Google Apps & Chromebooks for Education: Deployment Best Practices
February 3, 2016
Edward Doan @edwardd / google.com/+edwarddoan

Topics
- Google Apps for Education
- Chromebooks for Education
- Chrome Device Management
Google Apps Configuration
Google confidential. Do not distribute.
Domains & Organization Units
Google Apps Account: company.com
- Primary Domain: company.com
- Domain Alias: company.co.uk
- Secondary Domain: subsidiary.com
User Accounts & Nicknames (as shown in the diagram): bob@company.com, robert@company.co.uk, bob@subsidiary.com, jane@company.com, jane@company.co.uk
Recommended OU Structure
How Google Apps Directory Sync Works
Google Apps Directory Sync is a one-way sync:
1. Queries your LDAP server
2. Queries your Google Apps account
3. Compares the two lists and generates a list of changes
4. Updates Google Apps to match your LDAP settings
Diagram labels: Directory Sync runs inside your firewall; LDAP queries and responses go to your own server (port 389); updates to Google Apps (customer data: email accounts) go out over SSL.

Google Apps Directory Sync Tool
- Synchronizes your Google Apps user accounts to match the user data in your LDAP server.
- Supports sophisticated rules for custom mapping of users, groups, non-employee contacts, rich user profiles, aliases, calendar resources, and exceptions.
- Performs a one-way synchronization. Data on your LDAP server is never updated or altered.
- Runs as a utility in your server environment. No machine outside your perimeter accesses your LDAP directory server data.
- Ability to test your sync before deployment.
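The four sync steps and the "one-way, LDAP is never altered" property described above, as an added example in Python. This is not the GADS tool's own code; the user records, the exclusion rule (local parts starting with `svc-`) and the deletion cap in `apply_plan` are constructed for the example. The cap models the safeguard a practitioner wants before trusting a sync in production: a mis-scoped or empty LDAP query must not turn into mass account deletion.

```python
"""Added example, not the Google Apps Directory Sync tool's own code.
Models the one-way sync the slides describe: LDAP is the source of truth
and is never written to; the plan says how Google Apps must change to
match it. Sample users, the exclusion rule and the deletion cap are
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    email: str
    given_name: str
    family_name: str
    org_unit: str


# Constructed stand-in for the LDAP query result (step 1).
LDAP_USERS = [
    User("bob@company.com", "Bob", "Smith", "/Students/Lincoln High"),
    User("jane@company.com", "Jane", "Doe", "/Staff/Lincoln High"),
    User("svc-backup@company.com", "Backup", "Service", "/ServiceAccounts"),
]

# Constructed stand-in for the Google Apps account query (step 2).
GOOGLE_USERS = [
    User("bob@company.com", "Bob", "Smith", "/Students"),
    User("old.user@company.com", "Old", "User", "/Staff"),
]

# Constructed exclusion rule: local parts with these prefixes never sync.
EXCLUDE_PREFIXES = ("svc-",)


class TooManyDeletions(Exception):
    """Raised when a plan would remove more accounts than the cap allows."""


def plan_changes(ldap_users, google_users, exclude_prefixes=EXCLUDE_PREFIXES):
    """Step 3: compare the two lists and return the changes needed so that
    Google Apps matches LDAP. Neither input list is modified."""
    ldap_by_email = {
        u.email: u for u in ldap_users
        if not u.email.split("@", 1)[0].startswith(exclude_prefixes)
    }
    google_by_email = {u.email: u for u in google_users}
    return {
        "create": [u for e, u in ldap_by_email.items() if e not in google_by_email],
        "update": [u for e, u in ldap_by_email.items()
                   if e in google_by_email and google_by_email[e] != u],
        "delete": [u for e, u in google_by_email.items() if e not in ldap_by_email],
    }


def is_plan_safe(plan, google_users, max_delete_fraction=0.1):
    """Safeguard added here (not a claim about the real tool): refuse a plan
    that deletes more than the given fraction of existing accounts."""
    if not google_users:
        return True
    return len(plan["delete"]) / len(google_users) <= max_delete_fraction


def apply_plan(plan, google_users, max_delete_fraction=0.1):
    """Step 4: return the Google Apps user list after applying the plan."""
    if not is_plan_safe(plan, google_users, max_delete_fraction):
        raise TooManyDeletions(
            f"{len(plan['delete'])} of {len(google_users)} accounts would be deleted")
    deleted = {u.email for u in plan["delete"]}
    updated = {u.email: u for u in plan["update"]}
    kept = [updated.get(u.email, u) for u in google_users if u.email not in deleted]
    return kept + list(plan["create"])


if __name__ == "__main__":
    plan = plan_changes(LDAP_USERS, GOOGLE_USERS)
    for action, users in plan.items():          # "test your sync": show the plan first
        print(action, [u.email for u in users])
    after = apply_plan(plan, GOOGLE_USERS, max_delete_fraction=0.5)
    print(sorted(u.email for u in after))
```

Run it once with the plan printed and no apply step to reproduce the "test before deployment" workflow; the sample plan deletes half of the existing accounts, so with the default 10% cap `apply_plan` refuses and you must raise the cap deliberately.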
Google Apps Directory Sync Tool
Google Apps Password Sync
- Installs on each domain controller in your environment
- Enable the provisioning API
- The user's mail attribute must be populated with the same email address used for the user's Google Account
- All passwords must be reset once installed before they will sync to Google Apps
Key Lessons
- OU structure needs to support service and policy settings, e.g. OUs broken down per school rather than Staff/Students.
- Provisioning methods need to provide granular structure or groups.
- Use GADS to translate to a supportive structure.
- Have an effective account life cycle process.
Google Groups Best Practices
Naming
- Group names do not support symbols or special characters
- Display name should be descriptive of the actual group use
User Managed Groups
- Allow all employees to create and manage groups available to domain users
- For large organizations, Google recommends disabling user managed groups
Provisioning
- All groups are provisioned with a specific set of access rights and features
- True of all groups created manually, via API or GADS
- Use the Groups Settings API to change required settings in bulk
Coexistence
- Core IT and Early Adopter phases should be thought of as coexistence
- Ensure all groups are set up correctly in the legacy system during migration
Mail Routing
- Starting with the Early Adopter phase, all mail should be routed via Google
- When MX records are pointed at Google and groups are provisioned, mail cannot easily be routed to the legacy system. Google does not recommend this configuration.
Provisioning Automation Tools
- Google Apps Directory Sync: LDAP mapping to Google Apps
- Google Apps School Directory Sync: great for syncing groups
- Google Apps Password Sync: Active Directory password sync
- Google Apps Manager: easy access to APIs
- Clever: SIS sync
Networking & Mail Routing
Enterprise Network Topology Comparison
Moving from a traditional enterprise network topology (remote-site router over MPLS to a hub-site router and proxy, then out to the Internet) to a cloud-friendly network (localized network services with a local egress point to the Internet over http:80 and https:443, alongside centralized network services).
Mail Routing: Early Adopter Co-existence
Diagram elements: External Sender; Gmail MX Record; Existing AV / SPAM / DLP (if part of legacy architecture); Routing Rules; Legacy / Unknown Users; Legacy Mail Server; Shadow Domain gmail.yourdomain.com; Gmail.
Flows shown: Inbound, Intra-domain, Outbound.

Mail Routing: Go-Live
Diagram elements: External Sender; Gmail MX Record; Routing Rules; Unknown Users; Legacy Mail Server; Gmail.
Flows shown: Inbound, Outbound.
Anti-Spam: Sender Policy Framework (SPF)
SPF Records
- DNS records identifying mail servers permitted to send on behalf of a domain
- Google highly recommends implementation for all Google Apps customers
- DNS TXT record = "v=spf1 include:_spf.google.com ~all"
- Google uses SPF records to determine if messages come from authorized senders
Intra-domain mail: SPF records will help ensure your intra-domain mail is not misclassified as spam.
Outbound mail: The recipient's message security device can refer to your domain's SPF record to determine if the message comes from an authorized mail server.
Inbound mail: Google Apps will refer to the sending domain's SPF records to determine if the message comes from an authorized mail server.

Anti-spam: DomainKeys Identified Mail (DKIM)
- DKIM is a mail validation system designed to detect email spoofing
- Validates that incoming mail is authorized by the sending domain's administrators
- Adds a digital signature to mail message headers sent from your domain
Benefits
- Signing improves spoofing protection for your domain
- Important: do not use if you route mail through an outbound gateway that modifies messages (e.g. a DLP device that changes the header or body)
Action Items
- Generate a domain key for your domain
- Add the domain key to your domain's DNS records
- Turn on authentication in the Advanced Tools section of the Admin Console
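Two checks that follow from the SPF and DKIM slides above, as an added Python example (not Google's code). `check_google_spf` parses an SPF TXT record and reports whether it carries the `include:_spf.google.com` entry and a meaningful `all` qualifier; `dkim_body_hash` computes the DKIM `bh=` value with RFC 6376 "simple" body canonicalization so you can see why an outbound gateway that edits the body (the DLP case the slide warns about) makes the signature fail. The SPF records and message bodies are constructed.

```python
"""Added example, not Google's code. Two checks for the SPF and DKIM
points above: validate an SPF TXT record for a Google Apps domain, and
show why a gateway that edits the message breaks the DKIM body hash.
The sample records and message bodies are constructed."""
import base64
import hashlib

GOOGLE_SPF_INCLUDE = "_spf.google.com"


def parse_spf(txt):
    """Split an SPF TXT record into its include targets and the qualifier
    on the 'all' mechanism ('+', '-', '~' or '?'; None if absent)."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    includes, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208 default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        lower = term.lower()
        if lower.startswith("include:"):
            includes.append(lower.split(":", 1)[1])
        elif lower == "all":
            all_qualifier = qualifier
    return {"includes": includes, "all": all_qualifier}


def check_google_spf(txt):
    """Return a list of findings; an empty list means the record looks
    right for a domain that sends through Google Apps."""
    info = parse_spf(txt)
    findings = []
    if GOOGLE_SPF_INCLUDE not in info["includes"]:
        findings.append("missing include:_spf.google.com; mail sent via Google will fail SPF")
    if info["all"] is None:
        findings.append("no 'all' mechanism; unknown senders get no verdict")
    elif info["all"] == "+":
        findings.append("+all authorizes every host; the record gives no protection")
    return findings


def dkim_body_hash(body):
    """bh= value under DKIM 'simple' body canonicalization (RFC 6376 3.4.3):
    CRLF line endings, trailing empty lines dropped, one CRLF at the end."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    canonical = "\r\n".join(lines) + "\r\n"
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed message body as signed by Gmail, and the same body after a
# DLP gateway appends a footer on the way out.
SIGNED_BODY = "Report cards are posted in the parent portal.\r\n"
GATEWAY_BODY = SIGNED_BODY + "\r\nScanned by the district DLP gateway.\r\n"


def gateway_breaks_signature(signed=SIGNED_BODY, modified=GATEWAY_BODY):
    """True when the body hash the signer computed no longer matches what
    the recipient sees, i.e. the DKIM signature will fail to verify."""
    return dkim_body_hash(signed) != dkim_body_hash(modified)


if __name__ == "__main__":
    print(check_google_spf("v=spf1 include:_spf.google.com ~all"))   # []
    print(check_google_spf("v=spf1 ip4:203.0.113.0/24 -all"))
    print("gateway breaks DKIM:", gateway_breaks_signature())
```

Feed `check_google_spf` the TXT record you actually publish (for example the output of `dig TXT yourdomain.com`); a record that still only lists the legacy mail server's address range is the common migration-time mistake this catches.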
Migration
Let's make a long-term coexistence, they said. It would be fun, they said.
Google Apps Migration for Microsoft Exchange (GAMME)
You can migrate email, contacts, calendar, and Public Folder data from on-premises and hosted Microsoft Exchange to Google Apps, whether you have just a few users or tens of thousands. You can also migrate data from PST files and email from IMAP servers (Novell GroupWise, Cyrus, Dovecot, Courier, SunMail, Zimbra and Gmail) using this tool.
Link to Tool

Google Apps Data Migration Service
- Migrate email, contacts, and calendar data from Microsoft Exchange or IMAP hosts.
- Entirely cloud-based; no on-premises migration server.
- Also migrates from another Google Apps domain.
Link to Tool
Chromebooks for Education
Chromebooks: Best-selling device in K-12 education
- 69% less labor to deploy
- 82% less teacher time spent troubleshooting
- 91% less labor to support
- 0 hours addressing virus issues
Source: IDC white paper, Quantifying the Economic Value of Chromebooks for K-12 Education (updated April 2013)
Chrome OS Device Formats bit.ly/chrometimeline
Student Assessments http://tea.texas.gov/workarea/downloadasset.aspx?id=25769824862
Essential Third-Party Tools
- chromebookinventory Add-on: allows you to export and bulk update the key metadata and org units of your managed Chrome devices via a Google Sheet. bit.ly/cbinventory
- An Edu-focused Google Apps consultancy group based in VA (vendor shown by logo on the slide). They work with the EdTechTeam to host Google Apps for Education Summits and GAfE technical retreats throughout the world. Check out their GAfE Audit.
- Chromebook monitoring, filtering, and anti-theft for schools (vendor shown by logo on the slide). Usage insights and analytics help schools better understand how their technology is being used, so they can positively influence student behavior.

Be on the lookout for...
- Cloudready replaces Windows/Mac OS X with a customized version of Chromium OS, transforming your old computer into a fast, reliable, and easy-to-manage Chrome experience.
- ASUS Chromebook Flip is a convertible touch Chromebook.
- The Chrome app ecosystem is growing, too: Android developers can now port their apps to Chrome.
- SIS integration with Classroom: admins can provision and populate classes on behalf of their teachers, sync the SIS with Classroom, and get basic visibility into classes being taught in their domain. Check out Rostersync.
Chrome Devices and Management
Chrome User Settings Best Practice
- Set granular policies by OU
- Pre-install apps
- Set default pages to load on startup
- Assign bookmarks
- URL blacklist

Chrome Extensions & Apps Best Practice
- Pre-install apps per OU
- Block apps & extensions
- Recommend apps

Chrome Device Settings Best Practice
- Restrict sign-in to *@myschool.edu
- Forced re-enrollment
- Assign printers
- Recent activity reporting
- Set up Kiosk Mode

Chrome Device Management Best Practice
- Assigned owner & location
- Track usage
- Activation & update status
- bit.ly/cbinventory

Have you also thought about?
- Admin Console configuration (Security, Compliance, Services)
- Wireless coverage
- Legacy applications
- School policies
- Insurance cases
Chromebox for signage
A more affordable and reliable platform for sharing information and content to remote screens.
- Secure: a variety of security features work together to help keep each device free from unwanted tampering
- Affordable: less expensive to buy, deploy and support than other media players
- Flexible: growing ecosystem and support for a wide range of hardware, peripherals and applications
- Manageable: manage one or thousands of devices from one browser-based console

Chrome for kiosks
Give your administration or visitors the tools and information they need. Administer secure online student assessments such as state standardized tests from PARCC & Smarter Balanced.
Flexible / Affordable / Manageable
- Low TCO
- Manage all devices from a single location
- Set up and get started in minutes
- Provide fresh, localized content and differentiated experiences, and develop any kind of app for Chrome OS
- Create single-use (e.g. check-in) and multiple-use (e.g. libraries) kiosks
- Update functionality and content in seconds
Questions?