17
Reddit’s r_k12sysadmin Credits: @r_channels @reddit2telegram
Chromebook monitoring services
My school is nearing the end of our Blocksi contract. No major issues, good customer service and support. But looking at quotes for the next contract. I have quotes from Blocksi, Go Guardian, and Securly. Any other companies I should be looking at? Does anyone have any feedback for Go Guardian or Securly? Good or bad welcome.
https://redd.it/1r45v15
@r_k12sysadmin
Google Workspace / GoDaddy Forwarding Not staying
Hi,
I've been having too re-updating my DNS 301 forwarding for my Google Workspace domain every few weeks or so.
Instead of forwarding from domain1.com \-> domain2.com, it is going to domain1.com/lander. When I update the DNS it saves for a few days. until it goes back to the /lander
Any ideas on how to make this save?
Thanks!
https://preview.redd.it/lvc94ntn6jig1.png?width=1680&format=png&auto=webp&s=3b99078eb0017a4146f5b2e7abe0ccd5fb071035
https://redd.it/1r0g20v
@r_k12sysadmin
Destiny timeout issues?
Hello,
In the past week or so, we've received several complaints that Destiny (follettdestiny.com) has started timing out sooner than usual. The timeout is set to 480 minutes for librarians and 30 minutes for the Tech Dept. People have reported that using a different browser doesn't help. A tech got signed out after about 10 minutes when using Edge, for example. Anyone else experience this? Destiny support hasn't been much help.
https://redd.it/1r0567s
@r_k12sysadmin
Student BYOD schools - How are you dealing with AI?
What are some of the biggest changes you had to make in response to AI?
https://redd.it/1qzivlh
@r_k12sysadmin
Google SAML Certificate Renewal (200day/47day)
Hey all,
So I have been combing through various systems in preperation for this change. One thing I guess I have overlooked until this moment is that the SAML certs for google will also fall under the 200 day, and 47 day renewal cycle.
At this time, nearly every single application we have uses this certificate. Perhaps I don't fully understand the hierachy but I assume even if we automated Googles renewal of the SAML base cert, that I would then need to load that new certificate into every single downstream app.
That is essentially impossible, especially given the shortened timelines. Right now we do it every 3 years and that is already a hurdle for timing etc.
Am I missing something here? Seems like I need to start having some discussions with various vendors on how they might approach tackling this issue with us. Right now it is always a painful upload process with each companies tech support as very few of the apps even have forward facing SSO/SAML setup. Aside from clever, Incident IQ, and maybe one other I am missing at the moment.
I am really hoping I missed some key take away where this will not impact us haha
https://redd.it/1qxxjlz
@r_k12sysadmin
How we blocked Google AI Mode on student Chromebooks
Well, we did it... I think?
I spent the majority of the afternoon in the Admin Console and I think we have successfully blocked the AI Mode and Overviews in Chrome and Google Search for our Lower and Middle School students. I saw other posts in my research, so thought I'd share what we did:
In the Admin Console:
Turned off every AI option available in User & Browser Settings
Search terms I used to find the settings were "AI mode", "generative AI", and "Gemini"
Under Generative AI, made sure all features for the Gemini app and Gemini for Workspace were turned off
Force installed this extension to student chromebooks. There seems to be oodles of similar extensions, but this was one of the first I tried and it worked, plus it's free (for now at least)
I also know [xfanatical](https://xfanatical.com/blog/how-to-block-ai-mode-in-google-search/) is an option, but we thought we'd try the extensions before buying that
In Lightspeed
Blocked https://www.google.com/search?udm=50&aep=11, as even after we completed the above steps, students could still Google "Google's AI mode" and access the above URL
My colleagues and I tested with several different student OUs and it appears to work.
