Best practices to shape and secure your 1:1 program for Chromebooks

A key requirement of a 1:1 Chromebook program is security – ensuring students are using the device safely and productively. This document addresses several aspects of the Google Apps for Education Admin Console that are important to configure correctly for a successful 1:1 experience.

Published in: Education, Technology

  1. Best practices to shape & secure your 1:1 program for Chromebooks. securly:// tech brief – summer 2014 – v1.5
  2. Contents
     Overview
     Chrome Device Settings
       Device Enrollment
       Guest Mode
       Sign-in Restriction
     Chrome User Settings
       Pages to Load on Startup
       Policy Refresh Rate
       Safe Browsing & Malicious Sites
       Proxy Settings
       Pre-installed Apps and Extensions
       Allowed Apps and Extensions
       Plugin Authorization
       Incognito Mode and Browser History
       Safe Search on Google
       Developer Tools
       Blocking Chrome:// URLs
     Conclusion
     About Securly
  3. Overview
     A key requirement of a 1:1 Chromebook program is security – ensuring students are using the device safely and productively. This document addresses several aspects of the Google Apps for Education Admin Console that are important to configure correctly for a successful 1:1 experience.
     The Google Apps cloud-based policy essentially consists of: 1) Device Settings and 2) User Settings. While the User Settings are pushed down to the Chrome browser regardless of the device as soon as the user logs in, the Device Settings are only pushed down to the Chromebook device if the device is enrolled into the school’s enterprise policy as configured via the admin console.

     Chrome Device Settings

     Device Enrollment
     The Device Settings can include important pieces such as Guest Mode access or Sign-in Restrictions (both described in this paper). To have the Chromebooks enrolled into the school policy, you will need to ensure the device is enrolled into the enterprise policy. To achieve this, go to the following section, and keep the “Allow devices to enroll automatically” setting turned on for Organizational Units whose devices need to be managed by the admin console.
  4. Now, when your Chromebooks first arrive, your students can log in with the credentials created for them in the admin console and automatically enroll the Chromebooks into the enterprise policy for the school – without the admins needing to log in to each of these devices individually.

     Guest Mode
     We recommend disabling Guest Mode to allow better auditing of student activity. Guest Mode otherwise allows the Chromebook to be used as a guest without the district user policy in place. This mode is similar to the Incognito Mode supported by the Chrome browser – which we also recommend turning off in a subsequent section.

     Sign-in Restriction
     Just as Guest Mode and Incognito Mode allow students to browse without being audited, this setting, if not configured correctly, can allow students to use even their Gmail IDs to log in and browse without a good account of how they spent their time online. As shown above, by using a comma-separated list of *@domain entries, we can prevent students from logging in with @gmail IDs.

     Chrome User Settings

     Pages to Load on Startup
     We recommend using this section to display an Acceptable Use Policy (AUP). Students see it first thing when they open their browsers. This serves as a reminder about the policy and any other school code the students are bound by.
  5. Policy Refresh Rate
     We recommend using the minimum 30 minutes policy refresh setting – especially early in the 1:1 rollout – to ensure the Chromebook is polling for new admin console updates frequently.

     Safe Browsing & Malicious Sites
     This setting allows you to safeguard your students against malicious sites. While Chromebooks are generally hardened and immune to most forms of malware, it is important to note that the User Settings from the admin console apply to the Chrome browser even on other devices such as Windows machines. Further, malicious sites can also include phishing or other sites that involve platform-independent vulnerabilities that target the user directly – e.g. identity theft, financial theft, password theft etc.
  6. You can safely leave the following settings on for this section:

     Proxy Settings
     If your 1:1 Chromebooks are not take-home, your school’s web filter will work for these just fine. If instead your Chromebooks leave school with the students, then there are only two ways of securing these devices – a web filter proxy or a Chromebook extension – both of which intercept and police network traffic to and from the devices. If you go with a proxy solution, use the following configuration to point to your filter’s PAC (Proxy Auto-Configuration) file. PAC files allow you some level of control over what traffic should be proxied. For example, you can have exclusions for intranet sites local to your district.

     Pre-installed Apps and Extensions
     As mentioned in the Proxy Settings section, the only other way of securing take-home 1:1 Chromebooks is by deploying a Chrome extension on these devices that monitors and polices network traffic on them.
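The PAC exclusions described under Proxy Settings, as an added example that is not part of the Securly brief. The district domain, proxy host and port are constructed placeholders, and plain string matching is used in place of the PAC helper functions so the file can also be checked under Node.

```javascript
// Added example PAC file. All names below are constructed placeholders.
var FILTER_PROXY = "PROXY filter.district.example:8080";
var DISTRICT_DOMAIN = "district.example";

// True for IPv4 literals in the loopback or RFC 1918 private ranges.
function isPrivateIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

function FindProxyForURL(url, host) {
  // Normalise case and a trailing dot so equivalent spellings match the same rule.
  host = host.toLowerCase().replace(/\.$/, "");

  // Exclusion 1: single-label intranet names such as "intranet".
  // Requiring a leading letter keeps IPv6 and numeric literals out of this rule.
  if (/^[a-z][a-z0-9-]*$/.test(host)) return "DIRECT";

  // Exclusion 2: the district's own domain and its subdomains.
  // The suffix is anchored on a dot, so "notdistrict.example" and
  // "district.example.evil.test" are NOT treated as local.
  if (host === DISTRICT_DOMAIN ||
      host.slice(-(DISTRICT_DOMAIN.length + 1)) === "." + DISTRICT_DOMAIN) {
    return "DIRECT";
  }

  // Exclusion 3: private address literals used for on-campus services.
  if (isPrivateIPv4Literal(host)) return "DIRECT";

  // Everything else goes through the filter. There is no "; DIRECT" fallback,
  // so an unreachable filter fails closed instead of leaving traffic unfiltered.
  return FILTER_PROXY;
}
```

Every exclusion is traffic the filter never sees, so keep the list short and anchored as above.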
  7. Using the “Manage pre-installed apps” wizard, search for the filtering extension of your choice on the Chrome Web Store, and deploy it to the organizational units that will take the devices home.

     Allowed Apps and Extensions
     Along with pre-installing security and other instructional apps, in order to prevent students from later installing games and other time-sinks, it is generally a good idea to configure this section as follows:

     Plugin Authorization
     A frequent user-experience issue is that certain plugins request authorization from the students before they install or initialize. If we follow the white-listed approach of only letting plugins that are installed by the admins run, we can go ahead and auto-acknowledge these authorization requests so they are never presented to the students.

     Incognito Mode and Browser History
     To prepare evidence reports, we recommend keeping browser history turned on. Further, we find that Incognito Mode bypasses pre-installed security apps and can be used to evade district filtering policy. The following settings are recommended.
  8. Safe Search on Google
     If your district’s web filter does not support Safe Search for Google, the following setting allows you to enforce this directly via the Chrome policy. This applies only to the Google search engine. To achieve safe search on other search engines, you need a web filter that is capable of enforcing it for those engines.

     Developer Tools
     Developer tools allow users to debug network, script, app and other issues. In a 1:1 program, however, these could be used to circumvent district policy or gain unfair advantage over other students by reverse engineering edtech applications that transmit insecure data or have confidential information hidden away in the code. We recommend disabling the use of developer tools.

     Blocking Chrome:// URLs
     You should disable chrome://extensions and should consider disabling chrome://settings. chrome://extensions allows students to start/stop extensions, while chrome://settings and other chrome:// addresses provide settings or information that students typically do not need.
  9. Conclusion
     By following these recommendations, the school IT and educators will be better able to shape and secure the kids’ online screen time on the 1:1 Chromebook deployments.

     About Securly
     Securly is a cloud-based web filter that provides in-school and take-home filtering across all devices. For more information, please visit www.securly.com or email support@securly.com
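A way to check a device against the recommendations in this brief, as an added example that is not Securly's or Google's code. It takes a flat name-to-value object of applied policies; the policy names are Chrome's current policy identifiers, while their mapping to the Admin Console sections above and the sample values are this example's assumptions.

```javascript
// Added example: audit applied Chrome policy values against the brief's recommendations.
// Assumption: each Admin Console section maps to the Chrome policy named beside it.
const CHECKS = [
  ["Guest Mode", "DeviceGuestModeEnabled", v => v === false],
  // Entries must look like user@domain or *@domain and must not admit consumer Gmail.
  ["Sign-in Restriction", "DeviceUserAllowlist",
    v => Array.isArray(v) && v.length > 0 &&
         v.every(e => /^[^@\s]+@[^@*\s]+$/.test(e) &&
                      !/@(gmail|googlemail)\.com$/i.test(e))],
  ["Policy Refresh Rate", "PolicyRefreshRate", v => v === 30 * 60 * 1000], // milliseconds
  ["Incognito Mode", "IncognitoModeAvailability", v => v === 1],          // 1 = disabled
  ["Browser History", "SavingBrowserHistoryDisabled", v => v === false],
  ["Safe Search on Google", "ForceGoogleSafeSearch", v => v === true],
  ["Developer Tools", "DeveloperToolsAvailability", v => v === 2],        // 2 = disallowed
  ["Blocking chrome:// URLs", "URLBlocklist",
    v => Array.isArray(v) &&
         v.some(u => String(u).toLowerCase().startsWith("chrome://extensions"))],
];

// Returns one finding per policy that is missing or differs from the recommendation.
function auditPolicy(applied) {
  const findings = [];
  for (const [section, name, ok] of CHECKS) {
    if (!(name in applied)) {
      findings.push(`${section}: ${name} is not set`);
    } else if (!ok(applied[name])) {
      findings.push(`${section}: ${name} = ${JSON.stringify(applied[name])}`);
    }
  }
  return findings;
}

// Constructed sample: a partly configured organizational unit.
const samplePolicy = {
  DeviceGuestModeEnabled: false,
  DeviceUserAllowlist: ["*@district.example", "*@gmail.com"],
  PolicyRefreshRate: 10800000,
  IncognitoModeAvailability: 1,
  SavingBrowserHistoryDisabled: false,
  ForceGoogleSafeSearch: true,
  URLBlocklist: ["chrome://settings"],
};

console.log(auditPolicy(samplePolicy).join("\n"));
```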