Securely sharing documents with board members
I've been tasked with finding a secure way to share information with our board members.
We're a Google shop and board members have BYOD Windows or Mac devices (not my choice, I've been overruled on that) with org-issued email accounts. Docs are shared with them using "view" access via Google. The prior admin would make a list of links on a password-protected page on our school website. For reasons that I can't get into here, but you can probably guess, I have to restructure that and cannot keep the docs on our website any longer.
What I'm hoping to do is:
* Upgrade our Google account so I can set those docs to have CSE (installation of the token on their devices would be a requirement for all board members)
* Create a shared drive that board members are added to
* Create a sub-folder for each monthly meeting
* Teach my superintendent how to restrict users from downloading shared docs
Thoughts on this? How does it compare to what you do/would you recommend we do something else?
https://redd.it/13n2jnc
@r_k12sysadmin
Hiring scenario for y’all. You have two candidates: one with 10 years of experience in a highly technical skillset—but has never worked in K-12; the other has no technical experience of any kind, but has worked in K-12 for 10 years. Who should get paid more?
My district says the latter.
They determine the rate of pay for a new employee on whether they have experience working in K-12.
Even if a candidate is extremely knowledgeable with a very technical skillset, they would start them at base pay for the role, simply because they haven’t worked in K-12.
Let’s put this in context: a custodian—who has never touched a computer in their life, who has 10 years of experience cleaning toilets in elementary schools—would be eligible for a substantially higher rate of pay than a well-qualified, expert candidate with 10 years of technical experience who hasn’t worked in K-12.
HR decides how much to pay them, even though candidates’ salary comes out of the tech department budget.
And the superintendent wonders why we’re unable to hire the best talent, and get stuck with unqualified folks for 20+ years until they retire.
https://redd.it/13mxldi
@r_k12sysadmin
Guest BYOD Onboarding
So it’s 2023. 802.1x for guest BYOD still a slight pain. Onboarding SSID to get the correct certs which connect you to the correct SSID.
Captive portal options that can do redirects to a self serve portal to download correct certs.
What else are you doing for guest that supports EAP-TLS?
We currently use SecureW2 and LOVE it.
Setup:
* SCEP for all macOS, tvOS, iOS (EAP-TLS)
* Pushing certs for Chromebooks (EAP-TLS)
* Guest BYOD with Google Workspace IdP authentication (but requires onboarding SSID) (EAP-TLS)
Would like to drop the onboarding SSID just not sure of ways around it.
What are you doing for guests? - that’s secure
We are pushing really hard to tighten up security in all areas. Zero Trust approach, just rolled out CrowdStrike to all endpoints this week.
https://redd.it/13mbqx9
@r_k12sysadmin
Windows 11 Wireless Miracast PIN prompting
I have a strange issue I'm having a hard time figuring out and wondering if anyone else can point in a direction. On a Windows 11 Education device that is NOT managed by Intune/AzureAD joined I can connect and disconnect repeatedly to a Screenbeam using Miracast (Windows Key + K) and the only time it asks me for a PIN is the first time I connect to it (PIN is static and doesn't change). If I do the same thing on my Intune joined device with the same OS, same drivers it prompts for a PIN every time I connect. I cannot find any policy/profile/security configuration that I have configured or set that seems like it should affect this. Any ideas?
I can confirm that when I just freshly enroll the device and if I hit continue anyway and quickly connect to the device, it works as intended and does not prompt for the PIN every time, so it's not merely the fact it's Azure joined. It has to be a policy or application that is pulling down after the fact which is causing it to prompt every time for a PIN.
*RESOLVED* - There was a setting in the new Screenbeam for "Enable Windows 10 support". For whatever reason, turning that off seems to have fixed it for the Intune managed devices.
https://redd.it/13lwugv
@r_k12sysadmin
Best practices for classroom computers
Hi,
We are in the process of setting up classrooms with one computer each to potentially address semi-presentiality due to covid-19. That is, some students physically present, others connected remotely using Zoom or Google Meet. This is potentially happening in Argentina in a few months when classes start.
I'll be handed a plethora of different types and brands of workstations and laptops, around 45 total. Hopefully 4 different kinds of hardware.
I was initially of the idea of setting something up like FOG to image them using a standard, but after reading a bit more here I might go with WDS/MDT.
However, what do you think are the best practices to set this up? An AD would be required if I wanted to use WDS I think, but what about user management for example? This setup will probably be comprised of shared computers that won't be moving around, so I was thinking of setting up generic restricted users to even auto login. In the end, they will just be used for Zoom or Google Meet.
They will also be just able to connect to the Internet and working in an isolated network with its own AD infrastructure.
Thanks!
https://redd.it/ktdtpe
@r_k12sysadmin
Teachers and education staff in a lot of states will soon be eligible to receive Covid-19 vaccines. IT staff who work in school buildings would most likely be eligible too right?
Sorry I know this is not directly a tech question but I have seen many states say teachers and education staff can be next in line in their lists but nothing about IT workers in schools. I assume we are included in that category? NY state for instance plans to open up 1B this coming Monday which includes teachers and I know other states have similar plans although it might be several weeks to get appointments with limited supply still.
https://redd.it/kte90m
@r_k12sysadmin
Driveline dismissal
Anyone use charterapps' driveline dismissal software? Looking into a new system and would like to hear anyone's feedback. https://charterapps.com/
https://redd.it/ktazb6
@r_k12sysadmin
Chromebook DHCP lookup failed
Hello All,
We have had a recurring issue with Chromebooks. We are 1 to 1, all machines are new this year, HP Chromebook 14a G5. We deployed ~500 or so, and never really had any issues. When suddenly.... Each day, randomly, 10-15 machines would fail to connect, giving the error "DHCP Lookup failed". Now, all these machines were enterprise enrolled, and all connected to this same SSID in order to do that. It doesn't have to be the same machine each day. If you wait like, several hours, they will connect as though nothing was ever wrong. Sometimes, they'll be used in the morning, and then fail to connect after lunch.
Has anyone here seen this behavior? Anyone have any solutions? All Windows machines work perfectly fine.
Extreme (Aerohive APs, running newest stable Extreme code), Windows AD domain running DNS and DHCP. Packet Traces show request for DHCP made and sent, but Chromebooks ignore it. Both Google and HP basically threw their hands up, although I am still working a ticket with Google. It's just impossible to pick which random machine it will happen to, to give them an example.
I'm running out of ideas. HELP!! Please :)
https://redd.it/kt9gdn
@r_k12sysadmin
HP laptop cameras not working
Has anyone else run into this at all? We use HP for our staff devices, but we have seen somewhat frequently where they are not detecting the camera. We have tried everything short of replacing the camera itself, and usually have to end up sending it back to HP.
https://redd.it/kt565o
@r_k12sysadmin
Apple managed ipads - demands staff phone number
So I'm setting up school iPads for students and staff, and I am incredibly frustrated by the online Apple School Manager, which I am using with JAMF School.
Apple School Manager absolutely demands that instructor accounts use a 10 digit phone number to verify their account (USA).
Phone extensions and pause symbols can not be included with this authentication number, so the classroom phone extension won't work for verification.
There is no other option for a non-phone authentication option like a rolling code authenticator.
WTF Apple?
We can not demand that staff have a personal smartphone to identify themselves to use their iPads.
We can't afford to be handing out school-owned phones with subscriptions for staff, solely to authenticate themselves because Apple demands it.
Why should I as the IT network admin have to provide Apple my own personal smartphone number to set up staff accounts for the iPads?
I am seriously inclined to just say Apple can go to hell, I am creating the staff as student accounts that do not require phone authentication in Apple School Manager.
Possibly a second option is to set up a free Google Voice virtual phone number for each staff member.
https://redd.it/kt3h8c
@r_k12sysadmin
What exactly can GoGuardian see
On a Windows computer I have a separate school Chrome account with different extensions from my main one. Can GoGuardian, when it’s being used on my school account, see my entire screen? So if I have like Discord up or something, can the teacher see that, or can they only see the web browser with the extension?
https://redd.it/ksy2t4
@r_k12sysadmin
Problem logging in to Savvas Realize
No idea if this is the right place to ask, but worth a shot:
(I'm a teacher)
For the past few weeks, I've been having issues logging into Savvas's website. I can enter my username and password and get to the next screen (browse/create a class/create an assignment) but when I click browse, I get a spinning loading circle.
Anyone else having an issue? Most teachers in our school don't use the website so no help there. The problem happens in Firefox in both Mac and Windows, and Chrome and Edge for Windows. Just trying to figure out if this is a problem at my end or Savvas's.
https://redd.it/ksuvoa
@r_k12sysadmin
Chromebook Repairs - Bezel Adhesive?
Hey All! This school year we've begun repairing our Chromebook fleet in house. It's been one of the best operational decisions we have made in a long time. We have reduced costs and the turnaround time is way quicker than depot repair.
For screen replacements, most models have an adhesive around the bezel. Sometimes when pulling off the bezel, most of the adhesive gets stuck on the old screen. I have some 3M double sided electronics tape (super thin) that I use to replace it with. It's time consuming scraping off the old and applying the new. Those who do repairs in house - do you replace the adhesive or just put the machine back together as is?
https://redd.it/ksqysa
@r_k12sysadmin
Is Office 365 down for you guys?
I'm having trouble opening Outlook or logging out of Office.com. Anyone else?
https://redd.it/ksqvcy
@r_k12sysadmin
Office 365 installer that doesn't require the user to log in after to authenticate
For the life of me I can't google this properly to get a procedure. Can someone toss me a bone and tell me the proper phrase to search or even a URL to a KB?
Thanks!
My googlefoo is weak today it seems.
https://redd.it/ksfa0u
@r_k12sysadmin
Camera Solution
We have been an Exacq Vision customer since 2013. We can’t afford the move to Verkada.
Currently 250 cameras, 3 servers.
Going to do an Ava/Motorola demo next week.
Would like to be fully cloud.
What are you using?
Any grants you were able to use to help fund the expense?
https://redd.it/13n0vvu
@r_k12sysadmin
Transportation barcode scanning
Good evening,
For those that have to work with the transportation side of things as well, do you guys use a system where students scan a badge when they get on the bus? I'm looking for various leads on a system like this. We currently have Zonar and use their ZPass system, but the previous maintenance lead has since left and it's been moved to tech. It's not a bad system, but they didn't have bar codes on the card so we're having to integrate these RFID cards into other systems (Lunch, Library, and others). The wall we hit is the other systems aren't as flexible and it's causing major issues just keeping everything synced. For instance, Zonar supports unlimited cards per kiddo, but MealMagic we can only use one field (QuickID) and for each new card this has to be updated. The cycle is the kid loses a code...we update everything with a new card...goes to use the old card....no system works except Zonar....update the number again....kid brings a new card again....etc etc. Lots of repeat tickets.
TIA
https://redd.it/13me9bp
@r_k12sysadmin
Web LAPS
Good morning.
Just wondering if anyone here uses Web LAPS? Secure LAPS web portal (weblaps.pro)
I am wondering if it is worth taking a look at so any thoughts or experiences with it would be greatly appreciated.
Thanks
https://redd.it/13lz1ri
@r_k12sysadmin
Windows Configuration Designer help
Got a bunch of new Windows machines I'm trying to provision using Windows Configuration Designer, but I'm at a loss when it comes to assigning names. This is all I get from MS's documentation for the "ComputerName" field: Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer that includes fewer than 15 digits, or using %SERIAL% characters in the name.
There's got to be some way to name them in numerical sequence, right? e.g. "Student1", "Student2", "Student3"...
Started using the "Set up School PCs" app, but gave up and moved to the Configuration Designer. Anybody have experience with this particular app?
https://redd.it/kt9o9g
@r_k12sysadmin
Digital Signage - What cool things are you doing with yours?
We have a fairly robust deployment of BrightSign media players connected to display arrays around our campus all managed by Carousel. I'm looking at what others do with their digital signage systems. For example, our system can integrate CAP Messages meaning if our fire alarm goes off it can send a CAP Message to the signage which triggers a special bulletin or something.
https://redd.it/kt9sox
@r_k12sysadmin
HR Automation in a GSuite environment (small private school ~ 100 employees)?
I've been asked to look into workflow automation and document management solutions to handle things like tax forms, vacation requests, etc.
Preferably (because my head of school is obsessed with Google) something that integrates with G Suite and docs, but I'm interested in other options as well. What do you use for this?
https://redd.it/ktabjd
@r_k12sysadmin
Domain account vs Local accounts
Hello, I just wanted to conduct a poll to see how some districts are set up on Windows laptops. If/when laptops are taken home and out of the building, how do staff members log in compared to how they log in at school?
Edit: apologize for formatting as I am using mobile.
https://redd.it/ktb2v0
@r_k12sysadmin
Use QR codes to automate Chromebook enrollment
I have a dream...
What if we could use QR codes to provide all of the information needed to enroll Chromebooks? I am seeing QR codes now being used in coffee shops to give wifi information to cell phones. QR codes are used to automate the setup of 2FA Authenticator apps. Surely it would be possible, and very doable for a company like Google to implement, to allow sysadmins to generate a QR code that contains all of the values needed to enroll a Chromebook.
It could work like this:
1. Admin generates a QR code that contains the wifi information, EULA acceptance, asset ID, etc and prints the QR code.
2. Chromebook is removed from box and powered on. Admin presses Ctrl-Alt-E to bring up the webcam. Admin positions the QR code so the Chromebook webcam can scan it.
3. Chromebook scans the QR code and takes the information it contains to finish enrolling itself into the organization.
Yes I know there are solutions like Centipede and Go-Box, but they rely on keystroke injection which is slow and finicky. I would love to see a more robust and fast solution like QR codes.
If this sounds handy to you, let's band together and see if we can make this happen. Hit the hamburger in G-Suite and click Send Feedback. Forward onto your colleagues. Reach out to contacts at Google if you have any. Surely this would be doable for them, and would be such a huge timesaver for us. Thanks all.
Very rough draft of how this could work
https://redd.it/kt40lj
@r_k12sysadmin
Chromebook Randomly Switching Tabs
Has anyone else been getting reports of Chromebooks that are just switching to another Chrome tab then back to the tab the user was on, without the user doing anything?
https://redd.it/kt4i0q
@r_k12sysadmin
Google Meet not loading in
We have some older ASUS C300 handed out that no longer will join a Google Meet but instead just stays loading in the "You’ll join in a moment" screen. I’m wondering if it has to do with the new Chrome OS update, but not sure if anyone knows how to resolve this issue.
https://redd.it/kszwa4
@r_k12sysadmin
Chrome Management - Device Off Hours
On our school owned CBs, is it possible to have sign-in restrictions (domain accounts only, no guest mode) also have restrictions based on time? (no logins before 5:00am, no logins after 10:00pm)?
Google Admin device off hours settings looks like I can set "device off hours", but doing so would open up guest mode and logins with accounts outside our domain... kind of the opposite of what I'm looking for. Is there somewhere else I can apply sign-in restrictions based on time?
https://preview.redd.it/ey3bk24o3x961.png?width=761&format=png&auto=webp&s=4793a7bcd6491039bcaeace6b632f94cfef8a97b
https://redd.it/ksdxn6
@r_k12sysadmin
Google Meet PSA: I have the student's OU set to not be able to create Meets, however, a Meet can still be created by the student in a Calendar event
A teacher notified me that a parent found out that a student was in a Meet with another and no staff member. I have the OU set up so that students can only join Meets and not create them. I went into the Meet quality tool and sure enough, I see that two students each created a few Meets that they are organizers on.
I took over those student accounts and used them to try and recreate how they were creating Meets. Going to meet.google.com behaved as expected, only letting them join. So then I tried the only other way I know of to create a Meet, through calendar. I confirmed on three different student accounts in the student OU that a Meet could be made through Calendar in an event.
I contacted Google support and they observed my desktop as I recreated the issue and I sent them the HAR files they asked for.
Support could not recreate the issue on their end so it is something with my org.
Google engineers are working on the issue now and have been great and very communicative with me.
I wanted to give you guys a heads up in case you run into this issue.
I ended up disabling the Calendar app for Students for now, not that they use it anyway. I confirmed that disabling the Calendar app does not interfere with the calendar function in Classroom.
https://redd.it/kstsfx
@r_k12sysadmin
Playback issue for videos stored in Google Drive on Chromebooks
We've seen an issue on our Chromebooks where video files stored in Google Drive lock up when scrubbing forward/backwards but the audio continues. Our workaround has been to tell students to make the video full screen and then exit which seems to fix the issue. Has anyone else seen this and come up with a solution that isn't a workaround?
https://redd.it/ksri56
@r_k12sysadmin
Does anyone know if this is a real or fake drop test?
https://redd.it/ksoyfw
@r_k12sysadmin
Enabling Gmail for Students
Hi all,
Noob looking for suggestions, experiences and wisdom.
Looking for a little help here. I've been tasked with coming up with a plan of action for providing students with district email accounts. In the past we used Gaggle to provide email accounts to high school students for college applications and communication with teachers/staff.
Fast forward, Gaggle no longer provides student emails and our students have been without for a couple years now.
We are a Google Suite district so all staff and students have a Google account already but Gmail is shut off. Students have no email access and teachers/staff are using Exchange email.
* What would your process be to provide students with email in the current already established ecosystem?
* Would it be possible to let the teachers continue using Exchange but activate and set up students to use Gmail? Maybe with a subdomain?
* Would it be worth just moving everyone to Gmail and saying goodbye to Exchange? (Of course we would need to transfer calendars etc. from one to the other if it's even possible)
* What would the process be to activate these Gmail accounts? Connecting MX etc.?
* What are your experiences with Gmail compared to Exchange (for those who made the switch)?
Thanks to all in advance for your help and much appreciation for any information no matter how small!
https://redd.it/ksm2l4
@r_k12sysadmin