UCS@school: How the Wetteraukreis Manages Its School IT Centrally

How can centralized school IT be successfully implemented in a rural district with 85 schools? The Wetteraukreis demonstrates how to establish a reliable digital infrastructure using UCS@school, clear processes, and a strong team. Key factors for success include automation, data protection, and direct on-site support.

The Wetteraukreis is located north of Frankfurt am Main and, with an area of 1,100 square kilometers, is a classic rural district—characterized by many small towns, long distances, and numerous school locations spread across the entire district. As the school authority, we are responsible for the IT infrastructure of 85 schools at 90 locations in approximately 400 buildings. By the end of 2024, around 43,000 students and 4,200 teachers were registered in our central identity management system.

The technical equipment is correspondingly extensive: We currently manage about 6,200 PCs and laptops, 6,400 iPads, 1,900 interactive whiteboards, and 800 projectors, along with around 1,000 printers and 184 servers. Our network infrastructure includes 1,700 switches and 3,800 access points—the comprehensive WLAN in our schools was established as part of the DigitalPakt Schule, which also enabled the complex cabling of many older buildings.

This heterogeneous and large IT landscape is centrally operated from the data center of an external service provider. Our school IT is based on UCS@school as the identity management system and integrates additional solutions such as Nextcloud, Microsoft Office 365 (pseudonymized), Matrix42, and Relution for mobile device management of Apple iPads. In total, over 450 software and app applications are available, which we provide centrally. The software packages are tailored to specific school types, updated monthly, and evaluated annually.

This entire system is managed by a 16-member team at the school authority, supported by ten additional technical staff from our service provider HORN & COSIFAN GmbH. I would like to present to you in this report how we have managed to integrate this multitude of devices, users, and school types into a centrally controlled system—and what we have learned about digitalization in the process.

Unlike in large cities with centrally located schools, our educational landscape is spread over a vast area. For many IT issues, this means long distances, extensive coordination, and little room for quick on-site solutions. Anyone working in a rural district knows that school IT presents a unique challenge. Our experience shows that when you have to manage thousands of devices remotely, keep them regularly updated, and ensure they are flexible to use, you need modern and robust systems along with well-thought-out and automated processes.

The central question for us was: What do we need to make our infrastructure truly manageable? School IT is more complex than it appears at first glance. It is not enough to deliver devices and set up Wi-Fi; digitalization must be integrated into everyday school life. Or rather: it must become a lived “digitality.” Teachers and learners should be able to rely on their technology and use it intuitively, without it becoming a burden.

Additionally, standard solutions that may work well in the business sector cannot simply be transferred to schools. Child, youth, and data protection regulations impose special requirements, and many IT systems fail to meet these conditions. Our goal in the Wetteraukreis is therefore clear: We want to create a digital infrastructure designed not only to function in schools but also to support and enhance digital teaching and learning.

The initial situation was far from ideal: For many years, IT in our schools was largely operated in a “userless” manner. This meant that student PCs automatically started with a predefined profile that required no login. Changes to the system were simply discarded upon the next restart. Teachers worked with their own password-protected profiles—ensuring that students had no access to these devices, but that was about it. iPads were also used without any login.

What was once considered the best and most feasible solution was no longer tenable in terms of data protection, security, and usage tracking. It was impossible to trace who had used which device and when. Devices were tied to specific locations, making exchanges between schools technically difficult. Data storage occurred exclusively on the respective school server—there was no cross-school structure or central management.

With the growing number of devices and the increased demand for digital teaching, it became clear that this infrastructure could not be carried into the future. A solution was needed that allows for personal logins, operates in compliance with data protection regulations, enables the transfer of users and devices between locations, and remains efficiently manageable from a distance.

We set out to find a solution that would significantly ease the teaching process—through centralized user management, simple integrations, and a reliable digital foundation. With each new app, device, and additional digital offering, the pressure to fundamentally rethink our IT structure increased.

What we needed was an identity management system that could manage all students and teachers across schools — automatically, consistently, and without manual maintenance. It also had to work across multiple applications, so we wouldn’t have to create new and increasingly complex structures for each new service. The data for this identity management should be taken directly from the state of Hesse’s teacher and student database (LUSD) and continuously synchronized in an automated process. (Full automation is currently pending approval by the state of Hesse, but can be implemented immediately once approved.) This way, we no longer have to take care of this task ourselves — and at the same time, we benefit from high-quality data sets.

At the same time, it should be possible for devices like iPads or laptops to move as flexibly between school locations as their users do. Whether teachers working at multiple schools or students traveling between schools—IT should not be a barrier.

Another goal was to establish a powerful cloud system: Teachers and learners should be able to access their materials from anywhere, whether for lesson preparation at home or in the classroom itself. For this to work, it requires not only technology but also competence. Therefore, it was clear to us that the new infrastructure must be so intuitively usable that its implementation poses no hurdle for any teacher or student.

