Chromebook Device Wallpapers now available in Google Admin Console!

Finally! Administrators can now get rid of that pesky Lizard, cityscape, or whatever default image the manufacturer decided to push to every device. You now have granular control over this setting and can apply it domain wide, or by OU. This helps immensely during enrollment so you can ensure the device gets put in the right OU without having to refer back to the Admin Console! Your technicians can just look at the background image on the next boot!

Of course there are other benefits. We are immediately starting a program in our Graphics Design classes that allows them to push wallpapers to the entire student body for their school. Announcements? Pictures from recent events? You can push all of that now to each student’s pre-login desktop. And it will disappear once they log in. No more pestering students by taking over their logged-in wallpaper!

Now of course there is a lot of content that gets in the way on the home screen. That is why I created this template in Photoshop that will allow your students to see what content may be obstructed. This template has 4 obstructed areas that in our testing are within 1-2 pixels on all of our 1366×768 displays. The areas are set as layers in the PSD, as follows:

“NoUsers” is what all new devices will see the first time they are logged into. If you do not allow sign-in photos, this will also apply to you. If you erase all content on each boot, this will apply. If you use Clever badges – this will be obstructed.

“BottomBar” is self explanatory. Obstructed on ALL devices.

“SingleUser” is where most 1:1 students will fall. Only this single small square is obstructed on 1:1 devices if only ONE user has ever signed in on the device.

“PartialObstruction MultipleUsers” is just showing areas that can be obstructed if more than one user uses a device.

Enjoy! Feel free to download and distribute.



Proxy Auto Config File (.PAC) and Chromebooks

We made the decision early on to filter all traffic through our CIPA-compliant internet filter.  USD290 currently has a Lightspeed Rocket that is the barrier between all network traffic and the internet.  We also have a separate Cisco ASA that is a more hardened firewall that does the heavy lifting behind the scenes.

So what does that all mean exactly?  Well, every device is filtered through our Rocket, no matter where they are, as long as they have internet.  Our policies apply at all times.  That’s not to say we don’t loosen the reins at times.  We employ a simple .pac file that allows us to redirect some traffic and take certain loads off of our system.  We could, theoretically, allow Netflix, Pandora, and Spotify at home, and not see a bandwidth spike as long as our .pac file is properly configured.  Below, I will tear into our config line by line, and show you how it works!

First, all .pac files are JavaScript.  As such, it’s pretty easy to find resources for configuring your own script on the internet.  The first few lines of our script simply initialize the function, and set an IP address variable to use for the duration of the processing.  Setting this variable allows you to reuse it throughout the script, instead of requesting it multiple times, thereby increasing the time required to process the code.  We also allow any local resource to bypass the script, since it will already be filtered onsite anyway.

Next we have a code block that allows us to prevent students from logging off of their Chromebook, and logging in under a personal Gmail account.  This also prevents them from adding a consumer account to Google Chrome.

At one point, we would bypass the filter if the students had a local IP address.  This was an effort to remove some of the load from our Rocket, but was later deemed unnecessary.  We have not seen a substantial increase in traffic from our always proxying devices.  Nevertheless, here is the part of the script that would allow local IP bypass

Next step is the Google portion.  We previously had each of these declarations as a separate line.  What this does is force every single URL to iterate through each line and check for a match.  We wrapped all the Google URL’s into a single check, thus eliminating significant processing time.

And the final section checks for a few more URLs that we want to bypass our Rocket and go straight to the internet.  If no other rules apply, the last declaration of the script tells the Chromebook to pass the traffic directly to our Rocket.  If the Rocket is not reachable, it then proceeds to DIRECT.  You could, if you wanted, list several different URLs in this declaration, separated by semicolons.  This will allow you fail-over access to multiple proxy servers!



That’s all there is to it!  Here is the complete PAC script for USD290:


Here is a bonus piece of code that will allow you to load balance between multiple proxy servers.  Replace the last three lines of the above script with the following:

And don’t forget the closing  } !




Can you sync S2 Netbox Access Levels With AD Security Groups?

Sure you can!  But it isn’t a feature that is accessible from the GUI.  We saw a need at USD290 to link our Active Directory Security Groups and S2 Access Levels to simplify employee onboarding and offboarding.  Is offboarding  a word?  Maybe jettisoning?  Regardless…I spent a morning crafting a PowerShell script that will run as a scheduled task and regularly synchronize these two groups.  This was a quick script to fill a void, we will be enhancing it in the near future to take into account disabled accounts too!  We also saw the need to track the NFC credential too.  This script allows you to store the credential in Active Directory in the ‘Pager’ field (or any field for that matter) and sync it up to S2 as well.

