Bring your own device is one of the hot topics of today, not only in education, but it seems in all public and private sectors. I don't intend to write about how useful or ineffective a scheme can be in education; however, I would like to discuss the subject from a technical point of view. Geek mode on...
Firstly and obviously you need wifi, but have you really thought about how your wifi will cope when hundreds, possibly thousands, of devices start connecting to it? Reading this blog by @johnnybevacqua, which touches on the subject, got me thinking.
Where I work we have tried to start a BYOD scheme. We knew we needed a robust, scalable and affordable wifi network. After much research and consultation with other schools, we decided to install a Ruckus controller, and 24 Ruckus 7363 access points.
We chose the Ruckus system for a number of reasons. Firstly, it came very highly recommended by many of the edugeek community. The controller allows for centralised management of multiple SSIDs, VLAN tagging, ACLs, a captive portal and LDAP integration, all of which I think are vital for securing and monitoring unknown devices within your network.
We chose the 7363 access point (which at the time was the mid range in terms of price) due to its a/b/g/n dual-band capabilities, beamforming technology, its internal switch functionality and its mesh capabilities. The latter two allowed us to place APs quickly without pulling extra network cables.
It was excellent to read this Tom's Hardware comparison a couple of months after we'd made our decision too!
We were also aware that to support this wireless network we needed to upgrade our core infrastructure. It's all very well having an all singing, all dancing wifi, but if your backbone isn't up to the job, the project will fail. We replaced our core switch with an HP ProCurve 5412zl, which also acts as our inter-VLAN router, HP ProCurve 2910al PoE switches at the edge, and HP ProCurve 2510s for client devices, all interconnected with multiple gigabit trunks. 10 Gbit was just not within our budget (or the capabilities of our fibre), but both the 5412 and the 2910s do support it if there is spare cash in the future.
Staff and student wireless devices are tagged within their own VLAN and given IPs within their own range. They are isolated from each other and have access lists applied which only allow them to reach our edge router and our Moodle site. We currently do not use Windows NAP.
The biggest issue we face, and the one which is often overlooked, was our internet connection. We currently have a 10 Mbit connection back to our LEA provider. This is simply not enough, and we are currently in talks with them about the most cost-effective upgrade. Schools who intend to use BYOD need to look at how much they can invest in their internet connection. @StephenHeppell at Learning without Frontiers 2012 said "Bring a Browser". That rang a bell with me. The device (and its apps) is becoming less important. The power is in the browser!
How restrictive is your internet connection? If it doesn't allow your BYOD users to access many of the apps, applications, cloud storage and websites they use at home, will they bother to connect? Filtering needs to be at a level that encourages users to connect, so that monitoring and safeguarding can continue.
That brings me to the LEA proxy server...
Our LEA, like many, provides services to hundreds of primary and secondary schools and libraries. Not only do they need to ensure the system is secure, they need to make it work for everyone. This brings issues: one solution does not fit all. The smallest libraries generally need a system that allows simple and straightforward web access. Primary schools need quick and easy access to a growing range of services. Secondary schools generally have a higher level of technical support in-house, and therefore like to push the boundaries a little more, and need a helpful, reactive service.
Most LEAs and RBCs ask their users to authenticate and use a proxy server. This is where a successful BYOD scheme will either fly or fail, in my opinion. The technicians in schools need access to a myriad of devices to test and support the staff and student devices. The easier they can make attaching to the internet, the better.
I have published both PAC and WPAD files on our internal network. We broadcast the WPAD file within our DNS, and on our Ruckus Controller (a new feature within v9.3). We created posters giving advice on how to configure devices to use PACs. The following grid shows my experience with a few of the devices.
| Device | WPAD | PAC | Manual proxy | Notes |
| --- | --- | --- | --- | --- |
| Android 2.3 | No | No | Yes | Depends on manufacturer |
| Linux | Yes | Yes | Yes | Depends on distro |
WPAD definitely gives the best end user experience, but popping a PAC file into your devices isn't too taxing. However, for most, manually inputting a proxy server, and various exceptions to allow access to internal services, is too much to bother with.
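As an added illustration (not the author's own PAC file), here is what a PAC file of the kind published on the internal network looks like: internal services the BYOD ACL already permits go direct, and everything else goes via the LEA's authenticating proxy. The proxy address, the internal domain suffix and the 10.0.0.0/8 range are assumed placeholders, and the browser helper functions are re-implemented minimally so the file can be exercised outside a browser.

```javascript
// Added example PAC file for a BYOD VLAN. Hostnames, ranges and the proxy
// address are assumed placeholders, not the author's real values.
// Browsers provide isPlainHostName/dnsDomainIs/isInNet; Node does not, so
// minimal versions are defined here purely so the logic can be run and tested.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isInNet(host, pattern, mask) {
  // Assumes `host` is already an IPv4 literal (a browser would resolve names).
  const toInt = ip => ip.split(".").reduce((a, o) => (a << 8) | Number(o), 0) >>> 0;
  return (toInt(host) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

const LEA_PROXY = "PROXY proxy.lea.example:8080"; // assumed upstream proxy
const INTERNAL_DOMAIN = ".school.example";       // assumed internal DNS suffix
const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// Entry point every browser calls for each request.
function FindProxyForURL(url, host) {
  // Unqualified names and internal hosts (moodle, edge router) bypass the proxy,
  // matching the exceptions the BYOD access lists already allow.
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  if (IPV4_LITERAL.test(host) && isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is unreachable the client fails closed
  // rather than silently bypassing the LEA's filtering.
  return LEA_PROXY;
}
```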
There are without doubt advantages to BYOD, but if you want your scheme to succeed then you must consider your infrastructure. I still have more work to do at my school, much of which is a matter of sitting down with the LEA and coming up with a solution which fulfils my users' needs whilst complying with their security concerns.
Please feel free to comment.