17
Reddit’s r_k12sysadmin Credits: @r_channels @reddit2telegram
What did I miss, Looking for a sanity check from the K-12 community
What happened:
A user on a managed Windows 11 device used the built-in camera, then uploaded the resulting file to a web-based chat site that allowed peer-to-peer file transfer. The site was categorized as safe by our web filter. Based on my review, the site never rendered the uploaded file on-page — it just facilitated the transfer between users. Nothing in our stack flagged it.
Environment:
Microsoft 365 A3
Intune-managed Windows 11 endpoints
EDU baseline applied, plus additional hardening (MS Store blocked, no Control Panel, no printer installs, other standard restrictions)
Lightspeed Filter agent deployed via Intune with a fairly restrictive content policy
Lightspeed Classroom monitoring on student machines
90-day web traffic retention
Camera was not blocked prior to the incident — Teams uses it and some classes legitimately require it
What the logs showed:
Nothing flagged beyond routine ad/blocked-category hits. No concerning search terms. The navigation pattern suggests the site was known from outside sources rather than discovered on-network.
Status:
Incident came to light through routine use of the classroom monitoring tool. Legal has been consulted and I have clear direction on investigation and mitigation. Camera access has since been restricted.
Not looking for legal or safeguarding advice — that's handled.
What I'm asking:
What am I missing at the A3 tier? Would A5 / Defender for Endpoint P2 with Web Content Filtering actually have caught this, given the site was being used legitimately by others and was appropriately categorized? My read is no, but I'd like to be wrong.
Is there an Intune control I should have had in place? Specifically for the pattern of "local camera capture → upload via a web app on a categorized-safe site." I don't see a clean technical intercept point at A3 that doesn't either break Teams/legitimate camera use or break general web upload functionality.
For those running 1:1 programs on A3, how are you bridging the gap between URL-category filtering and behavioral detection? The site isn't really the problem — users violating TOS on any chat-enabled platform is the problem. URL categorization can't distinguish "legitimate use" from "TOS-violating use," and I haven't found a detection layer at our licensing tier that addresses this cleanly.
Appreciate any insight from folks who've dealt with similar gaps.
My take, feel free to tell me I'm wrong.
There is only so much tech can do and this highlights why classroom management is critical. If something is not getting flagged I will never know to look. The fact that the teacher that saw.this wasn't even the teacher managing the class highlights the failure of their management. The frequency the students went to this site tells me it happened a lot while in class.
I'm sure I'm going to get destroyed by leadership on Monday, and I doubt they want to hear how a layered approach is needed.
https://redd.it/1soh4kn
@r_k12sysadmin
PowerSchool to LDAP -- Wanting a more Secure Connection
We are a Google free edition school. We are moving over to PowerSchool and I see they want me to connect to the LDAP on my servers. I hate to have this connection because of security. I would really like to have MFA or some other security. I have thought about trying to get the Google Education paid edition because I think it can do MFA/SSO for this application. We have the Microsoft O365 for teachers not students. Looking for ideas and thoughts.
Thanks in advance.
https://redd.it/1snomrp
@r_k12sysadmin
Remote Control software for Windows PC on LAN only
We are currently looking for alternatives for remote control software just from windows pc to windows pc. We have 4 techs that would need to be able to connect to 400 computers on our internal network.
Our existing software Dameware Remote Control just 3x our renewal.
It does not need to be web based or have access when off network.
https://redd.it/1snfwnb
@r_k12sysadmin
Data breach at edtech giant McGraw Hill affects 13.5 million accounts
https://www.bleepingcomputer.com/news/security/data-breach-at-edtech-giant-mcgraw-hill-affects-135-million-accounts/
https://redd.it/1sndn1c
@r_k12sysadmin
Making an "approved" game website list
Greetings all,
I was curious if anyone has a list of "approved" game websites that I could perhaps look over. Getting a little tired of the whack-a-mole in trying to tamp down all the generic game proxy websites and looking towards next year I was hoping to build a list of websites that teachers can allow when students earn free time. I know it won't curb all of the activity but at least trying to provide an incentive to keep students on task.
Obviously actual educational games would be preferred. I know some of my teachers are using sites like Prodigy, Booklet, and Gimkit. IXL has some games that it borrows from ABCYa that I've allowed through. I've recently tentatively allowed Nitrotype via Typing .com .
