BYOD and wifi network conundrum

[Tsonga]

What is your wireless solution? If its anything like Ruckus, make the Apple TV's be tagged from the ruckus box for the guest/staff iPad VLAN, then plug it into the network via its ethernet for the rest of the access you might want.

Also, not thinking of making a third VLAN for BYOD? Get DHCP to dish out appropriate proxy settings so they go through at a certain level of filtering (no auth, wouldn't be able to look at a suer level but at least they would be filtered) or rely on smoothies SSL bypass.

[caffrey]

Its ad-hoc home made solution using off the shelf netgear wnap200s, network consists of netgear smart switches, it's far from ideal but its done the job. If I can get them to stump up some cash I'll got with ubiquiti soon at the moment its an unmanaged wifi network that I can't do a lot with without a lot of work (logging into each AP etc, tagging on switches etc) powers that be don't realise this, busy enough as it is since they got rid of the NM a few weeks ago!

[Tsonga]

Its ad-hoc home made solution using off the shelf netgear wnap200s, network consists of netgear smart switches, it's far from ideal but its done the job. If I can get them to stump up some cash I'll got with ubiquiti soon at the moment its an unmanaged wifi network that I can't do a lot with without a lot of work (logging into each AP etc, tagging on switches etc) powers that be don't realise this, busy enough as it is since they got rid of the NM a few weeks ago!

Woah, bit of a raw deal.

[SYNACK]

Surely the devil is in the detail (aka, I can't come up with any better - can you?). I'm sure you can say the same about just about any VPN connection. The questions would be who as physical access/uses the machine(s) with the VPN connection(s), how does the VPN initiate and what does it have access to once it's connected.

The other answer so far is to put BYOD devices on the domain...

I'd say an internal dmz for simple shared devices like the appletv but I don't think thats possible as it still uses the non-routable bonjour like they toy it is.

With a decent IP6 implementation this may be possible, I don't know if Apple have fixed their ip6 stack yet.

The closest to a remotely secure way would be to have the ipads vpn internally to a dmz where the resources are, putting them on the same subnet and using the vpn system to screen out all but the required traffic.

[IrritableTech]

Funding must be aligned with ambition.

I like what your school is trying to achieve however I'd have to ask the question "how many byod devices, in reality, are going to be sharing with the projector in a room?" If the answer is loads, you need some investment to realise the learning potential. If the answer is one or two every now and then...

I'd suggest pupil owned devices sharing to whiteboards will get limited use, and any BYOD scheme should be device agnostic. Before you can successfully access the learning potential of BYOD, you need to get your infrastructure sorted.

It's Bring Your Own Device, not Bring Your Own Apple. I actually prefer Prof Stephen Heppell's term "Bring a Browser". Students could collaborate on Google Docs using their own devices (not just apples), and easily show their work from the windows pc at the front of class. Dropbox, wallwisher, evernote, sketch, prezi etc.... all browser tools. That's where a BYOD scheme really starts to take off.

I'd separate the two schemes. iPads for teachers is a very different scheme to pupils bringing in devices.

For more thoughts on BYOD in schools, take a look at my blog. This is a good starting point... BYOD: Wifi, Network, Internet, Proxies | IrritableTech

[caffrey]

I totally agree, however it's SLT decision not mine - personally I'd get the infrastructure sorted first - but no one is listening. SLT are very apple centric, and very quick to jump in regardless of infrastructure, I've just read the half term letter about byod and it only mentions apple, we recently advertised a job for an Ipad technician...
Don't get me wrong I'm not against this idea at all just under pressure to deliver what I can't do with no budget!
Projectors aren't totally important to this, even though they do need replacing badly, apps like Socrates are generating a lot of interest here.

Anyway that's veered ever so slightly off topic ;p

So basically without chew it can't really be done - I'll recommend against any domain joining (which is what I told them in the first place!)

[caffrey]

Thrashed out a possible working idea,
Move all teaching machines to the guest vlan, it's a tonne of work and a there's few kinks to work out but might just be a possibility.

[Tsonga]

You need to have a good sit down with the SLT. If you start messing about too much you might start to compromise sensitive data just to get an iPad working.

Should direct them this way, see what all of us have said about what you're trying to do

[caffrey]

Indeed but I don't get much choice in the matter, i'm employed to come up with solutions cheaper the better!, but plan is to move all teacher / classroom pc's off the main domain (the MIS is cloud based anyway).
Plan :-
Have domain only for resources and support / admin.
mail / teacher resources / home drives will eventually be all on gapps soon hopefully.
So classroom pc's will have no logon to domain options - just a standalone pc that can connect to the internet.
I've got a lot of work ahead of me it seems ! But this seems the only way, especially seeing SLT want rid of desktops from the classroom eventually.
Maybe this is the future?

Just weighing up pros and cons now.

[DMcCoy]

Remember to keep an eye on licensing with BYOD. such things aren't covered by the standard EES (but there *is* a student option). Not that this should be a problem with all Apple stuff! As long as you aren't using dhcp, dns or AD credentials, windows file servers etc.

[SwedishChef]

Just to add my two pennies.

We had something simular, in order to get one vlan to recognise the airplay/airserver to the other vlan we used an UBUNTU gateway, which can act as a bonjour gateway.

http://www.cisco.com/en/US/products/...ml#deploysteps

Would that help you ?

[caffrey]

Hrrm thanks for that, that may just work, just got to dig out some old hardware now to test with (and some time)
wonder if a raspberry pi would work.

[caffrey]

Got the bonjour gateway set up, I can see the device across networks, however the mirroring isn't working

[SwedishChef]

Got the bonjour gateway set up, I can see the device across networks, however the mirroring isn't working

Is there anything to route between the networks that may block the connection?

[caffrey]

I'm starting to suspect that's what it is, just not sure where to start looking, it's either one of the two smoothwalls I have or something on the ubuntu install, not even sure what logs to look at!