This post is meant as a warning to IT directors and school administrators in schools with 1-to-1 iPad implementation (especially if the students can take their iPads home).
There is some Chinese software going around call Tongbu which can allow iPad owners to bypass the built-in app store to acquire apps. Not only is this illegal and unethical, but it also opens up a huge security hole for any school trying to monitor the apps on their students’ iPads. These illegal installs do not require a jailbroken iPad and can occur on supposedly secure school iPads.
You can see a walkthrough of the process here. Now, obviously, I am not posting this in order to encourage theft. Stealing apps is illegal and incredibly insulting to the (mostly) small development teams that work so hard to create many of these apps. However, if you are going to patch up this security flaw at your school, you need to know how the flaw works.
We just did a post on iPad filtering, so refer to it for an in-depth walkthrough of different filtering options. But basically be sure to do the following steps:
Be sure your students’ iPads are being supervised by Configurator.
Be sure that Configurator and Meraki are set to NOT allow iPads to be connected to other computers.
Do a Google search for “Tongbu” and add every website on the first page of results to your internet filtering at your school (and, if possible, add “*tongbu*” as a blocked term altogether). Also, block the URL to that Youtube video I posted above.
Add these same blocked URLs and *tongbu* to your Weblock proxy attached to all the students’ iPads so this stuff is blocked outside of school as well.
And of course, enforce strict and severe disciplinary repercussions if you find any students that have still managed to work around all these security settings to install apps they shouldn’t have.
There are other services that offer this same feature. Do some research, hunt them down, and block them all!
If your school allows students to utilize their personal AppleIDs with your school-issued iPads, you might want to be aware of a new security feature in iOS 7 that will really mess with your end-of-the-year collection efforts.
Basically, when you attempt to reset an iPad to the default factory settings in iOS 7 (which you might do after collecting up all student iPads for the summer), the iPad will ask you for the AppleID and password of the previous user. If that previous user was a student using their own AppleID and not a school account or generic account, you will need their password to wipe the iPad. If you don’t have it, the iPad basically becomes a useless brick.
This was designed to prevent thieves from resetting a stolen iPad, but for schools it ends up being a huge hassle. As we began collecting the student iPads this past week, we had to modify our process to accomodate this extra step. If your students use their own ID’s, do not let them just throw their iPads in a pile and walk away! It is really hard to figure out which iPad belongs to which student because the iPad will only give you the first letter of the email address for the AppleID when trying to enter the info after a reset. If you have 300 students like we do, good luck figuring out which student with an email address that starts with “k” is the one who needs to enter their info to complete the reset.
To avoid this problem, make the student stand with a teacher and walk through the whole reset process. We have created a visual PDF guide for your teachers that your can access HERE. During the reset, you will need access to the iPad’s lock screen passcode (if there is one), the parent’s or school’s restrictions passcode (if there is one), and the student’s AppleID and password (if it asks for them). Once all the steps in the guide have been followed and you are back to the default home screen, the student’s info is no longer needed.
One last tip: make sure you read which passcode/password it is asking for. There is nothing more frustrating than typing in the school’s restriction code when it actually wants to lock screen code and then getting locked out of the reset process for 60 minutes. If nobody remembers the restriction code (and parents often forget if they set it up 9 months ago), you will need to reset it by manually connecting the iPad to a computer. But you will still need the kid’s ID and password via this method.
When our school began its 1-to-1 iPad program for our fifth through eighth grade students, we were faced with the same decision every school faces: just how much do we lock down these devices? We had already written up a solid acceptable use policy (that all students and parents had to sign), we had robust internet filtering at the school, we could monitor the iPads via Meraki, we had turned on age restrictions for all features, and we had collected the appropriate insurance money for repairs. But we still had to decide: what do we lock down on the device itself? Facetime? iMessage? The App Store?
Due to the recent iOS 7 update, now would be a good time to take another look at the native restriction settings available on every iPad. These restrictions can be used in conjunction with Meraki, but Meraki's settings take precedence. At our school, we try to inform parents about the options they have in restricting their children's iPads. We encourage them to utilize these native settings to increase the control over the iPads beyond the school's default settings.
Wether you have a youngster who can't help hitting the Home button or just a child with a little ADD, this little tip can help you keep em on task. This can be done on a large scale via Meraki MDM but it can be a little time consuming and may be a little more than you need. For a small class to a single student this is a quick setup you can do to lock their iPad to a specific App.
Lets open up Settings – General – Accessibility. Scroll to the bottom to Guided Access.
Flip on Guided Access and enter a passcode only you know.