How to Securely Deploy the iPod Touch in a K-12 Environment
The iPod Touch could easily become the next major technology in K-12 education. There is huge growth in free or inexpensive, easy-to-install apps and books. This article focuses on the network infrastructure configuration needed to support such devices safely.
I would recommend to the school that the parents/student purchase the device. The purchase would be a requirement for incoming freshmen and would replace the traditional graphing calculator purchase, which costs about the same as an 8 GB iPod; free and inexpensive graphing calculator apps for the iPod/iPhone provide the same functionality. Students will be able to install any application from the iTunes App Store, and many others besides if they "jailbreak" the device. Even if parental controls are enabled, a simple hard wipe (restore) returns the iPod to factory defaults, so no device-level policy can be enforced. It therefore makes sense for the student to own the device, and the money invested in apps stays with the student. A small bank of school-owned loaner iPods might still be necessary; these can be signed in and out on a per-period basis to cover lost or forgotten iPods.

With Windows and Macintosh computers, policies and restrictions can be set and managed through their directory services. The iPod Touch and iPhone platforms have no such management capability, so the primary concern becomes network security. For the purpose of this article, we assume that the students are meant to use the internet from their iPod Touch and that the network infrastructure has VLAN capability. As a technician, I have found some wonderful network scanning and server management tools in the App Store. This means the students would have access to the same utilities.

The iPod Touch devices therefore need a separate wireless network of their own. Most modern professional-grade access points support multiple SSIDs, so the iPod Touch network gets its own SSID, secured with a WPA passphrase that changes yearly, if not monthly; a passphrase shared with every student will be passed around, which is why rotating it matters. Where the access points support it, client isolation on that SSID also keeps the iPods from reaching one another. This wireless network goes on its own VLAN and connects to its own firewall.
Also, since the iPod is provided by the parent, the content on a child's device is the parent's responsibility, not the school's liability, although a training class for parents on how the device is to be used and what to look for would not be out of the question. The iPod Touch network's firewall should transparently proxy all web traffic through a content filter, since any proxy setting configured on the iPod Touch itself can easily be removed by a student. Firewall policies should allow only the secure and unsecured web ports (HTTP and HTTPS) and, if student e-mail is permitted by school policy, the mail ports. I would even go as far as to allow DNS traffic only to the school's DNS servers. The WAN port of the firewall should sit on its own VLAN to the primary switch. There should also be a policy that allows connections to the firewall's management interface only from certain IP addresses: the static IP addresses of administrator machines, or static DHCP mappings for those machines. With this configuration the students get filtered web traffic and cannot scan or attack any of the district servers or workstations from the iPod network; what remains reachable from the student segment is the firewall itself and the other iPods, so the management restriction above and patching of the firewall and filter are what keep that segment contained.
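The following is an added example, not part of the original article, that turns the design above (separate student VLAN, DNS only to the school's resolvers, no path to district servers or workstations, web forced through a transparent content filter, management only from administrator machines, optional mail) into a small policy evaluator and the nftables ruleset it corresponds to. All addresses, the interface name `vlan50`, the management ports and the proxy port 3128 are assumptions chosen for illustration; the sample flows are constructed.

```python
"""Added example: the iPod Touch VLAN firewall policy as a flow evaluator plus
the nftables ruleset it corresponds to. Addresses, interface name, management
ports and proxy port below are assumptions, not values from the article."""
import ipaddress
from dataclasses import dataclass

# --- assumed addressing (not from the article) ---
STUDENT_VLAN = ipaddress.ip_network("192.168.50.0/24")   # iPod Touch SSID / VLAN
DISTRICT_LAN = ipaddress.ip_network("10.0.0.0/8")        # district servers and workstations
SCHOOL_DNS   = {ipaddress.ip_address(a) for a in ("10.0.0.10", "10.0.0.11")}
ADMIN_HOSTS  = {ipaddress.ip_address(a) for a in ("10.0.1.5", "10.0.1.6")}   # static admin IPs
FIREWALL     = {ipaddress.ip_address(a) for a in ("192.168.50.1", "10.0.2.1")}  # LAN side / WAN VLAN side
MGMT_PORTS   = {22, 443}                          # firewall management (assumed)
WEB_PORTS    = {80, 443}                          # unsecured and secure web
MAIL_PORTS   = {110, 143, 993, 995, 465, 587}     # POP/IMAP retrieval and submission, plain and TLS
PROXY_PORT   = 3128                               # transparent content filter on the firewall (assumed)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def evaluate(flow: Flow, mail_allowed: bool = False) -> str:
    """Return 'allow', 'deny' or 'redirect-to-proxy' for a new connection."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    proto = flow.proto.lower()
    # Firewall management only from the administrator machines; everyone else is dropped.
    if dst in FIREWALL:
        ok = src in ADMIN_HOSTS and proto == "tcp" and flow.dport in MGMT_PORTS
        return "allow" if ok else "deny"
    if src not in STUDENT_VLAN:
        return "deny"            # this policy only describes the student segment
    # DNS only to the school's resolvers, so a student cannot point the iPod at an outside resolver.
    if flow.dport == 53 and proto in ("udp", "tcp"):
        return "allow" if dst in SCHOOL_DNS else "deny"
    # Nothing else from the student VLAN may reach district servers or workstations.
    if dst in DISTRICT_LAN:
        return "deny"
    # Web is forced through the transparent proxy; a proxy setting on the device is irrelevant.
    if proto == "tcp" and flow.dport in WEB_PORTS:
        return "redirect-to-proxy"
    if mail_allowed and proto == "tcp" and flow.dport in MAIL_PORTS:
        return "allow"
    return "deny"                # default deny: no scanners, no other services


def _set(items) -> str:
    """Render an nftables anonymous set literal, e.g. '{ 80, 443 }'."""
    return "{ " + ", ".join(str(i) for i in sorted(items)) + " }"


def render_nft(mail_allowed: bool = False, lan_if: str = "vlan50") -> str:
    """nftables ruleset implementing the same policy (interface name assumed)."""
    s = f'iifname "{lan_if}" ip saddr {STUDENT_VLAN}'
    mail = f"        {s} tcp dport {_set(MAIL_PORTS)} accept\n" if mail_allowed else ""
    return f"""table inet ipod_vlan {{
    chain prerouting {{
        type nat hook prerouting priority -100;
        # web to the outside world is redirected to the content filter, never to district hosts
        {s} ip daddr != {DISTRICT_LAN} tcp dport {_set(WEB_PORTS)} redirect to :{PROXY_PORT}
    }}
    chain input {{
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        {s} udp dport 67 accept
        {s} tcp dport {PROXY_PORT} accept
        # management only from the administrator machines
        ip saddr {_set(ADMIN_HOSTS)} tcp dport {_set(MGMT_PORTS)} accept
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        {s} ip daddr {_set(SCHOOL_DNS)} udp dport 53 accept
        {s} ip daddr {_set(SCHOOL_DNS)} tcp dport 53 accept
        {s} ip daddr {DISTRICT_LAN} drop
{mail}    }}
}}
"""


if __name__ == "__main__":
    for f in (Flow("192.168.50.20", "93.184.216.34", "tcp", 443),
              Flow("192.168.50.20", "8.8.8.8", "udp", 53),
              Flow("192.168.50.20", "10.0.0.50", "tcp", 445),
              Flow("10.0.1.5", "10.0.2.1", "tcp", 443)):
        print(f, "->", evaluate(f))
    print(render_nft())
```

The evaluator and the ruleset express the same ordering: management traffic is decided first, DNS is allowed only to the school resolvers before the blanket district-LAN drop, and web is diverted to the filter rather than forwarded, so the filter's own outbound policy (not shown) is what decides which sites the proxied requests reach. The input chain's DHCP and proxy lines are housekeeping the firewall needs to serve the segment at all.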