On the debatably educational to obviously not side of games I know Acceleration City is popular with my students but I know they're just assuming direct control of the car and not actually coding things. Haven't delved into the other games on the CS-STEM site but haven't seen it pop up much outside of Acceleration City.
Stes that don't spam ads would also be ideal but I know that's probably rare these days without coughing up money. Just wish I could make my Linewize Top Blocked widget ignore certain categories so I don't get false positives...
https://redd.it/1sn9ne2
@r_k12sysadmin
Chrome v147 issues
Is anyone else experiencing browsing issues after their users updated from chrome v146 (or older) to v147 on Windows devices?
We have been having issues since last week for about 4 different websites (frontline, classlink, incident iq, eschool). In most cases the page just never loads. Just spins forever.
When we have the user install Firefox instead of chrome the same websites load perfectly fine. If we downgrade chrome to an older version it works fine.
https://redd.it/1sn6d8x
@r_k12sysadmin
Chromebook prices
Anyone willing to share their most recent chromebook prices and where they bought them from? I know we are kind of late in the game. I want to see what people are paying for 11 and/or 14" chromebooks, x86 processor, 8 gb of Ram, non touch. I went to purchase some today and order was canceled. The vendor could no longer honor the pricing from Dell.
I always stick with intel or amd cpus. Anyone go to mediatek and are happy? Any issues or concerns with compatibility?
Most the quotes I got back for the ones with x86 cpus are now over $400 per device. Our last bulk purchase was for some Hp Fortis for around $250 last year.
I was expecting price increases but hoping to keep them under $400.
https://redd.it/1smwhr1
@r_k12sysadmin
Chromebooks and Wifi
Hello all!
I have some Chromebooks that are having issues with speed on our wifi. And I have tested so many things, that I can't narrow down if it's settings on the APs, chromebooks/Google Admin or the limits on the switches with our internet.
Here is some more info:
APs: Extreme Networks, model AP4000; they are located about every other room, maybe 20-25 ft apart.
Chromebooks: Asus CX1400CNA, bought in 2022, Chrome OS version: 132, and on long-term support candidate channel (These are my only Asus, I own mostly Lenovos and HP's) I have about 400 total on site.
Switches are also Extreme, both APs and switches are about 3 years old.
Other info: We are MCA testing right now (MN state testing), with about 90 chromebooks on the network on a different floor. We have 1GB internet coming into the building.
Any settings I can check on the Google Admin side or internet side would be wonderful.
https://redd.it/1sm8rh7
@r_k12sysadmin
Badge maker for staff and students
I have been asked to find a badge maker for students and staff. They would like school info, picture, id #, on front and safety, 988 info on the back. Some one told me about badge pass might be an option. Looking for ideas and thoughts. Do any of these integrate with SIS system?
Thanks in advance
https://redd.it/1slgsji
@r_k12sysadmin
Is your district ready for an AI-powered cyberattack?
The guys discuss the rising AI-driven security risks facing school districts, including convincing deepfake video and voice scams, advanced phishing, and the implications of new AI research such as Anthropic’s Mythos and Project Glasswing.
https://k12techtalkpodcast.com/e/deepfakes-phishing-preparing-k%e2%80%9312-for-ai-powered-cyberattacks/ and all major podcast platforms
https://redd.it/1sl98in
@r_k12sysadmin
Student Email Filter Suggestions?
We're at a point where we can get a web filter for the students. Is there a goto 3rd party company for this? Set and forget would be idea.
https://redd.it/1skfaz9
@r_k12sysadmin
Google AI overview
I have the AI mode blocked with our web filter but the overview still works, does anyone have any idea how to block it. We have a mix of iPads, Windows devices and Chromebooks. Google keeps embedding this into everything making it tough to stay ahead of kids trying to cheat.
I'm using *UDM=50* currently to block AI mode.
https://redd.it/1shy3pn
@r_k12sysadmin
Mac Lab - Network Storage
We have two Mac digital media labs (Mac minis) managed via Addigy with Google Workspace SSO. Outside of these labs, students use Chromebooks almost exclusively, and a sprinkling of Windows labs. A teacher wants network storage so students can access project source files and submit completed work — mostly large video files.
We showed the Mac exclusive teacher that we could easily do this in the Windows computer labs; but he has zero interest in having Windows computers even though they are using Adobe Creative Cloud.
