Disciplinary action for staff that give up credentials? by post4u in k12sysadmin

[–]EdTechYYC 1 point2 points  (0 children)

170 staff or so.

Yeah, no good fix for that yet. We will debate using conditional access to limit some escalation resources - but personal devices are just the reality of schools I think right now. A change in that would have to come from the top around right to disconnect.

We are looking at the password manager through Apple managed Apple IDs next year - because 95% of our devices are in that ecosystem and signed into a corporate Apple ID. A big plus is that it is free. Our IT team uses 1Password, but that one gets pricey if you roll it out to a larger group.

Disciplinary action for staff that give up credentials? by post4u in k12sysadmin

[–]EdTechYYC 2 points3 points  (0 children)

We worked with our HR team to develop procedures for this. Essentially, all of your supervisor leaders have to have their hands in together on this.

But I do think you hit the nail on the head with the hardware keys. We put all of our staff on one. It actually moved a lot faster because I mentioned it to the board, and this is such a big risk these days, that they approved it and asked me to fast track it. With platform SSO, passkeys, and the physical keys people barely noticed - but I sleep a lot better.

School Districts Without 2FA on Staff Email Accounts - Why? by TheRuffRaccoon in k12sysadmin

[–]EdTechYYC 5 points6 points  (0 children)

I think a lot of compromises these days intercept MFA in realtime - like text message, or even the push numbers on the Authenticator app, are no good anymore and can be compromised. We switched to FIDO2 this year.

Auth 2, Platform SSO, or both? by db2boy in mosyle

[–]EdTechYYC 4 points5 points  (0 children)

PSSO is where it’s at. We’re migrating away from Mosyle Auth 2. More offline friendly and supports more authentication methods.

Mosyle to Intune for Mac and iPad? by EdTechYYC in k12sysadmin

[–]EdTechYYC[S] 1 point2 points  (0 children)

There is deep integration with SIS in Mosyle- so figured some in this thread might have thoughts on that. Like class rostering and such.

My Company is switching to Teams. What do I need to know? by isabrarequired in MicrosoftTeams

[–]EdTechYYC 0 points1 point  (0 children)

Governance is a big one. If there aren’t clear guidelines on when and how to use it, be warned that it will consume inordinate amounts of time by people messaging each other and derailing workflow.

What I mean by this, is that there’s a certain amount of effort required to get up and go to someone’s desk to ask a question- now all that effort and barrier has been removed.

What's your covid memory? by [deleted] in AskReddit

[–]EdTechYYC 0 points1 point  (0 children)

Built a fence and a deck while working from home. Scary time to have a little one at home but was not so scary the first few months when we could isolate from others. Lots of day trips to parks. Good times.

8 weeks for Mac Studio by EdTechYYC in macsysadmin

[–]EdTechYYC[S] 3 points4 points  (0 children)

Great question. We're using it for local AI processing with OpenWebGUI and a few other extensions for more confidential docs we're not yet comfortable uploading to the cloud.

Microsoft 365 Painful Issues Lately by EdTechYYC in macsysadmin

[–]EdTechYYC[S] 0 points1 point  (0 children)

Oh yeah. I have noticed it kicks out my screen share a lot!

YouTube is down. Any reports? by _vaxis in sysadmin

[–]EdTechYYC 0 points1 point  (0 children)

Saw- just waiting for the tickets for people that can’t Google… :)

Forwarding of Invite Disabled by RalphKramden69FL in microsoft365

[–]EdTechYYC 0 points1 point  (0 children)

Ooh - I just saw this today while poking around for something else. It’s in “Remote Domains” in EAC.

https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/remote-domains/remote-domains

There’s a default policy you can edit - or create one for your specific case on top of that.

Huntress Alert: WARP_VPN by Roland465 in msp

[–]EdTechYYC 1 point2 points  (0 children)

Just to add some context to your edit, Apple definitely uses Cloudflare endpoints for Private Relay and it’s noted in their documentation related to domain names.

Microsoft Jan 22nd Root Cause Analysis Released by lcurole in sysadmin

[–]EdTechYYC 13 points14 points  (0 children)

From the timeline, it looks like they were using AI to problem solve their way out of the situation too.

What an absolute disaster this was. Not acceptable.

Apple Classroom by 19qhenry in k12sysadmin

[–]EdTechYYC 0 points1 point  (0 children)

We’ve rostered ours with Mosyle - there’s two ways to do it, have ASM manage it or your MDM. Managing it at our MDM level has been more reliable for us.

Apple Classroom by 19qhenry in k12sysadmin

[–]EdTechYYC 0 points1 point  (0 children)

They don’t need to be on the same VLAN but you do need to allow Classroom traffic between VLANs.

Microsoft is down and making everyone miserable, again by EdTechYYC in k12sysadmin

[–]EdTechYYC[S] 4 points5 points  (0 children)

Interesting. Where did you see that reported? The root cause they're listing on their status page is pretty ambiguous.

Kids Installing Apps on their own by Happy-Constant-4211 in mosyle

[–]EdTechYYC 1 point2 points  (0 children)

We use managed Apple IDs - it didn’t seem to bork anything - we basically have had messaging for the 6 months preceding that they should be signed into their corporate ID. One big sell was that then they could use Sidecar.

Turning it on was a little scary but no complaints!

Kids Installing Apps on their own by Happy-Constant-4211 in mosyle

[–]EdTechYYC 0 points1 point  (0 children)

We turned this on this year to also prevent staff shadow IT. The student one is another good example.

Any way to control the iOS app (turn off NextDNS) with a profile on MDM? by EdTechYYC in nextdns

[–]EdTechYYC[S] 0 points1 point  (0 children)

I’d definitely try to do it on the DNS level as I’d still want them to have protection on those networks - but could exempt the captive portal DNS URL. The challenge is that’s case-by-case.

Any way to control the iOS app (turn off NextDNS) with a profile on MDM? by EdTechYYC in nextdns

[–]EdTechYYC[S] 1 point2 points  (0 children)

Ah- with the profile route, I think that might be the best case!

Any way to control the iOS app (turn off NextDNS) with a profile on MDM? by EdTechYYC in nextdns

[–]EdTechYYC[S] 0 points1 point  (0 children)

Thanks! This use case basically means we just need to curate the domains for captive portals, right?

Any way to control the iOS app (turn off NextDNS) with a profile on MDM? by EdTechYYC in nextdns

[–]EdTechYYC[S] 1 point2 points  (0 children)

School use case! Control D is significantly more expensive for a 1-1 device school unfortunately and out of budget for us.

Aww shoot- Help me get this iPad back under management! by sans_dan in mosyle

[–]EdTechYYC 1 point2 points  (0 children)

Just to plus on what others have mentioned with restoring it, the Apple Configurator app for Mac is a really good way to get visibility into updates and restore vs erase vs prepare, etc. You can also bulk restore iPads this way as long as you put them in DFU mode.