The two-fleet refresh: device imaging and printer fleet management in Stanislaus County K-12

A Stanislaus County K-12 IT desk runs two fleets at once: the student 1:1 device fleet and the admin/office printer fleet. Districts that treat them as one project with one accountable team are the ones whose first day of school actually works.

Why a Stanislaus district IT desk is really two teams in one

It’s the third week of June 2026 and a director of technology at a Stanislaus County district is sitting on two checklists at once. The first is a Windows 11 imaging project for roughly 9,000 student Chromebooks and a couple thousand teacher laptops, because Microsoft ended support for Windows 10 on October 14, 2025 - eight months ago - and Extended Security Updates double in price every year for a maximum of three years¹. The second is a printer fleet that is overdue: a front-office copier that has been imaging the wrong color profile for two weeks, three workgroup printers in elementary sites with toner “very low” warnings, and a front-office team that cannot get bell schedules printed in time for fall open house.

These are not two separate problems. They are the same problem viewed from two sides of the same office. A district IT lead running Windows 11 Autopilot deploys in the morning, then after lunch is on the phone with the copier vendor about a fuser. Both have deadlines that hit the same week.

This is what we mean by “two fleets.” It is also the reason Datapath structures its school practice around both halves of the workload, not just the device half.²

What does summer 2026 actually cost us?

A reasonable question, and one a superintendent or CBO will ask in mid-June. Three numbers matter and they are all moving together:

• The OS gauntlet. Windows 10 EOS dropped on October 14, 2025³. Any district still shipping a Windows laptop to a student in August is now paying for ESU coverage, and that cost structure doubles per year for up to three years before it disappears entirely¹. Most Stanislaus districts chose to refresh rather than pay.
• The 1:1 baseline. CoSN’s 2026 State of Ed Tech survey (reported in May 2026) found that 84% of districts now permit 1:1 device policies for upper grades and 78% provide devices down to K-2⁴. That baseline is essentially a standing requirement: every August, you are imaging thousands of devices whether you planned the budget for it or not.
• The imaging funnel. A district our size in Stanislaus - call it a 13,000-student district - can plan on roughly 12,000 to 14,000 student-facing devices (laptops, Chromebooks, shared iPads in elementary) plus 600 to 1,200 staff devices, all needing to land in a building, be enrolled in MDM, and be assigned to a student account before bell schedule.

The summer 6-to-8-week window is the only safe capacity. Districts that start the imaging run in late July fail the August open house.

Imaging tools: Autopilot, Apple School Manager, or a vendor?

For Windows fleets, the lowest-friction path today is Microsoft Intune plus Windows Autopilot: ship the device from the vendor with a hardware hash pre-loaded, the laptop boots out of the box, joins Entra ID, and enrolls in Intune with the right district policy applied at first sign-in⁵. For K-12 scale, this is the same pattern Fresno Unified leaned on for a 120,000-device Windows 11 deployment in 2025⁵.

For Apple devices, Apple School Manager gives the equivalent zero-touch path: Managed Apple IDs are created automatically, devices purchased from an Apple-authorized reseller arrive pre-enrolled in MDM, and the device lands with no IT touch at all⁶. Apple School Manager also integrates with Google Workspace, Microsoft Entra ID, and Student Information Systems (Aeries, PowerSchool, Infinite Campus), which is why the SIS-driven account provisioning piece works even when classes change in the first two weeks of school⁶.

A useful internal rule:

• If teachers run on Windows (Office, Teams, district SIS apps) - Autopilot + Intune.
• If teachers run on Mac and classrooms use iPad - Apple School Manager, MDM, Shared iPad.
• If you have both - run a single MDM-backed program and stop trying to standardize the student-facing hardware. The teachers already voted.

There is a third option: a deployment vendor that ships devices pre-imaged and pre-tagged. This is the right move when the district IT team is two people and the refresh is 8,000 devices. The friction is that you are now dependent on the vendor for any policy change - so make the vendor relationship a long one, with the district holding the Apple Business / Education portal or the Microsoft CSP enrollment, not handing over admin rights.

Where does FERPA risk actually hide in the printer fleet?

Most of the FERPA conversation in K-12 lands on the device side, but the printer fleet is where the small, recurring leaks happen. Two specific cases we have seen in California K-12:

• The shared front-office tray. A grade printout, an IEP progress note, or a discipline incident report sits in the output tray of a copier used by anyone walking through the front office. FERPA (34 CFR Part 99) treats that as an unauthorized disclosure risk if the record is identifiable to a single student⁷. The fix is straightforward - secure print release with PIN or badge at the device - but only if the printer fleet supports it.
• The student-account-driven queue. When you provision a student account with printing rights tied to that account, the print job carries the student name through the queue and into the device logs. This is fine in principle, but if the printer logs are stored on a vendor cloud and the vendor’s data-handling does not align with California’s Student Online Personal Information Protection Act (SOPIPA, SB-1177), you have a contract gap⁸.

CIPA sits on top of the device side of the same problem: any district receiving E-Rate discounts must operate “an Internet safety policy” that includes technology protection measures on internet access - which is why a Chromebook in a Stanislaus classroom has web filtering turned on before it ever reaches a student⁹. The printer fleet is the place many IT leads under-protect on purpose, because print feels “old,” but it carries identifiable student data more often than the Chromebook does.

