College and university networks present opportunities to manage devices remotely, often automatically. Automating device management via the network saves students, faculty, and staff time and allows institutions to direct resources and efforts to the core business of higher education: learning.
Mobile Device Management Software
IT administrators at The Ohio State University are looking to manage applications and data and ensure malware protection for mobile devices used across campus, while requiring passwords to access the network, shares Julie Talbot-Hubbard, chief information security officer. They’ve got their eye on mobile device management (MDM) software from Good Technology, MobileIron, and McAfee. MDM software manages and troubleshoots mobile devices remotely, pushing out applications, data, patches, and settings. With the software, Ohio State will maintain central control of group policies for security while each college within the university continues to control its desktops and system settings, plus the ability to push out apps to the devices to meet educational goals. MDM should give the university more visibility into the environment and the ability to provide more services, explains CIO Kathy Starkoff.
At York College of Pennsylvania, Casper, a product from JAMF Software, is being used for MDM. The two-part solution offers OS X (Mac) solution management plus iOS (iPhone, iPad) management, says Robert Robinson, director of IT. It allows the institution to enforce security policies, push out applications, and tailor Apple devices to work in the college environment. “Apple mobile devices are not geared out of the box for enterprise environments and computer labs,” he explains. “Casper allows us to install profiles on devices that make them safe for use in a shared lab environment.”
For example, Robinson can remove the App Store from lab-based iOS devices. “We don’t want students installing their own apps on shared lab devices,” he notes. The tool also prevents lab devices from storing user credentials and enforces password requirements and specific fine-grain settings that keep the devices secure and suited to the college’s educational tasks. “Casper uses Apple’s push notification service to push out profiles to the devices with all the settings and restrictions preset,” adds Robinson.
Roanoke College (Va.) uses Apple Mobile Device Manager and Dell’s KBOX to manage institution-owned Apple devices and Dell laptops. “Apple Mobile Device Manager manages the iPads we issue. It pushes out apps that we volume purchase and sets up policies and settings for wireless devices for faculty members,” says Michael Kluge, desktop support specialist. Policies control what each device and user can access on the network and what they can do with that access. The Apple Configurator is used to set up passwords for the devices for email and wireless and to register the devices so the school can match each device to its user, Kluge says. KBOX enables Roanoke to install apps and to inventory and log usage of Dell and HP laptops, as well as Dell, HP, and Mac desktops.
NAC and Endpoint Security
Using Network Access Control (NAC) or endpoint security software, institutional leaders can ensure devices meet security requirements before they log on to and potentially infect the network, its hardware, and other devices attached to it. NAC software scans device operating systems, applications, and security software to ensure they are up-to-date and that the security software has recently run so that the device is clean.
Mount Wachusett Community College (Mass.) selected an Enterasys network with two NAC controllers, one for wired and one for wireless access, shares Susan McHugh, executive director for information technology services. Students can now stay on campus and congregate in certain areas, taking advantage of the wireless network. NAC makes it possible to offer a wireless network regardless of BYOD (bring your own device) issues because it results in a clean network environment everyone can safely use. “As a result, it feels like the school is active all the time,” says McHugh.
New York Law School uses a ForeScout CounterACT NAC appliance to gain visibility into the network and provide mobile security, endpoint compliance (keeping devices clean and up to date), and protection against network security threats, according to Peter Trimarchi, technical director of the institution. Students walk in the first week and don’t even know they have a virus, he notes. ForeScout looks at the device and sends an email alert as soon as it discovers an issue, so IT staff can fix it. The appliance also resolves large virus outbreaks for the school. It can find the port the virus is using and block that port across the entire network, he shares. When a machine tries to use that port, support staff can identify the device and clean it without having to leave their computers.
At Roanoke, which requires that devices sync with Microsoft Exchange Server, IT can wipe lost, stolen, or infected devices remotely, says Terri Austin, director of client services. Students wipe their own BYOD gadgets through a web page.
As a look at all the BYOD-related session titles of any higher ed technology event demonstrates, personal devices present a multitude of management and security issues to address. At Ohio State, MDM will allow the university to containerize personal applications so it can wipe a BYOD with user permission, in the event of a virus infection or other security or support issue. “We will have control of what we wipe. We will be able to NOT wipe the end users’ original documents/store,” explains Talbot-Hubbard.
York College uses Bradford Networks’ Campus Manager to monitor student devices. It recognizes if they’re registered as soon as the browser is opened, says Robinson. Unregistered devices get put on a separate VLAN, where they have access only for registration.
During this process, the student downloads a software agent that monitors the device to ensure the operating system is updated to the current level and the anti-virus definitions, which recognize new viruses, are also up to date, Robinson explains.
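The admission flow Robinson describes, sketched as an added example (not code from Bradford Networks’ Campus Manager or from York College). The VLAN names, the seven-day definition age limit, the remediation VLAN for registered but non-compliant devices, the report fields, and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# VLAN names and the age limit are assumptions for illustration.
REGISTRATION_VLAN, REMEDIATION_VLAN, CAMPUS_VLAN = "registration", "remediation", "campus"
MAX_DEFINITION_AGE = timedelta(days=7)

@dataclass(frozen=True)
class AgentReport:
    """What the downloaded agent reports about a device (hypothetical shape)."""
    mac: str
    os_name: str
    os_build: tuple                      # e.g. (10, 8, 2)
    av_definitions: Optional[date]       # None: no anti-virus found

def admit(mac, registered, report, minimum_builds, today):
    """Return (vlan, reasons). Anything that cannot be verified fails closed."""
    mac = mac.lower()
    if mac not in registered:
        # Unregistered devices only ever reach the registration VLAN.
        return REGISTRATION_VLAN, ["device not registered"]
    if report is None or report.mac.lower() != mac:
        return REMEDIATION_VLAN, ["no agent report for this device"]
    reasons = []
    required = minimum_builds.get(report.os_name)
    if required is None:
        reasons.append("operating system not on the supported list")
    elif report.os_build < required:
        reasons.append("operating system below required build")
    if report.av_definitions is None:
        reasons.append("no anti-virus definitions reported")
    elif today - report.av_definitions > MAX_DEFINITION_AGE:
        reasons.append("anti-virus definitions out of date")
    return (REMEDIATION_VLAN if reasons else CAMPUS_VLAN), reasons

# Constructed sample data, not taken from any real network.
TODAY = date(2013, 3, 1)
REGISTERED = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}
MINIMUM_BUILDS = {"macos": (10, 8, 2), "windows": (6, 1, 7601)}
CURRENT = AgentReport("00:11:22:33:44:55", "macos", (10, 8, 2), date(2013, 2, 27))
STALE = AgentReport("66:77:88:99:AA:BB", "windows", (6, 1, 7600), date(2013, 1, 5))

if __name__ == "__main__":
    for mac, rep in [("de:ad:be:ef:00:01", None), (CURRENT.mac, CURRENT), (STALE.mac, STALE)]:
        print(mac, *admit(mac, REGISTERED, rep, MINIMUM_BUILDS, TODAY))
```

The agent report is self-attested by the device, so a decision like this is a compliance gate and not proof that the device is clean.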
Savings and Conveniences
New York Law School realized a savings in person-hours and applications by implementing NAC. The school saw much of that by replacing many servers designed to monitor and manage the network with just one NAC appliance.
“We had all these SNMP (Simple Network Management Protocol) servers and Sys Log servers. When a trouble ticket came in, our desktop support guys would have to sort through those and if they couldn’t figure it out, they bumped it up to level two or three support,” says Trimarchi. Now, instead of examining all the SNMP data and Sys Log records, support looks at one application to find the issue.
Trimarchi was able to get rid of most of those other servers. Now he employs 1.5 full-time security employees where he had needed two. “The desktop group can deal with bigger issues like hard drives blowing up or re-imaging machines,” Trimarchi says.
At the End of the Day
Administrators need not be afraid of the network’s opacity that hides unclean devices and skulking viruses, as the above options can make managing devices across the network easier and less expensive—while affording faculty, staff, students and visitors quick, clean, and virtually issue-free access to the internet and the learning environment. Meanwhile, administrators can get a good night’s rest knowing they have saved their institutions and stakeholders time, money, and the many headaches of network intrusions.