S2 has a very antiquated API available that we can leverage on the backend to inject this information.  The API is simple, and accepts some XML input and has provisions for authentication.  I would strongly suggest that you do not expose your S2 installation to the web when using this API.  There are authentication mechanisms available in the API, but they are poorly documented so they were omitted from this script.  I will reach out to S2 and see about improving this code with the proper Message Authentication Codes.

On to the script!  First things first – there are some prerequisites!

  • This script assumes that you have a separate OU in AD dedicated to your Access Control Security Groups
  • This script only plays nice when your AD Security Group Names match your S2 Access Level Names verbatim!
  • You must enable the API by going to Configuration ->Site Settings->Network Controller->Data Integration and checking the API checkbox
  • Backup your database before using this script!

That last one is important.  I have extensively tested this in our environment, and it works splendidly for our needs.  I will not be held responsible for any damage caused by this script when run in your environment.  Ultimately, this is a script you found on the internet that can completely ruin your S2 installation if not configured properly.  You have been warned!  The line that actually performs the writing to S2 is commented by default for testing.  Remove the leading # on the last line of the script to run the script live!

Security,Windows Admin


Lower case ‘t’ in GPO? Nah…

Update: Reader Ryan Engstrom pointed me to a MS Hotfix on the issue!  Well, the hotfix covers the backspace issue, I will test lowercase ‘t’ later tonight! 

Came across something very odd in Group Policy Management today.  I was attempting to break a GPO into two separate GPO’s – one for staff, and one for students.  The actual splitting was the easy part.  The difficulty came when I decided to indicate which was for Staff and which was for Students.  I was not able to use a lowercase ‘t’ in the name of the GPO.  Any other letter was fine!  I quickly toggled my Windows key, Ctrl key, Alt key, and anything else to make sure I wasn’t experiencing an input error caused by my hardware.  I then ended my mRemoteNG session, and fired up RDP directly thinking maybe mRemoteNG was messing with something.  I even undocked my Lenovo P70, and used the built-in keyboard.  I was stumped.  I needed a solution, so I opened up notepad, typed the name I wanted, and then copied and pasted it over to rename the GPO.  I couldn’t leave it at that.  I had to figure out what was going on.

You are probably reading this right now, and you have your own ideas of what you would have tried.  And you probably expect me to say that I was able to diagnose the issue and detail how I fixed it.  Well…that’s not going to happen.  I took to the phones and walked two other admins through this at different companies.  Both experienced the same issue.  Here is how you can check it out for yourself!

  • Launch Group Policy Management
  • Expand the “Group Policy Objects” folder (near the bottom of the folder list) 
  • Select a GPO…I used a disabled one for this example, so as to not interfere with anything
  • Now, if you right click and rename, all is well.  It will work.  You can type a lowercase ‘t’.  But…
  • lowercaset1

  • Select the ‘Settings’ tab on the right hand side.
  • Now on the left hand side, in your list of GPO’s, right click and try to append a lone ‘t’ to the end of your GPO name.  Can’t do it!  You also cannot press backspace
  • lowercaset2

This was a perfect storm.  I was checking the settings that were applied by the GPO and then decided to rename the object.  Give it a shot and see what you get!


Shameless plug for mRemoteNG?  Yea.  That’s what this entire blog entry is all about!


Windows Admin


S2 Access Control and Holiday Schedules

So…we just recently added Access Control to most of our exterior doors district wide as part of our Safety and Security upgrades.  This has been a huge undertaking and we have battled with contractors non stop.  But that is not what this post is about.  This post will focus solely on the biggest hangup with our new S2 NetBox installations.  Holidays.  It is such a minor thing, and could be fixed very easily by tweaking some UI elements, but alas – it is broken.  Phil Elliott over at Spring Hill has warned us about this several times.  He explained the intricacies of holidays in S2, and reiterated that he has to review it every year to make sure it is right.   If there is a feature of your product that your users have constant trouble with every time they go to use it, your feature needs re-engineered.

So what is it about holidays that is so difficult to implement?  Well, let’s dive into some screenshots and I will show you!

