The Problem With Device Management In Schools and How To Solve It
By Denis O’Shea, founder, Mobile Mentor.
If you had asked me a couple of years ago about what common challenges schools face from an IT perspective, I would have said a lack of device inventory and restrictive budgets. This isn’t the case anymore. The pandemic brought swift and necessary change to the way schools approach technology. When in-person learning became impossible, school administrators were forced to invest in technology to pivot to remote learning.
When COVID-19 hit, schools started supplying their students and educators with devices that made remote learning possible. They bought tablets and laptops in staggering numbers and shipped truckloads of devices to schools to provision and distribute. This generated a new set of challenges related to the management and security of devices.
IT teams at schools struggled to effectively manage the flood of new devices due to lack of time, lack of resources, or both. The result was that best practices were missed as the school environment was extended to the homes of millions of students and faculty. At the same time, cyber threats exploded and schools started to get hacked in record numbers. To date, our educational institutions remain one of the largest targets that exist for cybercriminals.
Now that hybrid and remote learning has become the new norm, schools must address the issues that came along with the procurement of large fleets of devices. They can begin by taking a critical look at their inventory management practices, identity infrastructure, and security of the devices.
As mentioned above, schools nationwide have recently found themselves with a newly acquired budget large enough to buy massive fleets of devices. However, I’ve discovered through a series of conversations with several IT administrators in Education that this new inventory was not managed properly from the get-go. In fact, in many cases, it is a downright mess.
An IT director at one school told me that his team simply hasn’t had the time or resources to unpack and image their new devices. So, they are sitting in their original packaging in a storage room in the school’s basement. Another director told me that her team had imaged their new devices, but they never made it into the hands of the students or faculty. The image was out of date before the devices could be distributed and the effort to update them was overwhelming for a small IT team. One school principal plainly confessed to me that his team doesn’t know where many of the new devices have gone. For all he knew, they’d been lost, stolen, or sold on eBay.
These problems are not isolated, and I feel a high degree of sympathy for all the schools with these and other challenges. Beyond the obvious logistics and budgetary impact are the more serious security challenges. The solution to inventory management challenges is in Modern Device Management (MDM) tools and practices.
We’ve worked with most of the device management platforms since I started Mobile Mentor in 2004. This is a technology category that is constantly in flux but right now, I’m confident in recommending Microsoft Intune as the platform to manage all your Windows, Apple and Android devices. And we are waiting for an announcement regarding Chromebooks in 2022.
Rather than using three different tools (e.g. JAMF, SCCM and Google Admin), Microsoft Intune manages the device lifecycle from one screen. It allows for devices to be provisioned and shipped directly from the manufacturer to the end-user, so schools can avoid the bottleneck of manual imaging and shipping. The OS (Windows, macOS, iPadOS) can be updated while the device is in the student’s home and learning apps can be silently deployed, updated and revoked. Perhaps most importantly, Intune has the ability to wipe and disable a device if it is lost or stolen, which mitigates some very real security concerns.
Modernizing Identity Infrastructure
Another pervasive issue IT groups in Education are encountering with new devices stems from legacy identity infrastructure. Many schools are still using on-premise Active Directory and others have challenges with 3rd party identity tools that were deployed over the last few 5-10 years. A few that come to mind are PortalGuard, RapidID and Shibboleth. These tools were deployed to enable Single Sign-On (SSO) with education applications and they served a purpose, but frankly they are now getting in the way.
In fact, in many instances, they’ve made the school environment complicated and cumbersome to manage. The truth of the matter is that legacy identity infrastructure is holding many schools back and making it harder to modernize endpoint management.
The other related challenge is account creation. I’ve seen more than a few schools get tangled up with the creation of new accounts for students in one system and new accounts for faculty in another system. Then they need to replicate those accounts in other systems, so it quickly becomes a bowl of spaghetti for the next IT director to own.
To solve this issue, IT departments at schools need to establish a single source of truth for identity for a student, teacher, or staff member. I recommend Azure Active Directory to define identity, build groups, attribute properties, and establish policies. This sets the stage to shift from a device centric model to a user-centric model as each student is likely to use multiple devices during their education journey.
An unfortunate challenge I’m seeing in many schools and colleges is poor password hygiene. It’s all too common for schools to use formula-based passwords like 4-digit pins or student birthdays. It’s understandable. Using a systematic password structure makes them easy to remember but it also makes them easy to crack.
Once a cybercriminal knows the formula for passwords, they don’t have to “break-in” to your environment, they simply log-in. Once they’re in, they start to move laterally to access and exploit sensitive data.
Schools can start to solve their poor password hygiene problem by embracing multi-factor authentication and enabling biometrics to login into devices. This reduces the need for passwords and moves the school one step closer to going password-less.
The IT Staffing Shortage
The final problem that is pervasive when it comes to device management in schools is the simple lack of staff with endpoint management skills. There is an IT talent shortage everywhere, but it especially evident in education and in endpoint management.
The best way to combat the woes of a skeleton IT crew is to strategically outsource the work that can be done outside the school. Some tasks simply have to be done inside the school, but work like OS updates, app patching and modifying provisioning profiles can be done remotely by people with specialist skills.
It goes without saying that school IT admins are most effective when they have the time to devote to major projects so reducing the noise is one of the best ways schools can focus on getting their device management on the right track.
I suspect schools will continue to adopt the latest and greatest in technology for years to come. How could they not? This means, there will constantly be an influx of new devices to configure and manage. Schools should be proactive and embrace modern endpoint management now to prepare for the next wave of challenges.