
moving IT to the cloud with service not servers

Saturday, 12 August 2017

Going serverless with Microsoft

Over the last few months Microsoft have been developing a blueprint for a fully serverless cloud architecture based on Office 365 and Intune for Education.

The individual elements for a serverless school have existed for some time but we now have a Microsoft strategy document that brings all the pieces together with a clear technical direction.

The document is updated regularly so there’s little to be gained from summarising it, other than to note it includes the two core elements mentioned above plus School Data Sync, OneNote, Whiteboard and Teams, while avoiding any mention of local servers, Active Directory and the System Center Configuration Manager (SCCM) management suite.

Sounds great, but how practical would it be to migrate to this model today?

First, it’s clear that the Microsoft vision of a serverless school requires Windows 10 clients in order to link into the security and management features of the Azure cloud-based directory.

Therefore Step 1 is to migrate all clients to Windows 10, and when that’s done you can move on to Step 2. A full client upgrade programme would be a good-sized step for Neil Armstrong, never mind a school with a mixed set of legacy hardware, but currently it’s a prerequisite for a Microsoft cloud solution.

However, let's assume we’re already at Step 2. What other obstacles do we face?

The first is the same stumbling block that challenges other initiatives in this area: how to support locally installed Windows applications?

In this instance Redmond's approach has an advantage, since we have a fully featured Microsoft operating system and the ability to deploy and maintain applications using Intune.

Things become less clear when we consider how well this model applies to shared devices in a teaching environment. If the toolset is fairly static across the user base it might be practical but if you have applications required for specific classes, students moving between computers and large installation packages being pulled across an internet connection, it could get messy quite quickly.

Strangely there is no mention of Windows 10 S in the document. This is the Windows OS which works exclusively with apps from the Windows Store and is aimed directly at educational deployments. This might be because the post is focused on a migration scenario, but I would still expect a mention, if only to position Windows 10 S within the overall strategy.

Perhaps the idea is not to present too many disruptive concepts all at once.

A school that has moved to Azure AD automatically gains access to Microsoft's ecosystem of Single Sign On (SSO) web applications. While this is mainly focused on the workplace the directory already contains over one hundred web resources marked for education including well known names such as Khan Academy, Discovery Education, My Homework, Edmodo and ClassDojo.

Once a school starts to take advantage of the rapidly evolving pool of SaaS applications with built-in SSO, the deployment issue disappears and Windows 10 S becomes a good news story for everyone, with perhaps the exception of software houses still shipping an .msi file on an annual release cycle.

Locally installed applications of any type do not work well in shared device deployments that require a degree of differentiation. Until 1:1 rollouts are commonplace, SaaS will win out every time, and a cloud-based directory with integrated SSO can only accelerate this process, unless of course your students are really looking forward to next year's release of SameOldProg V8.

It’s also worth examining how the integration with the Azure directory will be managed.

Third party software such as classroom control, content filtering, payment schemes and print management needs to read data from the user directory. In the future this will be in the cloud and not on a local domain controller. All this is fine except that Azure AD does not support LDAP or Kerberos, the two access methods that every management tool sold to education in the last twenty years expects to use.

Azure AD has its own convention (the Microsoft Graph API) which is better suited to modern internet protocols than either LDAP or Kerberos.

Therefore vendors of firewalls and content filters will need to embed support for this new directory source before schools can consider moving to the cloud.

In a completely unscientific survey I recorded the Lightspeed content filter as capable of working with an Azure directory. If you know of any others please let me know and I’ll compile a list.

Wireless might also have a problem with a Microsoft serverless school. A common security method uses the RADIUS protocol to query group and user information, and in the past this was normally provided by a local Windows server that read the information from a domain controller.

The problem is that not only are we a server short, we don’t have a domain controller either!

Anybody know of any vendor initiatives in this area?

Microsoft and Google are going head to head for this market, and now both vendors are essentially proposing the same serverless approach, which will only drive innovation at an even faster rate.

In the short term Microsoft has the advantage because they are the incumbents in this space and now have an offering which appears to match Google G Suite for Education in certain areas.

However these are early days and few would describe the Microsoft strategy as a fully defined offering. A number of roadblocks remain, but over the next few months we should expect new features to emerge at a rapid rate to fill the gaps. Overall the outlook is pretty exciting and, whatever your technical point of view, schools will benefit massively from the one-upmanship as the two tech giants slug it out.

The real challenge is convincing education to assess the alternatives with an open mind and then invest some time in constructing a development plan that will take advantage of this unique opportunity to get things right.

Friday, 4 August 2017

Why BYOD could soon be BYOC.

Bring Your Own Device (BYOD) has always been an attractive idea for education.

The possibility that students could use personal devices in a learning environment without the school having to make a financial investment sounds beguiling, but there are some fundamental problems that have never really been overcome.
  • How to integrate a variety of devices, all with different capabilities, into a lesson plan.
  • How to securely manage school data on a range of devices.
  • How to onboard the devices onto the wireless network without a management overhead.
  • How to provide secure web filtering without additional licencing costs.
  • How to answer the question “It’s my device, why can’t I have Facebook?”

Unfortunately the big advantage of BYOD is also its biggest weakness.

Because the device remains the property of the pupil or a parent/guardian, there’s a reasonable expectation that, outside of school hours, the device could be shared with other members of the family to access Facebook, eBay, Netflix and various game sites.

Of course this creates a host of e-safety issues that is almost too long to list. Therefore the cautious response is to apply the school security policy at all times, even though for the majority of the year the device is at home and belongs to somebody else.

So in a BYOD EDU environment how do you answer the question:

“It’s my device, why can’t I have Facebook?”

Let’s look at this from another angle. Ideally, how would you fix this problem?
  • During school time the device is under management control with all the usual policies applied.
  • Outside of school hours the device takes on a personal policy which allows access to Facebook.
  • The two worlds must never meet.

Elements of this approach are already possible using web filtering rules that can be updated based on a schedule, but this doesn’t address the fundamental problem of device security.

When the device is under personal control, how do you ensure security isn’t compromised by malware, keyloggers, trojans, inappropriate software or images which are then brought into school and propagate across the network?

This problem doesn’t rest with the management platform; it lies with the nature of the user device.

The device has to maintain a set of isolated user profiles without any possibility that information or activity could bleed from one to the other. It would also have to have built-in security that ensures the operating system image is clean and verified as secure. Once you throw in the requirement for centralised web-based policy control, it's clear that the device you are describing is a Chromebook.

Let's imagine what this new form of BYOD, admittedly limited to Chromebooks, might look like.

Each pupil would need to bring a Chromebook to school. It could be an existing device, newly purchased or sourced through a payment scheme. Any finance schemes would be independent of the school because the device remains the user's personal property at all times.

Students would be able to choose a form factor that best suits their requirements (touch / size / price), shop around for the best deals and personalise them as much as they like. I suspect the ‘missing key’ problem will disappear overnight.

Personal Chromebooks could be enrolled into the school's Google organisation using the home broadband or a simple phone tether; it’s really not that difficult. The school will be buying a batch of non-recoverable Chromebook management licences, but this is a small cost when you consider that it would enable a 1:1 programme with very little management overhead.

The big selling point of this approach is that during school hours a policy is applied that restricts access to all the fun stuff and locks down the device. Out of hours this restriction is lifted: hello Facebook.

This could be done in a number of ways. It could be as simple as enabling guest access or lifting the restriction on organisational only logins. As the schedule moves back into school hours the standard policy is re-applied.

This doesn’t mean that the student could access social media using an organisational login, only that the Chromebook would allow a logon using a consumer account to which the filter does not apply. Nor does it mean that an out-of-hours policy would apply to all devices. It could be operated as an opt-in scheme that requires parental consent or be subject to an acceptable use policy.

Integrating personal Chromebooks into the classroom is easy because, although you might have 57 varieties, they will all be running the same OS version and all have the same basic capabilities. Because they remain personal devices the school doesn’t need to get involved with insurance or warranty repairs, although a loan pool of utility Chromebooks all covered in a massively uncool school laminate might encourage careful handling and long term memory.

Expensive trolleys aren’t required. Ad hoc charging could be a problem, but only until USB-C becomes commonplace. There’s no issue with respect to software licencing as this is likely to be SaaS based and linked to the organisational account or installed within the user's encrypted profile.

Sounds interesting?

Unfortunately none of this is possible because the basic mechanism to relax the Chromebook management profile on a timed schedule doesn’t currently exist.

However ChromeUnboxed recently reported a new commit to the Chromium repository, described as follows:

“Allow unrestricted using of parent-funded Chrome OS EDU devices (Chromebooks) that are managed by school, while the device is not at school (“off-hours”).”

While we are unlikely to see this feature until ChromeOS V62, the fact that it’s even in the pipeline is a significant development.

Currently there is little indication of how this might work, other than the fact that it uses an "Off-Hours" flag in the device policy, but it’s clear that this initiative could accelerate the drive towards 1:1 devices in education and be an important new way of getting Chromebooks into the classroom.
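As an added illustration (not code from this post or from the Chromium project), here is a constructed Python model of the scheduled policy switch described above: a weekly off-hours table, a check that copes with an interval wrapping from Friday evening to Monday morning, and a fail-safe that keeps the school policy whenever the device clock cannot be trusted. The interval format and the clock_trusted flag are assumptions for illustration, not the real ChromeOS policy schema.

```python
from datetime import datetime, time

# Constructed weekly off-hours table: (start_day, start_time) -> (end_day, end_time).
# Days use Python's weekday() convention, Monday=0 ... Sunday=6. This interval
# shape is an assumption for illustration, not the real ChromeOS policy format.
OFF_HOURS = [
    ((0, time(16, 0)), (1, time(8, 0))),  # Mon 16:00 -> Tue 08:00
    ((1, time(16, 0)), (2, time(8, 0))),  # Tue 16:00 -> Wed 08:00
    ((2, time(16, 0)), (3, time(8, 0))),  # Wed 16:00 -> Thu 08:00
    ((3, time(16, 0)), (4, time(8, 0))),  # Thu 16:00 -> Fri 08:00
    ((4, time(16, 0)), (0, time(8, 0))),  # Fri 16:00 -> Mon 08:00, wraps the week
]


def _week_minute(day, t):
    """Position of (day, time) as minutes since Monday 00:00."""
    return day * 24 * 60 + t.hour * 60 + t.minute


def in_off_hours(when, intervals=OFF_HOURS):
    """True if the local datetime `when` falls inside any off-hours interval."""
    now = _week_minute(when.weekday(), when.time())
    for (sd, st), (ed, et) in intervals:
        start, end = _week_minute(sd, st), _week_minute(ed, et)
        if start <= end:
            hit = start <= now < end
        else:
            # Interval crosses the Sunday/Monday boundary (e.g. Fri -> Mon).
            hit = now >= start or now < end
        if hit:
            return True
    return False


def effective_policy(when, clock_trusted=True, intervals=OFF_HOURS):
    """Policy the device should enforce: 'school' (restricted) or 'personal'.

    The switch depends entirely on the device clock, so an untrusted clock
    (clock_trusted is a hypothetical signal) fails closed to 'school'.
    """
    if not clock_trusted:
        return "school"
    return "personal" if in_off_hours(when, intervals) else "school"


def policy_at(stamp, clock_trusted=True):
    """Convenience wrapper taking a 'YYYY-MM-DD HH:MM' local timestamp."""
    return effective_policy(datetime.strptime(stamp, "%Y-%m-%d %H:%M"), clock_trusted)


if __name__ == "__main__":
    for stamp in ("2017-08-09 12:00", "2017-08-09 17:00", "2017-08-12 12:00"):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        print(stamp, when.strftime("%a"), policy_at(stamp))
```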

BYOC perhaps.

Saturday, 1 July 2017

Print Options with Google and Chromebooks.

The standard way to print from a network device is to install a driver for the required printer model.

However you cannot load print drivers onto a Chromebook. In fact you are not allowed to load any driver onto a Chromebook. This is one of the features that make Chromebooks so secure and stable.

For most schools the solution is to implement Google Cloud Print. However, to provide a complete picture, it's worth mentioning some other approaches and how these relate to Google Cloud Print.

Direct Print.
There is an experimental feature, likely to move to production in the future, that allows a Chromebook to attach to a network printer and operate in much the same way as a MS Windows or MacOS device.

With Version 57 Chromebooks gained support for Unix-style print standards: CUPS (the Common Unix Printing System), which uses IPP (the Internet Printing Protocol).

The problem with deploying CUPS printing in schools is that it’s still very new and there doesn’t appear to be any method to control the actions from the admin console, so mapping printers is a manual exercise on each device. However it’s worth testing it out as it may prove a useful solution in specific situations.

There is a second option for direct print.

HP printer users can install the HP Print for Chrome app. This is not a driver but controls printing to HP devices using a Chrome extension.

Using this you can print from a Chromebook (or any Chrome browser) to HP printers connected on the same network. Again there is no way to control this through the console, so it’s a manual action, and if the Chromebook is on a different VLAN to the printer (which is often the case with wireless networks in schools) it’s not going to work. Support is a problem, so like CUPS printing this is only really suitable if it meets a specific requirement.

Which leaves you with Google Cloud Print.

Google Cloud Print uses a generic print service installed as part of the Chrome browser to format and transfer a print job to Google, where it sits in a queue waiting for an inbound connection from a printer.

The advantage of this process is that a Chromebook does not have to be on the same network as the printer to send a print job; in fact, so long as it has an internet connection it can print from anywhere in the world.

The downside is that most of the advanced print features are missing. If you are hoping to make use of the stapling and collating features you are going to be disappointed, although the basic options such as quality, paper size, number of copies, margins and duplex are supported.

Setting up Google cloud print is fairly straightforward. There are two steps to getting it going.
  • Creating the individual print queues with the Google Cloud Print service
  • Advertising the new cloud printers to the client devices.

Creating the individual print queues with the Google Cloud Print service

Most vendors now include the facility for printers to advertise directly with the Google Cloud Print service. In fact you would be hard pressed to find a high end printer sold in the last few years that is not “Cloud-Ready”.

Google maintains a list of supported printers which is pretty comprehensive.

Each vendor will provide a set of instructions that will allow you to enable the printer with Google but the basic process is the same.

Before implementing Cloud Print check the firewall connection between printer and Google. All of the traffic is outbound from the printer on standard ports. Therefore you must have port 80 and port 443 open to outbound traffic from the printer's IP address. In addition you must open port 5222 outbound to talk.google.com. This port allows the printer to advertise its status to Google. If it’s blocked the printer will be created but then go “offline” after a short period.

All the cloud printers with Google are owned by a user account in your domain. This can be any account, but essentially this user becomes the print administrator. Obviously if that user's account is subsequently deleted or suspended you also lose the print queues, which is a situation to be avoided if at all possible.

Therefore it's good policy to create a service account specifically to manage the printers. This account does not have to have any special administrative rights.

Once the account is created you can log on and access the print queue by navigating to the print management console.

For each printer enable the cloud ready option following the manufacturer's instructions. At some stage it will ask for the details of the Google print account, and the printer will then be visible in the console.

The disadvantage of the Cloud Ready approach is that there is limited control of the print jobs and each printer is set up individually.

In fact it's more likely that a school will already have a print server in place that advertises a number of printers to Windows and Mac clients, and may also run older printers that are not Cloud Ready. In this case you would fall back to using the Google Cloud Print Service.

Installing the Google Cloud Print Service.
This is a local service that runs on the print server and advertises all printers to Google Cloud Print. During the installation you get the option to choose which printers you wish to publish.

Installation is very simple: download the installer from the link below and run the install.

Once launched it requires details of an AD account that has rights to manage the printer accounts and to install as a local service.

It also requires details of the Google account you have identified to host the printer queues; in this case printeradmin@myschool.com.

At this point you can select the printers to publish and also enable an auto register feature.

After a few moments the printers should be visible on the cloud account.

Note that in this case you must have port 80 and port 443 open to outbound traffic from the server's IP address, as well as port 5222 outbound to talk.google.com. You do not need to open any ports from the printer addresses.
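To check the egress rules described above, whether from a Cloud-Ready printer or from the server running the Google Cloud Print Service, here is an added Python probe that is not part of this post: it attempts a TCP connection to each required destination and maps the result to the symptom described earlier for a blocked port 5222. The use of www.google.com as the probe target for ports 80 and 443 is an assumption; any Google endpoint reachable on those ports will do.

```python
import socket

# Egress the post says Google Cloud Print needs, from the printer itself or from
# the server running the Google Cloud Print Service: ports 80 and 443 outbound to
# Google and port 5222 outbound to talk.google.com. The host used to probe 80/443
# is an assumption; any Google endpoint reachable on those ports will do.
REQUIRED_EGRESS = [
    ("www.google.com", 80),
    ("www.google.com", 443),
    ("talk.google.com", 5222),
]


def tcp_connect(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_cloud_print_egress(connect=tcp_connect, required=REQUIRED_EGRESS):
    """Probe every required destination; returns {(host, port): reachable}.

    `connect` is injectable so the logic can be exercised without a network.
    """
    return {(host, port): connect(host, port) for host, port in required}


def diagnose(results):
    """Map probe results to the behaviour the post describes.

    'ok'                     all required egress is open
    'registers-then-offline' only 5222 is blocked: the printer is created but
                             cannot report its status, so it drops to "offline"
    'required-ports-blocked' port 80 and/or 443 is blocked as well
    """
    blocked = {hp for hp, ok in results.items() if not ok}
    if not blocked:
        return "ok"
    if blocked == {("talk.google.com", 5222)}:
        return "registers-then-offline"
    return "required-ports-blocked"


if __name__ == "__main__":
    # Run this from the printer VLAN or on the print server itself.
    results = check_cloud_print_egress()
    for (host, port), ok in results.items():
        print(f"{host}:{port:<5} {'open' if ok else 'BLOCKED'}")
    print("diagnosis:", diagnose(results))
```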

Advertising the new cloud printers to the client devices.

The last stage is to share the printers to your users. This is done using the Share button from the cloud print console.

It's pretty simple to share a Google Cloud printer with another individual account, but in an academic environment that's fairly impractical; you really need to share to a group.

Assume that your print account is printeradmin@myschool.com.

Create a new Google group called “HP Colour Laser Jet Users”, for example.

Add printeradmin@myschool.com as an owner of the “HP Colour Laser Jet Users” group and share the printer with that group, logged on as the printeradmin@myschool.com account.

Access the printeradmin@myschool.com email account and accept the shared printer for the entire group by accepting the e-mail.

When you share with groups, the group administrators receive the invite and they can accept on behalf of the group. Alternatively, if your personal account is already the owner of the group you can accept the invite on the users' behalf.

Your Chromebook users will now see the printer when they open the print dialog and select the Change button under Destination.

Adding a new user to the “HP Colour Laser Jet Users” group does not automatically advertise the printer to the user. This behaviour is the same for printers as it is for documents. The workaround is to remove the group from the printer share and then immediately add it back in again once a change has been made to the group membership.

It's worth noting that the Google Cloud Print Service has a reputation for being somewhat unreliable. Some schools overcome this by periodically restarting the service on a schedule using the command set below.

     @ECHO OFF
     REM Restart the Google Cloud Print Service. Run from a scheduled task
     REM under an account with rights to stop and start services.
     NET STOP CloudPrintService
     NET START CloudPrintService

Printing in a Serverless School
It’s possible that you may not have access to the local print server, or sufficient rights to install software, or any servers at all!

In this case you could consider the Lantronix xPrintServer, an easy-to-use, plug-and-print appliance for Google Cloud Print.

The Lantronix device is fully supported and generally provides a more robust service than the Google Cloud Print Service running on a Windows server. The setup is done through a setup wizard rather than by downloading the Google Cloud Print Service.

Integrating Google Cloud Print with a Print Management Solution.
There are some features that Google Cloud Print does not support. These include a comprehensive reporting/quota system and a follow-me capability. Integrating with a third party solution such as PaperCut solves these issues.

Recent releases of PaperCut have native support for Google Cloud Print as well as integration with the Google user directory.