This question was asked 18 months ago by William from UTA, but without much in the way of an answer. The replies immediately went down a cloudpath rabbit hole, never to be seen again. Here is what William asked, and exactly the situation my team was put in today:

"Does anyone have experience managing iPads for classrooms (where an iPad is given to each user and returned at the end of the course, only for the next class to pick them up)? I'm interested in how to manage credentials in an 802.1x environment (to ensure actions on the network are attributable to the user at that time). If someone has resolved this, I'd like to speak with them, we have instructors working on proposals."

We have a 'no generic account' policy on our campus, and if it is possible we want all of our students to use their own credentials at the start of the class period with the iPads getting amnesia at the end. It seems that re-syncing them using the Apple Configurator or iTunes is the only way, but I wanted to check with the hive mind to see if anyone had some neat trick. Ideally it is a setting/template to be used, and not some MDM/onboarding solution.

-Luke
=-=-=-=-=-=-=-=-=-=-=-=
Luke Jenkins
Network Engineer
Weber State University


Luke,

Our experience has been as follows (keep in mind we are a two person IT dept with 400+ K-12 students). After numerous conversations with an Apple engineer, it appears that there is no reasonable (Configurator would take too long) way to reset the devices to ground zero state. We are using a Palo Alto firewall, with captive portal (Kerberos to AD accounts), to track any internet usage on the devices. It seems pretty obvious that Apple expects everyone to purchase their own. Hopefully a bigger dept. can chime in and prove us wrong!

Sincerely,
Bob Williamson
Network Administrator
Annie Wright Schools

I do not know how difficult it is to manage the users, teaching them to navigate the iOS settings to delete the 802.1x profile as they return the iPad... but on the loaning side, autoconfig, cloudpath or even a mobileconfig profile should get users onboard quickly. I can tell you that in Cisco land with a current controller revision it is possible to syslog the RADIUS authentication logging. We use Splunk, but rsyslog should also be useful if scrubbing the text logs for attribution data is not sufficient. I suspect Aruba and others might be similar.

Randall Grimshaw

Might be better off using a non-802.1x network and you could have an easy timeout on some sort of gateway. Other than that there may be some sort of kiosk type software that will do that sort of thing on a schedule.

-----
Walt Reynolds
University of Michigan

I did not know about the .mobileconfig expiration date/time, that is something I'll look into. The other solutions are also good ideas. I think a captive portal might have to be the solution for now. Thanks to everyone. I think a feature request with Apple is in order. Either 'forget network credentials on sleep' (with a 5+ minute sleep timer) or 'forget network credentials after x minutes.'

-Luke
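
The .mobileconfig expiration mentioned in the thread, sketched as an added example that is not part of any poster's message: a script that builds an 802.1X Wi-Fi profile whose top-level `RemovalDate` key is set to a few minutes after the class period ends, with no username or password embedded so each student is prompted for their own. The SSID, RADIUS server name, identifiers and class time are constructed placeholders, and the sketch assumes that when iOS removes the profile it also drops the Wi-Fi configuration and the credentials entered for it.

```python
import plistlib
import uuid
from datetime import datetime, timedelta, timezone


def build_loaner_profile(ssid, radius_names, class_end, grace_minutes=5,
                         org="edu.example"):
    """Return XML .mobileconfig bytes for an 802.1X Wi-Fi payload that
    iOS removes by itself shortly after the class period ends."""
    if class_end.tzinfo is None:
        raise ValueError("class_end must be timezone-aware")
    removal = (class_end + timedelta(minutes=grace_minutes)).astimezone(timezone.utc)
    wifi = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": org + ".loaner.wifi",      # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Classroom Wi-Fi (" + ssid + ")",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],                      # 25 = PEAP
            "TLSTrustedServerNames": list(radius_names),
            # UserName/UserPassword deliberately omitted: the student is
            # prompted, so RADIUS logs carry a personal identity.
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org + ".loaner",           # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Classroom loaner iPad",
        # plistlib writes <date> values as UTC, so pass a naive UTC datetime.
        "RemovalDate": removal.replace(tzinfo=None),
        "PayloadContent": [wifi],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    mst = timezone(timedelta(hours=-7))
    end = datetime(2030, 1, 15, 10, 50, tzinfo=mst)      # constructed class end
    with open("loaner.mobileconfig", "wb") as fh:
        fh.write(build_loaner_profile("Campus-Secure", ["radius.example.edu"], end))
```

The removal time is fixed when the profile is generated, so a fresh profile has to be produced and installed for each class period.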