G-Suite or Office 365?

It’s been five years of G-Suite administration, and two years of Office 365 administration. As I look back on the journeys with both, and look forwards to how we manage both platforms on a day by day basis, I’m struck by the different approaches Microsoft and Google have taken in the area.

To summarise, in case you don't read further: Google make it easy, Microsoft make it harder. And harder.

We found an example of this as we migrate staff mailboxes from on-premise Exchange to Office 365. With on-premise Exchange our engineers were able to perform any operation they needed from the GUI. A common operation is giving an employee full access to the mailbox of someone who has recently left. On premise, the Exchange Control Panel lets you do this. For some unknown reason, in Office 365 exactly the same operation requires PowerShell! So engineers have to learn a whole new set of skills.

Google, on the other hand, make everything available in the GUI and, rather sensibly, let us organise our users into Organisations and then decide for each Organisation which services it can use. So we can enable mail for some users and not others. Being a school, being able to disallow social network apps for younger users is important.

So why, I ask myself, does Microsoft pitch Office 365 at schools with no easy way to enable or disable services for groups of users? (In the GUI, that is. No doubt a few hours of research or some dollars spent with a consultant would let us achieve what we want.)

But in schools where staff are time poor, please Microsoft, make it a bit easier.


Apple Configurator 1.4

Hot on the heels of iOS 7, Apple have released Apple Configurator 1.4.

An important change is that the OS requirement has changed from 10.7 Lion to 10.8 Mountain Lion.

Configurator 1.4 supports the new iOS 7 restrictions and features including being able to specify AirPlay destinations and passwords, connecting supervised devices to any Mac, and configuring AirPrint printers.

These changes should take away the headaches many schools have around configuring Bonjour to allow AirPlay and AirPrint, and the inability to sync supervised iPads to computers in classrooms. The gotcha is that the devices have to be unsupervised and then supervised again.

Other improvements include being able to enrol multiple unsupervised devices into an MDM without touching the iPad and completing the setup and enrolment of Apple TVs into an MDM.

All up, this update looks like a pretty useful set of tools.

Allowing your devices to talk to Apple – part 2

Like many schools we’ve installed Apple TVs into our classrooms. Like many schools we also have restrictions in place as to what types of traffic can reach the internet.

Setting the Date and Time

When we first started up our Apple TVs, they all hung at the first screen, “Setting Date and Time”.

When an Apple TV first boots up, it looks for an NTP server to set its date and time. Rather than use a local NTP server, even if one is published, Apple TV tries to connect to time.apple.com.

time.apple.com resolves to an IP address in Apple’s 17.0.0.0/8 range, so if access to this range is allowed you should be fine. If not, check which ports are allowed to reach this range. On Apple’s support page at http://support.apple.com/kb/HT2463 they list the ports used by Apple TV:

  • TCP port 123 is used to communicate with a network time server.
  • TCP port 3689 is used to communicate with iTunes while using the iTunes Library Sharing feature.
  • UDP port 5353 is used by Apple TV for automatically finding computers with iTunes on your network using Bonjour.
  • TCP port 80 is used for communicating with podcast servers.
  • TCP ports 80 and 443 are used for basic and secure communications with the iTunes Store via the Internet.
  • TCP port 53 is used for regular DNS.

Port 123 is the important port for the date and time setting to work.

An alternative way to solve this problem is to run an internal DNS server which the Apple TVs use, and on this DNS server set up a record for time.apple.com that resolves to your internal network time server. We set up this internal DNS server to be used only by Apple TVs, so the rest of our gear can still contact Apple.

Avoiding the Updates

From time to time Apple release software updates, but they tend to do this without warning. With the release of iOS 7 we expect to see updates to the Apple TV’s version of iOS as well. We’re a couple of weeks away from holidays, so we would prefer to apply these updates then, having tested on one unit first.

Our solution for scheduling these updates is similar to one of the solutions for setting the date and time. On an internal DNS server we added an A record for appldnld.apple.com and gave it the IP address 1.1.1.1. Now that our Apple TVs can’t communicate with Apple’s update servers, they won’t prompt users to install any updates. When we’re happy to apply the updates, we’ll change the internal DNS record to point to one of the real IP addresses used for the update.
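As an added example (not from the original post), the following Python check audits the two DNS overrides described above: the time.apple.com record that must point at the school's own NTP server, and the parked update host that must not reach Apple until holidays. The internal NTP address 10.20.0.5 and the policy rules are assumptions; the check also flags that 1.1.1.1 is a live routable address, so parked download traffic lands on a third party's host, where an RFC 5737 documentation address such as 192.0.2.1 is never routed.

```python
import ipaddress

# Constructed records for the Apple-TV-only resolver described in the post.
# The NTP address is an assumption; 1.1.1.1 is the parking address the post uses.
INTERNAL_NTP = ipaddress.ip_address("10.20.0.5")
APPLE_RANGE = ipaddress.ip_network("17.0.0.0/8")
OVERRIDES = {
    "time.apple.com": "10.20.0.5",
    "appldnld.apple.com": "1.1.1.1",
}

def check_override(name: str, answer: str, updates_parked: bool = True) -> list[str]:
    """Return policy findings for one A record; an empty list means it is sound."""
    ip = ipaddress.ip_address(answer)
    findings = []
    if name == "time.apple.com":
        # NTP must stay on the LAN and hit the server we actually run.
        if not ip.is_private:
            findings.append(f"{name} -> {ip}: points off the LAN")
        elif ip != INTERNAL_NTP:
            findings.append(f"{name} -> {ip}: not the internal NTP server")
    elif name == "appldnld.apple.com":
        if updates_parked:
            if ip in APPLE_RANGE:
                findings.append(f"{name} -> {ip}: still reaches Apple, updates are live")
            elif ip.is_global:
                # A live public address parks the traffic on someone else's host;
                # an RFC 5737 address such as 192.0.2.1 is never routed.
                findings.append(f"{name} -> {ip}: routable third-party address")
        elif ip not in APPLE_RANGE:
            findings.append(f"{name} -> {ip}: still parked, updates cannot download")
    return findings

def audit(overrides: dict[str, str], updates_parked: bool = True) -> dict[str, list[str]]:
    """Run check_override across the whole override zone."""
    return {n: check_override(n, a, updates_parked) for n, a in overrides.items()}
```

Running `audit(OVERRIDES)` before the holidays reports only the routable parking address; running it with `updates_parked=False` after the record has been repointed confirms the update host is back inside 17.0.0.0/8.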

Getting rid of the tiles

We only want our Apple TVs used as AirPlay devices; they won’t be used for any of the native functions or channels on the device. A nice side effect we found of using an internal DNS server was that the only tiles which show are the Settings and Computer tiles. Much more elegant and less distracting for students and staff.

Allowing your devices to talk to Google

Recently I wrote about allowing devices to talk to Apple. One of the recommendations in that post was to allow traffic from your network out to Apple’s address range, 17.0.0.0/8.

At the moment I’m trialling a Chromebook enrolled into our Google Apps domain. The setup of the Chromebook needed to download some updates from Google before I could complete the enrolment. The updates failed inside our network in its existing configuration, so I looked around for documentation from Google on where their various services might be hosted.

Unlike Apple, Google’s services seem to be run from a number of different subnets. On the plus side, Google do publish an excellent guide on network configuration for deploying their services, whether that is just Google Apps accessed from any device or a full-scale Chromebook deployment.

The full document of Google’s Networking Best Practices for Large Deployments is available here.

The relevant piece of information I was looking for was their IPv4 address ranges, which they give as 216.239.32.0/19, 64.233.160.0/19, 66.249.80.0/20, 72.14.192.0/18, 209.85.128.0/17, 66.102.0.0/20, 74.125.0.0/16, 64.18.0.0/20, 207.126.144.0/20 and 173.194.0.0/16.

The Best Practices document is packed with useful information about managing proxy servers, PAC files, the ports used by various Google services and sizing your infrastructure to give users the best experience possible.
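As an added example (not from the original post), this Python audit takes a constructed firewall deny log and reports which blocked destinations the two allowlists discussed here, the Google ranges above and Apple's 17.0.0.0/8 from the earlier post, would have admitted, and which remain unlisted and still need a decision. The log layout, client addresses and destination addresses are constructed; one line is UDP 123 to Apple, because NTP itself runs over UDP even though the Apple port list quoted earlier reads TCP 123.

```python
import ipaddress

# Ranges quoted in the post: Google's published IPv4 blocks and Apple's 17.0.0.0/8.
GOOGLE_RANGES = [ipaddress.ip_network(n) for n in (
    "216.239.32.0/19", "64.233.160.0/19", "66.249.80.0/20", "72.14.192.0/18",
    "209.85.128.0/17", "66.102.0.0/20", "74.125.0.0/16", "64.18.0.0/20",
    "207.126.144.0/20", "173.194.0.0/16")]
ALLOWLISTS = {"google": GOOGLE_RANGES, "apple": [ipaddress.ip_network("17.0.0.0/8")]}

# Constructed firewall deny log (not real traffic):
# <epoch> DENY <proto> <client> -> <destination>:<port>
DENY_LOG = """\
1378800001 DENY TCP 10.20.5.41 -> 74.125.237.100:443
1378800002 DENY TCP 10.20.5.41 -> 173.194.38.9:443
1378800003 DENY UDP 10.20.5.77 -> 17.171.4.15:123
1378800004 DENY TCP 10.20.5.90 -> 198.51.100.20:443
1378800005 DENY TCP 10.20.5.41 -> 64.233.177.1:80
"""

def classify(dest: str) -> str:
    """Name the allowlist that covers dest, or 'unlisted' if none does."""
    ip = ipaddress.ip_address(dest)
    for vendor, nets in ALLOWLISTS.items():
        if any(ip in net for net in nets):
            return vendor
    return "unlisted"

def coverage(log: str) -> dict[str, list[str]]:
    """Group denied flows by the allowlist that would have admitted them.

    The protocol is kept in each flow on purpose: a rule opening only TCP 123,
    as Apple's list reads, would still leave the UDP NTP flow in this log.
    """
    groups: dict[str, list[str]] = {"google": [], "apple": [], "unlisted": []}
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] != "DENY":
            continue  # skip anything that is not a deny record
        proto, dest_port = fields[2], fields[5]
        dest, port = dest_port.rsplit(":", 1)
        groups[classify(dest)].append(f"{proto} {dest}:{port}")
    return groups
```

The unlisted bucket is what still needs a decision before the allowlist goes in; keeping the new exception to the ports actually needed, and keeping the logs, stops a whole /8 from becoming an unmonitored hole.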

Mac App store – creating an Apple ID without needing a credit card

It looks like Apple would like everyone on the planet to have at least one Apple ID.

If you’ve received a new Mac recently, it will have come with the iLife suite, iMovie, iPhoto and Garageband.

Chances are at some stage you’ll run software update (normally I end up doing this to update iTunes), and find an update to one of these apps.

They’re not paid apps, but when you try to update them you’ll most likely be asked for an Apple ID.

Trying to create an Apple ID through Apple’s website, or through the Mac App Store (by clicking the Create Apple ID button on the sign-in screen), takes you through a process which, when you get to the Provide a Payment Method screen, only gives you options for credit cards (this is the case in New Zealand – I assume the same in the rest of the world). It doesn’t seem fair to have to enter credit card details just to update a free app.

There is a way round this, and it’s similar to creating an Apple ID to download free apps.

In the Mac App Store, find a free app (Google Earth and Evernote are apps I use). Go through the process of obtaining it:

  1. Click the button to install the app
  2. You’ll be asked to sign in
  3. Click the Create Apple ID button
  4. Complete the fields required to create an Apple ID, but, because you’re trying to obtain a free app, there will be a “None” payment option available.
  5. Select this option, then download the free app. (You’ll need to verify the new Apple ID in your email).

Now that you have your Apple ID with no payment details saved, you should be able to go ahead and update your free apps from Apple.

Allowing your devices to talk to Apple – part 1

First we thought of Apple as a hardware company, selling computers. Then it became a software company, with its operating system (which it licensed for a time to other hardware manufacturers), its office suite (ClarisWorks, AppleWorks, Pages/Numbers/Keynote) and its multimedia tools (iLife, Logic etc.). It’s also a music retailer and, with its App Stores, has become a software reseller.

How many of us think of Apple as a Cloud service vendor? It’s been a subtle change, but a significant one. iCloud with its Photostream sharing methods, document storage and sync capabilities and Backup and Restore functionalities all rely on devices being able to communicate with Apple.

In the home world, this all works easily. Fire up a device and it can communicate at will to the outside world, so all of these services work just as they do on the TV ad – take a photo on your iPhone, and it arrives on your iPad. People start to expect this to work at work and school as well.

It’s common for an organisation to have some form of filtering or management of internet access in place. Each organisation will have different reasons and different policies. These systems were frequently designed to cope with traditional internet access: http://abadsite.com is probably blocked, and if someone has a good reason to be visiting http://abadsite.com there’ll be a process they can follow to be granted access.

But what are the URLs for Apple’s services?

Fortunately there’s a simple solution if your organization comes across a problem with Apple’s cloud services.

Apple’s servers all sit in the same IP address range, 17.0.0.0/8. If you can convince the person looking after your proxy servers/firewall to allow any traffic out of your network to this address range without having to be authenticated, many of your headaches will go away.

iOS 7’s a coming – what do we need to think about?

September 10th 2013 – “This should brighten everyone’s day”

New iPhones, new iPads? New laptops? A watch? What about the iMac? Looking back at the changes made in the last year or so, it’s been a while since all of these received some love from Apple. Oh, and the iPod as well; what does its future hold?

Going by the tagline, we should be expecting changes to all of these. If not, the schoolkid who has an old iPod shuffle and wants to have something for Christmas might be disappointed.

But, hardware aside, what’s going to brighten a Sysadmin’s day?

Apple have promised lots in the iOS 7 pages. New features are always good to have: “Institutions … can use their MDM solution to assign apps to students and faculty and staff members over the air” sounds brilliant.

What’s needed for all this to work though?

  • A robust wireless network
  • A network configured to allow push notifications to traverse it
  • An MDM solution, correctly deployed to allow communication to Apple
  • A copy of Mavericks server to cache apps locally (how many times will Garageband be downloaded before the internet pipe is swamped?)

And how about those VPP codes you have at the moment, deployed through Apple Configurator – how do they fit into this new world?

There’s a pretty hefty list of catch-up work to do if these aren’t in place yet. In the Southern hemisphere the academic year is on our side. We’ll get a few months before the new school year starts in January 2014 to work through these processes.

(oh, and don’t forget about proxy servers – an authenticated proxy server is great for tracking students and being able to have accountability, but for devices like iPads which want to access the internet at will, better think of a strategy to make these easy for people to use.)