[Spivak]

Look I sympathize with all the k12 network operators that have to apply all these brain-dead content filtering policies -- I used to be one. But surely you recognize that someone external to my device that can inspect, modify, compromise the security of, or block my connection to any part of the public internet is the enemy right?

You're free to do whatever you like with devices that you own and you're also free to have an acceptable use policy on your network but breaking security and privacy to accomplish it is the exact wrong way to go about it.

In my ideal world school BYOD devices would either not be allowed at or be given a private single-device VLAN with a direct unfiltered connection upstream, and made clear in policy that the school doesn't own, support, or control any aspect of them. No different whatsoever than students using their cellular connection.