How do you do....it? Thread, BYOD Considerations - What is required? in Technical
  1. #1


    BYOD Considerations - What is required?

    Hi All,

    I have been asked to look into a BYOD scheme for the school I work in and want to ensure that I have all my bases covered and have a full understanding of what is required before committing to a timescale. I have searched around at the way that other people on here have done it but, not being all that high-end technical, a lot of it goes over my head. (I more so manage my site and technicians.)

    I have spoken with our higher end techs and they have said that realistically the best way of achieving this and keeping the network secure would be to VLAN a BYOD wireless network and then use WPAD/Transparent proxy and have students use Home Access + for their network files, which sounds simple enough, until you look at a cab and see the previous ICT never labeled the ports, so working out what runs where is always a time-consuming exercise.

    We are split over 3 separate buildings, with one building not having a managed solution. (Standard standalone POE APs) - Would I be right in thinking this would need to be replaced to make BYOD a reality?

    Other glaringly obvious questions are:

    How would I give students the ability to print? Is this even possible?
    How would I be able to track which user is browsing which website to ensure child safeguarding?

    Really I would like a more simplistic explanation of how your sites are currently achieving this, what technologies you are using, and in which effective way they are being used. :-)

    Thank you for any help/insight you can provide.

  2. #2


    Quote Originally Posted by MrPARRman
    I have spoken with our higher end techs and they have said that realistically the best way of achieving this and keeping the network secure would be to VLAN a BYOD wireless network and then use WPAD/Transparent proxy and have students use Home Access + for their network files, which sounds simple enough, until you look at a cab and see the previous ICT never labeled the ports, so working out what runs where is always a time-consuming exercise.
    If you want to VLAN (you do), you'll have to bite the bullet and work out what goes where. At the very least you'll need to discover which ports your APs are connected to. You should be able to get a lot of that info using CDP on your switches:

    Show what's connected to all ports:
    Code:
    show cdp neighbors
    In more detail:
    Code:
    show cdp neighbors detail
    For a specific port:
    Code:
    show cdp neighbors InterfaceNumber detail
    Note that the info isn't infallible, but it makes verifying much faster.

    We are split over 3 separate buildings, with one building not having a managed solution. (Standard standalone POE APs) - Would I be right in thinking this would need to be replaced to make BYOD a reality?
    If your managed wireless and the standalones are going to ask a RADIUS server or other central source of truth to see if a device or end-user is allowed access, not necessarily, but it would probably be easier to implement.

    How would I give students the ability to print? Is this even possible?
    Print over http/https. Your print management solution may already support it (PaperCut does, for example). @CyberNerd on here uses it IIRC.

    How would I be able to track which user is browsing which website to ensure child safeguarding?
    How will students authenticate before they can access the BYOD network? Using their normal credentials? Let's assume so.

    A student might connect to BYOD Wifi and get redirected to a captive portal that asks them to identify themselves before they get any further. They provide appropriate credentials and then they're allowed access to the BYOD vlan which gives access to web printing, VLE for file access and the Internet. If your captive portal can pass those credentials or a notification (user X is on IP.AD.DR.ESS) onto your proxy server then you need to do nothing else. Having an IP/User match on two different systems would work, but would make investigating things more annoying.

    If it can't pass those credentials on, you'll need to configure your proxy server to prompt for credentials if it gets requests from the BYOD vlan.

    In addition, you probably want your captive portal (Microsoft's NAC or open-source PacketFence, for example) to eyeball BYOD clients for anything dodgy before you let them on the network and kick them off if shenanigans are detected. You may wish to configure it so students' credentials can only be tied to one device initially to deter them from logging in as another student. For those students with N+1 devices, they can ask IT for additional allocations.
    Last edited by pete; 16th August 2013 at 04:16 PM.
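
The IP/user matching across two systems described in the post above, as an added example that is not part of the original post: it attributes proxy requests to users by finding the captive-portal session that held the client IP at the time of the request. The log formats, field names, addresses and usernames are constructed assumptions, not the output of any particular portal or proxy.

```python
import bisect
import csv
import io
from datetime import datetime

# Constructed sample (assumed format): captive-portal sessions exported as CSV.
PORTAL_SESSIONS = """\
user,ip,start,end
student.a,10.20.0.15,2013-09-02T09:00:00,2013-09-02T10:30:00
student.b,10.20.0.15,2013-09-02T11:00:00,2013-09-02T12:00:00
student.c,10.20.0.31,2013-09-02T09:10:00,2013-09-02T09:50:00
"""

# Constructed sample (assumed format): proxy log lines "timestamp client_ip url".
PROXY_LOG = """\
2013-09-02T09:15:42 10.20.0.15 http://example.org/maths
2013-09-02T11:05:10 10.20.0.15 http://example.org/games
2013-09-02T10:45:00 10.20.0.15 http://example.org/gap
2013-09-02T09:20:00 10.20.0.31 http://example.org/vle
"""

def load_sessions(text):
    """Index portal sessions by IP, each list sorted by session start time."""
    by_ip = {}
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.fromisoformat(row["start"])
        end = datetime.fromisoformat(row["end"])
        by_ip.setdefault(row["ip"], []).append((start, end, row["user"]))
    for sessions in by_ip.values():
        sessions.sort()
    return by_ip

def attribute(by_ip, when, ip):
    """Return the user whose session held `ip` at `when`, else None.

    Picks the latest session starting at or before `when`, then checks its end.
    """
    sessions = by_ip.get(ip, [])
    i = bisect.bisect_right(sessions, (when, datetime.max, "")) - 1
    if i >= 0 and sessions[i][0] <= when <= sessions[i][1]:
        return sessions[i][2]
    return None

def attribute_log(sessions_text, log_text):
    """Return (timestamp, ip, url, user) per proxy line; gaps are flagged."""
    by_ip = load_sessions(sessions_text)
    results = []
    for line in log_text.splitlines():
        stamp, ip, url = line.split(maxsplit=2)
        user = attribute(by_ip, datetime.fromisoformat(stamp), ip)
        results.append((stamp, ip, url, user or "UNATTRIBUTED"))
    return results
```

The same address maps to two different students in the sample, so the match depends on both systems keeping synchronised clocks; requests that fall outside any session come back as UNATTRIBUTED rather than being pinned on the previous holder of the address.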

  3. #3

    Ephelyon's Avatar
    Bear in mind that if a child has a data plan on a smartphone or tablet, and has signal, there's nothing you can do about inappropriate browsing or texting while they're not using your WiFi.

  4. #4

    Quote Originally Posted by Ephelyon
    Bear in mind that if a child has a data plan on a smartphone or tablet, and has signal, there's nothing you can do about inappropriate browsing or texting while they're not using your WiFi.
    I've struggled with this one myself....for student AND faculty. Yes, the downside is that they can do inappropriate browsing. However, they shouldn't be able to do anything malicious or accidental to the school's IT / network infrastructure. If they are off the network (and on their own plan), they shouldn't be able to do anything dodgy. Yes?

    As for students looking at inappropriate websites (on their own network), I think that goes into the "nudey magazine hiding in the math book" file and falls under teacher / parent disciplinary actions. It should not impact anything IT related.

    Am I looking at this through the correct prism?

  5. #5

    Ephelyon's Avatar
    You still can't obviate the risk of cyberbullying by text, but this is an issue for the Safeguarding Lead, not the IT Manager. They are therefore the person who should be apprised (don't skimp on it).

  6. #6
    IrritableTech's Avatar
    There are two sides here... The technical implications and the safety/educational use/policy side of things.

    I talk in brief about both sides on my blog. Perhaps it'll answer some of your questions, but feel free to ask here if I can help further.
    http://irritabletech.co.uk/tag/byod/

  7. #7

    twin--turbo's Avatar
    We simply give them secure access to our VDI.

    One client can't even talk to another on the wifi (preventing pupils attacking each other via our system).
    The BYOD device firewalls all connections; a captive portal lets registered users access VDI and only VDI.

    They get the same desktop, lockdowns etc. as using one of our PCs.

    So they are subject to the same security as normal.


    They can't be bothered to use BYOD as they can't use it as a way to get unfiltered internet.

    Out of 300 possible 6fm users, 8 signed up, 1 used it.

    Rob

  8. #8

    Ephelyon's Avatar
    We apply subnet rules, such that the only device that can be accessed is the Internet gateway. That provides effective isolation without actually configuring isolation... :P

  9. #9

    As regards printing, there are other options to PaperCut; drop me a PM if you are interested.
