Bring your own device the future?

[CyberNerd]

Fantastic, finally found someone whos done it Tell me more please:

How well does it work?

Pretty good. We put in a lot of effort and had been directing things this way for the last 3-4 yrs.
It needs a lot of support from SLT and there (as always) are people against it. You really need to work on the infrastructure before contemplating BYOD,.
Biggest issue is out of date drivers on student machines

How do you monitor the devices?

They aren't our devices - so we are not entitled to monitor what people do on them. We do monitor authentication requests against the proxy of course, and with WiFi system (Meru) has a very good diagnostic capability.
[quote]

Does it cause any strain on your normal network

Inevitably there is some additional network usage - we planned for this and upgraded our broadband, internal servers, wireless and network to cope with additional demand.

What do you do about legal requests, file sharing ect

Don't really understand the question. The whole network is blocked from bittorrent and the like. Kids can exchange files between their laptops if they want.

How does the filter work?

THey authenticate to it using username and password - its specified wpad.dat

[Gibson335]

We're about to launch it in our 6 Form - but in a restricted form at the moment. No access to network, so Internet only. I suspect they'll bounce between ours and their own 3G or whatever simply because through ours they are filtered, so no Facebook, etc. However, it's currently seen as an addition to our facilities rather than the baseline, which is ideal. We were initially asked to provide a cluster of i-Pads, so once the infrastructure went in there was no good reason not to also try BYOD. My only concern at the moment is the impact on our broadband bandwidth, as we're already hitting our existing cap several times a day, but with us moving from 60mbps to 100 in December, we see BYOD as a bit of an experiment.

[GrumbleDook]

They aren't our devices - so we are not entitled to monitor what people do on them. We do monitor authentication requests against the proxy of course, and with WiFi system (Meru) has a very good diagnostic capability.

How do you complete your statutory Duty of Care to ensure that devices are not used, whilst in school, for bullying, sharing illegal materials, sexting, or other activities which may cause harm to children?

[CyberNerd]

How do you complete your statutory Duty of Care to ensure that devices are not used, whilst in school, for bullying, sharing illegal materials, sexting, or other activities which may cause harm to children?

They only connect to the internet, Through a filtered proxy. We advise students about using a firewall, AV and password security. Everything else is done by the teachers following non-ict policies.

[GrumbleDook]

They only connect to the internet, Through a filtered proxy. We advise students about using a firewall, AV and password security. Everything else is done by the teachers following non-ict policies.

You mentioned that they can share files directly with one another though (but not via bittorrent, etc) ... how are the students protected from malicious or offensive actions of others?

[CyberNerd]

You mentioned that they can share files directly with one another though (but not via bittorrent, etc) ... how are the students protected from malicious or offensive actions of others?

education.

[zag]

education.

Love it

[Jamo]

Surely the licensing issue would depend entirely on how the user is connecting? If I were going to offer BYOD i think i would be tempted to actually really offer RDS Session based, which would make the licensing less complicated.

If the BYOD are connecting fully, they the CALs are different again. If the BYOD are using VDI pools then you need different licensing again, but this is a strangely grey area again and you will probably get different answers from different specialists.

What do yuo mean RDS session based?

Microsofts licencing when it comes to terminal clients is strange. For instance VDi.

If you have 500 users in your 6th form, and you want them to be able to connect to VDi using your school owned laptops. Its legal to use your Software Assurance to 'upgrade' to VDA licences for your physical laptops so that they can connect to the virtual clients.

If your users are using their OWN laptops to connect to your VDi, it is no longer legal. As the OS on thelaptops is not owned by the school, our software assurance no longer covers the 'upgrade' to VDA licencing which means that you have to individually purchase VDA licences per DEVICE for each 6th former. As usual licences cannot be transferred between devices for 3 months (standard MS stuff)

[IrritableTech]

We are on the verge of launching a second attempt at BYOD. Our first attempt with our sixth form failed mainly because many users found the LEA proxy server a struggle to deal with. Entering details, constantly authenticating, blocked services slowing down devices etc.