In the software, we first have to manually add all of the holidays at our school.  This includes calendar holidays, teacher workdays, Winter and Summer breaks, and the unknown snow days (but we won’t get into those today).  When setting up each holiday, we need to assign it to a group.  Holiday 1, holiday 2, or holiday 3.  There is no rhyme or reason to these, they are just there for you to use as you see fit.  We utilize them as follows:

  • Holiday Group 1 – Calendar Holidays
  • Holiday Group 2 – No School, but building staff are present
  • Holiday Group 3 – Extended Breaks or snow day.  No Staff

Here is a picture depicting the setup for Labor day of 2016.  Calendar holiday – so it gets the Group 1 designation.  We also prepend our holidays with the year (a tip from Phil@Spring Hill) to make for easier changes next year!

Labor Day 2016

And here is a picture of today’s teacher inservice.  No student’s are here, but our staff still needs to get in the buildings.  Holiday Group 2.

September23rd Workday

Pretty straightforward so far?  Hold on!  Once you have defined all of your holidays for the year, you need to assign them to “Time Specs”.  These time specs are then assigned to doors, and you are done!  Therein lies the problem.  Let’s dig in.  Look at the following picture and tell me what would happen at 7:30AM on Labor Day?  Labor Day is a hol1 (Holiday Group 1).

The door would not unlock.  If you want to apply a holiday to a time spec, you have to NOT check it.  So in this time spec, the doors would unlock on Monday through Friday, and any Holiday Group 2.  It’s backwards, and it can be confusing.  If you take the time to think about it – it finally starts to make sense.  If the verbiage could just be changed from “Days of the week” to something like “Select the days and holiday groups which you would like the doors to unlock” it would be a bit easier.  Am I over complicating this?




Starting Somewhere…

My journey in technology has taken me in many different directions.  From a call center, to a data center and everything in between.  My latest move has put me back into a school district.  I enjoy my work in a school setting, as there is never a dull moment.  Every day is different.  Every day is exciting.  Every project is meaningful.  Our goals are clear, and our mission is achievable.  There are no blurred lines, there is minimal red tape, and I get to work with people who truly have a passion for what they do.

Recently, a few neighboring school districts have lost some great talent from their technology departments.  Four area technology directors have moved on to new jobs, leaving their previous positions vacant.  My district was in a unique spot.  We had just created a new position for our schools, thus expanding the size of our technology department.  With a little coaching, and a little negotiating – we had a plan.  We would offer technology services to the area schools in need.  We approached the schools, negotiated terms, and came away with two new districts to support.  Contracts were just finalized and we now provide consulting services for West Franklin USD 287, and Anderson County USD 365.

Welcome to the family!  Staring Monday – Documentation!  Rule #1 is to not make sweeping changes.  Evaluate, Understand, Investigate.  The two environments we inherited are very heterogeneous in terms of technology being used.  One is a Google school, and one is a full Microsoft shop.  One is on Chromebooks, the other on Windows devices.

Really looking forward to diving further into this consortium to see what savings we can offer up when it comes to Group Purchasing, shared services, and system standardization – whenever it makes sense.



YouTube Restrictions!

Goodbye YouTube For Schools!  Hello DNS based restrictions!

The folks over at YouTube in collaboration with Google Apps for Education have finally allowed us administrators some amazing tools to help filter what is available to students when navigating YouTube.  Gone are the days of adding videos to a specific school’s playlist to allow only certain videos in.  Gone are the days of the dozens of phone calls, emails, and trouble tickets asking for help adding videos to the approved playlist.  These new DNS rules allow us to do a few things:

  1. Filter out pretty much all of the bad stuff.
  2. Give teachers the ability to approve videos with the click of a button – and easy access to approvals from within the video
  3. Give teachers the ability to approve entire channels!

So many schools are afraid of YouTube and the challenges it presents.  Some schools block YouTube entirely.  We all need to understand the resources that YouTube provides.  There is so much user generated content, so much substance, and so much to learn from perusing the site.  Yes, you can get lost in funny videos, music, and video game reviews.  But you also have physics projects, lectures, book reviews, etc.

If you are reading this, and are currently blocking YouTube access – please reach out and let me know what I can do to help.  Here is a document I wrote that explains how to setup the DNS settings, and how to navigate the new options.  It has been used by thousands already, and I have fielded dozens of questions.  Happy to help!