Coming Soon: The Google Classroom

Comments: Comments Off
Published on: May 7, 2014

Google yesterday announced their new Classroom product, a free learning management system for Google Apps schools. I think this is a natural evolution for what they’re trying to accomplish with GAFE, and I look forward to learning more about it.

I’ve tinkered with Promevo’s gScholar and looked at the Hapara LMS, and it seems Google is finally bringing the same functionality in natively. I imagine there will be premium features with the third-party LMS software which isn’t available in Classroom, but it may be Classroom is enough for most schools to get rolling.

I’ve signed up to be part of the preview. With luck I’ll be able to get some hands-on information soon.

Filter Connections, Not Devices

Tags: ,
Comments: Comments Off
Published on: April 25, 2013

When we go 1:1, I have no intention of putting filtering software on student devices.

Shocking, I know. I can hear your collective gasps and the skips in your heartbeats from here. I’ve been told this is everything from crazy to stupid to liberal. I counter with filtering every device is a poor method of playing CYA, satisfying only district lawyers while putting an additional burden on technology staff, on staff and students who follow the rules, and on district budgets.

If we measure a content filter’s effectiveness as being able to block objectionable content without preventing access to legitimate sources, then there’s not a single one on the market nearing the 100% effective mark. If the tech staff leaves things too loose, the filter may as well not be there. If the filter is tuned too tight, then students are blocked from research material. In my opinion, we need to have something in place to cut down on pornography and blatant obscenity, and I also enforce Google Safe Search to cut down on accidental exposure in searches.

Notice the use of “cut down on” in that last sentence. We can limit access, but total prevention is a myth. Yet if we tell our parents their child’s device is filtered, they’re going to expect it to be 100% effective. The first time little Johnny stumbles across something objectionable, we’re going to hear about it.

The next problem is the definition of “objectionable.” Where do we draw the line? I’ve had teachers report students looking at objectionable material, only to find a student was browsing a celebrity gossip site with tame (in my opinion) photos of actresses in bikinis on a beach. The student would see the same thing on the covers of the magazines in the checkout line at Walmart. Blocking hardcore pornography is obvious, but expanding into glamour shots, pinups, and fashion photography starts bringing in broad ranges of materials and interpretations.

And that’s just photos and videos. We haven’t gotten to music yet, or to literature, or worse yet, to ideology. Before you tell me it won’t happen, or doesn’t happen, go have a chat with your librarian about parents and social groups insisting certain books be removed from the library.

If we receive federal funding, we must comply with CIPA. The smartest part of CIPA? Not telling us what needs to be blocked. If that’s a can of worms the government refuses to open, then why should we pick up the can opener? We have a filter in place. Done. If we filter our connection, we are compliant.

At this point we’ve covered configuration: what to block. Now let’s move on to the practical side, how to block. First, there are few filters that can’t be circumvented, whether through defeating the software on the device or by using an outside source, such as a proxy connection or website, to get around the filter. In the case of a lockdown browser, a determined student will turn to an app. Or worst case, they’ll start hacking the device. If we’re not going to give the students some flexibility and ownership of their device, they’re not going to use it.

Now, instead of troubleshooting one connection, the tech staff is faced with troubleshooting hundreds—if not thousands—of devices. It’s just not worth the hassle. We are better off focusing that time on professional development and digital citizenship than we are chasing moving targets and reloading stacks of jailbroken devices.

Finally, let’s discuss cost. The most effective filters also cost quite a bit of money, often requiring per-student subscription fees. This raises the cost of entry into a 1:1 considerably, and obviously I question the value. The open source filter on my connection is just as effective and it doesn’t annihilate my ever-shrinking, rural Illinois budget. I can not in good conscience let a major education initiative die in my district because we can’t afford to make sure a child won’t accidentally stumble across a nude photo at home.

Will this raise questions and concerns from parents? Absolutely, and I’m prepared to handle them. Might it affect policy? Probably, and I’m prepared to tackle that, too. I prefer both of these scenarios to wasting my time battling others’ demons.

