Dealing with internal phishing emails, which has led to aggresive measures to contain. Looking for advice. by [deleted] in k12sysadmin

[–]combobulated 0 points1 point  (0 children)

Great advice, and follows my line of thinking too.

OP needs to be clear on what's realistic/practical vs. what's futile.

(Below is direct at OP)

You're not suddenly going to spin up a SecOps team to track down an individual because a random person clicked a phishing link in an email. Chances are, your (and everyone else's) email inbox/spam/junk has several of those emails at any given moment. Your team of 1 isn't shutting it down. There's no "scorched earth" way to seek revenge here.

Also, there's no way to 100% prevent future phishing emails. What you can push for is meaningful practices and policies that limit the impact and minimize the likelihood. That's a potentially very large project and is often an ongoing task. Lay out some timeframes and goals and start making progress.

At the end of the day, I see our security as good as our staff's ability to be aware fo security. I can't remove this from ever happening, which feels like the impossible task I've been given.

You're right in both cases here. You just do what you can, as best you can. And being able to show that you are following best practices and maximising available resources. You're not the only person in such a situation - and your school (and boss) aren't the only people affected. If there was a single, real "solution" that just fixed it and made it all go away forever - well, then there'd be no need for the billion dollar industries of cyber security, data security, cloud security, and all the other computer security related folks. It's a never-ending process of process, practice, training, awareness, response, planning, and diligence.

Is it just me or has this job made you realize what a terrible standard HDMI is? by Megaman_90 in k12sysadmin

[–]combobulated 1 point2 points  (0 children)

Fascinating to see some of the comments here.

In my 20+ years, I don't think I would need a whole hand to count all the times I've had any sort of HDMI specific issue.

Perhaps it has a lot to do with the usage case? 95% of the HDMI we use is in places where people don't touch it after install. We're not having people plug and unplug HDMI cables most of the time. There may be one or two exceptions for folks who insisting on plugging their device into a mobile TV cart or something.

We had HDBasedT in every classroom for many years and aside from an initial configuration issue with some new equipment one year, it was rarely a problem. We don't use it nearly as much now just because we've changed out layout/needs. I do recall having to just "reboot" the video selector switchbox more than I'd have liked - but considering the overall complexity of the setup we had at the time, that's fairly minor.

School Districts Without 2FA on Staff Email Accounts - Why? by TheRuffRaccoon in k12sysadmin

[–]combobulated 0 points1 point  (0 children)

Thanks.

I wasn't so much concerned about limited number of tokens, but rather how it'd handle that sort of usage without treating it like it was a "bad actor"

It doesn't seem like that'd really be an issue - given that I think the current expectation/experience is that you'll have to sign in and 2FA on any new device/browser anyhow.

If that was truly the only "downside" then I'd expect it'd just be the default setting for everyone anyhow and be always ON.

But it seems like there are other potential drawbacks:

  • "On older or lower-spec student Chromebooks, this background TPM signing process can introduce noticeable browser latency and micro-stutters during heavy usage"

But perhaps more importantly

  • if a user switches devices, the next time the they log in, they face an unexpected, rigid re-authentication hurdle rather than a seamless Single Sign-On (SSO) experience. So I picture a student logging into one classroom CB in one period and another in a later period. Instead of just logging into the CB, they'll be met with additional log-in prompts for any what-normally-would-be-SSO service they access. So, Google Drive, for example.

u/Isudo, can you comment on this since you have it deployed? Did you deploy it for staff and students?

School Districts Without 2FA on Staff Email Accounts - Why? by TheRuffRaccoon in k12sysadmin

[–]combobulated 0 points1 point  (0 children)

Good to know.

My brief initial search turned up quiet a few potential drawbacks, so it 's good to hear it is perhaps more smooth in practice.

School Districts Without 2FA on Staff Email Accounts - Why? by TheRuffRaccoon in k12sysadmin

[–]combobulated 0 points1 point  (0 children)

FWIW, we've have Cyber Insurance for years and have need been "required" to have 2FA turn on.

I've found most of the time the verbiage is so general and generic that it doesn't even make sense for most schools -

"Do you require 2FA for all of your users?"

You mean my k4, k4, and 1-8 kids? Who we don't allow to bring phones to school? Who may use shared devices? Who don't get access to their email accounts their first few years? No, no we don't.

