Privacy for Education Users

Protecting student data and privacy can mean many things for learning in classrooms and at home. Students and teachers often ask what MDM solutions can see, worrying it interferes with their privacy. This blog post summarises what data privacy means in the context of education institutions and explains how Apple and Jamf help support.

June 21 2022 by

Aaron Webb

The education sector, like other critical industries, are subject to regulations due to the sensitive nature of the information that is collected and utilized, often permeating into processes and workflows used by stakeholders. Much of the information collected about employees and students is classified as Personally Identifiable Information (PII), requiring institutions to take great care in how privacy data is gathered, transmitted, stored and shared with governing bodies and third-party partnerships.

Additionally, the modern computing era which has seen the adoption of technology as not only an essential teaching and learning tool for educators and students respectively, but has also seen these technological advancements augment how schools perform day-to-day operations. From creating and presenting lessons in physical and virtual classrooms around the globe to serving as a student’s “do everything” tool — computers serve as the de facto standard in processing the copious amounts of data that keep all aspects of a school operating without fail.

The key attribute to all this data is: Privacy.

Ensuring that this information remains away “from public attention”, as the definition states, requires that PII be handled securely.

This means that:

  • Only those who are authorized to handle PII are able to do so
  • Any handling of PII occurs within secure workflows to prevent data leakage or minimize unintended exposure

To ensure the security of your data and that privacy information remains, well, private, no vendor is arguably more adamant about security and end-user privacy than Apple. They have a known history of baking in the latest security technology into their products, as well as taking great measures to make certain that PII is tied to the user — not the owner of the device — ensuring that end users retain the rights to any privacy data they generate by placing control over how PII is handled squarely in the their hands — no one else.

How does Apple protect PII?

Apple has created frameworks, or a collection of processes that serve as blueprints for developers that create apps and services that run on Apple hardware. These frameworks not only provide guidance as to how apps will make use of hardware resources, but also outlines how apps interact with other resources, including what data can be accessed, how that data is used and where that data is stored.

For the purposes of this article, we single out two frameworks in particular that serve the goal of maintaining a safe, secure environment for working with PII. First up, is Apple’s security framework. This works by providing the following criteria that developers must adhere to, securing the data your app manages, and controlling access to your app by:

  • Establish a user’s identity (authentication) and then selectively grant access to resources (authorization)
  • Secure data, both on disk and in motion across a network connection
  • Ensure the validity of code to be executed for a particular purpose

Second, yet equally as important is Apple’s privacy framework. This framework can be easier explained by looking at it as two halves of one whole. Apple specifies that the App Tracking Transparency (ATT) framework must be used when data is collected about the end user and/or shared with third-parties to provide a clear, concise explanation as to what the developer can and cannot do with the PII gathered.

The second half of the equation deals with the requirements with which Apple’s App Store imposes on developers relating to student privacy and data use for apps distributed from the App Store. Holistically, the combination provides end-user’s the information necessary for them to make a decision as to whether they feel comfortable (or not) when selecting apps to use.

When combined, they represent a collection of policies that work collectively to deliver privacy by:

  • Limiting access to which types of data apps can access
  • Placing restrictions on what developers can do with information that is collected
  • Providing transparency into app tracking methods and practices.

How does Jamf work with Apple to keep privacy data safeguarded?

In order to provide a safe, secure management platform for students and educators alike, Jamf designs its products with privacy and security as a cornerstone by weaving adherence to Apple’s security and privacy frameworks into each product for maximum protection of data, upholding the principles established by Apple for end-user privacy.

Jamf’s commitment to empowering end-users ability to maintain their privacy and keep their data safe extends across the product line. Specifically as it pertains to EDU, the following solutions have been highlighted for their support of Apple’s newest technologies, implementing them on day one of their availability, so that Jamf users can reap the benefits of the latest security and privacy advancements, such as:

  • Transparency Consent and Control (TCC): Support for managed devices using the Privacy Preferences Policy Control payload. TCC gives students control over how apps interface with devices, including which resources apps can utilize, as well as how and when they are authorized to use them. Such as granting a collaboration app access to the built-in camera to take photos, but only when the app is open instead of at all times.
  • New User Data Protections: With each new release of macOS and iOS-based operating systems, Apple introduces new features alongside expanded protections for all stakeholders. With same day support, Jamf ensures users that any new features are available to them on the first day.
  • User-initiated Enrollment: Device choice programs, such as BYOD, allow the flexibility of educators using their personally owned devices to get work done from anywhere, at anytime — whether the classroom is at school or virtual. Enrolling personal devices into an institutionally-owned MDM does not require educators to give up their right to privacy nor does the school need to compromise on securing access to sensitive data.
  • FileVault 2 support: Encrypting data is a table-stakes feature for both security- and privacy-conscious stakeholders. Enabling and managing recovery keys on macOS, school IT make certain that data stored on devices remains unreadable by anyone except authorized staff and students. On iOS-based devices, encryption is enabled by default when a passcode is set, ensuring that data on mobile devices remain secure — even if devices are lost or stolen.
  • User Approved MDM: Regardless of whether devices are institutionally or personally owned, privacy remains intact when a device is enrolled by any means other than through automation. The reason? User Approved MDM verifies that non-automated device enrollments occur with the knowledge of the end-user. It does so by limiting the management scope of the MDM over a device until the end-user has manually approved their device’s enrollment into the school MDM.

What more does Jamf do to help privacy in EDU?

Jamf pledge to privacy is apparent in its approach to it, as explained within a Jamf Trust Center webpage devoted entirely to privacy. Here, Jamf outlines its privacy policy, provides timely updates to privacy as they occur and most importantly underscores its commitment to privacy whereby we “foster an organization-wide culture of ‘Privacy by Design.’”

This belief is extended to EDU by maintaining compliance with General Data Protection Regulation and the Student Privacy Pledge, among all other applicable privacy regulations.

Shifting gears back to the focus on privacy within educational institutions and how Jamf does more to help them achieve and maintain privacy, Jamf School and Pro solutions both help EDU meet their compliance regulation goals, by designing Jamf MDM solutions with powerful, yet easy to use controls that allow school-based IT and educators alike meet compliance with EDU-specific regulations from around the world, including:

  • Children's Online Privacy Protection Act (COPPA)
  • Family Educational Rights and Privacy Act (FERPA)
  • California Consumer Privacy Act (CCPA)
  • General Data Protection Regulation (GDPR)

Each of the regulations above state specific requirements that educational institutions and organizations that do business with or otherwise interface with privacy data from schools must comply with, lest they find themselves in violation of the regulations, which may include civil and/or criminal penalties. Additionally, violation of federal regulations in the US, for example, may sometimes include a penalty of forfeiture of federal funding programs for a determined number of years, which can negatively affect a school district’s ability to provide the best level of education and care for students.

In addition to helping schools succeed with Apple, Jamf School provides the following breakdown of what data the MDM can and cannot see, in addition to modifying or interacting with:

What can MDM see in education:

Device name

Phone number

Serial number

Model name and number

Capacity and space available

iOS version number

Installed apps

User data is not visible to the MDM

What MDM cannot see in education:

Personal data (i.e., data not placed on the device by the MDM)

Personal or work mail, calendars, contacts

SMS or iMessages

Safari browser history

Face Time or phone call logs

Personal reminders and notes

Frequency of app use

Device location

Privacy data is sensitive and should remain private from any unauthorized use or access.

Contact Jamf, or your preferred reseller to implement Jamf School and start protecting privacy information today.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.

Tags: