Friday, 16 February 2018

Chromebooks? Yes Please.

We've started seeing more and more Chromebooks.

To those in education overseas, they're not exactly news, but they have recently become (slightly) less unusual in South Africa, and are (intermittently) available from local suppliers. With the advent of Android-compatible models, we can now use them across all of our "core" software.

So far, I've been very pleased with them from a sysadmin point of view.
Acer R11 C738T

Read on for more experiences....

We had a slow start to this, as the devices that were ordered were delayed in their arrival by quite some time (due to some shipping mistakes by the distributor). I suspect they went to another similarly named school in another province (we've had that happen with Apple products before, too!). That requires someone to really not be paying attention in the packing and shipping depts. :/

Of course, that has nothing to do with the devices themselves...

First: The Bad/Ugly


I've found one thing I *don't* like about Android-compatible Chromebooks - the managed app store (i.e. where you restrict apps to those you approve) is "frozen in time" to whatever apps were approved there at the time the user first signed into the Chromebook.

We've found one work-around/dirty hack - sign the user out, remove the user at the sign-in screen, and get them to sign in again, and it'll update (and freeze app selection again!) but at least you'll have the "current" app set.

Google support say this issue has been flagged with their engineers, but as they still consider Android on ChromeOS "Beta"; there's no ETA on when this will be fixed, but it seems like the sort of thing they'll iron out soon(ish).

Google support suggested one other "hack" to address this- if you force-provision an app after you approve it, it will also wind up on enrolled devices - this is useful for "non-negotiable" apps, but seems a bit "heavy handed" for optional apps. You can of course force-install on a per OU basis, which can be useful, but also makes things more complex and unpredictable (unless, of course... internal documentation!).

As the only real "wrinkle" I've found so far, it's not a train-smash, and other than that, I'm kind of left gawping at them going "why the hell are these not the mandatory BYOD schoolwork device?"...
Tablet mode. For when somehow a keyboard is not ideal

The Good

Everything. Else. 

We've mainly seen Acer R11 (mostly C738T) models, and we really like them, and a few CB5-132T; spec wise, they seem pretty much identical, other than the colour! Sure, there's a few small learning curves for all involved, but they're just so much better than Android or Apple tablets that it's not even funny. 
R11 also available as a white CB5-132T.
And can be used in this weird configuration.

Particularly great features:
  • Low cost (compared to any other commonly available device with similar specs/functionality, notably solid state storage).
  • Actual physical keyboard
  • Actual multi-touch touchscreen, with keyboard-disabling tablet mode if you want it.
  • High "ruggedness" - no moving parts.
  • Long battery life
  • Speedy reboots. 
  • Lovely 1366x768 IPS screens with Gorilla Glass for scratch resistance. 
    • Reasonable screen resolution and size for the average school desk.
  • Considerably less likely to get pushed off a desk than a Surface 3 (because: laptop form factor, with no "kickstand"). Yes, I've had a child push our imported Surface 3 off a desk during an exam. Cringe. Also, no official Surface supply in this country. 
  • Obviously(!) tight integration with GSuite.
  • Locked down, centralised control (with Chrome Device Management Licenses). 
    • Getting out of it requires physical hacking of the device (to hack a new/fake serial number into the firmware), depending on settings. 
    • You can lock logins down to members of your domain, which with the above really reduces resale value (of lost/stolen devices). It also means you can enforce policy fully. 
    • Once a user (who owns a device) leaves, you can simply deprovision the device from centralised management, have them "powerwash" it, log in with their own personal Gmail credentials and it's "fully theirs". 
  • Centralised OS management, done by Google. 
  • OS seems pretty stable and is, so far as I can see, much more secure than typical of Windows (also, less interesting to the average 0-day developer). 
  • Centralised provisioning of root certificates and wireless settings.
  • Centralised, forced provisioning of "essential" apps. 
  • Can work with USB and SD Cards.
  • Supports most media formats you throw at it. 
  • All of the tweaks you can apply to the managed device configuration(s). So many good things!
  • "Managed" Play store feature, with (optionally) only those apps you think are worthwhile being available. 
    • There are arguments to be made here that this may be overly restrictive. 
    • Of course, most children abuse this notion, and all too many will sadly abuse any other settings. The number of times you see kids just playing games in classrooms with oblivious teachers is not amusing. 
  • Pretty much all Android apps "just work". 
  • Work ought to be saved in the Cloud, so if the thing gets lost/stolen/falls in the pool, they're up and running again quickly. Balanced against that, there are still offline modes, in case you're out of Internet range. 
So long as you have a "true broadband" connection (and, at school level, I'm talking hundreds of megabits per second) and access to a Google Global Cache or a full Google Datacentre at low latency, life is very peachy with such devices. Obviously, you'll need robust WiFi with that... 
Tent mode. Handy for media consumption -
or having a textbook open on your desk