If anyone else has had success with other methods, please share. I'd love to be in a place where students can successfully use the integrated AI features on a chromebook, but we just aren't there yet.
https://redd.it/1qxuyei
@r_k12sysadmin
Dual Google Tenants, Students Can't Access External Google Sites
Hi all,
To make a long story short, my district adopted Google Workspace before there was the ability to have multiple domains in a single tenant, so we had to create one for students and one for staff, as they have different email domains. This will be resolved this summer when we move all student accounts into the staff tenant. But, at the moment, it's been hell on earth to deal with the miscellaneous issues that spring up due to the need for restrictions on the student accounts.
We (unfortunately) allow Google Sites (at least for the time being), and some of our teachers utilize Google Sites created by other teachers out on the web for their lessons. At the current moment, if a student tries to access one of those sites from outside of our domains, they get a 404 error. However, staff accounts can see it fine. On the flipside, student-created sites cannot be accessed by staff accounts, giving a 404 error as well, despite it obviously existing. Even my admin account within the student tenant can't see all student sites and I get the 404 error as well.
I'm not entirely sure what setting is causing this or what needs changed, or if there is any way to add exclusions to those external sites, but has anyone else encountered anything like this? I wish that managing Google Sites was similar to managing Msoft SharePoint sites, because at least I can see everything that exists on the tenant. Sites sucks. Thanks in advance.
https://redd.it/1qxlf2v
@r_k12sysadmin
ViewSonic vCast vs AirSync
Our district uses ViewSonic Viewboards. For the past few years we have had the teachers using vCast as the video casting solution. Now that AirSync is available we are trying to decided what to use going forward. Is ViewSonic planning on continuing support for both applications? How has peoples experience been with Airsync? Thank You
https://redd.it/1qxmjl2
@r_k12sysadmin
Fortinet/forticlient Wifi Issues
I'm losing my mind over in my district with wifi cutting in and out for all my staff members. My networking teams says it's the device itself, but I think it's the Forticlient agent installed on staff devices doing something with the wireless nic. I've installed the latest intel driver, reset wifi drivers/deleted them, I've ran the Lenovo System Update and still can't figure out this issue. I honestly think it's the Forticlient agent but the networking team doesn't. I've tried all kinds of things and still wifi issues for staff. Students originally had this problem, but the networking team created an open network filtered by MAC address for students. So, students no longer have the issue. I've honestly no idea what to try and the networking team is to hard headed that they don't believe it's the network. It doesn't help that the networking team doesn't really know what they're doing half the time, so troubleshooting with them won't work. They always respond with the following: "Put the device on intune, install latest intel wifi drivers, run all updates, we'll restart the AP." It's like I'm talking to a brick wall because I always confirm all of these actions and they never actually dive into the problem at hand. Any advice or troubleshooting ideas, I would appreciate it. My rant is now over.
https://redd.it/1qxgj09
@r_k12sysadmin
ChatGPT for Teachers fixed
After almost 2 months going back and forth with OpenAI support, we finally were able to claim our workspace and link it to our domain. Now our teachers don't need to verify so we are rolling it out very smoothly.
You're verified and ready to join this is the message they see now. If anyone need help I'm happy to assist because I was so frustrated trying this lol.
https://redd.it/1qxhme7
@r_k12sysadmin
Headphones?
Does anyone know of a brand or model of headphones that stands up to the abuse of K-8 students? I've tried several different brands, including two that are quite rugged, and they just all seem to die faster than we can keep up with.
https://redd.it/1qx01wz
@r_k12sysadmin
Seeking Advice on Hypervisor Migration
Hi K12 Admins,
I am one of the admins at K12, primarily working on infrastructure. Currently, our environment is as follows:
Virtualization: VMware on bare-metal ESXi hosts
Management: vCenter in linked mode (not a full DR setup)
Hosts & VMs: 6 ESXi hosts running a total of 50 VMs
Storage: Pure1 Storage
Backup: Rubrik (no complaints regarding Pure1 or Rubrik)
My main concern is VMware’s recent pricing hikes, which is becoming a significant challenge.
