Summary
Rock Island-Milan School District oversees 14 schools in the Rock Island and Milan areas of Illinois. When it came time to replace their aging Active Directory® hardware, Rock Island embarked on a search for the best directory service for their infrastructure. They needed a solution that could manage Macs, strengthen control over their networks, and integrate with G Suite and Office 365. In their search, they found Directory-as-a-Service®, and discovered a solution that would modernize their IT operations.
Organization: Rock Island – Milan School District
Size: 6,500 Students, 1,000 Staff
Location: Rock Island and Milan, IL
Problem: Aging Active Directory Hardware, Weak Network Access Control, Autonomous Macs
Goal: Secure Network Access, Centralize System Management
Background
Rock Island was at a crossroads. They needed to either update their existing Active Directory instance or upgrade to something new – and that meant it was time for Mike MacKenna, Infrastructure and Security Administrator, and Troy Bevans, Director of IT, to survey their options. They started with the status quo: Microsoft®.
Mike told us, “Most of our infrastructure was running Windows Server 2008 R2 – six- or seven-year-old servers. So we were in a position where we looked at Microsoft volume licensing and Client Access Licenses (CALs), and how much it would cost to get a volume license agreement. For five years, I want to say it was around $30k.”
“So our first option was to reinvest with Active Directory and get a whole lot of Microsoft licensing. But we had Macs and free file storage coming down the pipe from Google.”
“There was so much new cloud-based infrastructure that was getting good reviews. So, it just seemed like the right point for us to completely revamp everything.”
The Challenge
Rock Island could have justified sticking with Active Directory if the only problem was outdated hardware and expensive licensing, but AD also left them wanting more when it came to managing network access. Mike and Troy explain:
Mike:
“We started with separate SSIDs to try and keep faculty on one VLAN and students on another. The problem we had with shared keys was eventually the password would get out and you would see faculty members on student networks and students on faculty networks. So we were losing the ability to keep connections in appropriate containers for the different policies.”
Troy:
“Also, students would discover the passphrases to get on to our wireless networks and would constantly consume the bandwidth. We wanted a way for everyone to have their own credentials and authenticate individually. So when we heard about JumpCloud’s RADIUS-as-a-Service it looked really intriguing to us.”
The other major challenge for Rock Island was Mac management.
Mike:
“Our Macs were autonomous, and while we wanted to get them into a directory structure, we didn’t want to buy CALs for Windows servers.”
The Solution
Rock Island came across JumpCloud as they searched for a comprehensive directory solution.
Mike:
“We were looking for a way to unify the different platforms with a single directory structure and at the same time solve our need for RADIUS. In our search, we stumbled across JumpCloud. We did some initial testing. We were impressed with it then and we have been ever since.”
“We looked at some alternatives. But they were more expensive and complicated than JumpCloud’s implementation. We didn’t need all of that.”
“The more we looked into JumpCloud, it fit the bill for everything we needed all in one nice package.”
Implementation
WiFi Access Through RADIUS
Troy:
“We have two implementations of JumpCloud. We have a staff implementation and a student implementation. We don’t have the cloud RADIUS service with the students. For the teachers, they can just log in with their credentials. We have 14 schools and they just move from school to school, using their RADIUS credentials, and they can access the WiFi.”
Mike:
“We don’t need it for students because those are hardline machines. For their personal devices, we just push on to a quarantine public network anyway. So the need for RADIUS really comes down to wireless devices for faculty that have access to our applications and internal resources. For those devices, we want to know exactly who it is on the device and what they’re accessing. JumpCloud has been able to accommodate us from that standpoint. So we have definitely been happy with the RADIUS implementation.”
“I forget that I’m authenticating when I walk into the building and it just works.”
Users and Systems
Troy:
“The way we have been integrating a machine is by using some scripts that Mr. MacKenna wrote. We basically just run the script and it installs everything we require. We use the Chocolatey package manager to push things out, and when we get it, JumpCloud binds the machine. That works very well. With the faculty, we’re only doing one person per machine so that way if they leave we can just take their rights away. But with the students, we use pGina, so they can authenticate against the entire LDAP directory.”
Student System Access (Libraries and Computer Labs)
Mike:
“For students, we only have 300 machines but we have 1,700 students, and nobody wants to keep track of which student is going to use which machine. So our first thought was to set up 1,700 accounts to every machine. Windows didn’t care for it that much.”
“We talked to JumpCloud’s Customer Success Team and they gave us the following guidance based upon their work with other .edu’s in our similar situation. They said, ‘In our testing, more than a couple hundred accounts within Windows gets a little unwieldy.’ Their recommendation was to leverage pGina on our student-Windows systems, which is an open source authentication module for Windows which enabled us to point these systems directly at JumpCloud’s LDAP service.”
“So now the way we have it set up is, any student sits down at a machine, and they type their credentials on the Windows system. If they have never logged into that particular machine before, it generates their profile and they have an account on there moving forward. We use Google in the back end, so they’re essentially logging into Google and straight away they’re working with their own Google Docs.”
G Suite and Office 365 Integration
Troy:
“Of course, every school is going to use Google. JumpCloud integration with Google means users have one less password that they have to remember. They just have to use the JumpCloud password to log in. We also use Office 365, which has been working for us in the same way.”
“To see that JumpCloud integrated well with Google was another piece that seemed to fit into the puzzle.”
The Result
From AD to the Cloud
Mike:
“We’re in the process of moving off of Active Directory entirely. We’ve taken pretty much all of our student devices and things like that off of Active Directory. So, we’ve already started to minimize our server footprint, internal boxes, and also CALs from that perspective.”
“We still have some legacy stuff out there that we haven’t rolled over yet with some of our faculty resources, like thin clients that are at the end of their life. But we’re definitely headed there.”
Troy:
“We don’t even use file servers anymore. Since we’re a school district, we have unlimited storage space on Google. We’re using a program called ExpanDrive, and testing Drive File Stream. Both of these will map a drive letter to your Google Drive, so we store everything there. When somebody logs into their machine with JumpCloud, it’s the same credentials to enter into Google, where they are saving all of their documents. Then we use Spanning Backup to ensure everything is backed up so we can restore it instantly when we need to.”
“It’s a nice system.”
Achieving Simplicity
Mike:
“We’ve managed users in and out of Active Directory with PowerShell scripts before, but we also did a lot of it manually as well and it’s cumbersome as far as how many OUs [organizational units] we had to use and making sure things are in the right place.”
“Whereas JumpCloud seems to be able to do that a lot more dynamically and quickly than Active Directory. Plus, we had a couple of domain controller meltdowns at one point, and that could be a show stopper. Whereas with the JumpCloud system, we haven’t had any of those kinds of issues and it has been rather quick for us.”
“Things seem less complex than they used to be.”
Saving Time and Money
Mike:
“The simplicity that JumpCloud offers has really been the time saver. We’re not dealing with constantly looking at replication and if things back up correctly and all this other stuff that we had to deal with in order to maintain our Active Directory implementation. So that frees us up to do things that we really want to.”
“We really like JumpCloud. We think it’s very unique. I’ve often wondered why Microsoft didn’t come up with something like this. They’re still sort of trailing behind. But we’ve been very happy with JumpCloud and I would be willing to recommend it to another school.”
Troy:
“We were at a point where we needed to decide if funds were going to be allocated to upgrade our aging servers, including hardware and software requirements. However, after making the decision to go with JumpCloud, we actually saved money, which allowed us to make some much needed workstation purchases for the district. Additionally, I do not have to allocate resources to manage the servers any longer, which provides more time for us to serve the district.”
“It’s a very forward thinking model. JumpCloud really embraces the whole cloud.”