tag line

moving IT to the cloud with service not servers

Saturday, 12 August 2017

Going serverless with Microsoft

Over the last few months Microsoft have been developing a blueprint for a fully serverless cloud architecture based on Office365 and InTune for Education.

The individual elements for a serverless school have existed for some time but we now have a Microsoft strategy document that brings all the pieces together with a clear technical direction.

The document is updated regularly so there’s little to be gained from summarising it, other than to note it includes the two core elements mentioned above plus School Data Sync, One Note, Whiteboard and Teams while avoiding any mention of local servers, Active Directory and the System Center Configuration Manager (SCCM) management suite.

Sounds great, but how practical would it be migrate to this his model today?

First, it’s clear that the Microsoft vision of a serverless school requires Windows 10 clients in order to link into the security and management features of the Azure cloud based directory.

Therefore Step 1 is migrate all clients to Windows 10 and when that’s done you can move onto Step 2.  A full client upgrade program would be a good sized step for Neil Armstrong never mind an school with a mixed set of legacy hardware but currently it’s a prerequisite for a Microsoft cloud solution.

However, let's assume we’re already at Step 2. What other obstacles do we face?

The first is the same stumbling block that challenges other initiatives in this area  - how to support locally installed Windows applications ?

In this instance Redmonds approach has an advantage since we have a fully featured Microsoft operating system and the ability to deploy and maintain applications using InTune.

Things become less clear when we consider how well this model applies to shared devices in a teaching environment. If the toolset is fairly static across the user base it might be practical but if you have applications required for specific classes, students moving between computers and large installation packages being pulled across an internet connection, it could get messy quite quickly.

Strangely there is no mention of Windows 10 S in the document. This is the Windows OS which works exclusively with apps from the Windows Store and is aimed directly at  educational deployments.  This might be because the post is focused on a migration scenario but I would still expect a mention, if only to position Windows 10 S within the overall strategy.

Perhaps the idea is not present too many disruptive concepts all at once.

A school that has moved to Azure AD automatically gains access to Microsoft's ecosystem of Single Sign On (SSO) web applications. While this is mainly focused on the workplace the directory already contains over one hundred web resources marked for education including well known names such as Khan Academy, Discovery Education, My Homework, Edmodo and ClassDojo.

Once a school starts to take advantage of the rapidly evolving pool of SaaS applications with built-in SSO  the deployment issue disappears and Windows 10 S becomes a good news story for everyone, with perhaps the exception of software houses still shipping an .msi file on an annual release cycle.

Locally installed applications of any type do not work well in shared device deployments that require a degree of differentiation. Until 1:1 rollouts are commonplace, SaaS will win out every time and a cloud based directory with integrated SSO can only accelerate this process, unless of course your students are really looking forward to next years release of SameOldProg V8.

It’s also worth examining how the integration with the Azure directory will be managed.

Third party software such as classroom control, content filtering, payment schemes and print management need to read data from the user directory. In the future this will be in the cloud and not on a local domain controller. All this is fine except that Azure AD does not support LDAP or Kerberos, the two access methods that every management tool sold to education in the last twenty years expects to use.
Azure AD has it’s own convention (Microsoft Graph API) which is better suited to modern internet protocols than either LDAP or Kerberos.
Therefore vendors of firewalls and content filters will need to embed support for this new directory source before schools can consider moving to the cloud.
In a completely unscientific survey I recorded the Lightspeed content filter as capable of working with an Azure directory.  If you know of any  others please let me know and I’ll compile a list.

Wireless might also have a problem with a Microsoft serverless school. A common security method uses the RADIUS protocol to query group and user information and in the past this was normally provided by a local Windows server that accessed information from a domain controller.

The problem is - not only are we a server short, we don’t have a domain controller either !

Anybody know of any vendor initiatives in this area ?

Microsoft and Google are going head to head for this market and now both vendors are essentially proposing the same serverless approach which will only drive innovation at an even faster rate.

In the short term Microsoft has the advantage because they are are the incumbents in this space and now have an offering which appears to match Google GSuite for Education in certain areas.

However these are early days and few would describe the Microsoft strategy as fully defined offering. A number of roadblocks remain but over the next few months we should expect new features to emerge at a rapid rate to fill the gaps. Overall the outlook is pretty exciting and whatever your technical point of view, schools will benefit massively from the one upmanship as the two tech giants slug it out.

The real challenge is convincing education to assess the alternatives with an open mind and then invest some time in constructing a development plan that will take advantage of this unique opportunity to get things right.

Friday, 4 August 2017

Why BYOD could soon be BYOC.

Bring Your Own Device (BYOD) has always been an attractive idea for education.

The possibility that students could use personal devices in a learning environment without the school having to make a financial investment sounds beguiling but there are some fundamental problems that have never really been overcome.
  • How to integrate a variety of devices, all with different capabilities into a lesson plan.
  • How to securely manage school data on a range of devices.
  • How to onboard the devices onto the wireless network without a management overhead.
  • How to provide secure web filtering without additional licencing costs.
  • How to answer the question “It’s my device, why can’t I have Facebook”?
Unfortunately the big advantage of BYOD is also it’s biggest weakness.

