Going Public: The Simplest Approach to Mobile Security

A large Texas school district simplified its mobile device security approach by deflecting all device activity to a public Wi-Fi network.

Katy Independent School District has outfitted every fifth grader in the district--2,700 of them--with HTC Droid Incredible phones from Verizon. Every campus in the 63,000-student district has carts filled with wireless laptops and wireless netbooks to run on the school-supplied wireless infrastructure. There's plenty of bring-your-own-device activity with teachers, students, and staff. Plus, just about every principal and assistant principal has a district-supplied Samsung Galaxy tablet. Starting in the 2012-2013 school year, one of Katy's elementary schools will be piloting a new tablet program, though CIO Lenny Schad said he still isn't sure whether those will be tablets running iOS, Android, or Windows 8.

With that proliferation of devices, however, Schad said he doesn't fret much about mobile security or management. His approach is simple and elegant: The devices are expected to work their educational magic through the public Wi-Fi provided on each campus, "just like a user walking into Starbucks," he said. "When the teachers and students walk onto campus, they search for the public Wi-Fi that's available to them and they connect to it."

No Cell Phone Service, No Texting
In the case of the student mobile phones, cellphone use and texting are turned off. They're strictly mobile learning devices enabled to access the Internet. "They're on the Wi-Fi at school. When the kids take them home, they're on the Verizon network at night," Schad explained.

He doesn't have to worry about managing them because they're never accessing internal network resources. Teachers handle pushing out new apps to the phones; students can't do that themselves, because they don't have access to the Android Market (now known as Google Play).

The district relies on Verizon to keep the Incredibles' operating system updated. That updating starts the moment the student walks off campus. "By the time they hit the parking lot, they've lost their Wi-Fi coverage," Schad said. "At that point the phones flip over and get on the Verizon network. We've set up a VPN tunnel with Verizon, so that the Verizon network recognizes these as student devices."

So whether the students are on the school Wi-Fi or the Verizon 3G service, the phones' Internet access is filtered for Children's Internet Protection Act (CIPA) compliance, in the same way district computers are, "so the kids can't go to inappropriate Web sites."

The same basic approach applies to the Samsung tablets in use by principals and other users who bring devices into the schools. "We don't want to authenticate anything, because I don't know if you're a staff member, student, or guest," Schad said.

There's a limit, of course. The Katy ISD approach requires that each school filter people on campus to the lowest common denominator. "If you're at the high school and you're a staff member, you're filtered to the high school student level," Schad said. "We do the same thing at the junior high or elementary schools." The district is considering tweaking that a bit in the next school year to allow staff members to authenticate on non-district computers, but no final decision has been made.

The Secret Weapon
The principals were outfitted with tablets in the first place to allow them to go into classrooms and perform teacher evaluations. "It's easy for them to walk in and tap through an evaluation while they're sitting there watching the work happen," Schad noted.

They can do that, he said, because the software they're using--in fact, the software in use by all of these mobile device users--is Web-based.

That's the benefit of having spent many years focusing on building up the use of Web 2.0 in the district. Teachers and students do much of their communication and collaboration through Edmodo, a Web-based social networking and course management system. Principals use Eduphoria SchoolObjects pdas, a Web-based application, to do teacher evaluations. In both of those situations, Schad doesn't worry about encryption because confidential data isn't stored locally on the device; it's maintained on the Web service. "Most of our core subsystems are Internet accessible, I'm not eliminating a lot of resources when I say, 'You're not logging into our network.' That is why going with the public Wi-Fi made so much sense."

In addition, from a management perspective, "there's zero going on with those devices." When somebody's phone or tablet needs technical support, district techs "press the reset button and take it back to the factory settings," he said.

Rigidity and Control vs. Public Access
That doesn't mean that simply allowing Internet-enabled devices to proliferate would work on any campus. It depends on the cultural readiness of the organization, Schad observed, "because that's going to drive your technical decision."

District leaders need to evaluate user expectations. Katy ISD users expected to connect to the Internet to get to the majority of their resources; that was how they had been learning to work as professional development took place. That meant the public Wi-Fi approach would work in the Katy environment.

However, "If you haven't made an investment in Web 2.0 and the majority of your instructional resources still are sitting on your internal network, then the path is internal authentication with a device management overlay on top of that," Schad said, pointing out that it can be expensive. "When I do that, I've got to go through all these things that check what operating system you have, what version of virus protection, what version of the latest drivers. And it goes through all these checks, because now I'm letting you inside my wall and I'm jeopardizing my whole infrastructure."

Faced with that pricey proposition, the decision becomes whether to invest in the immediate payoff of that overlay structure or follow the longer-term process of getting those internal resources online and available through the public Wi-Fi.

"That internal side has to be rigid and controlled and limiting," Schad noted. He prefers the route Katy ISD is following. "We're blazing new ground here as it relates to how mobile devices can interface and interact with your existing infrastructure."