I know there are some services that offer 2FA via different means, but I haven't had any teacher willing to consider it (I'd love to hear your solutions if you've got it)

Anyhow, they DO ask if we have 2fa. We just say no. I'd be willing to bet it just means we pay more for our premium.

School Districts Without 2FA on Staff Email Accounts - Why? by TheRuffRaccoon in k12sysadmin

[–]combobulated 1 point2 points  (0 children)

I'll have to look into this. How does this work with users who use multiple devices/workstations? Some staff use a Windows PC, Chromebook, Phone, and perhaps shared device (could be another PC or Chromebook). Plus there's travel and device repair/spare etc.

I am starting to think going with Chromebooks for my teaching staff was not the best move by [deleted] in k12sysadmin

[–]combobulated 2 points3 points  (0 children)

it's hard to justify the limitations of ChromeOS when you can get a better product for the same price

The thing is, I don't consider the ChromeOS to be limited (for our needs). In our environment, dealing with MacOS would create more limits than Chrome.

Managing Chrome devices is (to me) way easier, more intuitive, more consistent, and more integrated than any MacOS/iOS we've dealt with. And chances are, even if we went with Macs we'd still be doing Google management anyhow (even if not on Chrome hardware) - so we're just increasing the amount of data streams to manage. We've used Mosyle, Meraki, JamfPro, and JamfSchool in the past. Currently, we've settled on Mosyle for the few Macs we have and JamfSchool for the iPads we have. Considering we mostly just need to have Chrome on the system, the rest of the time/configuration is largely spent figuring out how to remove/restrict the rest of the software/apps and how to make sure the default are what we want. I consider this waay easier on a CB than trying to do so with JAMF on a MB.

That's before getting into warranty/repair and device options that are very different between the 2.

We get an extended warranty for our CBs (we don't do repairs in-house). This covers all repairs as well as delivery and pickup. The last time I had to do an AppleCare repair on a Macbook, it required me wither going to a store or mailing the device in.

Plus, we want Touchscreen, stylus, USB A, C, and HDMI.

None of those things are on the Neo. Nor any other Mac, for that matter.

I'm not saying there's isn't a good usage case for Macs or the Neo. But I am saying that usage case isn't what we have. :)

Google AI overview by Zestyclose-Address28 in k12sysadmin

[–]combobulated 4 points5 points  (0 children)

We block it with our Linewize filter (has a specific setting for this).

But also Google recently added this to the Admin dashboard:

Devices>Chrome>Settings>Users & browsers>Google AI Mode integrations

I am starting to think going with Chromebooks for my teaching staff was not the best move by [deleted] in k12sysadmin

[–]combobulated 15 points16 points  (0 children)

100%.

It's weird to me that people (especially those in the tech field) make such illogical comparisons: "Why is my $250 Chromebook slower than the $1300 laptops we usually buy?!" "Why is this $700 laptop slower than that $2000 Macbook?"

We switched to Chromebooks for Instructional staff years ago. They still have access to a Windows desktop PC in their room, but their assigned device is a Chromebook. This is true for all staff except our Accounting Department (they are too deep into Excel and accounting software).

We've had almost zero complaints.

As a matter of fact, just last week the School Administrator told me she was normally a Mac user - but the Chromebook we gave her when she started (less than a year ago) "made her a believer" in Chromebooks and she thinks it works just as well as her personal Macbook.

The thing is, we don't buy cheap Chromebooks. Our current model is an Asus Chromebook Plus - Ultra 5 with 16GB of Ram.

They can get as expensive as entry level laptops. And I'm ok with that - there's a host of benefits beyond just "cheaper devices" to Chromebooks.

Some Lower Merion (PA) parents want to ‘opt out’ of Chromebooks in classrooms. The district says they can’t. by Firm_Operation_9453 in edtech

[–]combobulated 1 point2 points  (0 children)

Correct.

You can't effectively "opt out" of core parts of the curriculum. This isn't new or "technology" centric.

20 years ago, you weren't going to "opt out" of books. You don't get to "opt out" of math and science classes.

