Blocking by IP would be risky.
Most people have multiple devices they will access from, and potentially from multiple locations - a student could have a laptop and phone or tablet in use on campus, that's two IP's at least straight away, then if they access from home that's another one immediately (assuming they're using NAT at home). Then if they go to a friends place, or a cafe, they will run out of IP's straight away.
Those IP's often rotate too, the rotation time can be short in the order of a day or two, or longer in the order of weeks, depending on a number of factors, none of which are in the control of the school.
The point I'm trying to get to is that IP restrictions are not likely to be successful and will likely cause more problems than they solve.
It should be more of a policy thing stating that only the owner of an account can access that account, and anyone else doing so would be reprimanded. Forcing password changes, while ultimately reducing security in a number of instances, could be one way to help.