Because the device remains the property of the pupil or a parent/guardian there’s a reasonable expectation that, outside of school hours the device could shared with other members of the family to access Facebook, eBay, NetFlix and various game sites.

Of course this creates a host of e-safety issues that’s almost too long to list. Therefore the cautious response is to apply the school security policy at all times even though for the majority of the year the device is at home and belongs to somebody else.

So in a BYOD EDU environment how do you answer the question;

“It’s my device, why can’t I have Facebook” ?

Let’s look at this from another angle. Ideally, how would you fix this problem?
  • During school time the device is under management control with all the usual policies applied. 
  • Outside of school hours the device takes on a personal policy which allows access to Facebook.
  • The two worlds must never meet.
Elements of this approach are already possible using web filtering rules that can be updated based on a schedule but this doesn’t address the fundamental problem of device security.

When the device is under personal control how do you ensure security isn’t compromised by malware, keyloggers, trojans, inappropriate software or images which are then brought into school and propagate across the network ?

This problem doesn’t rest with the management platform, it lies with the nature of the user device.

The device has to maintain a set of isolated user profiles without any possibility that information or activity could bleed from one to the other. It would also have to have built-in security that would ensure that the operating system image was clean and verified as secure. Once you throw in the requirement for centralised web based policy control it's clear that the device you describing is a chromebook.

Let's imagine what this new form of BYOD, admittedly limited to Chromebooks, might look like.

Each pupil would need to bring a Chromebook to school. It could be an existing device, newly purchased or sourced through a payment scheme. Any finance schemes would be independent of the school because the device remains the users personal property at all times.
Students would be able to choose a form factor that best suits their requirements (touch / size / price), shop around for the best deals and personalise them as much as they like. I suspect the ‘missing key’ problem will disappear appear overnight.

Personal Chromebooks could be enrolled into the schools Google organisation using the home broadband or a simple phone tether, it’s really not that difficult. The school will be buying a batch of non-recoverable Chromebook management licences but this is small cost when you consider that this would enable a 1:1 programme with very little management overhead.

The big selling point of this approach is that during school hours a policy is applied that restricts access to all the fun stuff and locks down the device. Out of hours this restriction is lifted - hello Facebook.

This could be done in a number of ways. It could be as simple as enabling guest access or lifting the restriction on organisational only logins. As the schedule moves back into school hours the standard policy is re-applied.

This doesn’t mean that the student could access social-media using an organisational login only that the Chromebook would allow a logon using a consumer account to which the filter does not apply. Nor does it mean that an out-of-hours policy would apply to all devices. It could be operated as an opt-in scheme that requires parental consent or be subject to an acceptable use policy
Integrating personal Chromebooks into the classroom is easy because although you might have 57 varieties they will all be running the same OS version and all have the same basic capabilities. Because they remain personal devices the school doesn’t need to get involved with insurance or warranty repairs, although a loan pool of utility Chromebooks all covered in a massively uncool school laminate might encourage careful handling and long term memory.

Expensive trolleys aren’t required. Ad hoc charging could be problem but only until USB C becomes commonplace. There’s no issue with respect to software licencing as this likely to be SaaS based and linked to the organizational account or installed within the user's encrypted profile.

Sounds interesting ?

Unfortunately none of this is possible because the basic mechanism to relax the Chromebook management profile on a timed schedule doesn’t currently exist.

However ChromeUnboxed recently reported a new commit to the Chromium repository described below.
“Allow unrestricted using of parent-funded Chrome OS EDU devices (Chromebooks) that are managed by school, while the device is not at school (“off-hours”).”
While we are unlikely to see this feature until ChromeOS V62 the fact that it’s even in the pipeline is a significant development.

Currently there is little indication how this might work other that the fact that it uses an "Off-Hours" flag in the device policy but it’s clear that this initiative could accelerate the drive towards 1:1 devices in education and be an important new way of getting Chromebooks into the classroom.

BYOC perhaps.

Saturday, 1 July 2017

Print Options with Google and Chromebooks.

The standard way to print from a network device is to install a driver for the required printer model.

However you cannot load print drivers onto a Chromebook. In fact you are not allowed to load any driver onto a Chromebook. This is one of the features that make Chromebooks so secure and stable.

For most schools the solution is implement Google Cloud Print. However to provide a complete picture it's worth mentioning some other approaches and how these relate to Google Cloud Print.

Direct Print.
There is an experimental feature which is likely to move to production in the future that allows a Chromebook to attach to a network printer and operate in much the same way as a MS Windows or MacOS device

With Version 57 Chromebooks gained support for Unix-style print standards—the CUPS (common Unix printing system) system that uses IPP (internet printing protocol).

The problem with deploying CUPS printing in a schools is that it’s still very new and there doesn’t appear any method to control the actions from the admin console so mapping printers is a manual exercise on each device. However it’s worth testing it out as it may prove a useful solution in a specific situations.

There is a second option for direct print.

HP printer users can install the HP Print for Chrome app. This is not a driver but controls printing to HP devices using a Chrome extension.

