The municipal authorities of the German city of Fulda in the state of Hesse are responsible for the administration and operation of the IT in 23 schools in Fulda – including 2 vocational schools and 2 grammar schools – for a total of 13,000 pupils and 1,000 members of teaching staff.
Unlike in the rest of Hesse, as an education authority for a small city, we have the city’s own well-developed fiber-optic network at our disposal. The majority of the schools are already connected to the fiber-optic network covering the whole city, which allowed us to do away with local servers in the schools at an early stage and focus on a centralized IT concept instead. As a result, all the school IT in Fulda now runs over centralized servers in our administration center. We operate an Active Directory domain of our own design on these servers with centralized domain controllers, to which a terminal server farm comprising both Windows and Citrix servers as well as the central file servers are connected.
All the computers in the schools – many of which are cost-effective thin clients – log on to these servers to access data and services. All told, the network comprises almost 1,500 Windows PCs and notebooks plus 850 thin clients. Access to the pupil network is regulated via 130 access points, which allow 3,500 users to access the network simultaneously during school hours.
Automation should reduce administrative efforts
Last year, we decided to take the centralization of our IT infrastructure one step further. The aim was to reduce the necessary administrative efforts even further on the one hand and to integrate new services for our users into the central concept at the same time on the other. The first step in this respect was to identify a reliable system for centralized identity management, to which the rest of the applications could then be connected.
Our list of requirements included:
- It should be possible to import all the pupil data from the LUSD administration software, in which all teachers and pupils in Hesse are registered, running at the IT center of the Hessian Data Processing Center (HZD) in Wiesbaden. This import should be performed automatically and over an encrypted connection into our Active Directory.
- It should be possible for the IT administrators at the respective schools to maintain the teaching staff’s user accounts manually and simply via a web interface.
- It should be possible to maintain all user groups, directories, and shares from the XML files imported from LUSD by means of an automated process.
- It should be possible for the schools to reset pupils’ passwords themselves via a self-service portal and to enter personal information such as e-mail addresses and cell phone numbers.
- It should be possible to integrate additional services for the users such as Office 365 or private cloud applications simply and reliably.
UCS@school permits centralized identity management
After searching for a while, we came across UCS and UCS@school in spring 2016. After thorough testing, it soon became clear that the centralized identity management and access management offered by UCS presented an excellent solution for realizing our principle of centralization with the same degree of transparency. Following the kick-off in February 2016, we were able to implement the roll-out of UCS as quickly as the end of the summer vacation in July and manage all the pupils’ and teaching staff’s identities via UCS’ identity management system. The majority of users didn’t notice anything until the user login in Windows was changed over to “Named Accounts”.
Univention Corporate Server has been taking care of the synchronization of the user data between Active Directory and UCS, the provision of home directories, and the provision of self-service functions in our centralized IT center ever since. Another important function adopted by UCS is the automatic import of the user data from the state of Hesse’s LUSD directory already mentioned above. In this step, UCS imports the name, class and school of the users and generates a password for each user, which can be changed by the individual at a later point in time. This one password gives the user access to all the services and data as well as the school’s wireless Internet. For the resetting of passwords, UCS offers the option, for example, of saving a user’s private e-mail address, which the self-service function in UCS then uses to send each pupil a token for resetting their password without the need for a teacher to be involved. This process reduces administrative efforts significantly. Just imagine how often passwords need resetting in a network with 14,000 users!
In addition, the automatic life cycle management offered by UCS is also very important to us. If a pupil or member of the teaching staff leaves the school system or changes schools, this information can be input into LUSD, with the corresponding effects on all the resources the person uses and on their rights. That is a point that I would like to address in more detail when we move on to the use of Office 365.
Framework agreement offers cost-effective use of Office 365 for pupils and teaching staff
In the scope of the further development of our service offering for the schools, we investigated the possibility of allowing pupils and staff to use Office applications, as this request was voiced time and time again by schools, and we wanted to offer them appropriate support.
