
iPad and Android - Is the personal nature (lack of multiple users) of these devices an insurmountable problem in a multi-user, centrally managed, device sharing environment?

I am the director of technology at a school. We are looking into possibly using iPads or Android tablets, but in a cart where they would be shared and accessed by multiple users, not a 1-to-1 deployment. I have been playing with an iPad 2 for a couple of weeks – after having it for a couple of hours, I could see how I could really enjoy it as a personal device and I could also imagine all kinds of ways to utilize it for student learning and/or staff productivity. My experience since has been somewhat frustrating, not to knock the iPad – I think if you purposefully try to concentrate on the limitations of any device or platform you will find many, but doing what I do and being who I am, I have spent several hours seeing what I can make it do and more importantly what I can’t get it to do. That said, there is one limitation I keep coming back to – multiple users (a limitation of Android tablets as well). Some apps have addressed this, SWITCH for example, but they are application specific and I think (but don’t know all the details) that with something like Jamf management* (not free) you can secure the devices and use profile-like settings to limit what the device can do, like disabling the camera, etc. – but that looks like it is more related to where the device is used and not who is using it.
 
- Is the personal nature of these devices a problem in a multi-user device sharing environment?  Please share if you know of good solutions or procedures to make this work ‘as best as possible’?  Also, please share if you have examples where not having multiple-user accounts has caused problems for using or managing the devices?  - thanks.

Note: any solution that requires 'jail-breaking' is not one I would consider - not looking for legal or moral arguments, etc. - but when looking at deploying several of these in a school, 'jail-breaking' is not an option I would consider.

*Jamf mentions helping in environments where the devices are shared – even specifically in schools where they are stored in carts – but I don’t really see anything (and I spent a good bit of time on their site reading documents and watching videos) that allows for multiple user devices or directory authentication, etc. http://www.jamfsoftware.com/solutions/mobile-device-management/
Asked: 4mrhodes

Hutch_77 Commented:
The question I have is what are you trying to do.  

What you could do is set up VMware View and have a bunch of virtual desktops, and then using the wireless they can log in through the iPad and have a desktop of their own. You could then lock the iPad down to your needs using the apps you have looked at.

I have never looked at it the way you specifically are, as when I worked with the iPad we were deploying to individuals who would be using virtual desktops to accomplish work that the iPad could not do. Oh, and Flash works as well.

Jason C. Levine (No one) Commented:
>> Is the personal nature of these devices a problem in a multi-user device sharing environment?

I would think it would depend mostly on the apps used on the device and the age of the users but I could definitely see this as being a problem.  Almost all of the Apps I've used for my son (caveat: he's 4) have autosaved his progress and unlocked stuff and don't offer an easy method to reset or require multiple taps on a menu system to set up a new user.  Neither option really appeals.  

From a step back, I don't see a major problem with the devices being used as media players/textbook replacements as those uses are not THAT personal.   It's when you ask the students to produce something on the device and then turn it in for grading that you will really hit a wall (possibly with your head).

As an aside, have you read Fraser Speirs' most excellent blog on how he set up iPads for all students at a small school in Scotland? Very much worth reading: http://speirs.org/index/ (start from the iPad Project Day 1).

4mrhodes (Author) Commented:
@Hutch_77 I use the iPad I have personally and RDP or VNC into my servers (Windows and Macs) as well as desktops, etc., and yes - once I have a remote connection set up I get all the functionality I need, etc. - but that seems like a strange thing to force upon all users of the iPad, it makes for an expensive terminal server, and I think something like the Acer W500 would be a much better product if I just wanted Windows tablets.

The iPad (and Honeycomb devices) is a slick device with the OS and apps built from the ground up for touch operation - Windows 7 or any other client OS just can't compare as a touch-operated OS because they weren't specifically designed for touch-only use - so using the iPad as strictly a remote desktop just seems a waste.

I am looking for a way to centrally manage them and have user profiles and user based security without having to give up the iOS.

 
4mrhodes (Author) Commented:
To add to my reply, Mac is coming out with Windows OS 10.7 (Lion) this summer. From what I have read it is their biggest overhaul of OS X since going Intel and is built off of the iOS platform. I expect (or hope) they will have iPads running LION as an option for the education and enterprise users that need central management and user profiles and granular security, etc. But that is just wishful thinking, and not a solution I can count on as I plan my purchasing this summer for next school year.

4mrhodes (Author) Commented:
@jason1178 >From a step back, I don't see a major problem with the devices being used as media players/textbook replacements as those uses are not THAT personal.

I am not sure if you have to manage users, and probably not teachers and students, but policies and procedures that are not systematically enforced don't really work in a school environment. I know I can lock down a lot of things - but I worry about a teacher telling it to remember her credentials when she decides to do some online banking (though I should be able to turn this off in the browser), or sets up her Mail account, which is not one of the apps that Apple allows you to restrict in parent control or uninstall from the device (I can turn off Safari but not Mail - please explain that reasoning) - so if any user decides to set up a mail account, any one who uses it after that will be able to read their mail. That is a big risk in a school.