 Using this you can print from a Chromebook (or any Chrome browser) to HP Printers connected on the same network.  Again there is no way to control this through the console so it’s a manual action and if the Chromebook is on a different VLAN to the printer (which is often the case with wireless networks in schools) it’s not going to work. Support is a problem -  so like CUPS printing this is only really suitable if it meets a specific requirement.

Which leaves you with Google Cloud Print.

Google Cloud Print uses a generic print service installed at part of the Chrome browser to format and transfer a print job to Google where its sits a queue waiting for an inbound connection from a printer.

The advantage of this process is that a Chromebook does not have to be on the same network as the printer to send a print job - in fact so long as it has an internet connection it can print from anywhere in the world.

The downside is most of the advanced print features are missing. If you are hoping to make use of the stapling and collating features you are going to be disappointed although the basic options  such as quality, paper size, number of copies, margins and duplex are be supported.

Setting up Google cloud print is fairly straightforward. There are two steps to getting it going.
  • Creating the individual print queues with the Google Cloud Print service
  • Advertising the new cloud printers to the client devices.

Creating the individual print queues with the Google Cloud Print service

Most vendors now include the facility for printers to advertise directly with the Google Cloud Print service. In fact you would be hard pressed to find a high end printer sold in the few years that is not “Cloud-Ready”.

Google maintains a list of supported printers which is pretty comprehensive.

Each vendor will provide a set of instructions that will allow you to enable the printer with Google but the basic process is the same.

Before implementing Cloud Print check the firewall connection between printer and Google. All of the traffic is outboard from the printer on standard ports. Therefore you must have port 80 and port 443 open to outbound traffic from the printer's IP address. In addition you must open port 5222 outbound to talk.google.com. This port allows the printer to advertise it’s status to Google. If it’s blocked the printer will be created but then go “offline” after a short period.

All the cloud printers with Google are owned by a user account in your domain. This can be any account but essentially this user becomes the print administrator. Obviously if that user's account is subsequently deleted or suspended you also lose the print queues, which is situation to be avoided if at all possible.

Therefore its a good policy to create a service account to specifically to manage the printers. This account does not have to have any special administrative rights.

Once the account is created you can logon and access the print queue by navigating to the print management console.

For each printer enable the cloud ready option following the manufacturer's instructions. At some stage it will ask for the details of the Google print account and the printer will visible in the console.
The disadvantage of the Cloud Ready approach is that there is limited control of the print jobs and each printer is set-up individually. 

In fact it's more likely that a school will already have a print server in place that advertises a number of printers to Windows and Mac clients and may also run older printers that are not Cloud Ready. In this case you would fall back to using the Google Cloud Print Service.

Installing the Google Cloud Print Service.
This a local service that runs on the print server that advertises all printers to Google Cloud print. During the installation you get the option to choose which printers you which to publish.
Installation is very simple, Download the installation from the link below and run the install.

Once launched it requires details of a AD account that has rights to manage the printer accounts and install as a local service. 

It also requires details of the Google account you have identified to host printer queues - in this case printeradmin@myschool.com.

At this point you can select the printers to publish and also enable an auto register feature.

After a few moment the printers should be visible on the cloud account.

Note that in this case the you must have port 80 and port 443 open to outbound traffic from the server's IP address as well as open port 5222 outbound to talk.google.com. You do not need to open any ports from the printer addresses.

Advertising the new cloud printers to the client devices.

The last stage is to share the printers to your users. This is done using the Share button from the cloud print console.

It's pretty simple to share a Google Cloud printer with another individual account but in academic environment that's fairly impractical, you really need to share to a  group.

Assume that your print account is printeradmin@myschool.com.

Create a new Google group called  “HP Colour Laser Jet Users”  for example.

Add printeradmin@myschool.com as an owner of the  “HP Colour Laser Jet Users” group  and share the printer with that group logged on as  the printer@myschool.com account.

Access the printer@myschool.com email account and accept the shared printer for the entire group by accepting the e-mail.

When you share with groups, the group administrators receive the invite and they can accept on behalf of the group. Alternatively if your personal account is already the owner of the group you can accept the invite on the users behalf.

Your Chromebooks user will now see the printer when they open the print dialog and select Change button under destination.

Adding a new user to the “HP Colour Laser Jet Users” group does not automatically advertise the printer with the user. This action is the same for printers as it is for documents. The workaround is to remove the group from the printer share and then immediately add it back in again once a change has been made to the group membership.

Its worth noting that the Google Cloud Print Service has a reputation for being somewhat unreliable. Some schools overcome this by periodically restarting the service on a schedule using the command set below.

     @ECHO OFF
     NET STOP CloudPrintService
     NET START CloudPrintService

Printing in a Serverless School
It’s possible that you may not have access to the local print server or have sufficient rights to install software or have any servers at all!

In this case you could consider the Lantronix xPrintServer, an easy-to-use, plug-and-print appliance for Google Cloud Print.

The Lantronix device is fully supported and generally provides a more robust service than Google Cloud Print Service running on a Windows server. The setup is done through a setup wizard rather than downloading the Google Cloud Print Service.

