RM Unify Roadshow Events
Welcome
• Stuart Sefton – Glow Delivery
• Presenters:
  • Simon Thompson – Product Manager
  • Rob Potter – Architect
  • Rob Chandler-Toal – Architect
  • Tom Gregory – Programme Manager
Introductions & Agenda
Outline Agenda (1)
• Top Level View
• Provisioning & Authentication
  • Provisioning
  • SSO & Technologies
  • Authentication
  • Establishment Transfers (includes Identity Matching)
• Account Management (Demos)
  • Establishment Admin Tasks
  • LA Admin Tasks
  • Staff Admin Tasks
  • Self-Service Admin Tasks
Outline Agenda (2)
• Password Policy & Password Management
• Apps Process
• Transition Plan
• Q&A
Top Level View
• Focussed on usage of RM Unify – materials to help you
• Continue to invest in development and content
• The platform will remain open and flexible
Get to know RM Unify: from 10,000 feet
Launch Pad
• Access to SSO apps and web links
• RM Unify Admin: define layout for each role
App Library
• Discover online services
• Staff & Admins: install apps to Launch Pads
Management Console
• Manage your users
• RM Unify Admins: full access
• Staff: limited access
Roles in RM Unify
• Student
• Teaching Staff
• Non-Teaching Staff
• Other
• Parent
“RM Unify Admin” – a permission, not a role
Demo time
Whirlwind tour
Service Provisioning: data feeds in, data feeds out
Service provisioning
1. Provisioning RM Unify
2. Provisioning online services or “Apps”
(Diagram: Data sources -> RM Unify -> Apps)
Sources of user data
• User data can come from:
  • SEEMiS – changes in SEEMiS are synchronised
  • Web form – in Management Console
  • CSV imports
• RM Unify
  • provisions a user account
  • acts as a ‘router’ – passing on user updates
(Diagram: SEEMiS -> RM Unify -> Office 365, Glow Meet)
Data flow from SEEMiS
(Diagram: SEEMiS Admin -> SEEMiS users -> RM Unify -> Office 365, Glow Meet. RM Unify asks: “Which apps need to know about this user?”)
• Automatically keep services in sync
Data flow using web form
(Diagram: RM Unify Admin enters name, role and “Which apps?” -> RM Unify -> Office 365, Teacher App #1)
• Create a single user, quickly
Data flow from CSV
(Diagram: RM Unify Admin uploads a .CSV of users -> RM Unify -> apps. “Which apps for each role?”)
• Create multiple users in batch
What can we get from each source?

Source   Users (all roles*)   Student Stage   Registration Class   Teaching Groups
SEEMiS   Y                    Y               Y                    Y
CSV      Y                    Y               N                    N
Manual   Y                    N               N                    N

*Except parents
Provisioning approaches
In-advance provisioning
• App must know about users before access
• Example: Office 365 (email)
Just-in-time provisioning
• App creates account on-the-fly
• App knows the user is authorised by RM Unify
• Example: Simple reading app (bookmark)
Demo time
Installing an app
How are new apps provisioned?
• App is found in the App Library
• Privacy policy accepted
  • Important: this defines the data release
• Choose the applicable roles
• App is installed on the Launch Pads
• For apps needing in-advance provisioning: provisioning process starts
Provisioning a new app
(Diagram: RM Unify Admin installs “The Best Science App”; the app says “I need to know about the users”)
1. Get users in appropriate role (Students, Teachers)
2. Filter user attributes
How are apps de-provisioned?
(Diagram: RM Unify Admin removes “The Best Science App”)
1. Get users that were provisioned (Students, Teachers)
2. Send delete messages
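The two slides above (provisioning a new app, then removing it), worked through as an added Python example that is not RM Unify's code: the directory, the app and its attribute names are constructed, and the point is that the release is scoped by role and by the attributes the accepted privacy policy covers, while removal works from the record of who was actually sent.

```python
# Constructed sample directory for this example; attribute names are illustrative, not RM Unify's schema.
DIRECTORY = [
    {"id": "u1", "role": "Student", "name": "Alice", "email": "alice@example.org",
     "stage": "S3", "reg_class": "3A"},
    {"id": "u2", "role": "Teaching Staff", "name": "Bob", "email": "bob@example.org"},
    {"id": "u3", "role": "Parent", "name": "Carol", "email": "carol@example.org"},
]

# Hypothetical app as installed: roles were chosen at install time, and the attribute
# list is the data release fixed by the privacy policy the admin accepted.
BEST_APP = {
    "name": "The Best Science App",
    "roles": {"Student", "Teaching Staff"},
    "attributes": ["name", "email", "stage"],
}


def provision(app, directory, provisioned):
    """In-advance provisioning. Step 1: users in a role the app was installed for that
    have not been sent yet. Step 2: release only the attributes the policy covers.
    Records each user sent in `provisioned` and returns the create messages."""
    messages = []
    for user in directory:
        if user["role"] not in app["roles"] or user["id"] in provisioned:
            continue
        payload = {k: user[k] for k in app["attributes"] if k in user}
        messages.append({"op": "create", "id": user["id"], "data": payload})
        provisioned.add(user["id"])
    return messages


def deprovision(provisioned):
    """Removal works from the record of who was provisioned, not from the live directory,
    so a user who has since changed role or left still gets a delete. No attributes are sent."""
    messages = [{"op": "delete", "id": uid} for uid in sorted(provisioned)]
    provisioned.clear()
    return messages
```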
User Authentication
Logging into RM Unify, logging into apps
Logging onto Glow
• glowscotland.org.uk domain will continue to work
• Browser will redirect to RM Unify
  • from: portal.glowscotland.org.uk, secure.glowscotland.org.uk
  • to: https://glow.rmunify.com
Logging onto apps
• SSO apps – click and go!
• ‘Saved password apps’
  • Enter credentials first time
  • Not prompted again
  • Any device
Demo time
Saved password app: Edmodo
Logging out
• Single log out
  • Log off RM Unify, it closes sessions on apps
  • Can only log off SSO apps
  • Only sure way is to close the browser
Establishment Transfers: the account moves when the user does
Transfer: Automatic
(Diagram: SEEMiS -> RM Unify -> Office 365. Labels: E1, E2, CREATE, DELETE, CREATE ACCOUNT, MODIFY ACCOUNT, DISABLE ACCOUNT, Match E1/E2; Office 365 holds Users, Attributes, Security, Mailbox, OneDrive)
Automatic school transfer
• Most transfers will be automatic
• Email sent to the user’s O365 mailbox
• No approval needed from RM Unify Admin
• Audit available
  • E1 Admin sees – “Outbound transfers”
  • E2 Admin sees – “Inbound transfers”
Why the need to approve transfers?
Users may be enrolled in two schools concurrently
Why?
• Dual registered students
• Dual registered teachers
• Previous school processes leavers late
• Previous school forgets to process leavers
Dual registered users
(Diagram: SEEMiS -> RM Unify -> Office 365. Labels: E1, E2, CREATE, CREATE ACCOUNT, Match E1->E2; Office 365 holds Users, Attributes, Security, Mailbox, OneDrive)
What are the options?
User is in multiple schools – RM Unify knows this
What can happen?
1. User leaves E1 -> Automatically transfer user
2. User logs into RM Unify -> Ask them! [staff]
3. E2 Admin logs in to approve transfer
Mechanisms:
• Automatic
• Manual: Self-service, or Admin-led
Transfer: Automatic (delayed)
(Diagram: SEEMiS -> RM Unify -> Office 365. Labels: E1, E2, DELETE, MODIFY ACCOUNT, E1->E2; Office 365 holds Users, Attributes, Security, Mailbox, OneDrive)
Back where we left off…
User Management Demos – Robert Chandler-Toal, Architect
School Admin Tasks
• Approve manual transfers and download credentials for new accounts.
• Manually create a set of users.
• Delete users.
• Change user’s password.
• View and update a user’s attributes.
• Assign/remove staff member’s admin permission.
• Disable/enable user accounts.
LA Admin Tasks
• Manage Child Establishments.
Staff Admin Tasks
• Change student’s password.
• Change teaching/registration/year group members’ passwords.
Self Service Admin Tasks
• Set my home email address.
• Change my passwords.
• Reset my forgotten password.
Password Management: minimising administrative burden, maximising security
The password lifecycle
• How does a new user get a password?
  • SEEMiS – Download new user credentials
  • CSV – specify in the CSV
  • Manual web form – specify on creation
  • RM Unify AD Sync – synchronised from the network
• Forgotten passwords…
  • Wastes teaching time
  • Massive pain point for admins
  • Barrier to adoption
Forgotten passwords
• Self-service where possible
  • Non-students prompted for personal email address
  • Students can also provide one
• Email addresses are verified
• Email addresses can be changed (and re-verified)
• Please don’t use the Glow email address
“Please reset my password?”
• A student can:
  • Reset their own password, if email address verified
• A teacher can:
  • Reset the password of a single student
  • Reset the password of an entire teaching class
• An RM Unify Admin can:
  • Do all a teacher can
  • Also reset staff passwords
Personal password management
Encourage people to be good digital citizens
• Influence: setting their password
• Educate with a strength-o-meter
Assessing crackability
Approach developed by Dropbox (zxcvbn)
• Interactive approach
• Real world heuristics – aware of real techniques
• How ‘crackable’ is the password, in seconds
• RM Unify
  • Agreed a minimum bar for each role
  • Only allow a password that meets that bar
https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
What about iCloud?
• Apple iCloud was brute-force attacked
  • 4 digit PIN = 10,000 possible combinations
  • 0.1s per guess = 8.3 minutes for half the possibilities
• Experience with Easymail shows:
  • Brute force attacks are common
  • Must protect email services
  • Students like to lock out their friends
  • Admins do not like re-enabling accounts
Why won’t this happen to RM Unify?
• Locks out after 5 attempts for 1 min
• Auto-enables
• Locks out after another 5 attempts for 2 mins
• Auto-enables
• Locks out after another 5 attempts for 4 mins
• Auto-enables
• Locks out after another 5 attempts for 8 mins [you get the idea]
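The escalating lockout on this slide, modelled as an added Python example (not RM Unify's code): a 5-attempt lock whose duration doubles each round and clears by itself, put beside the slide's 0.1 s-per-guess arithmetic so the cost of the policy to a serial guesser can be compared with the unthrottled iCloud case. The state fields and the serial-guesser model are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Escalating lockout from the slide: 5 failures lock for 1 min, the next 5 for 2 min,
    then 4, 8, ... minutes, each lock clearing on its own (auto-enable)."""
    max_attempts: int = 5
    base_lock_s: float = 60.0


@dataclass
class AccountState:
    failures: int = 0          # failed attempts since the last lock or success
    lock_rounds: int = 0       # locks so far; fixes the next lock's duration
    locked_until: float = 0.0  # clock time at which the current lock expires


def attempt_login(state, policy, now, password_ok):
    """One login attempt at time `now`. Returns 'locked', 'ok' or 'fail'.
    A locked account rejects the attempt without evaluating the password, so
    guesses made during the lock learn nothing; a success resets the escalation."""
    if now < state.locked_until:
        return "locked"
    if password_ok:
        state.failures = state.lock_rounds = 0
        return "ok"
    state.failures += 1
    if state.failures >= policy.max_attempts:
        state.locked_until = now + policy.base_lock_s * 2 ** state.lock_rounds
        state.lock_rounds += 1
        state.failures = 0
    return "fail"


def brute_force_seconds(n_guesses, guess_s=0.1, policy=None):
    """Wall-clock seconds a serial guesser needs to submit n_guesses wrong passwords,
    unthrottled (policy=None, the slide's iCloud figure) or waiting out each lock."""
    if policy is None:
        return n_guesses * guess_s
    state, now = AccountState(), 0.0
    for _ in range(n_guesses):
        now = max(now, state.locked_until)   # wait for auto-enable before retrying
        attempt_login(state, policy, now, False)
        now += guess_s
    return now


if __name__ == "__main__":
    print(f"half a 4-digit PIN space, no lockout: {brute_force_seconds(5000) / 60:.1f} min")
    print(f"only 50 guesses with the lockout:     {brute_force_seconds(50, policy=LockoutPolicy()) / 3600:.1f} h")
```

With the doubling schedule, 50 wrong guesses already cost about eight and a half hours, against the 8.3 minutes for 5,000 guesses that the slide gives for the unthrottled case.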
Growing the App Library: in a world where content is king
App developer programme
• What kind of apps?
  • An app or link?
  • Education content providers
  • General use productivity apps
  • Apps of ‘local interest’
• Who can develop?
  • Third parties
  • Scottish Government: Glow services
  • LAs developing their own apps
Developer decisions
• How is it integrated?
  • SSO APIs
  • App Provisioning API (in-advance provisioning)
  • Graph API
• Developer sandbox
  • An establishment to experiment in
• Documentation
  • Developer Portal
  • Github SDK
Demo time
Developer Portal – the place to start – dev.rmunify.com
App development process
1. Online documentation: assess API requirements
2. Request a developer account
3. Define your app
  • Name, description, support notes, tags
  • Applicable roles
  • SSO technology and data attributes
  • Provisioning API configuration
4. Test: log in, log out
5. Submit for validation
Demo time
Developer Dashboard – define your app
App Contract Process
Stuart Sefton – Glow Delivery
• RM Contract Position and the Glow App Library
• Categories of Apps
  • RM Apps
  • Third party Apps
  • User Apps
    o Saved Password Apps
• What this means if you want an App added at LA/School Level
Transition Plan – Tom Gregory, Programme Manager
What Happens On 3rd October?
The transition from a user point of view
What does not change?
- URL
- Username and password
- O365 data
- RM Unify*
What does change?
- Log in screen appearance
- User management (ASM)
- Some tiles will go
These will go:
What do you need to do?
2+ site access is going
- One log in to one site
- Access to owning establishment only
- New credentials required for others
Parents and guests are going
What will actually happen?
Day by day
- Thursday 2nd – as normal
- Friday 3rd – day of change
- Monday 6th – all seeing new log in screen
- Monday 13th – all groups now in RM Unify
Friday 3rd in more detail
- No new users can come in that day
- No password resets that day
- No ASM work on that day
- New log in screen will appear late pm
Any questions?
Thanks
Stuart Sefton, Glow Delivery – ssefton@rm.com
e: [email protected]
t: @rmunify