BYOD to school – why ever not? #EDUScotICT

BYOD = Bring Your Own Device.

I was very interested to read the following article ( at written by Gemma Fraser) which bears the news that Edinburgh City will be upgrading its computer stock but also and more interestingly installing WiFi access in its schools.

Gemma says

The improved technology will also allow pupils and teachers to get internet access through their own mobile phones and laptops at school.

I had been thinking about writing concerning  the availability of WiFi in Scottish schools.  This does seem to be a matter of concern as I have seen a number of Tweets on the subject of BYOD (Bring Your Own Device) and these comments have been made by both teachers and Council IT support staff.

Pupils who introduced some of the speakers at the ICT Summit on the 17th October ( see here ) had made a parallel between schools and other public places like Costa Coffee and MacDonalds.  It seems that these young people will take advantage of free WiFi connections when drinking coffee and eating burgers allowing them to maintain their online presence.  But not so in schools where in in many cases there are rules banning the use of mobile devices and very often there is no WiFi coverage in any case.

As society is becoming ever more connected there is a is increasing pressure of opinion to support the concept of 24/7 presence even during the school day and on school premises.

It can be argued that there are some advantages in terms of benefit to a pupils education to them being always connected.  I can recall about 5 years ago visiting the Education depart of the Council featured in the article above and discussing their own vision of supporting the use of mobile devices to access Education resources.  That was early days and the availability of mobile devices was not as pervasive as is the case today – but it is good to reflect and recognize the foresight of those concerned.

Of course to have effective access to any online resource on a small form factor device may require special provision at the user interface level.  We are now very well used to having an “app for everything” which exposes the underlying functionality in the best possible manner with consideration of screen size and mode of interaction.

I am now making the bold assumption that it is both desirable and feasible to provide widespread access to wireless connectivity for school users in general.  With this set aside I will describe one approach to achieving the goal of universal wireless connectivity.

Has this been tried before?
As you might expect, this is a problem that has been recognised and overcome in other sectors of Education.  There are two extremes of approach to permitting connection to a public WiFi network as follows:

  • Allow any device to connect without applying any conditions
  • Require the user to authenticate so they can be identified and held responsible for adherence to a basic code of acceptable use.

Network administrator/owners would certainly want to have the ability to moderate or block users who abused the system.

With this basic requirement in mind the Higher Education community setup a solution for federated access to wireless networks.  The basic requirement is that a user who belonged to one University could visit another University and connect to their wireless LAN without the need to incur any additional user account administration.  This was set in place to address the prior position where a visitor needed to gain access to the visited network by registering for a visitor account.

Each user first needs to have a network access account with their home institution.  The system then allows the user to access another institutions LAN and the Internet by entering their home UID and PWD.  The process of authentication is transparent to the user as they will use the same method to authenticate regardless where they try to access the network.

The solution described (in very superficial terms ) above is called EDURoam.  A visit to the EduRoam site provides access to a complete description of how this works.

Here is my simple description of the user experience.

  • First the user signs up for an account for network access at his/her university/institutition.
  • The UID will be of the form – (this is not an email address – rather a two part UID with the @ character separating the two parts – of course for convenience it would make sense to use the users full mail address)
  • There will be a password associated with this account  – these can be integrated into the home institutions local directory for access to other applications and services there.
  • When a user enters their UID the authentication system looks at the part after the @ character and that signifies where it need to send a request to authenticate the user.
  • The user is then authenticated against their home institution and assuming their UID and PWD are a valid pair, network access is granted.

The level of network access provided will permit the user access to the internet only (subject to the visited institutions access policy) – the user can then freely access the web and or setup a VPN to access protected services at their home institution.  Which is I think is precisely what user would expect.

The following video provides an excellent over view of the advantages of the EduRoam service

To read more about EduRoam vis the website at

Why not implement a system following this approach for controlling access to wireless LANs in Scottish Schools?

Why not indeed?  In order to achieve a joined up solution for network access like this it will be necessary for any LA that wants to participate to firstly provide a wireless access capability and then to implement a federated access control system.  EduRoam is prime candidate for providing the federated access control needed to achieve this goal.

Alternatively, Scottish LAs could pursue localized and inconsistent approach – in favor of a more “joined up” and coordinated approach.

