Tag Archives: BYOD

A Positive Start Matters

By: Tony DePrato | Follow me on LinkedIn

Stress at the start of the school year is normal. I firmly believe that a positive start leads to a positive year. Here are some suggestions I like to give to people at the start of the year.

What do you need to start the school year?

Students. Teachers. And a place for them to meet. Many of the things people stress about are not required to actually start the school year. Remember, not everything can be the most important. If everything is critical, and everything is a priority, then nothing is a priority.

No, really, what do you need to start the school year?

Here is a core checklist for the school start-up:

  • A roster of students who should be attending
  • A roster of students who left, to make certain they do not return without re-enrollment
  • Schedules (or at least a plan for the first week while scheduling is being sorted)
  • Lunch planning needs to be sorted and should be running smoothly; food is important; the communal time is important
  • Two to three weeks of lesson plans that can be executed with the resources from the previous year
  • Buddies for new staff, with a simple schedule to keep them connected and interacting
  • Short meetings scheduled to touch base on facilities issues; administrators should take the issues down and get everyone back to work
  • If the technology is being unreliable, remove layers of complexity, and simply give people access to the internet; new management protocols and summer updates can take weeks to sort out
  • Keep students connecting socially, and offline; build community first and the curriculum will be easier to deliver

Consider Staying Offline for a Few Days

For students under USA grade level 3, I would keep them offline for 2-3 weeks. Focus on social interactivity, building a relationship with their teachers, and learning how everything works within the learning environment.

For students who are in USA grade levels 3-5 and middle school grades 6-8, I would keep them offline for at least a week. I would make sure they do a full review of the school’s AUP and Digital Citizenship program.

High school students in USA grade levels 12 and 11 should be the main focus of IT for the first two days of school. Grades 9-10 can wait. Once the upper grade technology is sorted, move down to 9-10. Remember, high school students are flexible, and they can meet IT for support in varying intervals. High school should be all online within the first four days of school.

The Big Bang is Not Good for Stress

The Big Bang Implementation Approach (big bang) is something schools tend to do annually. Basically, they try to do everything for everyone at once. For example, connecting all BYOD devices K-12 in one day. Think about who needs access, and when they need it. Consider the curriculum. What percentage of a grade level’s content is only available with a device in hand? Do the higher percentages first, and the rest later following a steady pace.

Communicate the planning to everyone. Take a breath. And keep the school start steady, positive, and peaceful.

The Accidental BYOD Solution


By: Tony DePrato | Follow me on Twitter @tdeprato

In 2008, I would have said Apple is the best BYOD solution for any school or family that could afford the platform. Then Apple started to change. I think it could be argued that they have quietly abandoned the education market.

Even the recent iPad and classroom management software changes barely address most of the issues. In fact, in many parts of the world, managing Apps legally and efficiently is not even possible.

Aside from oddly developed apps like Swift Playgrounds, iPad App development eventually falls into two categories:

  1. A Focus on Consumer Consumption over Learning
  2. A “Make it the way the App Says” Philosophy

There is no ability for students to go beyond the rules of the iPad, to change the rules of the iPad, or to create anything that was not predicted. The iPad experience is shallow compared to the opportunity to take a blank slate, and build it to a specification or idea (like an opportunity found on a laptop/desktop computing platform).

Microsoft has made amazing strides recently. Specifically, Microsoft products such as the Surface.  However, the Surface products are expensive considering their feature set. There are also security issues involved in running Microsoft products. The Microsoft hardware does not reflect the actual cost of ownership, when much of that cost is used for defending the organizational ecosystem.

It is difficult to recommend a Surface product to a family, because they can spend less for an Apple product.

The rest of the market is too fragmented to build a stable long-term platform plan. Unless a school directs students to only buy a specific make and model every year (and every year it will change), there is no hope to establish a level playing field with BYOD students.

But. Maybe there is hope. An unplanned, and possibly accidental partnership. Google Chromebook + Amazon.

Google has been a big education player for some time. Their services and branded hardware are dependable and flexible. The hardware changes often, but the Chrome OS is consistent.

Chrome OS is a solution for any school that has reliable internet access. Chromebooks can make an excellent hardware platform, yet have some reasonable opposition among many EdTech leaders:

  1. The platform cannot run powerful applications like Photoshop, Video Editing Packages, Etc.
  2. The platform is slow when working outside the core Google products
  3. Chromebooks have one official browser, and are not fully compatible with all websites/applications
  4. Although it is possible to code and create software on a Chromebook, the development options are lacking compared to those of a traditional laptop (This is important for schools developing computer science and/or app development curricula.)

What if these four issues were eliminated? Would the Chromebook be a better choice for most BYOD families or for schools buying hardware for students?

Enter Amazon Workspaces.

I tested Amazon Windows 10 Workspaces last year. I liked the experience, but had no reason to use the service. It occurred to me recently that if Amazon Workspaces supported Chrome OS, then I could create a flexible platform for BYOD that used Chromebooks.

Guess what? There is a Workspaces Client and App for Chrome OS.


I have tested this platform for the last 6 weeks using the new Samsung Chromebook and an Apple Laptop. I wanted to compare the performance of the Workspace’s Client service on two hardware platforms. Here is what I have found:

All four issues above were resolved. I even installed Photoshop and used it at the office.

Although Chrome OS is free, Workspaces is not free. They do have a seemingly affordable educational package. The downside to the Chromebook+Amazon combination is that the entire process of getting signed up and calculating the price is very convoluted. Amazon for Enterprise Business is mature. Amazon for education seems like a discount coupon, not a well-directed initiative.

The next issue is setting up management for the Workspaces. The cost of doing this at scale is currently not clear. The cost is clear online, but the actual bills do not match the flat rates. I regularly ask for my costs to be explained. I send scenarios to people at Amazon to get pricing, and then I wait for the bill. The bill never matches the predictions.

I am close to having what I would consider an affordable and reasonable deployment model for Workspaces with Chromebooks.

Keep in mind that with Amazon you pay for what you use. How many schools pay for campus-level licenses for Adobe Creative Cloud, yet only use a fraction of the licenses in any one semester?

How many schools give all students a license for Windows 10, just in case they take one or two courses where Windows is required for the curriculum?

Imagine only paying for what is needed, when it is needed.

Part two of this topic is pending until July, when I receive my next bill. 🙂 

Access Denied: Controlling What Students Can Access

By: Tony DePrato | Follow me on Twitter @tdeprato

Recently I have been discussing multiple new security measures for academic networks. From these discussions with other schools, engineers, and suppliers, I have created a set of goals to help keep the development of network security on track and within budget.

Physical Access

Physical access can be managed without a great deal of expense. The goals to reach for are:

  • We allow only the devices we have confirmed and labeled
  • We can control the number of concurrent devices a user is using on the network
  • We can identify by IP, Serial Number, or MAC Address (or a combination of the three) the owner of a device
  • We can remove a user from network access, and restrict their devices, with minimal effort
  • We have processes and procedures to register devices; users can switch devices through these processes
  • Users can only circumvent the processes by giving their login IDs, passwords, and hardware to another person

These goals do not imply the direct management of equipment; nor do they capture user data. These goals ensure that devices on the network are approved, registered, and can be clearly identified.

Achieving these goals is the first step towards the concept that accessing the network is a privilege not a right. Privileges can be revoked. If revocation is not possible, then the concept/policy cannot be enforced.

Guest Access

Guest Access can be problematic for schools.  However, if your school is in a country that requires you to perform due diligence for network/internet access, then the Guest Access should be provided in a limited fashion, and only when necessary. Please review the laws governing access; especially where children under 13 are present.

If you are not sure what the laws are in your country, start here.

Topology

Topology refers to the way in which constituent parts are interrelated or arranged.

These are the topology goals that should be met before additional security is added:

  • Students, Teachers/Staff, and Parents/Guests are never on the same network/same IP range (not just SSIDs, unified IP ranges and access across the network should be prohibited)
  • Printers and other devices are not on the same IP range as the Wifi; those with access to printers and devices must be provided access
  • Data sharing should happen in the cloud; or in a device that has been configured with user authentication
  • LAN ports should not be using DHCP, if those ports are physically accessible by teachers, students, parents, or guests
  • Equipment on the LAN should be managed; given an IP address; and be easily identifiable
  • VLANs need to be created to meet most of the above requirements; VLANs should be planned out on paper and clearly mapped for decision makers to understand
  • All Access Points need to be named and numbered to reflect their exact location on campus
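The topology goals above can be checked mechanically once the VLAN plan is written down. The following is an added example, not code from the original post: the `Segment` fields, the sample plan, the AP naming pattern and the rule names are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import namedtuple
from itertools import combinations

Segment = namedtuple("Segment", "name role vlan cidr wifi dhcp exposed_ports")

# Constructed plan (assumption, not the author's network): one row per segment.
PLAN = [
    Segment("students_wifi", "student", 20, "10.20.0.0/22", True, True, False),
    Segment("staff_wifi", "staff", 30, "10.30.0.0/23", True, True, False),
    Segment("guest_wifi", "guest", 40, "10.20.2.0/24", True, True, False),
    Segment("printers", "device", 50, "10.50.0.0/24", False, False, False),
    Segment("classroom_lan", "device", 60, "10.60.0.0/24", False, True, True),
]
# Assumed AP naming convention: building-floor-room-index, e.g. B2-F1-R104-AP03.
AP_NAME = re.compile(r"^B\d+-F\d+-R\d+-AP\d+$")
APS = ["B2-F1-R104-AP03", "Linksys-spare"]  # constructed names


def audit(plan, aps):
    """Return a list of (rule, subject, other) findings against the topology goals."""
    findings = []
    nets = {s.name: ipaddress.ip_network(s.cidr) for s in plan}
    # Roles must not share a VLAN or an IP range, whatever the SSIDs are called.
    for a, b in combinations(plan, 2):
        if a.vlan == b.vlan:
            findings.append(("shared-vlan", a.name, b.name))
        if nets[a.name].overlaps(nets[b.name]):
            findings.append(("overlapping-range", a.name, b.name))
    for s in plan:
        # Printers and other devices stay off the Wi-Fi ranges.
        if s.role == "device" and s.wifi:
            findings.append(("device-on-wifi-range", s.name, None))
        # Physically reachable LAN ports should not hand out addresses.
        if s.exposed_ports and s.dhcp:
            findings.append(("dhcp-on-exposed-port", s.name, None))
    # Every AP name must encode its location.
    findings += [("ap-name-without-location", ap, None)
                 for ap in aps if not AP_NAME.match(ap)]
    return findings
```

On the sample plan, `audit(PLAN, APS)` reports the guest range sitting inside the student range, DHCP on the classroom LAN ports, and one AP whose name carries no location.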

Web Filtering

Web filtering is often sold to schools as a turnkey holistic solution to manage content that students access. The truth is that web filtering will only, and always, be partially effective with students. Web filtering is highly effective in meeting the following goals:

  • Controlling what teachers and staff access
  • Controlling what guests access
  • Controlling what school owned devices access (devices that stay at school all the time)
  • Preventing accidental content being shown/broadcast on school owned devices
  • Meeting most due diligence standards concerning laws that govern content access and control
  • Showing an overall data set to help guide decisions based-on what people are doing and trying to do online

Web filtering has two main issues. First, HTTPS content can be blocked but not read. This means when students go to HTTPS websites, the school will not know what they are doing and/or interacting with on those sites. Since 2018, HTTPS is used more often by web users than the original non-secure HTTP. A few years ago, a person could type http://facebook.com. Today, everyone is forced to https://facebook.com.

Because many schools want to use web filters to study student access data, they will fail to achieve that goal, regardless of the fact the filter claims it can read the data. The filter can read some data, but not all; and currently not most.

Second, students can install and run VPN services fairly easily. When they do this, most filters are circumvented. Keep in mind that good VPN services are not free. Having those difficult conversations with parents at the beginning of the year, and as frequently as possible, is often more valuable than new snazzy technology solutions. If parents enable behavior, it is very difficult for school policies to be successful.

In summary, Physical Access, Guest Access, and Topology goals are usually achievable with current network hardware and software solutions employed by schools with a population of 500 users or more. Achieve these goals first, before investing in web filters or other solutions.

Remember, giving students freedom to work and create will create security loopholes. Depending solely on technology solutions in an environment where education opportunities abound is a bad strategy to pursue. There is no substitute for engaging students in dialog when they are acting inappropriately.

BYOD and Network Anonymity


By: Tony DePrato | Follow me on Twitter @tdeprato

Many countries have begun to create or enforce new rules concerning online anonymity.

Here are some examples of anonymity rules: South Korea, China, The United Kingdom

These rules are manifested in places like coffee shops that require a phone number to be verified via SMS. It is not optional anymore to allow students or staff to be online anonymously. Cyberbullying, hacking, and other issues cannot be addressed if the person (or persons) involved cannot be identified. Most school administrators may not realize how prevalent anonymous access is on many K-12 campuses.

General Policies and Procedures

There is often a knee jerk reaction to fix problems by spending money. There are plenty of nifty IT solutions to help with security, but without proper policies and procedures in place, technology will eventually fail.

Policies and procedures must be adopted and implemented from the highest levels of the organization. Any exemption creates a vulnerability. Luckily, the concepts and steps are simple enough, and they apply to both BYOD and non-BYOD schools:

  1. Every user on the network has a login.
  2. Logins are either genuine/legal names or employee/student ID numbers.
  3. Passwords are not shared or common.
  4. Every device on the network, printers included, must have the default username and password customized.
  5. School owned devices must require individuals to login; generic logins like “classroom1” cannot be permitted.
  6. Very young children who cannot manage a username and password must be assigned devices, and those devices need to have a static IP address.
  7. Children from grade 1 and up should learn to login with an individual username or using an ID number; a shared password is acceptable until grade 3.
  8. Primary school children should not be on the same network and/or Wifi as middle and high school children. This is essential to prevent older students using a younger student’s account.
  9. Teachers and students should not be on the same network and/or Wifi. Sharing should happen in the cloud or file servers.
  10. Guest access should be very limited unless there is a major event.

These policies and procedures have a two-pronged effect. First, they set a standard for the type of network equipment and design that is required. Secondly, they take very technical topics and reduce them to yes/no questions. “Are children under the age of six using assigned devices?” “Do all school owned devices require an individual login?” “Can students login to the network with a shared password?”

BYOD Specific Policies and Procedures

There is an underlying truth about letting people use equipment. If a person can take a piece of equipment to an anonymous location, they can hack into the equipment. If a school owns a laptop, and allows a student to take that laptop outside of the school, then that student can own that laptop and manipulate it.

I have demonstrated this to people who were setting policies for school owned equipment, and believing that the equipment was secure. I once unlocked a Windows laptop in 5 minutes with a USB tool I created from free software. I did this in front of three people who had deployed over 100 laptops to my campus, believing the laptops were secure. The last time a school gave me an Apple laptop loaded with “security features” I was able to circumvent the security in less than 10 minutes. The modifications were never detected. The truth is, I am not even half as motivated or talented as many students. However, I can think the way they think.

A few years ago I spent an entire day with a CISCO engineer. I wanted to brainstorm with him on BYOD security. We went through all the scenarios. In the end, we came up with a good low cost set of protocols for BYOD management:

  1. The school needs 3-4 SSIDs (Wifi Names) per division. For example: Teachers, Secondary_Students, and Guest. Primary students would not be able to use the Secondary_Student Wifi.
  2. Students, Teachers, and Staff must authenticate with the PEAP protocol. This means everyone needs to login like they are in a coffee shop. A small pop-up window asks for your username and password every 24 hours (or similar concept).
  3. All BYOD access requires a 3-point authentication process: MAC Address + IP Lease + Username. (If anyone wants to know HOW to do this, please email me directly).

These three steps ensure that unless Student A gives their username and password to Student B, it is impossible for Student A to use Student B’s computer (without committing theft). This is the core issue with BYOD. A school needs to be able to show how they know what they know. The access responsibility needs to be on the students, and down to a personal choice.
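One way to use the three points (MAC address, IP lease, username) together with the device registry from the Physical Access goals is to answer "who held this IP at this time?" after the fact. This is an added example, not the author's method or code from the original post: the record layouts, the names `REGISTRY`, `LEASES`, `AUTHS`, `attribute` and `concurrent_devices`, and all sample values are assumptions.

```python
from datetime import datetime, timedelta

T = datetime.fromisoformat

# All records below are constructed sample data (assumptions, not from the article).
REGISTRY = {  # MAC -> registered owner, filled in by the device-registration process
    "aa:bb:cc:00:00:01": "s1001",
    "aa:bb:cc:00:00:02": "s1002",
}
LEASES = [  # (ip, mac, lease start, lease end) as exported from the DHCP server
    ("10.20.0.15", "aa:bb:cc:00:00:01", T("2024-09-02T08:00"), T("2024-09-02T16:00")),
    ("10.20.0.16", "aa:bb:cc:00:00:02", T("2024-09-02T08:05"), T("2024-09-02T16:05")),
    ("10.20.0.17", "de:ad:be:00:00:09", T("2024-09-02T09:00"), T("2024-09-02T17:00")),
]
AUTHS = [  # (time, username, mac) from successful PEAP logins
    (T("2024-09-02T07:59"), "s1001", "aa:bb:cc:00:00:01"),
    (T("2024-09-02T08:04"), "s1001", "aa:bb:cc:00:00:02"),  # login on s1002's device
    (T("2024-09-02T08:59"), "s1003", "de:ad:be:00:00:09"),  # device never registered
]
SESSION = timedelta(hours=24)  # re-authentication interval from step 2


def attribute(ip, when):
    """Return (username, mac, verdict) for the device holding `ip` at `when`."""
    lease = next((l for l in LEASES if l[0] == ip and l[2] <= when < l[3]), None)
    if lease is None:
        return (None, None, "no-lease")
    mac = lease[1]
    # Logins from this MAC that are still inside the session window.
    logins = [a for a in AUTHS if a[2] == mac and a[0] <= when < a[0] + SESSION]
    if not logins:
        return (None, mac, "no-auth")
    user = max(logins)[1]  # most recent login wins
    owner = REGISTRY.get(mac)
    if owner is None:
        return (user, mac, "unregistered-mac")
    return (user, mac, "ok" if owner == user else "owner-mismatch")


def concurrent_devices(user, when):
    """Count distinct MACs with an active lease and a live login for `user`."""
    macs = {a[2] for a in AUTHS if a[1] == user and a[0] <= when < a[0] + SESSION}
    return len({l[1] for l in LEASES if l[1] in macs and l[2] <= when < l[3]})
```

An `owner-mismatch` verdict is the shared-credentials case the paragraph above describes, and `concurrent_devices` supports the goal of limiting how many devices one user has on the network at once.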

As with the general policies and procedures, this protocol will help set the network equipment and configuration standards without requiring the administration to have a deep understanding of technology.

Please feel free to contact me directly with further questions or to arrange a discussion.