
Showing posts from 2018

Acer Spin 13 Chromebook - a quick look.

A few days ago I got to try an Acer Spin 13 Chromebook. This is a high-end device - in the same price bracket as the Pixelbook. The one I looked at was going to be priced at around £800. For this you get:

8th Gen i3 8100 processor
16 Gb RAM
64Gb SSD
13" touchscreen 2256x1504 and touch flip format

I ran a quick Octane benchmark and it scored a decent 33000 (my Pixel 2013 does around 21000).

In use it's similar to the Pixel 2013/15 - same aluminum case and quality finish. The Pixelbook is a much more luggable device if that's what you are after. So it's basically a fast, touchscreen, high-resolution Chromebook with a price to match. It feels well built and the keyboard was responsive - a nice machine.

Would I buy one? Probably not. For school, the price is way too high and I manage just fine on a regular 11" Spin. As a private buyer, I currently have an Acer R13 Chromebook that does everything I need (not as fast) and cost less than half the price. I also have a Pixel 2013 r…

Adding subdomains to G Suite

This is how I add subdomains (so basically new schools) to our G Suite setup. I've got these steps documented on a scruffy set of notes that I've now got in Keep - so time to document them - for myself as much as anyone else!

Steps in order (roughly)

Add the new domain
Verify the new domain
Add MX records to hosting
Add SPF record for Google to hosting
Turn on email authentication
Add DMARC record to hosting
Setup custom Directory and restrict students OU to this.
Create an admin quarantine for the domain.
Configure SPAM setting for the domain.
Turn on and off services as appropriate.
Map a blank Google Site to the naked domain - if required.
Setup some basic groups - allstaff, allusers (for directory) and students with appropriate permissions.
Deploy custom wallpapers.

So the steps in a bit of detail:

Add the new domain & Verify ownership

Click on Domains in the admin console:
Add/remove domains followed by "add a domain"
At this point make sure you select the second option. …

Chrome GPO updates Oct 2018

A while back I published this blog post about locking down Chrome. The first two policies in that article have now been deprecated and replaced. This quick video covers what has replaced them and a couple of new policies as well.



Avoiding Google Captchas on your network

Your network may generate captchas if Google thinks you are sending too many duplicate requests to them. The end result can be that Google search stops working or, if you use a cloud-based filtering service (like Securly for us), your ability to proxy Google searches gets revoked for a time.

There are lots of reasons this can happen - malware, use of services like VPNs and the Tor network. These things should be within your control to manage/block. However, it turns out that one of the key factors is what you put in the Chrome policy "Omnibox Search Provider Suggest URL". I recently got the following string from Securly who got it from Google:

{google:baseURL}complete/search?output=chrome&q={searchTerms}

Now, why didn't I think to put that in......

So our policy looks like:
If you use the setting suggested in the list of Chromium policies, this apparently generates multiple duplicate requests. Since modifying this policy we have had zero issues.

ChromeOS 70 - a quick look

2 Factor Authentication for all staff in the new term.

This coming September 2018 we are going to finally make 2 Factor Authentication mandatory for all staff via security key. This is now easy to do via the management console and the settings look like this:












We have a free gift for all staff at the first INSET day back:


Relatively small cost for the added security for those not already on 2FA. Lots of little green lights on the INSET day!

S/MIME email signature and encryption for G Suite for Education

S/MIME has recently become available for G Suite for Education. This offers digital signing of emails and enhanced encryption where supported by the recipient. There are a few steps to setting this up.

Enable on the Admin Console for users
Generate pfx certificates for users (or get them to do it)
Upload pfx into GMail settings - either the user does this or you can do it with GAM
GAM command: gam user jim@acme.com add smime file jim.pfx password p@ssw3rd default
The password is for the certificate - not the user's password.
Optionally force the use of S/MIME via a content compliance rule for certain recipients.
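
The "generate pfx" step above, as an added example that is not part of the original post: it builds a password-protected .pfx for one mailbox with openssl and checks that the bundle opens and names that mailbox. The function names are hypothetical, and a throwaway self-signed certificate stands in for the CA-issued one you would use in practice.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.
# Assumption: a self-signed certificate stands in for one issued by your CA.

# make_smime_pfx EMAIL OUTDIR PASSWORD -> prints the path of the .pfx it wrote
make_smime_pfx() {
  local email="$1" outdir="$2" base
  base="$outdir/${email%%@*}"
  # Key pair plus a certificate bound to the mailbox and limited to e-mail use.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$email" \
    -addext "subjectAltName=email:$email" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout "$base.key" -out "$base.crt" 2>/dev/null || return 1
  # Bundle key and certificate. The password travels in the environment,
  # so it does not show up in the process list the way a pass: argument would.
  PFX_PASS="$3" openssl pkcs12 -export -inkey "$base.key" -in "$base.crt" \
    -name "$email" -passout env:PFX_PASS -out "$base.pfx" || return 1
  # The unencrypted key is no longer needed once it is inside the .pfx.
  rm -f "$base.key"
  printf '%s\n' "$base.pfx"
}

# check_pfx PFX PASSWORD EMAIL -> succeeds only if the bundle opens with that
# password and its certificate names that mailbox
check_pfx() {
  PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null \
    | openssl x509 -noout -email 2>/dev/null | grep -qxF "$3"
}

# Constructed sample run: the address and password are made up for the demo.
demo_dir=$(mktemp -d)
demo_pfx=$(make_smime_pfx jim@acme.com "$demo_dir" 'constructed-example-pass') \
  && check_pfx "$demo_pfx" 'constructed-example-pass' jim@acme.com \
  && echo "ok: $demo_pfx"
```

The .pfx path and its password are the two values the GAM command above takes; running check_pfx before the upload catches a wrong password or a certificate issued for the wrong address.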

Useful links:
GAM Commands
Comodo - one source of certificates
How to make a pfx


Allowing Private Accounts on Managed Chromebooks

We run a 1:1 scheme where parents have the option to buy a Chromebook. However, to make things run smoothly we have always insisted that the Chromebooks are managed and only domain accounts can be used. For some parents, this has been a barrier to buying as it prevents them from using a device they have paid for. That has now all changed with the introduction of timed access to private accounts and guest mode.
In device settings, you can now specify times that a Chromebook can have sign-in restrictions lifted. To keep things secure, you must always sign-in and out with a domain account for this to be visible. We have offered this to guardians where they have paid for a Chromebook and have had a high takeup so far. The settings we use are:
Demo of what it looks like:

Pixel from ChromeOS to Ubuntu 18.04

To install Ubuntu 18.04 I followed my own blog post (but used an Ubuntu 18.04 boot stick instead):

https://wpsit.blogspot.com/2018/04/how-to-beat-chromeos-eol-and-carry-on.html

To set the custom resolutions I followed this guide:

http://ubuntuhandbook.org/index.php/2017/04/custom-screen-resolution-ubuntu-desktop/

My settings are:

xrandr --newmode "1280x850_60.00"   88.75  1280 1352 1480 1680  850 853 863 883 -hsync +vsync

xrandr --newmode "1536x1020_60.00"  129.75  1536 1632 1792 2048  1020 1023 1033 1058 -hsync +vsync

xrandr --addmode eDP-1 1280x850_60.00

xrandr --addmode eDP-1 1536x1020_60.00



To map the top row of keys I used these instructions:

http://www.fascinatingcaptain.com/blog/remap-keyboard-keys-for-ubuntu/

How to beat ChromeOS EOL and carry on getting updates

ChromeOS devices are great in loads of ways, but they have built-in obsolescence. Google will stop providing updates at a predetermined time according to the schedule you can find here. So the best you will achieve is 6.5 years if you buy the device on the launch day. In reality, it will generally be much less. It's something to watch, as a good deal might not be such a good deal if the device only has two years left.

Once a device reaches its "due" date, you get a red pop up telling you it's time to update every time you log in. The update section tells you there are no more updates. Now the device will work fine - for a while. You might get another 6 months use out of it before core services like Gmail stop working. However, if you are prepared to do a little work, you can install the OS of your choice onto the device and carry on using the device and not accept this. If you want ChromeOS, then you can install Cloudready from Neverware. I'll outline the basic steps be…

Macros in Google Sheets - a quick look.

New Directory Settings in the G Suite Admin Console

Quick demo of the latest version of the JamBoard App on ChromeOS

JamBoard is rapidly becoming my go-to "whiteboard" type app on ChromeOS. The latest update means your "Jam" files end up in Drive, which allows you to preview and organise them.

Preview in a browser
Quick demo on ChromeOS


Kapwing online video editor

Switching from Windows 10 to Ubuntu 17.10

How to lock down API access on your G Suite Domain by Whitelisting

In the G Suite Management Console, there is an important setting that allows you to whitelist the apps that have API access to your domain. I'd recommend doing this to safeguard your data and prevent malicious apps doing bad things! Quick video guide below:


How to lock down who can use Chrome on Windows via Group Policy

You can restrict the use of Chrome to only the accounts you want to use it by enforcing a few group policies. The most recent of these is to force users to sign into Chrome. However, this policy needs others to make it effective. Below are the ones I use.

Update - see this page for the latest policies that replace the first two listed below.

Firstly - force users to sign in to Chrome

Make sure they can only use a domain account


Make sure they cannot use accounts you don't want them using in G Suite services

Disable incognito mode

Disable guest mode
Disable add user (might not want to use this for a staff account as they may need to use more than one account)
With this combination of policies, your users are locked down to their G Suite account and cannot do anything about it. Quick video on what it looks like:







Quick look at the ClearOS Egress Firewall config

Just a quick follow up to my video from a while ago about using ClearOS as a gateway server. One of the things I did not cover was the Egress Firewall app, which is an important part of securing your network.