I would like to see Scotland adopting a scalable and consistent solution to this issue, that in my view, would offer most benefit to its end users!

6 and 3 year anniversary this month!

It is now 6 and 3 years respectfully since my Dad and Mam passed away.  It’s always sad to think that they are no longer with us.  Life is full of twists and turns but death does seem to be the ultimate parting.  But memories are always good to have and I like to dwell on the happy ones of which there are many 😉

I have been working through the process of digitizing my Mams slide collection.  She was an avid photo taker!!!!  I have surpassed the 3000 mark!!!  It is nice to make all these photos which cover a generation made much more accessible to our family and friends.

She was very keen to take photos of flowers and skies – sunsets in particular.  This one certain conveys a sense of warmth and peace – things that she strived for!

Below are two of photos of them both at difference stages of life – not taken by my Mam but with here camera.  Happy memories 😉


In the above photo they look about as young as I can remember them and the one below sometime later in life 😉




Happy Memories 😉

Single Sign-On – taking it to the desktop – or not? #EDUScotICT

A core service of the Glow Learning Platform is the Single Sign On (SSO) service.  Arguably, this is the absolute core of Glow and one of the services which in concept should always be preserved irrespective of the other services which constitute the complete platform.  When Glow was originally conceived this was taken by some to mean that once a pupil or teacher signed into the network, that they would not need to offer any further authorization credentials.  Sadly, it was not possible to achieve this level of SSO because every local authority at the time operated its own network access control system.   So the current position is that any school-based user must pass through two authentication gates before they can access the Glow Service.  This requires that every user needs to maintain two user names (UID) and password (PWD) combinations.

Time has passed and I wonder if the value of a true single sign -on solution is now generally appreciated where users can achieve access to all the resources both at a local and national level without the need to authenticate twice.  Seems to me that this could be set down as a requirement and revisited in the context of the next iteration of Glow.

I don’t intend to offer a technical solution here but I am prepared to raise a few issues need to be considered whilst working towards a true SSO solution for Glow users.

Who owns the User Identity?
As previously stated each user in the current setup will have at least two UIDs to access the school network and Glow.  Glow through its membership of the UK Access Management Federation (UKMAF) also extends SSO to a number of federated content providers including SCRAN and Scholar.

The users local network UID and PWD provide access to both the Local Area Network and the services which are associated with it.  These services could include file storage, printer services and applications which are stored locally.  Where the LA provides onward access to the internet this will be another service which is accessible through the network login.  As discussed in my previous article access to the internet may well be filtered according to the school or LA policy.

Once connected to the internet the user can then access any service which the filter permits – which will include Glow – this is based on a second UID and PWD of course.

The two UID/PWD combinations will in the worst case be completely separate.  In some cases a LA may have decided to follow advice given early in the Glow project to use the same UID for Glow as for the local network.  Further more users could manually synchronize both passwords making it easier for end users to gain access although they will still have to pass thought the UID/PWD gate for both the local network and Glow.

In the above scenario there are two identities and two identity owners which are the school (LA) and Glow.  As already stated, Glow is the identity owner for Federated access to third party content which prevents users needing to remember other UID/PWD combinations for third party federated services.

Could this be further simplified?
In short the answer is yes, and this can be achieved in a number of different ways.

One approach is to make even more use of the UKAMF by making Glow a Federated service and having each Local Authority become an Identity Provider (IdP) in the context of the Federation.  This would ultimately put some additional responsibility on the LA as they would need to maintain their Authorization service on a 24/7 basis and setup and maintain the Shibboleth IdP service.

Each time a user tries to access a UKAMF federated service, be it Glow, SCRAN or any other, the process of authentication will involve some interaction with the users home local authorities IdP service.  This of course applies when the user is either accessing via the school network or from some other location.

Because of that way that the Shibboleth system operates there is one further stage needed when the user is away from home – ie accessing from a location out with their LA network.

The Where Are You From service (WAYF)

The WAYF service is needed when a user is accessing a federated service when they are not connected to their LA network.  For this illustration we consider the LA network to be the primary network for our users and this is where the user UID/PWD are maintained.  Consequently, a user trying to access a federated service from their domestic/home network or from any other network, roaming public WiFi access points etc, will need to use the WAYF service to ascertain the organization which maintains their IdP service.