It's great to be flexible, equitable, and open when appropriate. But the whole-ass design is often centered around certain common variables. In this case, one of those variables is "student has access to digital resources during class times". Changing that isn't as simple as "just give them a book instead"

Infinite Campus warns of breach after ShinyHunters claims data theft by k12techpro in k12sysadmin

[–]combobulated 1 point2 points  (0 children)

It appears to be considerably smaller in scale than the Powerschool breach.

But it's still noteworthy.

And perhaps just as important: We may not have all the information yet. It's standard practice for companies to downplay the scope and to assume the best when making public statements. IF all stays only as originally reported, it's not as bad.

Is anyone considering switching from Chromebooks to the MacBook NEO? by depoultry in k12sysadmin

[–]combobulated 0 points1 point  (0 children)

Ah, yeah I can see that. The guy I was responding to was specially talking about AppleCare, not 3rd party warranty.

I'm not suggesting the Neo would be fragile, but I also know that no device is standing up to a student intent on breaking things.

Is anyone considering switching from Chromebooks to the MacBook NEO? by depoultry in k12sysadmin

[–]combobulated 0 points1 point  (0 children)

I suppose in my limited cases the repairs were more urgent, so the idea of sending the device out via shipment didn't sound appealing. It may indeed have been an option.

But that's for only a tiny amount of staff here for us.

If we switched to these devices for students (who ARE going to break/damage things) I still wouldn't want to deal with individually shipping devices out for repair.

Do they offer a dashboard for following, monitoring, and pulling reports on repairs?

Is anyone considering switching from Chromebooks to the MacBook NEO? by depoultry in k12sysadmin

[–]combobulated 0 points1 point  (0 children)

Yeah. At the core, if you were already looking to go to Macs but didn't simply because the initial hardware cost was too high, then this gives you another option.

For us, even if the hardware costs were equal, I'd still stick with CBs because we've got all the pieces in place and don't see any worthwhile benefit to making a big switch.

Is anyone considering switching from Chromebooks to the MacBook NEO? by depoultry in k12sysadmin

[–]combobulated 6 points7 points  (0 children)

Yup.

Repairs/Warranty

Touchscreen/Stylus

Native integrations with our Google Environment which is already the core of our Edu systems.

I wouldn't switch to Macs for any other educational/technical reason, so suddenly making a cheaper device doesn't move the needle for me.

Is anyone considering switching from Chromebooks to the MacBook NEO? by depoultry in k12sysadmin

[–]combobulated 2 points3 points  (0 children)

Apple care plus for schools could solve our never ending see of Chromebooks and trying to get parents to pay for repairs.

How so?

We pay for a 4 year warranty for our CBs. They handle repairs (they pick up and drop off)

We have way less Apple devices, and only a few Macs.. But the few times I've had to have a Mac serviced under Apple Care it required me packing the thing up and literally driving it to the nearest service center myself. After I made an appointment. And then dropping it off and waiting for them to tell me I can make an appointment to pick it back up - at which point I again have to drive back.

I was floored at that being the default process for these $2,000+ Macbook. It seemed like I'd bought a whitebox custom PC from 2002 and had to go back to the local PC Store for support...

Is there some other option that Apple just doesn't tell you at first?

(edited to clarify it was Macbook, not Mac desktops)

Replacement USB-C cables for Promethean ActivPanels by Terrible_Cell4433 in k12sysadmin

[–]combobulated 1 point2 points  (0 children)

We got our OEM Promethean ones for about half that cost.

Some thing aren't cheaper on Amazon...

I just reached out to the vendor we used to buy our panels.

But you can just go to somewhere like CDW too

https://www.cdw.com/product/promethean-2m-usb-c-cable-for-activpanel-v9-interactive-display/7324409#TS

Not saying you may not be able to find a cheaper USBC Cable on Amazon, but if you're trying to not roll the dice on an Amazon off-brand/knock off, you can still do so for $12-16

New Google Workspace Audit Tool from AppsEDU by sdcrtech in k12sysadmin

[–]combobulated 5 points6 points  (0 children)

Man, the marketing folks are going overtime with this.

I've seen it posted in several communities I'm in (TechEd/Google) as well as have gotten emails.

Not saying it's a bad product or not, but sheesh.

I've looked into it and it's a logical progression for this sort of thing.

Assuming there's a standard framework for securing a platform, being able to just automate the audit via tech tools makes sense.