The Arbitrary

Things that might not be ideal for some, but are a non-issue for us.
  • Limited availability - very few suppliers, very limited stock. 
    • Not an issue if you plan ahead - and not an issue in many countries. 
  • Obviously, no Windows-only software. This only affects a tiny minority of our teaching and learning, and is due to externally mandated software requirements. 
    • VDI or other Windows labs provide options to work around that. 
  • Managed/Enterprise Enrolled mode precludes the likes of Crouton/Chrubuntu. 
    • Of course, if there's a compelling teaching/learning reason to need that, simply deprovision the device, have the pupil sign something promising to be extra-good, and off they/you go. One day, there will be a decent way of running a Java IDE (Hey, Oracle, port Netbeans already) and MySQL DB (likewise) on a Chromebook, and this need will fall away for us (to date, it's just the guys doing IT as a formal subject that have need of such a thing). 
  • Chrome Management Licenses are tied to a particular model "for life" - you can't, at least in GSuite for Education, simply maintain a central pool of n licenses in perpetuity. Increases per unit costs by about 10%. You can "recycle" within a model, however (if you RMA one, or replace one that was lost/stolen/irreparably damaged) after the previous one is deprovisioned. 
  • Limited on-device storage - so long as the pupil only installs limited apps, and stores only limited amounts of media on the device, this is a non-issue. 
    • USB and SDCard support provide some useful expansion options. 
    • And of course, there's all that cloud space which is what you should be using for storage.
  • If you get a non-Android code compatible model, things are less rosy. Simply avoid!

The Highlight?

It's the small things, sometimes. 

You can enrol users in 2FA (for a new user) without needing access to a phone number

This is the only platform I've seen that option for. 

Also, once the user is logged in, they make use of a Google Prompt-like "yes/no" tap-to-allow 2FA system if they try to log in elsewhere. Obviously, if they have other 2FA capable devices, they can also be used, but for Junior School pupils who are not allowed a mobile phone, this is a real plus - particularly as if you use your own phone, firstly, it stops accepting new pairings after a while, and secondly, you'll intermittently get s storm of 2FA codes delivered to your phone from random accounts... 

Persuade them to print out some backup codes and keep them safely, and you have a way to have junior school kids use 2FA without too much of a 'mare.

Thank you, Google! 

The Future?

I think the "value proposition" of Chromebooks is high enough that moving from BYOD to 1:1 has a lot to be said for it. 

Particularly because having one type of device (or at least, OS) in a class makes it MUCH easier for teachers to be on top of things, like making sure an app they want to use in a lesson (or flipped classroom activity) is likely to work, and so on. 

The larger size also makes it a little harder to "life hack" your way into not paying attention in lessons

Less of this sort of thing is only good:

https://www.wikihow.com/Text-in-Class
I remember also seeing some inventive student had hidden their smartphone or small form factor tablet inside their pencil case to watch a live stream of a sports match... 

It also means you can keep a small, consistent "pool" of loan devices that are quickly usable by any student who doesn't have one right now for all the usual reasons - and have almost zero use/attraction outside of school. 

If every student has a Chromebook, do you even need to support BYOD? 
Can you ban smartphones in classrooms (and on your network) outright? 

No comments:

Post a Comment