In reality this will be fairly straightforward as the user will be given a choice from the list of LAs participating in the scheme.

Users with a National ID?

The effect of this approach is that the school user could through the use of on UID/PWD combination have access to the School internal resources and also have access to third part resources which are federated using the UKAMF.

What if Glow was the IdP for local authority network access?

In this scenario all LAs would have to agree to using the national authentication service for permitting access to the local network.  Once a user has authenticated to Glow the user will be permitted access to the local network.  In this case each user connecting to the LA network would be presented with a prompt for UID/PWD which would be their Glow credentials.

So what are the issues?

As I stated at the start of this post it is not my intention to offer a solution to country wide SSO.

  • Trust is always an issue when dealing with controlling access to resources.
  • An organisation will generally trust its own authentication system – but may be reluctant to trust a third party system.
  • If LA is IdP – this is responsibility to provide 24/7 service which might not be desirable or possible – are LAs setup to provide 24/7 supported services?.
  • Having true SSO to the desktop is definitely desirable (my view!)
  • Is there a case for making a admission control to the network or applications a shared service so same approach it taken throughout UK
  • What are the educational benefits of making access easier for all users – certainly will take one barrier away – what value do we put on easier access?.
  • Once established – why not use the authorization service for other proposes/applications – no suggestions here but many mush exist!
  • What are the implications for FE and HE if they were also to make use of the Glow service package?




Content Filtering – who’s in control? – a potted history. #EDUScotICT

I have noted a number of references to Internet Content filtering in the EDUScotICT discussion to date.  Comments seem to imply that Glow and Content filtering are in some way the same thing.  The following comments are intended to clarify the position and express some of my own views on this topic.

The History
I can recall the days when Schools were first connected to the internet directly via an Internet Service Provider (ISP).  The ISP was often specialized in Education and so was branded an “Education ISP”.  Early on, it was realized and generally agreed, that pupils needed be protected from some content on the internet so Education ISPs typically provided a filtered service this was sometimes referred to as a Walled Garden.

When the SSDN Interconnect (Glow Interconnect) was introduced, UKERNA (now JANET(UK)) pointed out that the connections to Local Authorities would be based on and equivalent to an unfiltered internet feed – in other words an open connection to the Internet.  It would become the responsibility of the LA to manage its own security policies by means of its own firewall.  As each LA was connected to the interconnect, it set up and managed its own firewall/internet filter.  In some cases the internet filter was provided to the LA by their ICT managed service provider.  This later scenario opened up some interesting issues which I don’t intend to explore in this post.

Is Content Filtering part of the Glow service?

Internet content filtering was a requirement of the original Glow functional specification, but the National Filter service as specified was never implemented.

Why was the National Filter never Implemented?

For a number of reasons it was not possible to agree a solution during the original negotiation phase and some budget was held over to help cover the cost of this service early in the contract period.

Detailed discussions were held with the Glow Contractor and proposals were put forward for a National Filter solution in which there would be a national base filter, subject to the agreement of all LA’s, and then each Local Authority could take responsibility for their own filter policies and manage them on a day-to-day basis as an extension to the national core filter.   This proposed system was capable of supporting time-of-day exceptions, and allowed filter policies to be added and associated with individual users or groups of users based on the Glow SSO service.  Each local authority would have had white and black lists which they could edit and manage locally.

LTScotland took the decision NOT to implement the solution on the basis that it was too costly despite the fact that analysis of individual LA costs (at the time) showed that a national solution would be more cost-effective and provide increased functionality.  Some LAs had at the time been holding back on upgrading their local filter service in expectation of the National Filter coming in to play.

It may well be that the same economy of scale could be achieved today if the matter of the national filter was to be revisited.

So what is the current position?

Each Local Authority has continued to implement its own filter solution (hardware and software) and sets its own policies regarding what content should be blocked or allowed to enter the LA network.  Some LAs will provide a mechanism where there are different filter policies for different times of the day and in some cases policies can be applied for different user type.  In no case will the filter policy being applied to the user’s session be connected in any way with their Glow User credentials – but the policy may be linked to the user’s network identity (the ID and password (PWD) used to access the LA network).

