  1. #1

    Join Date
    Jun 2012
    Location
    Italy
    Posts
    10
    Thank Post
    4
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Managing and configuring student laptops

    We will hand out 60 x Y7, 60 x Y8, 60 x Y9 and 35 x Y10/11 laptops next year. Each year all have different models and Y10/11 a new MacBook Air.

    Every student has access to 'their' personal laptop 24/7. Previous years and including this one (I started after this year's config and handout) have been a disaster allowing students full admin access, installing games, open doors to viruses and spyware, you can imagine the range of repairs the technician thus has had to deal with.

    This year I want them fully 'locked down' with almost no control of user settings, etc and only document creation and management, wireless accounts and passwords, applications, etc. I only have 1 technician, split sites, and 35-50 more machines than last year. Students only access a wireless network for the internet, and have no access to visit file servers, printers, etc. I am trying to anticipate avoiding overload for the technician, although I realise we need another!

    I wish to understand the further things we can do, implications of the above, and so on. We have a bit of a low confidence in IT support here so need some help with raising! My technician will take possession of all of them next week so is ready to start hauling through the image ghosting and setup.

    Thanks in advance.

  2. #2

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,084
    Thank Post
    853
    Thanked 2,678 Times in 2,272 Posts
    Blog Entries
    9
    Rep Power
    769
    You could look into having a separate partition for data and then just doing a reimage over the top if anything went wrong. Managing them fully and locking them centrally would require a Mac server and full disk encryption to prevent students just messing with them anyway. Unfortunately I don't think that Macs have TPM chips anyway so there is no easy seamless way that I know of like BitLocker for Windows.

    The management side of Macs is nowhere near as mature as the Windows equivalents so you're in for a much more uphill battle.

    If some of your other student laptops are being redone and are Windows 7 Enterprise/Ultimate or even Vista Enterprise, a combination of GPOs and full disk encryption could tidy things up a little. You could also look at using something like Deep Freeze for ancient XP-based machines.

  3. Thanks to SYNACK from:

    dumontict (4th June 2012)

  4. #3

    That was quick, many thanks. Every laptop is being redone as far as I know, I'm not too worried about the Macs but the Windows laptops cause me a bit of worry. Y8 and 9 are Win 7 Pro, and the new 7's will be Home Premium.

  5. #4

    SYNACK's Avatar
    Quote, originally posted by dumontict:
    That was quick, many thanks. Every laptop is being redone as far as I know, I'm not too worried about the Macs but the Windows laptops cause me a bit of worry. Y8 and 9 are Win 7 Pro, and the new 7's will be Home Premium.

    That's unfortunate, that rules out BitLocker. Without disk level encryption they can override any security settings on the laptops without too much hassle as they have physical access to them. There may be drive encryption built into the laptop BIOS and hard drives but this could make recovery a challenge at some point in the future. You would lock the drive out with an auto entered password and then lock out the BIOS. There should be an option to allow a master override too.

    Home Premium locks out the use of domains and group policy too but you should be able to tweak the settings a bit through the registry.

    I would still be worried about the Macs, they now have malware and the arrogant 'can't be touched' attitude of their users will mean more exploits of both people and code in the future. Their business level features like encryption are also sorely lacking. For instance, taking over the admin account of an Apple workstation without encryption is simply a matter of holding down a certain key combination and typing in passwd root new-password. It's like a two minute exploit to own them completely, as with any computer the security is very limited with physical access and time. The Macs with their key combos and lack of certain types of encryption make their security a complete joke.

    I'd look at the separated partitions for data and OS, locked BIOS and possibly encrypted drives to stop them from simply installing their own OS over the top or cracking the installed one and any passwords stored on it. I would then implement a policy with regards to fixing them that simple fixes would be implemented by the techs, anything major would mean their OS would simply be wiped back to the original image, their docs should stay safe on the other partition.

    While this is less user adaptive it is way more time efficient if you have time constraints and involves less pandering to the users so they are less likely to trash their machines in the first place as it will wipe all their mess other than documents. This inconvenience may well deter them more than some of the lockouts that they could see as a challenge.
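
An added example, not part of the thread and not any poster's own script: a read-only PowerShell audit for the Windows 7 laptops discussed above. It checks the two problems raised, students holding admin rights and per-user restrictions that on Home Premium have to live in the registry because Group Policy is unavailable. The account names and the particular policy values checked are assumptions.

```powershell
# Read-only lockdown audit for one student laptop; run from an elevated prompt.
# Assumptions (not from the thread): account names and which policy values to check.
$AllowedAdmins  = @('Administrator', 'SchoolTech')   # hypothetical account names
$StudentAccount = 'student'                           # hypothetical account name

# Per-user policy values that Group Policy would normally write.
$PolicyRoot = 'Software\Microsoft\Windows\CurrentVersion\Policies'
$Checks = @(
    @{ Key = "$PolicyRoot\Explorer"; Name = 'NoControlPanel';       Want = 1 },
    @{ Key = "$PolicyRoot\System";   Name = 'DisableRegistryTools'; Want = 1 },
    @{ Key = "$PolicyRoot\System";   Name = 'DisableTaskMgr';       Want = 1 }
)

function Get-LocalAdminNames {
    # The ADSI WinNT provider works on PowerShell 2.0, the Windows 7 default.
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-StudentPolicy {
    param([string]$HiveRoot)   # e.g. 'Registry::HKEY_USERS\<SID>'
    foreach ($c in $Checks) {
        $item  = Get-ItemProperty -Path "$HiveRoot\$($c.Key)" -Name $c.Name -ErrorAction SilentlyContinue
        $value = $item.($c.Name)   # $null when the value is not set
        New-Object PSObject -Property @{
            Setting = $c.Name; Expected = $c.Want; Actual = $value
            Compliant = ($value -eq $c.Want)
        }
    }
}

# 1. Anyone in the local Administrators group who is not on the allow-list.
$unexpected = @(Get-LocalAdminNames | Where-Object { $AllowedAdmins -notcontains $_ })
if ($unexpected.Count) { Write-Warning "Unexpected local admins: $($unexpected -join ', ')" }

# 2. Policy values in the student's hive, visible under HKEY_USERS only while
#    that profile is loaded (student logged on, or NTUSER.DAT loaded manually).
$sid  = (New-Object System.Security.Principal.NTAccount($StudentAccount)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$hive = "Registry::HKEY_USERS\$sid"
if (Test-Path $hive) { Test-StudentPolicy -HiveRoot $hive | Format-Table -AutoSize }
else { Write-Warning "Profile hive for '$StudentAccount' is not loaded; cannot check policies." }
```

The script changes nothing on the machine, so it can be run against a freshly imaged laptop before handout and again when one comes back for repair to see what has drifted.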

  6. #5

    There is clearly way more to think about than I previously assumed, thankfully our users are not very exploratory or mischievous. But there are now a few scenarios more than I previously had considered, I will have to translate your responses and send to my technician. It's his first year in a private school as was previously in a commercial role. We are learning far more with every new stage. In terms of data loss I'm not so bothered as almost all is created in and left in Google Apps. We will have to reinforce our user policies to try and prevent some of the customisation that will obviously occur somewhere eventually. Hopefully the x130e Lenovo we are getting has some kind of BIOS setting that is school friendly as that's where they have been designed for. I'll chat with my tech this week, you've given me plenty to think (worry!) about. Thanks again.
