Pushing Microsoft Interactive Classroom

The Microsoft Interactive Classroom is a nifty tool for teachers to share their PowerPoint presentation with students running OneNote.

“With Microsoft Interactive Classroom, students participate like never before while staying up-to-speed on instructor notes. It gives educators the power to add in-class polling and to share lessons over a wireless network. If a teacher updates a presentation, students capture the notes in real-time via Microsoft OneNote.”

Our staff trainer presented this to the teachers last night, and with 460 student netbooks on campus and another 320 coming in December, it should get a bit of use.

We extracted the files from ICSetup.exe and used Altiris to push the InteractiveClassroom_O14.en-US_x86.MSI silently to our staff tablets and student netbooks. PowerPoint and OneNote gain an Academic menu which in PowerPoint is used to start a shared preso, and in OneNote is used to connect to the preso.

Even though we have separate VLANs for staff and students, it was easy to get the machines talking to each other over the network. Most traffic seems to be over port 80, which is what we have allowed. The only restriction is that students have to manually enter the name of the staff machine to join the session.

Sonicwall’s Application Firewall and blocking BitTorrent

We've just updated the firmware on our NSA 4500 to 5.5.2.0-3o and have started playing with the Application Firewall and DPI-SSL (Deep Packet Inspection of SSL traffic). The NSA 4500 is a Layer 7 firewall, and the application firewall feature lets you do some pretty tricky filtering. We've noticed that some of the student machines coming in for repair have BitTorrent clients installed. At the moment that sort of traffic is blocked by our ISA firewall/proxy, which is the gateway for the Student Netbook VLAN, but we want to remove that over the next few months because it causes a bottleneck for heavy traffic, like heavy ClickView use. When we remove ISA we can either use the SonicWall or ACL rules on the ProCurve 5400 (or both) to filter the traffic between the netbooks and the rest of the world. After the firmware update, with the addition of DPI-SSL, it seemed like a good chance to see how good the filtering was on the NSA 4500.

Before creating the new application firewall policy, I had to create an object for the BitTorrent traffic. The SonicWall has an IDP category for all P2P traffic which has signatures for many P2P applications. You can block traffic for particular applications, e.g. only block Azureus and allow other BitTorrent clients.


With the Application object defined, we can create the policy. In this case we wanted to stop all BitTorrent traffic; however, it's possible to exclude addresses and/or users, which would be handy with the SSO. The rule will look for any traffic deemed to be P2P going through the SonicWall and will drop the packets. Nice and easy.


Any requests that match the rule are blocked and can be checked in the log view, which can be filtered by application firewall.


Setting up uTorrent on a test machine and queuing up some files showed that the rule was working properly and not allowing any traffic to get through. The SonicWall not only blocked the file transfer but also the attempts to look for other peers etc.
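The log view is where the blocked attempts show up, and a quick way to turn that into a list of netbooks worth pulling in for a look is to count drops per source address. The following is an added Python example, not anything from the post or from SonicWall: the log lines are constructed in a generic key=value syslog style, and the field names, message text and addresses are assumptions rather than the firewall's real log format.

```python
import re
from collections import Counter

# Constructed sample log lines in a key=value syslog style. The field names,
# message text and addresses are assumptions for this example, not the
# firewall's own log format.
SAMPLE_LOG = """\
time="2009-11-10 10:02:11" pri=1 msg="Application Firewall Alert: P2P BitTorrent drop" src=10.20.5.17:51413 dst=203.0.113.9:6881 proto=tcp
time="2009-11-10 10:02:12" pri=1 msg="Application Firewall Alert: P2P BitTorrent drop" src=10.20.5.17:51413 dst=198.51.100.4:6881 proto=udp
time="2009-11-10 10:03:40" pri=6 msg="Connection Opened" src=10.20.5.22:4102 dst=192.0.2.10:80 proto=tcp
time="2009-11-10 10:04:01" pri=1 msg="Application Firewall Alert: P2P BitTorrent drop" src=10.20.5.40:6881 dst=203.0.113.77:6881 proto=tcp
this line is not key=value and should be skipped
"""

# key=value pairs; a value is either a double-quoted string or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one key=value line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_p2p_drop(fields: dict) -> bool:
    """True for application-firewall messages that dropped P2P traffic."""
    msg = fields.get("msg", "")
    return "Application Firewall" in msg and "P2P" in msg and "drop" in msg.lower()


def p2p_drops_by_host(log_text: str) -> Counter:
    """Count P2P drops per source IP (the source port is stripped)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if "src" not in fields or not is_p2p_drop(fields):
            continue
        host = fields["src"].rsplit(":", 1)[0]
        counts[host] += 1
    return counts


def hosts_to_check(log_text: str, threshold: int = 2) -> list:
    """Source hosts with at least `threshold` P2P drops, most active first."""
    counts = p2p_drops_by_host(log_text)
    return [host for host, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for host, n in p2p_drops_by_host(SAMPLE_LOG).most_common():
        print(f"{host}: {n} blocked P2P attempt(s)")
    print("Candidates for the repair queue:", hosts_to_check(SAMPLE_LOG))
```

The threshold keeps a single stray packet from flagging a machine; with the sample data only 10.20.5.17 passes it. Exported logs from the real firewall would need the regex and the message test adjusted to the actual field names.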

The combination of the application firewall and DPI-SSL would also prevent this traffic from running over secure ports or SSL VPN type setups.

Application firewall rules can also be configured to shape traffic to/from any site on the web. At the moment we've configured a rule to shape traffic to Megaupload and other download sites that work over port 80, and depending on Facebook traffic that could be a contender too. Another type of rule that was described in some SonicWall promotional guff was a rule to catch IE6 traffic and redirect it to a warning page to upgrade your version of IE. That rule sounds like a good idea; I think that might be my next one.

Netbooks: Setting Students as Admins during deployment

As part of our config for the Student Netbook SOE, we're going to make each Student an Administrator on their own netbook. We don't want to make every Student an administrator on every machine, because of the security/privacy issues that may arise. If every Student is an administrator everywhere, then it's possible for them to log onto another Student's machine and look at, edit, delete or copy their files.

When we unboxed the netbooks we attached our Asset tags (BGSID) and used the barcode scanner to grab the BGSID and Serial for each netbook and put them into Excel. We thought we could use this data and run a post imaging script from Altiris to set the student admin on each machine after they’re sysprep’d and before they’re given out to Students.

We created a SQL database with one table, see below. The image shows our test data, but we're able to copy the BGSIDs and Serials from the spreadsheet to the database and assign a username for each netbook. The database also has a field for MachineName, which is blank initially and is populated when the script is run. Altiris automatically names the machines according to the template we've specified, but we thought it would be handy to grab the machine name and store it next to the Serial as the machines are assigned to Students.
We can also be sneaky and use the StudentUserName field to query AD and grab the Student's first name and surname to make sticky labels for their machine, and maybe their bags too. We'll see.

[Screenshot: the Netbooks table with test data (BGSID, Serial, StudentUserName, MachineName)]

'______________________ Start SetStudentAdmin.vbs __________________________
Option Explicit

' Looks up this netbook's BIOS serial number in the Netbooks database,
' adds the assigned Student to the local Administrators group and
' records the machine name against the serial.

Dim adoConn, adoRS
Set adoConn = CreateObject("ADODB.Connection")
Set adoRS = CreateObject("ADODB.Recordset")
Call GetBGSID

'_______________________________________________________________________

Sub GetBGSID()

Dim NetBookSerial, winmgmt1, SNSet, SN
Dim objWshNet, strDomain, strComputer, objGroup, strUser, objUser

' Read the serial number from the BIOS via WMI
winmgmt1 = "winmgmts:{impersonationLevel=impersonate}!//."
Set SNSet = GetObject(winmgmt1).InstancesOf("Win32_BIOS")

For Each SN In SNSet
    NetBookSerial = Trim(SN.SerialNumber)
Next

' Connection string as used on our network; the SQL login and password are embedded in the script
adoConn.Open "Provider=SQLOLEDB;Data Source=lumberjack;User ID=sa;Password=12345;Initial Catalog=Netbooks;"
' Keyset cursor (1) with optimistic locking (3) so the row can be updated below;
' single quotes in the serial are doubled so they cannot break the query
adoRS.Open "SELECT * FROM netbooks WHERE (Serial = '" & Replace(NetBookSerial, "'", "''") & "')", adoConn, 1, 3

' Nothing to do if the serial has not been entered in the database
If adoRS.EOF Then
    WScript.Echo "No database row for serial " & NetBookSerial
    adoRS.Close
    adoConn.Close
    Exit Sub
End If

Set objWshNet = CreateObject("WScript.Network")
strDomain = objWshNet.UserDomain
strComputer = objWshNet.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Field 3 is StudentUserName and field 4 is MachineName (0-based ordinals in our table)
strUser = adoRS.Fields.Item(3)

Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")

' Add the Student to the local Administrators group if not already a member
If Not objGroup.IsMember(objUser.ADsPath) Then
    objGroup.Add objUser.ADsPath
End If
adoRS.Fields.Item(4) = strComputer

adoRS.Update
adoRS.Close
adoConn.Close

End Sub
'______________________ End SetStudentAdmin.vbs ___________________________
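The lookup step of the script above is the part most worth getting right: a serial that is missing from the table, or typed in twice, should stop the run rather than hand admin rights to the wrong Student. The following is an added Python example, not the post's script, that works the same lookup against an in-memory SQLite copy of the table: the serial is bound as a query parameter, the no-row and duplicate-row cases raise, and the machine name is written back as the post describes. The sample rows, the StudentUserName column name and the username pattern are assumptions.

```python
import re
import sqlite3

# Constructed test rows for the one-table database described in the post.
# Column names other than BGSID, Serial and MachineName are assumptions.
SAMPLE_ROWS = [
    ("BGS0001", "CNU9400ABC", "jsmith", None),
    ("BGS0002", "CNU9400DEF", "amiller", None),
    ("BGS0003", "CNU9400DEF", "bnguyen", None),  # same serial entered twice: a data-entry error
]

# Rough sanity check on the username before it goes anywhere near a group-add
# (assumption: usernames are short alphanumerics with . _ - allowed).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")


class SerialNotFound(Exception):
    """The BIOS serial has no row in the netbooks table."""


class AmbiguousSerial(Exception):
    """The BIOS serial matches more than one row."""


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the Netbooks database, loaded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE netbooks (BGSID TEXT, Serial TEXT, StudentUserName TEXT, MachineName TEXT)"
    )
    conn.executemany("INSERT INTO netbooks VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def assign_admin(conn: sqlite3.Connection, serial: str, computer_name: str) -> str:
    """Return the username that should become local admin for `serial` and
    record the machine name against that row. The serial is a bound
    parameter, so quote characters in it cannot alter the query."""
    serial = serial.strip()
    rows = conn.execute(
        "SELECT BGSID, StudentUserName FROM netbooks WHERE Serial = ?", (serial,)
    ).fetchall()
    if not rows:
        raise SerialNotFound(f"no netbook row for serial {serial!r}")
    if len(rows) > 1:
        raise AmbiguousSerial(f"serial {serial!r} appears {len(rows)} times")
    bgsid, user = rows[0]
    if not user or not USERNAME_RE.match(user):
        raise ValueError(f"row {bgsid} has no usable StudentUserName: {user!r}")
    conn.execute(
        "UPDATE netbooks SET MachineName = ? WHERE Serial = ?", (computer_name, serial)
    )
    conn.commit()
    return user


def machine_name_for(conn: sqlite3.Connection, serial: str):
    """MachineName recorded for a serial, or None if unset or unknown."""
    row = conn.execute(
        "SELECT MachineName FROM netbooks WHERE Serial = ?", (serial,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(assign_admin(db, "CNU9400ABC", "NB-0001"))
    for bad in ("CNU9999XXX", "CNU9400DEF", "' OR '1'='1"):
        try:
            assign_admin(db, bad, "NB-TEST")
        except (SerialNotFound, AmbiguousSerial) as exc:
            print(type(exc).__name__ + ":", exc)
```

The group-add itself stays on the Windows side; the point of the example is that the username comes back only when exactly one row matched, and that a serial containing quote characters is just an unknown serial rather than a different query.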

Netbook 2010 SOE

We’ve confirmed our SOE for the Student Netbooks for the 2010 pilot program. Nathan Hargreaves confirmed the final list yesterday. The image will be based on Windows 7 Professional with Office 2007 with:

Access
Acrobat Reader 9
Audacity
ClickView Player
Excel
Flash Player 10
Google Earth
Interactive Atlas CD 1.4
Internet Explorer 8
iTunes
Java Runtime Environment 6
Maths Dimensions 9
Office Live Addin
OneNote
Outlook
Photoshop Elements 8
PowerPoint
Premiere 8
Quicktime
Shockwave Player
Silverlight
Visio
VLC Player 1.0.3
Windows Media Player
Word

We've decided that the netbooks will be added to our domain, which will let the Students use their AD username and password and will provide seamless authentication for web mail, internet access and home drives on the network. We'll also be able to use EAP-TLS with machine certificates for authentication on the new wireless-N network, and we can use Group Policies to set mapped drives, install network printers and control power settings.

It's much more work on our behalf to have these machines on the domain, and a lot more testing to make sure that the Students get the user experience that they need on the netbooks while still having the same policies, settings and restrictions as our desktop machines. The Students will all be administrators on their netbooks and will be able to install applications and change settings as they like. Finding the balance between letting the Students have the control they need to feel ownership of the device and controlling GPO settings to ensure a seamless experience on campus will be the trick to a successful SOE.

Too Cool for School


Recently our Headmaster announced that the School was going to trial a 1:1 netbook program with our Year 9 Students. Currently our Students use desktops in Computer Labs and some class sets of notebooks with the same SOE that's installed on our desktops. The move to netbooks will create new challenges for our Staff, especially with some of the requirements, most notably that Students will need to have administrator access to their netbooks.

The device that we've selected for the trial is the HP Mini 5101, which has the same specs as the other netbooks, except we've optioned these with the HD screen (1366×768) and a 6-cell battery. The SOE that we're building for the trial includes Windows 7 Professional, Office 2007, Visio, Adobe Photoshop Elements and Premiere Elements. The SOE is pretty simple, and the Students can add any other apps that they need once they're handed over. The only problem with the software has been the Adobe licensing, which has been summed up to perfection by Rob Flavell on Learn | You | Good.

Since we've only ever had a notebook program for Academic Staff, we've been talking to colleagues at schools with successful Student notebook programs to help work out a successful plan for Grammar. We want the Students to feel ownership of the device, which will help motivate them to look after their machines and reduce damage and support requests. However, we want the machines to be on the network and on the domain, so we can push settings and updates out to the Students' netbooks and ensure they have the correct printers installed, drive mappings and other group policy settings.

During the year we spoke to a School that has a notebook program for their Students (Years 7-12), and their IT Staff have 3500 re-image jobs per year. This worked out to be 2 or 3 reimages for each machine in the School, which is probably a full-time job for someone! We've kept this in the forefront of our minds when planning the SOE for the netbooks: even though we're only deploying 150 machines for the pilot, we have to assume that the pilot will be a success and that before long we'll have 600-700 netbooks to manage.

We're dealing with the possible flood of reimaging requests with a two-pronged attack. The SOE will have two partitions, one for the OS and one for Student data, and we're working on an imaging method that the Students can run themselves. The dual partitions are set up with the Windows 7 Users folder moved to the second partition and a junction/symbolic link created pointing to the new location; there is a nice explanation from Scott Hanselman here. This setup allows us to reimage the partition with the OS and programs and leave the data intact. Once we're confident with the reimaging, we won't need to worry about backing up the Student's data before reimaging their machine. The Student self-imaging will work, at the moment, using a separate imaging VLAN and getting the Students to boot their machine from the network card and load a custom Altiris WinPE boot image. We looked at options for imaging the netbooks from a hidden partition or via a USB HDD, but we need the imaging job to be initiated by Altiris so the computer will get the right name and settings etc. during the sysprep process.

So that's just the start. We've placed the order for the netbooks with HP and should have delivery before Christmas, and will need to have them finished and ready for the Students at the end of January. As we find problems or something interesting with the image, the netbooks or how we're supporting them, I'll post here.