A digital workplace for schools that functions intuitively and truly simplifies everyday life for both teachers and students— we formulated the requirements for the new solution in the following six points:

• Central, cross-school management of users and devices—automated and compliant with data protection regulations.
• Direct connection to the LUSD database of the state of Hesse for continuous data import and fully automated synchronization.
• Personal user accounts with Single Sign-On for most systems—including Microsoft Office 365 (pseudonymized).
• Unified login on all devices, including BYOD models for teachers and learners.
• User-specific access to private cloud storage—replacing local shared drives on school servers.
• Location-independent usage, allowing all teachers and learners in the Wetteraukreis to log in at any of our 85 schools.

Another important component of our implementation is direct support at the schools. For this purpose, we have established four Digitalization Representatives in the Wetteraukreis. They are deployed whenever digitalization encounters challenges in the classroom—practically oriented, trained in the system, and approachable at eye level.

We have expanded our existing ticket system to include an additional category: pedagogical inquiries. Teachers can easily reach out to us and say, “I’m having trouble with this application—can someone help?” And that is exactly what happens. Our Digitalization Representatives go out to the schools, provide direct support in the classroom or staff room, and ensure that digital operations continue smoothly in the school day. This model has proven effective—as a low-threshold, direct assistance for specific needs.

The decision to adopt UCS@school came after extensive discussions with other school authorities in Hesse that were already successfully using the system. We were particularly convinced by its flexibility in integrating various systems, the centralized user management, and the ability to manage all schools from a single platform—regardless of location or school type.

In the Wetteraukreis, we now use UCS@school as our central identity management and broker system. In the data center of our service provider, HORN & COSIFAN GmbH, we operate a geo-redundant cloud instance with eight UCS@school servers. This setup handles all central tasks: user management, single sign-on, the (pseudonymized) integration with Microsoft Office 365, Active Directory, Nextcloud, and, in the future, the BLIDUNGSLOGIN from the Educational Media Association. Two additional RADIUS servers based on UCS ensure the authentication of personal devices in the BYOD network.

The local school servers run on Microsoft Active Directory and are connected to the central system via VPN links. All user accounts are automatically synchronized from the UCS identity management to the local AD services. The infrastructure is complemented by smaller local servers at the schools—used for specific applications such as library databases or processing registration events.

The entire environment—from the data center to the school servers—is virtualized, backed up daily, and centrally monitored. For file management, we rely on our own Nextcloud instance with storage capacity in the three-digit terabyte range, connected to the central UCS system but operated independently.

In addition to user management, we also prioritized simple, centralized control of the software solutions in use. Today, our UCS@school system is linked with a whole range of third-party applications—including Nextcloud, Microsoft Office 365, Active Directory, and network authorization.

A central element is our private cloud solution based on Nextcloud. Here, teachers and learners can securely store and share their files—personalized and compliant with data protection regulations. For this purpose, we developed a dedicated app: the WK-SchulCloud. It is available in app stores, easily recognizable, and is actively used by the schools. The storage resources are provided from our data center, currently offering around 140 terabytes. Teachers receive 20 gigabytes of storage—calculated based on typical data volumes for lesson preparation. Students get 2 gigabytes. Adjustments to the quotas are possible at any time, but so far, there have been no complaints.

At the request of the schools, a general shared folder has also been set up for each school location. This allows for the sharing of materials within the school—such as between teachers and their classes or among students. For data protection reasons, external access is not permitted, and the general shared folder is exclusively available to the faculty.

Another central topic was the integration of Microsoft Office 365—under clear data protection regulations from the state of Hesse. In this context, cloud usage is not allowed. Our solution: All approximately 45,000 Microsoft licenses are installed locally—on all devices provided by the school authority as well as on loan devices for teachers. Through our central school portal, users can download the Office suite for up to five personal devices free of charge. The login process is fully pseudonymized via UCS@school, ensuring that the users’ real names are not transmitted to Microsoft. This arrangement is also approved by the state data protection authorities, leaving all parties satisfied.

A large portion of our digital devices in the schools of the Wetteraukreis consists of iPads—currently around 6,400 units. To manage these devices efficiently, securely, and in compliance with data protection regulations, we rely on the mobile device management solution Relution. This platform, developed in Germany, is optimally integrated with UCS@school through the Univention App Center, allowing us to centrally manage all iOS devices remotely—easily, reliably, and flexibly.

Relution supports automated enrollment through the Apple Device Enrollment Program (DEP) as well as convenient license distribution via the Volume Purchase Program (VPP). It also fully covers Apple Classroom. This enables us to set up our iPads across locations, equip them with the appropriate apps, and prepare them for specific use cases—without the need for personal Apple IDs. This not only reduces administrative effort but also ensures that operations remain compliant with data protection regulations at all times.

A significant advantage is that Relution allows for stable mixed operations of various device types and operating systems. The MDM system works closely with our central UCS identity management and integrates seamlessly into our existing infrastructure. This makes the secure storage of work results on central servers and access to school file shares straightforward and hassle-free.

Building a central school IT system for 85 schools in a rural district is no easy task. However, with the right architecture, reliable partners, and a clear goal in mind, we have created a digital infrastructure in the Wetteraukreis that significantly supports everyday school life—reliably, in compliance with data protection regulations, and user-friendly. Just as important as the technology are the people behind it: a dedicated team, direct support on-site, and the willingness to truly make digitalization usable.