From my perspective as a Linux administrator, I would prefer Proxmox. However, Rubrik does not currently support Proxmox backups, and none of my team members are fully comfortable managing a Linux-based hypervisor. My next consideration is Microsoft Hyper-V, which would be entirely new for me.
We are planning a migration from VMware to another hypervisor solution, and I wanted to reach out to see how other teams are handling this:
What hypervisor solutions are you currently using?
How did you initiate the migration process?
Any lessons learned or suggestions for a smooth transition?
Your guidance and suggestions would be highly appreciated.
Thank you,
https://redd.it/1qwtrnu
@r_k12sysadmin
Sanity Check: Moving Small K-12 District (950 Students) to UniFi Hub & Spoke
Hi everyone,
I’m looking for a sanity check on a proposed network overhaul for our small PK-12 district. Moving away from extreme network due pricing and just not happy with the quality.
We’re moving toward a UniFi-centric hub and spoke model, but I plan on keeping our Fortinet at the edge for the heavy lifting.
The Stats:
• Users: \~950 students, \~150 staff (class sizes capped at 17).
• Structure: 6 sites (1 Hub, 5 Spokes).
• Connectivity: 10G Fiber at Main IDF; Spectrum-owned fiber links to remote sites.
The Architecture:
• The Core: A Fortinet Firewall will handle all DHCP and Content Filtering (CIPA compliance).
• The Gateways: Enterprise Fortress Gateway (EFG) at each site.
• The Switching: Enterprise Campus Aggregation into 3x Pro Max 48 PoE switches per site.
• The Wireless: 12–18 APs per site (choosing between U7 Pro Max or U7-Enterprise).
• Management: Cloud Key Enterprise (hosted at Hub) to manage all 6 sites via Site Manager.
My Specific Questions:
1. DHCP Relay: For those running Fortinet for DHCP with UniFi Gateways/Switches, have you run into any broadcast issues or "DHCP Guarding" headaches within the UniFi OS?
2. Double NAT / Bridge Mode: With the Fortinet handling filtering, are you putting the EFGs in "Shadow Mode" or just passing through? I want the UniFi "single pane of glass" for stats, but I don't want the EFG fighting the Fortinet for traffic inspection.
3. Cloud Key Enterprise: With 6 sites and \~100 APs total, is the Cloud Key Enterprise the right move, or is a self-hosted Linux controller more stable for this hybrid setup?
4. AP Choice: Given the 17-student cap, is the U7-Enterprise overkill? Would the standard U7 Pro suffice, or is the 6GHz performance jump worth the extra spend for future-proofing?
I’d love to hear from anyone running a similar "Forti-Fi" hybrid setup. Thanks!
https://redd.it/1qwqyr9
@r_k12sysadmin
Screencastify and Google Vids
I have a elementary music teacher who has been using Screencastify to record herself singing a song. Recently she's been having issues where the music is drowning her our and the audio for her voice will fluctuate. So far we have tried the following and still having issues.
Different device
Wired mic
Use Google Vids instead
Turn down system audio
The only thing that works is using the built in Microsoft system recorder. Does anyone have any other suggestions? I've attached an example below.
https://reddit.com/link/1qwmwue/video/ewm52g78tohg1/player
https://redd.it/1qwmwue
@r_k12sysadmin
I made an AI copy/paste blocker for Chrome
Hey everyone, I did a thing! My school does allow most AI sites, but the teachers aren't always great at monitoring students or teaching them how to use AI responsibly. I got really tired of seeing kids copy/paste quiz questions or essay prompts into AI, then just copy the answers and paste them into their documents. So I made a little speed bump for that whole process. This is just the first draft of an extension, I just grabbed the most common AI sites that I could think of as well as the wildcard for *.ai, so if there's any sites that it doesn't work on, please let me know and I'll add them. Also, this probably works best when "Hide Google AI Overviews" is added as well, since AI is now forced in Google searches. I figure most of you probably block AI, but for those who are trying to somewhat embrace it, maybe this will help.
