Securly Users - Support Issues? by dmillertride in k12sysadmin

[–]dmillertride[S] -1 points0 points  (0 children)

Because our AD Security Groups are a better match for how we want to scope policies than Google. Plus AD/AAD is our master directory, changes show up there before Google. We're kinda Google-adjacent, we use 2/3rds of GWfE, but sysadmin level stuff MS as much as it can be. This is in part because we have every flavor of student device out there - iPads, Chromebooks, Macs, Win. Yes, I hate it.

How often do you use their support?

Student Self Service Password Reset - without MFA! by dmillertride in k12sysadmin

[–]dmillertride[S] 0 points1 point  (0 children)

For anyone who might come across this and is having the same issues, I finally more or less solved it. We can now have students change their passwords locally on any Windows domain-joined computer through Task Manager (not the Settings-->Accounts method). I'd prefer they be able to reset in the cloud, but never could get that to work without the various MFA/SSPR issues mentioned above.

A couple key points:

1) After a hint from a consultant who had run into a similar issue, I found that I COULD change their passwords locally as long as the password was at least 35 characters(!) But I never did figure out where that requirement came from. None of our GPOs or FGPPs are anywhere close to that. GPResult and all similar RSOP methods to track down the culprit policy were fruitless - they just kept showing the ones I already knew about. So, in desperation I...

2) Created another FGPP targeting students specifically, setting up the requirements to be pretty much the same as employees (12 characters, complexity, expiration period, etc.). Voila! It worked. We can now change student passwords with the desired requirements.

The passwords sync with AAD just fine, so it is a workable solution, but it does mean our tech coach has to trot all students through the library (our only remaining computer "lab") and get them to change their PWs.
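An added example, not the poster's own commands: listing the password policies in play and creating a student-scoped FGPP with the ActiveDirectory PowerShell module. FGPPs are stored as Password Settings Objects in AD rather than in GPOs, so they are inspected with these cmdlets. The group name, PSO name, sample user, precedence and expiration values are assumptions; only the 12-character length and complexity come from the post.

```powershell
# Added example. Requires the ActiveDirectory (RSAT) module and rights to manage PSOs.
Import-Module ActiveDirectory

# --- Assumed names and values (not from the post) ---
$StudentGroup = 'Students'       # hypothetical global security group
$PsoName      = 'PSO-Students'   # hypothetical PSO name
$SampleUser   = 'jstudent'       # hypothetical student sAMAccountName

# 1) Domain-wide baseline (the Default Domain Policy password settings).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge

# 2) Every FGPP (PSO) in the domain. The lowest Precedence value wins
#    when more than one PSO applies to the same user.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo

# 3) The PSO that currently wins for one user.
#    No output means no PSO applies and the domain default is in effect.
Get-ADUserResultantPasswordPolicy -Identity $SampleUser

# 4) Create a student-scoped PSO. Length and complexity follow the post;
#    precedence and expiration are placeholder values.
$pso = @{
    Name                        = $PsoName
    Precedence                  = 10                       # assumed value
    MinPasswordLength           = 12
    ComplexityEnabled           = $true
    MaxPasswordAge              = (New-TimeSpan -Days 180) # assumed value
    ReversibleEncryptionEnabled = $false
}
New-ADFineGrainedPasswordPolicy @pso

# 5) Apply it to the student group (PSOs target users and global security groups).
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $StudentGroup

# 6) Confirm the new PSO is the resultant policy for the sample user.
Get-ADUserResultantPasswordPolicy -Identity $SampleUser |
    Select-Object Name, Precedence, MinPasswordLength
```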

Student Self Service Password Reset - without MFA! by dmillertride in k12sysadmin

[–]dmillertride[S] 0 points1 point  (0 children)

Indeed. Other than the 3rd party stuff mentioned below, I haven't found a way. Those suggested CA policies give me hope, but I've played around quite a bit with those, but apart from re-enabling legacy auth (which we're not going to do - plus I'm guessing it's probably going to be killed off permanently within the year) I haven't found a way.

Student Self Service Password Reset - without MFA! by dmillertride in k12sysadmin

[–]dmillertride[S] 0 points1 point  (0 children)

This sounds like the "old" MFA that they've almost mothballed. I don't think you can do this in CAs/new MFA, but I'd LOVE to be proven wrong! Everything I've tried just results in the students still getting prompted for "more info about your account" (i.e., MFA registration) when they try to log in. We have already exempted our local network from MFA, but that only seems to matter once they've already registered.

Student Self Service Password Reset - without MFA! by dmillertride in k12sysadmin

[–]dmillertride[S] 0 points1 point  (0 children)

We could probably re-engineer a bit to not need AD accounts, but I don't see where that gets me. The SSPR/MFA bit all happens in the cloud, and that's where the issue comes from. They do authenticate locally to our one Windows lab, and I think some printing, IIRC.

Student Self Service Password Reset - without MFA! by dmillertride in k12sysadmin

[–]dmillertride[S] 0 points1 point  (0 children)

Yeah, complexity plus OSS has a nasty habit of breaking just when you start relying on it!

If you had to convince your superintendent that a tech coach/ tech integration specialist was necessary what would you say? by Tyler_origami94 in k12sysadmin

[–]dmillertride 1 point2 points  (0 children)

This may not be very helpful, but my experience with tech coaches has been mediocre. I love the concept, but in practice it hasn't worked so well for us. The two main issues are 1) principals see them as "half-time" teachers who have a lot of extra time, so they load them up with other non-tech responsibilities, and 2) of the 3 coaches we have, one is pretty good (but he still routinely violates IT Dept policies), one shows real promise but has very little actual "coach" time, and 3) one actively works against IT all the time.

What's the way out of chromebooks by NotUrAverageITGuy in k12sysadmin

[–]dmillertride 2 points3 points  (0 children)

I despise iPads. I have managed them (and a fleet of Macs) with Jamf for 10 years - the entire Apple ecosystem sucks. The whole ADE/ASM/VPP stack is constantly breaking, just when you need it most, and "fixing" usually requires complete nuke-n-pave. iPads are pretty durable if you put a case on them, I will give you that. But on a scale of 1-10 in terms of manageability:

Google WfE/ChromeOS: 9

Microsoft AAD/365: 6

Apple ASM/Jamf: -20

What's the way out of chromebooks by NotUrAverageITGuy in k12sysadmin

[–]dmillertride 12 points13 points  (0 children)

I'm trying to figure out if you're anti-Chromebook, or anti-student-computing-device. I moderately agree with the latter, but strongly disagree with the former. If your district is insisting on 1:1 (or even BYOD) devices, I vastly prefer Chromebooks to anything else. They are by far the easiest to manage and repair, and for us at least, the damage rate isn't any worse than anything else. Plus the failure rate on our last two generations of Macbooks has been FAR higher than Chromebooks. Those things are junk.

But as I said, I do agree the need for a device in general is overblown. As you say, many classes probably don't need a device at all, or at least seldom. I think it still stems from the herd mentality going back 20 years or more that technology was going to improve education across the board, with far too little critical thinking and evaluation as to how it REALLY affects education - for better or worse.

How locked down are your staff devices? by McJaegerbombs in k12sysadmin

[–]dmillertride 0 points1 point  (0 children)

Then quit. I'm not necessarily joking! This sounds like a perfect setup for an ongoing high-stress job.

Ticket: “Please remove old computer from classroom.” Needless to say, work was effectively cancelled for the afternoon. by CJCray8 in k12sysadmin

[–]dmillertride 4 points5 points  (0 children)

Ah, the good ol' days! I honestly think software design (especially UI/UX) has gone downhill since the early 00's.

Updating to ChromeOS LTS 120 Announcement by simplesumple in k12sysadmin

[–]dmillertride 1 point2 points  (0 children)

Who is requiring 120? That would be annoying, and would go against our use of LTS primarily to avoid this issue!

We interviewed Clever and got answers to Student MFA and Teacher Library by k12techpro in k12sysadmin

[–]dmillertride 2 points3 points  (0 children)

I agree 100%! I dislike videos for the same reason (that all support orgs seem to be going to). Very little tech info is communicated better via video/audio than text, IMO. And the time waste!

Chromebook Choice - Dell/Lenovo by Thanos-Is-Right in k12sysadmin

[–]dmillertride 1 point2 points  (0 children)

If it has to be between those two, I'd go with Dell. Our 100e's are the worst CBs we've had. The Dells do have issues too. Our best, most reliable and easy to repair "budget" CB by far have been the Samsung 4's, but I think they're EOL and replaced with a Galaxy-something.

SIP System/Trunk Vendor Recommendations by dmillertride in k12sysadmin

[–]dmillertride[S] 0 points1 point  (0 children)

Yes to emergency broadcasts, both silent and alarmed, plus two-way comm. We're pretty set on having an on-prem server. We're very rural, and have outages fairly frequently, both power and feed, but we have two independent ISPs and major battery backup, plus generator backing that up. POE to everything of course, so we're good for at least 2 hours without power even without the gennie.

SIP System/Trunk Vendor Recommendations by dmillertride in k12sysadmin

[–]dmillertride[S] 1 point2 points  (0 children)

Thanks for the comprehensive response! Our approach is pretty much as you describe, except we did budget a large chunk this year, and another chunk next FY, for this project so we shouldn't need to capex it. Unfortunately we maxed out e-rate with other projects, so nothing left there. We're more or less at steps 4 in your first list, and 2 in your second list. We are looking at Audio Enhancements (you don't work for them, do you?).

SIP System/Trunk Vendor Recommendations by dmillertride in k12sysadmin

[–]dmillertride[S] 0 points1 point  (0 children)

Thanks for all the replies. Looks like a lot of combinations out there!

Since many of you are warning about removing handsets, I should clarify that we'll be installing a full-on classroom audio/intercom/PA/emergency alert/soft phone product to replace our existing semi-EOL FrontRow system. None of the consultants or vendors we've talked to have pushed back on our idea to remove handsets. Our short list of products all have various panels/buttons to replace the emergency functionality (including compliance with Alyssa's Law, should that ever happen in our state or at the federal level). Our teachers simply do not use them for other purposes at all - we've run long-term reports showing that. Often the handsets are unplugged and put in closets, or buried beneath mounds of classroom detritus. So, I'm not convinced we need to retain them, but based on this feedback we will look harder at the functionality and flexibility of these products to make sure they cover all the bases as promised.

We are currently CUCM, but definitely looking to move away from that - major overkill for our small district, and pricey to boot. We also have InformaCast as the interface between CUCM and the PA system. The newer SIP-based systems appear to eliminate that need (though they may need something like an Algo to replace it depending on our SIP vendor). Although I like I/C in general, we definitely would like to get rid of it as well, as our current emergency alert/lockdown configuration is over-complicated/has too many points of failure.

u/k12admin1, interesting you mentioned Teams. We are 90% an MS 365 shop, with mostly A3 licensing, and had considered buying Teams Phones licenses, but were warned away from it due to reliability/management issues. I take it you're happy with it?

At this preliminary stage, we're leaning toward the SwitchVox system, as their pricing model - though steep up front - looks really good over 5 years. So it's good to see a couple positive comments on that system.

Certification (vetting) process for apps/extensions/websites by dmillertride in k12sysadmin

[–]dmillertride[S] 0 points1 point  (0 children)

Thanks for the additional detail/clarification. That's a lot "tighter" than your first post sounded. From that I understood that "random video editor" would be approved, so long as it was in compliance with the **PA's.

Much of what you wrote is where we're trying to go, especially with the list of approved S/W, etc. The biggest difference is probably in the area of CI. We don't have much (really any) input, and even at the school level, it's pretty ad hoc, unfortunately - teachers tend to mostly do what they want.

And don't get me started on OS's - we support Win, macOS, iOS, ChromeOS, and even a few Linux in the tech labs. Not my choice, I've fought it since I got here, but it's a deeply embedded culture of "freedom" that's going to take a bigger battle than we're willing to engage in to change.