The Los Angeles Unified School District's (LAUSD) plan to give iPads to all students and teachers is still in its early stages. Many problems are showing up, but one related to security management teaches a lesson applicable to all managed deployments: If you lock down devices too strictly, users will push back and try to bypass the restrictions.
The district allowed students to take their devices home, but restricted the sites to which students could connect. It uses AirWatch for Mobile Device Management (MDM) and, through that, forces users through the Apple Global Proxy, which allows the District to filter Internet access. But many students quickly worked around the restrictions.
Roosevelt students matter-of-factly explained their technique Tuesday outside school. The trick, they said, was to delete their personal profile information. With the profile deleted, a student was free to surf.
More to the point, by deleting the profile, the students were able to unenroll their iPad from AirWatch. It's worth pointing out that this in no way reflects badly on AirWatch, and IT received notice when students deleted their profiles. But to the extent that District IT was surprised that students did what they did, it reflects badly on IT planning. I reached out to AirWatch, but they weren't able to respond in time.
The LAUSD plan was marked by ambition and idealism. In a recent interview with National Public Radio, LAUSD Superintendent John Deasy defended the program as a way to make the best technology as available to the poorest students as the richest; eventually 640,000 iPads are to be distributed to students.
All students should have access to technology. And all students should have access to live digital curriculum. I mean, what we would want for the most privileged students, it's our obligation to make sure that students who live in circumstances of poverty have exactly that.
Unfortunately, assuming Deasy is sincere about trying to make technology as available to the poorest students as the richest, it's clear evidence of the doomed nature of the program. It is now 3 1/2 years since the release of the original iPad 1, and that device is effectively obsolete, and has been for a while. It can only run an old and insecure version of iOS, and lots of third-party software won't run on it anymore.
Is the LAUSD committed to upgrading student hardware every few years to keep it current? Because the rich kids in the schools can certainly afford to buy their own new iPads every year or two.
Back to the tech. It's inevitable that such an ambitious project would run into problems, and there are purported success stories of iPad deployments in education, such as the one in the Lexington, South Carolina School District. Lexington used MobileIron for MDM instead of AirWatch, but that's not what matters. Neither product can stop the user from removing the profile. Organizations that use Apple Configurator can lock the profile, but this feature is not available to outside MDM software. Apple will change this soon to enable MDM products to lock the profile.
But even if the profile were lockable, there would still be ways, perhaps harder ones, for students to get around the restrictions, and they'll do it even if they know the District will find out. When that happens, the District has to be ready to follow through on its discipline policies or it loses all credibility.
That's why they need to tread carefully with policies. The LAUSD appears to have tried to get maximum policies with minimum effort.
I asked Ojas Rege, VP of Strategy at MobileIron, about it. He made an apt analogy: "Giving your teen a fast car and saying 'only drive 35 miles per hour' doesn't work." If the LAUSD really wants to try to enforce its rules against inappropriate content and software, Rege sees three options:
- Secure access to school services through identity certificates so that connectivity is only available if the device is in compliance (no bad apps, etc.) when the device is on campus. So even if the device is out of compliance off campus, there are no inappropriate activities enabled on campus
- Only provide the mobile device on campus – it is no longer a take-home device (that’s what my son has at his school)
- Use some of the upcoming iOS enrollment capabilities to lock down the device capabilities on or off campus (in future)
Rege also notes that kids of different ages may be presumed to have different levels of responsibility, so they may want to have different policies for different grades or age groups.
The real problems with the LA iPad deployment are policy-related. The technology did exactly what technologists must have told the District it would do. And it's not just bad IT policy.
The vast majority of the cost will be covered by school construction bonds, a payment method that has sparked some concerns and legal and logistical hurdles.
Yes, today's iPads will likely be unusable in 2016, but they will be paying for them until 2043 with money that was meant for facilities. That's the real scandal.
Correction: An earlier version of this story at one point misstated that the LAUSD used MobileIron. They use AirWatch, and Lexington, SC uses MobileIron.