Tuesday, 3 November 2020

GDPR and the Google model contract.

It's a universal truth that a parent on the board of governors of a British school will at some time ask the question:

             "Where does Google store the school's data and is it within the EU?"

The first response to this question is that GDPR itself does not require data to remain within the EU. 

The second fact is - GDPR is whatever you decide it is.

To this end the Department for Education and Google have negotiated what is called a 'model contract' which defines what GDPR compliance means with respect to using Google Cloud as a Data Processor.

So long as Google sticks to the clauses of the model contract and the school agrees to the same clauses, both the school and Google are working within the GDPR framework. Although the model contract does not require Google to hold data exclusively within the EU, it's almost certain that the school's data is stored in the datacentre in Dublin. However, it's likely that recovery copies also exist in other data centres outside the EU.

The more important question is where does the school agree to the model clause?  

It can be found in the admin console under Account Settings - Legal and Compliance.

A school administrator needs to accept the model contract clause and also fill in the details of the local data officer. If these actions are not completed the school is technically non-compliant if, in the unlikely event, it ever came to a data audit. This fact is probably more important than worrying about exactly where the data is stored.

Of course if the school has an independent GDPR policy which states that all data MUST remain in the EU then you'll have to migrate it all back to local servers.

Hold on... England's not in the EU either.   Hmmm - USB sticks.

Tuesday, 6 October 2020

Managing Digital Displays with Intune.

A common requirement for schools is the management of digital displays. While there are dozens of excellent SaaS applications that will do the job perfectly well, it’s also possible to put together a workable solution using the standard features provided by Intune and third-party resources such as Google Slides without any additional cost.

One of the more useful features of Intune is the set of preconfigured device templates, and one of these is Single Application Kiosk, which is exactly what you need for digital displays. It’s not worth going through the details of how this is set up as it’s covered in a number of other posts, including this excellent video walkthrough. Rather, this post lists some of the tweaks that take this general idea and make it work in practice.

One tip mentioned in the video and worth repeating is that you really need to set a maintenance window when you configure the kiosk policy. You really don’t want your digital player to be rebooting in the middle of the day to take a feature update.

You don’t need any special Windows app to run a web session in kiosk mode - Explorer/Edge will do nicely. The standard kiosk policy takes care of all the auto-login and full screen requirements without any extra effort on your part. What you do need to do is create a separate policy to control the target URL for the display.

This is done by creating a new Device restrictions policy, as shown below, substituting your own value for the URL.

If you are running a number of displays all presenting different slide shows, each will need its own policy assigned through a security group containing the appropriate display device. Changing the display then becomes as simple as moving the device between groups.

You need to be a little careful working with Kiosk mode as some of the features, such as autologon, will conflict with standard security settings set in other policies, especially if these are held by the All Devices group. The best approach is to create an All Digital Displays security group and then explicitly exclude it from all policies set on All Devices unless it carries a policy you require.

Applying your policy should force an autologon and present a full screen display, so you might well believe it’s a job well done - not quite. If you return in ten minutes you’re likely to find sleep mode has kicked in and your screen is now a blank page.

Intune has a number of configuration policies that control aspects of sleep mode but these are not always effective in kiosk mode. The solution is to create a new custom profile type with three OMA-URI entries using the information below.

Name: DisplayOffTimeoutPluggedIn

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Power/DisplayOffTimeoutPluggedIn

Data type: String

Value: <enabled/><data id="EnterVideoACPowerDownTimeOut" value="0"/>

Name: StandbyTimeoutPluggedIn

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Power/StandbyTimeoutPluggedIn

Data type: String

Value: <enabled/><data id="EnterACStandbyTimeOut" value="0"/>

Name: HibernateTimeoutPluggedIn

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Power/HibernateTimeoutPluggedIn

Data type: String

Value: <enabled/><data id="EnterACHibernateTimeOut" value="0"/>

Once these are set and applied to your security group the display will stay fixed.

It's also worth checking if your hosting device has a BIOS setting that allows reboot on power loss. This is a standard feature on the Intel NUC and allows the screen to recover to the display from a power on without any manual intervention. You don't really want to be searching for the on/off switch when the screen is 2m from the floor.

In this example I used a Google Slide that’s published to the web as the target. You can use any URL or third party resource. If you know how to replicate the functions of published Google Slides with Microsoft PowerPoint please drop me a line.

If you are using a third party platform it's likely that the display will be driven through a local application that controls the update cycle. Using a simple URL like the one provided by Google Slides allows you to control the advance rate but not its refresh. Once the slide deck is loaded it's cached locally, which has some advantages if the internet connection is dropped, but it also means that new information is only going to be visible once the URL is reloaded.

The easiest way to guarantee a URL reload is to schedule a reboot of the device. This can be achieved using another custom profile type.

Name: ReoccuringRebootSchedule

OMA-URI: ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent

Data type: String

Value: 2019-10-01T02:00:00Z

The date and time value is in ISO 8601 format and both are required. This will reboot the device each day at 02:00 am to ensure the presentation is current for each day.

Other reset options can be found in this post.
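The four OMA-URI settings from this post can also be kept as code and linted before they go anywhere near a device. The script below is an added example, not part of the original post: it checks each value and builds the request body for a Microsoft Graph `windows10CustomConfiguration` custom profile. The profile display names and the lint rules (the power value must be a well-formed fragment starting with `<enabled/>`, the reboot value must carry both a date and a time) are assumptions of this example.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime

BASE = "./Device/Vendor/MSFT/Policy/Config/Power/"
# (name, OMA-URI, value) exactly as listed in the post.
POWER = [(n, BASE + n, '<enabled/><data id="%s" value="0"/>' % i) for n, i in [
    ("DisplayOffTimeoutPluggedIn", "EnterVideoACPowerDownTimeOut"),
    ("StandbyTimeoutPluggedIn", "EnterACStandbyTimeOut"),
    ("HibernateTimeoutPluggedIn", "EnterACHibernateTimeOut")]]
REBOOT = [("ReoccuringRebootSchedule",
           "./Vendor/MSFT/Reboot/Schedule/DailyRecurrent", "2019-10-01T02:00:00Z")]

def parse_power_value(value):
    """Return {data id: timeout}; ValueError if the fragment is malformed."""
    try:
        root = ET.fromstring("<r>" + value + "</r>")  # fragment has no single root
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc)
    if len(root) == 0 or root[0].tag != "enabled":
        raise ValueError("value must start with <enabled/>")
    out = {}
    for d in root.findall("data"):
        if d.get("id") is None or not (d.get("value") or "").isdigit():
            raise ValueError("each <data> needs an id and a numeric value")
        out[d.get("id")] = int(d.get("value"))
    return out

def reboot_time(value):
    """Return HH:MM of the daily reboot; ValueError if date or time is missing."""
    stamp = datetime.strptime(value.rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
    return stamp.strftime("%H:%M")

def build_profile(display_name, settings):
    """Validate each setting, then return a Graph body for a custom profile."""
    for _, uri, value in settings:
        if "/Policy/Config/Power/" in uri:
            parse_power_value(value)
        elif uri.endswith("/Reboot/Schedule/DailyRecurrent"):
            reboot_time(value)
    return {"@odata.type": "#microsoft.graph.windows10CustomConfiguration",
            "displayName": display_name,
            "omaSettings": [{"@odata.type": "#microsoft.graph.omaSettingString",
                             "displayName": n, "omaUri": u, "value": v}
                            for n, u, v in settings]}

if __name__ == "__main__":  # display names below are made up for this example
    print(json.dumps(build_profile("Digital displays - stay awake", POWER), indent=2))
    print(json.dumps(build_profile("Digital displays - nightly reboot", REBOOT), indent=2))
```

Keeping the two profiles separate mirrors the post, and a value that fails the lint raises `ValueError` before any body is produced.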

Thursday, 10 September 2020

AI - the second wave of SaaS.

If nothing else the events of the last few months have highlighted the limitations of traditional IT solutions based on servers and local data.

Schools that embraced cloud storage and SaaS have found the adoption of remote learning an easier pathway than those with teaching resources locked up behind firewalls or maintaining a heavy reliance on server based applications.

For education it’s been a significant change. Numerous SaaS programs were fast tracked over the summer break and there’s no returning to the old way of working. In the future IT systems will be designed to allow the efficient consumption of SaaS services without the requirement for local stateful data. While people talk about a hybrid scenario it’s really only an interim solution or a ramp to move processes and data offsite. The future is firmly SaaS.

While remote learning is an immediate payback of this transition it’s only a small part of the SaaS advantage. Previous posts have discussed other elements such as cost management, scalability and the levelling of the ‘tech’ playing field but perhaps the biggest advantage has yet to be realised.

ADS - Classroom Dashboard

Visualisation Suite for Google Classroom.

Once data is centralised in the cloud, a canvas that was once just fragmented shards of black and white expands into a kaleidoscope of colour painted by Data Analytics and the emerging field of Artificial Intelligence (AI).

The resulting landscape is not just better than what we have currently but completely new. It’s the same transformation that drives the success of platforms such as Amazon, Facebook and Google and it’s inevitable that both processes will have an important role to play in education.

Most schools and businesses already make use of Data Analytics and AI. Microsoft’s Data Loss Prevention (DLP) features rest on top of these platforms as do most of the processes that intercept email spam and control the threats to your internal network. AI based systems have the capability to draw relationships between seemingly unrelated points of data and then use this information to improve the response. The power of continuous improvement should be familiar to anybody who works in teaching and now it can be put to work in a practical way, analysing the school's data resources in ways that were impossible only a few years ago.

The information stored in platforms such as Google Classroom and Microsoft Teams can be opened out in new and exciting directions. Not just the simple lists of students and classes (although this is useful enough) but insights into how it’s being used, identifying those students who are engaging, those who are being left behind. Not just raw numbers but the patterns of use within that data drawn out across year groups, subjects or any label type and then presented in a secure way using a web dashboard.

Every school using Google G Suite and Microsoft Office 365 already has access to an advanced analytics toolset through Google Cloud Platform (GCP) or Microsoft Azure but because they are not fully understood they are rarely used. This is almost certain to change because the benefits of adopting this toolset are almost limitless.

Established SaaS platforms such as Securly use an AI engine to scan messages for signs of depression and self-harm that's capable of understanding local nuances and working across language barriers. Senso.cloud offers a visual threat intelligence feature as a standard component in its safeguarding product, also using AI.

Other companies such as Applied Data Science are working with trusts in the UK to help them build customised analytics platforms that open out the data they hold in platforms such as Google Classroom. The result goes far beyond the simple snapshot view that you get with a spreadsheet download, providing ongoing analysis that can expose trends and patterns over time and give real insights into how a school or Trust is operating and performing.

The real takeaway for education is the fact that none of this is particularly difficult or costly to implement. Once the school has adopted a SaaS platform the data is in the cloud and the delivery platform is in place (GCP/Azure). Both come with a generous free tier that can be used to trial a service. No local infrastructure is required (of course) and ongoing costs are mainly limited to data storage.  Data remains within the same security boundary controlled by the school or Trust -  it’s just moved from one database to another. 

The data is already there, it just needs to be put to work. 

Disclosure: The Serverless School provided consultancy services to Applied Data Science to help realise the Visualisation Suite for Google Classroom.