Integrating Google Cloud print with a Print Management Solution.
There are some features that Google Cloud print does not support. These include a comprehensive reporting/quota system and a follow-me capability. Integrating with a third party solution such as PaperCut solves these issues.

Recent releases of PaperCut have native support for Google Cloud Print as well as integration with the Google user directory.

Saturday, 10 June 2017

An early look at Google Drive File Stream

Google is introducing a new feature called Drive File Stream which will present your GDrive as a local mapped resource on your Mac or Windows PC.

Another utility, Google Drive Sync does something similar but Drive File Stream is different in that it works like an “intelligent cache” so the files appear local without actually being copied down.  In this respect Drive File Stream has more in common with Dropbox’s Smart Sync feature for Dropbox Business customers.

Once installed you can work directly from all the familiar Windows apps like Microsoft Adobe Photoshop and Microsoft Office. Any change you make to files in those apps is saved automatically to GDrive to be accessed from any other device.

Google Drive File Stream is currently in the Early Adopter Phase (EAP) and unlike Drive Sync requires a business, education, or enterprise G Suite subscription.

Let's take a look  at some of the features available in the EAP offering. Testing used a five year old laptop running Windows 8.1, probably typical of the type of device it would need to support in the field.

Currently the installation is via a download site without any options to adjust the installation parameters. As Drive File Stream is aimed squarely at the enterprise space we can assume this will change by the time it moves to GA.

The installation is extremely light and installs a device driver that presents your Google Drive as a G: drive. While in the EAP phase there doesn't seem to be any method of controlling the drive allocation.

During the installation the user is asked to re-enter Google user credentials and accept authentication rights. Once accepted the user is not re-prompted on subsequent logons.

As soon as the driver is loaded the user is immediately presented with a personal GDrive mapped as G: with any Team Drives shared with the user appearing at sub-directories at same level.

Files and directories respond as you would expect to the standard windows key functions and dialogs. Most file actions are supported including the deletion of GDocs and non-GDocs.  The files turn up in the GDrive trash in exactly the same way they would if the action was completed from the web UI. The only thing that's not supported at present is cut-and-paste to create a new GDoc.

Interestingly the properties of the Drive File Stream (G:) show as a FAT32 partition with 1EB (exabyte) of capacity. The format function is also available but I didn't feel brave enough to try that!

Dragging files into the the G: drive immediately returns control back to user as the file is cached locally and transferred to GDrive as a background process. The arrow icon on the Drive updates to reflect the backgound activity.  A file added to GDrive through the webUI turns up in the G: drive also immediately. In fact any amendment to GDrive is reflected within seconds.

The icons on each file also give some indication of status. Icons with the small cloud overlay indicate files that have been moved to GDrive  In this case the icon represents a local placeholder and if selected the file will be downloaded before being opened.  

If the file is fairly large the user may well see a dialog and the arrow icon on the drive indicating progress of the download. 

Once the file is downloaded all actions take place locally with the save action being to the local drive cache with the sync following on as a background process.  
Actions on G Suites documents are unchanged. Clicking on a Google doc icon will open a browser editing session working directly from the cloud store. 
Copying or moving local documents into the G: drive will initially result in a file icon without the cloud overlay. The icon is only updated once the file or folder has been transferred back to GDrive.

However this is where it gets clever. Drive File Stream is trying to guess what you might do next and is pre-loading the file cache with files that it thinks you might need. For instance opening a Word document, writing back and closing Word goes through all the actions to synchronize to the cloud and when it’s complete the icon will show a cloud overlay. However reopening the file a second time does not force another download, Drive File Stream has cached it, guessing that you might just be coming back. When opening the file after a write back the local icon doesn’t update to indicate a read from Drive - the file just opens.

You might might see an odd action here as opening the file shows data being written back to GDrive rather than from it. What appears to be happening is that the file is opened on a local cache but Office creates a temporary file in the same directory which is written back to GDrive -  although the file never actually displays. This is speculation on my part but it would be interesting to know how Drive File Stream handles application temporary files.

There is little information on how the intelligent caching of Drive File Stream works but I guess that's the point. It just sits in the background becoming familiar with your work processes and making sure that when you open a files it’s ready and available. Machine Learning (ML) is going find it's way into an increasing number of products in the future so we need to get used to the idea that the machine will be thinking for us.

If a non-Google document stored on GDrive has been edited in another remote session it always forces a refresh and you’ll get the latest version. I found this process to be very reliable and responsive.

However writes to non-Google files have to be treated with caution. Standard files are not access locked and can be edited by two users at the same time, the last write wins. Other writes are saved as versions and can be downloaded and manually recovered but without the simple reversion facility available to Google docs. This shouldn’t be too much of an issue for the single user working with GDrive but Drive File Stream also exposes the Team Drives which may have editing rights granted to multiple users.

Even in EAP, Drive File Stream is very impressive and could be used to solve a number of problems. 

Where I see this being most useful is in Windows terminal sessions or ICT labs where you could now use GDrive as the primary storage area rather than a Windows share. There are still a few enterprise features missing, mainly around deployment and configuration options but the basic functionality is sound. 

