What's behind the iPad hack at Los Angeles high schools?
Last week, more than 300 students across three high schools in the Los Angeles Unified School District (LAUSD) brought their school-issued iPads home and hacked into them, probably to download juicy blacklisted apps and access banned websites.
Well, “hacked” might be a strong word. Students simply removed their mobile device management (MDM) software profile-an easy enough thing to do—which also got rid of Apple’s Global Proxy that ensures traffic goes through a Web filter. It wasn’t much of a hack, rather a couple of finger taps.
The Los Angeles Times reported the story, which was picked up by other media, and LAUSD suddenly found itself in hot water. Headlines screamed: “Students find ways to thwart school iPad security” ( rtv6) and “Students gleefully teach admins that mobile device management is hard” ( Ars Technica).
Seemingly caught by surprise, LAUSD threw together an official response. Superintendent John Deasy quickly ordered a moratorium on allowing iPads to leave campus until the district could make sure that the problem was solved and that students would use the devices safely and appropriately.
What really happened at LAUSD?
In truth, we don’t know; LAUSD would not respond to questions. But our best guess is that LAUSD had come to a fork in the road in its massive iPad rollout and was forced to choose the lesser of two evils. One path required a lot of work, the other was less secure. In the background, Apple was working on a fix that would render a decision moot. LAUSD took the latter path, hoping Apple’s fix would come soon.
The gamble didn’t pay off, and LAUSD took some bad press. To be fair, the sensationalism overshot the severity. After all, 340 high school students had access to unfiltered iPads for a single evening. By removing MDM profiles, students triggered an automatic alert to the IT department, and the matter was probably resolved the next school day. No big deal.
Students teach Apple a lesson
But the entire episode is worth analyzing as a bold chapter in the fast-evolving story of iPads in the enterprise. It’s an example of what can go wrong with Apple’s on-again-off-again love affair with companies and schools trying to support thousands of iPads.
Earlier this summer, LAUSD told the Los Angeles Times that it was spending $30 million to provide 35,000 iPads to students in 47 schools. Then CIO.com sister site CITEworld broke the news that this was only the first leg of a much larger rollout. The master plan called for all 640,000 students to have an iPad by the end of next year-one of the largest deployments of its kind.
“We’re targeting kids who most likely don’t have their own computers or laptops or iPads,” Mark Hovatter, chief facilities executive for LAUSD, told CITEworld. “Their only exposure to computers now is going to be in their schools.”
School districts across the country are feeling the iPad craze, although not to the level of LAUSD. For instance, Lexington School District One (LSDO) in South Carolina started a large iPad rollout in 2011 and today is up to 17,000 iPads, including 7,000 high school students.
Apple has been feeding the frenzy, too. Last year, Apple unveiled iBooks 2 for the iPad, a storefront for multimedia high school textbooks. Apple has special programs set up for education; schools can purchase iPads in 10-packs, while companies must buy individually wrapped iPads.
Both LSDO and LAUSD wanted their students to be able to bring iPads home. The thinking goes, if you give a person a sense of iPad ownership, then great things will happen. Students could use iPads for off-hours tutoring, homework and late-night studying.
Allowing iPads outside the corporate network, however, raises the bar on security. The school districts bought MDM software that would restrict students from using, say, iMessage or downloading apps rated 17+ from the Apple App Store. The school districts also wanted content filtering in the form of Apple Global HTTP Proxy, which blocks Facebook, Twitter, YouTube (except for educational content) and other sites.
LSDO chose MobileIron as its MDM vendor and LAUSD chose Airwatch. The problem with MDM is that it’s made for a company’s BYOD crowd. MDM was designed for employees to easily opt in and opt out. When an employee opts out and essentially un-enrolls from the BYOD program, an alert is sent to IT. The employee simply loses access to corporate assets.
In order to prevent students from opting out of MDM, LSDO most likely relied on written policies. That is, students and parents probably signed an agreement that they would not opt out of their MDM profiles. For employees in a corporate setting, there are repercussions for violating such an agreement, ranging from a bad mark on a performance review to termination.
Repercussions for high school students? Not so much. LAUSD’s policy-driven approach was akin to hanging a “Do Not Enter” sign on a gym door; kids will still sneak in to play basketball. In other words, LAUSD should not have been surprised when hundreds of students opted out of MDM.