  • Locked thread
rakonline
Dec 30, 2014
The Google Admin Discussion thread is intended to address questions and concerns about the Google Admin Console (admin.google.com).

There are many settings and brief descriptions that leave you wondering what exactly the functionality is and whether or not it is a security concern.

These topics can become points of debate where there isn't always a go-to answer you can be sure of.

---

I'll start the thread with a question that has been bothering me since the first time it came up in conversation for me.

As a software support representative I take escalated calls that are related to more technically oriented questions and issues. One of the things that has come up several times for me regarding the Google Admin Console is concern about a setting located in:

Device Management > Chrome > Device Settings

A setting exists that dictates whether local user info, settings, and state are erased after sign-out.

The software I support requires "Do Not Erase Local User Data" be set in order to ensure that the client does not have to re-enter any of the setup process when re-launching the kiosk app.

The concern seems to have been about security, though it has never come to the point where I have had to pursue that avenue of support very far; it is usually dropped quickly after it is brought up.

Still, being unable to answer the question definitively, I have researched this topic briefly several times and have been unable to find anything indicating that it is a security concern.

There is documentation indicating that Google recommends enabling the "Do not erase local user data" setting because it speeds up the login process.

There are also various posts regarding the need for "Do not erase local user data" so that you can see a history of the user logins. This should also be stored in the Google Admin audit logs, so I am not sure why this would be necessary.

If anyone can provide clarity regarding the "Do Not Erase Local User Data" setting I would like to kick the thread off with that.

Feel free to ask your own questions and share your own experiences as well.


SopWATh
Jun 1, 2000
The kiosk app I support, Pearson TestNav, needs to keep user information and test data on the machine in the event that the answer files don't get uploaded and verified on Pearson's side of things. For all other uses, I would rather the users have to wait an extra few seconds to download their profile information than risk whatever personal information gets saved on the Chromebook getting into someone else's hands.

TestNav stores test log files and answer checksums in the user's profile, so there's a concrete reason not to erase user data.


I don't think the Recent Activity log shows a list of recent users, only the most recent and a list of how long others were logged in to the Chromebook.

~Coxy
Dec 9, 2003

R.I.P. Inter-OS Sass - b.2000AD d.2003AD
Am I SOL for creating an email forward on a grandfathered free Google Apps domain?
People tend to spell my dad's name wrong so the emails come to me.

Thanks Ants
May 21, 2004

#essereFerrari


I don't know what the restrictions are on the free accounts, but to make a forward I'd just make a group with the email address set as required, then add the address you want messages to go to as the only member.

nulldev1ce
Aug 16, 2002
Shiny Globule
We have a Google Apps for Edu primary domain such that users log in as username@primary.org. We also have a slew of "domain aliases" such that username can receive emails sent to username@aliaseddomain.org. Users want to be able to log in as username@aliaseddomain.org. So the obvious direction to go is to convert aliaseddomain.org into a "secondary domain." However, I am 99 percent sure that if I do this, emails sent to username@primary.org will bounce. Can anyone confirm?

Roargasm
Oct 21, 2010

Hate to sound sleazy
But tease me
I don't want it if it's that easy
The Google Admin console is terrible. It's so basic and completely worthless for batch operations. I love everything else about the product, and the service for my end users is amazing, but as an admin I'm left copy-pasting addresses 25 at a time off of spreadsheets to create groups, or clicking on arrows to load addresses 50 at a time.

I've reached out to some experts and gotten nothing, but if someone could help me automatically generate distribution lists based on my OUs I would be so thankful. So far I've been able to pull OU information from the API, but I can't find anything that lets me modify my distribution groups.



SopWATh posted:

The kiosk app I support, Pearson TestNav, needs to keep user information and test data on the machine in the event that the answer files don't get uploaded and verified on Pearson's side of things. For all other uses, I would rather the users have to wait an extra few seconds to download their profile information than risk whatever personal information gets saved on the Chromebook getting into someone else's hands.

TestNav stores test log files and answer checksums in the user's profile, so there's a concrete reason not to erase user data.

TESTNAV :mad: :mad:

rakonline
Dec 30, 2014
I have thought similarly about the fact that there is definitely lacking functionality in the Google Admin Console. Admittedly I haven't really had a good opportunity to try and fully utilize it.

I am just wondering if it is really a concern for the students with the "Do Not Erase Local User Content" setting. From reading I think it only stores information pertaining to User Settings and such that would be stored in the User Portion of the Google Admin console.

nulldev1ce
Aug 16, 2002

Roargasm posted:

I've reached out to some experts and gotten nothing, but if someone could help me automatically generate distribution lists based on my OUs I would be so thankful. So far I've been able to pull OU information from the API, but I can't find anything that lets me modify my distribution groups.

If you're comfortable with the command line, then GAM is your friend. The initial setup is a lot of steps, so be sure to do it on the computer(s) you plan to keep using for these tasks -- i.e. I did it on a linux server I can reach from anywhere. The documentation for this tool is stellar. In your example, it sounds to me like you'd want to start with a download of that org's members (from the Google admin panel), then take it into a text editor or spreadsheet program and do a series of search-and-replaces so you end up with a file of lines like

code:
gam update group yourgroupname add member user1
gam update group yourgroupname add member user2
gam update group yourgroupname add member user3

etc. Then you'd copy-paste those into the terminal on your gam-enabled machine. Someone with more scripting skills than I have could string together gam's ability to read out the members of a suborg, parse the output, and use that to create the commands to populate a group as shown above, and then make the whole thing be a nightly cron job or whatever. Then you'd just add new people to suborg X and they'd automatically end up in group Y within 24 hours.

The happiest thing I did with gam was write a disgustingly quick and dirty php wrapper around its "add new user" commands, and then my tech minions use my account-maker.php webpage whenever we get a new student -- it FORCES them (the tech minions) to pick a suborg AND a distribution group whenever they add a new person. All the fields (username, real name, password, suborg, and group name) are all in one web form with one submit button that does it all, so it's way faster than doing all three steps through the admin panel, and my crew can't forget to add new people to a list.

Roargasm
Oct 21, 2010


nulldev1ce posted:

If you're comfortable with the command line, then GAM is your friend. The initial setup is a lot of steps, so be sure to do it on the computer(s) you plan to keep using for these tasks -- i.e. I did it on a linux server I can reach from anywhere. The documentation for this tool is stellar. In your example, it sounds to me like you'd want to start with a download of that org's members (from the Google admin panel), then take it into a text editor or spreadsheet program and do a series of search-and-replaces so you end up with a file of lines like

Got this up and running, thanks! Google's Developer console is pretty intense to set up but having this logging in front of me should be useful considering how weak my scripting still is. I'm going to hammer away at something like what you described, hopefully I get somewhere. Should be a good way to learn some Python and CentOS at the same time :ohdear:

SopWATh
Jun 1, 2000

Roargasm posted:

The Google Admin console is terrible. It's so basic and completely worthless for batch operations. I love everything else about the product, and the service for my end users is amazing, but as an admin I'm left copy pasting addresses 25 at a time off of spreadsheets to create groups, or clicking on arrows to load addresses 50 at a time.

I've reached out to some experts and gotten nothing, but if someone could help me automatically generate distribution lists based on my OUs I would be so thankful. So far I've been able to pull OU information from the API, but I can't find anything that lets me modify my distribution groups.




TESTNAV :mad: :mad:

I don't work for Pearson, I've just drawn the short straw for my district.


You might like a product called Google Apps Manager. You have to putz around with PowerShell, but if you can handle writing basic scripts, it'll do a lot more than the dumb console ever could.

EFB

SopWATh
Jun 1, 2000

nulldev1ce posted:

The happiest thing I did with gam was write a disgustingly quick and dirty php wrapper around its "add new user" commands, and then my tech minions use my account-maker.php webpage whenever we get a new student -- it FORCES them (the tech minions) to pick a suborg AND a distribution group whenever they add a new person. All the fields (username, real name, password, suborg, and group name) are all in one web form with one submit button that does it all, so it's way faster than doing all three steps through the admin panel, and my crew can't forget to add new people to a list.

Can I have your app please? If the teachers forget to move the students to the right group one more time I swear to god...

Roargasm
Oct 21, 2010


Roargasm posted:

Got this up and running, thanks! Google's Developer console is pretty intense to set up but having this logging in front of me should be useful considering how weak my scripting still is. I'm going to hammer away at something like what you described, hopefully I get somewhere. Should be a good way to learn some python and Centos at the same time :ohdear:

This ended up being really easy, thanks for the help :)

code:
gam print users query 'orgUnitPath=/Parent/Domain' | gam csv - gam update group mygroup@your.org add member ~primaryEmail

Roargasm fucked around with this message at 01:15 on Mar 19, 2015
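The one-liner above adds everyone in the OU to the group, but run from cron it never removes anyone who has left the OU, and it re-adds every member every night. The script below is an added example (not code from either poster) that turns nulldev1ce's "parse gam's output, generate the commands, cron it" idea into an idempotent sync: it diffs the OU's users against the group's current members and only emits the add/remove commands actually needed, and it never touches owners or managers. It assumes that `gam print users query 'orgUnitPath=...'` prints a primaryEmail column and that `gam print group-members group <group>` prints email and role columns; the sample CSV is constructed, and both column names should be checked against your gam version.

```python
"""Keep a Google group in step with an org unit using gam (added example).

Not code from the thread. It assumes gam's CSV output has a primaryEmail
column for `gam print users` and email/role columns for
`gam print group-members`; verify both against your gam version.
"""
import csv
import io
import subprocess

# Constructed sample output standing in for the two gam print commands.
OU_USERS_CSV = """primaryEmail,name.fullName,orgUnitPath
alice@your.org,Alice Example,/Students/Grade6
bob@your.org,Bob Example,/Students/Grade6
Carol@your.org,Carol Example,/Students/Grade6
"""
GROUP_MEMBERS_CSV = """group,type,role,email
grade6@your.org,USER,MEMBER,bob@your.org
grade6@your.org,USER,MEMBER,dave@your.org
grade6@your.org,USER,OWNER,teacher@your.org
"""


def gam_csv(argv):
    """Run a gam print command and return its CSV output as text (live use only)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def plan_sync(ou_csv, group_csv):
    """Return (to_add, to_remove) so the group's plain members equal the OU's users.

    Owners and managers are never removed: a sync job that can demote the
    group's owner is a quick way to lock yourself out of the group.
    """
    wanted = {r["primaryEmail"].strip().lower()
              for r in csv.DictReader(io.StringIO(ou_csv)) if r.get("primaryEmail")}
    current, removable = set(), set()
    for r in csv.DictReader(io.StringIO(group_csv)):
        email = (r.get("email") or "").strip().lower()
        if not email:
            continue
        current.add(email)
        if (r.get("role") or "").strip().upper() == "MEMBER":
            removable.add(email)
    return sorted(wanted - current), sorted(removable - wanted)


def gam_commands(group, to_add, to_remove):
    """Build argv lists for the changes. Lists, not shell strings, so a stray
    character in an address can never become part of a command line."""
    cmds = [["gam", "update", "group", group, "add", "member", e] for e in to_add]
    cmds += [["gam", "update", "group", group, "remove", "member", e] for e in to_remove]
    return cmds


def run(cmds, dry_run=True):
    """Print the commands (dry run) or execute them one by one."""
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    group = "grade6@your.org"
    # Live use would replace the constructed CSV with:
    #   ou = gam_csv(["gam", "print", "users", "query", "orgUnitPath=/Students/Grade6"])
    #   members = gam_csv(["gam", "print", "group-members", "group", group])
    to_add, to_remove = plan_sync(OU_USERS_CSV, GROUP_MEMBERS_CSV)
    run(gam_commands(group, to_add, to_remove), dry_run=True)
```

Run it with dry_run=True from cron for a few nights and read the output before letting it execute anything; a sync script that runs unattended under the gam credentials has the full authority of whatever admin account gam was authorised as.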

nulldev1ce
Aug 16, 2002

SopWATh posted:

Can I have your app please? If the teachers forget to move the students to the right group one more time I swear to god...

I feel your pain.

For what little it's worth, here's the script I cobbled together:

http://dev.dresden.us/~mbates/account-maker.phps

Caveats:

- Terrible code. I know this.

- Undoubtedly GAPING SECURITY HOLE, run this on a server that can only be accessed from within your IP space and use firewalls and certs and whatnot, yadayada.

- Related to aforementioned security hole -- it's been a while but I'm pretty sure I had to do some minor machinations in php.ini to allow system calls outside of the webroot (to /usr/local/path/to/gam.py, for example) and looking now, it appears that I made gam and its related files be chgrp'd to apache to support this (YES I KNOW I SUCK.) You could improve the "security" of this by using .htaccess instead of the silly "look for a password in the POST" -- again, quick 'n dirty is how I roll.

- Some of the rules checks in the beginning are related to the fact that we went through a transition from the format firstname.lastname@domain.org to firstnamelastname@domain.org (little kids can't remember to type the dot), BUT we wanted to preserve backwards-compatibility with parents' assumptions about email conventions, so, all users get a dotted nickname.

- Technically, hyphens and apostrophes are allowable characters in email addresses, but we've found that they're problematic with some other mail servers so we ban them. As far as I know, you can have anything in the human-readable first and last name part of the account. We've got LOTS of kids with names like "Hubert Huffington-Piedmont O'Flaherty IV" and it's easier to just say "letters ONLY!" when they're trying to log in for the first time.

- Our password scheme is a four-letter noun concatenated to a four-digit number. (Again, youngsters. And the nouns are from a 6th-grade reading level vocab list, you pervs.) I left references to that "algorithm" in there in case it's handy. The form merely suggests it anyway.

- Use a forward slash to reference suborgs. If your suborgs have spaces in their names, you might need to use quotes or escape them. (Or rename them now, before you start hardcoding stuff against them, like I had the luxury of doing.)

- gam's flags for "user has already agreed to the agreement" are a nice idea -- in theory, it would let the user skip the captcha -- but from what I read, if you have ANY non-stock Google Apps enabled, it is ignored and they still must do the captcha at first signin. That definitely seems to be true for us.

One other random thing I remember, every X days this script would stop working and I finally figured out it was because the system call to gam was getting intercepted by a "hey there's an update, wanna check it out?" message. There is a way to suppress this, where you touch a file in gam's root called nobrowser.txt -- look for details in the docs.

If you try to use this or a variant of it and you get stuck, I'm happy to try to help.
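The caveats above describe the two things that make a web form wrapped around gam risky: form fields go straight into a system call, and the only gate is a password in the POST body. The following is an added example, not nulldev1ce's account-maker.php, showing the input-handling half of a hardened version in Python. It keeps the thread's own rules (letters-only first and last names, username firstnamelastname, a dotted firstname.lastname alias, a four-letter noun plus four digits for the suggested password) and rejects anything else before gam is involved, then builds argv lists so no shell ever parses the values. The gam command syntax used (create user ... firstname ... lastname ... password ... org ..., create alias ... user ..., update group ... add member ...) is assumed from gam's documentation rather than taken from the thread; the domain and the noun list are constructed placeholders.

```python
"""Validated input handling for a gam-based account-creation wrapper (added example).

Not the thread's PHP script. Field rules follow the thread; gam syntax, the
domain and the noun list are assumptions.
"""
import re
import secrets
import subprocess

DOMAIN = "your.org"                         # assumed domain
NAME_RE = re.compile(r"[A-Za-z]{1,40}")     # letters only, per the thread's rule
ORG_RE = re.compile(r"/[A-Za-z0-9 ]+(/[A-Za-z0-9 ]+)*")   # suborgs separated by /
GROUP_RE = re.compile(r"[a-z0-9][a-z0-9.-]{0,63}@" + re.escape(DOMAIN))
PASSWORD_RE = re.compile(r"[A-Za-z0-9]{8,64}")
# Constructed stand-in for the 6th-grade vocabulary list.
NOUNS = ["bird", "book", "fish", "lamp", "leaf", "moon", "rain", "tree"]


class BadInput(ValueError):
    """Raised for any field that does not match its allowlist."""


def check(pattern, value, what):
    """Return value if it fully matches pattern, otherwise refuse it."""
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise BadInput(f"{what} rejected: {value!r}")
    return value


def make_password():
    """Four-letter noun plus four digits, chosen with a CSPRNG."""
    return secrets.choice(NOUNS) + f"{secrets.randbelow(10000):04d}"


def plan_account(form):
    """Validate one form submission and return the gam argv lists to run.

    Every field is checked before anything is built, so a rejected form
    never produces a partial account (no user without a group, etc.).
    """
    first = check(NAME_RE, form.get("first", ""), "first name")
    last = check(NAME_RE, form.get("last", ""), "last name")
    org = check(ORG_RE, form.get("org", ""), "org unit")
    group = check(GROUP_RE, form.get("group", ""), "group")
    password = check(PASSWORD_RE, form.get("password") or make_password(), "password")
    user = f"{first.lower()}{last.lower()}@{DOMAIN}"
    alias = f"{first.lower()}.{last.lower()}@{DOMAIN}"
    return [
        ["gam", "create", "user", user, "firstname", first, "lastname", last,
         "password", password, "org", org],
        ["gam", "create", "alias", alias, "user", user],
        ["gam", "update", "group", group, "add", "member", user],
    ]


def run(cmds, dry_run=True):
    """Execute the argv lists directly; no shell, so nothing is re-parsed."""
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    ok = {"first": "Hubert", "last": "OFlaherty",
          "org": "/Students/Grade6", "group": "grade6@your.org"}
    run(plan_account(ok))
    # The thread's own problem name: the apostrophe is refused, not passed on.
    try:
        plan_account(dict(ok, last="O'Flaherty"))
    except BadInput as err:
        print("rejected:", err)
```

Two things the code cannot fix on its own: who may submit the form belongs in the web server (the .htaccess or certificate approach mentioned above), not in a password field, and whatever account the web server runs gam as holds gam's full admin authorisation, so that account should be able to do nothing else on the box. The password also appears in the gam argv, which is visible in process listings on a shared host.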

nulldev1ce
Aug 16, 2002

Roargasm posted:

This ended up being really easy, thanks for the help :)

code:
gam print users query 'orgUnitPath=/Parent/Domain' | gam csv - gam update group mygroup@your.org add member ~primaryEmail

(Well MAKE it look easy why dontcha.) Thanks!

SopWATh
Jun 1, 2000

nulldev1ce posted:

I feel your pain.

For what little it's worth, here's the script I cobbled together:

http://dev.dresden.us/~mbates/account-maker.phps

Caveats:
...


I'll mess with this and see if I run into any issues.

We basically set all the passwords to the same thing, not because the kids can't remember their passwords, but because the teachers can't handle the kids that "forget" their password on the same day an assignment is due. Sigh.


Sheep
Jul 24, 2003
Anyone know what specific Admin rights are required to use the Quarantine Manager? I can't figure it out and Google's documentation just says "Administrator", which isn't a thing as far as I can tell. I did find a brief blurb ("An administrator is a user who has been assigned privileges to manage one or more organizations (see Create Administrators and Manage Authorization Records).") but the user in question has "All orgs" listed under the "Admin Rights" tab in the Admin roles page so it just looks like Google's documentation sucks in this case.

Edit: the answer was "superadmin" for anyone who is curious. Also quarantine manager is busted as gently caress right now so I wouldn't recommend anyone using it seriously in production.

Sheep fucked around with this message at 20:22 on May 13, 2015