The auth piece is where we're stuck. Addigy's Google SSO creates and keychains to a local macOS user account. I've written a login script that can scrape the student's Google address and domain from the session, but haven't found a good way to leverage that identity to authenticate against a Samba share or NAS. We have no interest in manually maintaining hundreds of student accounts.
Options we've considered:
\- SMB auto-mount via login script — we can identify the user, but what do we actually mount with and authenticate? We tried having it mount a student or staff share based on their domain(student vs staff), but ended up with students able to delete another students uploaded work, or if a substitute logged on they would have read / write access to the files.
\- Synology + Google Secure LDAP — students authenticate with their Google credentials, but we're not sure how well this works in practice for SMB share access. I tried to great a Synology VM on a Proxmox cluster but couldn't get the darn thing to boot to provide a proof of concept.
Really looking for what's worked for others — ideally something that bridges Google identity into NAS/SMB access, leverages Google Groups for permissions, or can be rostered without per-student account management.
Help me, r/k12sysadmin you are my only hope.
https://redd.it/1sh0ayr
@r_k12sysadmin
Fog server help
We're trying to get a FOG imaging process up and going. I've got the FOG server working, and I've created a virtual machine in VirtualBox per the guidelines discussed here:
https://www.ceos3c.com/sysadmin/create-generalized-windows-10-image-deploy-fog-server/
Granted, those guidelines are for Win10, and I'm using a Win11 Pro Tiny ISO as the basis for this project, but the steps have all matched so far.
The FOG client has been installed on the VM as part of those guidelines, and I created a new image on the FOG server in preparation for capture. But when I change the boot settings in the VM to use Network boot as first priority, I don't get the FOG menu to register the device. I get the attached PXE boot screen.
https://preview.redd.it/navf6gylqztg1.png?width=631&format=png&auto=webp&s=d363070491fd173b55ad2d9466e01683ff5e018b
I could successfully ping the FOG server from the VM (before it shut down after running Syprep).
Any ideas as to what I might be missing?
Thanks.
https://redd.it/1sfx9am
@r_k12sysadmin
Clever or ClassLink
We have been using Clever for several years. I have been approached by ClassLink to demo them. Would like some thought of people that used Clever and went to ClassLink or the other way. Thoughts and ideas of platform. I saw where ClassLink cost and Clever is free does anyone a rough cost estimate?
Thanks in advance.
https://redd.it/1sgsft5
@r_k12sysadmin
GoGuardian replacement?
We were looking at KyberGate, but they have some questions about their data, AND sort of ghosted me for a weeek, so...
We're looking at a replacement for GoGuardian. SOmething that has the same functionality (classrooms, teacher blocks/chat), preferably a timed portal to a particular typically banned site rahter than password based. Hoepfully around 8-10$ per studnet (or less.)
What do you use? How quick was it to set up? What do you like? What don't you like? Does it integrate with Classroom? How much per student? Is it an addon, or how is it installed?
Anything else you'd like to add.
https://redd.it/1sobjgu
@r_k12sysadmin
Anyone have any good/bad on Optoma IFPs?
Just curious as to user experience with this brand. We've been mostly Newline, but an opportunity at a good price on some of these has come up and I wanted to get some input on them. . .
https://redd.it/1sn9ssk
@r_k12sysadmin
Bloomz Communication Tool
I did a quick search on the board here and I am not seeing anything recent, There was a post from 4 years ago but I am wondering if anyone is using Blomz as their communication tools. We are currently reviewing and have had webinars with 3 vendors Apptegy which is a no go for us because we do not want to change our website platform and they are a all in one solution so you can not just buy the communication piece.
Then Parent Square which is nice and probably the most common, but they don't have a true mobile app.
The last one which has all the features we want and a Mobile app that can be branded to our school is Bloomz. Bloomz is my choice, because of features, app and pricing but would like some reviews.
Thanks In Advance.
https://redd.it/1sncyx3
@r_k12sysadmin
XCreds
Anyone with any experience using XCreds for Google SSO login for macs? We currently pay for this through Mosyle oneK12, but at almost twice the cost of Premium, and Mosyle's stubborn refusal to allow us to split our subscription (half our sub covers ipads), we're looking into alternatives. (Yes, we're aware Apple has made it easy for a company like Google to provide a native solution; we're not holding our breath.)