https://chromewebstore.google.com/detail/ai-copypaste-blocker/ohdnokamhlhcobcpebkconbepfomicoa
https://redd.it/1quxzsg
@r_k12sysadmin
Camera Controversy and Student Data Privacy!
https://k12techtalkpodcast.com/e/cameras-data-privacy/ and all major podcast platforms
We discuss the 74 reporting that federal immigration agents have been tapping Flock license plate cameras, which leads to broader conversation about school and neighborhood cameras (Ring/Nest/home systems) balancing safety and privacy. We unpack a listener email about how K12 techs should approach student data privacy.
https://www.the74million.org/article/ice-taps-into-school-security-cameras-to-aid-trumps-immigration-crackdown-74-investigation-shows/
https://redd.it/1r4nr1s
@r_k12sysadmin
PaySchools Super Admins
I was doing some auditing of account access in my district when I went into our payschools system and noticed that there were over 25 users with super admin access and all of them external to the district.
Apparently whenever a service call is placed for Payschools they just go into your system and give themselves super admin access and never remove it.
wanted to get a heads up for fellow districts to go through and make sure, some of this data is incredibly private in dealing with payments. As well as a connection to our sis.
I contacted them about this issue and they just said to provide a list of users we want removed. I have a feeling this is just going to keep being an issue.
https://redd.it/1r0beao
@r_k12sysadmin
Solution for about:blank cloacking, EagleCraft and a few other outstanding issues.
I've noticed a large gaps that has been left by Filtering Vendors, Classroom Managers, and Google Themselves.
TLDR: Got annoyed at the lack of help and said screw it, I'll do it myself. Made an extension for other people to use if you want.
I'm sure many of you have seen have gotten complaints that your teachers can't see when students are on game sites (or other inappropriate content) with GoGuardian, Securly, or Hapara's classroom managers. A few years ago when I looked into it for the first time, I found the kids were using self hosted / Google sites they controlled, to open a new tab to an about:blank page, and then load that tab with an iframe element to essentially load another site. Tabs with about:blank are considered protected by Google Chrome, so extensions have limited permissions to them compared to others. Once somebody's older brother realized this, they realized they could open various sites in this protected tab, without observation by teaching staff, and without any logs being written to the history file of the device.
Games like eagle craft (Minecraft compiled for the web with WASM), can be saved as an offline HTML file. Something that is also invisible to classroom mangers, and does not appear in the history file. This has also been a nuisance. As I'm sure many of you have learned, blocking file://* in the admin console can be a bad idea.
After getting ignored by Google to make it easier for filtering vendors to get to these tabs for a couple years, I asked ours to get to work on it, it's supposedly in progress and taking too long. I made my own as a stop gap, and share it with others who might also be tired of dealing with complaints.
Essentially it works by looking at the URL of a newly opened / opening tab, if it matches a regex pattern you provide in the policy JSON, it will close the tab without warning. Angering students to no end.
Overrides to the tab closure can be entered in the policy JSON as well. Sites like Canvas still use about:blank for pop-ups and file downloads sometimes.
Conceptually, it will work a lot like the chrome URL filtering, but with regex pattern matching so it can actually be useful.
https://chromewebstore.google.com/detail/unsecurley/icohaaiapabbaoohdadjmfccppedkkfm?authuser=0&hl=en&pli=1
https://redd.it/1r040pq
@r_k12sysadmin
Vendor and firewall
Our vendor for our new firewall only gave us limited admin credentials. So far the only thing we think we can do is whitelist/blacklist URL’s. The vendor is under a temporary contract as our MSP too for a few months to test the waters. They have done all the major networking for us for a number of years so they know our network pretty well.
Before this new firewall, our network admin was the only one that had firewall access so the rest of us didn’t even have a chance to learn as he wouldn’t give us accounts. Well he is no longer employed with us and the Palo Alto firewall was coming up for renewal. The renewal price and the price of a new one were about the same so the vendor/MSP told our super what to go with (Fortinet).