Altogether a welcome addition to the Google toolset.
Serverless School Serverless Serverless

Friday, 19 May 2017

Education gains one S but could lose three.

Recent announcements from Microsoft regarding Windows 10 S and InTune for Education has clearly identified Azure as the future support platform while at the same time discreetly drawing the veil across local server infrastructure. The fact that Microsoft is promoting a version of Windows that is entirely managed from the cloud instead of relying on a locally hosted domain is probably all you need to know about where this technology is heading.

With Windows 10 S Microsoft appears to have finally recognised the fact that the three S’s (Speed, Security and Simplicity) are winners in the education space and as long as you stay true to these goals and make your solution affordable you are likely to succeed.

So while I applaud Redmond’s initiative in this area what I don’t understand is the reasoning behind both Microsoft's (and Google’s) myopic desire to install monolithic software on your clean, slick, fast moving device. It’s like both parties understand the advantages of cloud computing but cannot make the final break from the 1990’s because of some sort of mental block or emotional attachment to the past.

If you want to load up your personal device with a locally installed applications that’s your choice but until education is awash with cash it will depend on the shared computer model which, from the first day that PC’s appeared on a school desk, has never played well with local apps.

Let's use Microsoft own example of a school in Colorado that runs 600 Windows S laptops to examine how locally installed application affects the three S’s.

The Three S's

One thing can be guaranteed, a locally installed app will not make your shared device boot quicker. A student must be able to pick up any laptop, turn it on and within 30 seconds be working productivity. How will the same test perform when the user has been allocated a copy of Office 2016 ?

Windows apps are large. Microsoft documentation states that Office 2016 requires 3GB of space for a minimum install.  Even if the Windows Store version (which doesn’t yet exist) is much smaller we are talking gigabytes of data. How that's going to be delivered to a user profile on demand when the install point is on the end of an internet connection shared with 600 other students? Answer - it won’t.

The only way round this is to preload Office 2016 on every device which in itself is a challenge bearing in mind all the data now has to come from the Windows Store.

Offline licensing may be an a option for Windows 10 users. With offline licenses schools can cache apps locally which solves the bandwidth issue although developers have to opt-in to this service and few have at present. You’ll also require a mechanism to deploy the app and for most situations this probably going to be System Center Configuration Manager (SCCM) installed on a local server which doesn’t sound very cloudy to me.

Even with SCCM and Active Directory back in the frame preloading every application is not really practical.  Looking at the information on the Windows Store some apps are of a manageable size (<100 MB) but most are just converted windows applications many hundreds of megabytes in size which are simply not optimized for mobile deployment.

What if the app is only needed for ten users, does it get downloaded to every shared device just to keep the logon speed within usable limits? If every device has every app, what happens to the internet bandwidth when new versions are released?

If this is sounding less and less like a true cloud solution remember that there’s is no guidelines from Microsoft as to the internet bandwidth requirements for Windows 10 S just a vague comment that you might consider dusting off that old proxy server that has file caching capabilities. I think that's good advice

In one respect Microsoft's model has a big advantage over Google.  Although the apps are larger they can be shared between user sessions on the same device. For good reasons the Chromebook security model prevents this from happening for Android apps.

If an Android application is required for a shared class set of thirty Chromebooks it could end up being downloaded 30X30 times unless you are willing to waste the first five minutes playing “find the device you used last time” game. The maths on 900 X 100Mb places us squarely back in the Microsoft camp of bandwidth extravagance.

Sacrificing speed for the perceived benefits of running local applications runs the risk of turning these exciting new devices into next generation netbooks.

Local apps do not improve security as every newly installed application has the potential to introduce a new vulnerability.

By running each application in a sandbox Windows 10 S goes some way towards protecting the underlying operating system. Chromebooks have a deeper security model that also uses sandboxing but also includes a verified boot process,TPM chips and encrypted user partitions.

However because locally applications represent such a large vulnerability the first layer of protection is to restrict the user to only loading applications from the Microsoft Store. Apps submitted to the Microsoft Store go through security and compliance tests as part of the app certification process which help protect against malicious activity but currently few of the applications that schools rely on day to day can be found in the store.

The short term solution for Windows S is to upgrade, or is that downgrade, to Windows Pro to allow programs to be deployed using the standard methods but of course this side steps the security and compliance tests.

In a shared device deployment how are locally installed applications going to be licensed?

Licences could be allocated to named users but does that means the application is pulled on demand from the web store during the logon process. We have already seen that this is likely to be impractical.

If the application is preinstalled how do you manage the licence allocations?

The new Windows S is supposed to be able to ‘present’ the correct application set based on the user profile but this feature has only just become available and it will still require the entire set to be installed on each device to provide a level of responsiveness acceptable in a classroom situation.

You could give the app away for free and hope to collect some revenue from a backend service but what platform do you develop for  - Android, UWP for Windows or iOS.

Do the schools with mixed deployments have to buy a licence for each platform, are the licences transferable, how do you track the allocations, how does the upgrade process work, how does this work with a BYOD program?

If all this sounds a bit complicated that’s because it is and I’m beginning to wonder if it’s really worth the effort.