Securing User Data

Comments: Comments Off
Published on: April 18, 2013

The webcomic XKCD posted a one-panel strip that serves as a good lesson to our users, and a good reminder for administrators:

XKCD: Authorization


When tech directors and school admins talk about securing a laptop (or desktop, iPad, etc.), we tend to think about securing the laptop itself against misuse and mischief. We want to make sure the user can’t accidentally download a virus, mess around with other users’ settings or files, install unauthorized software, or disable hardware or features. For the most part, we think of it as a matter of our own convenience: preventing vandalism and tampering results in less downtime for the machine and, to be honest, less hassle for us.

But what about securing the user’s own data?

We send teachers and/or students home with laptops and make sure they can’t cause too much trouble, but how often do we give them advice on keeping their data safe should they lose the machine or allow someone else to use it? And when I say advice, is there training for the how and why, or is it just a list of rules they can ignore? As the XKCD illustration shows, it’s very possible a user is logged in to multiple services on their laptop, and in many cases all the thief has to do is open the lid to gain access.

Consider the following list of security measures. This is not necessarily an exhaustive list, just something off the top of my head:

  • Password-protected screen saver or lock screen (with strong password)
  • Encrypted home directory
  • Two-factor authentication (where available)
  • Logging out of critical services (credit cards, PayPal, etc.)
  • Not allowing the browser to store passwords or personal information
  • Remote block/signout of services (where available)
  • Account/password recovery email and phone numbers are current
  • Knowing all of your own passwords, or at least having them available! Also…
  • …Secure ways of creating and safeguarding passwords (i.e., no printouts or Post-Its)
  • Backup, backup, backup!

Now ask yourself, how many of these do you practice? How many are you even aware of? If you are a user, are you trained in any of these? If you are a tech leader, are you training your users in any of these? Do your students have any idea what they are, and how they might protect data?

I’m thinking now I might have some ideas for future professional development sessions, or at least information for technology newsletters.

Apple VPP’s Flaming Hoops

Comments: Comments Off
Published on: October 31, 2012

One thing I have zero patience for in technology is having to take extra steps for no reason at all beyond a developer somewhere lacking the discipline to solve a problem. I can sometimes let this slide in a beta product from a one-man, Open Source operation, but when it comes from a company like Apple, it just kills me.

In the big scheme of things, Apple’s Volume Purchase Plan is not as bad as some make it out to be. While breaking volume app purchasing process into several different components—the purchaser, the facilitator, and the user—seems cumbersome at first, it offers a lot of flexibility for a larger school or organization.

I even understand treating Apps as consumables. Sure, it’s easy to blame Apple greed for insisting companies and schools purchase several copies of apps every year. But keep in mind, the developers still get the lion’s share of the profits. If I’m a developer I’d be all over developing apps specifically for schools to purchase over and over and over.

No, these particular hoops comes into play when distributing apps via Apple Configurator.

Flaming Hoop Jump
“Just one more of these and Keynote will be on all the iPads!”

The basic process goes like this:

  1. Download spreadsheet of purchased codes
  2. Redeem one code to download the app in iTunes (ensuring you use the iTunes account for the devices in question!)
  3. Transfer the app to Apple Configurator
  4. Re-download the spreadsheet of purchased codes
  5. Import the spreadsheet of purchased codes into Configurator
  6. Install the app

My beefs are with both 2 and 4.

Step 2 is an example of where the whole Apple ID structure cripples things for deployments. This would be a non-issue if I could use Apple Configurator to download the app, but instead I have to use iTunes, and I have to sign out and sign in with different iTunes accounts to keep everything straight. While I’m sure Apple would love it if I purchased a Mac Mini or a MacBook to manage every group of iPads, that’s just not going to happen. Even if we had the money to burn, I’m not sure the expense makes sense just for the sake of convenience. With this single instance of Apple Configurator, I maintain three separate sets of iPads for three different buildings.

Apple: If we have a separate portal for purchasing hardware and apps, then why not just give us a whole separate portal for app management? Why push us to third-party MDM suites and drive up our costs for products we can already hardly afford?