I feel like since we’ve paid for this firewall we should have full admin rights to it.
https://redd.it/1qyi2mk
@r_k12sysadmin
How do you collect decommissioned Chromebooks
Curious to hear what other districts are doing. We have inventory of our Chromebooks, and can produce a report of all the ones that need to be replaced, and can bulk disable/deprovision. But how do you actually go about retrieving them? Do you pick through one by one during the summer? Or do you provide a stack of Chromebooks to the building, and let the teachers return the ones that are disabled and swap it out themselves?
https://redd.it/1qxuyc7
@r_k12sysadmin
Google Workspace, DOH and Umbrella
Long story short, I'm trying to get Umbrella to unblock all the dependencies and assets that some middle school educators need for a podcasting elective class for a certain website. We use Cisco Umbrella DNS filtering and while I've added all the top level domains for these podcasting sites as well as their dependencies that show in Chrome Developer mode, the podcasts themselves won't play on a filtered device. I'm working with Cisco support and they're saying that in order for Umbrella to really work as it should, we need to enable DNS over HTTP (called DOH from here on) for our whole org.
I'm a bit surprised as it's been years and we've never had to do this for 99% of the URLs and domains our network touches and we've had Umbrella all the while, so it's weird that this podcasting site requires that. Has anyone else been through this or something similar, or is familiar with enabling DOH in Google Workspace that can shed some light on this? My main hesitation is that I don't want enabling this in Workspace to mess anything up for the hundreds of sites we DO need access to just because we enabled a setting that 6 fairly unimportant sites need. I don't think that will happen, but my director wants me to document this and have a reasonable assurance it's a safe move.
https://redd.it/1qxsmb4
@r_k12sysadmin
Backup Internet
Those of you that work for larger districts and have multiple Internet connections to your sites, what are you doing? We have 55 fiber connected sites that connect back to two datacenters via AT&T. Each datacenter has their own Internet. DHCP and DNS is centralized. Our single point of failure is the fiber connection to AT&T. If that gets cut or is down, the site loses connection to the rest of the world. We've been testing Starlink at some sites and thst looks promising, but we're struggling with cost doing it district-wide and also providing enough bandwidth for our larger sites (like high schools with 2,700 students).
Just wondering how the architecture looks at districts that have figured this out.
https://redd.it/1qxlgo0
@r_k12sysadmin
NBC interview concerning Google and YouTube in schools
https://k12techtalkpodcast.com/e/google-in-schools-pipeline-or-partnership-%e2%80%94-k%e2%80%9112-tech-talk-ep-249/ and all major podcast platforms
The episode features an interview with Tyler Kingkade, national reporter at NBC News, about his recent reporting on internal Google documents revealed in litigation. Tyler explains how those slide decks describe K12 as a potential “pipeline” of future users and explores tensions around YouTube’s place in classrooms - useful educational content versus algorithmic rabbit holes.
https://www.nbcnews.com/tech/social-media/google-schools-aims-pipeline-future-users-internal-documents-rcna255175
https://redd.it/1qxlfez
@r_k12sysadmin
Replacement USB-C cables for Promethean ActivPanels
Hi all,
Anyone find a compatible, slightly longer, more durable, cheaper alternative to Promethean's $25.00 6ft USB-C cable?
ActivPanel 9-A cable (60W PD)
ActivPanel 9-B cable (100W PD)
I know that not all C cables are created equal, so I figured I'd ask here before I try something. At least 75W PD would be great since our Chromebooks are 65W charging capable. Thanks!
https://redd.it/1qxgur4
@r_k12sysadmin
Google Workspace inbound mail issues after MX cutover from Microsoft 365
Hi all — looking for a sanity check from anyone who’s handled a **student email transition involving Microsoft 365 Exchange Online and Google Workspace Gmail** in a K-12 environment.
