Secure Mode

Configuring LanSchool Secure Mode

What is LanSchool Secure Mode?


LanSchool has two different optional security modes that can be enabled on installation called Password Secure Mode and Active Directory Secure Mode, and one or both may be selected. If the options are not properly installed, however, a Teacher will not be able to communicate on the desired channel and Student access will be unavailable. Each feature has different purposes and requirements, so be sure to read carefully to choose which feature(s) may be beneficial for your environment.

If LanSchool is installed using the LanSchool Connection Service (LCS) the same process of selecting each mode must be leveraged during the installation of the LCS. 

Password Secure Mode

This mode requires teachers to type in a password when the console is launched to see students on a particular channel. This feature adds an extra level of security to prevent unauthorized Teacher Consoles from being able to interact with student devices.

  1. Goal – stop unauthorized access of Teacher console from monitoring Students
  2. Risk – student gets a copy of Teacher installer and tries to monitor/control other Students
  3. Solution – student cannot use Teacher console without being a member of Active Directory group
  4. Requirements – Teacher AND Student must use Windows and be joined to Active Directory domain
  5. Feature Limitation – only works on Windows devices
Installation Steps:
  1. After double clicking on either the teacher.msi or student.msi file, continue through the install as previously described. To install the password protected version, check the box to Enable a security mode.
  2. Select Password Secure Mode.
  3. Type in a password and re-enter it to confirm.
  4. Repeat these steps for both Teacher or Student installations.


The password is required on the Teacher install so that if a teacher computer uses the “Become a Student” feature, it can still be secure.

When a teacher launches the console or changes channels, they will be prompted for a password to view the students on that particular channel or group of channels.

To install the password protected version on the Teacher or Student using a script or Active Directory, refer to the section above, “Scripting or Mass Deploying LanSchool 9.0 via MSI”.

In order to use .adm or .admx templates with the secure version of LanSchool, you must login to the customer portal search for "Encrypt AD Pass" and generate a key that will go in the password section of the .adm or .admx files.

In the event that only a Teacher or a Student, but not both, was installed with Password Secure mode, the Student will not be accessible by the Teacher. This will be indicated by a Security Locked Out icon on the Student thumbnail. You can verify if this is the case by checking the version number on the Students. 

The password that is configured for the LCS needs to match the password of the students, otherwise communication will not occur between the teacher and student systems.
If the teacher's password is compromised, it will be necessary to re-install both Teacher and Student computers with a new password. 

Version Identifiers

If you hover with your mouse over the icon in the Student system tray, it will show a version number something like: v9.0.6Ls, v9.0.2.6Sd, v9.0.6Sds

The lowercase letters are security identifiers, where “s” signifies Password Secure Mode, “d” signifies an Active Directory Secure Mode installation and “r” is appended to the version for Teacher and Student when connected through the LanSchool Connection Service.

The uppercase L and S are not actually security identifiers, rather they refer to the type of LanSchool install chosen. L is for the Light version and S indicates a Subscription license. The system is designed to lock out any devices that don’t match security models. The Students will need to be reinstalled with the correct security mode option(s) in order to correct the security lock out issue.

Active Directory Secure Mode

LanSchool 9.0 has the ability to leverage Windows Active Directory to ensure that only authorized teachers can control students. This mode adds an extra level of security to prevent unauthorized consoles from being used. This mode will only function in an Active Directory Domain environment and on Windows 2000 or newer systems. To fully configure this mode, you must have Domain Rights to create and populate a domain User Group.
  1. Goal – stop unauthorized access of Teacher console from monitoring Students
  2. Risk #1 – student gets a copy of Teacher installer and tries to monitor/control other Students
  3. Risk #2 – student gets access to Teacher machine with Teacher Console
  4. Solution – launching the Teacher Console will result in password prompt before connecting
  5. Requirements – same password needs to be set on installation of students machines and LCS, plus password needs to be shared with Teachers to connect after launching Teacher Console
  6. Feature Limitation #1 – because the same password must be shared to multiple teachers, the password may become compromised, which would result in changing the password for all Students and the LCS that use that specific password
  7. Feature Limitation #2 – after entering the correct password, the Teacher Console will not prompt again until it is closed and reopened so be mindful of unattended machines with Teacher Console running
  8. Recommendation – automatically lock machines after inactivity and train teachers to lock machines when unattended to further minimize limitation #2
  9. Optional – different sites or areas of students (e.g. different LCS servers) can use different passwords
Installation Steps:
  1. After double clicking on either the teacher.msi or student.msi file, continue through the install as previously described. To install the password protected version, check the box to Enable a security mode.
  2. Select Active Directory Secure Mode.
  3. Repeat these steps for both Teacher or Student computers


To install the Active Directory Secure mode on the Teacher or Student using a script or Active Directory, refer to the section, “Scripting or Mass Deploying LanSchool 9.0 via MSI”.