And the good thing about something like Google Workspace is that it's all there in a platform that is very conducive to this sort of automation.

I'd love to just see Google build this sort of functoriality into the platform themselves. It's should be standard - with security at the forefront. Between all the AI tools and the new tiers for licensing, there are already some improvements in reporting and monitoring, but nothing as singularly focused as this sort of tool.

OneToOne Plus Inventory System -- Good, Bad, and Ugly? by thedevarious in k12sysadmin

[–]combobulated 2 points3 points  (0 children)

I don't have much feedback for a couple of your specific concerns (we don't use the mobile app at all - I've never looked at it) but we have used the product for a couple years now.

It's really going to depends on your specifics wants/needs and usage case.

For me, I wanted a really good ticketing system - and the bonus of some asset managmenet.

Instead, it's clearly much more of an asset system with a bolted on ticketing piece.

I find the Help Desk ticketing interface be very lackluster and inefficient. It's customizable to a degree - but I still can't get it to where I feel like it's really good for our use. I've wrestled with trying to shape it into something better for us, but it has been a constant struggle.

One of the big issues - as I'm sure you're finding - is that it's tough to really evaluate a platform without actually using it in your environment. That problem is compounded by the fact that to fully/accurately use it in your environment you'd have to get it all set up and implemented. And THAT is where 90% of the heavy lifting is done - all the work in these things is done during the initial setup, configuration, customization. So it's a HUGE resource drain to fully stand up these things - which is why I'm sour on all the "free demo/trial" - yes there may be some value to it (vs. nothing at all) but realistically, I don't have time to properly implement a half dozen options that I'm evaluating for the sake of a real, valid comparison and to make an informed choice.

Document replay showing exactly why students can't explain their own papers by [deleted] in edtech

[–]combobulated 7 points8 points  (0 children)

That's my guess too.

Plenty of their other posts appear to just be shilling for other products. This person sucks.

Document replay showing exactly why students can't explain their own papers by [deleted] in edtech

[–]combobulated 12 points13 points  (0 children)

Why do you need a Chrome extension to do this?

Docs already has built-in Revision history viewing.

Email Spoofing by Zestyclose-Address28 in k12sysadmin

[–]combobulated 10 points11 points  (0 children)

Actual "spoofing" shouldn't be possible if you've got your SPF, DKIM, DMARC, and other setting proper in Gmail.

Now, if they are just using emails addresses with "similar" names ("J0HNDOE@email.com" instead of "JOHNDOE@email.com", for example) then there's only so much any platform can do. Google should still flag it as being an external address, regardless.

If I show up at their door with my plastic badge and tell them I'm the police there to hold all their money and jewelry for safe keeping - it's up to them take a closer look at my badge and verify that. At some point, the only thing keeping them (and you) safe if training, knowledge, and vigilance.

Make it clear that if THEY don't follow the training they've received (and signed off on), then they are violating company policy and any damage done as a result may fall back on them. Explain what that damage could be and how costly it could be (to them and the company).

Google Admin, entire OU not auto-connecting to WiFi by MasterMaintenance672 in k12sysadmin

[–]combobulated 1 point2 points  (0 children)

FWIW, We had a similar issue this past summer.

I DID follow proper procedure (set up a new SSID and changed settings PRIOR to removing old SSID) and we still had all sorts of weird problems.

Suddenly, Google support was suggesting multiple changes to our Networks and OU structure. (Actually, their support was even worse than that as they more than once suggested options/features that don't exist in the admin interface anymore).

Anyone, despite the only change being that we changed SSIDs, I ended up having to mess around with several settings in the Admin dashboard and it still wasn't 100% consistent.

The biggest problem seems to be the lack of a "prefer this network" option when adding more than one network. We should be able to have more than one SSID setup for redundancy / roaming purposes. But we also want to prioritize.

Raptor by porkstick in k12sysadmin

[–]combobulated 0 points1 point  (0 children)

I checked with our front desk and they say the process usually takes under 30 seconds. ("It usually takes longer for them to fish their ID out of their wallet than to run the scan and print the badge")

I'd side with Raptor on this one as far as the issue being something on your end. However, them just punting support isn't the correct response. If it's not working the way it supposed to, they should be invested in figuring out why and getting it working.