To make the outdated, heterogeneous IT landscape of Flensburg’s schools a thing of the past, the school’s IT department took a new approach. Since 2017, it has relied on the modular, flexible and easy-to-use open source solution UCS@school. Since then, this solution has been successfully deployed as a school platform with central identity management (IDM). It started with a pilot school and was gradually followed by other schools until all 23 schools in Flensburg were connected to the UCS@school environment in 2023.

Anwender

User

  • 23 Schools (run by the city of Flensburg)
  • 15,000 pupils
  • 900 teachers
  • 4,000 tablets, 1,200 PCs and notebooks as well as various presentation systems
  • 7 IT employees for the technical support of general education schools
Checkliste

Requirements

  • Connect internal and external services via LDAP and single sign-on
  • Provide a Radius server for BYOD implementation
  • Centrally manage and deploy Windows clients and tablets
  • Relieve IT faculty from IT tasks
  • Intuitive usability of the new IT solution for different user groups
  • Efficient bundling of support and easy maintenance
  • Enable users to access files from anywhere
Lösung

Solution

  • Development of a UCS@school environment as a central school platform in the data center of the city of Flensburg with directory service for identity management, Active Directory functionalities, school portal, school server and educational functions
  • Connection to a radio server that allows users to log into the school WLAN with their access data
  • Rapid implementation of a solution to manage Windows clients on the network
  • Integrate Jamf School as Mobile Device Management (MDM) and centralize control of student and teacher mobile devices
  • Outlook: Use of the UCS@school ID Connector so that there is only one identity for access to the IDM Flensburg and the SH school portal

Initial Situation in the City of Flensburg: From IT Desert to Beacon School

Before the city’s IT department decided to deploy UCS@school in the city’s 23 general education schools, there was no centralized IT structure, but rather a heterogeneous landscape. While some schools only had a NAS server, others were already using larger servers for virtualization that were primarily used to run applications in IT classes.

To ensure that the promotion of digital learning no longer depended on dedicated teachers, IT needed to be professionalized. The introduction of the modern, modular and flexible open source solution UCS@school with central Identity Management (IDM) supported this process significantly. In addition, by connecting a secondary school as a pilot school for the project, important practical experience was gained in an early test phase, which could be used to gradually establish the same standards in all schools. The goal of this modernization process was also to efficiently bundle the support tasks, to relieve the teaching staff in the long term, to give them more time for their pedagogical work, and to offer the user groups an IT solution that not only convinces with its technical advantages, but also with its simple and intuitive usability.

Open Source Solution UCS@school for the Reorganization of the IT Infrastructure

According to the new approach of the city of Flensburg, a standard UCS@school environment was set up with primary and backup directory nodes and a directory replicated on replicated directory nodes for the individual school locations. These components run together centrally, virtualized and sorted by school in an area created for school IT in the city of Flensburg’s new data center, which will be built in 2022. Dedicated servers will be operated there to reliably connect various services relevant to everyday teaching and learning, including UCS applications as well as in-house and external applications. Outside the data center, there is only one firewall in the schools, to which the Internet access for the end devices is decoupled.

The majority of the schools are connected via dark fiber (point-to-point connections) leased from Stadtwerke Flensburg. The remaining schools, for which this option would not have been economical due to their size and distance from the data center, were successfully connected via the VPN operated on Dataport’s fiber optic network. Today, pupils and teachers can access all important services centrally via the school portal (https://portal.schulen-flensburg.de/univention/portal/#/).

This is what our customer says.
  • „With UCS@school, we have found an IT solution for Flensburg's schools that is modern, reliable, and easy to use, making our school IT fit for the future. ”

Challenges Flensburg IT faced during the Project

During the course of the project, which began in 2016, the city’s IT team kept encountering new challenges, both large and small, that needed to be overcome. For example, when updating the pupils’ digital devices to Android 12, a problem arose with the previously smooth use of the RADIUS package including Internet rules from UCS@school with different VLANs for network segmentation, but a solution was quickly found. To get the devices working again after the update, new certificates had to be issued and stored on the RADIUS servers to prove a trustworthy connection.

Another challenge was connecting external applications to facilitate the school day. The school authority’s IT team set up a reverse proxy in front of the actual UCS@school environment so that applications such as the timetable software in the backend can access the required master data in the directory via WebUntis and an LDAP-S connection. Not all external applications are connected via this redirection: The file sharing solution Nextcloud, the video conferencing service BigBlueButton and the software distribution tool opsi are connected directly to the Univention directory.

While it was planned that the Univention Samba shares would only be accessible from the workstations in the school network, i.e., within the school’s UCS domain, there were special requirements for computer science lessons. For example, files should be saved directly from a program to a network drive and also be able to be viewed outside the local network. A solution was quickly found by using the existing Nextcloud, integrating SAMBA shares and creating a custom Powershell script for the school’s own computers: The pupils’ login and credentials are now passed directly to Nextcloud and WebDAV mount on the local computers.

Conclusion & Outlook

Malte Matthiesen from the City of Flensburg emphasizes: “We are considering using the Univention ID Connector in the future to replace our self-developed transition system, which accesses the UCS@school API, and to create an even more secure and simpler connection between the SH school portal and the IDM of the City of Flensburg.”

Flensburg is currently still using its own solution to import new master data lists of pupils, teachers, and school staff. This is to be replaced by the Univention ID Connector in the future, so that user maintenance and master data import at the school authority will no longer be necessary, and it will be easier to change schools within the state. Pupils in the lower grades in particular would benefit greatly from being able to log in centrally with just one account and password. The city’s IT department would also like to use the new computer room module in UCS 5.0 via Veyon instead of iTalk, and include all printers in the schools in the central UCS print server management. There are also plans to consider alternative models for financing additional iPads, such as leasing the devices, e.g., via the pupils’ parents.

If you are interested, you can find Malte Matthiesen’s presentation at the Univention Summit 2023 on our YouTube channel (in German).

Newsletter

Stay updated on all news about Univention and our IAM products via email.

Get started

Make an appointment and get to know our IAM solution.

Further References