Step 4 is just plain stupid. Re-download the spreadsheet to fool the app? That sounds like a hack someone discovered, not part of an official howto document. While Googling for this solution myself, I ran into a number of users on message boards with the same problem. The day after I figured it out, one of my colleagues in downstate Illinois ran into it, too.

I hear a lot of people say Apple “forced iPads down our throats” without it being ready. I’m not sure that’s entirely accurate, as I think it’s as much educators putting a high demand on iPads, and they may be asking iPads to do more than originally anticipated. And yes, there are large deployments out there dealing with this very same thing.

But that doesn’t change the fact that this is just a half-baked process at best. It’s only going to add to the confusion my teachers already experience. With all the talent at Apple, and all the effort going into iOS development in general, I find it hard to believe this is the best solution they could find (especially after my preliminary experiments with Amazon’s WhisperCast, which I’ll talk more about tomorrow).

Apple Configurator is a good start. Now make it the next-level management package it should be.

It Should Not Be This Difficult

Categories: The Server Room
Comments: Comments Off
Published on: July 19, 2012

My summer has been going very smooth.

Then my Windows gear showed up.

Look, I fully support the business teacher’s decision to stick with PCs in her lab. She is more comfortable teaching MS Office, and the students should get some exposure to Windows and Office. However, just setting up the new server and PC laptops has been an exercise in frustration.

First, apparently vendors can’t just give us license keys anymore. I had to call an 800 number and work through a communications barrier to retrieve the license key for Office 2010. She took down basic information: my name, my company, my license/enrollment information, my product name, and my email address. Then she just emailed me a license key.

Why could I not just punch this information into a website and have it spit the information back at me? It would have been a lot faster and easier.

Then after I punched in the code, Office 2010 refused to activate. It would only tell me “be sure you are connected to the Internet.” Of course, I was. Surfing in any browser worked like a champ. I could ping out to various locations just fine. I even made sure the content filter wasn’t blocking me, and I tried again. No dice.

I clicked activate by phone, and was presented with this screen:

Eat a Dick, Microsoft
They’ve got to be kidding.

This time it was all automated, and I had to type in this 54-digit code. I typed it in because apparently the voice prompt doesn’t understand plain English any better than the Asian woman on the Office activation line. I entered the 48-digit response code it recited, then tried to get it to read it back to me, but it never did figure it out. After three rounds of my saying “continue” and it responding “I’m sorry, I didn’t catch that” I started heaping abuse upon it in the hope someone will listen to the recorded alleged conversation.

At first, Office didn’t activate. I closed it, restarted the program, and voilá, it was happy.

Then on to my new server. This time I logged on to their volume licensing website (which, for some reason, I could not use for Office) and was presented with a long list of licenses. I bought one copy of Windows 2008 Server, but it gave me keys for two pages’ worth of versions and service packs. I tried one key, the server rejected it. Tried another key, and fortunately that one took.

It should not be like this. I don’t juggle these problems on the Apple side, not even on the servers. Apple’s access keys come with a nice sticker I can attach to my equipment so it doesn’t get lost when I reinstall. Even using the App Store for OS X 10.7 going forward will be faster and easier than Microsoft’s licensing mess.

Get it together, Microsoft. This is a step back, and only reinforces the perception that working with Microsoft is all pain and frustration. This is exactly what chased me to Linux years ago, and now to Apple, and it’s exactly what is making many of my colleagues consider the same move.

Profile Manager to the Rescue

Categories: The Server Room
Comments: Comments Off
Published on: June 9, 2011

I’ve talked a few times about what I’d like to see Google accomplish with device management from Google Apps, and it appears Apple has beat them to the punch. The following is the advertised Profile Manager features for Lion Server:

Profile Manager offers you simple yet powerful ways to set up and remotely manage computers running Lion and iOS devices such as iPad and iPhone. It also simplifies the creation of user accounts for mail, calendar, contacts, and chat; enforcement of restrictions; PIN and password policies; configuration of system settings; and more. Because it’s integrated with the Apple Push Notification service, Profile Manager can send out updated configurations over the air automatically. And it includes web-based administration, so you can manage your server from any modern web browser. Profile Manager even gives users access to a self-service web portal where they can download and install new configuration profiles, as well as clear passcodes and remotely lock or wipe devices that are lost or stolen.