What process is so critical that it justifies this complicated framework just to delivery the 10% of functionality that’s not yet available as a SaaS based application?

Is education relying too much on the familiar and expecting IT to make it happen just to save the effort of seeking out new ways of working?

Maybe I’m just not thrilled by another lump of code landing on my sleek efficient Chromebook or Windows S laptop but be honest I’m not convinced any of this will work for a shared classset model whatever the OS.

Vendors mess with the three S’s at their own risk.

Saturday, 15 April 2017

Recreating the local admin role in G Suite

Delegating management privileges to a section of the G Suite organisational tree is a common requirement for deployments that scale across districts or educational trusts.

When a single branch of the organisational tree contains a entire school with thousands of user accounts the ability to create a local admin who can manage that branch without having access to other parts of the tree becomes a useful facility. Unfortunately the local admin role isn’t one of the built-in options provided by G Suite  - you have to make your own.

The ability to assign users to roles is managed through the Admin roles icon on the console. The same dialog allows ‘super’ users to select individual permissions from a set of fixed options to create custom roles.

The trick to creating the new local admin role is to avoid any permission that only operates at the root level. Some objects, such as groups can only be managed at the organisational  level. Therefore selecting the groups permission immediately restricts you managing at the top level which is not what we want. When you assign users to roles with root permissions the option to select an OU will be fixed to All Orgs.

So what permissions can be applied at the branch level?  The interface gives no obvious indication but it turns out there are quite a few.. as well as a couple of things that can trip you up.

The current list of permissions that can be applied at the sub-organisational level are shown here.

Selecting all the permissions listed in the dialog creates a role that can manage the user and chromebook objects under a specific node in the organisational tree.

The local admin can also update the organisational tree, deploy applications to chromebooks and even manage network policies. The role does not have the ability to update any policy relating to the core application set (Drive, GMail, Classroom etc..) or any policy affecting the organisation as a whole such as domains and security.

A couple of points worth noting:

The permission to manage User Chrome policies works in two different modes depending on whether the organisation has purchased Chromebook licences or not.

If the organisation does not have Chromebook licences you need to select the option below.

Once Chromebook licences have been added a new option appears under Services and you should transfer the rights to this node (see below).

If the organisation has purchased licences and uses the first option without ticking in the new permissions the User Chrome Management dialog will hang when the local admin user tries to access it.

The second point is less obvious.

If you check in the ChromeOS permission within Services it will fix permissions at the root level which is something  we are trying to avoid.

However if you only check in the  individual sub-options under ChromeOS and leave ChromeOS unchecked you’ll find that the OU drop down is still available (above). This is a subtle difference but it allows you to delegate the rights to manage Chromebooks to a single node in the organisational tree.

Interestingly you can also reuse the policy for all your local admins. When you hit the Assign Admins button the dialog gives you Assign More as an option (below).  You can add multiple user accounts within this dialog  – each batch of users can  point to  a different node in the organisational tree.

It’s also possible to enter the same user account multiple times so long the user is assigned to  a different node in the organisational tree. Using this method the user will find they are able to access more than one sub-organisation in the tree which is useful if a single account is responsible for managing multiple schools. 

Currently the only way to update the allocated sub-OU is to delete and recreate the assignment. 

If the new local administrator navigates to admin.google.com they’ll  be presented with a dashboard containing just the Device management and Users icons. The whole organisational tree is visible but the custom role works like a filter. Users can only view and manage user accounts and chromebooks that fall under the allocated sub-OU for the role.

The method described would be appropriate for a district or multi school trust but could equally apply to a single school where the super administrator wishes to delegate admin rights for an intake year or class group. 

The rights as shown are fairly liberal but can be reduced without affecting the ability to be assigned to an specific sub-OU.

One last note. Even if you check in all the delegated rights you do not re-create a super account.
A super account maintains a even higher level of access rights which includes the ability to bulk load users and (oddly) the ability to update a user to share contact information. I'm sure there are many more.

My thanks go to Aled Owain Jones, Technical Support Officer for Conwy County Borough Council, Wales for working through these examples with me.

Sunday, 19 March 2017

Should education learn to love hybrid IT?

Hosting local servers and running a serverless school might sound like a contradiction but it isn't because every site needs local compute to provide edge security, wireless access and move data packets around the network.

It’s not the tin-box itself that’s the problem but the way it’s managed and maintained.

Take for instance your firewall, content filter or core switch. You turn it on and it just works. It has a web-interface that’s easy to access and update. It’s possible that the device is taking software updates directly from the internet and sending status updates back to base to be proactively managed.  An annual subscription fee ensures that if it goes wrong the supplier will replace it with the same or improved model.

At this point it’s no longer a server but an appliance. It’s simple to manage and not your problem if it goes wrong.

What if your remaining on-premise server estate could work in the same way and could be managed and financed the same way as your cloud resources.  What would a Hybrid IT  appliance actually look like?

First, like all SaaS subscription services there is little or no up front costs. The school doesn’t own the hardware, that would remain the property of the supplier and the school just pays for the service. Basic functions such as Active Directory and file and print  are built in, along with network services such as DNS and DHCP.  It also has extended facilities such as edge security and content filtering, all managed through a simple to use web console without any visibility of an underlying operating system.

