
It should be possible to log in to a Chromebook using an organizational email address without enabling remote management of the Chromebook. You may not be able to access certain managed services as conveniently (though these should also be available as regular web sites, sans device management) but other apps and web sites not linked to the organization should work as usual. And it should be possible to have multiple distinct profiles (e.g. personal and school) with the same email address, and different management settings, if you're going to require an email as the login.
> But what happens on school sponsored email, virtual drives, and applications should be controlled I would think.
So control them—on the server side, which is part of the school's network. They're monitoring all use of the Chromebook while signed in to this account, not just the school's network, services, and applications. Even, apparently, while the device is switched to another account after logging in to the student account.