Managed Chromebook limit to only 1 user login


Buddy Pride, Ed.D.

Apr 16, 2013, 4:12:49 PM
to k12ap...@googlegroups.com
I've heard there is a way to assign a Chromebook 1 user login such as a student and lock it down so only that student and the GAFE admin account can log in. I've searched high and low and cannot seem to find where to do that. Has anyone done this and can you tell me how?

Matthew A. Peskay

Apr 16, 2013, 4:26:48 PM
to Buddy Pride, Ed.D., Google Apps K12 Technical Forum
It's in the 'Device Settings' section of the Chrome Settings in the 'Settings' tab of your Control Panel.

Steps in Control Panel

1) Create new OU ("Test")
2) Move chromebook device into the new "Test" OU (from the 'Devices' tab)
3) Go to Settings tab
4) Select 'Chrome' under the 'services'
5) Select the 'Device Settings' tab
6) In the 'Organizations' section, drill down until you can select your "Test" OU
7) Locate the 'Sign-in Restriction' section of the policy
8) Enter the list of users who you want to allow access to the device
9) Save your settings and test

All my best,
Matthew



Buddy Pride, Ed.D.

Apr 17, 2013, 3:17:36 PM
to k12ap...@googlegroups.com, Buddy Pride, Ed.D.
So in order to lock down 1 Chromebook to 1 user, I have to create an OU for each user and set the policy for that OU to 1 user name???  I don't think I really want to do that for 850 units.  Is there any other way to do this??

Matthew A. Peskay

Apr 17, 2013, 3:42:45 PM
to Buddy Pride, Ed.D., Google Apps K12 Technical Forum
Yeah, I think that's the only way. I'm not quite sure why you'd want to lock them down this way. My guess is that functionality is more to ensure that a specific set of users can access a specific set of chromebooks but prevent other users from logging in. Not to assign a specific Chromebook to a specific user. I can understand some specific cases where you'd want to lock down a few specific devices to a few specific students, but I'm not sure why you'd want to do that for all students. I was just answering your question....

What's your GOAL here?  What is it you're hoping to achieve with tying student accounts to one specific device?



All my best,
Matthew

Buddy Pride, Ed.D.

Apr 17, 2013, 3:57:52 PM
to k12ap...@googlegroups.com, Buddy Pride, Ed.D.
First, thanks for replying. So we are going to be implementing 1:1 Chromebooks grades 2 - 12. We wanted to assign each Chromebook to 1 student and lock it down so only that student could log in. The idea is that if only 1 person could log into it (besides the tech dept), it would be less attractive to steal if no one else could ever use it. Our administration is very concerned about the Chromebooks being stolen.

It was mentioned at the IL Google Apps Summit that this could be done, but I haven't been able to figure out how.

Matthew A. Peskay

Apr 17, 2013, 3:59:13 PM
to Buddy Pride, Ed.D., Google Apps K12 Technical Forum
I replied to Buddy but I'm reposting for the group to foster more conversation.


Just thinking this through - you've got two situations I can think of where a chromebook will be stolen:

1) An outsider steals chromebook
In this situation, there is no indication to the outsider that the Chromebook is locked down to prevent others from logging on. They are going to steal it, take it somewhere, open it up and not be able to log on and then either throw it away or post it on eBay or do something else with it. You've already lost the chromebook by the time they figure out they can't use it for anything.

You could get this same functionality by just locking down the chromebooks to prevent guest mode access and only allow users from your domain to log on to all your enrolled chromebooks. However, this would not prevent students from stealing each other's chromebooks.

2) Student steals another student's laptop
Besides the obvious issues here, I think an easy solution to this would be to have each student design a little stick-on graphic that they can affix to the lid of their assigned Chromebooks. Just a nice big visible indicator that would be impossible to forge (customized by each kid) and obvious if tampered with (if you see a chromebook without the sticker, something is fishy!)

All you would really have to do is document which chromebooks are assigned to each student (you can even do that within the Google Control Panel from the 'devices' tab, just click on a device and then enter the student assigned to the device in the 'User' field - this doesn't affect anything, it's just a note).

Then, if you ever had a complaint you can just grab the chromebook, look it up in the control panel via MEID and see what student it is supposed to be assigned to.


What do you think?



All my best,
Matthew
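
Added example, not part of the original thread or of any poster's message: a small audit that uses the recorded assignment described above (the 'User' note on each device) to flag Chromebooks that someone other than the assigned student has signed in to. The field names `serialNumber`, `annotatedUser` and `recentUsers` follow the Admin SDK Directory API's Chrome OS device records; the device records, the `school.example` domain and the tech account are constructed for illustration, and the lookup is keyed by serial number rather than MEID.

```python
"""Audit enrolled Chromebooks against the student recorded in the 'User' field."""

# Constructed sample records, shaped like Directory API Chrome OS device entries.
DEVICES = [
    {"serialNumber": "SN-0001", "annotatedUser": "alice@school.example",
     "recentUsers": [{"email": "alice@school.example"}]},
    {"serialNumber": "SN-0002", "annotatedUser": "bob@school.example",
     "recentUsers": [{"email": "bob@school.example"},
                     {"email": "carol@school.example"}]},
    {"serialNumber": "SN-0003", "annotatedUser": "", "recentUsers": []},
    {"serialNumber": "SN-0004", "annotatedUser": "Dave@school.example",
     "recentUsers": [{"email": "techdept@school.example"},
                     {"email": "dave@school.example"}]},
]

# Hypothetical tech-department account that may sign in to any device.
TECH_ACCOUNTS = {"techdept@school.example"}


def audit_device(device, staff=TECH_ACCOUNTS):
    """Return a list of findings for one device record (empty if clean)."""
    findings = []
    owner = (device.get("annotatedUser") or "").strip().lower()
    if not owner:
        # Without a recorded assignment there is nothing to compare against.
        return ["no assigned user recorded"]
    for user in device.get("recentUsers", []):
        email = (user.get("email") or "").strip().lower()
        if email and email != owner and email not in staff:
            findings.append(f"sign-in by {email}, not the assigned user")
    return findings


def audit(devices):
    """Map serial number -> findings, listing only devices with findings."""
    report = {}
    for device in devices:
        findings = audit_device(device)
        if findings:
            report[device["serialNumber"]] = findings
    return report


if __name__ == "__main__":
    for serial, findings in audit(DEVICES).items():
        print(serial, "; ".join(findings))
```
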



Melissa Benson

Apr 17, 2013, 4:03:23 PM
to Matthew A. Peskay, Buddy Pride, Ed.D., Google Apps K12 Technical Forum
Keep in mind that anyone can wipe/restore via USB stick a chromebook and then get the option to use the device in guest mode. Even if guest access is turned off...you still get a blue link to go into guest mode on a fresh device before you enroll. I *really* wish that they will take off the guest ability.
--
Melissa Benson
@mebenson
mebe...@gmail.com
www.melbenson.com

Buddy Pride, Ed.D.

Apr 17, 2013, 4:06:19 PM
to k12ap...@googlegroups.com, Buddy Pride, Ed.D.
Those are good suggestions.  I already locked down the ones we have so that you can only log in to the devices with a username from our domain, which should make it useless for anyone else to use.

We also had the idea of putting a label with the student's name on each Chromebook  so it's more obvious who should be using that Chromebook, which in most cases should deter theft.

In the case of the more crafty older junior high and high school students, I was hoping to be able to lock it down even more and if this was easy to do, sounded like the best way to deter theft.  

Buddy Pride, Ed.D.

Apr 17, 2013, 4:08:02 PM
to k12ap...@googlegroups.com, Matthew A. Peskay, Buddy Pride, Ed.D.
I knew that the device would still be managed even if they used a USB to reinstall, but did not realize the Guest mode was still available even if it's supposed to be turned off.  Hmmmmm.... I hope we can find a way around that.

Matthew A. Peskay

Apr 17, 2013, 4:09:14 PM
to Buddy Pride, Ed.D., Google Apps K12 Technical Forum
I don't believe that a device is automatically re-enrolled if it is wiped.  I believe you need to manually re-enroll the device.

Anyone have a firm answer on this?


All my best,
Matthew

Jaymon Lefebvre

Apr 17, 2013, 4:10:22 PM
to Matthew A. Peskay, Buddy Pride, Ed.D., Google Apps K12 Technical Forum
Depends if auto enroll is enabled in GAFE dashboard for that unit or not, and if that unit is in the device inventory.

Melissa Benson

Apr 17, 2013, 4:10:50 PM
to Matthew A. Peskay, Buddy Pride, Ed.D., Google Apps K12 Technical Forum
If a machine is wiped it is my understanding that it is NOT still enrolled.

Matthew A. Peskay

Apr 17, 2013, 4:10:55 PM
to Buddy Pride, Ed.D., Google Apps K12 Technical Forum
I think this says that you have to re-enroll a device after wiping it - so stealing a chromebook and wiping it gives you an un-managed, un-recoverable chromebook.  Happy birthday.

All my best,
Matthew

Matthew A. Peskay

Apr 17, 2013, 4:11:11 PM
to Buddy Pride, Ed.D., Google Apps K12 Technical Forum

Matthew A. Peskay

Apr 17, 2013, 4:12:24 PM
to Jaymon Lefebvre, Buddy Pride, Ed.D., Google Apps K12 Technical Forum
We've had auto-enroll turned on from day 1 and I don't think I've ever had a device actually automatically enroll.  We've always had to manually perform the enrollment every time we wipe a CB.  Maybe it works for others, but not for us.

All my best,
Matthew

Matthew A. Peskay

Apr 17, 2013, 4:15:26 PM
to Jaymon Lefebvre, Buddy Pride, Ed.D., Google Apps K12 Technical Forum
Here's the auto-enroll info:

We're covered under the first bullet in the 'Notes' section... :(


Automatic enrollment

To enable automatic enrollment, in the Admin panel, go to Settings > Chrome > Device Settings, and make sure the setting Enroll Devices Automatically is set to Allow devices to enroll automatically.

Automatic enrollment will enroll a Chrome device the first time a user signs in with their Google Apps username and password, and it requires no additional action from the user. If a user attempts to sign in with a username that's outside of your domain, such as a personal Gmail account, the device shows an alert that says the username is ineligible for use on the device.

Notes about automatic enrollment:
  • While automatic enrollment guides the user with enrolling the device, it shouldn't be used as the only way to enforce enrollment of the devices. If the device doesn’t automatically enroll, follow the instructions above to manually enroll the device.
  • If you need to automatically enroll many devices in your organization, test automatic enrollment with a few devices first before deploying it to all devices in your organization.


All my best,
Matthew

Sean Eisner

Apr 17, 2013, 4:15:40 PM
to Buddy Pride, Ed.D., k12ap...@googlegroups.com
I like the idea of being able to 'lock' the devices to the domain.
Then, all of a sudden, a USB or switch just clears the devices and
then the lock is bypassed. It doesn't take too much googling to figure
out how to bypass the security settings. I wish that the devices could
truly be locked to our domain and not easily reset or bypassed.

Sean

Melissa Benson

Apr 17, 2013, 4:16:25 PM
to Matthew A. Peskay, Jaymon Lefebvre, Buddy Pride, Ed.D., Google Apps K12 Technical Forum
"auto enrollment" just means that anyone who logs into the chromebook for the first time with your domain gets enrolled. Compared to NOT auto enrollment where the user has to do the ctrl + something + E.

Matthew A. Peskay

Apr 17, 2013, 4:07:19 PM
to Melissa Benson, Buddy Pride, Ed.D., Google Apps K12 Technical Forum
Great point Melissa - I didn't even think about that. Buddy, I think Melissa has your best argument for not trying to use the control panel to prevent theft.  

You could look at something like 'LaptopLookout' which installed a Chrome-addon tracker, but again if someone plugs in a USB and wipes the device then this product would be worthless.


All my best,
Matthew