The school has the ability to configure each service but the management of the device remains solely the responsibility of the supplier. They have control of resource allocation, security, OS patching, backup and recovery. Backup images and configurations are streamed to the cloud as a background process without any user interaction. Loss of the device due to a local disaster simply triggers a replacement device and a recovery from cloud storage under an SLA agreement.

This new type of hybrid device is designed to work alongside SaaS and to complement its function. The school is likely to be running Microsoft Office365 or Google G Suite for Education so most of the heavy lifting of email and shared storage is already in the cloud.  The appliance will take advantage of this and be pre-configured to link the onsite and cloud directories and use cloud storage as a backup repository.

The school never has to invest in underutilised capacity because the cloud service absorbs any immediate growth and since the school doesn’t own the device there is no replacement cycle to plan for.  Over time the the role of the device many change, requiring smaller or larger capacities. In this case it’s a simple case of arranging a swap out and an update to the subscription terms.

The appliance has enough spare capacity to host a dedicated virtual server if you need to run a print management system, SIS or VLE making it adaptable to specific requirements.

In this case the responsibility for patching and maintaining the image returns to the local IT support team who really should be planning for SaaS alternatives rather messing about with local operating systems !

Is any of this realistic ?

The Linux Schools Project has a well established offering that covers some of these areas. The server distribution is known as Karoshi and can be installed on most hardware platforms but it’s still locally managed.

Recently a fully featured commercial offering has emerged from Zynstra that embraces the subscription model. At a technical level the offering works pretty much as described above.

While the device itself delivers an comparable service to local server farm the school does not own the hardware and has no visibility of the underlying operating system - delivering an on premise service without the hassle of maintaining on-premise hardware.

In this way schools can remove the roadblocks that often stand in the way of full cloud migrations by keeping some workloads local while funding and managing the service in same way as SaaS, with many of the same advantages.

A marriage made in the clouds in fact.

Friday, 17 February 2017

Microsoft as a Service

Note: Microsoft outlined exactly this strategy in a update to the educational website in May 2017.

Is it possible to run a school with Microsoft technologies without managing any servers at all ?

We're not just talking about on-premise servers but ANY servers, including those concealed in offsite datacenters or running on an IaaS platform like Microsoft Azure.  A true Microsoft ‘serverless school’ has no domain controllers, no Hyper-V farms, no Remote Desktop, no SCCM, no ADFS, no servers for imaging, patching, antivirus or backup. In fact no servers at all. 

Can it be done ?

Last year the answer was ‘maybe’ but it’s clear that the message now coming out of Redmond is ‘definitely’ and reading between the lines it seems be the template for the future.

In terms of the functions mentioned above everything can now be replaced by a “Software as a Service” solution provided by Microsoft and of course with SaaS there are no servers to manage.

Active Directory (AD) is the easiest one to replace because Microsoft has been running a cloud service for years now. It’s called Azure Active Directory (AAD) and every tenant of Office365 already runs an instance of this service. Extending ADD using Azure Active Directory Domain Services lets you join Azure virtual machines to a domain without the need to deploy any domain controllers at all.

At the moment this strategy has a licencing cost that few schools could absorb but that's easily solved because all new Windows 10 devices have the ability to link to AAD directly rather than to traditional AD using a process called Azure AD join. Once enrolled the management of these devices is through  InTune rather than group policy or SCCM as Microsoft moved to adopt an MDM approach in order to capture a wider range of platform types.

Patching and the security of the Windows10 devices will be managed directly by Microsoft through the new feature update service while the servers… of course there are no servers. Microsoft Office client apps will use a new facility ominously called “modern authentication” which uses the SAML federation service in AAD to provide a Single-Sign-On experience.

None of this is very new but two announcements have raised the stakes.

Microsoft recently launched Intune for Education, a version of the device management service that’s specifically aimed for schools. The emphasis is on ease of use and contains a policy set tailored for education which defines some useful predefined functions such as online testing. Apps are drawn directly from the Windows Store and admins will be able to control which apps students and teachers can see and install. Included in the bundle is School Data Sync a tool that channels data from a selection of common Student Information System into WAAD to provision online classrooms and teacher/student accounts.

When placed alongside Office365 for Education, which features all the standard Microsoft productivity tools as well as OneNote and Microsoft Classroom it’s clear that this strategy is pitched directly at countering the cloud centric approach of Google's G Suite for Education.

The second move was the announcement of a simplified version of Windows 10 that's designed to run Microsoft’s Universal apps from the Windows Store and is rumoured to be free for vendors to install. This is pitched to challenge the success that Chromebooks have enjoyed in the education space and clearly validates the cloud first approach.

The Roadmap for Education,
As a complete solution you are unlikely to see this setup running a school in the near future and it might be that Microsoft is just throwing sand around to buy enough time to reorganise the delivery model and licencing plans.

Whatever the situation the point is this;

The future for IT does not require servers and now both Microsoft and Google are painting the same picture.