One 'sorta' solution is that with the Jamf management software I can re-image all the iPads that get put back in the cart each night, but that doesn't solve the short-term security risk during the day - and this is just one example.

4mrhodes (Author) Commented:
@jason1178 - thanks for the article link, just skimmed day 1 but can tell there is a lot (a lot) of good information there. His first sentence states that they are doing a 1:1 deployment, which is to me the best solution to my post (but currently not a financially realistic one for me) - and also something I think will become more and more the standard mode of operation in schools (that is 1:1, not necessarily iPads).

But the article is a great catch - thanks!

Jason C. Levine (No one) Commented:
Yes.  You should dedicate an evening to reading through the posts, not only to see how he solved technical challenges but also his thoughts on sharing devices:

http://speirs.org/blog/2011/1/21/how-the-ipad-wants-to-be-used.html

Which I happen to agree with.  His thoughts on the Android are not as clearly defined or well-supported.

>> I am not sure if you have to manage users, and probably not teachers and students,
>> but policies and procedures that are not systematically enforced don't really work in a
>> school environment.

I don't have that pleasure, no.

>> so if any user decides to set up a mail account, any one who uses it after that will be
>> able to read their mail.  That is a big risk in a school.

It may be that Android is a better choice as you do get more control over the config at the cost of overall ease of use.  But this underscores the problem of only going halfway with the rollout more than anything else :)

From where I sit, the issues with using the devices in a lab-like situation and sharing them are murkier.  I think the devices encourage collaboration between students and staff and that collab can happen almost as well in a 1:2 ratio as it does in a 1:1 ratio.

Jason C. Levine (No one) Commented:
By the way, thanks for the fascinating couple of questions.  These have been a lot of fun to answer.

RobMobility Commented:
Hi,

Perhaps one of the reasons that Apple and the vendors of other tablets haven't enabled multiple user account support on their devices is one of profits - i.e. the lack encourages the procurement of more devices?

Currently, only Windows Tablets will support the multiple user account functionality you require OOB unless some form of 3rd party tool is used and as you have stated, even those have limitations.

You may find that some form of Kiosk software (http://ecrisper.com/ipad.htm) might help in locking down the devices so that there is less opportunity to 'fiddle'?

Regards,


RobMobility.

4mrhodes (Author) Commented:
@RobMobility
>Perhaps one of the reasons that Apple and the vendors of other tablets haven't enabled multiple user account support on their devices is one of profits - i.e. the lack encourages the procurement of more devices?

(Please feel free to correct anything I am about to say - I have a slight grasp on this and could definitely be mis-informed)
I have heard this argument, and though I completely accept that Apple, Microsoft, Google are companies that want my money - I don't think they made this decision for that reason. Both iOS and Android were originally designed for phones and small personal devices; no one thought twice about not having user accounts on their phone. Both phone OSs are written off Linux kernels and have two built-in accounts, a root account and single user account (jailbreaking or rooting a device is gaining access to the root account) - if it was just the OS they could easily add the multiple user functionality - Linux has that already - but the SDK for the 1000s of apps out there is not looking for multiple users - also the overall OS and program relationship is much different on these devices than on a client OS - on a client OS there are program files, registry entries, system files, and a separate central user profile with application settings, etc. all working together to make the program work - very few programs these days run 'flat'. But on the phone OS the files are flat (single container) and other than needing permissions granted to access other programs they run self-contained (Android asks the user to allow access on the app's install - iOS does not ask the user to give permissions to access other functions on the install - I think the acceptance is automatic and that is one of the arguments why Apple tightly controls their app store*). For multiple users to work there would either need to be a centrally kept user profile that the apps knew to talk to or each app's individual file framework would have to include user profiles (some apps do this but it is a user profile for that particular app - not a system wide user) that have folders or files for each user, i.e. when you add a user to the system, every app would get written to - not an impossible or even daunting task for a computer to process but I can understand why they didn't bother to build that framework on a phone. So I don't think it necessarily is them trying to force us to not share and buy one for every user in the family.


Also - notice how fast an iPad 'boots' - if it had to authenticate itself and then authenticate users etc. - that would take some time and require part of the OS or at least some file structure the OS uses to be writeable beyond the basic settings area it comes with now (from what I understand the OS is hard coded on a ROM chip - another reason why it boots quickly - also why a 16GB iPad will have more available storage than other 16GB tablets that have to include the OS in that 16GB).

I would like Apple to allow the install of an app (one that is available if you jail-break - which to me means this is something Apple could easily do just by 'allowing' it) that allows you to assign codes to any app you like on the system so you are prompted for a code when you try to open an app - that would be a nice middle ground for using the personal iPad device with multiple users until the multiple user iPad, the LION tablet, comes out (just speculation on my part).