It turned out that the additional fees for providing a sufficient number of licenses for the use of Office 365 in the schools would be low thanks to the administration’s existing framework agreement with Microsoft. Thanks to an expansion clause in the framework agreement, the Office programs can be directly installed and used on up to five devices and an additional five mobile devices for each license owned at no extra charge. The agreement allows the pupils to use Office 365 Pro Plus and the teaching staff to use OneDrive and Office Online too. On top of the existing contractual fees for the FWU framework agreement, it was only an extra 0.05 € per pupil or teacher for the use of Office 365 Pro Plus each year. It was going to be hard to find a better deal than that! The hierarchical roles system in UCS@school proved particularly useful when it came to implementing the different teacher and pupil access privileges. More about that in a minute.
The challenge: Office 365 access complying with data privacy regulations
Once we’d discovered this cost-efficient solution, the next step was to achieve Office 365 access which complied with the pertinent data privacy regulations. After all, our data privacy officer signaled early on that Office 365 as a web service saves content and user data on its own Microsoft Azure cloud – a scenario which fundamentally contradicts German data privacy regulations concerning the treatment of pupils’ data. As such, as the situation is at present, it will not be possible to employ Office 365 in its standard configuration in Fulda until there is a possibility which complies with data privacy regulations, for example use via the “Deutschland Cloud”, which still appears to be in a very early stage of planning. Consequently, we needed to consider another option via which we could still make the financially attractive offer available as a service.
At this point, the Microsoft Office 365 Connector made available in the App Center by Univention came into play. Thanks to authentication via the SAML technology integrated in UCS, all users can log on to UCS with their password as usual. The authentication to the web service is processed via UCS – the password and username remain in the internal system and are neither communicated to Office 365 nor saved there. Nevertheless, the problem remained that the content created in the Office 365 applications is saved on the Azure cloud, which is also not in line with data privacy regulations. Our solution to this problem: After registering with the web service, our teaching staff and pupils download the on-premise version of the Office programs, which they then install on their own computers and use locally. This keeps both the user data and the content within our own system, ensuring that they are not saved on Azure.
We installed the Office 365 Connector directly from the Univention App Center and connected it to the Azure Active Directory via an interface. This then allowed us to connect our UCS environment with Azure, with the result that the user authentication required for Office 365 could be effected via UCS’ password service.
Central control of Office 365 profiles via the LDAP server integrated in UCS
In the initial setup, we performed the configuration of the Office 365 profiles centrally via the UMC (Univention Management Console), UCS’ web-based management tool. Once all the important parameters had been entered and settings made, we were able to assign the profiles to groups (e.g., pupils / staff) in UCS. As such, it was simple to provide the staff group at school A with the extended Office functions as described above while only permitting users with a “pupil identity” access to Office 365.
As a parameter for the unambiguous identification of users, we decided to use a dummy e-mail address for the respective user in Fulda. Even though it is not currently in use, it could be included in additional scenarios in the future, for example the introduction of a school e-mail solution.
Central administration of the license data allows efficient control
As already mentioned above, personnel changes are becoming more and more common in larger school environments in particular, which is why keeping the number of actively used licenses under control was an important matter for us. UCS@school also offers us convenient administrative solutions in this respect. For example, the centralized identity management system in UCS can be used to assign each user their own Office license. If a pupil or member of staff leaves the school, the information only needs to be updated in the centralized system once. The replication mechanism then automatically propagates the information to all the necessary points and adapts the user’s license usage accordingly. The pupil’s or teacher’s Microsoft license is automatically disabled and deleted within a couple of weeks. This allows us in the school administration to stay on the safe side with respect to the number of active licenses and not worry about running out of licenses, all at no extra administrative cost.
And that’s not all…
As outlined above, the introduction of the centralized identity management and access management system with UCS@school has not only reduced the necessary administrative efforts significantly for us as an education authority and within the schools themselves – it also opened up an opportunity for us to introduce further applications such as Office 365, in a manner compliant with data privacy regulations no less.
It goes without saying that we will be implementing even more steps in the years to come. For example, there are also plans to establish a private cloud, as it is anything but certain whether the planned German education cloud will actually be implemented in the foreseeable future. And why should we wait for the implementation when we have the opportunity via the Univention App Center, for example, to integrate a private cloud service in our IT infrastructure now? We already have a number of great ideas and we are delighted to be in a position to offer the schools under our care modern, tailored and efficient IT.