In short, it’s the hoped-for iPhone Configuration Utility on Steroids™. Clearing passcodes alone is going to be huge for schools, as in two separate meetings that was the single biggest complaint from technicians managing iPad deployments. Apparently some kids think it’s hilarious to set a passcode on a shared device so the next class can’t use it, and the technician had to have the device in-hand to reset the device and clear the passcode.

Doing it all wirelessly is the single biggest feature. Having to plug them all in would have been a pain in the neck at best. Pushing updates and apps out over the air is critical in a multi-building or multi-campus district. We should have known it would only be a matter of time before this came around, and I’m thrilled to see it sooner rather than later.

I’m also excited because it looks like it will have the same ease of use and management as the current Workgroup Manager utility for user management. When I just want to tweak a few settings quick, I hate having to wade through option after option to find what I’m looking for (*cough*Active Directory*cough*). This also makes it much easier to delegate management and train end users when the time comes.

The low cost of upgrade and iCloud seal the deal. I’m waiting to hear if schools and businesses will be able to set up accounts on iCloud for managing their devices, but even without that, iCloud could be a tremendous advantage for students. For free, no less! I think this is a brilliant move on Apple’s part, and is a shot at both Amazon and Google.

Given I already have the Apple infrastructure in place, it’s looking more and more like iPads will be a no-brainer for my district.

Your move, Android.

Android and Malware

Categories: The Server Room
Comments: Comments Off
Published on: June 2, 2011

I had hoped to be telling you how excited my teachers were to receive their new iPads by now, but due to supply and shipping issues, we have yet to receive them. Hopefully before long.

Meanwhile, news broke that Google has had to remove apps from the Android Market again due to malware hidden in the apps’ code. This is a huge concern for me with students with Android tablets, especially if I’m unable to limit or enforce the apps they can or can’t install.

I would prefer to keep things open, but the additional support burden of malware and other questionable apps could become a big issue in a small district with a one-man tech shop. If students are able to install from unknown sources (i.e., websites and vendors other than the Android Market), there’s no limit on the potential damage they could do to their own data/hardware or the network. With Apple I can be reasonably certain any apps they download will not be dangerous.

I’m also concerned about antivirus apps. It kills me that antivirus has to be constantly running and wasting resources on a PC, and doing the same on a tablet is only going to put a greater strain on the battery and waste time while a student is waiting on a scan instead of being productive. It’s one more thing to support and configure, and it would not shock me if it became an added cost to management.

How long, then, before some of these third-party management vendors start offering up servers and software for managing Android tablets? A custom Linux install could easily serve as a local repository for apps, profile data, and more.

Just like OS X Server 10.7 Lion may do for iOS devices.

I’m not expecting either Android or iOS deployment to be cheap, but support for malware issues goes beyond monetary costs.

Google Coming Around on Management?

Categories: Apps, The Server Room
Comments: Comments Off
Published on: May 16, 2011

Google may have a solution to device management after all, though it’s just a start. Check out the Google Apps Device Policy app on the Android Market. Right now it looks more like a competitor to Apple’s MobileMe features such as location reporting and remote wiping, but it’s a start for security for schools or companies.

According to this announcement, it’s only available for Google Apps for Business, Government, or Education customers. This at least gives IT folks some options in securing their users’ devices, especially if those devices are company-issued. Judging by user reviews, it also appears the app is difficult (if not impossible without rooting/jailbreaking) to remove.

It doesn’t say anything about pushing out apps, restricting apps or setting wireless passwords, or managing things like proxies or DNS settings. I’m also curious whether the My Devices page it mentions will list device serial numbers and activated accounts. If we get serious about testing an Android tablet at my workplace, I’ll be installing this and taking it for a test drive.

page 1 of 1
Welcome , today is Monday, January 22, 2018