When a user leaves his/her place of work (school/office etc) they will subsequently connect via their home network or some other public access point such as library or community centre etc.   When at home, LA filter will have no effect on their access to the internet however some public places my also offer access through the filter service this could include public libraries and community centres which are managed by the LA.

Why do we filter content sources hosting useful education resources?

 This is of course the consequence of decisions which LAs have made about filtering.  I do not intend to level any criticism at any local decisions about filter policies but I do want to make some general observations.

I think that access to some education resources have been blocked inadvertently as a result of a policy decision taken to block certain types of content for a variety of reasons.  Let me elaborate around one case I have seen discussed!

YouTube contains a wealth of content which is educationally useful.  It also contains loads of very questionable content!  Video content (the stuff of YouTube) is also known to be a consumer of network bandwidth – much more so than other media such as text based and audio only messaging etc.  In order to either prevent the network being used to access questionable content or to stop the transit of video traffic a decision will be taken to block access to all YouTube traffic.  This is an easy decision to take and the resulting policy is easy to implement.  But the consequence is arguably bad for education because this prevents access to a wealth of useful resources.

The justification for this position is either to reduce the risk of an abuse incident or to protect scarce network bandwidth – or both.

LAs do have a significant responsibility to provide appropriate connections to schools and to manage their available budget to achieve the best possible provision in this context.  We should not be naive about this and recognize that there will always be some resource limitations.  We need to also balance this against the value that quality access to internet based resources can bring in terms of increased learner and teacher experience.

In the YouTube scenario above, decisions taken about protecting the network  and/or its users can lead to a disadvantage for educators and learners.

Some LAs chose to implement the Glow Content Delivery Network (CDN).  This provided a web cache in each school so that access to high bandwidth resources could be achieved in a much more efficient manner.  This was exemplified when a Virtual Work Experience simulation was implemented which made extensive use of Video and allowed pupils to explore at will a number of virtual worlds concerning different jobs.  Without the CDN in place this application caused the network to crash but with CDN it worked perfectly.

In my view this is something that really needs to be looked at again.

Irrespective of the existence of Glow we need to use the resources invested in to open up opportunities for enhancement of the classroom experience – not limit the opportunities.  How crazy is a situation where a teacher might want to refer to a video but have to tell the pupils to “look at it when they get home”! A core objective of the Glow portal was to make it easy for users to access and share content – at no point in the specification of Glow was it discussed that the introduction of Glow would take the place of the internet as a source of resources.  I believe that the Glow vision was more about providing better access to resources and collaboration opportunities where ever they are hosted.

The point is, from the start, Glow was always intended to be, and always has been, an OPEN network. It is local filter policies that have rendered the user experience of Glow as something much more restrictive.

I am not discounting the consequences and risks of opening up access to the internet but I really think that for the sake of teachers and pupils we do need to challenge some current thinking on this topic.

How to implement a better system?

It is not for me to dictate what should be done by those who are in charge of LA networks but I would like to offer a few observations.


  • The current position is unacceptable – LA ICT managers should not be dictating which resources teachers can and cannot exploit!
  • If there is a network resource issue – i.e. lack of bandwidth let us expose this by demonstrating the effect of lessening content access restrictions.
  • Each LA should have a procedure for opening up a block when a teacher has found a resource which is considered essential to their teaching and learning.
  • Removing a restriction should be possible in as short a period of time as possible, and preferably instantaneous.
  • Detect abuses of the network service and deal with each event on its own merits.
  • Take a position that we need to start from an open environment and only apply filter where very necessary.
  • The process of policy decision making should be open and responsive to exception requests.
  • Teachers should have a the strongest voice when it comes to decision about filtering any content that is educationally appropriate.

Glow 1 to Glow 2 – preserving the a national learning platform through evolution.

Based on what is known about Glow today – it is clear that Glow as we know it will be replaced by some other service in the near future.  There is currently no hard information around about what the new Glow will consist of, but we do know that the current contract will come to an end in September 2011 – that is  less than 12 months from the time I am writing this post.  We also know that the Glow re-procurement exercise, which was started some time ago, has been stopped by the Scottish Government.  So currently there is a real possibility that there will be no Glow after the end of this school session.