*Just for the record - I work and manage multiple platforms - I like them all (Windows, Mac, Linux, Google) - they all have things about them, decisions made, that can be argued as good or bad - but often, almost always, the good or bad of those decisions really depends on who the end user is - so I don't get some of the heated, blindly brand loyal, debates out there that smash one against the other. I don't agree with every little decision each of these giants make, for example, I think the iOS should include MAIL as one of the choices in the restriction settings, but I can give examples like that on any of the systems - and in general can make arguments for, based on the user, any one of the systems. Apple tends to give the end user as well as the developers less freedom - this is a very wise model for some users and not so much for others. .... I'll stop there, I could go on for a while on this tangent.

4mrhodes (Author) Commented:
@RobMobility - Thanks for the link and kiosk idea - not at all a solution for the 'lab/cart deployment' I am looking into - but definitely helpful and on topic regarding other possible shared scenarios. FYI - the ecrisper is a controlled browsing app (something I could see useful in a school setting, especially lower grades) - the 'locking down' of the iPad for kiosk use that they suggest is not a software solution - it is done with hardware that covers the home button so the user cannot leave the 'ecrisper' app. I wish their site had a search function for locating where some of these are being used; if there was one near me I would go check it out.

RobMobility Commented:
I believe there may be solutions available where you can whitelist applications and disable other functionality so you only permit what you want to be executed?

4mrhodes (Author) Commented:
>I believe there may be solutions available where you can whitelist applications and disable other functionality so you only permit what you want to be executed?

If you know the name of one that would be great - I haven't had much luck finding such an app for a non-jailbreak iPad.

RobMobility Commented:
Hi,

This product may provide some of the features you require:

http://www.soti.net/Mobicontrol/KFiOS.aspx

Regards,


RobMobility.

4mrhodes (Author) Commented:
What I am looking for is something that will allow me to make the iPad user-aware - so that when Ms. Smith uses it with her credentials she has a different experience (access, apps, etc.) than when Susie Student uses the same iPad device. If that is not possible, and I don't think it is, I would like a way to code any app, so after locking the device down the same way for all users, Ms. Smith could still open FaceTime with her secret code but Susie Student could not - still talking about both users using the same iPad.

@RobMobility - thanks for the tip - from what I read it is a similar solution to the JAMF product. (If I understand it correctly - big if) It does help with central management - but doesn't give you the ability to change the user experience based on who the user is like a client OS does. From a central management you can build deploy apps, lock down features (though I wonder if this is tied to the restrictions settings built in, which doesn't allow locking down mail - i.e. can you lock down any feature or just certain features), remote wipe, configure settings such as Exchange settings, password strength, etc. and have these settings applied to groups or individual iPads (but not groups or individual users) - the Active Directory support it is talking about is when a user joins the Mobicontrol it will prompt them for the user credentials and apply the profiles accordingly - but that laptop is then considered 'tied' to that user, not a shared device. It is better than nothing and definitely something we are looking at even if it is just to give me the ability to turn off mail, which it may or may not do - unconfirmed (we are mostly looking at Jamf for the same features - Jamf also allows you to apply settings based on which AP it connects to, so for example if they are in our Area 51 building the camera will not work).

For the most part - I don't think Jamf or Mobicontrol really add anything to 'what' you can lock down and do - just make those things centrally managed and allow you to build profiles and apply them to groups of registered devices.

I did find a solution (just missed it when I first looked at the restrictions settings) to disabling MAIL (surprised Jason didn't already point this out - I have a feeling it is not new information for him - maybe it is mentioned somewhere in the Speirs blog) - in Settings-Restrictions, MAIL is not one of the APPS you can restrict (true) - however you can restrict the ability to make account changes, which would give you the same results if no accounts are set up (haven't tested this yet - just came across it).

4mrhodes (Author) Commented:
Update - I guess I made some quick assumptions. Under restrictions you can turn off the ability to allow changes to accounts - which does grey out the account settings in Mail, Contacts, Calendars under settings - however, when you launch Mail with no accounts set up it prompts you to set one up and allows it even when restricted - seems like something Apple should 'fix' - I don't think that is the intended behavior.

Maybe I'll start a new post on just the question of disabling MAIL.

Jason C. Levine (No one) Commented:
>> Maybe I'll start a new post on just the question of disabling MAIL.

I don't think you're going to get too far with that one unless you are willing to consider jailbreaking.  This all goes back to Apple wanting to control the user experience and the more you deviate from what Apple intended, the harder you will find things to do.  Disabling core applications completely is very, very hard to do on the iPad unless you jailbreak.  I knew about the way to sorta do it as well as the fact that it really doesn't do it :)

>> doesn't give you the ability to change the user experience based on who the user is like a client OS does

This is very intentional by Apple -- they want the iDevices to be completely personal.  You are going to have a hard, if not impossible, time creating a fully functional workaround.  I long ago learned to not slam my head into brick walls so either I give in and budget accordingly (fortunately possible for me to do) or I look to a less controlling technology.

>> i think the acceptance is automatic and that is one of the arguments why Apple tightly controls their app store

Yes.  Jobs has stated on the record that the thing he fears most for the iOS platform is the iOS equivalent of a BSOD.  The app store is tightly controlled and apps are tested to determine not if the app will crash but if it will crash and take the device with it.  