Dynamic PSK vs Apple Configurator - ZD3000

  • 1
  • Question
  • Updated 3 years ago
Hi there,

I’m am involved with setup of a cart of iPads using Apple Configurator supervision. This is in a school situation, and the iPads are to be used by different students at different times of the day - they are not assigned to one user, and are regularly refreshed with Configurator. Our current site-wide wifi is run by a ZD3000 and uses Zero-IT and Dynamic PSK.

My questions is, what’s the best way to get these iPads on our wifi?

Dynamic PSK appears to be a problem. As far as I know, Configurator doesn’t have any easy method for pushing a unique PSK to each device. The usual method is to put one PSK in one configuration profile, and push that to all the connected devices. Because these devices are refreshed regularly, having to touch each device to configure anything is not an option.

Is there any way to have a static PSK on an SSID with Dynamic PSK enabled? Or is there any way to associate one PSK with multiple MAC addresses? Or is my only option to create another SSID with Dynamic PSK disabled?

Any suggestions would be appreciated.

Thanks,
Ben
Photo of Ben Mannell

Ben Mannell

  • 2 Posts
  • 0 Reply Likes

Posted 3 years ago

  • 1
Photo of Primož Marinšek

Primož Marinšek, AlphaDog

  • 413 Posts
  • 48 Reply Likes
Hi Ben

There is a very easy way to push a unique PSK to each device. That's the purpose of the Zero-IT and the Dynamic PSK options under the Configure :: WLAN settings. You can setup a "Guest WLAN" and under Configure :: Guest Access service enable the "Onboarding" checkbox in the selected profile, then make a dummy SSID like "Device-Onboarding" and choose the profile you created under the guest access menu. Then users will use that portal to generate a device-unique PSK.





But there isn't much sense in using DPSK and share that key with every device. That's why you have the static keys for. And the same DPSK is limited to 4 devices I think.

But you can, in addition to configuring a DPSK per device, use a captive portal for use authentication, so that each new user will have to authenticate with their credentials before using it.



Hope this helps
Photo of Ben Mannell

Ben Mannell

  • 2 Posts
  • 0 Reply Likes
Thanks for your detailed reply, Primož. Unfortunately it's not the answer I was hoping for. As far as I understand, you are saying simply to use the Zero-IT process to get a unique PSK to each device. I realise that would work, however I was hoping for a simpler user experience.

Each device is restored from a backup image, and loaded with a standard set of config profiles (including wifi settings), every time it is checked out to a new user (which is several times a day). This means each new user will have to go through the Zero-IT process, worst case scenario this will be up to 100 students a day. I was hoping to avoid this.

What I'm hoping for is the ability to push one PSK to all 20 iPads in the cart using Apple Configurator and have them connect to the same SSID as all other BYOD devices in the school which use Dynamic PSK. I'm assuming this is not possible.

Unless anyone else has any other suggestions, from here I think my best option is to setup a new SSID with dynamic PSK disabled.

Thanks,
Ben
Photo of Martin Kane

Martin Kane

  • 72 Posts
  • 7 Reply Likes
That is exactly what we do, Ben. School-owned devices use a WLAN separate from the BYOD devices. The WLAN used by the school-owned devices is a simple WLAN with one passcode pushed to the devices using Meraki (similar but not quite as good as Apple Config).

After restoring an iPad from backup, it's only necessary to www link to the meraki Config file (we use a guest network at that stage, but we are being overly complicated) and then the WiFi Config bundle is pushed to the iPad, giving the WLAN passcode to the school-owned devices.

Not enough DPSKs permitted on the ZD1100 for us to waste them on school-owned devices.

Cheers
Martin