At the physical layer, each netbook is password-protected and embedded with tracking software at the BIOS level of the machine.
That is administered through an enterprise services bus, which also connects the Remedy suite for asset management, Active Directory for authentication and Aruba's Airwave for wireless network management.
If a netbook were to be stolen or sold, the department can remotely disable it over the network. Even if the hard drive of the machine was swapped out or the operating system wiped, it would be useless to unauthorised users.
Already, it has noted the loss or damage of just six netbooks out of the 20,000 rolled out since August - and have tracked a teacher using their device on a field trip in New Zealand.
While there is a serial number and barcode on each computer, the department said that thieves or students might be able to remove them. To combat this, it is using passive RFID chips on every machine that will enable them to be identified "even if they were dropped in a bathtub".
Being passive, an RFID reader needs to be within close proximity of the device to read it. (Active RFID transmitted a signal back to base.)
The department used the AppLocker functionality within Windows 7 to dictate which applications are installed.
Web access on the netbooks is filtered according to a corporate security policy
(using McAfee's SmartFilter technology) plus an additional SOCKS
-based proxy client, which provides web filtering at the network layer.
The devices also use Microsoft's Forefront Antivirus technology.