When in this mode, a teacher must be a member of the Domain User Group “LanSchool Teachers”. If the teacher is not a member of that group, then Active Directory Secure students will not interact with that teacher.

Creation of the “LanSchool Teachers” Domain User Group is done using the appropriate Windows Server 2003 or 2008 Active Directory tools. Once the group has been created, those same tools can be used to populate the group with the appropriate teachers.

While Password Secure Mode requires that both Students and Teachers are installed with this option, Active Directory Mode is a bit different. If the Student has Active Directory Secure Mode enabled, then it will be Security Locked Out to any Teacher who was not installed with the Active Directory Secure Mode enabled (or is not a member of the “LanSchool Teachers” group). The restriction does not go the other way. An Active Directory Secured Teacher (who is also a member of the “LanSchool Teachers” group) will be able to control Students who do not have AD Secure Mode Enabled, without any restrictions.
The system that is hosting the LCS needs to be a member of the domain and can see the LanSchool Teachers Group, otherwise communication will not occur between the teacher and student systems.
Active Directory Secure Mode is not available yet for Mac Teachers, Mac Students, Chromebooks, Android, or iOS and limited support when domain functional level is set to Windows 2000 mixed or Windows 2000 native mode.

    • Related Articles

    • Troubleshooting "Security Locked Out" Message

      The most common reason that the Security Locked Out icon is displayed on the student thumbnails is because of a mismatch in the Secure Mode option chosen during installation of the teacher, student and/or LanSchool Connection Server software. For ...
    • Deploying LanSchool Using Group Policy

      Overview  The LanSchool Group Policy deployment guide is designed to assist with some basic settings and deployment using Active Directory Group Policy settings.  Please note that our support team can only provide limited assistance with configuring ...
    • LanSchool Teacher Channel Assignment Using Group Policy

      Overview LanSchool provides an option to utilize a PowerShell script at teacher login to change the LanSchool Teacher channel to a unique channel from a CSV file. This is recommended for customers who are not using a LanSchool Connection Server or ...
    • Using the LanSchool Tech Console

      Installing the LanSchool Tech Console Go to the LanSchool product download location, select the TechConsole folder and double-click TechConsole.msi for Windows or lanschool_tech_console.dmg for Mac. Click Next. Read the license agreement that ...
    • Troubleshooting Student Thumbnail Status

      Thumbnail  Status The student's device is communicating with the Teacher Console. When viewing large or medium thumbnails, Student's Name and Computer Name display below the thumbnail. When using Class Lists, this means that the Teacher Console never ...
    • Popular Articles

    • Installing LanSchool Teacher for Windows

      Overview The following instructions will assist you with manually installing LanSchool Teacher on a single Windows teacher device. For information on installing the student client or mass deploying LanSchool throughout your organization, see Setting ...
    • Latest Release Notes

      LanSchool Classic Release Notes Customers with an active LanSchool subscription will have access to download the latest version from the LanSchool Customer Portal. For instructions, see Downloading LanSchool Installers. LanSchool Classic 9.1.0.42 ...
    • Limiting Application Use

      Overview Teachers can control the applications that are allowed to run on the student computers. The application limiting policy can stop ALL applications from running except for those specified in an "allow list" or can allow all application except ...
    • Limiting Website Use

      Overview Limit the websites that can be accessed by one or more student computers. The teacher can choose to restrict all web activity, allow only certain websites, or block only certain websites. This is often used to keep students focused or to ...
    • Configuring and Troubleshooting Wake on Lan

      Wake on Lan Configuration Your device manufacturer will be able to assist you with the Wake on Lan configuration.  That information is proprietary to the devices and is not provided by LanSchool. LanSchool utilizes Wake on Lan to power on the student ...
    • Recent Articles

    • LanSchool Teacher Channel Assignment Using Group Policy

      Overview LanSchool provides an option to utilize a PowerShell script at teacher login to change the LanSchool Teacher channel to a unique channel from a CSV file. This is recommended for customers who are not using a LanSchool Connection Server or ...
    • Logging On or Off Students Remotely

      Overview The LanSchool Teacher console has the ability to only log on wired and wireless Windows devices using Log On Students. The LanSchool Teacher console has the ability to log off wired and wireless Windows and Mac devices using Log Off Students ...
    • LanSchool Classic Video Tutorials

      For detailed information on how to use each feature of LanSchool Classic, visit the Using LanSchool Classic in the Classroom section of our Help Center. For quick, video demonstrations of each feature in action, visit our "LanSchool Classic Features" ...
    • Deploying LanSchool Using Group Policy

      Overview  The LanSchool Group Policy deployment guide is designed to assist with some basic settings and deployment using Active Directory Group Policy settings.  Please note that our support team can only provide limited assistance with configuring ...
    • Adding the LanSchool Teacher Console Shortcut to Desktop

      By default, the LanSchool Teacher Console will always be running the Windows system tray. To make it easier for teachers to launch, consider creating a shortcut for the LanSchool Teacher Console to place on the Desktop or pin to the Taskbar. Open the ...