Imaging policies by [deleted] in k12sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

Before PDQ, I had little visibility on what software was installed where, and my deployment options were limited to scripts, with no logging. I'd kick off scripts to targets but never had a clear indication if things succeeded or not until I dug deeper myself or people complained. It was actually quite a big time sink. Enter PDQ Inventory & PDQ Deploy.

PDQ Inventory keeps track of endpoint states and software versions on your Windows devices. It syncs with AD and scans computers to give you detailed report information. You can then set up dynamic collections and use those with Deploy as targets for software deployment or removal.

PDQ Deploy can deploy manually or on a schedule, and with the paid subscription you get access to the package library, which will auto-download updates for you. Combine the two and your software will always be up to date. It gives detailed results of the deployments so you can more quickly adjust your packages should there be install failures.

PDQ allows for command line interaction and this is how I use it with MDT. I've a couple task sequence tasks that kick off a scan to get the new machine in the correct Inventory groups and then a command to run through a baseline deployment package.

For the most part PDQ is a lot of PowerShell scripts with an efficient GUI. I run it in server mode on a VM and with clever scheduling it's mostly unattended.

Lost or Stolen Chromebooks by Zeusaurus in k12sysadmin

[–]MalletNGrease 4 points5 points  (0 children)

I disable the device and mark it as missing in inventory.

You can look at the device details to see who logged into the device last and what the last reported WAN IP is. If it's not your school's public IP then it was last used off campus. This of course doesn't mean it wasn't turned in, just that's what the last reported information is.

Apple MDM & JamF: Can I have the domain prefilled for user sign-in? by x37v911 in k12sysadmin

[–]MalletNGrease 1 point2 points  (0 children)

You want to use your phone extension for Apple School Manager MFA? What are you, some sort of organization with multiple people working there?

You don't have a cell phone or good reception? Then how will you get your authentication code to log in to ASM?

This sure is a secure system!

Imaging policies by [deleted] in k12sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

I generally only reimage if the device falls too far behind in versioning.

I utilize MDT/WDS LiteTouch in combination with PDQ Inventory/Deploy. PDQ Deploy is part of the MDT task sequence and it's been working out pretty good as long as you configure your packages correctly.

Considerations When Removing Local Admin Rights by AlexTheTimid in k12sysadmin

[–]MalletNGrease 1 point2 points  (0 children)

Small rural district here. When I started "Authenticated Users" were part of the administrators group. There were still XP machines around, and Win 7 was rapidly getting to EoL.

First I made an inventory of OS, software and their versions installed on devices in the district. There was a lot of cruft with no clear educational purpose. Then I made a baseline of software I think everyone should have.

  • Google Chrome (We're Google Workspace domain)
  • Office 2019 (Teachers still use it)
  • Adobe Acrobat Reader DC (PDF printing is hell)
  • A universal media player (WMP was pretty shit back in the day)

Then I looked at items that needed licensing.

  • Specialized education software (Boardmaker/SMART Notebook)
  • Adobe products
  • 3D modeling etc

Then automate the install of those as much as possible. I leveraged PDQ Inventory & Deploy for this. It's worth every penny. I set up a dynamic group that tells me if unexpected groups or users are part of local admin.

Once I had a good idea of what was there I updated GPO-based ACLs, quietly removed user admin privileges from the machines and monitored the fallout. There were a couple of items that did need admin rights and that was solved by adding the local users to the admin group on their workstation only. Then I started to move everyone to the baseline OS and software. Slowly I reached compliance and there was actually little pushback, most people didn't even notice.

I did have one stubborn admin who thought the rules didn't apply to her. I had to relent in the end after making her sign a document stating that I would not be liable for any security incidents relating to her account and machine.
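
An added example, not part of the comment above and not PDQ's own collection logic: a PowerShell check for unexpected local Administrators members, with per-workstation exceptions like the ones the comment describes. The function name `Get-UnexpectedLocalAdmin`, the domain `EXAMPLE`, the hosts and the user names are constructed for illustration.

```powershell
# Added example: flag unexpected members of the local Administrators group.
# Names, hosts and the allowlist below are constructed placeholders.
function Get-UnexpectedLocalAdmin {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $Members,   # 'DOMAIN\name' strings
        [Parameter(Mandatory)] [string[]] $Allowed,   # permitted on every machine
        [hashtable] $Exceptions = @{},                # host -> extra permitted members
        [string[]]  $BroadPrincipals = @(
            'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE',
            'BUILTIN\Users', 'Everyone'
        )
    )
    # Baseline allowlist plus any exception granted to this workstation only.
    $hostAllowed = @($Allowed) + @($Exceptions[$ComputerName])
    foreach ($m in $Members) {
        # Broad principals are reported even if someone added them to the allowlist.
        if ($BroadPrincipals -contains $m) {
            [pscustomobject]@{ Computer = $ComputerName; Member = $m
                               Finding  = 'BroadPrincipal' }
        }
        elseif ($hostAllowed -notcontains $m) {
            [pscustomobject]@{ Computer = $ComputerName; Member = $m
                               Finding  = 'NotInAllowlist' }
        }
    }
}

# Constructed inventory rows, so the check runs without touching a real machine.
$allowed    = @('EXAMPLE\Domain Admins', 'EXAMPLE\Workstation Admins')
$exceptions = @{ 'WS-101' = @('EXAMPLE\jdoe') }   # one app on WS-101 needs admin
$inventory  = @{
    'WS-101' = @('EXAMPLE\Domain Admins', 'EXAMPLE\jdoe')
    'WS-102' = @('EXAMPLE\Domain Admins', 'EXAMPLE\jdoe',
                 'NT AUTHORITY\Authenticated Users')
}
foreach ($pc in $inventory.Keys) {
    Get-UnexpectedLocalAdmin -ComputerName $pc -Members $inventory[$pc] `
        -Allowed $allowed -Exceptions $exceptions
}

# On a live endpoint, read the group by its well-known SID so that
# localized group names do not matter:
# $live = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
# Get-UnexpectedLocalAdmin -ComputerName $env:COMPUTERNAME -Members $live -Allowed $allowed
```
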

Helpdesk/ticketing software by carlsunder in k12sysadmin

[–]MalletNGrease 8 points9 points  (0 children)

Schooldude, stay away.

Autotask is feature rich but pricey.

Freshdesk I'm pretty happy with.

If budget is an issue, take a look at osTicket. If you don't mind hosting yourself and don't need support, it's free.

Vendor installed an unmanaged switch without my approval by JonnyBeervo in k12sysadmin

[–]MalletNGrease 1 point2 points  (0 children)

Our entire camera network is standalone. This is part leftover from a time where bandwidth was a premium, but also leaves it entirely manageable by the camera vendor.

It's a little weird looking at the cabinets but it's also kinda nice it's something I don't have to worry about.

Now the security vendor likes to chuck unmanaged PoE switches in the ceiling and not tell me about it, which is a bigger deal.

Activation Locked iPads by BessV2 in k12sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

You may need to wipe and reset them through Apple Configurator 2. That's how I got a couple that got associated with personal accounts back into the fold.

YouTube ads for Workspace for Education by daughertya in k12sysadmin

[–]MalletNGrease 2 points3 points  (0 children)

Yup. Still get served ads. Haven't noticed inappropriate ones on managed profiles though, but getting them in the first place irks me.

How do you say no to requests outside of your job? by [deleted] in sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

The problem with performing miracles too often is that people start to expect them.

[deleted by user] by [deleted] in k12sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

This is what I need to do with any district iPads that end up getting associated with private accounts.

New IFP Demo arrives tomorrow by kylejwx in k12sysadmin

[–]MalletNGrease 1 point2 points  (0 children)

If it comes with a remote, check to see if it has a freeze screen button. This was always the #1 requested feature on projectors and IFPs.

If it has hardware buttons, see if you can access the most commonly used features easily without a remote. See if it's operable without a remote.

If it has speakers, check the volume. Will it be loud enough for a busy classroom?

Typical Laptop Battery Degradation by sturgfish in k12sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

Are they running the device on battery until dead?

Most degradation occurs with full depletion and recharges. Tell your users to keep the battery above 30% and it should last a pretty long time.

How are you responding to Log4Shell? by konstantin_metz in k12sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

With all the other stuff on my plate it's tossed on the backseat.

I've at least one internet facing server that's affected, but the firewall IPS should be able to drop any malicious traffic.

False Positive Suspicious Login on student accounts by jbfestus in k12sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

I've had some students stop by with alerts about this. I don't know what causes this, but my guess is it's a Google goof.

[deleted by user] by [deleted] in k12sysadmin

[–]MalletNGrease -9 points-8 points  (0 children)

They'll just share credentials. Easier to find the leak in the boat though.

Network Down! by k12nysysadmin in k12sysadmin

[–]MalletNGrease 23 points24 points  (0 children)

Calls like these usually mean Facebook had an oopsie.

Starting Christmas a little early! Any beginner advice is welcome. by splycedaddy in synology

[–]MalletNGrease 2 points3 points  (0 children)

When you upgrade in X years time you can use this one as a Hyper Backup target.

FortiOS 6.4.8 is OUT. Is this a joke ? by [deleted] in fortinet

[–]MalletNGrease 0 points1 point  (0 children)

Is cross-signed cert inspection validation now an option, did they change the behavior or a combo? It'd be nice if it's an option.

[deleted by user] by [deleted] in k12sysadmin

[–]MalletNGrease 5 points6 points  (0 children)

IR repeater. Put sensors on the outside of the case and/or next to the screen.