  1. #1


    Devices and safeguarding

    How do you deal with safeguarding and devices (tablets / phones / BYOD) etc. ?

    We had a small incident yesterday and I had absolutely no audit trail at all. On our Windows network I can pretty much track everything if needed, but I'm totally in the dark with devices.

    Say we had class sets, and some enterprising child used another child's iPad that was already signed into, say, a Google account, and that child created a document and shared it with another child, causing a safeguarding issue.

    1. The iPad doesn't belong to the child so we can't trace it on that.
    2. No idea what the IP was nor time it was logged on.
    3. The SSID is open (but filtered) due to BYOD and class sets (WPA Enterprise causes issues)
    4. No logs on the device.
    5. The simple fact that another child can easily pick up another child's device and do what they will (I would expect people at workstations to log out / lock them). Yes, I'm aware of pin codes, but again class sets / BYOD.
    6. No Smoothwall logs as the WIFI is open and IP cannot be traced easily (I can use unifi to get the IP but this changes so is unreliable)
    7. Children bypassing filtering using apps, also filtering level is the same across the whole SSID

    We can only get the datetime the document was created and only after we have to change passwords to gain access to their accounts.

    So basically if a major problem arises I'd have nothing - has anyone solved this ?
    Last edited by caffrey; 19th June 2014 at 03:02 PM.

  2. #2

    Welcome to the wonderful world of iPads in schools.

  3. Thanks to Crumpet from:

    SovietRussia (20th June 2014)

  4. #3
    Gibson335's Avatar
    We force authentication to at least get a filtered connection, but then cannot prevent users bypassing the proxy with software or add-ons. Bad enough not having monitoring on them (as with Impero) but if you can't even guarantee filtering, should it even be allowed if eSafety was adhered to fully?

  5. #4
    Quackers's Avatar
    With regards to iPads, we don't use proxies here, but it's still a filtered connection. We assign an IP reservation for each iPad on the DHCP server, and our router logs all traffic requests to the cloud, and we can search those logs by device IP or website. That's using FortiGate as our router and using their FortiCloud service. Best I could come up with, and no worse than what we had 10 years ago on our Windows boxes with regard to internet logging.

  6. Thanks to Quackers from:

    Gibson335 (19th June 2014)

  7. #5

    Been running iPads for a long time here, and are about to maybe go 1:1 - my concern comes from a recent incident and there was nothing I could do, luckily it was mild but it made me realise just how poor the safeguarding actually is on that side.

  8. #6
    IrritableTech's Avatar
    1. The iPad doesn't belong to the child so we can't trace it on that.
    Staff could document which student is using which device today/this lesson? This might be a bit hit or miss, but you're putting a procedure in place and highlighting the safeguarding element to teaching staff.

    2. No idea what the IP was nor time it was logged on.
    We archive our DHCP leases here. Active Directory archives one week's worth, we copy these off, and I now have over six months at any one time.

    3. The SSID is open (but filtered) due to BYOD and class sets (WPA Enterprise causes issues)
    Where possible an SSID should have an encryption key; it will protect your users from outside MITM attacks. However, better still is RADIUS or individual WPA2 passphrases. This will help protect your users from each other, as well as outsiders. If this becomes a wider issue, your school needs to identify the need for new systems.

    4. No logs on the device.
    Bar a bit of browser history, the device is useless unfortunately.

    5. The simple fact that another child can easily pick up another child's device and do what will (I would expect people at workstations to log out / lock them) Yes I'm aware of pin codes but again class sets / BYOD.
    For BYOD you should probably have a policy which explains the need for security, and unauthorised use of devices is a no-no. This helps cover the school, but let's be honest, doesn't stop it happening. In a BYOD scheme, the onus is on the owner to ensure their device is used responsibly.
    For school owned devices the best option is a filter which requires authentication for internet access - with a fairly short time out.

    6. No Smoothwall logs as the WIFI is open and IP cannot be traced easily (I can use unifi to get the IP but this changes so is unreliable)
    Your DHCP logs will help here - each device will have a unique name (right?) and if you were able to cross reference this with the teacher list in point 1 you're quickly narrowing down your search.

    7. Children bypassing filtering using apps, also filtering level is the same across the whole SSID
    I guess apps aren't using your proxy - or can be changed so they aren't? You've got a couple of options - find another filter which doesn't use a proxy to filter traffic, or create an access list or firewall so the iPads can only talk to your proxy and can't use direct internet access.

    None of these are magic bullets, but each step helps reduce risk and increase your monitoring of individuals.

    With regards to Google Docs, I believe you can take ownership of the documents and see the full history of changes, including times and dates things were changed by the 'user'. Obviously the user will be incorrect in this case, but teachers and senior leaders are used to picking these issues apart. It's very similar to a student drawing an offensive image or offensive language on a bit of paper and passing it across the classroom to their victim.

    I hope that helps @caffrey
    Last edited by IrritableTech; 20th June 2014 at 09:08 AM. Reason: I forgot to mention something...

  9. 2 Thanks to IrritableTech:

    caffrey (20th June 2014), le4ne (20th June 2014)
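
The cross-referencing described in points 1, 2 and 6 of the post above (archived DHCP leases plus a staff record of who had which device), as an added example that is not part of the original thread. The record layouts, hostnames, addresses, times and student labels are all constructed for illustration; real lease archives and registers will need their own parsing.

```python
from datetime import datetime
from typing import NamedTuple

class Lease(NamedTuple):      # one row from an archived DHCP lease log
    ip: str
    mac: str
    hostname: str
    start: datetime
    end: datetime

class Booking(NamedTuple):    # one row from the staff device register
    hostname: str
    student: str
    start: datetime
    end: datetime

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample data: the same IP is re-issued to a different iPad after lunch.
LEASES = [
    Lease("10.20.0.57", "02:00:00:00:00:01", "IPAD-SET1-04", ts("2014-06-18 08:50"), ts("2014-06-18 12:50")),
    Lease("10.20.0.57", "02:00:00:00:00:09", "IPAD-SET2-11", ts("2014-06-18 13:05"), ts("2014-06-18 17:05")),
]
BOOKINGS = [
    Booking("IPAD-SET1-04", "Student A", ts("2014-06-18 09:00"), ts("2014-06-18 10:00")),
    Booking("IPAD-SET1-04", "Student B", ts("2014-06-18 10:05"), ts("2014-06-18 11:05")),
]

def attribute(ip, when, leases=LEASES, bookings=BOOKINGS):
    """Resolve an (IP, timestamp) pair from a filter log to a device and, if recorded, a student."""
    hits = [l for l in leases if l.ip == ip and l.start <= when < l.end]
    if not hits:
        return {"status": "no-lease", "device": None, "student": None}
    if len({l.mac for l in hits}) > 1:
        # Overlapping leases for one IP: the archive cannot settle it, so say so.
        return {"status": "ambiguous-lease", "device": None, "student": None}
    device = hits[0].hostname
    users = [b.student for b in bookings
             if b.hostname == device and b.start <= when < b.end]
    if len(users) != 1:
        # Device identified, but the register has no (or conflicting) entry for that time.
        return {"status": "device-only", "device": device, "student": None}
    return {"status": "attributed", "device": device, "student": users[0]}

if __name__ == "__main__":
    for stamp in ("2014-06-18 09:30", "2014-06-18 10:02", "2014-06-18 13:30", "2014-06-18 12:55"):
        print(stamp, attribute("10.20.0.57", ts(stamp)))
```

The "device-only" and "no-lease" results are the gaps the thread describes: without a register entry or an archived lease for that moment, the IP alone does not identify a person.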

  10. #7
    IrritableTech's Avatar
    Quote Originally Posted by Gibson335 View Post
    We force authentication to at least get a filtered connection, but then cannot prevent users bypassing the proxy with software or add-ons. Bad enough not having monitoring on them (as with Impero) but if you can't even guarantee filtering, should it even be allowed if eSafety was adhered to fully?
    If there is a route around your filter, you'll fall foul of the safeguarding section of an Ofsted inspection - assuming an inspector finds out about it, and understands what that means. Under recent changes, HMIs must put eSafety-based questions to the pupils.

    If you can't prevent BYOD users circumventing your filter, it's a serious safeguarding issue. You need to look at your current technology or if there is a better way to implement it - work with your provider, or get a new one!

  11. Thanks to IrritableTech from:

    Gibson335 (20th June 2014)

  12. #8
    Gibson335's Avatar
    Quote Originally Posted by IrritableTech View Post
    If there is a route around your filter, you'll fall foul of the safeguarding section of an Ofsted inspection - assuming an inspector finds out about it, and understands what that means. Under recent changes, HMIs must put eSafety-based questions to the pupils.

    If you can't prevent BYOD users circumventing your filter, it's a serious safeguarding issue. You need to look at your current technology or if there is a better way to implement it - work with your provider, or get a new one!
    Yes, I'm fully aware of the safeguarding issue. With ZenMate for Chrome and a whole host of proxy bypass sites - which we currently block either with GPs or Impero - it's almost impossible not to have one slip through the net as they are springing up all the time. So when you're unable to apply GPs or have Impero on student devices, those backdoors only increase.

    But then, when you work at a place where some staff allow students to use their own phone wi-fi where our wi-fi is not available, thereby avoiding both filtering and monitoring, it's no wonder these headaches exist.

    Knowing what you need to do and having your SLT agree are two very different matters, sadly.

  13. Thanks to Gibson335 from:

    IrritableTech (20th June 2014)

  14. #9

    1. I would like this, but I doubt it would be taken seriously.

    2. DHCP is served through Smoothwall, I'm not sure it logs any leases - this may change soon.

    3. RADIUS is in place but isn't possible due to class sets; the iPad needs the Wi-Fi adding and re-adding to log off the previous user - hard to do when you've got 5 minutes between lessons to reset them, unless there's something I don't know (RADIUS is done through Smoothwall).

    4. yep!

    5. There is a signed AUP but this never gets taken seriously.

    6. We can narrow down to a certain point, but like I said it's very limited and can be confusing; we narrowed this one down, but there was no way the child could've done it, which threw doubts.

    7. They use private VPNs to bypass traffic and Smoothwall has proven useless to stop this up to now and I can't rely on teachers to enforce otherwise.

    With regards to Google Docs, I believe you can take ownership of the documents and see the full history of changes, including times and dates things were changed by the 'user'. Obviously the user will be incorrect in this case, but teachers and senior leaders are used to picking these issues apart. It's very similar to a student drawing an offensive image or offensive language on a bit of paper and passing it across the classroom to their victim.

    Totally agree but because it's electronic it falls onto us to come up with miracles!

    Thanks for the reply

    We're with ISI so I'm not sure what their safeguarding policy is, we just passed and nothing was mentioned

  15. Thanks to caffrey from:

    IrritableTech (20th June 2014)

  16. #10
    IrritableTech's Avatar
    Join Date
    Nov 2007
    Location
    West Yorkshire
    Posts
    795
    Thank Post
    84
    Thanked 172 Times in 141 Posts
    Rep Power
    64
    Thanks to both @Gibson335 and @caffrey for your answers. I know it's easy for me to suggest measures to reduce risk (and consequences of not doing so) but in practice it's much harder. As pointed out, sometimes the hardest battle is winning the hearts and minds of senior leaders who may think we are obstructing teaching and learning. Keep chipping away and hopefully you'll gain some ground.

    The move from Ofsted (for those who are inspected by them) to improve their inspection of eSafety, and to outline that Leadership and Management cannot achieve outstanding without suitable eSafety standards should speak volumes to our superiors.
    @caffrey - My suggestion of RADIUS was more to do with BYOD than school-owned devices. School iPads might be better served using an MDM to connect to an SSID that has a long and complicated shared passphrase. Your UniFi wireless network may be better served by another RADIUS server too - I'm not sure how advanced the Smoothwall one gets?

  17. Thanks to IrritableTech from:

    Gibson335 (20th June 2014)

  18. #11
    Gibson335's Avatar
    Quote Originally Posted by IrritableTech View Post
    Thanks to both @Gibson335 and @caffrey for your answers. I know it's easy for me to suggest measures to reduce risk (and consequences of not doing so) but in practice it's much harder. As pointed out, sometimes the hardest battle is winning the hearts and minds of senior leaders who may think we are obstructing teaching and learning. Keep chipping away and hopefully you'll gain some ground.

    The move from Ofsted (for those who are inspected by them) to improve their inspection of eSafety, and to outline that Leadership and Management cannot achieve outstanding without suitable eSafety standards should speak volumes to our superiors.
    @caffrey - My suggestion of RADIUS was more to do with BYOD than school-owned devices. School iPads might be better served using an MDM to connect to an SSID that has a long and complicated shared passphrase. Your UniFi wireless network may be better served by another RADIUS server too - I'm not sure how advanced the Smoothwall one gets?
    Agreed - believe me, I may tire of doing so but I won't stop trying to chip away. It's not actually my remit, but I insist that due to the overlap into my role I must point things out and must also advise against developments that put these things at risk if they can't be done correctly. Mostly falls on deaf ears, but every minor victory is welcome.

  19. #12

    Quite surprised this thread hasn't garnered more attention - surely it's affecting all schools with iPads, or am I just doing it wrong?

    Smoothwall hasn't proven very effective with blocking traffic from certain apps, even after experimenting with blocking outgoing ports (the school uses on occasion things like Skype).
