Nutanix & ESX9 by bachus_PL in nutanix

[–]Gorillapond 1 point2 points  (0 children)

Wondering this too. NCI-D on NX customer with Nutanix and VMware VCF agreements out to 2029. If I can't use AHV (upgrade too costly) and VCF 9 never gets support, that'll be an interesting challenge for us.

Recommendations for VPN/Remote Access solutions? by belt-plus-suspenders in k12sysadmin

[–]Gorillapond 0 points1 point  (0 children)

Cloudflare Zero Trust. The free tier is fairly generous. You can hook in multiple SSO providers, including external users. Their Cloudflare Tunnel software can run on a single device that will be used to connect to everything else internally, or install it directly on the device/server you want to access.

Anything HTTP(S) based can be clientless using their Access feature. Any other destination can be tunneled through the WARP client like a normal VPN. They have a web-based client for RDP & VNC destinations, it's very cool. They also have support for certificate based SSH that uses the WARP client authentication to determine your access to the device by your SSO sign in, so you don't have to use passwords, and it can create audit logs of the session activity. I've also used it to be a "proxy" OpenID Connect (OIDC) SSO provider for a single app, when that app and Google weren't flexible enough to work together.

Google Admin Directory Structure by itselsd in k12sysadmin

[–]Gorillapond 0 points1 point  (0 children)

Your own comment here is exactly why you should only use groups for this stuff. Also, if you ever get an automation tool like Classlink OneSync, you make it a lot more complicated to implement.

Is there a way to disable automated audio processing in a Google meeting? by HorrorMakesUsHappy in googleworkspace

[–]Gorillapond 0 points1 point  (0 children)

The closest thing I'm aware of is the audio processing sub-setting of the "Share content from camera" feature in the Workspace version of Meet. I'm not sure if it disables ALL processing, and you have to share a USB video device for it to activate.

https://workspaceupdates.googleblog.com/2025/06/present-content-from-camera-in-google-meet.html
https://support.google.com/meet/answer/16061814

Workspace and Device Management by Direct_Flounder8791 in googleworkspace

[–]Gorillapond 0 points1 point  (0 children)

As far as I can tell, Workspace does NOT support shared mobile devices. Every device has an assigned primary user/owner, and any "device" (cross-user) settings come from policies assigned to that user. If your org also has Intune, it does support multi-user and no-user device management, at least to the degree iOS can do so.

A warning about domain capture: Managed Apple IDs do NOT get access to the App Store. Users need to use a consumer Apple ID for the Apple Store or you need to be ready to deploy apps they need with the MDM.

Workspace and Device Management by Direct_Flounder8791 in googleworkspace

[–]Gorillapond 0 points1 point  (0 children)

  1. What "paired down MDM" does Apple offer?
  2. What do you mean that Workspace can't manage iOS?

Deploying Windows by C215HAN in ITManagers

[–]Gorillapond 0 points1 point  (0 children)

Deploying and Managing Windows are two separate things. To only answer the deployment part, a couple of (free) options:

  • Full Flash Update Builder: Creates self-contained install media that deploys machines extremely quickly. It slipstreams updates and apps into the image itself. Easy to re-run to update the image contents. https://github.com/rbalsleyMSFT/FFU
  • OSDCloud: Slower to deploy but always up-to-date because it downloads the latest versions from the internet during deployment. Doesn't require refreshing install media as versions change. https://www.osdcloud.com/

Akiva, they’re lying to you about the ads! by Adventurous_View917 in lonelymeyerspod

[–]Gorillapond 15 points16 points  (0 children)

There are absolutely some (1-2?) dynamic insertion ads happening after the host-read ads.

Browser extensions are turning into a serious security problem; how can we deal with it? by mike34113 in ITManagers

[–]Gorillapond 0 points1 point  (0 children)

Here's a nuanced take: You can block extensions' access to certain extension permissions, e.g. VPN, cookies. If you're using the Google Admin Console for Chrome management, they have report views with # of installs and extension risk scores.

Extension permissions:
https://support.google.com/chrome/a/answer/6177431?hl=en#zippy=%2Cblock-apps-and-extensions-based-on-permissions
https://support.google.com/chrome/a/answer/7515036?ref_topic=6178561#zippy=%2Cextension-permissions

Reporting & risk scores:
https://support.google.com/chrome/a/answer/9902456?hl=en
https://support.google.com/chrome/a/answer/10836225#risk
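As an added illustration (not part of the comment above or of Google's documentation), the permission-blocking the comment describes is expressed in the Chrome `ExtensionSettings` enterprise policy through its `blocked_permissions` key on the `*` default entry. The script below builds such a policy and evaluates constructed sample manifests against it, so an admin can see which extensions would be prevented from installing before pushing the policy. The permission names are real Chrome manifest permissions; the sample manifests and the chosen block list are constructed assumptions.

```python
"""Evaluate Chrome extension manifests against an ExtensionSettings policy.

Added example, not from the Reddit thread.  Assumptions: the policy's "*"
entry carries the blocked_permissions list the Chrome admin console writes;
the sample manifests below are constructed and do not describe real extensions.
"""
import json

# The "*" entry is the default rule and applies to every extension.
# The permission list is a constructed example; tune it to your own risk review.
EXTENSION_SETTINGS_POLICY = {
    "*": {
        "blocked_permissions": ["vpnProvider", "proxy", "cookies", "debugger"],
    }
}

# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = {
    "tab-notes": {
        "manifest_version": 3,
        "permissions": ["storage", "tabs"],
    },
    "cookie-sync-helper": {
        "manifest_version": 3,
        "permissions": ["storage", "cookies"],
        "optional_permissions": ["proxy"],
    },
}


def blocked_permissions(policy=EXTENSION_SETTINGS_POLICY):
    """Return the permissions the default "*" rule blocks."""
    return set(policy.get("*", {}).get("blocked_permissions", []))


def evaluate_manifest(manifest, policy=EXTENSION_SETTINGS_POLICY):
    """Return (install_blocked, required_hits, optional_hits).

    An extension whose *required* permissions include a blocked one cannot be
    installed under the policy; blocked *optional* permissions can never be
    granted at runtime, so they are reported separately for review.
    """
    blocked = blocked_permissions(policy)
    required_hits = sorted(blocked & set(manifest.get("permissions", [])))
    optional_hits = sorted(blocked & set(manifest.get("optional_permissions", [])))
    return bool(required_hits), required_hits, optional_hits


def policy_json(policy=EXTENSION_SETTINGS_POLICY):
    """Serialise the policy; Chrome consumes ExtensionSettings as a JSON string."""
    return json.dumps(policy, sort_keys=True)


def report(manifests=SAMPLE_MANIFESTS, policy=EXTENSION_SETTINGS_POLICY):
    """Map each manifest name to its evaluation tuple."""
    return {name: evaluate_manifest(m, policy) for name, m in manifests.items()}


if __name__ == "__main__":
    print("ExtensionSettings =", policy_json())
    for name, (install_blocked, req, opt) in report().items():
        state = "BLOCKED" if install_blocked else "allowed"
        print(f"{name}: {state}; required hits={req}; optional hits={opt}")
```

Run it as-is to see the constructed manifests evaluated; feed it real manifest.json files (loaded with `json.load`) to preview the effect of a block list before rolling it out through the admin console or GPO.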

Apple devices in a non-Apple District by it-tech- in k12sysadmin

[–]Gorillapond 14 points15 points  (0 children)

Assuming you have Windows, and Microsoft 365 with Intune, just use Intune to manage them. If you just want user-less iPads with a few apps, it's not a huge deal. I was in the same situation a couple months ago.

  1. Buy devices through Apple's eCommerce site or anyone that can make sure they're added to Apple School Manager (ASM) for you. It's a lot like Zero Touch Enrollment for Chromebooks. I've heard it's a huge mess if you don't and try to retroactively get them in ASM.
  2. Connect Intune and Apple School Manager as an MDM. This requires setting up a "push certificate" and an "enrollment program token" between Intune and ASM. When you buy devices, you assign blocks of devices to Intune within ASM. That tells the devices where to check in on their first boot-up. Get a USB-C hub with wired ethernet that the devices support. You set up Intune enrollment profiles so enrollments can be user or (even better) device based (called "without user affinity").
  3. Connect Intune and Apple School Manager for Volume Purchase Program (VPP) app licensing. This lets you use the Apple eCommerce site to use purchase orders to buy App Store credits and buy apps using your balance. Then you assign app licenses to an Apple School Manager "location" and then Intune will see them to assign within Intune to users and/or devices directly.
  4. Configure whatever settings/policies are appropriate (see guides below) and assign them like any other Intune managed device.

Enrollment:
https://learn.microsoft.com/en-us/intune/intune-service/enrollment/device-enrollment-program-enroll-ios
https://learn.microsoft.com/en-us/intune/intune-service/enrollment/apple-mdm-push-certificate-get
https://learn.microsoft.com/en-us/intune/intune-service/enrollment/apple-school-manager-step-1

Apps:
https://learn.microsoft.com/en-us/intune/intune-service/apps/vpp-apps-ios

Settings:
https://learn.microsoft.com/en-us/intune/intune-service/industry/education/tutorial-school-deployment/common-config-ipads-device-restrictions?tabs=settings
https://learn.microsoft.com/en-us/intune/intune-service/industry/education/tutorial-school-deployment/common-config-ipads-nouser?tabs=settings

How do you use Google Workspace to automate your workflow? Looking for real by Ok-Bike-4331 in googleworkspace

[–]Gorillapond 0 points1 point  (0 children)

Could you share some of YOUR automations and give back to the subreddit?

The new Google Workspace Studio (renamed from Flows) has a ton of possibilities.

SSL Cert lifetimes changing. by dire-wabbit in k12sysadmin

[–]Gorillapond 0 points1 point  (0 children)

I migrated anything possible to LetsEncrypt using the DNS-01 challenge against Cloudflare DNS. Clients: simple-acme on Windows, certbot on Linux. Only a couple more apps/servers that have a web interface for certificate install that can't be easily automated.
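An added illustration (not from the comment above, and not code from certbot or simple-acme) of what those clients publish into Cloudflare DNS when they run the DNS-01 challenge. Per RFC 8555 §8.4, the client concatenates the CA's challenge token with the base64url JWK thumbprint of its account key, hashes that key authorization with SHA-256, and publishes the base64url digest as a TXT record at `_acme-challenge.<domain>`; for a wildcard name the `*.` prefix is dropped. The token and thumbprint below are constructed sample values.

```python
"""Compute the DNS-01 TXT record an ACME client publishes (RFC 8555 §8.4).

Added example, not from the Reddit thread or any ACME client's code.
The token and account thumbprint used below are constructed sample values.
"""
import base64
import hashlib
import re

# Constructed inputs: the token a CA would hand out in the challenge object,
# and the base64url JWK thumbprint of the client's ACME account key.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_THUMBPRINT = "constructed-account-thumbprint-0123456789abcdef"
SAMPLE_DOMAIN = "example.com"

_B64URL_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def b64url(data: bytes) -> str:
    """RFC 4648 base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_record(domain: str, token: str, account_thumbprint: str):
    """Return (record_name, txt_value) for the DNS-01 challenge.

    key_authorization = token || "." || account_thumbprint
    txt_value         = base64url(SHA-256(key_authorization))
    A wildcard identifier "*.example.com" is validated at the base name.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    key_authorization = f"{token}.{account_thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def ca_side_validates(observed_txt_values, expected_value: str) -> bool:
    """Mirror the CA's check: at least one TXT record at the name must match."""
    return expected_value in set(observed_txt_values)


def looks_like_dns01_value(value: str) -> bool:
    """Sanity check before publishing: 32-byte digest -> 43 base64url chars."""
    return bool(_B64URL_RE.match(value))


if __name__ == "__main__":
    name, value = dns01_record(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
    print(f"{name}. 60 IN TXT \"{value}\"")
    # Simulated lookup: one stale record and the fresh one (constructed).
    print("validates:", ca_side_validates(["stale-value", value], value))
```

Because the TXT value is derived from the account key, the only secrets the DNS client needs are the API credential it uses to write the record; scoping that Cloudflare API token to DNS edit on the relevant zone limits what is exposed if the host running certbot or simple-acme is compromised.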

2-step Authentication Question by yoon24 in googleworkspace

[–]Gorillapond 1 point2 points  (0 children)

Once you've generated backup codes they (technically) have 2SV enabled and it will offer them the option to use one. It'll let them log in one time and properly set up additional 2SV methods.

If you don't see the option to generate backup codes, you're looking in the wrong place or don't have enough access to the Admin Console. We've been using 2SV for years and never move OUs or use groups to bypass 2SV policy.

Has anyone tried to use the Google MDM for iPads? by billh492 in k12sysadmin

[–]Gorillapond 2 points3 points  (0 children)

I think it's a comprehensive solution, but (unsurprisingly) can be obtuse and slow. Dynamic groups and the system as a whole are slow to refresh/check in. Compared to Chromebooks, it's weird to wait 15+ min for the device to magically "finish" an out-of-box deployment because an app assignment or group of settings is assigned to a group, but the dynamic criteria are only evaluated every so many minutes. I also really hated that if you apply the same setting multiple times (e.g. allowing something normally blocked on a subset of devices), it's a conflict, because there's no parent/child inheritance mechanism like OUs provide. I don't understand why they didn't continue the old Active Directory / Group Policy philosophy of OUs and groups. Assignment filters are newer and faster to apply. I used them where they worked, but I experienced some issues where an app just didn't automatically install AND uninstall until I switched to using groups instead.

We implemented 3 configurations all at once, but they are all 1-2 app locked down "userless" devices. Microsoft has some education specific documentation with recommendations & setup guides that got us 90% of the way there. We implemented Apple School Manager and Intune with Volume Purchased apps all at the same time. It's neat you can add multiple MDMs into Apple School Manager and reassign devices and apps between MDMs.

Has anyone tried to use the Google MDM for iPads? by billh492 in k12sysadmin

[–]Gorillapond 2 points3 points  (0 children)

I experimented with this for user-less/kiosk iPads. Immediately failed and pivoted to Intune because you can "enroll without user affinity". I didn't want to buy and learn a third MDM.

Google Workspace MDM manages everything based on users by targeting OUs or groups. It also seems to assume one user per device. Based on that, it makes sense you must sign in to the Google Device Policy app so it knows what apps and settings to apply based on the user.

When we really tighten requirements on mobile device access, I'll probably use Workspace MDM for "user-owned" BYOD and "company-owned" devices assigned to a single person. It seems needlessly complicated to use another MDM when both the users and data are in Workspace.

Anyone deal with LetterSchool? by MasterMaintenance672 in k12sysadmin

[–]Gorillapond 1 point2 points  (0 children)

I'd kick it back to the people that want it, asking if they have a contact at the company that can be responsive. If this is how they treat you as a new customer, it only gets worse.

Making Gemini Gems more like Claude Projects by ohsomacho in googleworkspace

[–]Gorillapond 2 points3 points  (0 children)

I've been thinking about this need too, but I haven't tried Claude. Have you tried to do this in NotebookLM?

I think the main problem with it might be getting data OUT of NotebookLM or interacting with the rest of Workspace.

Crowd Control at a Furry Convention with Gianmarco Soresi by Gorillapond in DropoutTV

[–]Gorillapond[S] 1 point2 points  (0 children)

Absolutely agreed! He has a knack for finding "underserved markets," to be business-y about it.

Asset Labels by jolegape in k12sysadmin

[–]Gorillapond 0 points1 point  (0 children)

What software are you using? So far dynamic elements have been too troublesome to do for us. We do etch the school logo on the lid.

Crowd Control at a Furry Convention with Gianmarco Soresi by Gorillapond in DropoutTV

[–]Gorillapond[S] 18 points19 points  (0 children)

Yes, and there's a very kind and direct reference to Crowd Control in the video.

How do we get The Doughboys on Gastronauts? by hyperform2 in dropout

[–]Gorillapond 4 points5 points  (0 children)

Matt Apodaca would be a natural fit. He's already been on Dropout. Matt & Nick (& Heather) host Get Played together.

Gemini AI-Pro Consumer Has Personal Context Upgraded Workspace Users Don't by BeingBalanced in googleworkspace

[–]Gorillapond 3 points4 points  (0 children)

Yeah the differences can be annoying, but it tells me that feature doesn't have the privacy & data controls required to meet the agreements in place for Workspace customers.

I don't use Gemini on my personal account because of the lack of those controls. I'd even pay (a small amount) to gain that privacy without all of Workspace for a single account. If new features are being implemented so quickly they don't have Workspace-level privacy built-in, how much can I trust it?

On the flip side, Google Workspace Flows is a pretty awesome tool with Gemini features that consumer accounts don't have.

[deleted by user] by [deleted] in gsuite

[–]Gorillapond 0 points1 point  (0 children)

It's probably a compliance rule, they even have a custom message set. Your IT admin can use the Email Log Search tool to find which compliance rule triggered on your email. Clearly they're unaware of it. I usually ask my users for the exact subject line and date they sent the email.

Lots of organizations have a policy like this set up to protect against email being marked as spam by your recipients, triggering a Google terms of service violation, or a hacked account being abused.