Primary School Network... to domain or not to domain?

Discussion in 'Business & Enterprise Computing' started by GetSmart, Oct 20, 2014.

  1. GetSmart

    GetSmart Member

    Joined:
    Feb 13, 2004
    Messages:
    2,704
    Location:
    Brisbane
    Imagine you are the IT guy for a primary school. What would you do:

    Scenario 1:
    You have sixty 9yr - 11yr olds that have their own laptop (purchased via the school). Would you connect them to the domain? Or would you go domainless and have them responsible for installing their own programs, setting up their own printers etc (localadmins)?

    Scenario 2:
    You have 150 odd laptops floating around the school that are shared amongst 5yr-11yr old students. Would you connect these to the domain?

    Scenario 3:
    You have 30 teacher laptops.

    Our organisation wants to go domainless but I can't see it being feasible for children so young/shared environments and teachers that aren't interested in administering their own devices.
     
  2. closed_gate

    closed_gate Member

    Joined:
    Oct 21, 2004
    Messages:
    736
    Location:
    Brisbane
Speaking from being a school tech for the past 8 years: if the machines are owned by the school, domain-join them and use something like SCCM to manage installs. Otherwise, if they own them, then give them wireless access using RADIUS and AD so that you can track and limit them.
     
  3. BAK

    BAK Member

    Joined:
    Jan 7, 2005
    Messages:
    1,167
    Location:
    MornPen, VIC
    Scenario: You have 150+ devices owned by the organisation. You need to configure wireless/shared network access etc.

    Why wouldn't you connect them to the domain?

    As a previous tech in a school, time is limited (esp. in primary schools, if it's anything like Victoria). The more stuff you can automate/batch/push out remotely, the more time you'll have to do more important things. Central administration should be the default, rather than the "should we?", imo.
     
  4. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,286
    Location:
    Adelaide
    Kids doing bad things with laptops. That alone should be 200% of the required amount of justification for joining laptops to a domain and locking them down.
     
  5. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,820
    This, so much this... As a nerd, talking to other nerds, Domain vs No Domain is a sensible question, because we both know the pros and cons of each. As a nerd talking to the business, the business doesn't give 2 shits about the underlying technology, they have outcomes that they want/need to achieve.

    What the fuck is a domain?

    None of those really fit the definition of a windows domain.

    Rather than trying to sell domain vs domainless, work out a list of what you are trying to achieve, then put up a list of possible solutions next to it. Cross off ones that don't meet the requirements, promote the ones that do. In many cases (especially if the devices are company owned, and Windows) a domain is going to be the answer.

    Now that's out of the way, we can talk using nerd language.

    Scenario One - It's their own laptop, it doesn't join the domain, it doesn't get plugged into the actual network. It can access domain-based resources via terminal services/VDI. These devices all live in their own isolated network, with strict rules about what traffic can come onto the actual network. I don't care about the device, as long as it's got an RDP/VDI client.

    Scenario Two - It's a company laptop, it gets locked down and put onto the domain - ease of management and all that.

    Scenario Three - Again, company laptop, onto the domain it goes, locked down even more, because teachers.
     
  6. mr626

    mr626 Member

    Joined:
    Jul 17, 2011
    Messages:
    2,746
    Here's what I would do:

    For students: Domain join + mandatory profiles + redirected user folders (My docs etc).
    For teachers: Domain join + roaming* profiles + redirected user folders (My docs etc).

    *I'm on the fence about this actually. Roaming profiles can be a pain at the best of times, and if the teachers are always using the same laptop you aren't really gaining much. If the laptops are always used by the same teacher I would probably just let them have a local profile on the machine.

    Edit: and as above, you shouldn't be speaking to non-technical people about concepts like domains. Just a waste of everyone's time and will probably do more harm than good
     
    Last edited: Oct 21, 2014
  7. infiltraitor

    infiltraitor Member

    Joined:
    Sep 7, 2002
    Messages:
    3,801
    Location:
    Melbourne
    Donated:
    $133.70
    That one looks like it covers this situation
     
  8. miicah

    miicah Member

    Joined:
    Jun 3, 2010
    Messages:
    6,678
    Location:
    Brisbane, QLD
    Uhh what school are you working at in Brisbane that doesn't already have a domain? Is this a private school?
     
  9. OP
    OP
    GetSmart

    GetSmart Member

    Joined:
    Feb 13, 2004
    Messages:
    2,704
    Location:
    Brisbane
    We have a domain, but we're being told to take devices off the domain.

    Google "domainless" school, filter Australia and you'll see there are a number of schools taking the same approach.
     
  10. hosh0

    hosh0 Member

    Joined:
    May 28, 2007
    Messages:
    8,969
    Location:
    Sydney N.S.W
    You are tackling this the wrong way; never go in with a technological solution/design type etc. Just get the business outcomes that need to be met and build something to those outcomes. Don't try looking at it as a technology problem you are trying to fix; look at it as a business problem and use technology to solve that problem.
     
  11. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,820
    A traditional domain won't work for BYOD/non-company-owned devices, which the whole laptop-per-person in a school is. I can see why it would be attractive.

    But the things that a domain provides (in the way of Authorization/Authentication) still need to be covered off by any alternative solutions.
     
  12. miicah

    miicah Member

    Joined:
    Jun 3, 2010
    Messages:
    6,678
    Location:
    Brisbane, QLD
    If the school owns them, they should be connected to the domain.
     
  13. sympozium

    sympozium Member

    Joined:
    Feb 25, 2005
    Messages:
    462
    Location:
    NSW
    Completely school owned: join to domain.

    Privately owned = BYOD. Which means users look after their own shit, and if teachers want to facilitate learning around technology, then the teachers need to teach the kids how not to break their shit (just like pens, pencils or calculator, whatever) and NOT plan for lessons to involve a piece of software that not everybody has. (The people providing professional learning development for technology-based pedagogy are very bad at talking about software that very few have. I have seen one talk about Mac software at a PC school and confuse the shit out of the computer-illiterate teachers.)

    If it's proper privately owned BYOD, do yourself a favour and just provide the learning platform, i.e. a Moodle, and network access + whitelisted internet. (A proxy landing page can link users to school resources such as the Moodle, ClickView web player etc., whatever you have.) The user can worry about everything else.

    By providing heavy support via domain enrolment for non-standardised "BYOD" devices in a school environment, you're just asking for headaches. There will ALWAYS be somebody screwing something up and you will be obligated to fix it.

    If you go down the domain route for BYOD devices, be prepared for backlash from any parents who question your choice to lock down a device that they own. Some parents actually want the laptop to babysit the kids with games etc.

    IF you're in the situation where the parents have bought the devices but there is a policy in place where the school retains all control of said devices, screw the domain; just create yourself an SOE that is locked down for students and a generic one for teachers, and update it every week with appropriate updates. When you're looking after 150+ devices that are handled by teachers and kids, a re-image is your best friend.

    Source: worked in govt education for too long.
     
  14. Zzapped

    Zzapped Member

    Joined:
    Jul 8, 2001
    Messages:
    12,351
    Location:
    Madora Bay
    Spent 10 years working as Network Manager in education at a few schools, and the one thing most of you have missed is that, as an Educational Institution, you are required to provide a duty of care to your students. This means NOT allowing them to watch porn or download illegal software etc., and yes, this applies to owned and BYOD devices; having a domain-based setup eliminates this if it's done properly. I've never allowed a BYOD device on any of my networks unless I can either manage it or join it, no discussions.
     
  15. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,820
    How does joining them to a domain stop porn?

    Network based filtering would achieve this for all devices, regardless of domain joined status or not.

    Can you enlighten us on how far the duty of care goes? We didn't have new-fangled computer porn when I was at school, we had old-fashioned dirty-magazines pilfered from the bottom of our parents closets. If school staff saw them, they would be removed, I would expect a similar policy would cover off the duty of care for Tablets/Phones/Laptops.

    ie. You provide basic filtering, so the porn doesn't come from your network, but you have no realistic ability to stop kids from connecting to a 3rd party wifi network and porning up, or even trading USB-Porn, domain joined devices or not.

    More and more places are moving away from the traditional 'every device must be on the domain' policies, especially with the proliferation of non-Windows tablets. The domain may still have its place as an identity provider, but much of the time you will be using federation to control access to 3rd-party systems, rather than local groups to control access to local applications. More and more MDM tool sets are including some of the device-based policies that were traditionally the realm of the domain, and for non-domain-joined Windows PCs there's always things like OneCare or LocalGPO.
     
  16. sympozium

    sympozium Member

    Joined:
    Feb 25, 2005
    Messages:
    462
    Location:
    NSW
    This.

    Not even once do I recall a student or teacher at any school successfully obtaining questionable content via the school-provided internet access. If content is placed on a student device it's via external sources like USB or Bluetooth. Are you going to block JPEGs and AVIs being opened? Good luck with that.

    A transparent proxy (like Squid) with white-listing is all you need for primary kids to be able to have a safe online experience. With authentication if you want clearer accountability and auditing abilities.

    Anyway.....I believe OP is asking re device management, not duty of care/web access. Save the headache and just use a locked-down SOE with generic logins and software if devices are school owned and/or managed, and will be in the hands of students all day.

    There are lots of little things to consider, like do you want to deal with a teacher who has had her daily lesson plan screwed up because WSUS/SCCM rolls out updates when the kids all turn on their devices, and they spend 30 mins installing updates? Or do you want to spend hours after school frequently booting machines for the purpose of updates? Or keep an SOE up to date, apply it to devices as needed as well as roll it out twice a year? Sure, WoL can be used for updates, but it's a tough scenario unless you can guarantee the devices will be stored in the correct state for WoWLAN to work.

    The thing to remember with schools and technology is that you are dealing with teachers. They are easily disparaged from incorporating technology into their lessons and for them to become frustrated and abandon new toys because they are seen as a hindrance. Keep everything as simple as possible.
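As an added illustration of the whitelisting proxy described above (not from the poster or the thread), here is a Squid configuration fragment that defaults to deny, allows only a maintained domain list, and logs the authenticated username for auditing. The network range, hostnames, realm and file paths are constructed placeholders; authentication only works in explicit-proxy mode, because intercepted (transparent) traffic cannot be challenged for proxy credentials.

```conf
# Constructed example: default-deny student web access with a domain whitelist.
# All addresses, principals and paths are placeholders for this illustration.

# Authenticate users against the school AD via Kerberos (explicit proxy only;
# transparent/intercepted traffic cannot be challenged for credentials).
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.school.example@SCHOOL.EXAMPLE
auth_param negotiate children 20
acl authenticated proxy_auth REQUIRED

# Student wireless range and the whitelist file (one domain per line;
# a leading dot such as ".abc.net.au" also matches subdomains).
acl student_net src 10.20.0.0/16
acl allowed_sites dstdomain "/etc/squid/whitelist.txt"

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Order matters: first matching http_access line wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow student_net authenticated allowed_sites
http_access deny all            # everything not explicitly allowed is blocked

# Record who requested what, so filtering decisions are auditable per user.
logformat school %tl %un %>a %rm %ru %Ss/%03>Hs
access_log /var/log/squid/access.log school

http_port 3128
```

Check the result with a request to a domain not in the list: the access log should show the username and a TCP_DENIED/403 entry rather than a passthrough.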
     
  17. Zzapped

    Zzapped Member

    Joined:
    Jul 8, 2001
    Messages:
    12,351
    Location:
    Madora Bay
    There are many ways, directed proxy, content filtering etc etc........you clearly have not been responsible for this and don't know the legal requirements.
     
  18. Zzapped

    Zzapped Member

    Joined:
    Jul 8, 2001
    Messages:
    12,351
    Location:
    Madora Bay
    In the Education System, Duty of Care overrules EVERYTHING else.......Its non negotiable
     
  19. sympozium

    sympozium Member

    Joined:
    Feb 25, 2005
    Messages:
    462
    Location:
    NSW
    Indeed, but unless you're the principal you don't have to worry about it; they are the ones who make the decision, and it's just up to you to implement what they want as they are the site manager, local schools local decisions, all that jazz (gotta love govt policies).

    I'm sure OP is aware of all the duty of care requirements if he has worked in schools before.
     
  20. Zzapped

    Zzapped Member

    Joined:
    Jul 8, 2001
    Messages:
    12,351
    Location:
    Madora Bay
    Don't want to start derailing here but, that's wrong; it's not the principal who decides these issues, it's actually the state government, and if I had adopted that attitude towards my responsibilities then I wouldn't have had a job.
     