Information About Mac Changes for the 2018-2019 School Year
Good morning/afternoon/evening (please select as appropriate),
I hope the new school year is off to a great start for you so far! I wanted to take this opportunity to explain a few changes in regards to our MacBook configuration this year, in hopes that you'll both be aware of the changes and understand the reasoning behind our decisions. I'm aware that some changes will be very popular, while others might at first seem like an inconvenience (though as I'll explain, it is all done for your benefit).
First, I'll start with news that I believe everyone will be happy about: we are finally able to support the official version of Google Chrome directly provided by Google on both student and staff MacBooks. Although Chromium and Google Chrome are nearly identical from a technical standpoint, many users still preferred to use Google Chrome, so now it is automatically installed by default on all MacBooks.
Second, let me rip the bandage off quickly here on the decision I believe will initially be least popular: we have decided not to grant full administrator rights to staff this year as we have done in previous years, except in a very small number of cases (fewer than 5 I believe) in which specialized positions require having elevated access, such as law enforcement and PLTW robotics instructors. We did this for a few primary reasons (among several others):
- Last year we saw a sharp increase in the amount of malware on the staff MacBooks, which not only can place one user's private data at risk, but places everyone in our environment at a greater risk. New antivirus/antimalware software is prohibitively expensive and can slow down the MacBooks, so the best solution to prevent it is to restrict administrative privileges.
- When Apple released a new major OS update last fall several staff members updated because they were prompted to do so from Apple (understandably), but doing so cut their MacBook off from our management system so they could no longer receive important updates like new WiFi codes and testing apps. Some lost network access completely. This will prevent that from happening again.
- We had several network incidents where students used their parents' or friends' staff MacBooks with administrative privileges to gain access to our secret WiFi codes, then shared them with their friends, allowing anyone to connect devices to our network (too many devices can cause wireless access points to be overburdened and stop functioning, and causes the network to become congested). This will also prevent that.
I want to clear up a few misconceptions though:
- We are NOT preventing you from using any apps you want on your MacBook. If there is any app you would like, please submit a helpdesk ticket and we will either install it remotely for you as a one-off, or if it may be of interest for everyone, we will add it to the Self Service application so anyone can download it. The only requests we say no to are for malicious apps or apps used only for gaming (such as Steam or Fortnite). You can also run any app you wish from your Desktop, Downloads, or Documents folders.
- You can still add printers. In System Preferences -> Printers & Scanners the plus button will still be available, because everyone is still a printer admin on their own system. In rare instances an administrator password will be needed to install a driver, but this is rare, and we will gladly do so for every request.
This brings me to the other big changes to Mac management, which has to do with our students.
In prior years, we had a special restriction profile on student MacBooks which prevented them from running any app that wasn't in the /Applications folder. This limited their use of apps to only those which we expressly approved and let them install.
The problem with this approach is that many apps need to run things outside of the /Applications folder, and with our old way of doing it, it would cause the application to crash. For those of you who have dealt with students who require special software for NCVPS classes, Mayland courses, or for accessibility purposes, you know how frustrating this was. An app would crash, I would have to investigate it, and then sometimes spend days trying to track down the file the app tried to run, and then add an exception for that file in our lockdown profile (which left a vulnerability on every single Mac in our district that anyone could use to get around our restrictions).
With our new management software, JAMF, we now have a different way to manage student Macs. We can block them from running specific apps (or specific categories of apps) without having to restrict them to only the /Applications folder. That means that this year, students in those classes should be able to start their course work immediately and not have to miss due dates or deadlines because of those tech issues. I'm sure all teachers who deal with this will be pleased.
Please note that it will take us some time to perfect the list of blocked apps for students. We have the major ones blocked right now, but we'll have to keep our eyes open and pay close attention during the first few weeks to make sure we get the list as tight as possible. Please note this does NOT affect content filtering - inappropriate content will continue to be blocked for them. But if you see them running apps you've never noticed before - this is why.
A few other notes to round off this blog post:
- For the handful of staff members who did not turn in their MacBooks over the summer, we will be contacting you to schedule a time during the first few weeks of school to get your MacBook updated.
- We will be switching from our old WiFi scheme (with ACS-Staff and ACS networks) over to our new WiFi scheme (avery-wifi) within the first few weeks or school, once things have settled from handout. ANY MACBOOKS THAT HAVE NOT BEEN UPDATED RISK LOSING NETWORK ACCESS ONCE THIS SWITCH TAKES PLACE. All student MacBooks are already configured for the new avery-wifi network, as well as all staff MacBooks that have been updated.
- We have a new content filter, Zscaler, which has replaced Lightspeed. As with any new content filter, we may need to manually allow for certain sites or content to stop them from being blocked. Please let us know if you run into any issues (via the helpdesk system) and bear with us as we fix these issues.
Last but not least, please keep in mind that right now we are absolutely swamped here in the tech department trying to prepare for student handout next week, the PD sessions later this week, and generally get everything prepared so we can have a successful start to the school year. If you send us a message and we take a while to respond, know that are slammed and will get back to you ASAP. Helpdesk tickets are assigned and sorted based on priority, so the most urgent needs get addressed the quickest.
If you have any questions or concerns, please let me know. Have a great school year!
Nathan Dyer | ACS Tech Services