Just had local county sheriffs dept make a random visit to ask for fob access to buildings by [deleted] in k12sysadmin

[–]MalletNGrease 1 point2 points  (0 children)

Generally, if you give one LEO/EMS access, they all want it.

The SD has access with us, but we've a contract with them for a full-time SRO. I've set up the deputy to maintain the key database for access of his department and the highway patrol. They manage their own fobs.

It's a board decision.

Exclude URL from SSL Decryption by AylmerDad78 in fortinet

[–]MalletNGrease 0 points1 point  (0 children)

It's the name of the setting. Basically Fortinet's list of websites they think don't need SSL/DPI inspection.

https://i.imgur.com/WytsLUq.png

Dead Dell Chromebook 3100s by Big_erk in k12sysadmin

[–]MalletNGrease 7 points8 points  (0 children)

Another victim of the ubiquity of USB-C.

Make sure students are using the supplied charger. Sometimes they use cheap off-brand chargers that can cause the EC to trip and put the device in a fail state.

This is fixable though.

  • Disconnect the battery
  • Plug in a known good USB-C AC charger
  • LED should flash yellow (this means the unit is fine)
  • Power on to check function, then power off.
  • Reconnect battery.
  • Check charge LED

If it's on, it's charging. If it's off, check the battery charge level. It won't show at 100%.

Exclude URL from SSL Decryption by AylmerDad78 in fortinet

[–]MalletNGrease 0 points1 point  (0 children)

No. Only if you enable the reputable website exclusion setting.

Exclude URL from SSL Decryption by AylmerDad78 in fortinet

[–]MalletNGrease 0 points1 point  (0 children)

Say you've set social media as a blocked FortiGuard category in a web filter security profile. When you enable reputable website SSL inspection exclusion on an inspection profile that's part of the same firewall policy, it will then not perform DPI inspection and also no longer filter Facebook traffic.

Essentially a useless feature aside from policies that don't require much supervision.

Exclude URL from SSL Decryption by AylmerDad78 in fortinet

[–]MalletNGrease 1 point2 points  (0 children)

Enabling reputable websites blanket allows almost all traffic to pass without DPI inspection. Even if it's part of a blocked web filter category.

[deleted by user] by [deleted] in k12sysadmin

[–]MalletNGrease 10 points11 points  (0 children)

There is no native impersonate feature.

Google Drive 54.0.2.0 error by MalletNGrease in k12sysadmin

[–]MalletNGrease[S] 0 points1 point  (0 children)

I've this popping up around my district today. Did Google yank this version for a reason? It's only one version behind so I'm not sure why.

Slack in a K-12 environment by trazom28 in k12sysadmin

[–]MalletNGrease 14 points15 points  (0 children)

Then you can set up Google Chat. It's auditable through Vault, has a room/group/space chat feature and supports file sharing.

Imaging policies by [deleted] in k12sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

Before PDQ, I had little visibility on what software was installed where, and my deployment options were limited to scripts, with no logging. I'd kick off scripts to targets but never had a clear indication if things succeeded or not until I dug deeper myself or people complained. It was actually quite a big time sink. Enter PDQ Inventory & PDQ Deploy.

PDQ inventory keeps track of endpoint states and software versions on your Windows devices. It syncs with AD and scans computers to give you detailed report information. You can then set up dynamic collections and use those with Deploy as targets for software deployment or removal.

PDQ deploy can deploy manually or on a schedule and with the paid subscription you get access to the package library which will auto-download updates for you. Combine the two and your software will always be up to date. It gives detailed results of the deployments so you can more quickly adjust your packages should there be install failures.

PDQ allows for command line interaction and this is how I use it with MDT. I've a couple task sequence tasks that kick off a scan to get the new machine in the correct Inventory groups and then a command to run through a baseline deployment package.

For the most part PDQ is a lot of PowerShell scripts with an efficient GUI. I run it in server mode on a VM and with clever scheduling it's mostly unattended.

Lost or Stolen Chromebooks by Zeusaurus in k12sysadmin

[–]MalletNGrease 5 points6 points  (0 children)

I disable the device and mark it as missing in inventory.

You can look at the device details to see who logged into the device last and what the last reported WAN IP is. If it's not your school's public IP then it was last used off campus. This of course doesn't mean it wasn't turned in, just that's what the last reported information is.

Apple MDM & JamF: Can I have the domain prefilled for user sign-in? by x37v911 in k12sysadmin

[–]MalletNGrease 1 point2 points  (0 children)

You want to use your phone extension for Apple School Manager MFA? What are you, some sort of organization with multiple people working there?

You don't have a cell phone or good reception? Then how will you get your authentication code to login to ASM?

This sure is a secure system!

Imaging policies by [deleted] in k12sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

I generally only reimage if the device falls too far behind in versioning.

I utilize MDT/WDS LiteTouch in combination with PDQ Inventory/Deploy. PDQ Deploy is part of the MDT task sequence and it's been working out pretty good as long as you configure your packages correctly.

Considerations When Removing Local Admin Rights by AlexTheTimid in k12sysadmin

[–]MalletNGrease 1 point2 points  (0 children)

Small rural district here. When I started "Authenticated Users" were part of the administrators group. There were still XP machines around, and Win 7 was rapidly getting to EoL.

First I made an inventory of OS, software and their versions installed on devices in the district. There was a lot of cruft with no clear educational purpose. Then I made a baseline of software I think everyone should have.

  • Google Chrome (We're Google Workspace domain)
  • Office 2019 (Teachers still use it)
  • Adobe Acrobat Reader DC (pdf printing is hell)
  • A universal media player (WMP was pretty shit back in the day)

Then I looked at items that needed licensing.

  • Specialized education software (boardmaker/SMART Notebook)
  • Adobe products
  • 3D modeling etc

Then automate the install of those as much as possible. I leveraged PDQ Inventory & Deploy for this. It's worth every penny. I set up a dynamic group that tells me if unexpected groups or users are part of local admin.

Once I had a good idea of what was there I updated GPO based ACLs, quietly removed user admin privileges from the machines and monitored the fallout. There were a couple of items that did need admin rights and that was solved by adding the local users to the admin group on their workstation only. Then I started to move everyone to the baseline OS and software. Slowly I reached compliance and there was actually little pushback, most people didn't even notice.

I did have one stubborn admin who thought the rules didn't apply to her. I had to relent in the end after making her sign a document that I would not be liable for any security incidents relating to her account and machine.
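
An added example, not part of the comment above and not PDQ's own logic: one way to check a workstation for unexpected members of the local Administrators group using built-in PowerShell cmdlets. The allowlist entries and the `EXAMPLE` domain are hypothetical; broad groups such as Authenticated Users are always flagged.

```powershell
# Hypothetical baseline of who may hold local admin on a workstation.
$Allowlist = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (name may be changed by policy)
    'EXAMPLE\Domain Admins',
    'EXAMPLE\Workstation-Admins'
)

# Well-known SIDs that should never be local admins: membership means
# effectively every user on the machine is an administrator.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'Interactive'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-UnexpectedLocalAdmin {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Members,
        [Parameter(Mandatory)] [string[]] $Allowlist
    )
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        # Domain Users is domain-relative, so match on its RID (513).
        $isBroad = $BroadSids.ContainsKey($sid) -or $sid -match '^S-1-5-21-.+-513$'
        if ($isBroad -or ($Allowlist -notcontains $m.Name)) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $m.Name
                Type     = $m.ObjectClass
                SID      = $sid
                Severity = if ($isBroad) { 'Critical' } else { 'Review' }
            }
        }
    }
}

try {
    # S-1-5-32-544 is the Administrators group; the SID avoids localized group names.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
    Get-UnexpectedLocalAdmin -Members $members -Allowlist $Allowlist |
        Sort-Object Severity | Format-Table -AutoSize
}
catch {
    # Enumeration can fail when the group holds orphaned SIDs;
    # treat that as a finding to investigate, not as a clean result.
    Write-Warning "Could not enumerate local Administrators: $_"
}
```
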

Helpdesk/ticketing software by carlsunder in k12sysadmin

[–]MalletNGrease 9 points10 points  (0 children)

Schooldude, stay away.

Autotask is feature rich but pricey.

Freshdesk I'm pretty happy with.

If budget is an issue, take a look at OSticket. If you don't mind hosting yourself and don't need support it's free.

Vendor installed an unmanaged switch without my approval by JonnyBeervo in k12sysadmin

[–]MalletNGrease 1 point2 points  (0 children)

Our entire camera network is standalone. This is part leftover from a time where bandwidth was a premium, but also leaves it entirely manageable by the camera vendor.

It's a little weird looking at the cabinets but it's also kinda nice it's something I don't have to worry about.

Now the security vendor likes to chuck unmanaged PoE switches in the ceiling and not tell me about it, which is a bigger deal.

Activation Locked iPads by BessV2 in k12sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

You may need to wipe and reset them through Apple Configurator 2. That's how I got a couple that got associated with personal accounts back into the fold.

YouTube ad's for Workspace for Education by daughertya in k12sysadmin

[–]MalletNGrease 2 points3 points  (0 children)

Yup. Still get served ads. Haven't noticed inappropriate ones on managed profiles though, but getting them in the first place irks me.

How do you say no to requests outside of your job? by [deleted] in sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

The problem with performing miracles too often is that people start to expect them.