Stanislaus by district size: one play does not fit all

The five districts we routinely work with in Stanislaus range from small single-school districts to the largest combined district on the county line. The table below is the rough shape as of mid-2026 - the kinds of fleet sizes that drive whether you need one imaging tech or a four-person summer team:

District (Stanislaus County)	Approx. students	Student 1:1 fleet (est.)	Admin/staff fleet	Printer/copier fleet	Summer staffing shape
Modesto City Schools (Elem + High)	~30,000 combined	~28k Chromebooks / laptops	~1,800 staff	~120 MFPs, ~350 desktop printers	Dedicated 6-8 person summer team, partner-led
Turlock Unified	~13,376	~13k devices	~800 staff	~55 MFPs, ~150 desktop	3-person IT + Datapath partner for imaging surge
Ceres Unified	~14,000	~13k devices	~700 staff	~50 MFPs, ~140 desktop	2-person district IT + partner
Sylvan Union	~9,000	~8.5k devices	~450 staff	~35 MFPs, ~110 desktop	1-2 person IT + heavy partner engagement
Smaller unified districts (Hughson, Denair, Riverbank, etc.)	1,500-5,500 each	1,500-5,000 devices each	80-300 staff	8-30 MFPs each	1-person solo, partner-as-team

What the table really says: there is no such thing as a “Stanislaus school district IT playbook.” A 1,500-student district and a 30,000-student district both need to image every device every summer; only one of them can afford three staff on the project.

What “good” looks like: a 10-point checklist

This is the readiness checklist we run with our Stanislaus K-12 clients in late June. The order matters because each row builds on the previous one:

• Inventory lock. Every student-facing device has a serial number in the asset system, tied to a school site and (where the asset allows) a student ID badge - which FERPA allows because a student ID is directory information by default¹⁰.
• Vendor purchase order is in the district name, not a partner’s. Apple Business Manager / Apple School Manager or Microsoft CSP enrollment is owned by the district⁶.
• Imaging profile is signed off by Curriculum AND IT. Both. Always. If only IT signs off, the apps are wrong; if only Curriculum signs off, the security policy is wrong.
• MDM scope. Every student device is enrolled in MDM before it leaves the imaging bench. No exception.
• Content filtering bound to CIPA. Web filter policy is bound to the device record before the student opens the lid, not on day five when the CIPA audit asks⁹.
• Printer fleet audit in the same 60 days. Toner SKUs re-ordered, MFP firmware current, secure print release enabled on every shared device, fax lines decommissioned⁷.
• Secure print release tested by an admin user, not just IT. If the registrar cannot use it, the rollout has failed even though the technology works.
• Vendor data-handling reviewed under SOPIPA. Any print management vendor or MDM vendor handling student identifiable data has a contract clause matching SOPIPA’s prohibitions - no ad targeting, no sale, no profiling⁸.
• Bell schedule, ISP calendar, and lunch program PDFs are pre-printed for open house. The first-day-of-school test is whether the front office can copy a packet, not whether a student can log in.
• A real person from a named team is on call by cell phone the night before the first bell. Not a ticket queue. A name.

Where Datapath fits in this picture

Datapath is a managed IT and cybersecurity firm headquartered in Modesto with an office in Irvine, serving K-12 school districts and the wider public sector across the Central Valley and Central Ohio. Our K-12 practice is built around the belief that two fleets in one district should be two named teams in one delivery plan - not one junior IT tech trying to do a four-person summer’s worth of work in eight weeks.

If your Stanislaus district is staring at a July where the imaging bench and the printer fleet both need attention at once, a 30-minute conversation with our Modesto office tends to be the fastest way to find out whether the OS refresh, the MDM migration, or the print fleet audit should run first. We are particularly useful in the middle of the two-fleet problem - the place a generic “managed IT” vendor is uncomfortable, because it requires specific K-12, SOPIPA, and CIPA judgment, not just server uptime.

Start with our managed IT services page, or jump straight to the Modesto team. If you want to read how we approach regulated-industry work more broadly (the same posture we use on CJIS for county sheriffs we serve), our cybersecurity practice page lays it out. And if you’d rather see one of our operational plays spelled out in print, our blog writeup on end-of-life device refresh is the closest companion to this article. A short call beats another checklist - so let’s talk.

---

Footnotes

1. Orchestrating a Smooth Move to Windows 11 ↩ ↩²

2. sopipa - California Legislative Information - CA.gov ↩

3. FERPA - Protecting Student Privacy - Department of Education ↩

4. Protecting Student Privacy ↩

5. Vestavia Hills City Schools - Laws, Rules, Standards ↩ ↩²

6. Children’s Internet Protection Act (CIPA) ↩ ↩² ↩³

7. K–12 Education - Deploy and Manage ↩ ↩²

8. Digital Forensics for K12 : r/k12sysadmin ↩ ↩²

9. Frequently Asked Questions ↩ ↩²

10. Laptop deployment in K-12 - IT & Tech Careers ↩