Skip to main content


Showing posts from 2018

2 Factor Authentication for all staff in the new term.

This coming September 2018 we are going to finally make 2 Factor Authentication mandatory for all staff via security key. This is now easy to do via the management console and the settings look like this:

We have a free gift for all staff at the first INSET day back:

Relatively small cost for the added security for those not already on 2FA. Lots of little green lights on the INSET day!

S/MIME email signature and encryption for G Suite for Education

S/MIME has recently become available for G Suite for education. This offers digital signage of emails and enhanced encryption where supported by the recipient. There are a few steps to setting this up.

Enable on the Admin Console for users
Generate pfx certificates for users (or get them to do it)
Upload pfx into GMail settings - either the user does this or you can do it with GAM
GAM command: gam user add smime file jim.pfx password p@ssw3rd default
The password is for the certificate - not the user's password.
Optionally force the use of S/MIME via a content compliance rule for certain recipients.

Useful links:
GM Commands
Commodo - one source of certificates
How to make a pfx

Allowing Private Accounts on Managed Chromebooks

We run a 1:1 scheme where parents have the option to buy a Chromebook. However, to make things run smoothly we have always insisted that the Chromebooks are managed and only domain accounts can be used. For some parents, this has been a barrier to buying as it prevents them from using a device they have paid for. That has now all changed with the introduction of timed access to private accounts and guest mode.
In device settings, you can now specify times that a Chromebook can have sign-in restrictions lifted. To keep things secure, you must always sign-in and out with a domain account for this to be visible. We have offered this to guardians where they have paid for a Chromebook and have had a high takeup so far. The settings we use are:
Demo of what it looks like:

Pixel from ChromeOS to Ubuntu 18 04

To install Ubuntu 18.04 I followed my own blog post (but used a Ubuntu 18.04 boot stick instead):

To set the custom resolutions I followed this guide:

My settings are:

xrandr --newmode "1280x850_60.00"   88.75  1280 1352 1480 1680  850 853 863 883 -hsync +vsync

xrandr --newmode "1536x1020_60.00"  129.75  1536 1632 1792 2048  1020 1023 1033 1058 -hsync +vsync

xrandr --addmode eDP-1 1280x850_60.00

xrandr --addmode eDP-1 1536x1020_60.00

To map the top row of keys I used these instructions:

How to beat ChromeOS EOL and carry on getting updates

ChromeOS devices are great in loads of ways, but they have built-in obsolescence. Google will stop providing updates at a predetermined time according to the schedule you can find here. So the best you will achieve is 6.5 year if you buy the device on the launch day. In reality, it will be generally much less. It's something to watch as a good deal might not be such a good deal if the device only has two years left.

Once a device reaches its "due" date, you get a red pop up telling you its time to update every time you log in. The update section tells you there are no more updates. Now the device will work fine - for a while. You might get another 6 months use out of it before core services like Gmail stop working. However, if you are prepared to do a little work, you can install the OS of your choice onto the device and carry on using the device and not accept this. If you want ChromeOS, then you can install Cloudready from Neverware. I'll outline the basic steps be…

Macros in Google Sheets - a quick look.

New Directory Settings in the G Suite Admin Console

Quick demo of the latest version of the JamBoard App on ChromeOS

JamBoard is rapidly becoming my go-to "whiteboard" type app on ChromeOS. The latest update means your "Jam" file send up in Drive which allows you to preview and organise them.

Preview in a browser
Quick demo on ChromeOS

Kapwing online video editor

Switching from Windows 10 to Ubuntu 17.10

How to lock down API access on your G Suite Domain by Whitelisting

In the G Suite Management Console, there is an important setting that allows you to whitelist the apps that have API access to your domain. I'd recommend doing this to safeguard your data and prevent malicious apps doing bad things! Quick video guide below:

How to lock down who can use Chrome on Windows via Group Policy

You can restrict the use of Chrome to only the accounts you want to use it by enforcing a few group policies. The most recent of these is to force users to sign into Chrome. However, this policy need others to make it effective. Below are the ones I use.

Firstly - force users to sign in to Chrome

Make sure they can only use a domain account

Make sure they cannot use accounts you don't want them using in G Suite services

Disable incognito mode

Disable guest mode
Disable add user (might not want to use this for a staff account as they may need to use more than one account)
With this combination of policies, your users are locked down to their G Suite account and cannot do anything about it. Quick video on what it looks like:

Quick look at the ClearOS Egress Firewall config

Just a quick follow up to my video from a while ago about using ClearOS at a gateway server. One of the things I did not cover was the Egress Firewall app, which is an important part or securing your network.