For the record, cost issues aside, we've had zero issues with Mosyle's implementation. We're looking for similar reliability in any alternative.
https://redd.it/1sna5mj
@r_k12sysadmin
Apple Business?
I hear that as of a day or so ago, they've made Apple Business free with some MDM functionality. Our district as usual would like to go with the least expensive option -- is this actually available to schools at all? Has anyone tried it or looked into it? Thanks.
https://redd.it/1sn638b
@r_k12sysadmin
On Screen Keyboard
Had a student testing today on a chromebook in kiosk mode. The on screen keyboard appeared and the physical keyboard could no longer be used. Is there a keystroke to set it back. Couldent figure out what was going on.
https://redd.it/1sn3zur
@r_k12sysadmin
SIS - What do you use/recommend
Hi,
We use FACTS for our SIS and it has a lot of custom reports and integrations between Clever, Google, Schoology, etc. We have been thinking about moving to Powerschool (we used it YEARS ago). What do you swear by? We have around 1200 students.
https://redd.it/1smlf83
@r_k12sysadmin
Needing Digital Clocks..?
Today's topic is "Digital Clocks in classrooms"
Context: We had an ancient clock system hardwired to each classroom from a central clock for decades. Then we demolished the building with the master clock and put analog (D-Cell battery) clocks in many rooms. Since then we have installed IP Clock/speakers in may rooms, but not all of them. PoE/Data cables take time and I don't have a glamorous initiative that allows me to ask my boss for $100k for wiring and digital clocks. I've been replacing a dozen clocks or so per year just to keep the project going, but we have 75 classrooms and it will take a while.
Today: I got a ticket from a teacher asking for us to fix the time on the analog clock in their classroom or (better) to replace it with a digital clock. The facities team will put in a battery and set the time. My curiousity is wondering, "Why did the teacher want a digital clock now? Could there be a reason other than wanting new tech like the other classrooms?"
Have we reached a point in time where there are adults who cannot read analog clocks? This was a random concern back when I was a child and digital clocks were new. Crotchety old folks would say things about how kids weren't learning to read analog clocks. I figured that was never going to be a thing, but I'm actually wondering if it is coming true.
Thoughts?
Sincerely,
Young Boomer
https://redd.it/1slkwo9
@r_k12sysadmin
Those of you with Windows desktop labs, what version of Office are you running?
We have been running 2019 Professional for years because they do Certiport testing and 2021 and 2024 weren't supported (as far as I was told). They want to move to 365, but can anyone break down what the licensing looks like for that?
We are a Google school 1:1 with Chromebooks but still maintain a few Desktop labs for classes like this. Would I have to license all users? Right now we do an OVS for Windows 11 and Office licensing. I don't want the kids saving to One Drive since we use Google Drive. Wouldn't it make more sense to just move to LTSC Pro 2024?
https://redd.it/1slc8pm
@r_k12sysadmin
Rostered apps/term change woes
I think this more of a "setting user expectations" issue than something we can actually do anything about, but I was curious what other folks do in situations like this.
Background: In our SIS, Algebra I for example isn't one year-long course. Instead, to allow students scheduling flexibility, it's a series of 3 courses, one for each trimester. T1 might be MAT101, T2: MAT201, T3: MAT301.
The issue: We have dozens of rostered apps in Classlink. We got a ticket from a teacher saying, "All my Newsela assignments are gone." Well, yeah, the T2 section is over, and as far as Classlink and the rostered app are concerned, the T3 section is a completely unrelated course that just happens to have the same teacher and most of the same students. Different apps seem to handle this issue different ways. One app might archive the section, another might delete it, and a third might not even notice the term change at all. This isn't really a question about Newsela - this is just the current example.
The response: We essentially told the user that there's nothing we can do.
Thoughts?
https://redd.it/1skrqrt
@r_k12sysadmin
TeacherMagic Extension - Free AI Prompt Crafting
I'm not sure where everyone is at with products that charge $3 to $4 per student per year to essentially call the OpenAI API with some education flavored prompts slapped on top. I do think they are useful, but they are essentially just prompt crafters. I've thought this for a while, but it dawned on me sitting in some presentations at one of our state wide conferences that I could build a Chrome extension that builds prompts that are just pasted into the major gen AI chatbots (Gemini, ChatGPT, Claude, Copilot).
