diff --git a/lmn-client.yml b/lmn-client.yml
index 0b1d4e1..cf0e23c 100644
--- a/lmn-client.yml
+++ b/lmn-client.yml
@@ -87,6 +87,8 @@
     - lmn_security
     - role: lmn_localhome
       when: when: groups.localhome is defined and inventory_hostname in groups.localhome
+    - role: lmn_teacherlaptop
+      when: groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop
     - role: lmn_networkd
       when: ansible_interfaces | select('search', 'enp2s.+') | first is defined
diff --git a/roles/lmn_fvs/files/policies.json b/roles/lmn_fvs/files/policies.json
index 08797b5..5b6edc0 100644
--- a/roles/lmn_fvs/files/policies.json
+++ b/roles/lmn_fvs/files/policies.json
@@ -1,7 +1,7 @@
 {
   "policies": {
     "Proxy": {
-      "Mode": "system"
+      "Mode": "autoDetect"
     },
     "OverrideFirstRunPage": "https://www.steinbeisschule-reutlingen.de",
     "Homepage": {
diff --git a/roles/lmn_fvs/tasks/main.yml b/roles/lmn_fvs/tasks/main.yml
index 21f4c7b..08284ef 100644
--- a/roles/lmn_fvs/tasks/main.yml
+++ b/roles/lmn_fvs/tasks/main.yml
@@ -90,6 +90,7 @@
       - plasma-discover
     autoremove: true
     state: absent
+  when: not (groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop)
 
 - name: Make sure wireshark works for all users after installation and upgrades
   ansible.builtin.copy:
diff --git a/roles/lmn_network/tasks/main.yml b/roles/lmn_network/tasks/main.yml
index 0c7176a..94187d1 100644
--- a/roles/lmn_network/tasks/main.yml
+++ b/roles/lmn_network/tasks/main.yml
@@ -7,6 +7,15 @@
       https_proxy="{{ proxy }}"
       ftp_proxy="{{ proxy }}"
       no_proxy="{{ no_proxy }}"
+  when: not (groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop)
+
+- name: Set chromium proxy-policy to auto_detect
+  copy:
+    dest: /etc/chromium/policies/managed/proxy.json
+    content: |
+      {
+        "ProxyMode": "auto_detect"
+      }
 
 - name: Set aptcache
   ansible.builtin.copy:
diff --git a/roles/lmn_networkd/tasks/main.yml b/roles/lmn_networkd/tasks/main.yml
index 31e9742..cc5c54a 100644
--- a/roles/lmn_networkd/tasks/main.yml
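Review bot: The added `when:` repeats the `groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop` expression that this commit also pastes into roles/lmn_fvs, roles/lmn_network and roles/lmn_networkd (there in negated form); one spelling that cannot drift would be `when: "'teacherlaptop' in group_names"` in the playbook and `when: "'teacherlaptop' not in group_names"` in the roles. Unrelated to the new lines, the context line directly above reads `when: when: groups.localhome …`, which looks like a duplicated key that would not parse; worth confirming it is not an artifact of how the diff was rendered.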
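Review bot: `"Mode": "autoDetect"` switches Firefox to WPAD proxy discovery, and because policies.json carries no group condition it now applies to every host running the lmn_fvs role, not only to the teacher laptops this commit introduces; the Chromium task added in roles/lmn_network/tasks/main.yml (`"ProxyMode": "auto_detect"`) has the same effect. WPAD trusts whatever DHCP and DNS answer on the current network, so a laptop on a foreign network may be handed a proxy it should not use; for fixed clients `"system"` was the more conservative setting, and for roaming devices `"autoConfig"` with an explicit `AutoConfigURL` bounds the discovery to a known PAC file. If auto-detection on all hosts is intended, a sentence in the role's README saying so would keep the next reader from reverting it.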
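Review bot: The new `Set chromium proxy-policy to auto_detect` task has no `when:` while the proxy task directly above it is now skipped for teacher laptops, so every host gets the auto-detect policy; if it is meant only for laptops it needs `when: groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop`, otherwise a comment stating that all hosts auto-detect would help. It also uses the short `copy:` where the rest of this file uses `ansible.builtin.copy:`, and sets no ownership or mode; a managed policy file should be root-owned and not writable by users, so add `owner: root`, `group: root`, `mode: "0644"`. The proxy task that receives the added `when:` starts above the hunk.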
+++ b/roles/lmn_networkd/tasks/main.yml
@@ -1,6 +1,20 @@
 ---
 # temporary disable network manager
-- name: Use iwd but ignore interfaces managed by systemd-networkd (wlan0,en*)
+- name: Use iwd but ignore interfaces managed by systemd-networkd (en*)
+  blockinfile:
+    dest: /etc/NetworkManager/NetworkManager.conf
+    block: |
+      [device]
+      match-device=interface-name:wl*
+      wifi.backend=iwd
+      [connection]
+      match-device=interface-name:wl*
+      ipv4.route-metric=2048
+      [keyfile]
+      unmanaged-devices=interface-name:en*;interface-name:vm*
+  when: groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop
+
+- name: Use iwd for USB-Wlan-Sticks but ignore interfaces managed by systemd-networkd (wlan0,en*)
   blockinfile:
     dest: /etc/NetworkManager/NetworkManager.conf
     block: |
@@ -12,6 +26,7 @@
       ipv4.route-metric=2048
       [keyfile]
       unmanaged-devices=interface-name:wlan0;interface-name:en*;interface-name:vm*
+  when: not (groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop)
 
 - name: Enable Networkmanager
   ansible.builtin.systemd:
@@ -36,6 +51,16 @@
     line: "MACAddress={{ ansible_facts[ansible_interfaces | select('search', '^en.*') | first].macaddress }}"
   when: ansible_interfaces | select('search', '^en.*')
 
+- name: Configure systemd-networkd ethernet.network
+  ansible.builtin.copy:
+    dest: /etc/systemd/network/35-ethernet.network
+    content: |
+      [Match]
+      Name=enx{{ ansible_facts[ansible_interfaces | select('search', '^enp.*') | first].macaddress | replace(':','') }}
+      [Network]
+      Bridge=virbr1
+  when: groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop
+
 - name: Configure systemd-networkd ethernet.network
   ansible.builtin.copy:
     dest: /etc/systemd/network/40-ethernet.network
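Review bot: The teacher-laptop `blockinfile` task and the existing one both write the same default marker block into /etc/NetworkManager/NetworkManager.conf under complementary `when:` conditions (the negated one is added in the `@@ -12,6 +26,7 @@` hunk), and from the visible lines they appear to differ only in the task name and the `unmanaged-devices=` line; the middle of the existing block lies outside the hunk, so confirm that before merging them into one task with the list templated, e.g. `unmanaged-devices=interface-name:{{ 'en*' if inventory_hostname in groups.teacherlaptop | default([]) else 'wlan0;interface-name:en*' }};interface-name:vm*`. Neither task visibly notifies a handler to restart NetworkManager after the configuration changes; if that is handled outside the hunk, ignore this.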
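Review bot: The new task carries the same `name: Configure systemd-networkd ethernet.network` as the existing task that follows it, so play output and `--start-at-task` cannot tell them apart; name it e.g. `Configure systemd-networkd 35-ethernet.network (teacher laptop bridge)`. Its `[Match]` line applies `| first` to `ansible_interfaces | select('search', '^enp.*')`, which raises on a laptop without an `enp*` interface, while the preceding task at least tries to guard with `when: ansible_interfaces | select('search', '^en.*')`; extend the new condition to `when: groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop and ansible_interfaces | select('search', '^enp.*') | list | length > 0` (a bare `select` result is a generator and is truthy even when empty, so the existing guard is worth the same `| list | length > 0` treatment). The `Name=enx…` match presumes the interface is renamed to its MAC-based name, presumably by the `.link` entry edited just above; confirm, because an interface still called `enp2s0` would never match this file.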
@@ -88,3 +113,9 @@
       DHCP=yes
       [DHCPv4]
       UseDomains=true
+  when: not (groups.teacherlaptop is defined and inventory_hostname in groups.teacherlaptop)
+
+- name: Enable systemd-networkd
+  ansible.builtin.systemd:
+    name: systemd-networkd.service
+    enabled: True
diff --git a/roles/lmn_teacherlaptop/files/lmn-networkmanager.rules b/roles/lmn_teacherlaptop/files/lmn-networkmanager.rules
new file mode 100644
index 0000000..f369d6f
--- /dev/null
+++ b/roles/lmn_teacherlaptop/files/lmn-networkmanager.rules
@@ -0,0 +1,6 @@
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
+        subject.isInGroup("role-teacher")) {
+        return polkit.Result.YES;
+    }
+});
diff --git a/roles/lmn_teacherlaptop/files/lmn-packagekit.rules b/roles/lmn_teacherlaptop/files/lmn-packagekit.rules
new file mode 100644
index 0000000..49cad6a
--- /dev/null
+++ b/roles/lmn_teacherlaptop/files/lmn-packagekit.rules
@@ -0,0 +1,9 @@
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.packagekit.package-install" ||
+         action.id == "org.freedesktop.packagekit.package-reinstall" ||
+         action.id == "org.freedesktop.packagekit.system-update" ||
+         action.id == "org.freedesktop.packagekit.upgrade-system") &&
+        subject.isInGroup("role-teacher")) {
+        return polkit.Result.YES;
+    }
+});
diff --git a/roles/lmn_teacherlaptop/files/mountserver b/roles/lmn_teacherlaptop/files/mountserver
new file mode 100644
index 0000000..6c7c9a2
--- /dev/null
+++ b/roles/lmn_teacherlaptop/files/mountserver
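Review bot: `enabled: True` in the new `Enable systemd-networkd` task uses a capitalised YAML 1.1 boolean; write `enabled: true` to match the lowercase booleans used elsewhere in this commit (`autoremove: true`) and keep yamllint's `truthy` rule quiet. The task only enables the unit and does not start it, so the bridge configuration written above takes effect at the next boot; if it is meant to apply immediately, add `state: started` or notify a restart handler. The `when:` added at the top of this hunk belongs to the `40-ethernet.network` task, which starts above the hunk.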
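Review bot: The rule grants `org.freedesktop.NetworkManager.settings.modify.system` on group membership alone, so it also applies to role-teacher sessions that are neither local nor active (an SSH login, a backgrounded session); the usual polkit idiom is `subject.isInGroup("role-teacher") && subject.local && subject.active`, and the same applies to lmn-packagekit.rules. Files in /etc/polkit-1/rules.d are processed in lexical order and the first rule returning a result wins, so a numeric prefix such as `49-lmn-networkmanager.rules` would make the precedence relative to distribution rules explicit rather than accidental (the loop in roles/lmn_teacherlaptop/tasks/main.yml would need the same rename).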
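Review bot: Allowing `package-install`, `package-reinstall`, `system-update` and `upgrade-system` without authentication lets any role-teacher member install arbitrary packages through PackageKit, which is root-equivalent on a Debian-style system since maintainer scripts run as root; together with the `NOPASSWD: /usr/bin/apt` sudoers line in roles/lmn_teacherlaptop/tasks/main.yml this is clearly the intended trust level for teacher laptops, so it should be stated rather than left implicit. Add a header comment such as `// Deployed only by the lmn_teacherlaptop role: role-teacher is trusted with package management here, which is root-equivalent.` so the scope is visible to whoever copies the file into another role. As with lmn-networkmanager.rules, `subject.local && subject.active` would limit the grant to interactive local sessions.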
@@ -0,0 +1,26 @@
+#!/usr/bin/bash
+set -eu
+
+exit_script() {
+    echo "unmounting media - terminated by trap!" >> "/tmp/${SUDO_UID}-exit-mount.log"
+    findmnt "/lmn/media/${SUDO_USER}/share" && umount "/lmn/media/${SUDO_USER}/share"
+    findmnt "/srv/samba/schools/default-school" && umount "/srv/samba/schools/default-school"
+    trap - SIGHUP SIGINT SIGTERM # clear the trap
+    kill -- -$$ # Sends SIGTERM to child/sub processes
+}
+
+findmnt /srv/samba/schools/default-school > /dev/null && exit 0
+
+umask 0002
+mkdir -p /srv/samba/schools/default-school
+chmod 777 /srv/samba/schools/default-school
+mkdir -p "/lmn/media/${SUDO_USER}/share"
+
+mount -t cifs //server/default-school/ /srv/samba/schools/default-school \
+    -o "sec=krb5i,cruid=${SUDO_UID},user=${SUDO_USER},uid=${SUDO_UID},gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks,nobrl,actimeo=600,cache=loose,echo_interval=10"
+mount --bind /srv/samba/schools/default-school/share "/lmn/media/${SUDO_USER}/share"
+
+echo "Einbindung erfolgreich!"
+echo "Dieses Fenster bitte nicht schließen!"
+trap exit_script SIGHUP SIGINT SIGTERM
+sleep infinity
diff --git a/roles/lmn_teacherlaptop/tasks/main.yml b/roles/lmn_teacherlaptop/tasks/main.yml
new file mode 100644
index 0000000..a39cc58
--- /dev/null
+++ b/roles/lmn_teacherlaptop/tasks/main.yml
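Review bot: `trap exit_script SIGHUP SIGINT SIGTERM` is installed only after both `mount` calls, so a SIGINT arriving during the mount sequence, or a failed bind mount aborting the script under `set -e`, leaves the CIFS share mounted with nothing to unmount it, and the `findmnt … && exit 0` guard then skips the bind mount on every later run; move the `trap` line ahead of the first `mount` (exit_script already checks with `findmnt` before each `umount`), or trap `EXIT` as well. The log is appended as root to the predictable path `/tmp/${SUDO_UID}-exit-mount.log`, the classic symlink-in-/tmp pattern that `fs.protected_symlinks` only partly mitigates; prefer a root-owned directory under `/run/` or `logger -t mountserver`. `chmod 777` on the mount point is wider than needed given the share is mounted with `gid=1010,dir_mode=0770`; `chmod 0775` plus `chgrp 1010` keeps the same group access without leaving a world-writable directory while unmounted. Since this runs via `sudo` on laptops that roam, consider adding `seal` to the `-o` options so SMB3 encryption is requested in addition to the `krb5i` signing, if the server supports it.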
@@ -0,0 +1,26 @@
+---
+- name: Copy polkit rule to allow install packages by role-teacher
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /etc/polkit-1/rules.d/
+    mode: "0644"
+  loop:
+    - lmn-packagekit.rules
+    - lmn-networkmanager.rules
+
+- name: Copy mountserver script to /usr/local/bin
+  ansible.builtin.copy:
+    src: mountserver
+    dest: /usr/local/bin/
+    mode: "0755"
+
+- name: Deploy sudo configurations (apt for role-teacher)
+  copy:
+    dest: /etc/sudoers.d/90-lmn-teacherlaptop
+    owner: root
+    group: root
+    mode: '0700'
+    content: |
+      %role-teacher ALL=(root) NOPASSWD: /usr/bin/apt
+      %role-teacher ALL=(root) NOPASSWD: /usr/sbin/cryptsetup
+      %role-teacher ALL=(root) NOPASSWD: /usr/local/bin/mountserver
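Review bot: `mode: '0700'` on `/etc/sudoers.d/90-lmn-teacherlaptop` is not what sudo expects for a sudoers fragment: sudo compares the mode against `sudoers_mode` (0440 by default) and reports `is mode 0700, should be 0440`, and depending on the sudo version the fragment is then skipped, so the NOPASSWD rules may silently not apply; use `mode: "0440"` and add `validate: /usr/sbin/visudo -cf %s` so a syntax error in the content cannot break sudo for the whole host. That task also uses the short `copy:` where the two tasks above use `ansible.builtin.copy:`, and the first task's name mentions only the package rule although its loop also installs lmn-networkmanager.rules. Unrestricted `NOPASSWD` for `/usr/bin/apt` and `/usr/sbin/cryptsetup` is root-equivalent for every role-teacher member; that matches the PackageKit polkit rule added in the same commit, but a comment line at the top of the `content:` block stating that this file is deliberately root-equivalent and deployed only to the teacherlaptop group would document the decision for the next maintainer.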