Visual Studio Code on school computers and security

At my school, our teaching staff wants to move from Atom to Visual Studio Code on our lab computers (running MacOS).

Our SysAdmin is telling me that we aren’t allowed to install VSCode because of security policies. Their concern is that VSCode allows remote code execution (through extensions).

I cannot find much information online in respect to security concerns with VSCode. How are other schools doing it? Are there ways to mitigate those security issues? Or are those security concerns mistaken?

If you use VSCode at your school, I would love to hear your thoughts on this.

I also ask students to use VSCode because the extensions provided makes learning and doing faster, but most of the students are using their own notebook PC due to pandemic and learnFromHome.
Also checked with labs’ PC, and VSCode is installed, I don’t think the university has any problem regarding that “security policies” you mentioned

Thanks @irwanphan for sharing this experience!

Out of sheer curiosity, in which way Atom would be safer than VSCode?
There are Atom packages allowing remote execution as well; live-code-runner is just an example.

Aside from this, VSCode is the widest tool used for coding and thus, from an educational as well as a methodological standpoint, students will greatly benefit from learning how to deal with it.

If MS telemetry is a concern, one could consider the following very good alternatives that are very similar to VSCode in the spirit:

• GitHub - VSCodium/vscodium: binary releases of VS Code without MS branding/telemetry/licensing
• GitHub - eclipse-theia/theia: Eclipse Theia is a cloud & desktop IDE framework implemented in TypeScript.

Thanks @pattacini for sharing your thoughts!

From my experience, Atom requires admin user rights for the installation of packages such as “live server”… which from my educational perspective is a disadvantage, but might be a “security feature”.

I didn’t know about VSCodium … I don’t think that MS telemetry is a concern, but good to know about this option!

@ms-studio
From my brief experience using VSCode, the live share plugin is dangerous if not configured correctly.
It allows to change, compile and execute code on the host machine. That is pretty bad if you don’t trust who you are sharing your session.
Another thing is that VSCode is build using electron and there were some problems in the past. (https://betterprogramming.pub/2020-005-electron-apps-are-getting-faster-and-safer-3c045c39f61f)
Besides that, I don’t see much of a higher threat besides using any other IDE, like atom.

Thanks @vhaberkorn for those insights!

It’s not released yet, but GitHub is actually working on Codespaces, which offers a cloud-hosted version of VSCode accessible via a browser.

You can “request early access” now.

After the beta it looks like it will be charged per-hour, but perhaps there will be an exception for education?!

Indeed, that could be an interesting option. Thanks for sharing!