Poll: Do you allow students personal devices on your Wifi?

+ Post New Thread
Page 2 of 2 FirstFirst 12
Results 16 to 24 of 24
General Chat Thread, Do you let student devices use your Wifi? in General; We don't, but that's more a pastoral decision rather than a "we can't do it" or "we have technical/security objections ...
  1. #16


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,649
    Thank Post
    275
    Thanked 780 Times in 607 Posts
    Rep Power
    224
    We don't, but that's more a pastoral decision rather than a "we can't do it" or "we have technical/security objections to it".

    We'd push them through the same proxy that av filters everyone else and give access to a few printers, authenticated based on their AD credentials + known device and auto-kick any devices causing shenanigans.

    Our setup would be "your device must meet $standards to connect to school Wifi, here's the (tested against a range of kids/staff) guide to connect" and we'd probably refresh the AUP (which already has "for the avoidance of doubt, any device connected to $school_network is considered part of $school_network when assessing breaches of the AUP") to be explicit about BYOD.

  2. #17

    seawolf's Avatar
    Join Date
    Jan 2010
    Posts
    969
    Thank Post
    12
    Thanked 285 Times in 217 Posts
    Blog Entries
    1
    Rep Power
    175
    [QUOTE=shadowx;994886]So I take it your AUP is one which students (and staff) are required to sign before they are given the college owned device?
    /QUOTE]

    Nope, they are presented with a "Use of the college network constitutes acceptance of our Acceptable User Policy (link) and all responsibility lies with YOU for protecting your own device and data. If these terms are not acceptable to you, please leave your device at home or turn it off while at the college" type of message when they access the network. Students know that loss of their assignments due to a technical problem will not be accepted as an excuse - welcome to the real world! Better they learn it now rather than later when mistakes have bigger consequences than in school (like being fired from a job for being irresponsible or incompetent).

  3. #18

    Join Date
    Mar 2010
    Location
    shadowx@AllEvil:/
    Posts
    222
    Thank Post
    12
    Thanked 28 Times in 25 Posts
    Rep Power
    14
    [QUOTE=seawolf;994916]
    Quote Originally Posted by shadowx View Post
    So I take it your AUP is one which students (and staff) are required to sign before they are given the college owned device?
    /QUOTE]

    Nope, they are presented with a "Use of the college network constitutes acceptance of our Acceptable User Policy (link) and all responsibility lies with YOU for protecting your own device and data. If these terms are not acceptable to you, please leave your device at home or turn it off while at the college" type of message when they access the network. Students know that loss of their assignments due to a technical problem will not be accepted as an excuse - welcome to the real world! Better they learn it now rather than later when mistakes have bigger consequences than in school (like being fired from a job for being irresponsible or incompetent).
    Gotcha, we will have to look into making a splash page for unauth'd users!

  4. #19

    seawolf's Avatar
    Join Date
    Jan 2010
    Posts
    969
    Thank Post
    12
    Thanked 285 Times in 217 Posts
    Blog Entries
    1
    Rep Power
    175
    Quote Originally Posted by CyberNerd View Post
    I voted "Yes" before the "guest SSID/VLAN" option was available.
    I don;t think a VLAN in itself is good enough for BYOD, it has to be firewalled from the other networks.
    And how would you achieve that without having an isolated network, which would preclude access to any network resources (servers, printers, etc.)? That would be good for a guest network or WiFi hotspot use case where only access to the Internet is required, but I can't see how that could be very useful in a school environment? Access to other VLANs can be controlled through the router if there are servers or VLANS that users should not be able to access.

  5. #20


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    Quote Originally Posted by seawolf View Post
    And how would you achieve that without having an isolated network, which would preclude access to any network resources (servers, printers, etc.)? That would be good for a guest network or WiFi hotspot use case where only access to the Internet is required, but I can't see how that could be very useful in a school environment? Access to other VLANs can be controlled through the router if there are servers or VLANS that users should not be able to access.
    So the way we did it was to treat the wireless network as if it is part of the internet. There is no access to internal network resources whatsoever. However, all of our learning resources are published on webservers inside the DMZ (web printing too), the students home drive and applications are spread over Google apps and Citrix terminal servers (via a web server). Students have the SAME access to their resources whether they are in school, at home, on their own device in school or in an internet cafe the other side of the planet.

  6. #21

    DaveP's Avatar
    Join Date
    Oct 2006
    Location
    Can't talk now: The mother-ship is calling!
    Posts
    8,973
    Thank Post
    352
    Thanked 1,298 Times in 888 Posts
    Blog Entries
    4
    Rep Power
    1131
    Yes we allow all students to access the WiFi. We are changing the way this works this Summer. In September they will be able to access school WiFi via a transparent proxy [on a separate IP range from our network] but will still be required to authenticate via AD.

  7. #22

    seawolf's Avatar
    Join Date
    Jan 2010
    Posts
    969
    Thank Post
    12
    Thanked 285 Times in 217 Posts
    Blog Entries
    1
    Rep Power
    175
    Quote Originally Posted by CyberNerd View Post
    So the way we did it was to treat the wireless network as if it is part of the internet. There is no access to internal network resources whatsoever. However, all of our learning resources are published on webservers inside the DMZ (web printing too), the students home drive and applications are spread over Google apps and Citrix terminal servers (via a web server). Students have the SAME access to their resources whether they are in school, at home, on their own device in school or in an internet cafe the other side of the planet.
    I see. You have migrated student network resources to "the cloud" a bit more than most schools, and this approach could work in that case. Two resources I see missing though is access to printing and authentication servers (AD or LDAP). How do you achieve that? Are you using Google Cloud Print and LDAP over SSL?

  8. #23
    bondbill2k2's Avatar
    Join Date
    Jan 2011
    Location
    West Midlands
    Posts
    1,015
    Thank Post
    81
    Thanked 66 Times in 51 Posts
    Blog Entries
    2
    Rep Power
    42
    Students have access to just the Citrix gateway, their wifi is on its own ip range as many others here. Then running a vdi as if external the vdi will work as an internal computer simples.

  9. #24


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    Quote Originally Posted by seawolf View Post
    I see. You have migrated student network resources to "the cloud" a bit more than most schools, and this approach could work in that case. Two resources I see missing though is access to printing and authentication servers (AD or LDAP). How do you achieve that? Are you using Google Cloud Print and LDAP over SSL?
    Google apps Single Sign on. Papercut web printing (I'm hoping they'll integrate cloud print at some point). Citrix secure gateway.

SHARE:
+ Post New Thread
Page 2 of 2 FirstFirst 12

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •