
moving IT to the cloud with service not servers

Saturday, 10 June 2017

An early look at Google Drive File Stream

Google is introducing a new feature called Drive File Stream which will present your GDrive as a local mapped resource on your Mac or Windows PC.

Another utility, Google Drive Sync, does something similar, but Drive File Stream is different in that it works like an “intelligent cache”: the files appear local without actually being copied down. In this respect Drive File Stream has more in common with Dropbox’s Smart Sync feature for Dropbox Business customers.

Once installed you can work directly from all the familiar Windows apps like Adobe Photoshop and Microsoft Office. Any change you make to files in those apps is saved automatically to GDrive and can be accessed from any other device.

Google Drive File Stream is currently in the Early Adopter Phase (EAP) and, unlike Drive Sync, requires a business, education, or enterprise G Suite subscription.

Let's take a look at some of the features available in the EAP offering. Testing used a five-year-old laptop running Windows 8.1, probably typical of the type of device it would need to support in the field.

Currently the installation is via a download site without any options to adjust the installation parameters. As Drive File Stream is aimed squarely at the enterprise space we can assume this will change by the time it moves to GA.

The installation is extremely light and installs a device driver that presents your Google Drive as a G: drive. While in the EAP phase there doesn't seem to be any method of controlling the drive letter allocation.

During the installation the user is asked to re-enter Google user credentials and accept authentication rights. Once accepted the user is not re-prompted on subsequent logons.

As soon as the driver is loaded the user is immediately presented with a personal GDrive mapped as G:, with any Team Drives shared with the user appearing as sub-directories at the same level.

Files and directories respond as you would expect to the standard Windows key functions and dialogs. Most file actions are supported, including the deletion of GDocs and non-GDocs. The files turn up in the GDrive trash in exactly the same way they would if the action had been completed from the web UI. The only thing that's not supported at present is cut-and-paste to create a new GDoc.

Interestingly, the properties of the Drive File Stream (G:) drive show a FAT32 partition with 1EB (one exabyte) of capacity. The format function is also available but I didn't feel brave enough to try that!

Dragging files into the G: drive immediately returns control to the user, as the file is cached locally and transferred to GDrive as a background process. The arrow icon on the drive updates to reflect the background activity. A file added to GDrive through the web UI also turns up in the G: drive immediately. In fact any amendment to GDrive is reflected within seconds.

The icons on each file also give some indication of status. Icons with the small cloud overlay indicate files that have been moved to GDrive. In this case the icon represents a local placeholder and, if selected, the file will be downloaded before being opened.

If the file is fairly large the user may well see a dialog, and the arrow icon on the drive, indicating the progress of the download.

Once the file is downloaded all actions take place locally, with the save action going to the local drive cache and the sync following on as a background process.

Actions on G Suite documents are unchanged. Clicking on a Google Doc icon will open a browser editing session working directly from the cloud store.

Copying or moving local documents into the G: drive will initially result in a file icon without the cloud overlay. The icon is only updated once the file or folder has been transferred back to GDrive.

However, this is where it gets clever. Drive File Stream tries to guess what you might do next and pre-loads the file cache with files it thinks you might need. For instance, opening a Word document, writing back and closing Word goes through all the actions to synchronise to the cloud, and when it’s complete the icon will show a cloud overlay. However, reopening the file a second time does not force another download: Drive File Stream has cached it, guessing that you might just be coming back. When opening the file after a write back the local icon doesn’t update to indicate a read from Drive; the file just opens.

You might see an odd action here, as opening the file shows data being written back to GDrive rather than read from it. What appears to be happening is that the file is opened from the local cache but Office creates a temporary file in the same directory which is written back to GDrive, although that file never actually displays. This is speculation on my part, but it would be interesting to know how Drive File Stream handles application temporary files.

There is little information on how the intelligent caching of Drive File Stream works, but I guess that's the point. It just sits in the background becoming familiar with your work processes and making sure that when you open a file it’s ready and available. Machine Learning (ML) is going to find its way into an increasing number of products in the future, so we need to get used to the idea that the machine will be thinking for us.

If a non-Google document stored on GDrive has been edited in another remote session it always forces a refresh and you’ll get the latest version. I found this process to be very reliable and responsive.

However, writes to non-Google files have to be treated with caution. Standard files are not access locked and can be edited by two users at the same time; the last write wins. Other writes are saved as versions and can be downloaded and manually recovered, but without the simple reversion facility available to Google Docs. This shouldn’t be too much of an issue for the single user working with GDrive, but Drive File Stream also exposes the Team Drives, which may have editing rights granted to multiple users.

Even in EAP, Drive File Stream is very impressive and could be used to solve a number of problems. 

Where I see this being most useful is in Windows terminal sessions or ICT labs, where you could now use GDrive as the primary storage area rather than a Windows share. There are still a few enterprise features missing, mainly around deployment and configuration options, but the basic functionality is sound.

Altogether a welcome addition to the Google toolset.

Friday, 19 May 2017

Education gains one S but could lose three.

Recent announcements from Microsoft regarding Windows 10 S and Intune for Education have clearly identified Azure as the future support platform while at the same time discreetly drawing the veil across local server infrastructure. The fact that Microsoft is promoting a version of Windows that is entirely managed from the cloud instead of relying on a locally hosted domain is probably all you need to know about where this technology is heading.

With Windows 10 S Microsoft appears to have finally recognised the fact that the three S’s (Speed, Security and Simplicity) are winners in the education space and as long as you stay true to these goals and make your solution affordable you are likely to succeed.

So while I applaud Redmond’s initiative in this area, what I don’t understand is the reasoning behind both Microsoft's (and Google’s) myopic desire to install monolithic software on your clean, slick, fast-moving device. It’s as if both parties understand the advantages of cloud computing but cannot make the final break from the 1990s because of some sort of mental block or emotional attachment to the past.

If you want to load up your personal device with locally installed applications that’s your choice, but until education is awash with cash it will depend on the shared computer model which, from the first day that PCs appeared on a school desk, has never played well with local apps.

Let's use Microsoft's own example of a school in Colorado that runs 600 Windows S laptops to examine how locally installed applications affect the three S’s.

The Three S's

One thing can be guaranteed: a locally installed app will not make your shared device boot quicker. A student must be able to pick up any laptop, turn it on and within 30 seconds be working productively. How will the same test perform when the user has been allocated a copy of Office 2016?

Windows apps are large. Microsoft documentation states that Office 2016 requires 3GB of space for a minimum install. Even if the Windows Store version (which doesn’t yet exist) is much smaller we are talking gigabytes of data. How is that going to be delivered to a user profile on demand when the install point is on the end of an internet connection shared with 600 other students? Answer: it won’t.

The only way round this is to preload Office 2016 on every device, which in itself is a challenge bearing in mind all the data now has to come from the Windows Store.

Offline licensing may be an option for Windows 10 users. With offline licences schools can cache apps locally, which solves the bandwidth issue, although developers have to opt in to this service and few have at present. You’ll also require a mechanism to deploy the app, and for most situations this is probably going to be System Center Configuration Manager (SCCM) installed on a local server, which doesn’t sound very cloudy to me.

Even with SCCM and Active Directory back in the frame, preloading every application is not really practical. Looking at the information on the Windows Store, some apps are of a manageable size (<100 MB) but most are just converted Windows applications many hundreds of megabytes in size which are simply not optimised for mobile deployment.

What if the app is only needed for ten users, does it get downloaded to every shared device just to keep the logon speed within usable limits? If every device has every app, what happens to the internet bandwidth when new versions are released?

If this is sounding less and less like a true cloud solution, remember that there are no guidelines from Microsoft as to the internet bandwidth requirements for Windows 10 S, just a vague comment that you might consider dusting off that old proxy server that has file caching capabilities. I think that's good advice.

In one respect Microsoft's model has a big advantage over Google's. Although the apps are larger they can be shared between user sessions on the same device. For good reasons the Chromebook security model prevents this from happening for Android apps.

If an Android application is required for a shared class set of thirty Chromebooks it could end up being downloaded 30X30 times, unless you are willing to waste the first five minutes playing the “find the device you used last time” game. The maths on 900 X 100Mb places us squarely back in the Microsoft camp of bandwidth extravagance.

Sacrificing speed for the perceived benefits of running local applications runs the risk of turning these exciting new devices into next generation netbooks.

Local apps do not improve security, as every newly installed application has the potential to introduce a new vulnerability.

By running each application in a sandbox Windows 10 S goes some way towards protecting the underlying operating system. Chromebooks have a deeper security model that also uses sandboxing but adds a verified boot process, TPM chips and encrypted user partitions.

However, because locally installed applications represent such a large vulnerability, the first layer of protection is to restrict the user to loading applications only from the Microsoft Store. Apps submitted to the Microsoft Store go through security and compliance tests as part of the app certification process, which help protect against malicious activity, but currently few of the applications that schools rely on day to day can be found in the store.

The short-term solution for Windows S is to upgrade, or is that downgrade, to Windows Pro to allow programs to be deployed using the standard methods, but of course this sidesteps the security and compliance tests.

In a shared device deployment how are locally installed applications going to be licensed?

Licences could be allocated to named users, but does that mean the application is pulled on demand from the web store during the logon process? We have already seen that this is likely to be impractical.

If the application is preinstalled how do you manage the licence allocations?

The new Windows S is supposed to be able to ‘present’ the correct application set based on the user profile, but this feature has only just become available and it will still require the entire set to be installed on each device to provide a level of responsiveness acceptable in a classroom situation.

You could give the app away for free and hope to collect some revenue from a backend service, but what platform do you develop for: Android, UWP for Windows or iOS?

Do schools with mixed deployments have to buy a licence for each platform? Are the licences transferable? How do you track the allocations, how does the upgrade process work, and how does this work with a BYOD programme?

If all this sounds a bit complicated that’s because it is and I’m beginning to wonder if it’s really worth the effort.

What process is so critical that it justifies this complicated framework just to deliver the 10% of functionality that’s not yet available as a SaaS-based application?

Is education relying too much on the familiar and expecting IT to make it happen just to save the effort of seeking out new ways of working?

Maybe I’m just not thrilled by another lump of code landing on my sleek, efficient Chromebook or Windows S laptop, but to be honest I’m not convinced any of this will work for a shared class set model, whatever the OS.

Vendors mess with the three S’s at their own risk.

Saturday, 15 April 2017

Recreating the local admin role in G Suite

Delegating management privileges to a section of the G Suite organisational tree is a common requirement for deployments that scale across districts or educational trusts.

When a single branch of the organisational tree contains an entire school with thousands of user accounts, the ability to create a local admin who can manage that branch without having access to other parts of the tree becomes a useful facility. Unfortunately the local admin role isn’t one of the built-in options provided by G Suite; you have to make your own.

The ability to assign users to roles is managed through the Admin roles icon on the console. The same dialog allows ‘super’ users to select individual permissions from a set of fixed options to create custom roles.

The trick to creating the new local admin role is to avoid any permission that only operates at the root level. Some objects, such as groups, can only be managed at the organisational level. Therefore selecting the groups permission immediately restricts you to managing at the top level, which is not what we want. When you assign users to roles with root permissions the option to select an OU will be fixed to All Orgs.

So what permissions can be applied at the branch level? The interface gives no obvious indication, but it turns out there are quite a few, as well as a couple of things that can trip you up.

The current list of permissions that can be applied at the sub-organisational level are shown here.

Selecting all the permissions listed in the dialog creates a role that can manage the user and Chromebook objects under a specific node in the organisational tree.

The local admin can also update the organisational tree, deploy applications to Chromebooks and even manage network policies. The role does not have the ability to update any policy relating to the core application set (Drive, Gmail, Classroom etc.) or any policy affecting the organisation as a whole, such as domains and security.

A couple of points worth noting:

The permission to manage User Chrome policies works in two different modes depending on whether the organisation has purchased Chromebook licences or not.

If the organisation does not have Chromebook licences you need to select the option below.

Once Chromebook licences have been added a new option appears under Services and you should transfer the rights to this node (see below).

If the organisation has purchased licences and uses the first option without ticking the new permissions, the User Chrome Management dialog will hang when the local admin user tries to access it.

The second point is less obvious.

If you check the ChromeOS permission within Services it will fix permissions at the root level, which is something we are trying to avoid.

However, if you only check the individual sub-options under ChromeOS and leave ChromeOS itself unchecked, you’ll find that the OU drop-down is still available (above). This is a subtle difference but it allows you to delegate the rights to manage Chromebooks to a single node in the organisational tree.

Interestingly, you can also reuse the role for all your local admins. When you hit the Assign Admins button the dialog gives you Assign More as an option (below). You can add multiple user accounts within this dialog, and each batch of users can point to a different node in the organisational tree.

It’s also possible to enter the same user account multiple times so long as the user is assigned to a different node in the organisational tree each time. Using this method the user will find they are able to access more than one sub-organisation in the tree, which is useful if a single account is responsible for managing multiple schools.

Currently the only way to update the allocated sub-OU is to delete and recreate the assignment. 

If the new local administrator navigates to admin.google.com they’ll be presented with a dashboard containing just the Device management and Users icons. The whole organisational tree is visible but the custom role works like a filter: users can only view and manage user accounts and Chromebooks that fall under the allocated sub-OU for the role.

The method described would be appropriate for a district or multi-school trust but could equally apply to a single school where the super administrator wishes to delegate admin rights for an intake year or class group.

The rights as shown are fairly liberal but can be reduced without affecting the ability to assign the role to a specific sub-OU.
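As an added check that is not part of the original post: the audit below walks a list of role assignments in the shape returned by the Admin SDK Directory API roleAssignments resource (roleId, assignedTo, scopeType, orgUnitId) and flags local admin assignments that ended up covering the whole organisation (All Orgs) instead of a single sub-OU. The role id, OU ids and records are constructed sample data, not values from a real domain.

```python
"""Audit G Suite admin role assignments for correct sub-OU scoping.

Added example, not from the original post. Field names follow the
Admin SDK Directory API roleAssignments resource; the records below
are constructed sample data standing in for a roleAssignments.list()
response and would normally come from the API.
"""

# Constructed placeholders for the custom "local admin" role and the
# id of the root OU; neither is a real identifier.
LOCAL_ADMIN_ROLE_ID = "role-local-admin"
ROOT_ORG_UNIT_ID = "id:root-ou"

SAMPLE_ASSIGNMENTS = [
    # Correct: one account delegated to a single school node.
    {"roleId": "role-local-admin", "assignedTo": "user-alice",
     "scopeType": "ORG_UNIT", "orgUnitId": "id:ou-school-a"},
    # Same account assigned again for a second school, as the post allows.
    {"roleId": "role-local-admin", "assignedTo": "user-alice",
     "scopeType": "ORG_UNIT", "orgUnitId": "id:ou-school-b"},
    # Wrong: scope fixed to the whole customer (the "All Orgs" case).
    {"roleId": "role-local-admin", "assignedTo": "user-bob",
     "scopeType": "CUSTOMER"},
    # Wrong: ORG_UNIT scope, but pointing at the root of the tree.
    {"roleId": "role-local-admin", "assignedTo": "user-carol",
     "scopeType": "ORG_UNIT", "orgUnitId": "id:root-ou"},
    # A different role; not part of this audit.
    {"roleId": "role-help-desk", "assignedTo": "user-dave",
     "scopeType": "CUSTOMER"},
]


def audit_local_admin_scope(assignments, role_id=LOCAL_ADMIN_ROLE_ID,
                            root_ou_id=ROOT_ORG_UNIT_ID):
    """Return (findings, delegations).

    findings:    list of (assignedTo, reason) for local admin assignments
                 that reach the whole organisation rather than one sub-OU.
    delegations: {assignedTo: sorted orgUnitIds} for correctly scoped ones,
                 so an account managing several schools is listed once.
    """
    findings, delegations = [], {}
    for a in assignments:
        if a.get("roleId") != role_id:
            continue
        who, scope = a.get("assignedTo"), a.get("scopeType")
        if scope != "ORG_UNIT":
            findings.append((who, "scope is %s, not ORG_UNIT" % scope))
        elif a.get("orgUnitId") == root_ou_id:
            findings.append((who, "ORG_UNIT scope points at the root OU"))
        else:
            delegations.setdefault(who, []).append(a["orgUnitId"])
    return findings, {k: sorted(v) for k, v in delegations.items()}


if __name__ == "__main__":
    for who, reason in audit_local_admin_scope(SAMPLE_ASSIGNMENTS)[0]:
        print("FLAG %s: %s" % (who, reason))
```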

My thanks go to Aled Owain Jones, Technical Support Officer for Conwy County Borough Council, Wales for working through these examples with me.