I want to use this post to exercise my own thinking about how this will affect the current Glow user base.

Let me preface my comments by making a comparison between Glow and a traditional school.  Glow is a learning platform with the capacity to support up to 1.5 Million unique users with adoption increasing on a year on year basis.  I prefer to deal with the facts as I know them as opposed to  speculating on the basis of information rumor.  Glow also provides a national focus for online learning which not as some seem to think completely closed down and exclusive of the web as a whole.  Many discussions seem to confuse the impact of Local Authority internet filtering as synonymous with Glow – nothing could be further from the truth.

Pupils and teachers attend school each day and school is traditionally taken to be a place of learning.  Lots of resources are collected there which both teachers and pupils can use to deliver and enhance the learning experience.  What an outcry there would be if the government was to announce that it was stopping its involvement in curriculum development, or worst still closing down all schools in a years time and leaving the process of Education to the “free” sector.  Scotland makes a significant investment in its education system and although it’s not perfect it has certainly served Scotland’s learners well.  Of course the education system does need to evolve to remain relevant so change is inevitable.  I would assert that the government has a key role and responsibility to ensure that the education system is protected and developed in a caring and sensitive manner.  The use and development of ICT today is now embedded in our education system in my view – but I do recognize that we have some way to go before ICT is universally adopted as part of daily practice in schools.

Scotland took a very brave decision early in the last decade to establish Glow as a country wide service at a time when this was unprecedented. The technology landscape at the time was very different to the way it is today and to some extent the context did influence what could be achieved.

The cost of the Glow initiative was also very small in the context of overall spending in Education.  With an overall burget of £37.5M.  This cost was spread over the initial 5 years with payments being made only when the contractor achieved clearly defined milestones according to user account provision and service performance.  There may well be a case for altering the commercial model of Glow to recognize actual service usage.  This would lead to a situation where cost of the service would of course increase as user adoption increases.  This idea is complex and probably warrants another post dedicated to considering how this may make better sense.

Early in the Glow (SSDN) project words of Alan Kay were often quoted as follows

“The best way to predict the future is to invent it”

I believe that the Glow project was one of a number of initiatives by the Scottish Government aimed at trying to “invent” the future IT landscape for Scottish education.  This was always set against a backdrop of continuous change and evolution in the world or IT at large.  We have certainly seen a number of unexpected developments taking place which have altered peoples expectations – these include the advent of Web2.0 and the social networking revolution which were just beginning to emerge when Glow was initially being specified.

Glow is based on a national directory of users including pupils, teachers, school support workers and parents.  Establishing this directory has been possible by designing and implementing a data transfer system which allows existing school MIS data to be first cleaned up and then used to trigger the setup and alteration of user accounts in Glow.  Although this process was very difficult and complex one could argue that getting user accounts setup in the Glow directory is the easy part.  Much more difficult is getting teachers to take the opportunity to use Glow and embed it into their daily teaching practice.  There is always a group early adopters but I think that in reality the majority of teachers are overwhelmed with their current workload and for some technology adoption is a step too far.

A critical issue here is the type of support that teachers are given – it is useful to note that the majority of the Glow budget was apportioned to teacher support – not the platform systems.  It was always recognized that helping the teaching profession to adapt their attitude towards and knowledge of using technology in the context of classroom practice was a key element.  This goes much further than just giving instruction of how to operate and application and is also about how the application can be used effectively to improve the learner experience.

For me it is critical that any transition from the current position to the next must be managed in a way that brings existing users onboard.  The move to the next system should be perceived as an evolution where users can easily adapt in easy stages.  I believe that a fundamental requirement here should be that existing users should be able to continue to access the platform using their existing user identifier (UID) and password (PWD).  Things like email address should be preserved as they currently are and of course the current investment in content – both nationally provide and user created – must also be preserved.

In closing I should also state that I recognize that some elements of Glow need to change but on the following basis.

  • It is essential that the move forward takes into account any lessons learned from the experience of deploying and using Glow to date.
  • We should develop the good and remove/replace/enhance the elements which are judged to be weak in a planned and staged manner.


Evolution not Revolution is the way forward.