But installing a root CA on people own hardware, don't you think that is a step too far.
If you participate in a BYOD scheme then you can expect the network owner to take steps to keep their network secure (whether you're at a school or an employer). This may well include installing certificates so that they can filter web content for malware, etc. If you don't like it, then don't agree to the BYOD scheme and use your own internet connection.
I also struggle to believe that the school didn't have an internet usage policy that would have been signed by either the student or their parents (if they were a minor), which would have said that the school reserves the right to monitor the internet traffic.
It is not as if it is really easy to circumvent anyway. I have ssh running on port 80 and just tunnel everything through that to beat the schools surveillance.
You won't get a simple ssh session out through an intercepting proxy. However, you're missing the point here - this isn't about implementing a system that can't be circumvented (this is impossible) - it is about implementing a system that automatically filters _normal_ traffic without breaking too much stuff (whether that filtering be for malware or porn or whatever). Circumventing these systems is always possible, and when staff find a student has gone to lengths to circumvent these systems then they will discipline the student for breaking the internet usage policy.