Wednesday 27 December 2017

Microsoft paints a cloudy picture for EDU.

At this year's annual Ignite conference for developers and IT professionals, Microsoft outlined in some detail what a Windows based system will look like in the future. There was no ambiguity, it was laid out very clearly with template designs, business scenarios and migration strategies, and the story is this:

Microsoft want you to work from the cloud using Azure as a service infrastructure and Office365 as your productivity platform.

You can still have on-premises servers but it's increasingly likely that these will be used to support legacy requirements or as an aid to consume cloud resources more effectively.

Going forward, Azure Active Directory will replace local Domain Controllers with Modern Authentication and direct links to third party SaaS providers, while device management moves away from Group Policy to an MDM model all controlled through Intune.

The new deployment strategy does not require imaging servers. A Windows 10 device can now be placed under policy control and upgraded to Enterprise licensing without local systems being involved. Software upgrades and security updates will be pushed out from Redmond's centralised patching system without any requirement for WSUS or System Center Configuration Manager (SCCM).

The device in the user's hands will become far less important. I'm not sure Microsoft really cares anymore whether you are using a Microsoft Surface or an iPad so long as you are consuming resources and licensing from Azure and Office365. The user will always have a more complete experience running MS Windows but if you want to run the Office365 Android apps on a Chromebook, that's just fine so long as there's an Office365 licence to back it up.

Data will be stored and accessed directly from cloud storage using protocols that are far better suited to the mobile environment than a Windows server file share. New services such as Microsoft Teams for Education will be cloud only.

Are you seeing a picture emerge?

This is Microsoft's vision for the modern workplace and it's how many businesses already operate using competing platforms such as Google's GSuite for Business.

It’s a “cloud first” approach.

You don't even have to guess what the future is going to look like any more: it's a published strategy with product roadmaps, timetables and working examples.

So why is education still investing heavily in complex local infrastructure with fixed point PCs running expensive, locally installed, proprietary software?

It's not how a modern startup company would work today, let alone in ten years' time when this year's student intake walks out the gate. It's an outdated, expensive approach that's moving further and further away from what a student will experience in the workplace.

So let’s make a New Year resolution to start thinking seriously about designing educational IT like it’s 2018 and not 2008.

Cloud first is cheaper, better, more innovative … and to be honest you no longer have a choice.

Sunday 12 November 2017

Teams v Classroom - when worlds collide - Part 4

This is the final part of a multi-part post that examines the new Microsoft Teams for Education with reference to Google Classroom. This post focuses on mobile and provides an overall summary.

Part 4: Teams for Education on mobile devices.
Like Classroom, MS Teams has a set of mobile apps that provide a native experience on both Android and iOS.

Mobile is an important element of the overall strategy as Classroom is often used as a bridging technology across iOS and Windows devices. For those schools firmly embedded with Microsoft this can act as an initial introduction to Google, which is a situation Microsoft is keen to avoid.
This highlights another key difference between the platforms.  Although Classroom is closely integrated with GMail - it’s also loosely coupled, which is a very clever trick.  This means that Classroom can be deployed using Office365/Exchange as the mail engine. The only core requirement is Google Drive and Classroom itself.
Teams for Education doesn't have a specialist app, it's just Teams along with Sharepoint, OneNote and OneDrive. On mobile it's a bit of a cooperative effort.

The Teams app only runs on iOS 10, which means there's no support for either the iPad 2 or the iPad 3.

This isn't a problem in the corporate world but schools with class sets of the Gen3 models will need to plan for an upgrade.

Testing with the Android version lists the Teams and the corresponding channels in a functional, clean looking interface.

A Teacher gets the ability to create, delete and edit channels.  Students can be added and removed from the Team and muted from the chat.

From the student's viewpoint they can list the Teams and contribute to the conversation thread in each channel. However there's no visibility of the assignment calendar or any way to interact with the document store; in this respect the app acts mainly as a messaging client.

Loading the SharePoint app displays the documents but there's still no Assignment calendar and as you might expect the Notebooks are only available using the OneNote app (below).

Falling back to the web interface is not an option as both iOS and Android devices return an unsupported message when navigating to the Teams URL.

I suppose the conclusion is that it’s all there (except the calendar) but you just have to look for it.

Microsoft Teams: The End of Year Report Card.

Microsoft Teams for Education wouldn't exist without the challenge of Classroom and it's clear that the first release is closely modeled on its main competitor.

This is both a good and a bad thing. Google has taken three years, a ton of feedback and dozens of minor iterations to slowly evolve Classroom into the platform we see today. In contrast Microsoft has been forced to hit the ground running, trying to deliver a product which is a marriage of a number of different technologies.

In this respect Classroom is similar. It's built on top of Google Drive, Calendar and Gmail but it doesn't feel like that; it works and operates like a stand-alone product. Teams on the other hand still looks and feels like a 'mash-up'. The joins between OneDrive and Sharepoint are clearly visible and are glued together by elements such as the Calendar Assignments view, which doesn't seem to live anywhere.

Teams also shows its business pedigree by including a number of features and configuration settings that are likely to be 'exploited' by students. I'm not sure what Meetings and Calls is supposed to add to a classroom environment?

On the whole it just feels a bit disjointed: files are stored in multiple locations (Sharepoint sites and OneDrive), scheduling is only visible in Teams, the workflow around assignments is a bit strange, the mobile strategy is still evolving and some key management functions are missing.

I can see Teams working with older year groups who have the patience to understand how all the elements fit together but for younger pupils, it's just not that easy to use. In the workplace you can get away with this level of complexity but in education simplicity wins every time.

In its defense you have to remember that this is an early release, and looking back to Classroom version one, which was a bare bones product when it was first launched, it's not a bad attempt.

There's no doubt that Microsoft are playing catch-up but it is also a game they have played many times before and emerged successful.

So how committed are Microsoft to producing an integrated platform to take on Classroom?  You'll know this time next year.

Update: 17th November 2017:

This time next year - or maybe earlier.

Microsoft has just announced a raft of updates and planned improvements to Teams for Education.

It looks like the Team mobile client will be getting an update to allow it to access assignments and the Assignments calendar is getting an agenda view with a search function, which is a big plus.

A future update will allow teachers to distribute assignments to multiple Classes as well as adding grading support for OneNote and a range of other features.

Check out the Microsoft post for the full list.

Wednesday 8 November 2017

Teams v Classroom - when worlds collide - Part 3

This is the third part of a multi-part post that looks at Microsoft Teams with reference to Google Classroom. This post examines the role of Assignments.

Part 3: Assignments.
Assignments is a tool for teachers to create, distribute, track and review student work that duplicates a similar capability in Google Classroom. In both platforms the basic workflow is the same and follows the paper trail common in most schools.

The teacher has the ability to set a task against a turn-in date which can be linked to resources such as a worksheet or a document template. Documents are automatically duplicated into each student's workspace and can be edited collaboratively using features such as commenting and chat.

Students have a turn-in option that returns the work to the teacher who can monitor the status in a dashboard view. The assignment can be marked and returned to the student with the platform controlling the process throughout.

The first thing that strikes you about Assignments is that up until now Teams have largely been organised through Channels but Assignments only work at the General level. There doesn't appear to be any way to link them to a channel/stream or classify them in the way that Labels work in Google Classroom.

So to create an Assignment you select the Assignment tab on the General channel and select “New Assignment”.

After naming the Assignment, teachers can set a turn-in date, allocate a grading scale and attach resources. Reference materials are a common document set shared with all members of the team. Each Assignment can be allocated a set of MS Office documents that act as templates or worksheets which are duplicated for each student account. Only MS Office documents are accepted, copied from local storage or OneDrive, but not custom cloud storage at this point.

The Assignment can be saved as a draft but currently lacks the schedule option found in Classroom. Also in this early release there doesn’t appear to be any way to copy or reuse an assignment or issue the same assignment across multiple teams.

There's also no way of supporting differentiated learning in Teams other than creating another Team. When an assignment is set it goes to all members of the team without the ability to limit the distribution to a subset of students.

Once set, the task appears on the Teams calendar view (below) which acts as a dashboard for all the assignments in the Team. This arrangement has a few interesting features.

Each assignment must have a turn-in date because without a date there's no way to pin it to the calendar view. Even if the task is open ended it must have a date, and simply giving it a date well into the future requires the students to scroll forward in order to find it as there's no agenda style view. I suspect the short term solution is to set a recent time and date and then set "Late hand-in allowed".

Because the Assignment dashboard is a calendar, the view of upcoming work for students shows every task pinned to the day before submission.

If a teacher sets work for Wednesday 8th November it’s visible in the student calendar on Tuesday 7th November. Unless the student gets into the habit of scrolling forward through the five day view to get some idea of upcoming deadlines he/she could be in for some surprises and possibly a few late nights.

The second point is that unlike Classroom, the Team assignment calendar does not currently update personal calendars.

You can gain a view of assignments across multiple teams from the Assignment icon on the main menu, which works the same way for both student and teacher, but this information can only be accessed from the Teams interface.

Opening up an Assignment from the calendar view displays a dialog which allows a Teacher to delete or amend any of the properties; including the title, turn-in date and the attachment set.

The Review button displays a dashboard that lists the status of each student's Assignment and links to the working document set (below). Anybody familiar with Google Classroom will be completely at home with this style of presentation.

Like Classroom, the document icon provides a link which allows the assignment to be edited collaboratively by both student and teacher. Using this on a student Chromebook with Office webapps works very well, with features such as in-document commenting and chat creating an experience very close to Classroom.

However it's important to realise that all this work takes place within the Team's Sharepoint site; these files do not reside in the student's OneDrive. To work on the assignment requires Teams or Sharepoint Online, which isn't a problem but may need explaining to students (and staff).

Each student has a calendar view of the assignment that gives them access to all the resources needed to complete the task, including a templated Office document (Word/Excel/Powerpoint) which can be worked on collaboratively up until the point of submission.

An assignment is Turned-in using the custom button on the main assignment dialog (above). The teacher sees this action in the dashboard view as completed work with a time/date stamp.

Google Classroom handles this activity by changing permissions on the document. The student gets read only access and the teacher maintains edit rights. While the assessment is in the teacher's electronic 'in tray' the student cannot update the document.

Microsoft approaches the same problem by duplicating the document, giving both student and teacher update access to two completely separate documents. Interestingly the student maintains the right to turn-in the document multiple times up until the submission date. Every time the student hits Turn-In another version of the document is created in the Team's Sharepoint site. The teacher will always see the latest document in the dashboard but any comments or updates made to the earlier version by the teacher will be lost to view.

You can see the workflow in action by opening up the Team as a Sharepoint site. The assignment files are stored under the Site Content menu option and the Student Work subsite.

From here you see two further sub-sites. The first is for Working Files, where each student has a separate subsite containing a sub-site for each assignment. These are the working documents for the assignment.

The second is for Submitted Files, with the same structure except that each student assignment has a new sub-site called "Version n" which is created with a copy of the source document every time the student hits the Turn-In button. The teacher will always work on the most up to date version, until a new one is created.

Unfortunately with two versions of the same file it's a little too easy for the workflow to get out of step. There's very little point in a teacher commenting on or amending the student file prior to the turn-in date as the student can 'overwrite' the feedback at any point simply by hitting the 'turn-in' button and creating a new version for the teacher to assess. All the amendments in the first submission are lost to the student because they were made in the teacher's copy of the file, which the student only gets to see when it's returned.

The action to return the work to the student is initiated from the Post button in the Teacher's review dialog.

Any student assignment that has been graded is automatically selected, which allows the work to be marked and returned in batches, a useful feature. The teacher is also given the option to provide feedback in a separate input field.

The student sees the grade, the feedback and the updated status in the personal assignment view along with a link to the assessed document. The file version that’s returned to the student is the teacher mark-up in read-only mode. The teacher edits are visible as well as the feedback dialog but the comments are lost. From this point the editable version is not selectable from the student Teams interface. It just disappears from view.

Returning to the calendar view and selecting the document only returns the read-only Teacher version. There doesn't appear to be any way for the student to continue to work on the active document or re-submit for marking. Once the assignment is returned, it’s closed off.

The student can gain access to the editable version but only by dropping into the sharepoint site and navigating to

      <Team Name>  / Working Files / <student > / <assignment >/<document>

It seems odd that student work is editable after it’s been submitted but read-only once it’s been returned. Surely it should be the other way round?

Lastly, from a practical viewpoint there are some functional omissions from this release that I expect to see in future updates.

 - Teachers must be able to export the grade marks or feedback into a spreadsheet for analysis or import back into an MIS/SIS database. This is a popular feature in Google's Classroom offering and needs to be addressed without involving a Powershell script.

 - There needs to be some way to manage the lifecycle of a Team. As you create more and more Teams they simply stack up on the console. Other than deleting the Team there is no way to hide or archive a Team. Deleting a Team only removes the Office 365 group. The Sharepoint site remains, as do all the data files and user accounts, so this could be used as an option in the short term.

 - As mentioned earlier you cannot issue an assignment to a sub-set of your Team which makes differentiated learning an issue.

If I was to Turn-in Teams I think the assessment workflow element deserves a score of 60% with the feedback being “could do better”.

In the last post we’ll take a look at the cross platform mobile support and give a summary.


Saturday 4 November 2017

Teams v Classroom - when worlds collide - Part 2

This is the second part of a multi-part post that looks at the new Microsoft Teams for Education with reference to Google Classroom and shows how they can be used in combination.

Part 2: Using Teams.

Both Google Classroom and MS Teams can be accessed through a web interface, and in addition Teams has a locally installed Windows application which looks and acts very much like the web version, which is a nice integration.

Logging into Teams for the first time displays a similar interface for both the student and the teacher. Google has opted for a 'chunky' tile style portal which allows users to easily move in and out of each classroom, while the Microsoft interface displays each Team as a 'mini-tile' within an integrated dashboard.

Any Microsoft account granted Team access from the Office365 admin portal can create a Team. However an account with the Office 365 A1 for faculty licence is presented with an additional set of templates (below) that customises the Team for classroom use while a student just gets a standard dialog.

Not surprisingly the basic unit of organization is the Team which can contain both teacher and student accounts.

The meatball icon after the Team name gives you access to all the core management features including the ability to add members and update some Team settings.

As you might expect only Teachers get access to the management options.

The Add Members option gives you a dialog with a Settings tab.

As the Team is already templated for class use you can leave the majority of the settings unchanged with the possible exception of “Only owners can post messages” which mimics the “Only teachers can post or Comment” in Classroom.

The Theme section gives you access to a fixed set of icons that you can use to replace the standard tile graphic. These are not customisable at the moment.

One advantage of changing the tile graphic is that it shows up in the details dialog in the Office365 group management dashboard, which could be useful in identifying the item as a Team rather than a standard group.

Adding students to a Team is as simple as picking an account or an existing group from a list.

Note: It has to be an Office365 team or a Distribution Group; a security group does not work in this context.

The process 'seeds' the new Team using the accounts in the group. Adding or removing members from the original Office 365 group does not affect Team membership. There isn't yet an equivalent of the "Class Code" option that's available with Google Classroom, however for larger implementations you might expect Teams to be linked directly into the school SIS/MIS system for ease of management. Like Classroom there are third party tools that will do this and a free utility provided by Microsoft.

When you create a Team this automatically creates a General channel. Channels allow you to keep conversations and workflows focused on a specific subject area within the Team. You can dedicate channels to specific topics within the class using the Add Channel menu item.

Each channel can host a conversation, a file section and a notebook.

The conversation section represents a chat area dedicated to the specific channel and has some interesting properties, including an email address which can be accessed from the meatball menu to the right of the channel description. This allows you to post from an external email account right into the stream. This option to display the email address of the stream is also available to the student, which is a little surprising since it opens the door to the possibility of anonymous postings.

You can turn this feature off (it's on by default) from the Office365 console under Settings - Services and add-ins - Microsoft Teams - Email integration. Any inbound email to the channel address will now be bounced, but like everything in the console it is a tenant level policy only.

Other than the external address the conversation is restricted to the members of the Team in the same way that the chat function in Classroom operates. The conversation can incorporate attachments from other cloud storage accounts including Google Drive and Dropbox which is definitely a nice feature.

Also the ability to add giphy, smilies, emojis and stickers certainly adds to the fun factor but may not be appropriate in all circumstances. You can control these functions from the console (for the whole organisation) or at the Team level by accessing the options from the Manage Team - Settings dialog.

Outside of the Conversation settings for each Team there is a general Chat facility that allows a student to set up a private message group which can contain any other user within the organisation. It can be accessed through the Chat icon in the left hand menu bar.

If this sounds like something you'd like to avoid within your school, a control for this can be found in Settings - Services and add-ins - Microsoft Teams, Messaging section in the Office365 admin console (below).

If the option is turned off the Chat icon is removed from member sessions but is retained for Team Owners.

However, like all console settings this option operates at the organizational/tenant level only.

The Files section of a channel provides access to a dedicated SharePoint site related to the topic. A Microsoft Office document saved to this area is available to all team members, and documents can be opened and worked on collaboratively using the Office Online web tools. Like GSuite, the Office Online web tools provide a Chat facility for users actively editing the file, and all of this works very well on a Chromebook.

With this in mind the option to add Cloud Storage to the storage site provides some intriguing possibilities.

The screenshot above shows a GSuite Classroom folder mapped into the File section of a Team Channel, allowing you to navigate through the folder tree and open and edit a Google Doc (below) in exactly the same way as if you were working with Google Drive, which of course you are because it's just another web session.

Google Drive isn't the only storage option; you can enable other suppliers from the Teams admin section in the console, but the same limitation applies: it's an organizational level setting.

So where does OneDrive fit into all of this?

The answer is as the storage option for the whole site, working outside of the Channels and any individual Team you might create. OneDrive sits under the File option on the main menu bar and acts as the default personal document store for the student. But if you enable Google Drive it can also join OneDrive on the menu bar pretty much as an equal partner.

This all may look a little strange but it works fine. Office Docs in Google Drive open in read only mode but Google docs work as you would expect, or at least they did on my Chromebook. You don't get to see the Drive artefacts such as Recent, Shared with Me or any of the search features. The option to edit the document's Share details is also disabled but other than that it's just like any normal GSuite editing session.

OneNote has been used as a collaborative tool in MS based schools for a number of years now and has a well established workflow based on a shared workbook principle. Teams doesn't really add to its functionality but simply incorporates it into the framework of a Team channel.

In this respect a channel is essentially three elements brought together with a single set of access permissions.
  • Notes: A OneNote notebook with the teacher as the owner stored in Sharepoint.
  • Files: A Sharepoint Site.
  • Conversations: A hidden directory in Team storage (Conversation History\Team Chat) which is replicated to an Exchange Group Mailbox for compliance purposes.

The power of Teams is that every time a Channel is created all these resources are automatically set up and managed as a unit going forward.

The fact that Teams is built on top of Sharepoint is not hidden and indeed the meatball menu provides the option of opening the Team directly in the Sharepoint interface (above) which gives you additional facilities including the ability of importing existing Notebooks into a channel.

Another advantage of opening up the Sharepoint interface is that it gives you an insight into how Teams actually work. This is particularly useful when we look at the workflow around Assignments, which is covered in the next post.


Sunday 29 October 2017

Teams v Classroom - when worlds collide - Part 1

After Microsoft pulled the preview edition of MS Classroom earlier in the year the focus moved to Teams for Education as the primary collaborative workflow platform. This places it up against Google Classroom, part of GSuite for Education, which has proved highly successful since its launch in 2014.

At the overview level the two competing software suites have a lot in common.

Both are cloud only and provide a blended learning platform that simplifies the creation, distribution and grading of assignments as well as creating secure, controlled communication areas using instant messaging type interfaces. Collaboration is a key feature of both offerings as well as anywhere learning and cross-platform mobile support.

And since they do the same thing, they must work in the same way, right?

Well, not quite, and since I suspect schools will be looking closely at both platforms in the near future here's a side by side comparison from the user and admin perspective. This multi-part post is not intended as a 'smackdown' but an impression of the Microsoft Teams platform gained from using both products, focusing on administration, usability and overall impressions. It might also prove a useful guide for schools who plan to use both!

Part 1: Administration.

Both platforms are managed through a web console and share a basic similarity: there's not much you can control and see at the admin level. This is to be expected because the whole idea is to place the day-to-day control of the Classroom or Teams back into the hands of the teachers.

Google GSuite for Education uses the membership of a reserved group (Classroom-Teachers) to determine who has rights to create a Classroom. Microsoft uses the allocation of the Office 365 A1 for faculty licence in the same way. This doesn't prevent a student from creating a Team, it's just that they don't get access to the template that adapts the Team to provide the custom workflow. The fact that you can't easily stop students from creating Teams is a reflection of the fact that Teams is a product built for business that's being adapted for education, while Classroom is built from the bottom up for schools.

At the moment you can only control access to Teams at the Organizational/Tenant and User levels; there's currently no equivalent of the control that a Google sub-organization provides. This might not be a problem for a small school or even a large one that's all-in with Teams, but managing a phased roll out or a Multi Academy Trust or District could prove challenging. Microsoft's long term solution is group-based licensing, which comes closer to Google's approach, but this feature is still only available in Preview. Until then the fallback is a Powershell script, as it is with most Microsoft products.

Teams are managed through the Office365 admin portal but without a dedicated management icon. Configuration information can be found in Settings - Services and add-ins - Microsoft Teams. All the control options operate at the organizational/tenant level.

For this reason it is not yet possible to fix a setting for a subset of users that might represent a year group or class set. Again this is more of a restriction for an organisation with differentiated user groups, like a school, than it might be for a business.

Even with this limitation there are a number of settings that are quite useful. The first is the ability to enable the T-bot proactive help messages.

In some respects this is a response to the G Suite Training facility that offers simple training lessons to get you up and running with the Google application set. Currently this seems to be limited to a chatbot style interface with embedded video but it will be interesting to see where this goes in the future.

Another section allows you to enable custom cloud storage providers to supplement OneDrive, an option that includes Google Drive.

The inclusion of Google Drive is pretty surprising and creates a genuine opportunity to integrate the two systems and we’ll investigate how this might work in a follow up post.

You can also remove the relationship between the licence and access to Teams. Using this it would be possible to 'turn off' access to Teams for all students. This doesn't remove the icon but gives a licence error on selection. Conversely, if Teams is not working for the students' accounts, this is one option to check.

Like Google Classroom, a Microsoft Team is really just a specialised group with a few application bolt-ons but unlike Google Classroom, Teams can be managed through the standard admin Groups dashboard appearing as type “Office 365 group”.

Users can be added and removed and the details of the Team (such as name) updated. You can’t create a Team using the Groups dashboard, only amend and delete it. The delete option may cause an issue as you cannot differentiate between a Team and a standard Office 365 group and since students can also create Teams with duplicate names you can see what’s likely to happen.

Turning off the ability for students to create Teams currently requires the version of the Azure Active Directory Module for Windows PowerShell that is still in preview.
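As an added illustration (not from the original post), the script below shows the shape of that PowerShell fallback: it uses the preview Azure AD module's directory-setting cmdlets (Get-AzureADDirectorySettingTemplate, New-AzureADDirectorySetting, Set-AzureADDirectorySetting) to switch off Office 365 group creation for everyone except the members of one security group. The group name "Teams-Creators" is a placeholder for whatever staff group a school would use; the cmdlet names and the "Group.Unified" template are the documented ones, but the tenant, group and the admin account are assumed.

```powershell
# Added example, not the post's own script. Requires the AzureADPreview module
# and a tenant admin sign-in; the security group name below is a placeholder.
Connect-AzureAD

$allowedGroupName = "Teams-Creators"   # placeholder: staff who may still create Teams
$allowedGroup = Get-AzureADGroup -SearchString $allowedGroupName | Select-Object -First 1
if (-not $allowedGroup) { throw "Security group '$allowedGroupName' not found" }

# The Group.Unified template carries the tenant-wide settings for Office 365 groups,
# and since a Team is just an Office 365 group with bolt-ons, this governs Team creation too.
$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }

# A tenant has no setting object until one is created from the template.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    $setting = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
}

# Block creation for the tenant, then exempt the one allowed group.
$setting["EnableGroupCreation"] = "False"
$setting["GroupCreationAllowedGroupId"] = $allowedGroup.ObjectId
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Check the result: expect EnableGroupCreation = False and the group's ObjectId.
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values
```

Two caveats follow from the post's own observations. The setting is tenant-wide, so it applies to every Office 365 group, not only Teams, and students in the allowed group can still create Teams (without the classroom template). It also does nothing to Teams that students have already created; those still have to be found and removed through the Groups dashboard, where, as noted above, a Team and a plain Office 365 group look the same.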

In the next post we’ll examine Teams from the user perspective, see how Google Drive can fit into the picture and investigate a few more admin settings that might make your job a little easier.


Sunday 24 September 2017

Chromebooks and Office365 - surprise!

Chromebooks can be a surprisingly useful tool in reducing the device management overhead for schools that are standardising on SaaS applications such as Microsoft Office365.

This is mainly due to the fact that Chromebooks handle imaging and updates in a completely different way to traditional Windows clients, which depend on a suite of local software such as WSUS, MDT and SCCM.

The Chromebook model can be a bit of a culture shock for Microsoft admins who are used to managing infrastructure and controlling every aspect of the update process. However, once the basic concepts are understood, the initial scepticism is normally replaced with a sense of relief that one of the more tedious elements of desktop management, imaging and updates, has at last been fixed.

So from a Microsoft sysadmin’s perspective what are the surprises when working with Chromebooks?

Surprise One: There’s no image.
Unlike a Windows client, the local admin does not build, maintain or deploy a Chromebook image. The work of integrating, patching and regression testing still occurs but that’s all done by the Google smarts. The local admin only sees a fully formed download. Each Chromebook is delivered from the manufacturer with a running version of the operating system (ChromeOS) which will automatically update to the latest release once the Chromebook connects back to Google. Behind the scenes each version of ChromeOS has a specific image matched to the hardware so everything stays in step with the model of the Chromebook.

Surprise Two: There’s no patch set.
ChromeOS moves forward as a series of minor and major point releases. There is no concept of a security or application patch which is independent of a point release. This system avoids the possibility that a security patch or application upgrade could introduce instability into the system when combined with a specific OS version. For this reason there’s no requirement to invest in auditing tools to provide a patching profile of each client device. If a Chromebook is running version 61.0.3163.101 that’s all you need to know: the version string alone tells you its patch level.

Surprise Three: There’s no gold build or extra security requirements.
As an administrator you are committed to moving forward on Google's six-week release schedule. There are some brakes and controls that you can use to affect the pace of the change but the direction is always forward. It’s not possible to hold on a gold image which remains static for an extended period and, because security fixes are integral to point releases, they can't be sidestepped. This ensures that all Chromebooks are running with the latest security fixes rather than an out-of-date build that's vulnerable to current threats. There's no requirement to slipstream extra software into the build to protect against viruses and malware which, apart from the benefit of reduced licence costs, just makes things easier and more secure.

Surprise Four: There’s no update scheduling.
There's no Configuration Update message or patching schedule because the update process does not impact the user experience. The user does not see any spinning graphics, percentage dialogs or delays on boot. Each Chromebook has two copies of ChromeOS that act in a similar way to the “Last Known Good” configuration on a Windows client, although the security model is entirely different. Updates are applied to the passive copy of the OS as a background process. Once the download is complete and verified, the two copies are swapped on the next power cycle; if verification fails the device simply keeps booting the copy it already trusts. Because updates can occur without affecting the running workload, and from any location, there’s no real point in attempting to impose a schedule that has to be checked and independently managed.

Surprise Five: There’s no profile management.
Chromebooks can run in an entirely ‘stateless’ manner. Each time a user logs off all personal data is removed and the Chromebook returns to exactly the same state it was in before the user session. The user profile that’s delivered from Google is extremely light. User data files can be forced into cloud storage (Google Drive/OneDrive) so moving between devices is a seamless experience. There are however some operational benefits to maintaining a cache of local profiles, but even here Google has your back. Each local user profile is protected by an encryption layer that only the owner of the profile can pass through, and the Chromebook will automatically purge the least recently used profiles to free up space in a shared-device deployment.

Surprise Six: There’s no requirement for any local infrastructure.
Managing a suite of Chromebooks does not require any local resource and for this reason is an ideal partner for a serverless approach or any strategy built upon SaaS applications such as Microsoft Office365 or Google GSuite. However this exposes one potential weakness in the solution. In a Microsoft environment the on-premises WSUS server acts as a cache for downloads and updates but no such facility exists for Chromebooks. So what happens to your internet bandwidth when 500 Chromebooks all decide to update at the same time?

Fortunately this situation can be addressed in a number of ways.

First, the admin console provides an option to stagger the updates over a period of up to two weeks so not all the Chromebooks will request the data at the same time. Chromebooks are also capable of updating through a peer-to-peer process, although this function has a limited role on more secure wireless networks because it relies on mDNS for discovery, and client isolation or multicast filtering on the wireless side stops the devices finding each other.

The most common solution for large Chromebook deployments is to use an edge security device that has a file transfer proxy function. Updates are one of the few Google functions that can operate outside of the HTTPS security envelope, so the update payloads can be easily cached using software such as Squid. That is only safe because every update is digitally signed by Google and the signature must be verified on the device before the update is applied: a proxy, or anyone who can tamper with its cache, can serve a stale or altered file, but cannot produce one that the Chromebook will accept.
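To make the two-copy update mechanism from Surprise Four and the signature check that makes plain-HTTP caching safe concrete, here is an added toy model. It is not Chrome OS code and nothing in it comes from the original post: an "image" is just a string, the version numbers are arbitrary, the signing key is a placeholder, and an HMAC stands in for Google's public-key signature (a real device holds only the public half of the key and can verify but never sign).

```powershell
# Added example, not Chrome OS code: a toy model of the two-copy update scheme and
# the signature check that protects an update fetched through an HTTP cache.
# Everything here is made up for the demo; an HMAC stands in for a real signature.
$SigningKey = [byte[]](1..32)   # assumption: placeholder for the vendor's signing key

function Get-ImageSignature([int]$Version, [string]$Image) {
    $hmac  = New-Object System.Security.Cryptography.HMACSHA256 (,$SigningKey)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes("$Version|$Image")
    return [System.BitConverter]::ToString($hmac.ComputeHash($bytes)).Replace('-', '')
}

function New-Device {
    # Two root copies, A and B; A is live, B still holds the previous release.
    return @{
        Slots   = @{
            A = @{ Version = 61; Image = 'chromeos-61' }
            B = @{ Version = 60; Image = 'chromeos-60' }
        }
        Active  = 'A'
        Pending = $null     # set when a verified update is waiting for a reboot
    }
}

function Install-Update($Device, $Manifest) {
    # The payload may have arrived over plain HTTP through a cache, so nothing it
    # claims is trusted until the signature checks out against the device's key.
    $expected = Get-ImageSignature $Manifest.Version $Manifest.Image
    if ($Manifest.Signature -ne $expected) { return 'rejected: bad signature' }

    # Refuse to go backwards: a cached, genuinely signed but older image is still
    # a downgrade to a build with known holes.
    $running = $Device.Slots[$Device.Active].Version
    if ($Manifest.Version -le $running) { return 'rejected: not newer than running build' }

    # Write into the copy that is NOT running; the user's session is untouched.
    $passive = if ($Device.Active -eq 'A') { 'B' } else { 'A' }
    $Device.Slots[$passive] = @{ Version = $Manifest.Version; Image = $Manifest.Image }
    $Device.Pending = $passive
    return 'staged'
}

function Restart-Device($Device) {
    # The swap only happens at a power cycle, and only if something verified is waiting.
    if ($Device.Pending) {
        $Device.Active  = $Device.Pending
        $Device.Pending = $null
    }
    return $Device.Slots[$Device.Active].Version
}

$device = New-Device

# A genuine release: staged in the background, live after the next power cycle.
$good = @{ Version = 62; Image = 'chromeos-62' }
$good.Signature = Get-ImageSignature 62 'chromeos-62'
Install-Update $device $good
Restart-Device $device

# The same signature glued onto an altered payload, as a tampered cache would serve it.
$bad = @{ Version = 62; Image = 'chromeos-62-backdoored'; Signature = $good.Signature }
Install-Update $device $bad
Restart-Device $device

# A correctly signed but older build replayed from the cache.
$old = @{ Version = 61; Image = 'chromeos-61' }
$old.Signature = Get-ImageSignature 61 'chromeos-61'
Install-Update $device $old
```

Run top to bottom the first update is staged and the device reports version 62 after the restart; the altered payload is rejected on the signature check and the device stays on 62; the replayed older build passes the signature check but is rejected as a downgrade. The point of the model is the order of operations: verification happens before anything is armed for the next boot, which is exactly why an untrusted cache in the download path is acceptable.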

So basically there’s far less hassle and fewer things that can go wrong from the security and general management perspective. Because Google does all the background work it’s possible for schools and districts to manage hundreds and sometimes thousands of devices without being bogged down by the overhead of imaging and patching and, because it’s a serverless model, hardware dependencies can’t put a brake on the deployment.

Although a Chromebook will never run the desktop version of MS Office, they make great platforms for thin-client deployments using Citrix Receiver or the MS Remote Desktop client, and of course the MS Office web apps.

Although you still need a Chromebook management licence and a Google GSuite for Education account, its role is reduced to that of a policy management engine for your Chromebooks, as there's no actual requirement to take any of the core GSuite services such as Gmail: you simply turn them off and replace them with links to Office365 and your SaaS applications.

You can even replace the authentication service with Active Directory by directing the Chromebooks to a local federation service (ADFS) over SAML if you have a strong desire to be presented with a familiar logon dialog.
Even if you're planning a Single Sign-On solution you still need to synchronise user accounts between Active Directory and GSuite for Education, because federation only handles the logon and Google still needs a matching account to apply policy to, but there are tools available to help with this.
So as web-based applications become increasingly integrated with MS Office365 there are fewer reasons not to look at Chromebooks as the student device of choice. Try it out, it might be a pleasant surprise.

Saturday 12 August 2017

Going serverless with Microsoft

Over the last few months Microsoft have been developing a blueprint for a fully serverless cloud architecture based on Office365 and InTune for Education.

The individual elements for a serverless school have existed for some time but we now have a Microsoft strategy document that brings all the pieces together with a clear technical direction.

The document is updated regularly so there’s little to be gained from summarising it, other than to note it includes the two core elements mentioned above plus School Data Sync, One Note, Whiteboard and Teams while avoiding any mention of local servers, Active Directory and the System Center Configuration Manager (SCCM) management suite.

Sounds great, but how practical would it be to migrate to this model today?

First, it’s clear that the Microsoft vision of a serverless school requires Windows 10 clients in order to link into the security and management features of the Azure cloud based directory.

Therefore Step 1 is to migrate all clients to Windows 10, and when that’s done you can move on to Step 2. A full client upgrade programme would be a good-sized step for Neil Armstrong, never mind a school with a mixed set of legacy hardware, but currently it’s a prerequisite for a Microsoft cloud solution.

However, let's assume we’re already at Step 2. What other obstacles do we face?

The first is the same stumbling block that challenges other initiatives in this area: how to support locally installed Windows applications?

In this instance Redmond's approach has an advantage since we have a fully featured Microsoft operating system and the ability to deploy and maintain applications using InTune.

Things become less clear when we consider how well this model applies to shared devices in a teaching environment. If the toolset is fairly static across the user base it might be practical but if you have applications required for specific classes, students moving between computers and large installation packages being pulled across an internet connection, it could get messy quite quickly.

Strangely there is no mention of Windows 10 S in the document. This is the Windows OS which works exclusively with apps from the Windows Store and is aimed directly at educational deployments. This might be because the post is focused on a migration scenario but I would still expect a mention, if only to position Windows 10 S within the overall strategy.

Perhaps the idea is not to present too many disruptive concepts all at once.

A school that has moved to Azure AD automatically gains access to Microsoft's ecosystem of Single Sign On (SSO) web applications. While this is mainly focused on the workplace the directory already contains over one hundred web resources marked for education including well known names such as Khan Academy, Discovery Education, My Homework, Edmodo and ClassDojo.

Once a school starts to take advantage of the rapidly evolving pool of SaaS applications with built-in SSO  the deployment issue disappears and Windows 10 S becomes a good news story for everyone, with perhaps the exception of software houses still shipping an .msi file on an annual release cycle.

Locally installed applications of any type do not work well in shared device deployments that require a degree of differentiation. Until 1:1 rollouts are commonplace, SaaS will win out every time and a cloud based directory with integrated SSO can only accelerate this process, unless of course your students are really looking forward to next years release of SameOldProg V8.

It’s also worth examining how the integration with the Azure directory will be managed.

Third-party software such as classroom control, content filtering, payment schemes and print management needs to read data from the user directory. In the future this will be in the cloud and not on a local domain controller. All this is fine except that Azure AD itself does not support LDAP or Kerberos, the two access methods that every management tool sold to education in the last twenty years expects to use. (Microsoft's separate Azure AD Domain Services offering does expose LDAP and Kerberos, but that is a managed domain controller in the cloud, not the serverless model described here.)
Azure AD has its own interface, the Microsoft Graph API, a REST API over HTTPS using OAuth 2.0 tokens, which is better suited to modern internet protocols than either LDAP or Kerberos.
Therefore vendors of firewalls and content filters will need to embed support for this new directory source before schools can consider moving to the cloud.
In a completely unscientific survey I recorded the Lightspeed content filter as capable of working with an Azure directory. If you know of any others please let me know and I’ll compile a list.

Wireless might also have a problem in a Microsoft serverless school. The common security method, 802.1X, relies on the RADIUS protocol to validate credentials and query group and user information, and in the past this was normally provided by a local Windows server running NPS that accessed information from a domain controller.

The problem is - not only are we a server short, we don’t have a domain controller either !

Anybody know of any vendor initiatives in this area ?

Microsoft and Google are going head to head for this market and now both vendors are essentially proposing the same serverless approach which will only drive innovation at an even faster rate.

In the short term Microsoft has the advantage because they are the incumbents in this space and now have an offering which appears to match Google GSuite for Education in certain areas.

However these are early days and few would describe the Microsoft strategy as a fully defined offering. A number of roadblocks remain but over the next few months we should expect new features to emerge at a rapid rate to fill the gaps. Overall the outlook is pretty exciting and, whatever your technical point of view, schools will benefit massively from the one-upmanship as the two tech giants slug it out.

The real challenge is convincing education to assess the alternatives with an open mind and then invest some time in constructing a development plan that will take advantage of this unique opportunity to get things right.

Friday 4 August 2017

Why BYOD could soon be BYOC.

Bring Your Own Device (BYOD) has always been an attractive idea for education.

The possibility that students could use personal devices in a learning environment without the school having to make a financial investment sounds beguiling but there are some fundamental problems that have never really been overcome.
  • How to integrate a variety of devices, all with different capabilities into a lesson plan.
  • How to securely manage school data on a range of devices.
  • How to onboard the devices onto the wireless network without a management overhead.
  • How to provide secure web filtering without additional licencing costs.
  • How to answer the question “It’s my device, why can’t I have Facebook”?
Unfortunately the big advantage of BYOD is also its biggest weakness.

Because the device remains the property of the pupil or a parent/guardian there’s a reasonable expectation that, outside of school hours, the device could be shared with other members of the family to access Facebook, eBay, Netflix and various game sites.

Of course this creates a host of e-safety issues almost too long to list. Therefore the cautious response is to apply the school security policy at all times, even though for the majority of the year the device is at home and belongs to somebody else.

So in a BYOD EDU environment how do you answer the question;

“It’s my device, why can’t I have Facebook” ?

Let’s look at this from another angle. Ideally, how would you fix this problem?
  • During school time the device is under management control with all the usual policies applied. 
  • Outside of school hours the device takes on a personal policy which allows access to Facebook.
  • The two worlds must never meet.
Elements of this approach are already possible using web filtering rules that can be updated based on a schedule but this doesn’t address the fundamental problem of device security.

When the device is under personal control how do you ensure security isn’t compromised by malware, keyloggers, trojans, inappropriate software or images which are then brought into school and propagate across the network ?

This problem doesn’t rest with the management platform, it lies with the nature of the user device.

The device has to maintain a set of isolated user profiles without any possibility that information or activity could bleed from one to the other. It would also have to have built-in security that ensures the operating system image is clean and verified as secure at every boot. Once you throw in the requirement for centralised web-based policy control it's clear that the device you are describing is a Chromebook.

Let's imagine what this new form of BYOD, admittedly limited to Chromebooks, might look like.

Each pupil would need to bring a Chromebook to school. It could be an existing device, newly purchased or sourced through a payment scheme. Any finance schemes would be independent of the school because the device remains the users personal property at all times.
Students would be able to choose a form factor that best suits their requirements (touch / size / price), shop around for the best deals and personalise them as much as they like. I suspect the ‘missing key’ problem will disappear overnight.

Personal Chromebooks could be enrolled into the school's Google organisation using the home broadband or a simple phone tether; it’s really not that difficult. The school will be buying a batch of non-recoverable Chromebook management licences but this is a small cost when you consider that this would enable a 1:1 programme with very little management overhead.

The big selling point of this approach is that during school hours a policy is applied that restricts access to all the fun stuff and locks down the device. Out of hours this restriction is lifted - hello Facebook.

This could be done in a number of ways. It could be as simple as enabling guest access or lifting the restriction on organisational only logins. As the schedule moves back into school hours the standard policy is re-applied.

This doesn’t mean that the student could access social media using an organisational login, only that the Chromebook would allow a logon using a consumer account to which the filter does not apply. Nor does it mean that an out-of-hours policy would apply to all devices. It could be operated as an opt-in scheme that requires parental consent or be subject to an acceptable use policy.
Integrating personal Chromebooks into the classroom is easy because although you might have 57 varieties they will all be running the same OS version and all have the same basic capabilities. Because they remain personal devices the school doesn’t need to get involved with insurance or warranty repairs, although a loan pool of utility Chromebooks all covered in a massively uncool school laminate might encourage careful handling and long term memory.

Expensive trolleys aren’t required. Ad hoc charging could be a problem, but only until USB-C becomes commonplace. There’s no issue with respect to software licensing as this is likely to be SaaS-based and linked to the organisational account, or installed within the user's encrypted profile.

Sounds interesting ?

Unfortunately none of this is possible because the basic mechanism to relax the Chromebook management profile on a timed schedule doesn’t currently exist.

However ChromeUnboxed recently reported a new commit to the Chromium repository described below.
“Allow unrestricted using of parent-funded Chrome OS EDU devices (Chromebooks) that are managed by school, while the device is not at school (“off-hours”).”
While we are unlikely to see this feature until ChromeOS V62 the fact that it’s even in the pipeline is a significant development.

Currently there is little indication of how this might work, other than the fact that it uses an "Off-Hours" flag in the device policy, but it’s clear that this initiative could accelerate the drive towards 1:1 devices in education and be an important new way of getting Chromebooks into the classroom.

BYOC perhaps.

UPDATE May 2018: The Off-Hours feature finally made its way into Chrome OS with V66. You can read about it here.

Saturday 1 July 2017

Print Options with Google and Chromebooks.

The standard way to print from a network device is to install a driver for the required printer model.

However you cannot load print drivers onto a Chromebook. In fact you are not allowed to load any driver onto a Chromebook. This is one of the features that make Chromebooks so secure and stable.

For most schools the solution is to implement Google Cloud Print. However, to provide a complete picture it's worth mentioning some other approaches and how these relate to Google Cloud Print.

Direct Print.
There is an experimental feature, likely to move to production in the future, that allows a Chromebook to attach to a network printer and operate in much the same way as an MS Windows or macOS device.

With Version 57 Chromebooks gained support for Unix-style print standards—the CUPS (common Unix printing system) system that uses IPP (internet printing protocol).

The problem with deploying CUPS printing in schools is that it’s still very new and there doesn’t appear to be any method to control it from the admin console, so mapping printers is a manual exercise on each device. However it’s worth testing out as it may prove a useful solution in specific situations.

There is a second option for direct print.

HP printer users can install the HP Print for Chrome app. This is not a driver but controls printing to HP devices using a Chrome extension.

 Using this you can print from a Chromebook (or any Chrome browser) to HP Printers connected on the same network.  Again there is no way to control this through the console so it’s a manual action and if the Chromebook is on a different VLAN to the printer (which is often the case with wireless networks in schools) it’s not going to work. Support is a problem -  so like CUPS printing this is only really suitable if it meets a specific requirement.

Which leaves you with Google Cloud Print.

Google Cloud Print uses a generic print service, installed as part of the Chrome browser, to format and transfer a print job to Google, where it sits in a queue waiting for an inbound connection from a printer.

The advantage of this process is that a Chromebook does not have to be on the same network as the printer to send a print job - in fact so long as it has an internet connection it can print from anywhere in the world.

The downside is that most of the advanced print features are missing. If you are hoping to make use of the stapling and collating features you are going to be disappointed, although the basic options such as quality, paper size, number of copies, margins and duplex are supported.

Setting up Google cloud print is fairly straightforward. There are two steps to getting it going.
  • Creating the individual print queues with the Google Cloud Print service
  • Advertising the new cloud printers to the client devices.

Creating the individual print queues with the Google Cloud Print service

Most vendors now include the facility for printers to advertise directly with the Google Cloud Print service. In fact you would be hard pressed to find a high-end printer sold in the last few years that is not “Cloud-Ready”.

Google maintains a list of supported printers which is pretty comprehensive.

Each vendor will provide a set of instructions that will allow you to enable the printer with Google but the basic process is the same.

Before implementing Cloud Print check the firewall path between the printer and Google. All of the traffic is outbound from the printer on standard ports, so port 80 and port 443 must be open to outbound traffic from the printer's IP address. In addition, port 5222 (XMPP) must be open outbound; this is the channel the printer uses to advertise its status to Google. If it’s blocked the printer will be created but then go “offline” after a short period, which is the tell-tale symptom to look for.

All the cloud printers with Google are owned by a user account in your domain. This can be any account but essentially this user becomes the print administrator. Obviously if that user's account is subsequently deleted or suspended you also lose the print queues, which is a situation to be avoided if at all possible.

Therefore it's a good policy to create a service account specifically to manage the printers. This account does not need any special administrative rights, but it does own every print queue, so give it a strong password, enable 2-step verification on it, and exclude it from any automated suspension of inactive accounts.

Once the account is created you can logon and access the print queue by navigating to the print management console.

For each printer, enable the cloud-ready option following the manufacturer's instructions. At some stage it will ask for the details of the Google print account and the printer will then be visible in the console.
The disadvantage of the Cloud Ready approach is that there is limited control of the print jobs and each printer is set-up individually. 

In fact it's more likely that a school will already have a print server in place that advertises a number of printers to Windows and Mac clients and may also run older printers that are not Cloud Ready. In this case you would fall back to using the Google Cloud Print Service.

Installing the Google Cloud Print Service.
This is a local service that runs on the print server and advertises all printers to Google Cloud Print. During the installation you get the option to choose which printers you wish to publish.
Installation is very simple: download the installer from the link below and run the install.

Once launched it requires details of an AD account that has rights to manage the printers and to run as a local service.

It also requires details of the Google account you have identified to host printer queues - in this case

At this point you can select the printers to publish and also enable an auto register feature.

After a few moments the printers should be visible on the cloud account.

Note that in this case you must have port 80 and port 443 open to outbound traffic from the server's IP address, as well as port 5222 outbound for the status channel. You do not need to open any ports from the printer addresses.
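The following is an added example, not from the original post, that checks the three outbound paths described above from the machine doing the registering (the print server, or a host on the printer's VLAN). The Google host names are deliberately not hard-coded: pass the endpoints named in your printer vendor's or Google's instructions. It needs nothing beyond .NET and works on Windows PowerShell 3 or later.

```powershell
# Added example, not from the original post: test the outbound TCP paths that a
# Cloud Print registration needs (80 and 443 to the web endpoints, 5222 to the
# XMPP status endpoint). Host names are parameters; supply the documented ones.
function Test-CloudPrintEgress {
    param(
        [Parameter(Mandatory)] [string[]] $WebHosts,   # endpoints reached on 80 and 443
        [Parameter(Mandatory)] [string]   $XmppHost,   # endpoint reached on 5222
        [int] $TimeoutSeconds = 5
    )

    $targets = foreach ($h in $WebHosts) {
        @{ Host = $h; Port = 80 }
        @{ Host = $h; Port = 443 }
    }
    $targets += @{ Host = $XmppHost; Port = 5222 }

    foreach ($t in $targets) {
        # A plain TCP connect with a timeout; a firewall that silently drops the
        # packets shows up as a timeout rather than a refusal.
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $handle = $client.BeginConnect($t.Host, $t.Port, $null, $null)
            if ($handle.AsyncWaitHandle.WaitOne($TimeoutSeconds * 1000)) {
                $client.EndConnect($handle)      # throws if the connection was refused
                $open = $client.Connected
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }

        # Translate a blocked port into the symptom an admin will actually see.
        $effect = if ($open) { 'ok' }
                  elseif ($t.Port -eq 5222) { 'printer registers, then drops to offline' }
                  else { 'printer cannot register with Google at all' }

        [pscustomobject]@{ Host = $t.Host; Port = $t.Port; Open = $open; Effect = $effect }
    }
}

# Usage (the names below are placeholders; replace them with the documented endpoints):
# Test-CloudPrintEgress -WebHosts 'www.example.com' -XmppHost 'xmpp.example.com' | Format-Table -AutoSize
```

Run it once from the print server before installing the service and once from a device on the printer VLAN if you are registering cloud-ready printers directly; a row showing 5222 closed while 80 and 443 are open is the configuration that produces the "created, then offline" behaviour.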

Advertising the new cloud printers to the client devices.

The last stage is to share the printers to your users. This is done using the Share button from the cloud print console.

It's pretty simple to share a Google Cloud printer with another individual account, but in an academic environment that's fairly impractical; you really need to share to a group.

Assume that your print account is

Create a new Google group called  “HP Colour Laser Jet Users”  for example.

Add as an owner of the  “HP Colour Laser Jet Users” group  and share the printer with that group logged on as  the account.

Access the email account and accept the shared printer for the entire group by accepting the e-mail.

When you share with groups, the group administrators receive the invite and they can accept on behalf of the group. Alternatively if your personal account is already the owner of the group you can accept the invite on the users behalf.

Your Chromebook users will now see the printer when they open the print dialog and select the Change button under Destination.

Adding a new user to the “HP Colour Laser Jet Users” group does not automatically advertise the printer to that user. This behaviour is the same for printers as it is for documents. The workaround is to remove the group from the printer share and then immediately add it back in again once a change has been made to the group membership.

It's worth noting that the Google Cloud Print Service has a reputation for being somewhat unreliable. Some schools overcome this by periodically restarting the service on a schedule using the batch file below.

     @ECHO OFF
     REM Restart the Google Cloud Print Service; run from Task Scheduler with administrative rights
     NET STOP CloudPrintService
     NET START CloudPrintService

Printing in a Serverless School
It’s possible that you may not have access to the local print server or have sufficient rights to install software or have any servers at all!

In this case you could consider the Lantronix xPrintServer, an easy-to-use, plug-and-print appliance for Google Cloud Print.

The Lantronix device is fully supported and generally provides a more robust service than Google Cloud Print Service running on a Windows server. The setup is done through a setup wizard rather than downloading the Google Cloud Print Service.

Integrating Google Cloud print with a Print Management Solution.
There are some features that Google Cloud print does not support. These include a comprehensive reporting/quota system and a follow-me capability. Integrating with a third party solution such as PaperCut solves these issues.

Recent releases of PaperCut have native support for Google Cloud Print as well as integration with the Google user directory.