Can I update the Sign-in Restriction setting in an OU? If so how?

[Jefferson Davis]

Trying to avoid a massive, ongoing, type-by-hand configuration change/update cycle to meet a demand from our administration.

It is desired that we restrict sign-ins on each device to that device's assigned user (which we can obtain via SQL query of our Student Information System), but the only way to do this is by assigning each device to it's own OU.  

So far pseudo code looks like

for each assigned device in SIS {

   check if sub OU exists, if not, create sub OU for the device's assigned user

   move any existing devices from this sub OU to the parent OU

   assign the student's device to the sub OU

   update OU sign-in restrictions (THIS IS THE MISSING PIECE)

}

[Jay Lee]

There's no way to do this. Out of curiosity, why prevent students from using each others devices?

Jay

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/292fc786-fb7c-4292-bec3-314c9a62e3be%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Jefferson Davis]

Thanks for the very fast reply...  

Kids that have not taken care of their own device have swapped with other students, and I suppose more pressing is that it is a need articulated by our administrators, to which there is some merit.

consider this scenario:

• johnny breaks his district-issued chromebook's screen.
  
• johnny switches his broken device for timmy's functional device, without asking or telling timmy or the teacher.
  
• timmy gets initially charged for the repair, and then timmy's device must now be tracked down, which depending on how many layers of "swapping" have been done, could be a very convoluted process
  

Devices become difficult to track by user, and given that a goal is to use the device to teach personal responsibility, preventing this has been presented as a high priority.

If I can find another way to meet this request I'd love to, but that Sign-in Restriction attribute does not seem to be exposed in the API.

[Jay Lee]

I think the best you could do is reporting and monitoring. Use:

gam print cross

To get a csv showing user logins. If recent users.N.email (where N is a number) isn't the owner student then take action (move Chromebook to disabled OU?)

Jay

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/7f6fd04b-6ea1-4fba-ba6c-e29e3b52cfa6%40googlegroups.com.

[Jefferson Davis]

That might fly.  IF I can get interested parties to think outside the box a little.  Great idea at least until Google updates the API and exposes those attributes.  Again, thanks VERY much for the quick reply AND the suggestion.  VERY impressed with GAM.

Karen, what do you think?

[Chris Tenbarge]

This idea could be easier if the student enrolled the device, automatically putting the student's name in the device notes. A python script could go through a list of 3000 students in an a couple of hours without the need for SIS export files.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail and should destroy all copies of this e-mail.

[James Hatz]

I would always verify serial numbers of devices to student assigned before I would even think of sending a letter - thats the most straight forward and non convoluted process I can think of.  We checkout a device to each student and the information is recorded as part of the checkout process.  We are putting everything into our Media Center database. 

[Jefferson Davis]

James, do have any docs for your process?  Our roll-out was done in a very rushed manner ("let's get those devices in our student's hands ASAP!") with little opportunity for proper planning, and now were are in this position.

Perhaps your model would work better.  We are using CDWG's "white glove" service which covers enrollment, but once enrolled we see no way of doing any of this on the device, and the idea of having an OU for each device seems unnecessarily complex.

[Jefferson Davis]

We already have this in the SIS, and a working PERL script to pull the data and run ./gam.py to make changes, create OUs, etc.

[James Hatz]

Hi Jefferson, nothing in writing - all in my head :)  

What will make this a lot easier for you - in my mind - I think... if you have access to a bar code scanner (steal one from your media center - they won't miss it lol). 

So - with usb bar code scanner in hand - first get a list of all students in a spreadsheet - either Google/Excel/Open Office etc..  

Make a column heading for Serial Number - then finding the students name - scan the barcoded serial number right into your spreadsheet. This is not only faster than typing - but eliminates typo's - just make sure you are entering the scan in the right row. I also scan our Asset ID bar codes into the same spreadsheet.  Once I have all this - I import it into my Access database - just in case I need to do queries or something fancy like that with the data. 

Another thing I do is for each Chromebook listed in our domain (talking in the Google Admin console) - under notes - I hand type in our Asset ID numbers.  Much shorter and easier to find based on this later than hunting through serial numbers where often times only one character is different.  Then when anyone calls with an issue - I look up the number in the Notes column and go from there.  

What will be new next year - is we are going to do this same type of thing in our Media Center book checkout program.  Each student will go through the media center and check out their chromebook like a book.  Its going to take some time to get our inventory in this system - but feel it will make things that much easier later. I'm still going to keep my system of using a spreadsheet for when I receive new chromebooks - its good to have an inventory I can look at whenever without bothering the Media Specialist for a report.   We could import my spreadsheets into the system as csv files.. but only if we pay the software company to do it - we found its cheaper to do it manually. 

Anyway - hope this is of some help to you. 

[Kevin Peck]

I realize I'm reviving an old thread, but out of curiosity, does anyone know if this is still a no go.  I'm in a similar situation where I don't want to manually update a sign in restriction list every time I get a new student.

On Monday, June 1, 2015 at 2:53:59 PM UTC-4, Jay Lee wrote:

There's no way to do this. Out of curiosity, why prevent students from using each others devices?

Jay

On Jun 1, 2015 2:50 PM, "Jefferson Davis" <jda...@standardschools.net> wrote:

Trying to avoid a massive, ongoing, type-by-hand configuration change/update cycle to meet a demand from our administration.

It is desired that we restrict sign-ins on each device to that device's assigned user (which we can obtain via SQL query of our Student Information System), but the only way to do this is by assigning each device to it's own OU.  

So far pseudo code looks like

for each assigned device in SIS {

   check if sub OU exists, if not, create sub OU for the device's assigned user

   move any existing devices from this sub OU to the parent OU

   assign the student's device to the sub OU

   update OU sign-in restrictions (THIS IS THE MISSING PIECE)

}

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.

To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.

[+KimNilsson]

Not possible, and probably never will.

A Chromebook is built as a multi-user device.