Device Management Standards
- Part of:
- Education Digital Standards
All user devices in school whether rich client or mobile should be managed. You need to ensure that safeguarding and cyber security protocols are in place in line with your overarching school policies. You also need to plan for succession – all devices have a limited lifecycle and there will be annual costs to licence and maintain them. Building this total cost of ownership into financial planning will enable you to replace and upgrade devices more readily.
For the purposes of this Standard, rich client refers to a device which plugs directly, and mapped, onto the school IT network. Typically, this would be a desktop. A mobile device works over the school Wi-Fi and is predominately light weight and designed to be used on a more ad hoc basis throughout the school, rather than in a fixed location. These would typically be mobile laptops or tablets.
Implementation of mobile solutions in school should take account the existing infrastructure and wireless provision to ensure that the supporting environment is able to meet the demands.
In this context, a 'managed device' is one that can be updated and configured remotely. Ensuring all devices in school are managed prevents individual machines disrupting lessons by performing unplanned updates or missing essential software apps.
It is essential that you plan for the introduction of new devices carefully so that the network is capable of supporting their introduction and the correct images have been installed to ensure that they can be properly supported.
All devices owned and used by the school should be managed. This means that the device is being monitored, configured and secured. It will also allow Education Technology Support Partners to ensure the latest security patches and the correct configuration is applied.
It is essential that you plan for the introduction of new devices carefully so that the network is capable of supporting their introduction, and the correct images have been installed to ensure that they can be properly supported.
Management of rich client devices can be done through the Network Performance Management tools. Management of mobile devices can be done through an appropriate Mobile Device Management (MDM) resource.
It is important to remember that schools rely on IT in the same way as businesses do and are not simply larger versions of home usage situations.
Devices bought for school use need to be "enterprise grade" and allow for appropriate settings, security and safeguarding measures to be applied consistently, otherwise teaching and learning can be disrupted with devices behaving differently in lessons.
Buying devices under an education contract can help minimise disruption caused when devices need repairing or replacing.
Devices should not be purchased from high street vendors – whether online or in store – as they will not have the necessary educational cover, and may not be suitable for deployment in a bulk user environment leading to connectivity issues.
Network devices should be enterprise grade equipment and not home user level equipment. This will ensure that they are designed to be managed and maintained effectively in a bulk user environment. It also ensures that the drivers, compatibility and life expectancy are suitable for a large deployment and high use environment.
When buying devices, you should consider the lifecycle of the device model, its processing power and memory. You need to consider whether it is sufficient to meet the needs of its intended user(s), and the warranties in place to support its lifecycle. You should also factor in the requirements for licencing any MDM solution for that device.
This can help you assess “whole life” costs (“total cost of ownership”), including the market price of the device : costs of managing those devices; costs for digital applications and resources; and technical support plan options.
Procurement of devices should be carried out through recognised routes such as frameworks identified by the Welsh Government or local authorities. These will provide assurance through due diligence checks made on the vendor/resellers on the framework in areas such as trading viability; track record with education customers; and act on behalf of the sector to achieve best value.
Please note that devices bought from high street retailers – whether online or in store – will not be built to go on a school IT network, and are unlikely to conform to policy settings or warranties that are appropriate to education.
It is also important to ensure that purchase of devices is completed in line with statutory procurement regulations. Schools should seek guidance from the local authority in cases of doubt.
The best way to manage devices in school is to use dedicated MDM software. Essentially this allows schools to configure all devices in a secure way in one go, and to 'push' out new apps or updates at convenient times outside of core teaching hours.
Your Education Technology Support Partner will be able to advise you on how an MDM can be used in your school.
Implementation of mobile solutions in school should take account of the existing infrastructure and wireless provision to ensure that the supporting environment is able to meet the demands.
Features of an MDM solution should include:
- Application delivery
- Appropriate software controls
- Caching services as appropriate
- Usage tracking
- Operating restrictions
- Remote access to manage security.
Furthermore, ensuring that all school owned mobile devices are managed as part of a wider MDM solution will provide consistency across the estate of devices in schools. It also ensures that all devices are maintained and managed effectively.
Please note that Windows devices are managed separately to this through Group Policies.
Setting and agreeing appropriate security and usage policies when implementing your MDM solution will ensure that all your devices will be protected the same way from cyber threats.
Policies should be reviewed on a regular basis in line with wider school safeguarding policies.
