Protecting Your School’s Network While Managing Hundreds of
Table of Contents
Escalating Need for More Powerful Networks
Hurdles to Implementation
The Aerohive and JAMF Solution
Conclusion
ISTE 2012 Video Interviews
Aging school technology networks are under assault as a fast moving flood of mobile devices streams into school buildings across the country. Technology devices such as laptops, netbooks, iPod Touches, iPads, tablets, iPhones, smart phones and eReaders are putting increasing strain on network architecture and broadband connectivity. There are many schools that feature state-of-the-art technology access, but there are many more that do not have sufficient bandwidth to support the new emphasis on digitally delivered curriculum.
The National Educational Technology Plan (NETP), released by the federal Department of Education in 2010, clearly addresses the need to upgrade old networks and offer robust connectivity to achieve 21st century learning goals:
“All students and educators will have access to a comprehensive infrastructure for learning when and where they need it.
To meet this goal, we recommend the following actions:
4.1 Ensure that students and educators have adequate broadband access to the Internet and adequate wireless connectivity both inside and outside school.
4.2 Ensure that every student and educator has at least one Internet access device and software and resources for research, communication, multimedia content creation, and collaboration for use in and out of school.”1
Escalating Need for More Powerful Networks
These infrastructure directives are made to support sweeping changes in curriculum delivery, teaching, learning and assessment – also part of the national technology plan. The goal is to replace traditional schools, as institutions of content knowledge to be memorized, with a system where schools equip students with 21st century skills to help them become creative collaborators and life-long learners.
“21st century competencies and expertise such as critical thinking, complex problem solving, collaboration, and multimedia communication should be woven into all content areas. These competencies are necessary to become expert learners...”2
The federal Department of Education also instructed school districts to prepare for digital curriculum by 2015. Districts in Florida and Texas have already made the switch and are replacing textbooks with iPads. Hundreds of traditional basal and supplemental publishers now offer their content digitally in addition to print. Also, huge numbers of open source content advocates continue to press their case for instructional materials that are free to all. This is a moment of tremendous convergence in devices, digital delivery options and content resources.
There are indications that digital investment may result in increased student achievement. At Earhart Middle School in Riverside, California, the idea was tested with a direct instructional comparison. Two algebra classes used iPads while two other classes, taught by the same teachers, used the textbook. Both the digital curriculum and the print textbook were from the same publisher. 78 percent of the students who used iPads scored in the proficient range on the spring 2012 state test while only 59 percent of the students using the textbook scored in the same range.3
1 Office of Educational Technology, the U.S. Department of Education. (2010). Transforming American Education: Learning Powered by Technology.
3 Straehley, Dayna. “Education: Schools' Need for Wi-Fi Grows.” The Press-Enterprise www.pe.com. February 19, 2012.
Hurdles to Implementation
Replacing aging servers, routers and other components of technology infrastructure can be expensive. Many districts have investigated the costs of renovating or replacing their networks. The costs to update what they currently have can be prohibitive, particularly during this time of reduced school budgets. Some district networks have been patched up repeatedly, and others are exactly the same as when they were installed years ago.
To be able to respond to the demand for increased bandwidth to support thousands of mobile devices, districts need to invest millions of dollars to bring their networks fully into the 21st century. Those that are making the investment are offsetting some of the costs through a variety of efforts such as grants, city and county bond referendums, and corporate donations. In many cases, acquisition of mobile devices is being financed by grants, redirection of textbook funding, parent purchases and fundraising.
In an increasing number of systems, students are bringing their own devices to school (BYOD). There is speculation that the BYOD movement will be a temporary situation until the time when all students will be required to bring a mobile device to school just as they are now required to bring a calculator. The idea is that personal devices will become such an essential part of a student’s book bag that parents will be expected to provide one. In the interim, whether they are school purchased or brought from home, all mobile devices still need to be managed on the school’s network.
To help pay for mobile devices, many districts are holding onto their textbooks beyond the typical five- to six-year cycle. It is also likely that some of these districts will replace their print textbooks with digital ones – increasing demand for wireless connectivity. Certain textbook publishers now offer digital versions of their textbooks but not all. It is generally assumed that the shift to digital delivery will hasten the elimination of print textbooks in schools. However, there will certainly be districts that will depend on a hybrid solution for some years to come, simply because they do not have the resources to do
Mobile Device Management
Hundreds and thousands of mobile devices entering a district’s network can pose a challenge to efficient and effective network management. Whether or not the devices have been purchased by the school or brought into school as part of a BYOD initiative, not all devices are on the same platform. In fact, there are some devices, like commercial eReaders, where different brands do not play nicely with others. Some of the clash is due to different digital rights management programs. Common platforms for school mobile devices include Apple, Android, Blackberry and Samsung. When choosing mobile device management (MDM) software, schools and districts would be well advised to choose one robust enough to handle all platforms – those available now and new platforms that may need to be added in the future.
MDM software would reside on district servers or in the cloud.
Cloud-based solutions are gaining in popularity for K-12 districts, as they can be more cost effective than server-based options. The MDM software communicates with each device via Wi-Fi or cellular connection. Protecting students and their personally identifiable information is a top concern for districts as they are bound by law and good sense to protect student privacy.
Robust MDM software allows schools to manage mobile devices even outside school walls. Schools can trace devices – even lock down or erase a device remotely if it is lost or stolen.
This management software can specify which programs/apps can be downloaded on the devices. This feature addresses concerns about students accessing inappropriate content on their mobile devices.
Unfortunately, the increase in mobile devices in schools is not matched by an increase of technology support staff, so finding solutions that allow devices to be efficiently managed as a group is important. Not only are school-based technology coordinators and directors implementing several hundred new tablets at a time, they are often adding these to large numbers of existing tablets, computers and interactive white boards that they support.
One of the greatest challenges in managing mobile devices is that each device must be equipped with a management profile to access the network. Each individual device must be configured to access the network. Trying to accomplish this for hundreds of new devices each year can be a real headache.
Success often depends on teachers issuing devices and monitoring policies. Teachers have different levels of technology comfort and this is one more responsibility for teachers who are already overloaded. Sometimes there is no way to enforce enrollment policies, and there are significant numbers of students who know how to uninstall the profiles.
Technology directors also understand that the level of technical support from software and hardware companies can be critical to successful implementation of hardware and software. They are looking for best-of-breed solutions that value the implementation process as much as they value the sales process. School and district technology teams are looking for vendors who can be partners; vendors who understand the staff limitations in schools; and vendors who are as committed to making a difference as they are to making a sale.
The Aerohive and JAMF Solution
The leading mobile devices in schools are Apple devices. At the end of the 2011-2012 school year, more than 1.5 million iPads had been introduced into schools. Over this past summer, hundreds of districts purchased thousands of iPads for the 2012-2013 school year. The iPad is perceived by many as a game-changer for K-12 education that will help spur the transition to a more digitally rich curriculum.
The introduction of so many devices has created challenges for school Wi-Fi managers. Network administrators need robust connectivity to support the increasing number of devices. They also need efficient ways to manage the devices for software delivery, eBook distribution, information security and inventory control.
The partnership between Aerohive and JAMF Software combines two best-of-breed solutions that address these concerns and provide a complete, simple management and network access solution. JAMF created the Casper Suite, which is the only suite of Mac OS X and iOS management software developed exclusively for the Apple platform. The Casper Suite provides a great breadth and depth of functionality for IT administrators including software distribution, imaging, inventory, package building, image management, remote updates, mobile device management, and a powerful framework for automated support.
Complete and fully integrated Apple Management Solutions
Aerohive’s Cooperative Control Wi-Fi solutions along with the JAMF Software Casper Suite provide a robust and comprehensive solution for managing Apple devices. Together the solution provides many benefits, including:
• Automated Enrollment and Re-Enrollment
New or unmanaged Apple devices joining the network are automatically redirected to the JAMF Software Server (JSS) to enroll and acquire the MDM profile. No network access is available unless the profile is installed, and if the profile is uninstalled for any reason, network access is again revoked until the profile is re-installed. This takes the guesswork out of initial enrollment for Apple devices and ensures that devices connected to the network remain under management, solving a security concern.
• App and eBook Distribution/Updates
Full support for deploying, updating, removing, and configuring App store apps and privately distributed apps, as well as uploading, distributing, managing, and tracking Volume Purchase Program (VPP) codes. In addition, administrators can deploy, manage, update, and remove iBookstore, in-house, and public domain books in iBook, ePub, and PDF file formats.
• Configuration and Security Profiles
Administrators can configure the entire range of Configuration Profile settings available on iOS devices, build Configuration Profiles from directly within the JAMF Software Server or upload Configuration Profiles previously created with the iPhone Configuration Utility. Administrators also have the ability to require that users enable security pass codes on their devices, configure a wide range of settings and policies, and configure account access through integration with LDAP (Lightweight Directory Access Protocol). They can even require that users enable data encryption on their devices, and in the event that a device is lost or stolen, have the ability to quickly lock or wipe the device remotely.
• Inventory and License Management
Management capabilities include the ability to gather a full inventory of device information, installed apps, and settings.
Administrators can easily reference purchasing and warranty information from Apple’s Global Service Exchange (GSX) database and populate user information with LDAP. Devices check in regularly (every 24 hours by default) to provide inventory information, which can be utilized in a variety of ways for configuration and compliance.
• Network-Based Mobile Device Management
If the connected devices are not corporate or school-issued or if they are not Apple devices, an administrator still has the ability to implement network access controls based on identity, device type, connecting location, and time of day. These controls are independent of the MDM profile and require no acceptance or installation of any software on the end-user device, but rather rely on the intelligence of the infrastructure to enforce permissions to network resources.
Test-driving JAMF’s Casper Suite
Six years after implementing JAMF Software’s MDM Casper Suite in the Lakeville Area Public School District in Minnesota, Sandy Hinding, Lead Macintosh Technician, and her colleagues continue to depend on the Casper Suite as they grow their network in 2012. Even with funding obstacles, Sandy and her team have been able to complete multiple large projects that include mass imaging deployments, Self Service utilization and an iOS deployment (with an expansion of iOS devices most likely on the horizon).
In the summer of 2011 the school district experienced multiple budget cuts resulting in teacher layoffs, increased class sizes and the closing of one building. With the relocation of many machines across multiple sites, the IT department wanted to ensure data wasn’t being transferred with the computers. Using the Casper Suite they implemented yet another mass imaging project, which included an upgrade from OS X 10.5 to 10.6. But, according to Sandy, her travel from site to site was minimal.
Due to budget cuts, there has been a decrease in tech support hours in buildings across the district. However, Sandy’s team has been able to counteract the issue by using Self Service to allow end users to perform general troubleshooting on their own machines.
“It’s so easy to be able to spell it out for them, it’s a one-click solution,” she said. “If I put it in Self Service I know they’re doing it the way it’s supposed to be done. All the steps are in the right order.”
Sandy is pleased to receive positive feedback from teachers when it comes to Self Service. She said they feel empowered to learn how to help themselves, instead of waiting for an IT administrator to come to them. For example, it has helped save a significant amount of time on a seemingly simple, yet common request – setting up printers.
With the time and resources saved by the Casper Suite, Sandy has been able to think ahead to her future projects. As a long-time customer, she said her JAMF Software Server has “gotten a bit bloated” and plans to trim down some of her imaging configurations. Using scoping and software usage tracking, she said she’s evaluating packages from over the years to determine what can stay, and what needs to go – reducing costs for unused software.
As a satisfied Casper Suite customer, Sandy says, “I’m not interested in looking at whatever other solution I see out there. Maybe there will be other competition, but we’re invested in JAMF. We see it as the future.”4
4 Lakeville Area Public Schools Case Study.
How Aerohive's Cooperative Control Wi-Fi works with JAMF's Casper Suite
Enforcing security and access controls on the hundreds of devices in schools and districts is a primary concern for technology directors. There are basically two main options when it comes to controlling and containing mobile devices:
• An agent/profile-based solution
• An intelligent network infrastructure to enforce permissions to resources based on identity, device type, location and time.
In order to be truly successful in corralling the “iEverything” explosion, the ideal infrastructure solution will support both.
Using network infrastructure to enforce mobile device management, otherwise known as Network MDM, is an essential feature for any networking provider. Aerohive uses the highly intelligent cooperative control capabilities built into HiveOS to enforce network permissions based on identity, device type, location, application, and time. This allows administrators to control what, how, and when the device can access network resources, but does not extend to controlling access on the device itself. In order to support functionality such as security policy enforcement, app and software installation/updates, and licenses, a profile-based MDM solution is required.
Agent or Profile-based Mobile Device Management allows an administrator to tightly control devices on the network by enforcing security parameters such as requiring a pass code on the device, remotely wiping the device in the event of misuse or mishandling, controlling app and software installation and updates, and distributing configuration information. The most common issue with profile-based mobile device management solutions is simply getting the profile installed on the device itself, and then ensuring an enterprising user doesn’t simply uninstall it once it is there. The Aerohive and JAMF Software Casper Suite integration solves this dilemma for administrators who want to use a profile-based MDM solution for managing Apple devices.
New or unmanaged Apple devices joining the network are automatically redirected to the JAMF Software Server (JSS) to enroll and acquire the MDM profile. No network access is available unless the profile is installed, and if the profile is uninstalled for any reason, network access is again revoked until the profile is re-installed. This takes the guesswork out of initial enrollment for Apple devices and ensures that devices connected to the network remain secure and under management.
The cloud-based Aerohive and JAMF Software solution is integrated into HiveOS and HiveManager 5.1. The network administrator simply specifies the configuration parameters for the Aerohive devices to enable JSS integration, and then whenever a new iOS device joins the network, the JSS server is queried to determine if the device is known and whether the profile is currently installed on that device. If the JSS server reports that the device is unknown or the profile is currently not installed, the device is immediately redirected to the JSS MDM Profile enrollment page and is required to download the profile before gaining access to the network.
Configuring forced and reinforced MDM enrollment on the Aerohive access points and routers is as easy as checking the box to enable the service and specifying the JAMF Software Server (JSS) enrollment URL. This feature can be enabled per-SSID, so the administrator can determine which iOS and OS X devices are forced to enroll to get a JSS profile.
If the connected device is not an Apple device, the administrator can specify additional parameters for containing access for that device using Aerohive Network-based MDM. This functionality allows an administrator to configure customized network, firewall, QoS, time-of-day schedule, and tunneling policies based on the identity of the user and the device type. Device type can be determined using DHCP option 55 or the HTTP user agent, or both, to ensure all devices are properly identified and permissions are granted. This feature can also be configured on a separate SSID to enable all guest devices (even Apple devices) limited access based on identity, device, location, application, and time.
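The enrollment check and device-type identification described above can be modeled in a few lines. This is an added example, not Aerohive or JAMF code: the fingerprint table, the `mdm_records` lookup standing in for the JSS query, and the enrollment URL are assumptions made for illustration.

```python
from dataclasses import dataclass

# Illustrative DHCP option 55 (parameter request list) fingerprints.
# Assumed sample values; production systems use a maintained fingerprint database.
DHCP_FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): "apple",
    (1, 33, 3, 6, 15, 28, 51, 58, 59): "android",
}
# Substrings looked for in the HTTP User-Agent header (illustrative, not exhaustive).
UA_MARKERS = (("iPad", "apple"), ("iPhone", "apple"),
              ("Macintosh", "apple"), ("Android", "android"))
ENROLL_URL = "https://jss.example.edu/enroll"  # placeholder, not a real server


@dataclass
class Decision:
    action: str  # "allow", "redirect" or "restricted"
    detail: str


def classify(option55: bytes, user_agent: str) -> str:
    """Identify the device family from option 55, the User-Agent, or both."""
    # The option 55 payload is one byte per requested option code, in order.
    by_dhcp = DHCP_FINGERPRINTS.get(tuple(option55))
    by_ua = next((fam for marker, fam in UA_MARKERS if marker in user_agent), None)
    if by_dhcp and by_ua and by_dhcp != by_ua:
        return "unknown"  # both values are client-supplied; a conflict is not trusted
    return by_dhcp or by_ua or "unknown"


def decide(mac, option55, user_agent, ssid_enforces_enrollment, mdm_records):
    """mdm_records is a hypothetical stand-in for the query to the MDM server."""
    family = classify(option55, user_agent)
    if family == "apple" and ssid_enforces_enrollment:
        record = mdm_records.get(mac.lower())
        if record is not None and record.get("profile_installed"):
            return Decision("allow", "known device, profile installed")
        # Unknown device or profile removed: no access until enrollment completes.
        return Decision("redirect", ENROLL_URL)
    # Non-Apple, unidentified, or guest-SSID devices get network-based policy only.
    return Decision("restricted", f"network policy for {family} device")


if __name__ == "__main__":
    # Constructed sample data: one enrolled device, one whose profile was removed.
    records = {"aa:bb:cc:00:00:01": {"profile_installed": True},
               "aa:bb:cc:00:00:02": {"profile_installed": False}}
    ios55 = bytes([1, 3, 6, 15, 119, 252])
    ua = "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X)"
    for mac in ("AA:BB:CC:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"):
        print(mac, decide(mac, ios55, ua, True, records))
```

Because option 55 and the User-Agent are both supplied by the client, the policy applied to "unknown" and non-Apple devices should be the least-privileged one.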
The Aerohive and JAMF Software partnership provides a cost-effective and comprehensive solution for the management of the influx of Apple devices into schools and districts. By enabling comprehensive management of Apple devices, control of eBook and App distribution, and automating and enforcing enrollment of devices to ensure compliance with school policies, this solution represents a compelling vision for managing the technology requirements of the schools of the future.
But don’t just take our word for it. Check out some interviews with customers at the 2012 ISTE conference in San Diego.
http://aerohive.com/solutions/solutions-industry/education
As you will see in the videos, we frequently hear these types of comments from technology directors from across the country:
• “Does exactly what it says it will.”
• “Easy to install, easy to scale access points, easy to manage.”
• “Campus-wide connectivity inside and out.”
• “No implementation issues at all.”
• “Reduces cost.”
Aerohive Networks reduces the cost and complexity of today’s networks with cloud-enabled, distributed Wi-Fi and routing solutions for enterprises and medium sized companies including branch offices and teleworkers. Aerohive’s award-winning cooperative control Wi-Fi architecture, public or private cloud-enabled network management, routing and VPN solutions eliminate costly controllers and single points of failure. This gives its customers mission critical reliability with granular security and policy enforcement and the ability to start small and expand without limitations. Aerohive was founded in 2006 and is headquartered in Sunnyvale, Calif. The company’s investors include Kleiner Perkins Caufield & Byers, Lightspeed Venture Partners, Northern Light Venture Capital and New Enterprise Associates, Inc. (NEA).
About JAMF Software
By listening to colleagues, customers and thought leaders in the industry, JAMF Software has grown into the world leader in Mac OS X and iOS management. JAMF Software continues to develop software made to support Macs and iOS devices in an enterprise environment. From their offices in Minneapolis, Minnesota and Eau Claire, Wisconsin, JAMF Software builds innovative solutions and has assembled a support and services team dedicated to helping customers manage Macs and iOS devices.