Staff Devices
The fleet of devices staff are issued, how it varies by role, how personal devices are handled, and how each device is secured and supported once deployed.

Fleet composition & provisioning

Every form factor and OS class issued to staff today. Multi-platform postures are the norm (Windows for most staff, Macs for IT, iPads for select roles). Distinct from the management platforms that govern them — those live in EUC-MGT F1. Empty selection here is incomplete data, not a finding.

Whether the device standard varies by job function — IT staff on Macs, classroom teachers on standard Windows laptops, custodial/maintenance on different hardware. No hard finding here; small districts can defensibly run a single standard, and ad-hoc assignment is operational immaturity rather than a security failure.

Whether and how personal devices are permitted to reach district resources. The maturity question isn't whether to permit BYOD — every defensible posture (none, mobile-only, full MAM) is workable at the right scale — but whether the posture is documented and enforced. Unmanaged personal devices accessing district resources without policy is a hard finding. Cross-ref legacy-cyber IAM (forthcoming): conditional access on personal devices is the IAM-side mechanism that makes BYOD limitation enforceable.

Whether staff have a defined fallback path when their primary device fails, is lost, or is in repair. No hard finding — even "no loaner pool" is a service-availability gap rather than a security failure, and small offices can defensibly operate without one. The discipline question is whether the pool (if it exists) is managed with documented check-in/check-out, or runs informally on individual relationships with IT.

Endpoint security & support

Whether staff retain local administrator rights on their own assigned devices. Standard non-admin for most staff (with IT as the documented exception) is the modern floor: any payload delivered by a phishing or malware-laden email runs with administrator rights if the user holds them. "Most or all staff have local admin" is a hard finding: privilege escalation surface, malware persistence at the OS layer, and unmanaged installations that bypass baselines from EUC-MGT.

Whether staff devices are encrypted at rest. Staff laptops carry FERPA-relevant data (gradebook caches, student records in email, OneDrive sync), so a lost or stolen unencrypted device is a reportable breach. Cross-ref EUC-MGT F6 / F7: encryption is one of the baselines deployed and enforced from the management platform — an inconsistency between this field's answer and MGT F6/F7's enforcement-mode answer is a documentation gap worth following.

How staff reach district resources when working off-network. MFA is the modern floor — client VPN without MFA is a credential-stuffing target. Cross-ref NET-FW F8 (VPN access pattern): the two fields capture the same posture from different angles (firewall edge vs. staff fleet), so inconsistency between them is a documentation gap worth following.

How staff get help when a device misbehaves. The "no formal helpdesk" option is a hard finding — staff lose hours or days to issues that internal IT, a regional ESC, or an MSP would resolve quickly. Mixed postures with documented escalation paths are the typical TX K-12 mature model; ESC / co-op primary is also defensible (especially in smaller districts where internal headcount is too thin to staff tier-1 alone).