**Environment**
* Authoritative public DNS reachable and responding correctly
* **MX currently points to Google Workspace:**
* [`ASPMX.L.GOOGLE.COM`](http://ASPMX.L.GOOGLE.COM) (priority 1)
* [`ALT1.ASPMX.L.GOOGLE.COM`](http://ALT1.ASPMX.L.GOOGLE.COM) (priority 5)
* [`ALT2.ASPMX.L.GOOGLE.COM`](http://ALT2.ASPMX.L.GOOGLE.COM) (priority 5)
* [`ALT3.ASPMX.L.GOOGLE.COM`](http://ALT3.ASPMX.L.GOOGLE.COM) (priority 10)
* [`ALT4.ASPMX.L.GOOGLE.COM`](http://ALT4.ASPMX.L.GOOGLE.COM) (priority 10)
* Exchange Online was configured to **coexist safely with Google** using an **internal-relay-style approach and connectors** in M365 so mailboxes wouldn’t be deleted during the transition by removing domain in M365.
**Current Issue**
* Students **cannot reliably receive external email**, especially from **Gmail senders**
* Some providers (e.g., Yahoo) occasionally work, creating inconsistent behavior
* **Internal mail delivery works normally**
**Confirmed Behavior**
* MX resolution verifies mail is delivered **directly to Google Workspace**
* **Microsoft 365 is no longer in the inbound delivery path**, so Exchange coexistence should not be affecting external mail flow
Has anyone encountered **external Gmail delivery failures even when MX routes directly to Google** after M365 to Gmail cutover?
Even with DNS passing we get this, even after a few days.
https://preview.redd.it/sr1iuejeeshg1.png?width=682&format=png&auto=webp&s=f99ef9cca60809681a623eb5e01372e69e7ee69e
https://redd.it/1qx5vgi
@r_k12sysadmin
Teams Admin
Running into an interesting problem with MSFT Teams. I can't get external users to be allowed to chat while in a Channel.
I've ensured that Guest users can chat (Team Admin > Users > External Users).
The policy that's assigned to me has Meeting Chat on for everyone. (Meeting Policies)
I've added myself (I have a secondary account) to the channel as a guest member too.
Is there another policy I'm missing somewhere?
https://redd.it/1qwoimj
@r_k12sysadmin
AWS Billing Yearly
Hi,
Is there anyway to pay my AWS bill yearly as more of a Pay-As-You go with credits? I am using an EC2 for snipeIT.
Would it be worthing going through a reseller?
Our accounting would just like everything to be combined rather than monthly.
(I am aware of setting up a Savings Plan, but it doesn't cover things like backups, eventbridge pricing).
Thanks.
https://redd.it/1qwp653
@r_k12sysadmin
Data compliance. Where to start?
Hi there all, I am revisiting every nook and cranny in our environment to make sure we update and become complaint for the sake of cyber security insurance. The big elephant in the room is data compliance when it comes to sharing with users outside of our domain. Right now it’s the Wild West for staff; and putting any guard rails will surely cause an uproar. I wanted to see how others have approached this and made changes without rocking the boat too much…I know it comes down to having union and superintendent on board, but I need some type of road map to present them. Thank you and appreciate it the input
https://redd.it/1qwp9a6
@r_k12sysadmin
Intune Bluebook
Curious how others that use Intune for Windows devices are keeping the Bluebook app updated?
I have the new version uploaded to Intune, but I can't find any files in Windows Explorer or the registry with a version number to use for the detection rule. And using the same detection rule as the previous version, Intune never actually pushes the update out because it detects it already.
https://redd.it/1qwlcvk
@r_k12sysadmin
Cybersecurity grant
We have a firewall, endpoint protection, training for employees, monitoring network software and data backups. Looking for ideas for possible ideas for a new cybersecurity grant that I could have overlooked.
Thanks in advance
https://redd.it/1qwjvgh
@r_k12sysadmin
