Saturday 19 November 2016

Using Google G Suite to manage BYOD in Schools

One problem that schools often face when they introduce a Bring Your Own Device (BYOD) strategy is that it can be too successful.

Students have a lot of personal devices, and discovering that the senior year groups have just dumped several hundred devices on your wireless network only days after posting the key code on the staff notice board can come as a bit of a surprise.

The normal response is to try to impose some order on the chaos by employing Mobile Device Management (MDM) software. Unfortunately most MDMs come with a price that matches the feature set, and while a school can justify an annual licence fee to manage its own devices, it’s more difficult to make that argument when the devices are personally owned.

The cost justification is made even more difficult by the fact that you don’t really need all the extra features of a ‘full fat’ MDM to manage BYOD, just a version with a few key components that doesn't attract a licence - MDM ‘lite’ in fact.

Other than the ability to protect your valuable wireless resource and being free - what other features of MDM ‘lite’ would be useful in managing personal devices in school?
  • A method of connecting or on-boarding devices to the wireless network that doesn't involve standing in a queue outside the IT support office.
  • A system that matches the device with a user account for tracking purposes along with the ability to restrict access to users and devices that are misbehaving in some way.
  • Protection of school data on the device with the ability to delete it if the device is lost or compromised.
Fortunately these elements are part of the Mobile Management section in Google's G Suite for Education. The basic features are licence free and capable of managing personal Android tablets, iPhones and Microsoft devices - MDM 'lite'.

So what exactly do you get for nothing? Quite a lot as it turns out.
  • The ability to install a management profile on the device that will allow an administrator to wipe the device if compromised.
  • Password and pincode controls.
  • The ability to remotely configure and install a wireless profile.
  • Collect basic inventory information.
  • An approval mechanism with an ability to bar devices.
  • Reporting of the user to device relationships.
  • The ability to identify and block compromised devices.
  • The ability to disable the camera function.
  • The ability to require device encryption.
There’s no application control but of course since we’re all using SaaS that’s not an issue!

The onboarding process is fairly simple. The user is required to accept a management profile to access any resource that requires a Google organisational logon. The installed profile also contains the information to join the school's wireless network.

The user has the ability to remove the profile at any time but this also removes rights to the network and organisational resources. An administrator has the rights to deny or revoke access at any stage.

The profile can be very minimal and still deliver the key element of access control, and just because a particular policy is available, that doesn't mean it has to be turned on.
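The approve/bar decision described above, sketched as an added example (not code from the original post and not Google's API): the policy names, record fields and device records below are hypothetical and constructed for illustration. It runs the same inventory through a minimal profile and a stricter one to show how turning on extra policies changes which personal devices get barred.

```python
from collections import defaultdict

# Policy toggles modelled on the controls the post lists; a minimal profile
# leaves most of them off. Names are hypothetical, not G Suite setting names.
MINIMAL_POLICY = {"block_compromised": True, "require_passcode": False,
                  "require_encryption": False}
STRICT_POLICY = {"block_compromised": True, "require_passcode": True,
                 "require_encryption": True}

# Constructed inventory records (not real export data).
DEVICES = [
    {"id": "dev-001", "owner": "student1@school.example", "state": "pending",
     "compromised": False, "passcode": True, "encrypted": True},
    {"id": "dev-002", "owner": "student1@school.example", "state": "approved",
     "compromised": True, "passcode": True, "encrypted": True},
    {"id": "dev-003", "owner": "student2@school.example", "state": "pending",
     "compromised": False, "passcode": False, "encrypted": False},
    {"id": "dev-004", "owner": "staff1@school.example", "state": "approved",
     "compromised": False, "passcode": True, "encrypted": False},
]

def decide(device, policy):
    """Return (action, reasons) for one device under the given policy."""
    reasons = []
    if policy["block_compromised"] and device["compromised"]:
        reasons.append("compromised")
    if policy["require_passcode"] and not device["passcode"]:
        reasons.append("no passcode")
    if policy["require_encryption"] and not device["encrypted"]:
        reasons.append("not encrypted")
    if reasons:
        return "block", reasons
    # Compliant: approve anything still waiting, leave the rest alone.
    return ("approve" if device["state"] == "pending" else "keep"), reasons

def triage(devices, policy):
    """Group decisions by owner: the user-to-device report an admin reviews."""
    report = defaultdict(list)
    for d in devices:
        action, reasons = decide(d, policy)
        report[d["owner"]].append((d["id"], action, reasons))
    return dict(report)

if __name__ == "__main__":
    for name, policy in (("minimal", MINIMAL_POLICY), ("strict", STRICT_POLICY)):
        print(name)
        for owner, rows in triage(DEVICES, policy).items():
            print(" ", owner, rows)
```

Under the minimal profile only the compromised device is barred; the strict profile also bars the two devices missing a passcode or encryption, which is the trade-off to agree with users before switching those policies on.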

Supervising a personal device is a process that must be agreed and understood by all parties, especially in an EDU environment. It can be mistrusted so it’s best to keep things simple.

The operational and technical considerations are outlined in a separate post which should be fully understood before proceeding.

So in addition to Chromebook control, G Suite for Education can provide a method for managing BYOD devices with a tub of MDM 'lite'.

Spread it thickly.

Thursday 17 November 2016

Can SaaS solve the IT problems in your school?

Unlike some other ‘fads’, Software as a Service (SaaS) is not a solution in search of a problem. It has real benefits that address a wide range of issues that schools face supporting IT on a day to day basis.

Many schools are already committed users of SaaS through Office365 for Education, G Suite for Education or some other externally hosted web based service.

In the early days SaaS was seen as a ‘cut down’ option that solved specific issues with local infrastructure but was essentially limited in function. This is no longer true and it can be argued that, given the choice, adopting SaaS is the best strategy for the reasons below.

Scalability and Accessibility.
For the first time smaller schools can access the same sophisticated software that was once only available to schools that had an IT budget to run the local infrastructure to support it. This is because a SaaS solution is inherently scalable in both directions. A design that is suitable for ten students can scale up to hundreds without any consideration of hardware or software upgrades.

Compare this with a traditional on-premise solution which has limitations at every level including storage, memory, processing and software licensing blocks. Seamless expansion is normally allowed for by over-specifying the solution during the initial purchase on the grounds that subsequent upgrades are ‘expensive’, which leads to inefficiencies and waste.

SaaS also avoids the financial time bomb that is the hardware upgrade cycle.

This point hardly needs stressing to anybody who has visited a school that has installed local infrastructure in the last ten years but still runs the same set of servers because they could never afford to replace them. A solution that eliminates the need for servers altogether is more likely to be successful in the long term than one that simply replaces one set of servers with another.

Local infrastructure has become far too complicated for most schools to manage.

When schools operated a single file and print server with staff mailboxes the situation was manageable, but the pressure on establishments to provide ever more sophisticated IT services, along with the adoption of the internet as a teaching tool, has meant that facility members rarely have the breadth of knowledge or the time to support IT.

The basic skills required to operate a small to medium sized school now include an understanding of Layer 3 switching, server virtualisation, the basic principles of shared storage, secure wireless protocols, Microsoft Group Policy management, imaging techniques, patch management, antivirus software, backup packages, tape media devices, application deployment, edge security, remote access, content filtering and a whole range of disparate software packages, all of which claim to reduce the “management overhead” but in reality only add to it.

All this is before a new wave of requirements around iPad integration, mobile device management, ‘everywhere learning’, ‘flipped classrooms’, BYOD, 1:1 programs and the Windows desktop replacement program hits the shore.

Surely what any school requires is a system that's easy to understand and can be administered and maintained by the facility team without any specialised skills. This is what SaaS can deliver.

At the moment I predict two possible scenarios for the future.

In the first, schools follow a traditional route and initiate a server replacement program combined with a support contract supported by the onsite IT team. After five years the hardware will be so expensive to replace and upgrade that the issue will be ignored and they will end up with the same problem they had before, only it’ll be much larger and cost more to fix.

A more likely scenario is that the teachers will become disillusioned and start independent initiatives to make use of an increasing number of cheap, easy to use SaaS services that bypass the school infrastructure altogether. At some point in the future the school will not be able to understand how so much money was invested in an energy hungry, air conditioned on-premise server farm that doesn't even run the software and services the school now depends on.

Serverless School