Our second (yet to be launched) system will utilise a non-authenticating transparent proxy. Users connect to a SSID for their year group, which is in it's own VLAN. Our captive portal authenticates them onto the network and logs the device MAC and user details. Each device is given it's own unique pre-shared key. These subnets are filtered at the standard LEA filtering level for their age. Devices are isolated using access lists, and can only communicate with our DHCP, DNS and Moodle servers, and of cause the gateway.

I will be happy for users to use phones, tablets, laptops or anything else. If it's got a browser in it, it's all right with me. If they are using devices in the wrong place or time; It is a behaviour issue, rather than a technology issue. If the technology is causing an otherwise compliant student to become disruptive, we could obviously revoke keys and disable further access.

@GrumbleDook Students are already bringing these devices into schools. Banning them, just puts them under the desk rather than on top of it. Devices still in use but the educational potential lost. Bullying, sexting and all the other online activities which do harm children could already be happening within the school fence. Education is key to stopping these activities, however monitoring internet use will also identify when students go off the rails. Schools can not monitor 3G connections. So to my mind, allowing BYOD should help reduce these risks rather than increase them.

Before launch I hope to get various members of the school community together to write a suitable user policy. It is my belief that if we involve students in the decision making, they will more likely stick to its outcomes.

[Gibson335]

We are on the verge of launching a second attempt at BYOD. Our first attempt with our sixth form failed mainly because many users found the LEA proxy server a struggle to deal with. Entering details, constantly authenticating, blocked services slowing down devices etc.

Our second (yet to be launched) system will utilise a non-authenticating transparent proxy. Users connect to a SSID for their year group, which is in it's own VLAN. Our captive portal authenticates them onto the network and logs the device MAC and user details. Each device is given it's own unique pre-shared key. These subnets are filtered at the standard LEA filtering level for their age. Devices are isolated using access lists, and can only communicate with our DHCP, DNS and Moodle servers, and of cause the gateway.

I will be happy for users to use phones, tablets, laptops or anything else. If it's got a browser in it, it's all right with me. If they are using devices in the wrong place or time; It is a behaviour issue, rather than a technology issue. If the technology is causing an otherwise compliant student to become disruptive, we could obviously revoke keys and disable further access.

@GrumbleDook Students are already bringing these devices into schools. Banning them, just puts them under the desk rather than on top of it. Devices still in use but the educational potential lost. Bullying, sexting and all the other online activities which do harm children could already be happening within the school fence. Education is key to stopping these activities, however monitoring internet use will also identify when students go off the rails. Schools can not monitor 3G connections. So to my mind, allowing BYOD should help reduce these risks rather than increase them.

Before launch I hope to get various members of the school community together to write a suitable user policy. It is my belief that if we involve students in the decision making, they will more likely stick to its outcomes.

We have a similar setup, with transparent proxy, so once the user connects to the signal they enter their usual username and password to then gain access to the wireless network itself.

Regards the Duty of Care issue, we took the view that, whilst we acknowledge they will use their own devices on their own connections, if we provide the facility we are obliged to provide the care.

[zag]

Now that's a good idea!

We are using a transparent proxy as well. I didn't think about setting them all up as individual users. Isn't that a huge amount of admin for you?

[Gibson335]

Now that's a good idea!

We are using a transparent proxy as well. I didn't think about setting them all up as individual users. Isn't that a huge amount of admin for you?

Was that Q for me? If so, sorry for the confusion...the wireless network is integrated with their Curric AD and so they enter their usual network passwords.

[IrritableTech]

If it was directed at me, our controller too links to AD and generates a unique PSK on the fly. It's the Ruckus Dynamic PSK feature.

[zag]

Thanks for both your answers, seems our aruba system doesn't have that functionality.

We have the captive portal but there isnt any option to connect it to AD

[Jamo]

Thanks for both your answers, seems our aruba system doesn't have that functionality.

You can use radius with an IAS server, using PEAP MS-CHAPv2 you can authenticate with usernames and passwords and push them to different VLANS.