Student Accounts beta testing

The tech team is working on implementing student accounts for Mac workstations. At present, all students log into a computer using a generic username and password. The main issue with this process is that all users have access to all files in the account, which allows students to delete files other than their own.

The solution is to use a separate directory service that has all user accounts, adult and student, and use this service for authentication. We used to do this using Apple’s Open Directory service and it worked pretty well for several years. However, Apple stopped supporting enterprise applications such as directory service, asking their users to use other tools such as ActiveDirectory or OpenLDAP. In addition, serving student home folders over the wifi was more than the Apple file servers could handle, and there was a limit of 100 users we routinely exceeded. However, we still use the Apple Open Directory service for our staff wifi access.

Over the last year, we have been experimenting with a Linux based, cloud served OpenLDAP server. This server currently manages our print accounts. The tech team is experimenting at the high school with implementing this authentication server for our student Macs.

The new system will allow a student to log in on any Mac, at any connected campus, using the same password. However, any files created on that Mac will stay on that device, unless manually moved to the student’s Drive account or to an external device, such as a USB. We do not expect to support student remote home folders any time soon.

In addition, we will need to set up an email based password change system so students can manage their directory account passwords.

Therefore, students will need to use the same computer each time if they want to use the file stored on that computer. This will require students adhere to seating charts and to manually back up their files. The advantage is that students can work on large files, such as videos, without worry of other students damaging their files using a common log in. In addition, students will have access to classroom printing with a managed quota and print logging.

Password security and logging in and out of one’s account will also be critical for this process to be successful.

We hope to migrate our wifi authentication to this directory service by the end of summer.

The long term goal will be to authenticate our Google accounts to this directory service, so that students will need one fewer password to remember, and can keep their accounts secure.

Man GIF - Find & Share on GIPHY

Planned changes in April

We will be spending the next month ensuring that as many student machines are ready for state testing, by spot checking each classroom. Please test the CaSecureBrowser on your student machines. The software should say “Version 9.0” when it opens. Please also review the steps to disable Mission Control / Launchpad (System Preferences / Keyboard Shortcuts< uncheck all Mission Control and Launchpad shortcuts).

The student websites server configuration has been further improved, allowing unlimited uploads (10mb at a time) and reduce costs by dynamically creating the server at 6am each school day and destroying it at 6pm each school evening. This eliminates the server and hard drives costs when the server is not in use. The two school site servers have been combined into one server, which further reduces costs. The school server is also in a load balancing and autoscaling group that will spin up and destroy additional servers as necessary. This morning’s load test was very satisfactory, as the site handled 600 concurrent connections without breaking a sweat. I look forward to more student presentations of learning.

We are also beginning the budgeting process for next year, with an eye towards replacing the remaining white Macbooks, and MacBook Pros older than 5 years.

We are also working to develop the use of Slack as the preferred communication method, in order to increase transparency and speed of the organization’s decision making processes.

The tech team has implemented a “bug bounty” to encourage students to report issues with the content filter, as well as any “hacks” that allow them to defeat the filter, so we can fix them. I really appreciate that students are taking steps to “be safe” and “be responsible” using technology by helping us identify and solve problems. The form is available here, please feel free to publicize it in your classroom.

Enjoy your spring break!