"Locking down" Chromebooks?

[Marion Bates]

I guess this post might be more appropriate for a 1:1-focused forum, but I thought I'd start here since it's a tech/management thing and not so much an educational thing.

Next year, we will have a freshmen 1:1 with Chromebooks. We'll have enterprise enrollment on all of them, and a (thus far) fairly light degree of management, in the sense that we're not currently doing any content filtering (yeah, I know) or planning to do much in the way of restricting installation of Chrome extensions. We may end up using Promevo gScholar and its "invisible" extension, mainly for auditing purposes. (I think I will probably also end up blacklisting some Chrome extensions, like this one.) 

Anyway: To my knowledge there is no way to prevent a user from putting the Chromebook into developer mode and thus effectively "escaping" whatever degree of management we're trying to have. My question is, what are other schools doing about this? Is there some way to set up alerting (using whatever 3rd party software, scripts making API calls, paid, free -- anything) such that administrators could receive a notification if a user does this to a school-owned Chromebook? I don't relish the idea of having to manually check gScholar audit logs to detect if 1 of ~200 devices has gone unnaturally quiet.

Along similar lines: Are there tools that can audit the Chrome extensions that a user has installed? We can probably get a good sense of it from the "visited URLs" log that gScholar provides, but it'd be nice to be able to query/audit that info separately.

Thanks,

-- MB

[George Sorrells]

I am with you in regards to not "managing" much. 

There is no way of stopping someone from putting it into developer mode.  A big thing to consider is how you have your wireless network designed.  For example, if you want the chromebooks to connect only to an SSID that is hidden for management and monitoring purposes, the control panel is priceless.  If you configure your guest network to not allow the chromebook fingerprint to connect, you will have the students coming to you very quickly when they can't get an internet connection.

I am looking at an extension called Guardian that lists the chrome extensions, It is free for now...  if gSchollar gives you that it would be a good tool.

George Sorrells 

We shouldn't be teaching technology, we should be using technology to teach!                                          
Director of Technology
Winneconne Community School District 
Learning Today ... Leading Tomorrow

920.582.0911 
Google Apps for Education Certified Trainer
Google Apps Certified Individual

[Elizabeth Shutters]

+1 for Guardian. Just started using it and it provides helpful info in an easy to use interface. They are still working out the kinks, which I believe is why it's free until August. Screenshot attached. You can see which apps users have installed by organization and by individual. http://laptoplookout.com/?r=7495

Thanks,

Beth

Elizabeth Shutters
Roycemore School
Technology Coordinator

[Marion Bates]

Thank you both for the recommendations! Got Guardian just now.

George, I like your idea about using wifi access to discourage tampering, but unfortunately this school has a very relaxed BYOD policy, so it'd be a little complicated (i.e., they could wipe the Chromebook via dev mode, then just connect it to the BYOD network and fly under the radar that way.) I could conquer that by turning off BYOD access for all the freshmen, but then they'd be whining about their phones, etc. and, well...we're all very "special" here.  ;)  

Maybe I can work with our wireless engineer (we have Aruba, purchased through Adaptive Communications out of Portsmouth, +1 to them for being awesome to deal with) to figure out some mechanism whereby we block the MACs of all the Chromebooks from being able to use the BYOD network, or something like that.

Anyway, thanks again. I'm sure I'll be posting here more often in the coming months!   :)

-- MB

[George Sorrells]

I am not sure how Aruba works, as I use a different wireless company.  The MAC address will work, but that is going to be a very labor intensive way to manage.  Ask if they can capture device type.  If so that will be a much easier way to block the chromebooks from your guest network.  The only limitation will be if other students bring in chromebooks as part of BYOD.  

Though if you do have a liberal filtering policy, I wouldn't even worry about it.  I too have a liberal policy, and I have learned that most students won't mess with anything as long as they can get where they want.  My problems with kids messing around with settings has almost disappeared once we adopted a more liberal policy.  

[Andy Emerine]

You can disable developer tools. You can do this in the same place you block apps/extensions. Device management > Chrome management > User Settings > Developer Tools set to "Never allow use of built in developer tools". 

--
--
You received this message because you are subscribed to the Google
Groups "Google Apps K12 Technical Forum" group.
To post to this group, send email to k12ap...@googlegroups.com
To unsubscribe from this group, send email to
k12appstech...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/k12appstech?hl=en?hl=en

---
You received this message because you are subscribed to the Google Groups "Google Apps K12 Technical Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to k12appstech...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Marion Bates]

Hi Andy,

Thanks. I have done that, but I thought that the user could still (with physical access) either flip a hidden switch (older Samsungs) or press a key combo (newer Samsungs, Acers, not sure about others) and still get into dev mode that way. Perhaps I'll have to try it myself.  :)

-- MB

[Elizabeth Shutters]

Marion, you are correct. We have earlier Samsungs, and I have disabled the developer tools in the admin panel, as described by Andy. Our students can indeed flip the developer mode switch and wipe the settings. I would love to prevent this!

In the meantime, what I do when it happens is Deprovision the Chromebook with the admin panel, then change it to Pending. Without wiping it, I've been able to re-enroll it by logging in with a domain account. (This only works if you've enabled devices to enroll automatically in device management, Chrome, Device settings.)

Elizabeth Shutters

Technology Coordinator

Roycemore School

Evanston, Illinois

Twitter: @shnology

[Andy Emerine]

How can students bypass the policy? 

[Elizabeth Shutters]

On our Samsung Series 5 Chromebooks, there is a switch hidden behind a plastic flap on the right side. You can flip this switch with a paperclip, turn on the computer, and see the sad computer face screen. After that, simply pressing Control-D will wipe the machine, no matter what the domain settings are. There are instructions for doing this on any type of Chromebook here: https://support.google.com/chrome/a/answer/1360642. It's meant to be used when you have to re-enroll a machine, but of course, it can be done by anyone anytime.

- Beth

[Jonathan Crosby]

Just for clarification, there are 2 different concepts being discussed here, developer mode and developer tools. The latter is toolset within the Chrome browser used for debugging and web authoring; this can be disabled via the console. The former is a mode that the Chromebook can be put into which bypasses the secure boot features thus allowing for root shell access, etc. Unfortunately there is no way to prevent developer mode from being accessed.

--

[Joel Lowsky]

Sounds to me that this is a human issue rather than a technological issue and should be controlled via policies and rules rather than unreliable tech configurations. As long as the switch or key combination exists, kids wiping the cbs will be a concern. Like smoking in the boys room.

Joel