Saturday, 9 July 2016

M is for Identity: Managing the mPLE

In my last post about Managed Personal Learning Environments I argued that an mPLE has the agility and flexibility of the "Anything Goes" personal learning environment, but the security and structure of a VLE. Is that really possible? This time I want to explain that further and share the first stage of our multi-school setup and the next step which we're rolling out this summer.

The key element to being able to manage is identity management.

To safeguard the children who use our system we must be confident that we know who the people on our system are. We have to maintain a directory of people that can use the system across 33 schools and ensure that it is kept up to date, and we have to maintain a structure of group membership so that you can address a resource to the right people without having to expend a lot of energy.

Single Sign On is important. It means people using the system don't go crazy from repeatedly having to put in user names and passwords everywhere, but it's more than a convenience - if you don't have single sign on you have an awkward mess that will frustrate people and leave holes in your safeguarding arrangements.

There is no one way of doing this - I'm just describing how we do it.

Active Directory might have a long history, but with the advent of Azure it's still highly relevant, although it requires people with a definite skill set to manage it (I have happily managed Office 365 and Google Apps domains, but there are dim corners of AD I don't pretend to engage with; I have colleagues who do). When you go to one of those desktop PCs and log in, it's Active Directory that checks that there is an account with that name, grants access and determines what you're allowed to do on the network. We have a federated Active Directory across all of our sites, so that I can log in anywhere (well, that isn't the main reason, but it's a good by-product), which breaks membership at each academy into units that can be managed locally.

So we know that if someone is in AD, someone in that academy has verified that they are who they say they are and should be able to do what they are allowed to. It means teachers at Academy A can work with students at Academy B even if they have never met, because both are validated as real people with access rights on the system locally. We also know that those people have agreed to a set of conditions (an Acceptable Use Policy) and that anyone who doesn't follow those rules will be taken off the system [I'll blog in a future post about a way we're developing to automate renewing that agreement of the AUP].

So far, so very traditional. All this really is a standard (medium sized) enterprise network being done in schools. We work closely with European Electronique to deliver. As an organisation we're very "cloud based" (I dislike that term and prefer to think of it as "web first", but we have registered and use so I guess the term has stuck).

Last year, as well as nearing completion of that all-schools enterprise network, we offered two very important cloud services to our users: Office 365 and Google Apps for Education. Not one or the other, because if you can use a combination of both, why would you limit yourself to one? As I'll explain in future posts, we often make two tools available that do the same job, but individual academies can engage more with one than the other; the beauty of using the web is that the ones that best suit that school can be used.

The Office 365 link uses an Azure single sign on connector and it "just works." We had some fun setting up Yammer, which I'll touch on in the future, but in truth Yammer is a semi-detached part of Office 365. Other than that, once we make an account in AD and assign an email address, within an hour it is ready to use in Office 365 (with one wrinkle I'll mention below).

It is seamless, but then you'd expect two Microsoft products to talk to each other wouldn't you? (I am smiling when I type that, but these two, whilst clearly from different planets in terms of design, mesh perfectly).

Our Office 365 is a multi-domain, single tenancy, so each site can have its own domain name but all exist in the same directory space. With 12000 users we're probably one of the bigger school sites in the UK and I cannot recommend the core parts of 365 highly enough.

We use a product called GADS to do the same thing with Google Apps and again that just works. From the perspective of a Google Apps admin the only difference is that I never touch user accounts in Google Admin (because any changes I make will be overwritten within minutes) but in every other way it is business as usual - with a Chromebook, a Google App on an iPad or a Windows PC.

We did have some issues with some Google Apps (like G+) and apps on iOS that we suffered through for a while until we found that some parts of single sign on in GADS weren't set to the defaults - if anyone encounters that I'd be happy to explain it.

The result?

If you use an iPad, iPhone or Android device in our schools you just use any Microsoft or Google App you like and use the same login details and it works.

If you use a Mac or PC similarly it just works - in Windows the integration with 365 is pretty deep in places and you'd never know we were mixing in anything else.

Chromebooks love it. We use them in Kiosk mode and make our homepage the default. Within a couple of seconds of startup you're at a login screen.

The downsides? This year the biggest has been scale. Managing groups has grown into a full time concern, and it is no joke trying to use something like Google Classroom or OneNote Class Notebook if your class doesn't have a single email address that you can be totally confident is right up to date. With 12000 users those groups just aren't.

Another issue is automating Office 365 license allocation. Making a user in 365 isn't enough: you need to attach licenses, even if they are free ones, to each account, and right now that is a manual process (or a little PowerShell script if we're feeling adventurous).
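As an added illustration of what that "little PowerShell script" can look like (this is example code written for this post, not the author's own script), here is a bulk licence pass using the MSOnline module. It only touches accounts that were synced from AD and have no licence yet, checks seat availability first, and sets the mandatory usage location before assigning. The SKU name `contoso:STANDARDWOFFPACK_STUDENT` and the usage location `GB` are assumptions; list your tenant's real SKUs with `Get-MsolAccountSku`.

```powershell
# Added example, not the author's script: licence every unlicensed, AD-synced
# Office 365 user with one SKU. SKU id and usage location below are assumptions.
Import-Module MSOnline
Connect-MsolService   # prompts for a licence/user administrator credential

$targetSku     = 'contoso:STANDARDWOFFPACK_STUDENT'   # assumed; see Get-MsolAccountSku
$usageLocation = 'GB'                                 # assumed ISO country code

# Check seats before changing anything, so a half-finished run is obvious
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $targetSku }
if (-not $sku) { throw "SKU $targetSku not found in this tenant" }
$free = $sku.ActiveUnits - $sku.ConsumedUnits
if ($free -le 0) { throw "No free seats on $targetSku" }
Write-Host "$free seats available on $targetSku"

# Only accounts that came from on-premises AD (LastDirSyncTime set) and are unlicensed
$unlicensed = Get-MsolUser -All -UnlicensedUsersOnly |
    Where-Object { $_.LastDirSyncTime -ne $null } |
    Select-Object -First $free

foreach ($u in $unlicensed) {
    # A usage location must be present before a licence can be assigned
    if (-not $u.UsageLocation) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $usageLocation
    }
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $targetSku
    Write-Host "Licensed $($u.UserPrincipalName)"
}
```

Restricting the pass to `LastDirSyncTime -ne $null` keeps cloud-only test or service accounts from silently consuming seats, which is also a useful thing to report on separately.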

Several tools exist to do the job of bringing some order to that.

Capita have just launched a product called SIMS ID that seems to do much of what I describe above but also pulls information from SIMS to update group membership. I don't know how well this would scale to a multi-school setup because SIMS does not really understand a multi-school world in the way I'd like.

Ruler Connect has a tight integration with SIMS too, pulling group membership from SIMS and writing it to Active Directory or Office 365. We really liked the product and the people, and although we didn't select it we can certainly suggest it is worth a good look.

In the end we've chosen another tool called Salamander. Salamander can sit in our data centre on a relatively low powered server and talk to each installation of SIMS overnight. When a member of staff or student is added it will pull the details through, add it to AD with the right group membership and license and if an account is taken out of SIMS it will suspend it. This level of automation will give us time to do the interesting stuff, reduce risk of errors creeping in and solve the problem of group membership. When I want to share a OneNote document with 11Tec1 at an academy, I'll be able to do so with the confidence that all the people currently in that group will access it - and the beauty of that is that every Google Apps and every 365 tool will be able to do so.
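To make the reconciliation described above concrete, here is an added example (written for this post; it is not Salamander's code or the author's) of the overnight logic in PowerShell with the ActiveDirectory module: create people who appear in the SIMS export, put them in their class group, drop them from groups they have left, and suspend (disable, never delete) anyone who has disappeared from the export. The CSV layout, the OU `OU=Students,OU=AcademyA,DC=trust,DC=local`, the UPN suffix and the three sample rows are all constructed assumptions. `$DryRun` defaults to `$true`, which turns every change into a `-WhatIf` preview.

```powershell
# Added example, not Salamander's or the author's code: nightly SIMS -> AD reconciliation.
# Assumed: a CSV export with Username,GivenName,Surname,Class and class-named AD groups.
Import-Module ActiveDirectory

$DryRun    = $true                                          # every change becomes -WhatIf
$StudentOU = 'OU=Students,OU=AcademyA,DC=trust,DC=local'    # assumed OU
$Domain    = 'academya.trust.example'                       # assumed UPN suffix

# Constructed sample of what the overnight export might contain
$simsExport = @'
Username,GivenName,Surname,Class
jsmith01,Jane,Smith,11Tec1
akhan02,Ali,Khan,11Tec1
bjones03,Ben,Jones,10Sci2
'@ | ConvertFrom-Csv

# 1. Create anyone in SIMS who has no AD account yet, then ensure class membership
foreach ($row in $simsExport) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$($row.Username)'"
    if (-not $user) {
        # Random initial password, reset forced at first logon; never a shared default
        $plain = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })
        $pw    = ConvertTo-SecureString $plain -AsPlainText -Force
        New-ADUser -SamAccountName $row.Username -GivenName $row.GivenName -Surname $row.Surname `
            -Name "$($row.GivenName) $($row.Surname)" -UserPrincipalName "$($row.Username)@$Domain" `
            -Path $StudentOU -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $true -WhatIf:$DryRun
        if ($DryRun) { continue }   # account does not exist yet, so skip group work in preview
    }
    $group = Get-ADGroup -Filter "Name -eq '$($row.Class)'"
    if ($group) {
        $members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
        if ($members -notcontains $row.Username) {
            Add-ADGroupMember -Identity $group -Members $row.Username -WhatIf:$DryRun
        }
    }
}

# 2. Drop people from class groups they no longer belong to
foreach ($class in ($simsExport.Class | Sort-Object -Unique)) {
    $group = Get-ADGroup -Filter "Name -eq '$class'"
    if (-not $group) { continue }
    $shouldBe = ($simsExport | Where-Object Class -eq $class).Username
    Get-ADGroupMember -Identity $group |
        Where-Object { $shouldBe -notcontains $_.SamAccountName } |
        ForEach-Object { Remove-ADGroupMember -Identity $group -Members $_ -Confirm:$false -WhatIf:$DryRun }
}

# 3. Suspend enabled student accounts that have dropped out of the export (disable, keep data)
$expected = $simsExport.Username
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $StudentOU |
    Where-Object { $expected -notcontains $_.SamAccountName } |
    ForEach-Object {
        Set-ADUser -Identity $_ -Description "Suspended $(Get-Date -Format yyyy-MM-dd): not in SIMS export" -WhatIf:$DryRun
        Disable-ADAccount -Identity $_ -WhatIf:$DryRun
    }
```

Disabling rather than deleting is deliberate: the account stops working everywhere that trusts AD (and, via the sync connectors, in Office 365 and Google Apps within minutes), while the data and the audit trail survive for review. Because the SearchBase is one academy's OU, the same script can run per academy against that academy's SIMS without one export disabling another site's students.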

I hope that's been of interest - in many ways this is the least learning focused post in this series, but without the management in mPLE we have something that is not fit for purpose as a place online for children to work. When assembling our mPLE, the price of entry for a product is to be able to let users use their AD credentials to sign in... and between 365, Google ID and AD there are very few services that don't make the cut.

What I'd like to write about next are some of the tools and design decisions we're making in putting together an mPLE: some services have to be mandatory (e.g. email; although we have Gmail and Exchange Online, we need one to keep a single directory of addresses and to make compliance simple to manage), for others we can give choices and let the users decide, and others still we need to buy in and do the integration work for, such as our upcoming eBook Library.

If you're interested in this stuff and would like to steer the series in any way, please do get in touch by the usual methods.
