School ICT Policies Thread: Getting stick for locking down staff laptops (in School Administration)
We recently rolled out a few dozen new staff laptops. With SMT approval and various bits of policy'ing we rolled these out locked down. This allows staff to do almost anything conceivable on their laptops apart from installing software. (Cue "I can't install my printer/broadband/dildo at home!!!!111")
I am starting to get a bit of stick because staff are complaining they can't install stuff and the laptops are pointless. Of course I agree we will install any software they want providing it's all above board etc, and in any case most of their software runs directly off CD. OK so this is making me a little unpopular (after all we aren't here to make friends are we?) but how can I say I am managing these laptops if we're letting staff install all kinds of crap on them? Conversely I know it's frustrating and perhaps it does affect their T&L - so what's a guy to do?
In the last company I worked for, they didn't even let their MD install software on his laptop - but they had very specific application requirements that didn't change unless a big roll out was happening.
Bah, I don't know. I guess I just want a little advice on how to deal with it all. I love my job but this is the only issue really getting me down (sounds stupid I know). I might be a bit wet behind the ears but I think it would be bad to back down on this as it will just open the floodgates. As I say SMT are in approval (but then again I haven't got round to locking down their laptops - yet). They have supported me by saying stuff like some staff have been here for years, don't like change, etc. All I am trying to do is run the network like any business would do.
PS I wasn't sure if this is in the right forum, if not feel free to move.
I have to admit that we are fairly relaxed here ... we give staff a local account as well as the locked down domain account. They get used to using one for work and one for home. They have local admin rights on the laptop as the 'home' user but with the caveat that they have to look after the machine.
We do have a number of lusers each year who infect their machine (easily spotted thanks to ePO) or plain bugger it up .. but rarely the same person twice.
An alternative is to give them a virtual machine on the laptop that they have complete control over.
We can manage it here as we have the support staff ... and the benefits of having staff that are becoming happier with IT ... outweighs the problems.
For us it means that staff are more likely to be able to tell students what to do when they need help / advice but the staff are more confident ... but this has taken a number of years to get to this point.
Above all ... we have it in the laptop contract that the laptop may be seized and checked at any point for unlicensed software (causing a number of staff to look for open source solutions) or general health checks. We also have the warning that laptops are only to be used for work purposes due to it being a taxable perk if used for personal stuff.
Giving someone a laptop they can take home but then can't connect to the school network seems like a complete waste of time.
I could be completely wrong, but I'd guess they're given the laptop so that they can work at home. They then bring the laptop into work the next day and want to print out files; copy files for students to use etc and you say "no".
We have an approach similar to Grumbledook and this seems like the most reasonable. We will wipe/reinstall a machine if a user causes problems but we don't see it as our job to make life difficult for teachers (or other staff).
Teachers using our laptops get a local login that has local admin rights. They can also login to the network normally if they want. Laptops come in regularly for 'servicing'. If there's any need, we'll re-image them. If the laptop attempts to do anything naughty on the network it gets blown away by our NAC box (Packetfence).
We have a policy here that covers anything connecting to our network. The security settings are the same, restricted access to install programs and use floppies etc. I inform the staff who are interested in buying laptops that they will have the same restrictions as a desktop PC but with the ability to be used anywhere in the school.
There are very few staff who need a laptop in order to be able to work at home and continue in school. Those who do work at home do so by email or bring it in on a USB pen. It may be different for larger schools who have a team of IT support, but here there is only me, and I don't have the time to check what is installed on laptops that I do not control. If the teacher wants local access to it, it does not go on the network and comes under their control when it comes to licenses etc. If there is a problem, it will be reimaged with the software it had on it when it was purchased. Any other software will only go on if it comes with licenses.
We have a similar approach to Grumbledook as well. Local user with admin rights with the option of logging onto the network if they wish.
I wish they didn't have the option of logging onto the network though because no-one can seem to get their head around the idea of two separate user accounts... one local and one domain. It causes so much confusion for the teachers that most only ever use the local account now on their laptops.
All staff have laptops and they have local admin rights as they only use them for internet at school. I have imaged them all using Acronis and it takes only minutes to get them back to brand new.
As they all have remote access via TS they don't really use the laptops that much, they tend to use them as a personal desktop at home rather than buying their own. Using them this way allows the Staff to evaluate software and other things which is very helpful to them as they are locked down tight on the network.
We too have them set up with a local Admin account for them to use and also possible to log on to the network with their normal restricted account which can access C drive to get to files they did at home using the other account.
I only have the one login for them but I give each teacher's network login local admin rights on their own laptop.
It has worked pretty well so far as I insist on a half termly inspection and upgrade session.
We had a training session to instruct them on what is risky behaviour and to be honest it has worked pretty well. They are using judgement as to what is ok to install and anything they are unsure about they are bringing to me. I'm happy at this and it is a nice middle ground between being helpful to them and still maintaining as much control as is realistically practical.
Our staff users all have local power user rights to their laptops thanks to a handy script which adds the local group memberships at startup. This allows them to install printers and other hardware, but not software; we still do that for them so we can audit what's being installed.
Sometimes we will grant a user local administrator rights for a short period of time if they have things like home broadband software they need to install with the laptop at home; this is easily managed by group memberships in AD.
At one of the schools I work at, Year 7 students and some teachers have their own laptops. They have a domain account that has user rights (gets their printers/etc installed via group policy) then a local account with full access. Generally we haven't had too many problems with their domain accounts, since it's the "home" accounts that get full of junk.
We then have an image of the laptops (since the hardware is the same on all of them) that includes Windows, Office, virus scanner and other school related software using Altiris/Ghost and if they have a problem with any aspect of the software it just gets reimaged. They have been told to keep backups of any work and files elsewhere, so if they lose anything it's on them.
The laptops I have given out are "Roaming workstations" and so are literally the same as their classroom workstations. I give them temporary admin rights ONLY for if they want to add their home wireless connection into Control Panel or want to install their home printer.
Some staff have complained that they can't do things but I just remind them that the statement they signed states that they will not use their laptop as a personal computer and that it's illegal for staff to install stuff that they did not purchase!
We pretty much just gave up, teachers were installing masses of games on their laptops, some even put porn on there, or rather they said their son/daughter/niece/nephew did... yeah? And what were they doing using it anyway... it's a laptop for the teacher, not for the teacher to freely lend out to whomever they want to use it.
After multiple occurrences of it happening, no punishment being dished out and several heated conversations about why they can't do what they want with "their" (sorry... I thought it was the school's and you were just borrowing it) laptops. We just gave up, now they get admin rights and are free to do whatever they, or as is more likely their son/daughter/niece/nephew, want to do with it. We find that most just use the laptops as a free computer for their kids anyway.