Mobile Device Management (MDM) solutions allow for devices to be managed and deployed effectively across the school IT network. Ideally, the solution should support as many operating systems as possible. It should also be cloud-based to allow for enterprise level management; automated processes; and scalable for new users and increasingly sophisticated device types.
This is particularly important for tablet devices.
iPads should be procured with DEP enabled. Your local authority should be able to advise on how to ensure DEP.
The MDM should be able to:
- Authenticate users
- Deploy mobile apps
- Update and manage mobile apps
- Apply configuration and policy management
- Apply remote management – remote wipe in case of loss or theft
- Back-up and restore capability.
Schools should consider the integration potential for new devices with the MDM solution being deployed.
Schools should ensure that filtering and firewalls are configured in advance of the introduction of a new MDM solution, and are part of the testing regime of new devices and operating systems.
Specific considerations for a MDM, solution are outlined in more detail below:
- Where rich client tablets and laptops are being deployed, schools should manage them as part of an MDM solution
Where possible, large numbers of mobile devices – laptops and tablets – should be managed as part of an MDM solution. This allows for schools to ensure all mobile devices are being managed effectively. It also allows mobile devices to be planned around need, rather than what the current technical infrastructure can support.
- The solution must support access to device settings to manage security
The capability to remotely lock and wipe devices should be enabled as part of the solution. These are standard in most MDM solutions.
Policy based enrolment onto a MDM solution allows for security protocols to be applied from the outset of usage. These policies and protocols should follow wider school safeguarding and data protection policies. For completeness, these should form part of the overarching documentation retained by the school for those policies.
Approaches to security and data management for MDM should be reviewed in line with the wider review of safeguarding protocols.
The school should keep a full inventory of all IT equipment, or at least all IT devices (PCs, Laptops, tablets). Ideally the device management platform will support this.
New devices should be thoroughly tested before being used in school to minimise any disruption caused by missing software or incorrect settings.
All new devices - mobile and rich - should be built with appropriate images and tested before they are widely adopted on the school IT network. This should include:
- Appropriate access and security protocols installed;
- Updates and caching services have been allocated and managed; and
- Devices have been inventoried and included as part of overall asset management.
This prevents ‘rogue’ devices (those which haven’t been configured appropriately for the school IT network) negatively impacting on the school IT network. It also ensures that new devices have been built to minimise the impact of device updates by applying them at the build stage.
Devices that are not running an up to date operating system are a security risk as vulnerabilities can be exploited once online. Having all devices on the same version also minimises disruption caused by differing learner experiences
You should be aware when vendor support for an operating system comes to an end, so you can plan for replacements and upgrades. As a guide, planning should start no later than 18 months prior to the vendor’s scheduled end of support date.
Ensuring that all your teaching and learning devices are running on an up to date operating system means that your devices will be secure and protected from cyber threats, through the software updates made available by the vendor.
Please note that updates to operating systems can be large, and therefore impact on your network connection if not managed appropriately. See Standard F6.
Schools should be aware of when vendor support for operating systems comes to an end, in order to make plans to upgrade the operating system.
Maintaining an up to date operating system ensures that the school is providing optimal tools and resources to support digital learning. From a security point of view, it also ensures that devices and the school network are receiving updates to software, and security patches. Careful planning for how you will upgrade the operating system needs to be undertaken, as some devices in school will no longer be able to be updated due to their age.
Due to the length of time it can take to plan and manage this appropriately, schools should ensure that they are planning for succession to the latest version of the operating system in plenty of time. This should be within 18 months of end of life support.
If some or all devices in school try to download and install updates during lessons, the bandwidth available for teaching and learning will be significantly reduced leading to poor experiences and potential loss of work.
Different types of device have their own operating systems which will require their own considerations and methods of dealing with system and software updates.
You should ensure that your Education Technology Support Partner has appropriate plans in place to manage them all.
Windows 10, includes a feature called “Device Optimisation”. This allows devices to download updates from local devices as well as from the internet. This can result in lots of simultaneous downloads from the internet, or from your school IT network, which can consume all available bandwidth if not configured correctly.
Settings for Device Optimisation should be managed in line with the Standards outlined previously. Schools should ensure that all new Windows 10 devices have been built to their required specifications before they are deployed onto the school IT network.
Correctly configured Delivery Optimisation settings in Windows 10 can support the reduction of internet bandwidth consumption by sharing the distribution of updates among multiple devices in your school or set to bypass where WSUS (Windows Server Update Services) are used as the update deployment technology.
iPads should be procured with DEP enabled, your local authority should be able to advise on how to ensure DEP.