From the Microsoft viewpoint this strategy is a difficult sell to education. The model is so radically different from the one they have been licensing, supporting and deploying in schools for over thirty years, the pitch could easily be coming from another company. Just sorting out the licensing will be a massive chore although they have have already made a start on that.

How much of the current on-premise investment can be carried forward into the brave new world of “Microsoft as a Service” is debatable and while the IT team are heaving servers and Windows 7 clients into the dumpster they just might just decide to look at G Suite for Education rather than wait for Microsoft's offering to mature because it's now clear that both are offering the same vision of the future.

From Google's perspective having Microsoft challenging them in so many areas is a move that shouldn't be underestimated.  Redmond may not be the first to the party but they always seem to leave with the girl!

Monday, 6 February 2017

The Serverless School - Hall of Fame.

Talking to educationists in my day job and at meet-ups and shows it's clear that, without any fanfare or fuss or even much technical assistance, quite a few schools have already made the move to 'go serverless' .

In some cases the move was prompted by financial pressures but most often it was just the realisation that the incumbent system wasn't delivering on the early promise and was now just a drag on innovation and change.

Going forward I plan to feature some of the stories with a view explaining how it was achieved from a technical point of view but also the motivation behind the change.

Most of these sites are in the UK but if you have a story you'd like to share regarding your school please drop me a line from the contact panel and I'll feature it on the blog.

The first of these is a school in the north of England that's taking a whole new approach right across the board.

XP School - Doncaster - UK

Wednesday, 1 February 2017

Wire, wire everywhere..

If you are planning a school network with a view to supporting mobility and a SaaS resource like G Suite for Education then one of the technical aspects that's often overlooked is the physical wiring. In this respect we are referring to the sockets on the wall that you plug your network cable into.

How many do you need, how are they connected and where are they best located?

At this point the thought might hit you: “What’s a network cable? I haven’t used one of them for years.”  You might also reflect that although everyone around you seems to be consuming the internet at a furious pace, your home and your favourite coffee shop doesn't come with any network sockets at all. So why does your school need hundreds and sometimes thousands of them ?

The fact is that most modern client devices are wireless based and the technology has progressed to the point where Chromebooks, iPads, Android tablets MS Surface devices don’t even have a standard RJ45 network port. Without purchasing an adapter you couldn’t plug them into the wall even if you wanted too.

When you consider that the cost of providing each of those sockets (after you have taken into account the cable, terminations, installation, testing and switching) is around £100 you get some idea of how much money was wasted by the ‘just in case’ approach that was common in the pre-wireless days but which is still around today.

It wouldn't be so bad if this was the limit of the wasted resources but it's not. In the UK guidelines require that all network points installed into a new build are active. This results in the bank of unused ports being matched by an even more expensive rack of unused switches all linked by underutilised but costly high bandwidth interconnects.

The irony of the situation is that most of the traffic is only heading towards the web anyway so after zipping across a 10Gbs backbone it’s then forced down a low bandwidth pipe because, after purchasing all the switching and redundant network sockets, the school doesn't have the budget for a decent internet link.   Crazy doesn't even come close.

While it’s clear that a new build school could save a significant amount of money by adopting a design with far fewer outlets that’s optimised for wireless, this strategy also has some lessons for schools looking to upgrade their internal infrastructure.

The normal approach is to launch an expensive hardware replacement program in the hope that bigger and faster will deliver the required change.

But how does this help when all the exciting, and transformative learning resources are no longer on the internal network?  You're just going nowhere quicker!

The aim should be to get clients onto the wireless network and then out onto the internet as fast as possible and this simple objective doesn’t require a mass of cabling and switching hardware.

So what's the plan ?

Invest in a good managed wireless network. For the features on offer there are some great deals around at the moment using the new IEEE 802.11ac standard. Check out vendors other than the established names. Don't pay for features unless you plan to use them.

Make sure you have quality cables running to high level locations. If necessary lay new cable to those sites pulling it back to a PoE capable switch at the core rather than spending money on maintaining low level ports that nobody will be using. Incorporate IP CCTV into this plan if you have it.

Look at the rest of the network. What else could be moved to wireless? Digital signage is a good candidate along with softphones on personal mobiles instead of fixed desk IP phones.

Where are the areas that still need fixed ethernet?  Administration offices, front desk, the teacher walls and maybe specialised technology and media devices. However your plan should be focusing on providing a solid wireless signal across the school before looking at areas that would benefit from a fixed network port.

If you have printers liberally scattered about you won’t have any money to fix the network anyway because the budgets already allocated to paper, laser cartridges, leasing contracts  and print management licences.

If you are still left with hundreds of devices still requiring an RJ45 socket (really!) there is a cheap solution - reuse some of the switches you already have. When your fixed clients are consuming SaaS resources, a 10/100 switch will be just as fast as a 1Gbs model because in a serverless school the internet connection becomes the constraining factor not the speed any particular switch or interconnect. Just don’t plug any wireless access points into them.

Now while some of these suggestions may not be practical or directly applicable to your situation the fact remains that one of the main reasons why networking is so expensive is because we are still patching like it’s 1999.

Just don’t do it.