I have created a teacher key which is distributed to all computers, and teachers can view and control their classrooms correctly.

However, if a teacher adds a computer with the hostname of one of our admin PCs, they could control our computers remotely - obviously this is wide open to exploitation.

To rectify this I have made an admin key, and set my role as administrator - how can I set it so that admins can view teachers and student PCs, but teachers can't view admins? Is it something to do with private/public keys? IE delete public and I can still view, but not be viewed?