There is an option in the wireless access control settings where you can enable group policies by device type. So for example, you can block Android phones from connecting to that specific SSID if you wanted to.
I will warn you that this can be problematic with Apple devices, as they occasionally have false positives where it thinks an Apple MacBook Pro is an iPhone and blocks it, which requires you to set the policy back to normal.
If you use EAP-TLS for the SSID for school-owned devices, then you wouldn't have to worry about AD credentials and false positives. BYOD devices simply won't be able to connect, as they won't have the certificate. However, certs can also be a hassle to deal with (at the start anyhow).
If your RADIUS is configured for AD credentials vs. machine authentication, then a teacher could use their AD credentials on their personal phone and connect. If you set it to machine authentication, then the computers that are in your AD would be the only ones that 'should' be able to connect.
Using a PSK for BYOD stuff turns into a monster after a while, especially if you're cycling the password every now and then. In reality it's really not going to be 'secure', in the sense that it would probably take little to no effort for someone on school grounds to obtain whatever the password is via social engineering, reading the paper taped to the wall that tells everyone what the password is, etc. This is something you'll need to decide, of course: how difficult/easy you want it to be for end users.
An easier solution for BYOD gear is to just create a guest SSID and leave it open. Lock it down, of course, so there is no L2 or L3 peer-to-peer communication. No LAN access. Strictly internet only. This makes it super easy for anyone to connect and you don't have to worry about it anymore.