Band-aid solution that worked pretty well. Very cheap to implement, widely supported and used by many schools.
Our student's data was still private (no emails or passwords being decrypted) and we did the filtering only based on the domain name. It also didn't require an expensive appliance that would be need if did the filtering based on SNI.
A student who really wants to see "the bad" on the internet isn't scared off by blocking some DNS/VPN/proxy traffic. This is wishful thinking.
The easiest work-around for students who want to show their mates some "cool porn" is to just save it at home. Or connect to the free wifi of <random shop> in reach.
When you allow BYOD you give up the ability to control the client, and you allow the mess of kids bringing their family computers to school, as well as this difference where other kids bring their own much-better computer.