I've named it TeacherMagic and itt's free. No account, no login, nothing goes to a server, just trying to make it frictionless. We're using it FERPA compliant by architecture, meaning there's nothing to sign a DPA for because there's no data leaving the browser (as always, we can't control what teachers put into these tools).
A lot of those tools are almost certainly running GPT-4o mini or something similarly cost compressed to protect their margins. TeacherMagic allows teachers to generate the prompts and automatically paste them into the webpage, using the latest models available, full stop. No margin pressure, no cost cutting on the intelligence layer.
And here's the thing people miss about better prompts: they consume significantly more tokens. Our prompts are complex, context rich, and structured. Given that it's just copy/paste, I'm not trying to run the cheapest model I can get away with and keeping prompts thin to save on API costs.
The piece I'm most excited about is the Teacher DNA profile. Teachers have their own style, their own frameworks, their own classroom context and generic AI tools ignore all of that. TeacherMagic lets you build a profile covering your grade level, your subjects, your ELL and IEP counts, and your pedagogical frameworks. Marzano, Hattie, UDL, Bloom's, Kagan, Gradual Release, Culturally Responsive Teaching, PBL, Workshop Model, Mastery Based, pick what you actually believe in. That context gets silently injected into every prompt. The teacher never writes context again. Every output sounds like it came from someone who has actually been in their classroom. That profile lives in chrome.storage.local and never touches a server. They can download it as a JSON to back it up.
On localization: some of the others claim 160 countries, which means they translated their buttons. TeacherMagic has 171 countries with actual curriculum depth covering grade structures, exam names like KCSE, NAPLAN, GCSE, and CBSE rather than just "standardized test," grading scales, special ed documentation types, and pedagogical terminology in the native language. There's a meaningful difference between knowing a country exists and knowing what Form 3 means in Kenya. Just a bonus that I spent some "extra" time on spring break adding.
I'm a tech director; I'm not trying to make money on this - just like You Shall Not Pass (which is on 500,000 Chromebooks now btw), which does have a significant update that I'll post about soon - I just want to help our teachers out. And tech directors with budgets like me haha.
https://chromewebstore.google.com/detail/teachermagic-by-jim-tyler/ehekeobckjnflfjpghocjjppghkhmmeh
Happy to answer any IT, privacy, or architecture questions in the comments.
https://redd.it/1skcdu9
@r_k12sysadmin
Transitioning from Active Directory to GCPW
Has anyone moved from Active Directory to Google Credential Provider for accessing Windows machines? We currently have accounts for students in both places that get provisioned automatically by OneSync but are interested in GCPW. Specific questions I have are regarding Windows licensing, implementation changes in OneSync, and GPOs. Any feedback from people who have made this migration would be appreciated.
https://redd.it/1sh060u
@r_k12sysadmin
Edgenuity Graphics not loading sporadically
Anyone Else having issues with edgenuity not loading graphics sporadically? Seems to happen mostly in math lessons/tests. If they refresh it will load. They cant refresh in the test however since they are using proctorio. The graphic always seems to load on the teacher side. This problem just started about a week ago.
https://redd.it/1sg349j
@r_k12sysadmin
Gmail Split or Dual Delivery not working correctly
Google appears to be having an issue where routing mail to another host from the admin console is not working correctly. Logs show mail going to Google (where the MX records point), but then getting hung up when routing to another domain/URL. Result: users that use another email system like O365 are not getting their mail. Google Workspace support has verified it is an issue and are working on a solution.
Edit: There is now an incident on the Google Workspace Status Dashboard: https://www.google.com/appsstatus/dashboard/incidents/224ozRqzW4sFBDK8hLnT
https://redd.it/1sg1fpd
@r_k12sysadmin
Infinite Campus Salesforce Breach Revisit
Read full article here... https://k12techpro.com/infinite-campus-salesforce-breach-revisit/
Last week’s K12 Tech Talk episode featured a debrief of the recent interview with Infinite Campus CEO Charlie Kratsch regarding the company’s Salesforce data breach. As the details of the leak have settled, it has become clear that securing student data is an incredibly difficult problem for K-12 IT leaders to wrap their arms around. While Kratsch received praise for his early transparency, researchers discovered that the leaked data exposed sensitive student information, including an unredacted juvenile arrest record found within an escalated support ticket.
https://redd.it/1sgrjqc
@r_k12sysadmin
