tag:blogger.com,1999:blog-42977706451548468592024-03-06T08:32:46.276+00:00the serverless schoolThe Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.comBlogger117125tag:blogger.com,1999:blog-4297770645154846859.post-78615843053475577662022-10-10T20:50:00.000+01:002022-10-10T20:50:08.066+01:00Troubleshooting InTune Win32 app deployments.<p><b> Troubleshooting</b></p><p>One of the first places you can have a look when there are any issues, is the Intune Management Extension Logfile at: </p><p>C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\</p><p>IntuneManagementExtension.log</p><p>Log files can be formatted using the CMTrace.exe tool.</p><p>The Intune Management Extension stores some info in the registry at the following locations.</p><p>HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\Apps\</p><p>HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps\</p><p><br /></p><p><u>Windows Event Log</u></p><p>Windows Logs>Application</p><p>Applications and Services Logs> Microsoft> Windows></p><p>DeviceManagement-Enterprise-Diagnostics-Provider</p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-79706322359372394382022-02-18T16:15:00.002+00:002022-02-18T16:15:35.573+00:00Clearing down Chromebook profile data.<p><br /></p><div><div>It's sometimes useful to be able to cleardown the Chromebook user profile data from a group or class-set of Chromebooks. This can help with odd issues you run into with respect to application caches, particularly local Android apps.</div><div><br /></div><div>Fortunately you can do this from the admin console </div><div><br /></div><div>Devices - Chrome - Devices</div><div><br /></div><div>Select devices from the containing OU. You can only select a maximum of 50 devices at once. 
If you have more you simply need to repeat the process.</div><div><br /></div><div>Click "Reset selected devices".</div><div><br /></div><div>Select the option "Clear User Profiles".</div><div><br /></div><div>This removes all user profile data but keeps device policy and enrolment.</div></div>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-59237297057790939132022-02-07T19:53:00.000+00:002022-02-07T19:53:09.275+00:00Routing Google email using a subdomain<p>One task that Google admins have to undertake from time to time is the addition of a new DNS subdomain to the tenancy.</p><p>This is particularly true of larger multi-academy trusts (MATs) that operate under a single central trust domain such as <b>centraltrust.org</b> but then allocate codes to each school site. In this case <b>St Peters Primary School</b> might be addressed as <b>spp.centraltrust.org</b>. Larger independent schools often isolate student accounts under a separate routable email domain and so require forms such as <b>student.largesite.org</b>.</p><p>While the process of adding <a href="https://support.google.com/a/answer/7502379?hl=en" rel="nofollow" target="_blank">new subdomains to a Google tenancy</a> is well documented, the action required to route inbound email is not always clear, and admins often believe that so long as the root domain is routed correctly this automatically covers any subdomains - but this is not the case. 
The MX records have to be added as a separate process.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK0az1CfHcj28InKwlbBMlH0IHNMkG16d2VyOkZsOE3htNHEWHQtSlG1NqtVju9uKPX-vtCBXwuAu1FEpafMVOcXPT7tosuv0zpMgytAeagn0n5VveRppHQONpcNcGqkDDtZoZ5h9jJdN6_TNDDVLfg6EDtkNaF1ctHk1YsgB_PY-JG4ZSJg-hSVgY/s411/email.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="240" data-original-width="411" height="117" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK0az1CfHcj28InKwlbBMlH0IHNMkG16d2VyOkZsOE3htNHEWHQtSlG1NqtVju9uKPX-vtCBXwuAu1FEpafMVOcXPT7tosuv0zpMgytAeagn0n5VveRppHQONpcNcGqkDDtZoZ5h9jJdN6_TNDDVLfg6EDtkNaF1ctHk1YsgB_PY-JG4ZSJg-hSVgY/w200-h117/email.png" width="200" /></a></div><br /><p>What you need to do is follow the <a href="https://support.google.com/a/answer/33915?hl=en#zippy=%2Cstep-add-new-mx-records">instructions for setting up MX records</a> for a new Google domain listed - but with one major change.</p><p>Using the example of <b>spp.centraltrust.org</b> you follow the instructions but set <b>spp</b> in hostname field instead of <b>@</b></p><p><i>Also note the instructions in the link are for switching between mail providers. You're not doing that - just adding a new subdomain. 
Therefore ignore all the comments to DELETE MX records.</i></p><p>This will create a set of MX records for <b>spp.centraltrust.org</b> and mail will route correctly.</p><p>In summary, the procedure is:</p><ul style="text-align: left;"><li>Log on to your domain DNS provider.</li><li>Edit the root DNS zone for your school or MAT.</li><li>Add the Google MX records below, using the subdomain identifier (<b>spp</b> in the example) rather than <b>@</b> in the hostname field.</li></ul><ul style="text-align: left;"><li>1 ASPMX.L.GOOGLE.COM.</li><li>5 ALT1.ASPMX.L.GOOGLE.COM.</li><li>5 ALT2.ASPMX.L.GOOGLE.COM.</li><li>10 ALT3.ASPMX.L.GOOGLE.COM.</li><li>10 ALT4.ASPMX.L.GOOGLE.COM.</li></ul><p>Once DNS has been updated you’ll see email routed correctly.</p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-47915154555989073122022-01-13T10:14:00.001+00:002022-01-13T10:14:19.520+00:00Google Classroom and Error - 409<p>A Google Workspace user recently reported an error when adding a student to a classroom. The action failed with the error:</p><p><b>ERROR: 409: Requested entity already exists - 409</b></p><p>Checking the student list showed that the user account was not a current member of the class. 
Trying to remove the ‘existing’ student account also created an error.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhhWtRQFODnsxx0kDnV23wO2tCtdniVX1kZX19nUtqY9C-OXqAYtXsrsSsLYFE6Z6zwQGt3Jt5wQsJf9AvCubhw3y1XWLbnoVIsg3C2D-VXO7nKo-9mDD4xojjkzTzof7A2WD5ShmqQ3KdGGtVmyYUda4WLyXXmSL1kc2f1keUs0vDG93gGu-U5mT9w=s364" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="266" data-original-width="364" height="146" src="https://blogger.googleusercontent.com/img/a/AVvXsEhhWtRQFODnsxx0kDnV23wO2tCtdniVX1kZX19nUtqY9C-OXqAYtXsrsSsLYFE6Z6zwQGt3Jt5wQsJf9AvCubhw3y1XWLbnoVIsg3C2D-VXO7nKo-9mDD4xojjkzTzof7A2WD5ShmqQ3KdGGtVmyYUda4WLyXXmSL1kc2f1keUs0vDG93gGu-U5mT9w=w200-h146" width="200" /></a></div><p>The solution was pretty simple - the student account had been added to the class as a teacher by mistake. Quite how this occurred is being examined by the admin team. Removing the student account from the teaching team and adding it back in as a student fixed the error. 
</p><p>As with most problems related to managing Google Classroom your best friend is <a href="https://github.com/jay0lee/GAM/wiki" rel="nofollow" target="_blank">GAM</a>, particularly the</p><p><b>gam print course <course number></b></p><p>command, which provided a wealth of information and highlighted the issue straight away.</p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-63861843366166255342021-08-18T16:23:00.005+01:002021-08-18T17:19:42.094+01:00 SSO Profile Assignment arrives at last.<p>The <u><a href="https://blog.theserverlessschool.net/2019/10/chromebooks-and-azure-sso-revisited.html" target="_blank">sequence of posts</a></u> describing how to federate from Google to Microsoft Azure AD (SSO) has remained one of the most popular subjects on the site.</p><p>However, ever since the process was first described it always came with a warning.</p><p><b>If you turn on SSO it applies to all non-admin accounts in the Google organisation.</b></p><p>Historically the capability to scope SSO to a particular group of users was never provided; it was either ON or OFF for everybody. The IP subnet field gave you some control over testing and rollout but other than that it was all or nothing.</p><p>This wasn't too much of an issue for a school operating within a single organisation, but for larger Multi-Academy Trusts (MATs) that managed dozens of schools under one tenancy it was a bit of a show-stopper. In this situation you couldn't turn on SSO for one school without affecting all the others.</p><p>However, now that <a href="https://support.google.com/a/answer/10723804?hl=en&ref_topic=7556907" rel="nofollow" target="_blank">SSO profile assignment has arrived as a beta feature</a>, all that has changed.</p><p>SSO profile assignment is simple and easy to implement. 
The standard <b>Single sign-on (SSO) with third-party identity providers (IDPs)</b> dialog in the <b>Security</b> section remains unchanged. You need to fill that in with the same data as before.</p><p>What has changed is the fact that once you turn the profile ON this action simply marks the profile as being active from the root OU and provides you with a dialog to update it.</p><p>Therefore to fix SSO to a particular OU you need to edit the root entry to turn the feature OFF and then add additional entries at lower OU levels to override the setting and turn it back ON. Basically SSO now operates like all the other Google Apps features and settings.</p><p><br /></p><p><span id="docs-internal-guid-33fad1d6-7fff-5449-39c9-fd8a72562b65"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 248px; overflow: hidden; width: 602px;"><img height="220" src="https://lh3.googleusercontent.com/XGt-5n4KodjJuED0Xx8K6jafLBVBLMDdOF8n-Al1EuEtWH22jbPKLairIrXIUiD3u0WLH2S9ZlEjp5FxWUQymZvDnUIBbROiFRHwdkaX09WlvpRZJEC7K9-k2QjynEP36igmGXCZ=w534-h220" style="margin-left: 0px; margin-top: 0px;" width="534" /></span></span></span></p><p><br /></p><p>In the example above SSO is turned OFF at the root and is only active for the Students OU.</p><p>Selecting the <span style="color: #2b00fe;">MANAGE</span> option (above) displays the OU tree with the ability to select and edit the properties of each OU. Those OU’s with overrides set are marked with a grey dot (below)</p><p>Removing the settings from an OU is not quite as simple as selecting the <span style="color: #2b00fe;">REMOVE SCOPE</span> option. You first need to clear the override by selecting <span style="color: #2b00fe;">INHERIT</span>. 
The Remove Scope option then removes it from the list shown above.</p><p><span id="docs-internal-guid-3c9aa89d-7fff-5d52-d31c-f7eaa6173cac"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 387px; overflow: hidden; width: 602px;"><img height="335" src="https://lh4.googleusercontent.com/xUlGlBMPGaW0LjlsXpA_ourqt5xiVGJ32URVlqg5NtDTo1Y9Oa_XwYYs-f1j7co4_8wcK6dp9glBVHR4ezFyaPnTMa_hhkJMh9jVmf-BEcg6PtsDEMpAjqmj0RSRA1wU3ZL06Qo5=w522-h335" style="margin-left: 0px; margin-top: 0px;" width="522" /></span></span></span></p><p>As well as OU’s Google provides the ability to set SSO based on Groups and Users. This is a particularly useful feature if your OU structure does not map directly to the requirements for SSO.</p><p><span id="docs-internal-guid-21d671c4-7fff-e797-0a4f-c75524e39632"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 255px; overflow: hidden; width: 359px;"><img height="227" src="https://lh3.googleusercontent.com/ollTDAUfvMoDyu-ulZFOT5-lYZ38pQzw3UgnenknwSKCvFANbcFPqcjw91dfrl2NSKzAkJYrszbEalRDOkto_P3eybACBiZZCcgt8rUZHf--LsvrkD8EC9qPLcs0KZuQffdl28an=w320-h227" style="margin-left: 0px; margin-top: 0px;" width="320" /></span></span></span></p><p>Like other implementations of groups, assignment to a group or user can only be used to turn the feature ON and not as an exclusion</p><p><br /></p><p><u>Conclusion.</u></p><p>Although still a beta feature SSO profile assignment worked exactly as expected in a recent implementation for a multi-site MAT and certainly removed a large amount of risk from the project. 
All in all, a great new feature that’s been long overdue on the G Suite Admin console.</p><p><br /></p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-21089304928876630612021-07-14T12:00:00.001+01:002021-09-19T17:40:11.994+01:00Returning the Windows 10 key from Powershell.<p>It's sometimes a useful skill to be able to return the Windows 10 key from a device that has lost a sticker.</p><p>Fortunately you can get the windows key from a simple Powershell command run as admin.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtekWfEW6xVz7KTKjwALWvEYmRHC-M6pQ35QSJA1EOUoHfCMPPcHk2Ret9M0RMczYYx09K4T-iCIjfJPqNWf7ezL6IX2rQcQoqnCv5_3CX2CmIHLCFMpCkQGF2LZy-7DplQ1UCcPkZWO8/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="192" data-original-width="1069" height="71" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtekWfEW6xVz7KTKjwALWvEYmRHC-M6pQ35QSJA1EOUoHfCMPPcHk2Ret9M0RMczYYx09K4T-iCIjfJPqNWf7ezL6IX2rQcQoqnCv5_3CX2CmIHLCFMpCkQGF2LZy-7DplQ1UCcPkZWO8/w400-h71/image.png" width="400" /></a></div><br /><br /><p></p><p><span style="background-color: black;"><span style="color: white;">(Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey</span></span></p><p><br /></p><p><u>Microsoft Office 2019 and Office 2016</u></p><p>Press Windows logo key+X on your keyboard to open the quick action menu.</p><p>Select Command Prompt (Admin).</p><p>If a security prompt window is displayed, select Allow.</p><p>Using the command line to check your license type</p><p>Open an elevated Command Prompt window.</p><p>Type the following command to navigate to the Office folder.</p><p><br /></p><p>For 32-bit (x86) Office</p><p><span style="background-color: black;"><span style="color: white;">cd c:\Program Files (x86)\Microsoft 
Office\Office16\</span></span></p><p>For 64-bit (x64) Office</p><p><span style="background-color: black;"><span style="color: white;">cd c:\Program Files\Microsoft Office\Office16\</span></span></p><p>Type</p><p><span style="background-color: black;"><span style="color: white;">cscript ospp.vbs /dstatus</span></span></p><p>and then press Enter.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4GFduaTPlgse9_phkSPkYd3i8ylyX5WbODEFqKhsnr3eBRr4x-nU2d7HemHNCEh-C0BBM_PHHjezoAucYxX_8AXA7lzOdZ4KfNmekIMa8ccBaHdPXs9tlxBIhkkX-Xwc_z6LXUAZ4TYw/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="352" data-original-width="884" height="159" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4GFduaTPlgse9_phkSPkYd3i8ylyX5WbODEFqKhsnr3eBRr4x-nU2d7HemHNCEh-C0BBM_PHHjezoAucYxX_8AXA7lzOdZ4KfNmekIMa8ccBaHdPXs9tlxBIhkkX-Xwc_z6LXUAZ4TYw/w400-h159/image.png" width="400" /></a></div><p>In the example above the screen displays the Retail type of license. If you have a volume license (VL) product, the license type is displayed as VL or Volume Licensing.</p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-71728927109942227822021-06-17T14:57:00.000+01:002021-07-19T14:59:03.381+01:00Turning off Hello for Business in EDU<p>IT managers using MEM to manage Windows devices for schools often struggle with Windows Hello for Business (WH4B). While the corporate world has a clear requirement for the type of 2FA that WH4B provides, it's not that useful in schools. 
</p><p>Unfortunately the default setting found under <b>Windows Enrolment</b> in the MEM console turns WH4B on and targets the <b>All Users</b> group and, unlike other settings, there's no option to edit this group assignment or add an exclusion policy.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieMr3NsX3Lnu8r75sTp6rkwRf7Z5Jvw-_ZoJhaEzeGeWBiL9Ibr8fiYBBWxcpkelsqgZtAbMcZx0M6EIy9xYKxprtNvE8aHCIVp1EGKOmHpeswq8EUDIFbeWVhVmP68b_nc35Roj-UUg4/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="146" data-original-width="446" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieMr3NsX3Lnu8r75sTp6rkwRf7Z5Jvw-_ZoJhaEzeGeWBiL9Ibr8fiYBBWxcpkelsqgZtAbMcZx0M6EIy9xYKxprtNvE8aHCIVp1EGKOmHpeswq8EUDIFbeWVhVmP68b_nc35Roj-UUg4/" width="320" /></a></div><p>In essence you can turn WH4B on or off for all users, but that's about the limit of the scope control.</p><p>Another common complaint is that once you have noticed your mistake and turned WH4B off, this only affects new device enrolments, <b>not</b> devices and user accounts that have already picked up the policy. 
While there are <a href="https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/37093513-disable-windows-hello-on-windows-devices-after-int" rel="nofollow" target="_blank">various workarounds</a> for this situation, it's not one you really want to be in.</p><p>However, a preview feature in the MEM <b>Endpoint Security</b> section now allows you to enable or disable WH4B based on user groups, effectively providing a scoping control.</p><p>In the MEM console navigate to <b>Endpoint Security - Account Protection</b> and create a new policy.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb8PAowjylA-2E2ZfHRO8FrYLMtHrrDNG7z4UkL5Fb0sv1ZaJ-Uc6W8iZoyjPDdBOWLE2N62gnkhrUwbKxlh4hPaXq033GpTn8W3JGF-YiOBxWHyW6OPw6ECgYCG0KwXVkVk4Jyub2Ol4/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="280" data-original-width="891" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb8PAowjylA-2E2ZfHRO8FrYLMtHrrDNG7z4UkL5Fb0sv1ZaJ-Uc6W8iZoyjPDdBOWLE2N62gnkhrUwbKxlh4hPaXq033GpTn8W3JGF-YiOBxWHyW6OPw6ECgYCG0KwXVkVk4Jyub2Ol4/w400-h126/image.png" width="400" /></a></div><p>The options are limited but you do have the ability to block Windows Hello for Business. If you set this against a user security group, WH4B is removed, exactly as you would expect.</p><p>Lastly, you should note that the WH4B settings in the Windows Enrolment pane are the only ones that apply during OOBE; they apply to the entire tenant and, as we have noted, this can’t be scoped. 
So if you want to remove the WH4B prompt during OOBE you would have to block it for everyone using the tenant-wide setting, but then turn it back on in the Endpoint Security - Account Protection section, making sure you only assign it to the appropriate user group.</p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-90731368664820281362021-05-13T17:48:00.000+01:002021-07-19T14:58:16.931+01:00Controlling MAM device enrolment.<p>During the early stages of the project, a mistake that schools often make when adopting <b>Microsoft Modern Management</b> is to ignore the question of device enrolment, and as a result things can become unmanageable pretty quickly.</p><p>Without changes to the base settings Microsoft Device Manager is quite relaxed about restricting access to the enrolment process, and a limited rollout of six devices can quickly extend to many dozens as students download the Company Portal app and take advantage of the generous personal enrolment allowance of five devices each.</p><p>Things get even worse if the admin allocates the students an Azure P1 premium licence because, with the MAM Users scope set to All (the default), any device registered with Azure AD using a school account will also push the <a href="https://docs.microsoft.com/en-us/mem/intune/enrollment/quickstart-setup-auto-enrollment" rel="nofollow" target="_blank">device into the MDM</a>.</p><p>The solution is to do a bit of work on the MAM console to make sure the settings match the school's IT policy <b>before</b> things get out of hand.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJfIg5MVYGLFdmC6oNiex8-BSYcAtd-ADa9rrNPgBzyEqKeEd_PyIzaRh6QznvAXAG-olnyTdfzzh-Acw5xDsEQsoA_S0RXUGQXwsUni7_cNMvqNvyUpkl-8Meiuaz6iegO0hPDjocBBs/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="180" data-original-width="518" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJfIg5MVYGLFdmC6oNiex8-BSYcAtd-ADa9rrNPgBzyEqKeEd_PyIzaRh6QznvAXAG-olnyTdfzzh-Acw5xDsEQsoA_S0RXUGQXwsUni7_cNMvqNvyUpkl-8Meiuaz6iegO0hPDjocBBs/" width="320" /></a></div><p>You can use <a href="https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-configure" rel="nofollow" target="_blank">Device Restrictions</a> to block hardware device types and set conditions on the operating systems, but you need to be careful that you don't go too far and also block auto-enrolment for any Autopilot rollouts you may have planned.</p><p>Although most of the options are controlled through MEM policies, an often overlooked setting is located in the Azure AD - Devices section.</p><ul style="text-align: left;"><li>Navigate your browser to https://portal.azure.com.</li><li>In the Azure Active Directory pane, click Devices.</li><li>In the Devices pane, click Device settings.</li><li>Check the option settings for <b>Users may join devices to Azure AD</b>.</li></ul><div>If you are using an account that's out of scope you'll see the <b>801c03ed</b> error during device enrolment. 
</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJa8l1hIlfjXDEk1EqroUSnJCRalLg8nrMvWkqviggiBWxmcbU5qiCUEy7krxqkU2-uqto0yDrCzG2oWalCaXyQwEtRYoYTbjas40ST6BT9yLyWhV3DbkdHbVrbFI2iaPYyXECMp6ZAAc/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="765" data-original-width="1705" height="144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJa8l1hIlfjXDEk1EqroUSnJCRalLg8nrMvWkqviggiBWxmcbU5qiCUEy7krxqkU2-uqto0yDrCzG2oWalCaXyQwEtRYoYTbjas40ST6BT9yLyWhV3DbkdHbVrbFI2iaPYyXECMp6ZAAc/" width="320" /></a></div><br />Setting an account as an enrolment manager doesn't override this restriction.</div><div>A great reference is a post by Samuel McNeill that explains the options in a clear fashion.</div><p><a href="https://samuelmcneill.com/2020/10/30/how-to-blocking-personal-byod-devices-from-enrolling-into-intune-but-allowing-autopilot-enrollments/" rel="nofollow" target="_blank">https://samuelmcneill.com/2020/10/30/how-to-blocking-personal-byod-devices-from-enrolling-into-intune-but-allowing-autopilot-enrollments/</a></p><p>It's an essential read for anybody planning to roll out Microsoft Device Manager for the first time, or who has been given the job of cleaning up the device list.</p><p>Recommended.</p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com1tag:blogger.com,1999:blog-4297770645154846859.post-71529252684069143232021-04-02T17:51:00.000+01:002021-04-30T07:11:11.768+01:00 Troubleshooting in MEM/Intune (p2).<h3 style="text-align: left;">Accessing the local log files.</h3><p>When a school or business adopts remote management and mobility, something becomes immediately obvious - it’s often no longer possible to access a local machine to troubleshoot an issue.</p><p>The device could be at home, offline or just turned off. 
The user may not have the elevated privileges to run diagnostics, may have concerns about remote sessions, or may be unable to securely transfer clear-text log files over the internet. Suddenly support is a different world.</p><p>The Intune (MEM) console has a range of reporting tools that can provide insights into failed operations and these are a great place to start, but sometimes you need to get hold of the local logs to get the complete picture.</p><p>On the client side Microsoft provides some excellent tools that can collate information into easily readable files. The most useful of these is <b>MDMDiagHtmlReport.html</b>. This can be generated by navigating to <b>Settings - Accounts - Access work or school</b>. Find the <b>Connected to “Your Organisation”</b> banner and click the <b>Info</b> button.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6x8DbrK9zkObPqtDYbFAB-0L16nPSq91DIsxX3mcvhvNnGdoiBkEmmOfyH21yN2dGfCTcMIDjtOSorYC73K_hHY6GySqG5fUUydsHQ7n1Lkx5tNx5FW3e0td1Lp1MLpS2eopYyf2EjeI/s717/Info.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="185" data-original-width="717" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6x8DbrK9zkObPqtDYbFAB-0L16nPSq91DIsxX3mcvhvNnGdoiBkEmmOfyH21yN2dGfCTcMIDjtOSorYC73K_hHY6GySqG5fUUydsHQ7n1Lkx5tNx5FW3e0td1Lp1MLpS2eopYyf2EjeI/s320/Info.png" width="320" /></a></div><p>The Info dialog is divided into three sections. In the last section you have the option to produce an <b>Advanced Diagnostic Report</b> by clicking “Create Report”. 
</p><p>This action builds the <b>MDMDiagHtmlReport</b> html file in the C:\users\public\documents\MDMDiagnostics directory, which contains information on the device's status and the policy settings being applied.</p><p>Alternatively you can select the <b>Export your management log file</b> link that is listed below the Connected to “Your Organisation” banner. This option goes a little further and creates a cab file in the same directory that contains both the MDMDiagHtmlReport file and a <a href="https://www.anoopcnair.com/mdm-diagnostics-tool-windows-autopilot/" rel="nofollow" target="_blank">host of other diagnostics files</a>, including dumps of key event logs.</p><p>However useful these resources are, the problem still remains that they are stored on the user's computer and are not directly accessible to the support team.</p><p>However, a new MEM feature currently in public preview changes all of that.</p><p>If you navigate to the Devices - Windows section in the MEM console and select a device, expanding the ellipsis (…) should reveal a new option - <b>Collect diagnostics</b>.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXNFJEmrn0Jep2QvNODlYQwUjOnbm0zmWwbATpu2DWN6hUU9FnI1rgVQeQgm2k8xNSFMBEc-gyW2YWcSrrfX_dQFJYQwYeur2lUBMvCCkJYcBJJLis4uD46nD7ECD5KlTOKedv5y7Mrc0/s628/CollectDiag.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="302" data-original-width="628" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXNFJEmrn0Jep2QvNODlYQwUjOnbm0zmWwbATpu2DWN6hUU9FnI1rgVQeQgm2k8xNSFMBEc-gyW2YWcSrrfX_dQFJYQwYeur2lUBMvCCkJYcBJJLis4uD46nD7ECD5KlTOKedv5y7Mrc0/w400-h193/CollectDiag.png" width="400" /></a></div><p>Selecting it will present a dialog asking you whether to 
collect diagnostics from the device. A simple click on the <b>YES</b> button starts the process.</p><p>The results can be found in <b>Monitor - Device Diagnostics</b> on the same device pane (below).</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRDuUGFomFj0qeiowpw9pbz07AWQLsUR82XrdjrTE3wxikNBv5uB-EvCVud_pP7jYsyn38LzZaJZJYuktzr9oxUWCecJCnnvG7UII8W5JDQ84ANTxgne0AunMU4avKho6-qXjCd1cz5nM/s508/Preview.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="508" data-original-width="348" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRDuUGFomFj0qeiowpw9pbz07AWQLsUR82XrdjrTE3wxikNBv5uB-EvCVud_pP7jYsyn38LzZaJZJYuktzr9oxUWCecJCnnvG7UII8W5JDQ84ANTxgne0AunMU4avKho6-qXjCd1cz5nM/s320/Preview.png" /></a></div><p>Initially the status will show pending but once the device picks up the request you should see the status update to <b>Complete</b> with the option to <b>Download</b>. 
If the device is online the action takes about ten minutes.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiD9Ri0i6_2dDvvWNagNhtcyB1LYJJK_GQTEP_S4TCHVEH-rKiaHdkxprpDbYi0Up9zKl0di80KGys-1gcupRDacqfzH_QuVvaPwZBmouWSNFWCDqbqlNB8q_1j9oT1i5WkP1rXzTp_Tcw/s879/Download.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="183" data-original-width="879" height="84" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiD9Ri0i6_2dDvvWNagNhtcyB1LYJJK_GQTEP_S4TCHVEH-rKiaHdkxprpDbYi0Up9zKl0di80KGys-1gcupRDacqfzH_QuVvaPwZBmouWSNFWCDqbqlNB8q_1j9oT1i5WkP1rXzTp_Tcw/w400-h84/Download.png" width="400" /></a></div><p><br /></p><p>The process creates a zip file which you might expect to contain a set of files but instead it presents a list of directories numbered 1-50.</p><p>Since the feature is still in preview these directories might be renamed to give a better idea of the contents but at the moment it’s a bit like opening your birthday presents. A number of the directories contain a single file which is nothing more than a log of the process that created the rest of the logs (logs of logs) but some are much more useful.</p><p>All this could change but at the moment some of the highlights are listed below.</p><p></p><blockquote><i>Spoiler Alert: the <b>MDMDiagHtmlReport</b> can be found in a cab file in directory 44.</i></blockquote><p> </p>
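<p>Once the zip has been downloaded the numbered directories still have to be opened one at a time. The PowerShell script below is an added example, not code from the original post or from Microsoft: it unpacks the bundle, prints an inventory of each numbered directory, expands the <b>mdmlogs-*.cab</b> (directory 44 in the spoiler above) with the Windows <b>expand.exe</b> tool, and then reads the Intune Management Extension logs that cab holds (the CMTrace-format files named in the Win32 app troubleshooting post at the top of this feed) to list only the entries logged as errors. The parameter names, the <b>$WorkDir</b> scratch folder and the sample CMTrace line in the comments are assumptions for illustration; the directory numbering is as observed in the post and may change while the feature is in preview.</p>

```powershell
# Added example (not from the original post or from Microsoft): triage an Intune
# "Collect diagnostics" bundle. Assumes the zip has already been downloaded from
# Monitor - Device Diagnostics. The 1-50 directory layout and the mdmlogs-*.cab in
# directory 44 are as observed in the post and may change while the feature is in preview.
param(
    [Parameter(Mandatory = $true)] [string] $ZipPath,
    [string] $WorkDir = (Join-Path $env:TEMP 'IntuneDiag')   # scratch folder (assumed name)
)

# 1. Unpack the bundle.
Expand-Archive -LiteralPath $ZipPath -DestinationPath $WorkDir -Force

# 2. Inventory: one line per numbered directory listing the files it holds, so the
#    whole "birthday present" layout can be surveyed before opening anything.
Get-ChildItem -LiteralPath $WorkDir -Directory |
    Where-Object { $_.Name -match '^\d+$' } |
    Sort-Object { [int]$_.Name } |
    ForEach-Object {
        $names = Get-ChildItem -LiteralPath $_.FullName -File -Recurse |
            Select-Object -ExpandProperty Name
        '{0,3}: {1}' -f $_.Name, ($names -join ', ')
    }

# 3. Expand the mdmlogs-*.cab with expand.exe, which ships with Windows.
#    Syntax: expand -F:<files> <source.cab> <destination directory>
$cab = Get-ChildItem -LiteralPath $WorkDir -Recurse -File -Filter 'mdmlogs-*.cab' |
    Select-Object -First 1
if ($null -eq $cab) { throw "No mdmlogs-*.cab found under $WorkDir" }
$cabOut = Join-Path $WorkDir 'mdmlogs'
New-Item -ItemType Directory -Path $cabOut -Force | Out-Null
& expand.exe '-F:*' $cab.FullName $cabOut | Out-Null

# 4. Read the CMTrace-format Intune Management Extension logs and keep only the
#    entries flagged as errors. A CMTrace entry looks like this (constructed sample):
#    <![LOG[Win32 app detection failed]LOG]!><time="20:50:08.066+000" date="10-10-2022" component="IntuneManagementExtension" context="" type="3" thread="12" file="">
#    type="1" is informational, "2" a warning and "3" an error.
$cmtrace = [regex]'(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'

Get-ChildItem -LiteralPath $cabOut -Recurse -File -Include 'IntuneManagementExtension*.log', 'AgentExecutor*.log', 'ClientHealth*.log' |
    ForEach-Object {
        $file = $_.Name
        $text = Get-Content -LiteralPath $_.FullName -Raw
        if (-not $text) { return }            # empty log: skip to the next file
        foreach ($m in $cmtrace.Matches($text)) {
            if ($m.Groups['type'].Value -ne '3') { continue }
            [pscustomobject]@{
                File      = $file
                Date      = $m.Groups['date'].Value
                Time      = $m.Groups['time'].Value
                Component = $m.Groups['comp'].Value
                Message   = $m.Groups['msg'].Value.Trim()
            }
        }
    } |
    Format-Table -AutoSize -Wrap
```

<p>Save it as, for example, <b>Triage-IntuneDiag.ps1</b> (an assumed name) and run <b>.\Triage-IntuneDiag.ps1 -ZipPath .\DiagLogs.zip</b> from a PowerShell prompt. If the error filter returns nothing, change the <b>'3'</b> comparison to include warnings (<b>'2'</b>) to widen the view. The bundle also carries registry dumps and the device hash, so treat the extracted folder with the same care as the clear-text logs discussed at the start of this post and delete it once the ticket is closed.</p>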
<hr />
<ul style="text-align: left;"><li>Directories 1-11</li></ul><p>Dumps of registry entries (.reg).</p><hr /><ul style="text-align: left;"><li>Directories 12-27</li></ul><p>Log files for the collection actions (logs of logs).</p><hr /><ul style="text-align: left;"><li>Directories 28-37</li></ul><p>Dumps of various event logs (.evt).</p><hr /><ul style="text-align: left;"><li>Directory 38</li></ul><p>A set of event trace (.etl) files relating to Autopilot. To view an .etl file, open it with PerfView.exe.</p><hr /><ul style="text-align: left;"><li>Directory 40</li></ul><p>Contains <b>mpsupportfiles</b>, a cab file holding various diagnostic logs and event dumps relating to Windows Defender.</p><hr /><ul style="text-align: left;"><li>Directory 41</li></ul><p>The <b>wlan-report-latest</b> html report created by the ‘netsh wlan show wlanreport’ command, which shows wireless session information and related stats.</p><p>Apart from a wealth of information on the hardware interfaces, it contains a dump of the output from ‘ipconfig /all’ and ‘netsh wlan show’ - two of the most useful tools in the box.</p><hr /><ul style="text-align: left;"><li>Directory 43</li></ul><p>The <b>energy-report.html</b> output file created by the powercfg /batteryreport tool, useful in troubleshooting laptop battery usage and health.</p><hr /><ul style="text-align: left;"><li>Directory 44</li></ul><p>Holds a single file, <b>mdmlogs-xxxxxxxx.cab</b>, which contains the files created by the <b>Export your management log file</b> link, including the important <b>MDMDiagHtmlReport</b> file.</p><p>Other files include:</p><p>DeviceHash_<devicename>.csv - contains the device hash.</p><p>Setupact.log - information and log events from upgrade actions.</p><p>Intune Management Extension logs:</p><ul style="text-align: left;"><li>AgentExecutor.log</li><li>ClientHealth.log</li><li>IntuneManagementExtension-xxxx.log</li></ul><p>Event logs from key MDM providers.</p><hr /><ul style="text-align: left;"><li>Directory 45</li></ul><p>Log file output from the <b>msinfo32.exe</b> tool, which summarises the hardware and software profile of the device.</p><hr /><ul style="text-align: left;"><li>Directory 48</li></ul><p><b>Cbs.log</b>: the Component-Based Servicing log, which contains detailed information on the most recently installed Windows updates.</p><hr /><p>Hopefully the directory set will be updated to make navigation through the file a bit easier. However, even in the preview phase this is a welcome addition to the troubleshooting toolkit.</p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-71159819455303018522021-03-11T14:00:00.003+00:002021-03-12T17:55:14.948+00:00 Troubleshooting in MEM/Intune (p1).<h3>Basic Troubleshooting.</h3><p>When IT admins are first presented with a problem it normally comes in a user-centric form.</p><p>For instance:</p><blockquote><p>William Gates can't access the finance package from his new laptop.</p></blockquote><p>Probably 90% of all tickets are made up of users complaining that they can’t access a resource or that something linked to their logon account is not working as they expected.</p><p>Unfortunately most management consoles (and MEM is no exception) are organised from an application- or service-centric viewpoint, which can make it hard to get an overview from a user's perspective. 
You can end up ping-ponging around the console, opening one service dialog after another trying to get a handle on the issue but getting nowhere.</p><p>There is, however, an excellent resource that should be the first port of call for all help desk operatives - the well-named but rarely visited <b>Troubleshooting + support</b> tool.</p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsc0i_ibIa5Qy3XehmXMC5_zw0fznz3tGffQGilaIOLhsIp5ABM_bpknlStewVaxkcgs8SnGoLCdb7Sx85bz5qX5ECgL2TPkHawgEAHcZqmrskBFWtNsvI8VcCjU0ApLzagRt2AGDiRmk/s357/Ticon.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="124" data-original-width="357" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsc0i_ibIa5Qy3XehmXMC5_zw0fznz3tGffQGilaIOLhsIp5ABM_bpknlStewVaxkcgs8SnGoLCdb7Sx85bz5qX5ECgL2TPkHawgEAHcZqmrskBFWtNsvI8VcCjU0ApLzagRt2AGDiRmk/s320/Ticon.png" width="320" /></a></div><br /><p>This might sound obvious but there is a tendency to dive straight into the detail without first gaining a general overview. The advantage of the Troubleshooting + support tool is that it organises information from the user's perspective, summarising a wealth of information in an easy-to-read manner. Since most issues are caused by something stupid this can reveal the problem straight away. 
</p><p>The top-level dialog shows basic account information including whether the user has an Intune licence, a list of group memberships, application allocations, registered devices, application protection status and enrolment failures.</p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnJuFvAmkVBKOiSvVekZFycoRm7-rZlJMdo0GWF4yKpy5BGB9qJzjJj-ynzOAkZT8JjRg43QWhWz9K9uecF5qHf2PUA_inemRX_RMZV4d5RqyHb_wyJ7fGN6L5VPQLZcLowB9w-ClJa0A/s893/TroubleshootingDialog.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="752" data-original-width="893" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnJuFvAmkVBKOiSvVekZFycoRm7-rZlJMdo0GWF4yKpy5BGB9qJzjJj-ynzOAkZT8JjRg43QWhWz9K9uecF5qHf2PUA_inemRX_RMZV4d5RqyHb_wyJ7fGN6L5VPQLZcLowB9w-ClJa0A/w400-h337/TroubleshootingDialog.png" width="400" /></a></div><p>The drop-down provides data on a number of other key areas such as compliance and configuration policies and enrolment restrictions. Selecting an item takes you directly to the service configuration dialog page, which is a real time saver.</p><p>A good approach is to find a user for whom everything works and then use the summary features of the Troubleshooting tool to find the difference between the two user states. 
It’s not going to work all the time but it's a recommended first step.</p><p><a href="https://blog.theserverlessschool.net/2021/03/troubleshooting-in-memintune-p2.html" rel="nofollow" target="_blank">Part 2: Accessing the Local Log files.</a></p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-137884255628505132021-03-01T12:40:00.012+00:002021-03-01T15:08:53.631+00:00Universal Print Revisited.<p>The print subsystem is one of the last hurdles that a school or business needs to overcome to remove the dependence on on-premise servers.</p><p>Ideally the collaborative workflow and document sharing mechanisms of platforms such as Microsoft 365 and Google Workspace will eventually replace the traditional method of transferring data using wood pulp, but that may be a little way off yet.</p><p>In the interim, Microsoft has introduced <a href="https://www.microsoft.com/en-gb/microsoft-365/windows/universal-print" rel="nofollow" target="_blank"><b>Universal Print</b></a>, a system similar in architecture to the now defunct <b>Google Cloud Print</b> that allows Windows 10 users to print to a device anywhere on the network through a cloud-based connector.</p><p>A number of excellent <a href="https://www.youtube.com/watch?v=iDv3egbVkHc" rel="nofollow" target="_blank"><b>blogs and video resources</b></a> have been created that explain how Universal Print works, but it's worth repeating a couple of points.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJRtMg96Y7gXBzIoa3NDltt4Bt5vlld4mgWdGjiQfItYbnouv3RqRt-S4qsS0HltUMznUnGGFa-8q0ifdyEjljE3Ls1rgD44GBBtEhVm-XXEt4yqOrWIW9KECJ50RlDe1ngt9KdJxgxQA/s368/UP.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="315" data-original-width="368" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJRtMg96Y7gXBzIoa3NDltt4Bt5vlld4mgWdGjiQfItYbnouv3RqRt-S4qsS0HltUMznUnGGFa-8q0ifdyEjljE3Ls1rgD44GBBtEhVm-XXEt4yqOrWIW9KECJ50RlDe1ngt9KdJxgxQA/w200-h171/UP.png" width="200" /></a></div><p>Universal Print (UP) is still in development and is missing some key features, the most obvious being that native hardware support is missing from most printer ranges. In fact, at the time of posting I can only find one manufacturer, <b>Lexmark</b>, that supports UP through a firmware update. The models are listed <a href="http://here.">here.</a></p><p>Licencing for Universal Print is bundled as part of the Microsoft E3 licence. Schools looking to move to Modern Management should be adopting Microsoft E3 as standard. If your school subscribes to Office 365 with Enterprise Mobility + Security this is not enough to get Universal Print. For each user that accesses a printer you'll also need Windows 10 E3, E5, A3 or A5. The client also needs to be running Windows 10 version 1903 or later.</p><p>Universal Print doesn't currently support 'Follow-Me' or ID card management. You'll need a bolt-on service like <a href="https://www.papercut.com/products/do-more/universal-print/" rel="nofollow" target="_blank"><b>Paper-Cut</b></a> to provide that. This feature is pretty much top of the product roadmap as its absence is a show-stopper for any type of enterprise deployment. </p><p>Lastly, the mapping of printers through Intune (Endpoint Manager) is a little clunky. I'm pretty sure this is by design; Microsoft doesn't want you to be printing or mapping local drives in the future. However it can be done and this useful post shows how.</p><p><a href="https://powers-hell.com/2020/10/25/deploying-universal-print-printers-with-powershell-intune/" rel="nofollow" target="_blank">Deploying Universal Print Printers With PowerShell & Intune</a></p><p>So, work in progress. If you need a simple system that supports basic print functions without the inconvenience of a local print server, Universal Print, even in its preview form, might be for you.</p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-65924556954179593722021-02-25T19:38:00.002+00:002021-02-26T10:31:17.914+00:00First Look at Azure Active Directory Connect Cloud Sync<p>New schools setting out on the Microsoft 365 platform can look forward to a future without on-premise servers, using Azure AD as the directory service and InTune (Microsoft Endpoint Manager) for device management. </p><p>For existing schools, moving to the cloud while maintaining on-premise Active Directory isn't quite so easy. Local resources such as printers and file shares are protected by local AD while cloud resources require Azure AD accounts. This means two different user databases that have to be maintained and updated.</p><p>Fortunately Microsoft has always provided an application to make this job easier. </p><p>The best known is <b>Azure Active Directory Connect</b> (AADC), a tool that has been ‘rebranded’ several times over the years. Administrators may also know this utility as the Directory Synchronization tool, Directory Sync tool or just DirSync.</p><p>Basically AADC is an application that synchronizes the on-premises Active Directory Domain Services (AD DS) users to the Azure AD tenant. As well as account provisioning it can also transfer a password hash that delivers a seamless logon experience for the user across both platforms. 
Although it's possible for changes to move in the opposite direction (password updates in the cloud are reflected in local AD), for most setups this is a one-way trip - changes in on-premises Active Directory are reflected in Azure AD.</p><p>Azure Active Directory Connect has been a workhorse for Azure deployments but it has a number of limitations, some of which are particularly relevant for schools.</p><p>First, only one instance of AADC can be attached to a single Azure AD tenant. For larger educational trusts that are planning to consolidate multiple sites, each having their own Office 365 organization, this presents quite a challenge. Currently the only solution is to ensure network-level connectivity between the domain controllers in each forest so that the sync requests can be channelled through a single AADC instance. For medium-sized companies that have a corporate WAN in place this isn’t a problem, but for an educational trust trying to incorporate a dozen small primary schools, all using different internet providers, it’s a major headache.</p><p>Second, AADC requires a hosting device and in some cases that means a dedicated server. If the school requires resilience or some degree of fault tolerance you now need two servers. For schools running a virtual infrastructure that requirement can be absorbed, but for smaller sites it’s an unwelcome burden.</p><p>Lastly, although the ease of setup has improved over the years, some expertise is still required to install and configure AADC, which is largely managed through the on-site application rather than the cloud.</p><p>In response, Microsoft has rewritten Azure Active Directory Connect (AADC) from the ground up to create <a href="https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync" rel="nofollow" target="_blank"><b>Azure Active Directory Connect Cloud Sync</b></a> (AADCC). 
Disregarding the confusing naming convention, this new addition is a real winner for education.</p><p>Let's run through a few of the new features.</p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixJ-vuY9g6TpoL6ZPiHRtdUGIoDMZDojo9SuWNygINtRk0ijxZQciB6JOqm8sJP-BUUShhraYn61WoISX8gqHvkfp0xe4_Ep4tMrRCMKAi0evdF0Yqmx25PrZ22foaTsofFIZ7azAh7wQ/s683/Azure.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="330" data-original-width="683" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixJ-vuY9g6TpoL6ZPiHRtdUGIoDMZDojo9SuWNygINtRk0ijxZQciB6JOqm8sJP-BUUShhraYn61WoISX8gqHvkfp0xe4_Ep4tMrRCMKAi0evdF0Yqmx25PrZ22foaTsofFIZ7azAh7wQ/w400-h194/Azure.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><p>First, AADCC can work alongside existing installations of AADC. This is because multiple instances of AADCC can connect to a single Azure organization, each managing a separate domain namespace - a killer feature which removes one of the biggest limitations of AADC. In the new model a fully detached AD forest with AADCC installed can feed into a single centralised tenancy, no WAN required.</p><p>Second, most of the configuration and logic has been moved into the cloud, meaning that the local install is extremely light. The only requirement is a domain-joined Windows 2012 Server with SQL Server 2012 Express LocalDB (a smaller version of SQL Server Express) installed.</p><p>Lastly, the software has no additional licencing requirements and has a simple deployment model. Installing multiple active agents provides high availability.</p><p>How does this help the adoption of Modern Management techniques in a Trust or District model?</p><p>Up until now the amalgamation of schools into a unified tenancy model has been hampered by the fact that only one site can host the AADC. 
A second site that wished to run with hybrid identity would need ‘line-of-sight’ to the hosting site's domain controllers. </p><p>So long as all the other sites only used ‘cloud only’ user accounts you didn’t have a problem, but if two large schools, both with a detached AD forest, wanted to move to Modern Management while maintaining access to local file shares through hybrid identities, you had a problem - until now.</p><p><br /></p><p>So what are the drawbacks of using AADCC rather than AADC?</p><p>The new tool does not allow Pass-Through Authentication. Currently passwords are checked against a password hash stored in Azure. Also there’s no support for writeback of passwords, devices or groups, but other than those two items the functionality is much the same. </p><p>This<a href="https://youtu.be/mOT3ID02_YQ" rel="nofollow" target="_blank"> video</a> from the recent Ignite Conference gives a good overview which includes some configuration and install instructions.</p><p>It’s hard to overestimate the importance of this new capability to the adoption of Microsoft Endpoint Manager as a viable management platform.</p><div><br /></div>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com1tag:blogger.com,1999:blog-4297770645154846859.post-30530281156970159922021-02-02T18:56:00.003+00:002021-02-02T19:00:54.239+00:00Managing Local Groups with InTune<p>For most IT administrators control over local user groups is an important part of the management process. 
Unfortunately for Windows devices that are Azure AD joined this has always been a bit of a challenge.</p><p>Working with InTune there was a <a href="https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-restrictedgroups" rel="nofollow" target="_blank">CSP Policy - RestrictedGroups</a> that you could use, but it had a number of limitations.</p><ul style="text-align: left;"><li>It didn’t support groups, only user accounts.</li><li>It had an overwrite behaviour – it simply replaced the original user list with the users in the policy set, so the results were a little unpredictable. If a user account had been added to the Local Admins group to support a legacy application it would be removed when the new policy set was applied. You couldn’t create policies that layered accounts into the group.</li><li>It only controlled the local Admin group, not any of the other built-in local groups.</li></ul><p>However with <b>Windows 10, version 20H2</b> you get a new feature – the ability to control access to local groups by nesting an Azure AD security group.</p><p>The initial setup is a bit of a challenge but once done it’s a useful tool to have at your disposal.</p><p>The first job is to create an Azure AD security group to contain your new local admins; let's call it <b>All Additional Local Device Admins</b>.</p><p>The second task is to find the SID of your new group.</p><p>Unfortunately you can’t read the information from the web UI because it doesn’t display the SID. 
However it can be found with the <a href="https://developer.microsoft.com/en-us/graph/graph-explorer" rel="nofollow" target="_blank">Graph API/ Explorer</a> using the <b>Group Object ID</b>, which is presented as part of the Group properties page.</p><p style="text-align: center;"><img height="277" src="https://lh3.googleusercontent.com/f6bYjJ0b-TRmHJjQCxmkZ2KoWDCSi_Ok9f-_mAoOyclHvziqg0eMYCNL-gFGw3WlL80ULrUOjK0rZMsVIQtbtzWLmunzW3iPfs5FvWZcMukoU5sbGfMyROdKcRcJWGQtR5L0RIkJ" width="271" /></p><p><br /></p><p>With the Object ID recorded, log in to the Graph API/ Explorer and run a GET query using the form of the request below.</p><blockquote>https://graph.microsoft.com/v1.0/groups/<your Group ID></blockquote><p><br /></p><p><img height="314" src="https://lh5.googleusercontent.com/CBbNlcKX_T2L5LX38OJFLnDhYf817bf8MxAX7y3lOWP8CBt2r7MspHjXhsrPGcn9noBa9UyXz8nVF5Zud3B22aT4X9uPPHNIjvD0dUYwJJ99yHRqoIihdQBxu7S4oRP1ZrkWqKXc=w400-h314" width="400" /></p><p>The group metadata will be displayed in the results window and this will include the SID. Record this value.</p><p>The next task is to create a policy that uses the SID to embed your Azure AD group into the local Admins group.</p><p>Navigate to</p><blockquote>Microsoft Device Management (Intune) - Devices - Windows - Configuration Profiles</blockquote><p>Create a new Configuration Profile - type Custom. 
Provide an appropriate name and description.</p><p>Add a new OMA-URI setting using the ID below for the OMA-URI identifier.</p><blockquote>./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure</blockquote><p>The payload for this policy goes in the <b>Value</b> field.</p><p>It contains a snippet of XML that defines the action. The options that you can incorporate provide a lot of flexibility, allowing you to add to or overwrite the contents of any local group, but for the moment let's keep to the original requirement to update the local Admin group.</p><pre><GroupConfiguration>
    <accessgroup desc = "Administrators">
        <group action = "U"/>
        <add member = "S-1-12-1-3360748891-1147449691-4205429123-2160019913"/>
        <remove member = ""/>
    </accessgroup>
</GroupConfiguration></pre><p>The code contains the instructions to update (“U”) the “Administrators” group by adding the SID “S-1-12-1-3360748891-1147449691-4205429123-2160019913”, which we already know references the Azure AD group All Additional Local Device Admins.</p><p>The XML has a number of different action types including Restrict (“R”), which provides the same functionality as the RestrictedGroups/ConfigureGroupMembership policy setting.</p><p>You can get the full list of actions and options <a href="https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups">here.</a></p><p>Save the policy and assign it to a 
suitable Device security group. There’s no option to select a single device, so it’s best to test it out on a test group first before trusting your luck (and job) to All Devices.</p><p><img height="640" src="https://lh4.googleusercontent.com/WMn9OJ52u7U18wVmq4ZO5m28SaRG9ofp8w9td1bJVae2wiMR1xXpQsntzlwl1MaAz6ddkgNADpoK3_Oz5iHWpo5oR4g1h_GOQMXDo3-9DW_eGsOZL7OECbxl3Hqdhf0_JreAuzfR" width="455" /></p><p>You will now find that adding an Azure AD user account to the <b>All Additional Local Device Admins</b> group will grant admin rights on a policy refresh. Even better, removing the user will remove admin rights on the next login.</p><p>If you use the local MMC to view the members of the Admin group you can see the new group account added, but only as the SID. The name is not resolved.</p><p>Of course there’s no reason why you couldn’t use the same technique to control the membership of other local groups such as <b>Backup Operators</b>. 
Just be aware that although this works with all Windows 10 editions other than Home, you need to be on version 20H2 to get this new feature.</p><div><br /></div>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-80087301467185380512021-01-29T16:49:00.000+00:002021-02-01T16:50:16.540+00:00Managing Policy in G Suite and Intune<p>Following on from some earlier posts looking at the management process in both <b>Microsoft InTune </b>and <b>Google Workspace</b>, it’s worth having a closer look at user and device policies because the models diverge quite a bit at this point.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFS_vY2RAL2Uj7EpRIghvsga082fVxm3Wae3zVbY4qG2Bwd7GvXycHa2nInESPUrd6Th7WWLFKZoGx3bt361a0wb-OgRXlxQDQ_IvP7G9kHV_i4mmhmRojO_aOYYAlGX8w_uqRHrt_LR8/s339/noequal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="188" data-original-width="339" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFS_vY2RAL2Uj7EpRIghvsga082fVxm3Wae3zVbY4qG2Bwd7GvXycHa2nInESPUrd6Th7WWLFKZoGx3bt361a0wb-OgRXlxQDQ_IvP7G9kHV_i4mmhmRojO_aOYYAlGX8w_uqRHrt_LR8/w200-h111/noequal.png" width="200" /></a></div><p>In Google Workspace there is a clear division between a policy that applies to a device and one that affects the user experience. In fact, other than a few examples I can think of, the two policy sets are completely distinct.</p><p>If you then move into the Microsoft space this division breaks down entirely. Here you have a single unified policy set which can be applied at either the device or user level.</p><p>To give an example, using the Microsoft approach you are able to set a policy which controls an aspect of the user environment and apply it at the device level. 
The result will be that the feature is set regardless of which user logs on.</p><p>Using Google Workspace that's not possible. You can’t set a policy that controls the user experience and apply it to a specific Chromebook. </p><blockquote><i>Google Workspace has a kiosk mode which does something similar but this does not apply to authenticated user sessions.</i></blockquote><p>Although this sounds a little restrictive it does make things easier to maintain and troubleshoot. You never have to check whether a policy is being set by the device or the user object, and there is never any conflict resolution.</p><p>Not surprisingly, Microsoft suggests a simple <a href="https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-assign#exclude-groups-from-a-profile-assignment" rel="nofollow" target="_blank">approach</a> to user and device policy.</p><blockquote><i>“If you want to apply settings on a device, regardless of who's signed in, then assign your profiles to a devices group. Settings applied to device groups always go with the device, not the user.”</i></blockquote><blockquote><i>“Profile settings applied to user groups always go with the user, and go with the user when signed in to their many devices.”</i></blockquote><p>The difference between the two platforms is that while Google Workspace imposes these rules, with Microsoft it's just a recommendation. Microsoft provides flexibility but this comes with added responsibility and complexity.</p><p>A second major difference is that, in general, Microsoft policies are applied through a group structure. You can create a policy and then apply it to single or multiple groups, and those groups can be nested. You also have the ability to create groups that contain users and groups that contain devices, and apply both to the same policy set. 
One last level of complexity is that groups can be marked as either <b>applied</b> or <b>excluded</b> for each policy - with exclusion taking precedence.</p><p>Now just because you can do these things doesn’t mean you should, and in fact there are good reasons why you really shouldn’t.</p><p>Again Microsoft best practice strongly recommends you do <b>not</b> mix grants and exclusions using user and device groups as the results “may not be what you want or expect”. They provide a useful <a href="https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-assign#exclude-groups-from-a-profile-assignment" rel="nofollow" target="_blank">table</a> which is really no more than common sense.</p><p>Keeping it simple and granular is going to be the best approach when working with Microsoft policies.</p><p>For both users and devices Google Workspace uses a hierarchy of organisational units to apply settings. Policy is determined by the object's position in the tree and the inheritance at that level. The major advantage of this approach is its simplicity and ease of troubleshooting, but it can be difficult to incorporate exceptions to the rule. For this reason Workspace is stealing a page from Microsoft and incorporating the concept of group exclusion. 
A user set can have a policy applied based on its location in the OU tree, but the setting can be overridden by group membership.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFrELRoxSY-PcjaVuDVcik2DzFrS76-fw0YM-GlUU2PN6KZWT08lbIrdF5Dx9J6cwp08UAVW8kJI8BhS9evgkJ9DYWAgE-8u74PEe_nCF4J5f6-tiemOQT-sZfX4QhyBm9YasHdtmD08I/s846/Groups.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="565" data-original-width="846" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFrELRoxSY-PcjaVuDVcik2DzFrS76-fw0YM-GlUU2PN6KZWT08lbIrdF5Dx9J6cwp08UAVW8kJI8BhS9evgkJ9DYWAgE-8u74PEe_nCF4J5f6-tiemOQT-sZfX4QhyBm9YasHdtmD08I/w400-h268/Groups.png" width="400" /></a></div><p>Typically, you would apply service settings to OUs and then make exceptions for some users. For example, you can restrict YouTube content for accounts but let some groups view all videos or approve videos. In all cases the policy set by the groups overrides the policy set at the OU.</p><p>Not all services allow this function. The ones most commonly used by education include:</p><ul style="text-align: left;"><li>Directory (Profile editing)</li><li>Calendar</li><li>Currents</li><li>Drive</li><li>Gmail</li><li>Google Meet</li><li>YouTube</li></ul><p>Since Google Workspace has no concept of a device group these actions apply to users only.</p><p>Lastly, both platforms have a different way of handling policy negation.</p><p>Google Workspace administrators are used to working with policies that have distinct values (ON/OFF), with each setting having a default value. Also, since each device or user object <b>must</b> exist somewhere in the OU tree, <b>every</b> policy has a setting. The amalgamation of all the settings defines the profile.</p><p>This isn’t the case in the Microsoft world. 
The policy set is a variable array, with elements being added or removed as an assignment moves in or out of scope. The challenge occurs when a policy sets a value to ON but then moves out of scope without another value being explicitly set.</p><p>Does the value return to the original setting, a default, or remain the same?</p><p>The answer is “it depends”.</p><p>The settings are based on <b>Configuration Service Providers</b> (CSP) and each CSP can handle profile removal differently. Some might revert to default values, others do nothing. Microsoft's advice is to work explicitly with each value that needs precise control.</p><p>For instance, if you have restricted a user from a desktop service, simply removing the user group from the policy scope may not be enough to grant access.</p><p>To change a setting to a different value, create a new profile, configure the setting to <b>Not configured</b>, and assign the profile to the device. Once applied to the device, users should have control over the service.</p>
<hr />
<p>Microsoft InTune and Google Workspace: two management models, each with their own strengths and weaknesses. Not better, just different.</p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-65962481431823536172020-12-21T08:49:00.006+00:002020-12-21T17:01:23.857+00:00Moving to a ‘cloud first’ IT strategy.<p><u>Introduction.</u></p><p>Schools thinking of adopting a ‘cloud first’ strategy can often be overwhelmed by the number of things that need to be considered, many of which appear to be project blockers. </p><p>However, if you tackle each issue in isolation the process can be simplified. Most of these issues can be addressed as independent mini-projects, many working in parallel with each other, so significant progress can be achieved in a short amount of time. </p><p>This post outlines an approach that a school might consider when moving to the cloud. The advice is specific to UK schools but many of the ideas can be transferred to other countries.</p><p><u>Basic Strategy and Project definition.</u></p><p>As a first step the school needs to decide if they are moving to Google only (no Windows devices or Microsoft Office) or a solution that uses both platforms. If a school is planning to go solely with Microsoft Azure most of this document still applies; just ignore the Google references.</p><p>If the school is moving to “Google only” this is a different pathway that focuses on migrating the existing application set to SaaS resources and retraining staff. Both pathways have the aim of reducing the dependency on local server infrastructure.</p><p>In reality many schools will retain an element of both. In the UK it’s common to use Google for teaching and learning and Microsoft for administration, finance and supporting the SLT team.</p><p>This post assumes the school will maintain some Microsoft applications and will be running a local copy of MS Office. 
It also assumes the school already operates an Office 365 tenancy using A1 (free) licences. </p><p>This document does not cover the requirements of the internal network in detail.</p><p>However, the basic network requirements for a cloud solution are:</p><ul style="text-align: left;"><li>Robust wireless network linked by an appropriately sized wired backbone.</li><li>High speed internet connection.</li><li>Edge security device (firewall).</li></ul><div><u>Mini-project List.</u></div><div><u><br /></u></div><div><span style="background-color: #999999;"><span style="color: white;"><b> Implementing G Suite </b> ></span></span></div><div><br /></div><div><div>G Suite can be introduced without relying on or affecting the local system. If possible, use the existing Office 365 domain for the Google organization and adopt the same naming schema for staff and student accounts. This approach makes Single Sign-On easy to implement.</div><div><br /></div><div><b>School Action: Create a G Suite Tenancy.</b></div></div><div><b><br /></b></div>
<hr /><div></div><div><div><br /></div></div><div><div><span style="background-color: #999999;"><span style="color: white;"><b> Organise the Cloud Directories.</b> ></span></span></div><div><br /></div><div><div>The Office365 domain will hold user accounts in Azure AD. These accounts are very likely synchronized from local Active Directory using the Microsoft toolset.</div><div><br /></div><div>Using standard facilities provided by Microsoft the Google tenancy can be made to defer to Azure AD for authentication. In this way a user will log on to Google using the password held in Azure.</div><div><br /></div><div>Having two cloud directories requires a method to keep them in sync and a policy decision on which is the ‘master directory’. Since most schools already have a well developed Azure AD with Office365 this normally retains the position of master, pushing accounts into Google and letting Google check passwords against the Microsoft cloud directory. </div><div><br /></div><div>It is possible to work the other way round but it’s uncommon. While it’s easy for a Chromebook to authenticate using an Azure service, the ability for Windows10 laptops to communicate with a Google directory service is still a development feature.</div><div><br /></div><div><br /></div><div><b>School Action: Set the Cloud Directory hierarchy and install a syncing mechanism.</b></div></div><hr /><div><br /></div></div><div><div><span style="background-color: #999999;"><span style="color: white;"><span style="background-color: transparent;"><b> Align applications to Cloud Directories</b></span> ></span></span></div><div><br /></div><div><div><div>Legacy applications may require a local Active Directory to maintain a user list. 
Common examples include cashless catering, RADIUS based wireless authentication and web content filtering.</div><div>A ‘cloud first’ school does not incorporate local AD and so these functions need to be updated to support externally hosted user directories and the related authentication services.</div><div><br /></div><div>There are SaaS alternatives for cashless catering and web content filtering that natively support cloud directories, so one option is to change supplier. However most vendors now have a road map that includes a SaaS offering that supports external directories. Enquire about timelines for release and migration tools.</div><div><br /></div><div>A cloud first school gives an opportunity to re-examine the requirements for wireless authentication. In a traditional solution the internal network has to be protected to reduce the attack surface of the local server infrastructure. In a serverless situation that’s no longer the case as systems are hosted externally. In general SaaS services are accessed using wireless networks that do not require user level authentication (home broadband, mobile). A simpler system based on a WPA2 PSK might be appropriate.</div></div><div><br /></div><div><div><b>School Action: Approach incumbent vendors to gauge support for Cloud Directories.</b></div></div></div><div><br /></div><div><hr /><div><br /></div></div></div><div><div><span style="background-color: #999999;"><span style="color: white;"><span style="background-color: transparent;"><b> Align licensing to Cloud Services.</b></span> ></span></span></div><div><br /></div><div><div>Cloud licensing is based on a subscription model. Previous Microsoft licencing terms have been centred on user/device qualities or concurrent access and are out of step with modern cloud deployments. New services such as Azure Information Protection and Mobile Device Management are not covered by existing licencing. 
The version of Azure AD that comes with Office 365 (Basic) does not have the feature set to support a full cloud deployment.</div><div><br /></div><div>Schools need to move to the new CSP model and purchase Microsoft 365 A3 licences for all staff members who will continue to use a Microsoft desktop.</div><div><br /></div><div><br /></div><div><b>School Action: Re-evaluate the Microsoft licensing model</b></div></div><div><b><br /></b></div><hr /><br /><div><span style="background-color: #999999;"><span style="color: white;"><b> Develop a data migration strategy for local data.</b> ></span></span></div><div><br /></div><div><div><div>A cloud first solution does not hold centralised data on-premise. To be specific, Windows file shares are not supported.</div><div><br /></div><div>The cloud model holds all files external to the site, synchronizing data to the local desktop as required. Both Microsoft (OneDrive) and Google (Drive) have facilities that allow you to work offline and experience the advantage of local access while maintaining the benefits of cloud storage. They can also be incorporated without upsetting existing workflows or the application set.</div><div><br /></div><div>By promoting cloud storage over an extended period the value of the local store will degrade over time. 
It may even be possible to migrate without transferring large amounts of legacy data.</div></div><div><br /></div><div><br /></div><div><b>School Action: Re-evaluate the value of locally held data and promote cloud storage.</b></div></div><div><b><br /></b></div><div><hr /><div><br /></div></div></div><div><div><span style="background-color: #999999;"><span style="color: white;"><span style="background-color: transparent;"><b> Develop a data migration strategy for email.</b></span> ></span></span></div><div><br /></div><div><div><div>It’s highly likely that the school mailboxes are already cloud hosted, normally within Office365 or a district service using Office365.</div><div><br /></div><div>Migrating email into the core service is not a requirement but it can provide efficiencies. If a migration is required sufficient time should be allowed for the data transfer. </div></div><div><br /></div><div><br /></div><div><b>School Action: Re-evaluate the location of email.</b></div><div><br /></div></div><hr /><br /><div><span style="background-color: #999999;"><span style="color: white;"><span style="background-color: transparent;"><b> Examine local devices.</b></span> ></span></span></div><div><br /></div><div><div><div>Windows devices operating within a cloud first school must run a recent version of Windows10. All devices not physically capable of running Windows10 in a responsive manner should be upgraded or retired. 
For legacy devices the Cloud Ready option provides an alternative strategy to decommissioning.</div></div><div><br /></div><div><i>Microsoft has a toolkit that can be run to evaluate upgrade readiness for a large estate.</i></div><div><br /></div><div><b>School Action: Establish the upgrade readiness for the Windows estate.</b></div></div><div><b><br /></b></div><div><hr /><div><br /></div></div></div><div><div><span style="background-color: #999999;"><span style="color: white;"><span style="background-color: transparent;"><b> Setup a PoC for Windows cloud device management</b></span> ></span></span></div><div><br /></div><div><div><div>A proof of concept (PoC) should be established on a sub-set of Windows devices to identify the blockers to a full migration. The PoC should include Azure AD user authentication, enrolment in Microsoft Endpoint management (InTune), application deployment, compliance checking and data security.</div><div><br /></div><div>The plan could also include early adoption for BYOD devices that are not catered for using local Active Directory.</div></div><div><br /></div><div><b>School Action: Plan a PoC for cloud based device management.</b></div></div><div><b><br /></b></div><hr /><div></div><div><div><br /></div></div></div><div><div><span style="background-color: #999999;"><span style="color: white;"><span style="background-color: transparent;"><b> Reevaluate the application set</b></span> ></span></span></div><div><div><br /></div><div>Not all applications will be suitable for a cloud based solution. 
The application set should be standardised prior to migration and SaaS alternatives adopted where possible.</div><div><br /></div><div>If the application is incompatible with Windows 10 its function needs to be examined and replaced.</div><div><br /></div><div>If the school is planning a BYOD strategy the browser will be the common interface across all platforms so it makes sense to move as many services to a web delivery platform as possible.</div></div><div><br /></div><div><div><b>School Action: Create a software catalogue. Start the migration to SaaS.</b></div></div><div><b><br /></b></div><hr /><div><span style="background-color: #999999;"><span style="color: white;"><b><br /></b></span></span></div><div><span style="background-color: #999999;"><span style="color: white;"><b> Reevaluate the use of Print </b> ></span></span></div><div><br /></div><div><div><div>The importance of print is greatly reduced in a cloud first school. The adoption of collaborative working practices and the ease of document sharing has the capability to remove the requirement for students to print altogether. 
From a management perspective arranging print services across a BYOD environment that allows home use is a challenge that is best avoided.</div><div><br /></div><div>One point that is generally overlooked is that once data is transferred to paper it moves outside any security control mechanism and therefore presents a potential backdoor to any data control policy.</div></div><div><br /></div><div><div><b><br /></b></div><div><b>School Action: Promote sharing as an alternative to print for students.</b></div></div></div><div><br /></div><div><hr /><div><span style="background-color: #999999;"><span style="color: white;"><br /><span style="background-color: transparent;"><b> Move MIS and other admin functions to SaaS.</b></span> ></span></span></div></div></div><div><div><div><br /></div><div>Schools should look to move the MIS system and related functions such as finance to a SaaS platform. </div></div><div><br /></div><div><b>School Action: Start a program to migrate on-premise admin apps to SaaS.</b></div><div><b><br /></b></div><hr /><div><br /></div></div><div><div><span style="background-color: #999999;"><span style="color: white;"><b> Examine the internet connection.</b> ></span></span></div><div><div><br /></div><div>In a cloud first school the internet connection is the primary channel to services and data. For this reason it holds the same level of priority as the network backbone with a focus on bandwidth, latency and resilience. A large secondary should be looking to upgrade to a 1Gb/s contract with some form of failover option. 
Try not to pay for bundled services that are not used.</div></div><div><br /></div><div><b>School Action: Re-examine the ISP contract.</b></div><div><br /></div><hr /><div><br /></div></div><div><div><div><span style="background-color: #999999;"><span style="color: white;"><b> Adopt a security model that protects data not systems.</b> ></span></span></div><div><div><br /></div><div><div>One advantage of a cloud first school is that it embraces mobility which often includes personal devices that are outside the security boundary of Active Directory. A security policy that controls user access to the network (802.1X) or user access to file data from the local network (Kerberos) is not suitable for a cloud based model.</div><div><br /></div><div>Both Azure AD and Google can create a secure boundary around data that protects sensitive information on both school and personal devices. The challenge is to migrate the access control checks away from the network, hosting systems and containers and onto the data itself.</div></div></div><div><br /></div><div><br /></div><div><b>School Action: Create a data security policy.</b></div><div><b><br /></b></div><hr /><div><span style="background-color: #999999;"><span style="color: white;"><b><br /></b></span></span></div><div><br /></div></div></div>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-53347054008308901282020-11-03T16:36:00.005+00:002020-11-03T16:40:16.605+00:00GDPR and the Google model contract.<p>It's a universal truth that a parent on the board of governors of a British school will at some time ask the question;</p><p> "Where does Google store the school's data and is it within the EU?"</p><p>The first response to this question is that GDPR itself does not require data to remain within the EU. 
</p><p>The second fact is - GDPR is whatever you decide it is.</p><p>To this end the Department for Education and Google have negotiated what is called a <a href="https://cloud.google.com/security/gdpr" rel="nofollow" target="_blank">'model contract'</a> which defines what GDPR compliance means with respect to using Google Cloud as a Data Processor.</p><p>So long as Google sticks to the clauses of the model contract and the school agrees to the same clauses both the school and Google are working within the GDPR framework. Although the model contract does not require Google to hold data exclusively within the EU it's almost certain that the school's data is stored in the datacentre in Dublin. However it's likely that recovery copies also exist in other data centres outside the EU.</p><p>The more important question is where does the school agree to the model clause? </p><p>It can be found in the admin console under <b>Account Settings - Legal and Compliance</b>.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBxU2KrPEw_ea0IHvrwVU_4WwzpZ324JtH3TgaYv445Ou-h6ggXbR4O0W5P5PTNIBu_W2FN1I9aCQAVDoU5arOj0jB2kDzLiFZNIQAY2CMy_5bmfeMQve97FJ3XGvJzlL3BPtpPuV8cr8/s646/clause.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="140" data-original-width="646" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBxU2KrPEw_ea0IHvrwVU_4WwzpZ324JtH3TgaYv445Ou-h6ggXbR4O0W5P5PTNIBu_W2FN1I9aCQAVDoU5arOj0jB2kDzLiFZNIQAY2CMy_5bmfeMQve97FJ3XGvJzlL3BPtpPuV8cr8/s320/clause.png" width="320" /></a></div><p>A school administrator needs to accept the model contract clause and also fill in the details of the local data officer. If these actions are not completed the school is technically non-compliant if, in the unlikely event, it ever came to a data audit. 
This fact is probably more important than worrying about exactly where the data is stored.</p><p>Of course if the school has an independent GDPR policy which states that all data MUST remain in the EU then you'll have to migrate it all back to local servers.</p><p>Hold on... England's not in the EU either. Hmmm - USB sticks.</p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-27575047349302508292020-10-06T07:30:00.000+01:002020-11-03T16:36:59.292+00:00 Managing Digital Displays with InTune.<p>A common requirement for schools is the management of digital displays. While there are dozens of excellent SaaS applications that will do the job perfectly well it’s also possible to put together a workable solution using the standard features provided by Intune and third party resources such as Google Slides without any additional cost.</p><p>One of the more useful features of Intune is the set of preconfigured device templates, and one of these is Single Application Kiosk, which is exactly what you need for digital displays. It’s not worth going through the details of how this is set up as it’s covered in a number of other posts including this <a href="https://www.youtube.com/watch?v=_41uWko2WkE" rel="nofollow" target="_blank">excellent video walkthrough</a>. Rather this post lists some of the tweaks that take this general idea and make it work in practice.</p><p>One tip mentioned in the video and worth repeating is that you really need to set a maintenance window when you configure the kiosk policy. You really don’t want your digital player to be rebooting in the middle of the day to take a feature update.</p><p>You don’t need any special Windows app to run a web session in kiosk mode - Explorer/Edge will do nicely. The standard kiosk policy takes care of all the auto-login and full screen requirements without any extra effort on your part. 
What you do need to do is create a separate policy to control the target URL for the display.</p><p>This is done by creating a new Device restrictions policy as shown below, replacing the URL with your own value.</p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYzraRBZwG5AwhV8Zqrl481iRBX0WiY5v6jobE4wDl5A4aB8HCVmdGnEfsk_IFHEO0j_ZfYULVNhoRmCh17DO_kMKkkSAIG4oIlCX0-ANbDK83ieV08AhAkQMGYFPcVJV8eIEJ3gSGZgg/s941/Custonm.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="335" data-original-width="941" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYzraRBZwG5AwhV8Zqrl481iRBX0WiY5v6jobE4wDl5A4aB8HCVmdGnEfsk_IFHEO0j_ZfYULVNhoRmCh17DO_kMKkkSAIG4oIlCX0-ANbDK83ieV08AhAkQMGYFPcVJV8eIEJ3gSGZgg/w400-h143/Custonm.png" width="400" /></a></p><p>If you are running a number of displays all presenting different slide shows, each will need its own policy assigned through security groups containing the appropriate display device. Changing the display then becomes as simple as moving the device between groups.</p><p><i>You need to be a little careful working with Kiosk mode as some of the features such as autologon will conflict with standard security settings set in other policies, especially if these are held by the All Devices group. The best approach is to create an All Digital Displays security group and then explicitly exclude it from all policies set on All Devices unless it carries a policy you require.</i></p><p>Setting your policy to apply should force an autologon and present a full screen display and so you might well believe it’s a job well done - not quite. 
If you return in ten minutes you’re likely to find sleep mode has kicked in and your screen is now a blank page.</p><p>Intune has a number of configuration policies that control aspects of sleep mode but these are not always effective in kiosk mode. The solution is to create a new custom profile type with three OMA-URI entries using the information below.</p><p><br /></p><p><span style="font-size: x-small;">Name: DisplayOffTimeoutPluggedIn</span></p><p><span style="font-size: x-small;">OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Power/DisplayOffTimeoutPluggedIn</span></p><p><span style="font-size: x-small;">Data type: String</span></p><p><span style="font-size: x-small;">Value: <enabled/><data id="EnterVideoACPowerDownTimeOut" value="0"/></span></p><p><span style="font-size: x-small;"><br /></span></p><p><span style="font-size: x-small;">Name: StandbyTimeoutPluggedIn</span></p><p><span style="font-size: x-small;">OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Power/StandbyTimeoutPluggedIn</span></p><p><span style="font-size: x-small;">Data type: String</span></p><p><span style="font-size: x-small;">Value: <enabled/><data id="EnterACStandbyTimeOut" value="0"/></span></p><p><span style="font-size: x-small;"><br /></span></p><p><span style="font-size: x-small;">Name: HibernateTimeoutPluggedIn</span></p><p><span style="font-size: x-small;">OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Power/HibernateTimeoutPluggedIn</span></p><p><span style="font-size: x-small;">Data type: String</span></p><p><span style="font-size: x-small;">Value: <enabled/><data id="EnterACHibernateTimeOut" value="0"/></span></p><p><br /></p><p>Once these are set and applied to your security group the display will stay fixed.</p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQU0E5n5IPx2BUzBflEeCKp_VUDMP8yWdtmYEVTcDmqJJvG1Ra7eSRVBxILB8GjqeME3gcM8BcCNGhIYdIGQzzlvv-x2Obw2OnXOLqcuY17nZFa_hTf4KS16aYZcULzr7n-7Fxra7iYgw/s709/Custonm.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="397" data-original-width="709" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQU0E5n5IPx2BUzBflEeCKp_VUDMP8yWdtmYEVTcDmqJJvG1Ra7eSRVBxILB8GjqeME3gcM8BcCNGhIYdIGQzzlvv-x2Obw2OnXOLqcuY17nZFa_hTf4KS16aYZcULzr7n-7Fxra7iYgw/s320/Custonm.png" width="320" /></a></div><p>It's also worth checking if your hosting device has a BIOS setting that allows reboot on power loss. This is a standard feature on the Intel NUC and allows the screen to return to the display on power-up without any manual intervention. You don't really want to be searching for the on/off switch when the screen is 2m from the floor.</p><p>In this example I used a Google Slide that’s published to the web as the target. You can use any URL or third party resource. If you know how to replicate the functions of published Google Slides with Microsoft PowerPoint please drop me a line.</p><p>If you are using a third party platform it's likely that the display will be driven through a local application that controls the update cycle. Using a simple URL like the one provided by Google Slides allows you to control the advance rate but not its refresh. Once the slide deck is loaded it's cached locally which has some advantages if the internet connection is dropped but it also means that new information is only going to be visible once the URL is reloaded.</p><p>The easiest way to guarantee a URL reload is to schedule a reboot of the device. 
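</p><p>To confirm that the three plugged-in power timeouts above have actually landed on a kiosk device, the following PowerShell check can be run locally. It is an added example, not code from the original post or from Microsoft: it reads the live AC timeouts with powercfg (where an index of 0 means "never") and, as an assumption, looks for the delivered values under the PolicyManager registry key where Policy CSP settings are mirrored, so a missing registry value points at an Intune assignment problem while a non-zero timeout points at a conflicting local setting. It assumes an elevated session on an English-language Windows 10 device running on mains power.</p>

```powershell
# Added example, not code from the original post or from Microsoft: verify on a
# kiosk device that the three plugged-in power timeouts pushed by Intune took effect.
# Assumptions (not stated on the page): run in an elevated PowerShell session on
# an English-language Windows 10 install with the device on mains power.

# Each Intune policy name mapped to the powercfg sub-group / setting alias it controls.
$checks = @(
    @{ Policy = 'DisplayOffTimeoutPluggedIn'; SubGroup = 'SUB_VIDEO'; Setting = 'VIDEOIDLE'     }
    @{ Policy = 'StandbyTimeoutPluggedIn';    SubGroup = 'SUB_SLEEP'; Setting = 'STANDBYIDLE'   }
    @{ Policy = 'HibernateTimeoutPluggedIn';  SubGroup = 'SUB_SLEEP'; Setting = 'HIBERNATEIDLE' }
)

function Get-AcTimeoutSeconds {
    # Returns the live AC timeout in seconds for one power setting, or $null if it
    # cannot be read. powercfg reports the value as a hex index; 0 means "never".
    param([string]$SubGroup, [string]$Setting)
    $out  = & powercfg.exe /query SCHEME_CURRENT $SubGroup $Setting 2>&1
    $line = $out | Where-Object { $_ -like '*Current AC Power Setting Index:*' } | Select-Object -First 1
    if ($line -match '0x([0-9A-Fa-f]+)') { return [Convert]::ToInt32($Matches[1], 16) }
    return $null
}

function Get-DeliveredPolicyValue {
    # Assumption: settings delivered through the Policy CSP are mirrored under
    # HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>. A missing value
    # here suggests the profile never reached the device (assignment or sync issue).
    param([string]$Policy)
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Power'
    try { (Get-ItemProperty -Path $key -Name $Policy -ErrorAction Stop).$Policy } catch { $null }
}

$results = foreach ($c in $checks) {
    $seconds = Get-AcTimeoutSeconds -SubGroup $c.SubGroup -Setting $c.Setting
    [pscustomobject]@{
        Policy        = $c.Policy
        Delivered     = if ($null -ne (Get-DeliveredPolicyValue -Policy $c.Policy)) { 'yes' } else { 'no' }
        AcTimeoutSecs = $seconds
        Ok            = ($seconds -eq 0)   # only "never" (0) keeps a signage screen alive
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'At least one plugged-in timeout is still non-zero; the display can still blank.'
    exit 1
}
```

<p>A row showing Delivered = yes but a non-zero AcTimeoutSecs is the symptom described above: the profile arrived but something else (typically a setting from a policy still targeting All Devices) is winning, which is exactly why the post recommends excluding the digital displays group from those policies.</p><p>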
This can be achieved using another custom profile type.</p><p><br /></p><p><span style="font-size: x-small;">Name: ReoccuringRebootSchedule</span></p><p><span style="font-size: x-small;">OMA-URI: ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent</span></p><p><span style="font-size: x-small;">Data type: String</span></p><p><span style="font-size: x-small;">Value: 2019-10-01T02:00:00Z</span></p><p>The date and time value is in ISO 8601 format and both are required. This will reboot the device each day at 02:00 (the trailing Z makes this UTC) to ensure the presentation is current for each day. </p><p>Other reset options can be found in this <a href="https://www.petervanderwoude.nl/post/scheduling-a-reboot-via-windows-10-mdm/" target="_blank">post</a>.</p><p><br /></p>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-77915115739167089862020-09-10T15:41:00.021+01:002020-09-12T08:25:03.296+01:00AI - the second wave of SaaS.<p><b>If nothing else the events of the last few months have highlighted the limitations of traditional IT solutions based on servers and local data.</b></p><p>Schools that embraced cloud storage and SaaS have found the adoption of remote learning an easier pathway than those with teaching resources locked up behind firewalls or maintaining a heavy reliance on server based applications.</p><p>For education it’s been a significant change. Numerous SaaS programs were fast tracked over the summer break and there’s no returning to the old way of working. In the future IT systems will be designed to allow the efficient consumption of SaaS services without the requirement for local stateful data. While people talk about a hybrid scenario it’s really only an interim solution or a ramp to move processes and data offsite. The future is firmly SaaS.</p><p>While remote learning is an immediate payback of this transition it’s only a small part of the SaaS advantage. 
Previous posts have discussed other elements such as cost management, scalability and the levelling of the ‘tech’ playing field but perhaps the biggest advantage has yet to be realised.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://adsp.ai/industries/education/" rel="nofollow" target="_blank"><img alt="ADS - Classroom Dashboard" border="0" data-original-height="711" data-original-width="1666" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT8q2qB7h11qOfM55GF-aLEoRgJBs2IODDkrttBp1VBy_lUrfJ-f9nTFcvuHFd06dp4tVeRQKy3tiwTdMUJKIJN9cF2xhnKyiKmNY8Bsklg-lKVIGUsFjupOot45e6p1yh0wjnNSVUJ-k/w500-h214/ClassroomV2.png" title="ADS - Classroom Dashboard" width="500" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><span style="font-family: arial;">Visualisation Suite for Google Classroom.</span></div><p>Once data is centralised in the cloud, a canvas that was once just fragmented shards of black and white expands into a kaleidoscope of colour painted by <b>Data Analytics</b> and the emerging field of <b>Artificial Intelligence (AI).</b></p><p>The resulting landscape is not just better than what we have currently but completely new. It’s the same transformation that drives the success of platforms such as Amazon, Facebook and Google and it’s inevitable that both processes will have an important role to play in education.</p><p>Most schools and businesses already make use of Data Analytics and AI. Microsoft’s Data Loss Prevention (DLP) features rest on top of these platforms as do most of the processes that intercept email spam and control the threats to your internal network. AI based systems have the capability to draw relationships between seemingly unrelated points of data and then use this information to improve the response. 
The power of continuous improvement should be familiar to anybody who works in teaching and now it can be put to work in a practical way, analysing the school's data resources in ways that were impossible only a few years ago.</p><p>The information stored in platforms such as Google Classroom and Microsoft Teams can be opened out in new and exciting directions. Not just the simple lists of students and classes (although this is useful enough) but insights into how it’s being used, identifying those students who are engaging, those who are being left behind. Not just raw numbers but the patterns of use within that data drawn out across year groups, subjects or any label type and then presented in a secure way using a web dashboard.</p><p>Every school using Google G Suite and Microsoft Office 365 already has access to an advanced analytics toolset through Google Cloud Platform (GCP) or Microsoft Azure but because they are not fully understood they are rarely used. This is almost certain to change because the benefits of adopting this toolset are almost limitless.</p><p>Established SaaS platforms such as <a href="https://www.senso.cloud/" rel="nofollow" target="_blank">Securly</a> use an AI engine to scan messages for signs of depression and self-harm that's capable of understanding local nuances and working across language barriers. <a href="http://Senso.cloud">Senso.cloud</a> offers a visual threat intelligence feature as a standard component in its safeguarding product also using AI.</p><p>Other companies such as <a href="https://adsp.ai/industries/education/" rel="nofollow" target="_blank">Applied Data Science</a> are working with trusts in the UK to help them build customised analytics platforms that open out the data they hold in platforms such as Google Classroom. 
The result goes far beyond the simple snapshot view that you get with a spreadsheet download providing ongoing analysis that can expose trends and patterns over time and give real insights into how a school or Trust is operating and performing.</p><p>The real takeaway for education is the fact that none of this is particularly difficult or costly to implement. Once the school has adopted a SaaS platform the data is in the cloud and the delivery platform is in place (GCP/Azure). Both come with a generous free tier that can be used to trial a service. No local infrastructure is required (of course) and ongoing costs are mainly limited to data storage. Data remains within the same security boundary controlled by the school or Trust - it’s just moved from one database to another. </p><p>The data is already there, it just needs to be put to work. </p><div style="text-align: left;"><i><span style="font-family: inherit;">Disclosure: The Serverless School provided consultancy services to </span></i><a href="https://adsp.ai/industries/education/" rel="nofollow" target="_blank">Applied Data Science</a> <i><span style="font-family: inherit;">to help realise the <b>Visualisation Suite for Google Classroom</b>.</span></i></div>The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-16658379674005846012020-08-13T06:08:00.003+01:002020-08-13T06:21:14.298+01:00Chrome Sign Builder gets a reprieve.<div dir="ltr" style="text-align: left;" trbidi="on">
For those schools using <b><a href="https://chrome.google.com/webstore/detail/chrome-sign-builder/odjaaghiehpobimgdjjfofmablbaleem" rel="nofollow" target="_blank">Chrome Sign Builder</a> </b>to provide digital signage, Google's announcement that it plans to phase out support for Chrome Apps over the next year came as a bit of bad news.<br />
<br />
However in a recent update those schools using the app on Chrome OS got a small reprieve and will now receive support through to <b>June 2022</b>. As a result enterprise administrators can continue submitting and updating private and unlisted apps for two more years but by June 2022 the Chrome Apps platform will be entirely phased out.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-fUM5IF3wTyhD47Zo2Lx9Wi5v3AShegrxtECLyFbZrOLcinGR7NZryud5foKXf6Wa9xQID_tVNUXgD8iZihyEswsXN3OllGdMUzAq2Eg36XqIsyHq7ayX1BUxeV8QyDIR-ctRzHhU2Hk/s1600/CSB.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="188" data-original-width="529" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-fUM5IF3wTyhD47Zo2Lx9Wi5v3AShegrxtECLyFbZrOLcinGR7NZryud5foKXf6Wa9xQID_tVNUXgD8iZihyEswsXN3OllGdMUzAq2Eg36XqIsyHq7ayX1BUxeV8QyDIR-ctRzHhU2Hk/s320/CSB.png" width="320" /></a></div>
<br />
<br />
Google says it's "committed to providing a useful extension platform for customising the browsing experience for all users." and that may extend to creating an alternative version based on the <a href="https://developers.google.com/web/updates/2015/12/getting-started-pwa" rel="nofollow" target="_blank">progressive webapp</a> platform, so hope is not entirely lost.<br />
<br />
These changes only refer to the Chrome Apps platform. The many Chrome extensions that education relies on will be around well after Chrome Sign Builder disappears.</div>
The Serverless Schoolhttp://www.blogger.com/profile/06190457830296623655noreply@blogger.com0tag:blogger.com,1999:blog-4297770645154846859.post-11075667105787042112020-07-29T07:20:00.000+01:002020-08-03T08:28:23.151+01:00It’s a local file cache - just not as you know it.<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<br /></div>
<div>
When you design a serverless school there’s always the option to leave a little bit of local storage in the mix, just to be on the safe side, but this is always a mistake.</div>
<div>
<br /></div>
<div>
To operate a local file server within a role based security model you need local accounts. Cloud directories do not understand Kerberos unless you reintroduce a local domain controller and Active Directory on yet another server. </div>
<div>
<br /></div>
<div>
Once you’ve put Active Directory back into the mix and installed the device to run it on the temptation will be to solve any problem using the old techniques and before you know it you’ll have a rack of servers or, more likely, be suffering 'virtualisation creep'. Nothing has changed and you're back to square one.</div>
<div>
<br /></div>
<div>
The common accusation against a cloud first school is that you can’t access cloud data without some form of local storage or caching of files. When a class of 30 students opens a 10 GB media file stored in the cloud everything will freeze as 300 GB of data is pulled down a 100 Mbps connection, and two years ago that was probably true. Except now it doesn’t freeze because there is a <b>local cache</b>, just not the one you might expect.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt7i6PFdfqxWAdNUfmV3Zh_OoP8LYbXk-pI2RQgHA3r5JXswViKi5t7DHkFugAPjPTe90J8l8SGTKXTLPp7CV3MzERYJuhxLp960YCcU_jNL1rNVAedcLwm3-XSgT13wuEXdnUbeXgbzc/s1600/distributed.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="274" data-original-width="434" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt7i6PFdfqxWAdNUfmV3Zh_OoP8LYbXk-pI2RQgHA3r5JXswViKi5t7DHkFugAPjPTe90J8l8SGTKXTLPp7CV3MzERYJuhxLp960YCcU_jNL1rNVAedcLwm3-XSgT13wuEXdnUbeXgbzc/s200/distributed.png" width="200" /></a></div>
<br /></div>
<div>
In a cloud first school the local cache is distributed across almost all the workstations and managed directly by the <b>OneDrive</b> or <b>Google File Stream</b> client. This creates a distributed, fault tolerant local cache with access to TBs of local solid state storage and almost limitless CPU cycles, all talking to a back-end that moves data to and from the site using predictive on-demand technologies. </div>
<div>
<br /></div>
<div>
<b>OneDrive</b> supports delta level file updates across a wide range of file types including most graphics packages. A 90K update to a 10GB file creates 90K of traffic. The system has its own built-in form of QoS, trickle feeding updates back to the cloud while making sure common files are received from the local cache.</div>
<div>
<br /></div>
<div>
Collaborative workflow is standard, as is file versioning and user on-demand recovery. </div>
<div>
<br /></div>
<div>
If configured correctly the data never moves outside the school security boundary. DLP policies and intelligent labelling and classification control access based on content, so that files are secured from any location and any platform. The school data protection strategy can be realised in an observable rule set applied to every device, personal or school owned.</div>
<div>
<br /></div>
<div>
Technically the distributed replication approach backed by DLP is so superior to a local file server it's like trying to compare a firework to a Falcon Heavy. This is the model both Google and Microsoft are betting the business on, and trying to retro-fit centralised file syncing to the cloud goes against the technological direction of both companies.<br />
<br />
Distributed sync, cloud to device, no servers required is the way forward.<br />
<br /></div>
<div>
<br /></div>
</div>
<h2>Win32 app lifecycle for Intune.</h2><p>Posted 2020-05-01, updated 2020-06-02.</p><div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Microsoft's documentation on the format and deployment of Windows apps (Win32) within InTune is pretty comprehensive and is well supported by a number of <a href="https://www.petervanderwoude.nl/post/working-with-custom-detection-rules-for-win32-apps/" rel="nofollow" target="_blank">technical blogs</a> which take you through the <a href="https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management" rel="nofollow" target="_blank">packaging</a> and the <a href="https://www.anoopcnair.com/intune-management-extension-level-3-troubleshoot/?unapproved=369278&moderation-hash=a80198951b15675a528c24a1dbbb6e7b#comment-369278" rel="nofollow" target="_blank">InTune Management Extension</a> (IME) workflow.<br />
<br />
What is less well explained is what happens next.<br />
<br />
Your V1 app has been marked as <b>Required</b> and deployed successfully but now the vendor has released V2. How do you get V2 onto the desktop?<br />
<br />
The new V2 app clearly requires repackaging to create an updated <a href="https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management" rel="nofollow" target="_blank">.intunewin </a>payload and logic would suggest that if the V2 package replaces the old V1 version in the original InTune app definition the change will roll out to the desktops - but it doesn’t.<br />
<br />
As far as InTune is concerned the V1 app is marked as <b>installed </b>for the device or the user. Simply uploading an updated .intunewin file doesn’t change that fact. The only way to break the log jam is to convince InTune that the app isn’t installed anymore which forces a re-install and a subsequent upgrade.<br />
<br />
The Win32 object has a number of ways to detect if an app is installed. Again these are well documented in other <a href="https://www.petervanderwoude.nl/post/working-with-custom-detection-rules-for-win32-apps/" rel="nofollow" target="_blank">technical blogs</a> but in summary it involves checking for files, folders or registry entries or a combination of all three. This works for the initial deployment because it’s a fair bet that if the startup executable can’t be found in the install path it’s probably not installed. However for an upgrade this approach cannot be relied on. Unless the process creates a new file / folder or updates a registry entry that you can check for, the logic will always return ‘installed’ and assume there is nothing to do.<br />
<br />
Even if you can update the original app object and identify a feature to test for, you are not going to get much feedback on how the upgrade is progressing. The best that you can hope for is a report that tells you that 100 instances are installed and, at any time 100 instances are still installed. There’s no feedback on the roll-out process because the app only reports if it’s installed - which it is in all circumstances.<br />
<br />
For this reason, best practice suggests creating a new Win32 object for each app version and retiring the old version by removing the assigned group or changing the status from <b>Required</b> to <b>Available</b>. This makes things nice and clean and gives you a good idea of how things are progressing but doesn’t solve the problem of triggering the install process in the first place.<br />
<br />
<img height="161" src="https://lh6.googleusercontent.com/j4le1lyPQsOxGq80D7T49jjcvdKt8zfVU9DATWuT8PgekVZCI3c6MJkXiA1h13D__ld1OPDAChWojvo_vuGaZJmiRjSAZ9AKi3f6hy_XIUIMKlcPbxiLpIuqfCIKQGEZkZR7SRax" width="491" /><br />
<br />
<br />
Fortunately the Win32 object gives you the option of running a script instead of looking for files and folders which allows you to check the version of the application using the script below.<br />
<br />
<br />
<pre>
# Detection script: read the file version of the installed executable.
# Replace the two placeholders with the real install path and the version shipped in the new package.
$ver = (Get-Command "<< Path to the app.exe >>" -ErrorAction SilentlyContinue).FileVersionInfo.FileVersion
if ($ver -eq "<< Version Number to Test For >>")
{
    # Output on STDOUT together with a zero exit code tells Intune the app is installed.
    Write-Host "Updated Version Installed"
}
# No output plus exit code 0 is read as "not installed", which triggers the install or upgrade.
exit 0
</pre>
<div>
<br /></div>
The script must return zero in the exit code <b>and</b> write to STDOUT to signal that the application has been detected.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img height="135" src="https://lh3.googleusercontent.com/Ck5efQ751S8HxNLZW8ErZbitNrEwa2R7yNOFDfOUb6E1BFZshM9kBACG9OSsHKTzPqZny3A-f5a1ypsns1_vk49b-LEKaI6IijyU3BWhnACyH1YWDB1ecDjDJdElIPeRve1hBjIl" style="margin-left: auto; margin-right: auto; margin-top: 0px;" width="320" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;">https://www.petervanderwoude.nl/post/working-with-custom-detection-rules-for-win32-apps/</td></tr>
</tbody></table>
<br />
This will force the update onto V1 machines and since the check is also run at the end of the process it’s a surefire way of ensuring the update has been a success.<br />
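The version test can be made more robust than a plain string equality. The detection script below is an added example, not the post's own script or anything from Microsoft: it casts the file version to [version] so that 2.10 sorts after 2.9, reports the app as detected for the target version or anything newer (so a later V3 rollout does not pull a V2 reinstall onto the same device), and optionally refuses to report the app as installed when the executable's Authenticode signature is not valid, so that a tampered or half-copied binary triggers a reinstall instead of being silently accepted. The install path, the vendor folder and the version number are placeholders; the signature check assumes the vendor signs the executable and should be switched off for unsigned apps.<br />

```powershell
# Intune Win32 detection script (added example; not the post's own script or Microsoft's).
# Placeholders: the install path, vendor folder and target version below are assumptions.
$AppPath          = 'C:\Program Files\ExampleVendor\ExampleApp\ExampleApp.exe'
$MinimumVersion   = [version]'2.0.0.0'
$RequireSignature = $true   # set to $false for apps whose vendor does not sign the executable

function Test-AppDetected {
    param(
        [string]$Path,
        [version]$Minimum,
        [bool]$CheckSignature
    )

    # Not installed at all: nothing to report.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    # FileVersion is a free-text field; vendors sometimes append suffixes such as
    # "2.0.0.0 (build 1234)", so take only the leading dotted-numeric part before casting.
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    if ($null -eq $raw -or $raw -notmatch '^\s*(\d+(\.\d+){1,3})') { return $false }
    $installed = [version]$Matches[1]

    # [version] compares component by component, so 2.10.0.0 -ge 2.9.0.0 is true,
    # whereas the string comparison "2.10.0.0" -ge "2.9.0.0" is false.
    if ($installed -lt $Minimum) { return $false }

    # Optional integrity check: a binary with a missing or broken Authenticode signature is
    # not reported as installed, so a tampered or half-written file triggers a reinstall.
    if ($CheckSignature) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') { return $false }
    }

    return $true
}

if (Test-AppDetected -Path $AppPath -Minimum $MinimumVersion -CheckSignature $RequireSignature) {
    # Exit code 0 plus output on STDOUT is what Intune reads as "detected".
    Write-Output "Detected $AppPath at version $MinimumVersion or later"
}
# Exit code 0 with nothing on STDOUT is read as "not detected" and triggers the install.
exit 0
```

Upload it as the custom detection script of the new Win32 app object; because the same script runs again after the install completes, a failed or partial upgrade shows up immediately as a device that is still not detected.<br />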
<br />
Once you start scripting you can embed any logic you like but it’s best to keep it simple because once the code has been uploaded to the Azure store there’s currently no method within the GUI to recover the script or even view its contents, so this process has to be manually documented.<br />
<br />
Clearly this is not an ideal situation and it’s likely that Microsoft has a roadmap to make this process easier, possibly by involving a version label or something similar. In the meantime it's worth giving some thought to how you intend to maintain Win32 apps before the initial install goes out.<br />
<br />
<br /></div>
<h2>Take a train ride to Azure.</h2><p>Posted 2020-04-20, updated 2020-04-21.</p><div dir="ltr" style="text-align: left;" trbidi="on">
For a while now Microsoft has been signalling its intention to move towards role-based training in an attempt to test real world problem solving skills rather than the simple accumulation of facts around a specific platform or technology. This reorganization has resulted in the wholesale retirement of the old MCSx accreditation tracks which have formed the cornerstone of Microsoft training since Windows Server 3.5 launched in 1994.<br />
<br />
The original announcement fixed the retirement date on June 30, 2020. In response to the current situation this <a href="https://www.microsoft.com/en-us/learning/community-blog-post.aspx?BlogId=8&Id=375282" rel="nofollow" target="_blank">has been extended to January 31, 2021</a> but this still places the cut-off within a nine month period. Any exam passed prior to the retirement date will stand for one year after the exam is retired but after that all current MCSx credentials <a href="https://www.microsoft.com/en-us/learning/community-blog-post.aspx?BlogId=8&Id=375289" rel="nofollow" target="_blank">will be stamped as inactive.</a> From that point it’s over to the new <a href="https://www.microsoft.com/en-us/learning/browse-all-certifications.aspx" rel="nofollow" target="_blank">role-based certification tracks</a>.<br />
<br />
Microsoft is well known for updating the training programs at regular intervals. Any network admin attempting to keep their CV up to date will know it’s pretty much a full time job so why is this change any different?<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2I4WEKLqO-vBAqADgyobM5o24WW3tm13xmDA3DdZc1Fh6ifqQ_mJKHj0gXL9JLdqASTQ5SIADd-Tgefg2riKFxY4goHzdHl31mL91wCcAphg8yoRJgrulCkX5ivJfC0UArtykzQweZsI/s1600/Screenshot+2017-12-26+at+07.55.40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="209" data-original-width="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2I4WEKLqO-vBAqADgyobM5o24WW3tm13xmDA3DdZc1Fh6ifqQ_mJKHj0gXL9JLdqASTQ5SIADd-Tgefg2riKFxY4goHzdHl31mL91wCcAphg8yoRJgrulCkX5ivJfC0UArtykzQweZsI/s1600/Screenshot+2017-12-26+at+07.55.40.png" /></a></div>
<br />
<br />
Well it’s down to the number of exams being retired and the wholesale shift to cloud technologies.<br />
<br />
Consider this simple fact: there is no longer an exam that explicitly tests for proficiency in <b>Windows Server 2019</b> administration.<br />
<br />
The official line is that<br />
<br />
“<a href="https://www.microsoft.com/en-us/learning/community-blog-post.aspx?BlogId=8&Id=375282" rel="nofollow" target="_blank">Windows Server 2019 content will be included in role-based certifications on an as-needed basis for certain job roles in Azure</a>”.<br />
<br />
The Windows Server admin exams were the cornerstone of the old MCSE but now they don’t even exist. As far as Microsoft is concerned Windows Server knowledge is still important but only as it applies to Azure cloud services.<br />
<br />
Looking for the update to the SQL Server admin exam? Much the same I’m afraid because you really should be using the Azure SQL Database as a PaaS.<br />
<br />
The new Microsoft accreditation tracks are wholly and unashamedly focused on Azure and the associated cloud services such as Modern Management and Desktop Analytics. On-premises is part of that but only as far as it supports Azure.<br />
<br />
This change will feed into the partner channels who will need to rapidly re-skill before the cut-off date so it might be a good time to invest in training companies or get that training budget signed off.<br />
<br />
For the traditional Microsoft IT administrator who expects to be cramming facts about Windows Server 2019 installation procedures, scaling limitations and hardware requirements it’s all going to look a little strange but the plan to sit tight and wait for the cloud to blow over is no longer an option.<br />
<br />
There’s a general rule that if you want to get an insight into the future direction for any tech company - check out its training program.<br />
<br /></div>
<h2>Goodbye Office A1, hello Microsoft A3.</h2><p>Posted 2020-04-13, updated 2020-07-06.</p><div dir="ltr" style="text-align: left;" trbidi="on">
<h3 style="text-align: left;">
Why schools should expect to move away from free MS licencing.</h3>
<br />
There’s little doubt that one of the attractions of the Office 365 for Education A1 (O365 A1) licence is the price.<br />
<br />
For no cost at all schools receive hosted mailboxes, a generous amount of cloud storage, office web apps and a user directory for an unlimited number of users that supports Single Sign On.<br />
<br />
So with the ever increasing facilities offered by Office 365 it might seem like a plan to ditch the servers and the local licensing, operate entirely from the cloud and pay Microsoft nothing at all. Unfortunately as schools and businesses start to understand the requirements of Microsoft's <a href="https://www.microsoft.com/en-us/itshowcase/managing-windows-10-devices-with-microsoft-intune" rel="nofollow" target="_blank">Modern Management</a> strategy that idea is a non-starter for a number of reasons.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="border: none; display: inline-block; height: 238px; margin-left: 1em; margin-right: 1em; overflow: hidden; width: 390px;"><img height="195" src="https://lh3.googleusercontent.com/1abf3DquITwYuNDLDvbmXLQozboaLqDxGEjYm4X3Lcojaq-ogG6CO-jvDwmNnpZzTSzPWvJzabA7utQznTjq16n2NPqt8skmHuG-U21HY-NOzhTQ1VLbUHkTfIhsxcDXe8f05AtE" style="margin-left: 0px; margin-top: 0px;" width="320" /></span></div>
<u>Windows 10.</u><br />
Without onsite servers schools will be relying on <a href="https://www.microsoft.com/en-gb/microsoft-365/enterprise-mobility-security/microsoft-intune" rel="nofollow" target="_blank"><b>Microsoft InTune</b></a> for device management and that requires a licence that’s not covered by O365 A1. It’s quite possible to register devices with Azure AD without incurring a licence and this gives you a certain amount of control around device security, but this is best suited to BYOD deployments. It’s also possible to join Windows 10 devices to Azure AD in a similar way to adding a device to an on-premise Active Directory but this is not a full management package. Without enrolment into InTune you have no control over the way users access and share information and, more importantly, you are unable to deploy and authenticate applications.<br />
<br />
Therefore licensing in a serverless solution will need at least Office 365 A1 + InTune for each user.<br />
<br />
<u>Azure AD.</u><br />
The cloud directory service that you get bundled with O365 A1 is the <a href="https://azure.microsoft.com/en-gb/pricing/details/active-directory/" rel="nofollow" target="_blank"><b>Office365 Apps</b></a> version which was previously called Basic. As the name suggests a few key features are missing from this package and one of the most important is <a href="https://docs.microsoft.com/en-us/mem/intune/enrollment/quickstart-setup-auto-enrollment" rel="nofollow" target="_blank"><b>auto-enrolment</b></a>. This allows users to use a school account to join devices to Azure Active Directory while automatically enrolling into InTune.<br />
<br />
Combining auto-enrolment with <a href="https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot" rel="nofollow" target="_blank"><b>Auto-pilot</b></a> it’s possible to ship devices directly to the user from the supplier and be assured that the device will exit the OOBE with a secure work profile and an approved application set installed.<br />
<br />
Auto-enrolment is closely related to <b><a href="https://docs.microsoft.com/en-gb/archive/blogs/pauljones/dynamic-group-membership-in-azure-active-directory-part-1" rel="nofollow" target="_blank">Dynamic Groups</a></b> which is another capability missing from the Office365 Apps version. Dynamic Groups allow a user or device security group to be defined on the basis of a user property. Because groups are the primary method of controlling the allocation of policy and access rights (Azure AD does not use a directory OU structure like on-premise AD), dynamic groups are pretty much essential in an environment where users and not admins are adding devices to the directory.<br />
<br />
Going forward you are also going to need <b><a href="https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview" rel="nofollow" target="_blank">Conditional Access</a>,</b> the ability to manage access to data and systems based on user groups, locations, device platform and client application. Another key requirement is <a href="https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-overview" rel="nofollow" target="_blank"><b>Enterprise State Roaming</b></a> which performs a similar function to roaming profiles providing users with a unified experience across their Windows devices.<br />
<br />
Basically the Office 365 Apps version of Azure AD doesn't meet the requirements of a Windows 10 deployment which means an upgrade to <a href="https://azure.microsoft.com/en-gb/pricing/details/active-directory/" target="_blank"><b>Azure AD Premium P1</b></a> as a minimum.<br />
<br />
So you now need Office 365 A1 + InTune + Azure AD Premium P1.<br />
<br />
<u>Microsoft Office.</u><br />
To activate and manage the Office desktop apps deployed through Microsoft Intune you need an <a href="https://www.microsoft.com/en-gb/microsoft-365/business/compare-more-office-365-for-business-plans" rel="nofollow" target="_blank"><b>Office 365 ProPlus licence</b></a> allocated to each user. So long as the user holds a licence the apps can be installed on multiple devices including Macs, iOS and Android platforms.<br />
<br />
If you are keeping track the list now reads Office 365 A1 + InTune + Azure AD Premium P1 + Office Pro Plus.<br />
<br />
<u>Azure Information Protection.</u><br />
For most schools and businesses <b><a href="https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection" rel="nofollow" target="_blank">Azure Information Protection</a> </b>(AIP) is probably seen as a nice-to-have or even more likely, a complete unknown.<br />
<br />
AIP helps an organisation to classify and protect its documents and emails by applying labels. Labels can be applied automatically by administrators and are then used to drive rules and conditions that control how that data might be shared and used within an organization and, importantly, external to the workplace. Once you adopt a strategy based on mobility and collaboration the security framework provided by the share permissions tied to a fixed storage location only goes so far. Both businesses and schools need to adopt a new security model based on zero trust networking and move away from the historic perimeter method which is no longer effective.<br />
<br />
With AIP the access permissions rest with the document itself regardless of its location and this allows far tighter control and visibility over where the sensitive data is and who can see it. As ever tighter regulation is placed on schools to demonstrate a robust data management policy, AIP will become a necessity.<br />
<br />
Although rarely implemented in schools the O365 A1 Education licence includes some of the data protection capabilities of the Azure Information Protection platform. This feature is referred to as <a href="https://products.office.com/en-us/business/azure-information-protection-for-office-365?activetab=pivot%3aoverviewtab" rel="nofollow" target="_blank"><b>Azure Information Protection for Office 365</b></a>. The full package extends data protection across non-Microsoft Office file formats as well as providing manual, default and mandatory document classification and for that you require a minimum of <a href="https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection" rel="nofollow" target="_blank"><b>Azure Information Protection P1. </b></a><br />
<br />
So now you need Office 365 A1 + InTune + Azure AD Premium P1 + Office Pro Plus + Azure Information Protection P1.<br />
<br />
<br />
The list is starting to grow but you are unlikely to upgrade your Office 365 A1 licence by purchasing each additional element separately because Microsoft offers some licence bundles to make life easier.<br />
<br />
The obvious one is <a href="https://www.microsoft.com/en-gb/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing" rel="nofollow" target="_blank"><b>Enterprise Mobility + Security E3</b></a>. This includes Azure Active Directory Premium P1, Microsoft Intune and Azure Information Protection P1 in a single licence so it gets you most of the way but without Office Pro Plus.<br />
<br />
Previously, the easiest way to get an Office Pro Plus licence was to simply upgrade to Office 365 A3 which was essentially an Office 365 A1 licence with larger storage allocations and the ability to install the local Office apps. Putting both Office 365 E3 and Enterprise Mobility + Security E3 together gets you what you need but there is an easier way.<br />
<br />
In the future Microsoft expects you to purchase the <a href="https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-education" rel="nofollow" target="_blank"><b>Microsoft 365 A3</b> </a>licence which is the union of Office 365 A3 plus Enterprise Mobility + Security E3. In many respects this is the end game - a single user licence that delivers Microsoft as a Service as a yearly subscription.<br />
<br />
The pressure to move to this new licensing model comes from a number of directions. First, Microsoft's strategy is now fully focused on cloud services such as <a href="https://products.office.com/en-gb/microsoft-teams/group-chat-software" rel="nofollow" target="_blank"><b>Teams </b></a>and <b><a href="https://docs.microsoft.com/en-us/configmgr/desktop-analytics/overview" rel="nofollow" target="_blank">Desktop Analytics</a>.</b> In fact any new feature on the server platform is normally prefaced by the word "hybrid" which is generally a hint that a move to the cloud is imminent. When you see this, pack your bags.<br />
<br />
Second, education has always been dependent on the ‘<a href="https://educationblog.microsoft.com/en-us/2018/08/3-key-ways-microsoft-365-education-gives-you-the-most-value-at-the-lowest-cost/" rel="nofollow" target="_blank">student use benefit</a>’ which grants students free use of licences if the teaching team is fully licenced. Few schools would be able to afford the licencing bill without this scheme. However only the larger licence bundles are covered in any practical way. Purchasing an individual licence for InTune or Office Pro Plus allows you to licence 15 students while the larger Microsoft 365 A3 bundle gives you 40. Trying to save money by targeting specific groups with individual licence packs will cost more in the long run because you need to cover the shortfall for students.<br />
<br />
So what would be the cost of licencing a ‘serverless’ Microsoft school in the UK?<br />
<br />
Let's say the annual subscription to A3 for education is £5.00 user/month which equates to £60 per year. Therefore a school with 70 staff will be paying £4,200 a year (60 X 70) with the rights to licence a further 2800 student accounts (70 x 40) under a student benefit agreement.<br />
<br />
That seems like a scandal! One minute you’re paying nothing for Microsoft cloud services and the next you’re being scalped for just over four grand a year - but that's not the whole picture.<br />
<br />
Running Office 365 A1 with local infrastructure has a range of hidden costs once you take into account the obvious requirement for local server licences and user CALs. Servers and storage cost money to power up and cool down and represent a large initial investment that needs refreshing every five years. There’s an IT maintenance contract or internal staff costs to consider, backup hardware and software and a disaster recovery plan (maybe).<br />
<br />
Also factor in the money used to provide end-point security such as anti-virus and drive encryption especially after you consider support contracts and upgrades. Remember to include the annual renewal for the fashionable learning platform that promised to deliver collaborative workflow and remote learning but was never widely adopted.<br />
<br />
In conclusion, schools pay indirectly for Office 365 A1 through the ancillary services but without having much idea of what the overall cost is. Well now you do.<br />
<br />
In our example and using Microsoft A3 it’s just under £1.50 a year for each of the 2870 staff and student members but only if you ditch those servers and embrace the new normal.<br />
<div>
<br /></div>
</div>
<h2>Keep Calm and Get SaaS.</h2><p>Posted 2020-03-19.</p><div dir="ltr" style="text-align: left;" trbidi="on">
The recent announcement of school closures in the UK and across Europe has thrown up a raft of new challenges, one of which is - “how can we teach without a school”.<br />
<br />
For those establishments who have made the move to Software as a Service (SaaS) and reduced the role of local servers and infrastructure this may not be too much of a problem. If implemented correctly and protected by a cloud user directory such as Azure AD or Google it’s quite possible that learning could continue remotely so long as students and teachers have access to the internet and some form of mobile device.<br />
<br />
But what can be done for those schools whose data and systems are locked behind the school firewall for the next few months?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzhkq62Udc0GnLly-ws_eCln7t-jZnvuw_B3uVoUxeQQ8ofyjHWMHPliYeShcxvEJomUzRgiqgUJZ7ony3h6BWz352rwTJUltu3ZKLJ63iwJRtfC3zIuVunfF1vzkcwxnDMdf_G4a9Ep4/s1600/KeepCalm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="284" data-original-width="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzhkq62Udc0GnLly-ws_eCln7t-jZnvuw_B3uVoUxeQQ8ofyjHWMHPliYeShcxvEJomUzRgiqgUJZ7ony3h6BWz352rwTJUltu3ZKLJ63iwJRtfC3zIuVunfF1vzkcwxnDMdf_G4a9Ep4/s1600/KeepCalm.png" /></a></div>
<br />
First, it’s never too late to stand up an educational account in either Microsoft Office 365 or Google G Suite for Education and start moving services to the cloud. In response to the crisis Google are fast tracking school requests and it’s possible to be up and running with a tenancy within a few days. Both platforms have the ability to quickly import accounts, set up shared storage accounts and move data across. It may not be perfect but your school now has a fully functional collaborative workspace that can operate from any location.<br />
<br />
If you are going Google, <a href="https://edu.google.com/products/classroom/" rel="nofollow" target="_blank">Classroom</a> is going to be the answer to remote teaching for the next few months. This is now a fully featured, mature service and since it’s entirely web based and free from any licensing you can have a remote learning platform up and running in days.<br />
<br />
Both Office 365 and G Suite have integrated video conferencing and messaging platforms that can be used for teaching. Google has made the <a href="https://support.google.com/edu/classroom/thread/32576916?hl=en" rel="nofollow" target="_blank">premium features of Google Meet </a>free to all G Suite for Education customers until July 1, 2020. This includes the ability to record meetings, livestream up to 100k people and add 250 people to a Hangout.<br />
<br />
Consider getting hold of some Chromebooks for remote working. These devices are dead easy to set up and manage and work just as well with the Office 365 web apps as with G Suite. If you already have a remote access solution based on Citrix, VMware or MS Terminal services, Chromebooks are the dream client platform. If you can’t afford any hardware and only have a stock of underpowered laptops that aren't up to the mobile challenge, you can easily re-purpose them with <a href="https://www.neverware.com/#intro" rel="nofollow" target="_blank">Neverware </a>and plug them back into your new cloud services.<br />
<br />
Last of all, if this all seems a bit overwhelming, you can make the transition as easy as possible by contacting a partner or supplier who can help you with the setup process and training.<br />
<br />
Keep calm - contact a platform partner or just roll up your sleeves and get started with SaaS.<br />
<br />
<br />
<br /></div>
<h2>Provisioning OneDrive for new users.</h2><p>Posted 2020-02-14, updated 2021-03-11.</p><div dir="ltr" style="text-align: left;" trbidi="on">
Although you can create a student account in Office 365 and allocate OneDrive as a resource, behind the scenes the storage location is not actually assigned to the user account.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRnzKNBSPHZ26Kjhg6IbeJRTbF9mHxhpa0FPP9bwic7Oki3TTR8-LYK96vdjQ6sUAxBeysi9yZexydJpYeF5tVdSZdgZtJsO8-XQiRpOb5TA0CS3gqeLSoE4RZ4nCEzdOoIXq4pPK_ZyQ/s1600/OneDrive.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="202" data-original-width="324" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRnzKNBSPHZ26Kjhg6IbeJRTbF9mHxhpa0FPP9bwic7Oki3TTR8-LYK96vdjQ6sUAxBeysi9yZexydJpYeF5tVdSZdgZtJsO8-XQiRpOb5TA0CS3gqeLSoE4RZ4nCEzdOoIXq4pPK_ZyQ/s200/OneDrive.png" width="200" /></a>This normally occurs the first time the user tries to access or browse to their OneDrive, which sometimes causes a noticeable delay before the site opens. For one-off accounts this is not too much of an issue, but for class groups on the first day of term it's not something you want to be dealing with.<br />
<br />
<br />
In this situation it's a good idea to pre-provision OneDrive to improve the user experience and reduce the number of hands in the air.<br />
<br />
First create a list of student accounts and save it as a file. For example a text file named <b>users.txt </b>that contains:<br />
<br />
student1@myschool.net<br />
student2@myschool.net<br />
student3@myschool.net<br />
<br />
Next run the PowerShell command <b>Request-SPOPersonalSite</b> referencing the file you created.<br />
<br />
<pre>
# Requires the SharePoint Online Management Shell module and an admin connection first, e.g.
# Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   (<tenant> is a placeholder)
$users = Get-Content -Path "C:\users.txt"
Request-SPOPersonalSite -UserEmails $users
</pre>
<br />
That will kick off a background task to create the site for all accounts. If you are pre-provisioning OneDrive for a whole year group it might take up to 24 hours for the OneDrive locations to be created, so be patient or plan ahead.<br />
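For a whole year group the single command above needs a little scaffolding. The script below is an added example, not the post's own command: it connects to the tenant, cleans the address list, submits it in batches that stay within the cmdlet's limit of 200 users per call, and afterwards compares the requested list against the personal sites that now exist so you can see what is still pending. The admin URL and the file path are placeholders, and the final comparison assumes Get-SPOSite reports each personal site's Owner as the user's sign-in address.<br />

```powershell
# Pre-provision OneDrive in batches (added example; not the post's own command).
# Placeholders: the admin URL and the user list path are assumptions for this example.
$AdminUrl  = 'https://<tenant>-admin.sharepoint.com'   # replace <tenant> with your tenant name
$UserFile  = 'C:\users.txt'
$BatchSize = 200   # maximum number of users Request-SPOPersonalSite accepts per call

# Needs the SharePoint Online Management Shell module; prompts for admin credentials.
Connect-SPOService -Url $AdminUrl

# Read the list, trim whitespace, keep only well-formed addresses and drop duplicates.
$users = @(Get-Content -Path $UserFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^[^@\s]+@[^@\s]+\.[^@\s]+$' } |
    Sort-Object -Unique)

if ($users.Count -eq 0) { throw "No valid addresses found in $UserFile" }

# Submit in batches; -NoWait lets the service queue the work and returns immediately.
for ($i = 0; $i -lt $users.Count; $i += $BatchSize) {
    $last  = [math]::Min($i + $BatchSize, $users.Count) - 1
    $batch = @($users[$i..$last])
    Request-SPOPersonalSite -UserEmails $batch -NoWait
    Write-Output ("Requested {0} personal sites (entries {1}-{2})" -f $batch.Count, $i, $last)
}

# Run this part later to see what has been created. Assumes the Owner property of a
# personal site, as returned by Get-SPOSite, is the user's sign-in address.
$existing = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Select-Object -ExpandProperty Owner
$pending = @($users | Where-Object { $existing -notcontains $_ })
Write-Output ("{0} of {1} requested users still have no OneDrive site" -f $pending.Count, $users.Count)
```

Because provisioning is asynchronous, run the last part again the next day; once the pending count reaches zero the year group is ready for the first lesson.<br />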
<br /></div>