Solutions with iOS deployments should include caching provision for larger implementations.
iOS (Apple) devices should be on the most relevant and most up to date version of the operating system to ensure that it is protected and secure (see Standard F2).
Like Windows devices (see Standard F3), downloading and updating iOS devices can consume network resources, resulting in both the devices and the network becoming slow and unresponsive. This is especially so if the devices are all downloading the updates individually. For schools using large quantities of iOS devices, MDMs set up with a caching service can help.
A caching service downloads and saves the updates to a single source locally either via a Cache server, or a device acting as a server, and provides those updates faster through local network traffic to the school iOS devices. Apple Caching is available on OSX operating system only.
Using a cache will reduce demand on the internet connectivity caused by individual device updates and applications independently trying to update themselves with connections to content delivery networks (CDN’s). Protocols can also be set for when updates are retrieved to minimise impact of iOS updates on the school day.
Chrome and Android
Solutions with a mixture of Chrome and Android can be managed through the G-Suite for Education Management portal.
Administration of Chromebook is done from the cloud and management of chrome devices through G Suite automatically applies updates. There may be a significant impact on bandwidth that needs to be considered and managed in line with other MDM protocols. Please note, no caching services for Google Chrome OS and Android solutions are available as of October 2018.
The wireless network adapter is the device in a laptop that connects it to the network.
Wireless networking speeds have increased rapidly and replacing the adapter can significantly improve the connection speeds for an older machine.
To ensure that wired devices are operating as efficiently as possible and can communicate with wireless devices around school (as well as utilising the wireless network when appropriate), they should have wireless cards of sufficient capacity installed.
New devices should have a minimum of 802.11ac Wi-Fi wireless networking; IEEE 802.11a/b/g/n compatible.
Schools should also be mindful of the wireless specifications outlined in Standard E for the performance of wireless infrastructure.
Devices with Bluetooth should also have dual mode Bluetooth 4.2 which allows connections to the newest low energy Bluetooth products as well as assistive technologies, headsets, keyboard, mice etc.
Please note: Bluetooth does not connect to the local area network but provides short radio connection to peripheral devices.
Encryption ensures that the data held on a device can only be accessed by those people who are authorised to see it.
All mobile devices should support encryption of data. All teacher devices, or any device which is likely to leave school premises, or contain sensitive information must be encrypted.
Where data needs to be stored on a portable device such as a USB stick, this device should be encrypted to protect the data held on it.
All data should be collected, handled and stored in compliance with the General Data Protection Regulations (GDPR).
Device management should protect school data by ensuring malware, ransomware, viruses and Trojans cannot attempt to export data from the device.
Limiting users and accounts that have privileged access rights on the device can help mitigate the potential for loss of data. Limiting the ability for end users to install non-approved software can also be a useful precaution.
Data Loss Prevention (DLP) should be considered and deployed at policy level to ensure that schools are confident that all user types have appropriate access to sensitive data and for sharing that data.
Additionally, all mobile devices should support encryption of data. All teacher devices or any device which is likely to leave school, or contain sensitive information, must be encrypted. The device management solution should be able to track which devices are encrypted or not.
All data should be collected, handled and stored in compliance with the General Data Protection Regulations (GDPR).
Root kits and software installed on mobile devices to ‘jail break’ them are specifically designed to bypass security systems.
Jail broken devices are therefore not appropriate for use on school IT networks due to the inherent security risks.
Root kits and software installed on mobile devices to ‘jail break’ them are specifically designed to bypass security systems and should be judged as potential security risks for networks as they may leave them susceptible to viruses.
A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. Today rootkits are generally associated with malware – such as Trojans, worms, viruses – that conceal their existence and actions from users and other system processes.
Jailbreaking, in a mobile device context, is the removal of manufacturer or carrier restrictions from a device such as a tablet or mobile phone. It is often used to pass on mobile devices once a contract ends and can often be used to provide mobile phones to teenagers.
However, jailbreaking increases the risk of malware infection or hacking. A jailbroken device can be easily victimised by a Trojan, or accessed remotely by an intruder. Any security measures provided by manufacturers and installed third-party applications may be rendered inoperable or untrustworthy.
A Trojan is a malicious computer program which fools users about its true intentions and can be used to attack the system.