RM UnifyRoadshow Events

Welcome

• Stuart Sefton – Glow Delivery

• Presenters:• Simon Thompson – Product Manager• Rob Potter – Architect• Rob Chandler-Toal – Architect• Tom Gregory – Programme Manager

Introductions & Agenda

Outline Agenda (1)

  • Top Level View• Provisioning & Authentication

Provisioning SSO & Technologies Authentication Establishment Transfers ( includes Identity

Matching)• Account Management (Demos)

Establishment Admin Tasks LA Admin Tasks Staff Admin Tasks Staff-Service Admin Tasks

Outline Agenda (2)

  • Password Policy & Password Management

• Apps Process• Transition Plan• Q&A

Top Level View• Focussed on usage of RM Unify – materials to help you• Continue to invest in development and content• The platform will remain open and flexible

Get to know RM UnifyFrom 10,000 feet

Launch Pad App Library Management Console

Access to SSO apps and web links

RM Unify Admin: Define layout for each role

Discover online services

Staff & Admins: Install apps to Launch Pads

Manage your users

RM Unify Admins: Full access

Staff: Limited access

Roles in RM Unify• Student• Teaching Staff• Non-Teaching Staff• Other• Parent

“RM Unify Admin” – a permission not a role

Demo time

Whirlwind tour

Service ProvisioningData feeds in, data feeds out

Service provisioning

1. Provisioning RM Unify2. Provisioning online services or “Apps”

Data source

s

RM Unify

Apps

Sources of user data• User data can come from:

• SEEMiS – changes in SEEMiS are synchronised• Web form – in Management Console• CSV imports

• RM Unify • provisions a user account• acts as a ‘router’ - passing on user updates

RM UnifySEEMiSOffice 365

Glow Meet

Data flow from SEEMiS

Which apps need to know about this user?

SEEMiS Admin

Users

Automatically keep services in sync

RM UnifyOffice 365

Glow Meet

Data flow using web form

RM Unify Admin

Users

Create a single user, quickly

name

role

Which apps?

RM UnifyOffice 365

Teacher App #1

Data flow from CSV

RM Unify Admin

.CSV

Users

Create multiple users in batch

T

T

T

Which apps for each role?

Users(all roles*)

Student Stage

Registration Class

Teaching Groups

SEEMiS Y Y Y Y

CSV Y Y N N

Manual Y N N N

What can we get from each source?

*Except parents

Provisioning approachesIn-advance provisioning

• App must know about users before access• Example: Office 365 (email)

Just in time provisioning • App creates account on-the-fly• App knows the user is authorised by RM Unify

• Example: Simple reading app (bookmark)

Demo time

Installing an app

How are new apps provisioned?• App is found in the App Library

• Privacy policy accepted• Important: this defines the data release

• Choose the applicable roles• App is installed on the Launch Pads

For apps needing in-advance provisioning: Provisioning process starts

RM Unify

The Best Science

App

Provisioning a new app

RM Unify Admin

UsersBest App

install

1. Get users in appropriate role

2. Filter user attributes

Students

Teachers

T

I need to know about the users

How are apps de-provisioned?

RM Unify

The Best Science

App

RM Unify Admin

UsersBest AppRemov

e

1. Get users that were provisioned

2. Send delete messages

Students

Teachers

T

XX XX

User Authentication

Logging into RM Unify, logging into apps

Logging onto Glowglowscotland.org.uk domain will continue to work

Browser will redirect to RM Unify from: portal.glowscotland.org.uk

secure.glowscotland.org.uk

to: https://glow.rmunify.com

Logging onto apps• SSO apps – click and go!

• ‘Saved password apps’• Enter credentials first time• No prompted again• Any device

Demo time

Saved password app: Edmodo

Logging out• Single log out

• Log off RM Unify, it closes sessions on apps

• Can only log off SSO apps

• Only sure way is to close the browser

Establishment TransfersThe account moves when the user does

Transfer: AutomaticSEEMiS

E1

RM Unify

CREATE

E2

Office 365

RM Unify Admin

UsersAttributesSecurityMailboxOneDrive

CREATEACCOUNTMODIFYACCOUNT

CREATEDELETE

X DISABLEACCOUNT

E1E2

Match

Automatic school transfer• Most transfers will be automatic• Email sent to the user’s O365 mailbox• No approval needed from RM Unify Admin • Audit available

• E1 Admin sees – “Outbound transfers”• E2 Admin sees – “Inbound transfers”

Why the need to approve transfers?Users may be enrolled in two schools concurrently

Why?• Dual registered students• Dual registered teachers• Previous school processes leavers late• Previous school forgets to process leavers

Dual registered usersSEEMiS

E1

RM Unify

CREATE

E2

Office 365

RM Unify Admin

UsersAttributesSecurityMailboxOneDrive

CREATEACCOUNT

CREATE

E1

MatchE1->E2

What are the options?User is in multiple schools – RM Unify knows this

What can happen?1. User leaves E1 -> Automatically transfer user2. User logs into RM Unify -> Ask them! [staff]3. E2 Admin logs in to approve transfer

Mechanisms: Automatic Manual: Self-service, or

Admin-led

Transfer: Automatic (delayed)

SEEMiS

E1

RM Unify

E2

Office 365

UsersAttributesSecurityMailboxOneDrive

MODIFYACCOUNT

DELETE

E1E2

E1->E2

Back where we left off…

User Management DemosRobert Chandler-Toal - Architect

School Admin Tasks• Approve manual transfers and download credentials for new

accounts.• Manually create a set of users.• Delete users.• Change user’s password.• View and update a user’s attributes.• Assign/remove staff member’s admin permission.• Disable/enable user accounts.

LA Admin Tasks• Manage Child Establishments.

Staff Admin Tasks• Change student’s password.• Change teaching/registration/year group members passwords.

Self Service Admin Tasks• Set my home email address.• Change my passwords.• Reset my forgotten password.

Password Management Minimising administrative burden, maximising security

The password lifecycle• How does a new user get a password?

• SEEMiS – Download new user credentials• CSV – specify in the CSV• Manual web form – specify on creation• RM Unify AD Sync – synchronised from the network

• Forgotten passwords…• Wastes teaching time• Massive pain point for admins• Barrier to adoption

Forgotten passwords• Self-service where possible

• Non-students prompted for personal email address

• Students can also provide one

• Email addresses are verified• Email addresses can be changed (and re-verified)• Please don’t use the Glow email address

“Please reset my password?”• A student can:

• Reset their own password, if email address verified• A teacher can:

• Reset the password of a single student• Reset the password of an entire teaching class

• An RM Unify Admin can:• Do all a teacher can.• Also reset staff passwords

Personal password managementEncourage people to be good digital citizens

Influence: Setting their password

Educate with strength-o-meter

Assessing crackabilityApproach developed by Dropbox

• Interactive approach• Real world heuristics – aware of real techniques• How ‘crackable’ is the password in seconds

• RM Unify• Agreed a minimum bar for each role• Only allow a password that meets that bar

https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/

What about iCloud? • Apple iCloud was brute-force attacked

• 4 digit PIN = 10,000 possible combinations• 0.1s per guess = 8.3 minutes for half the possibilities

• Experience with Easymail shows:• Brute force attacks are common• Must protect email services• Students like to lock out their friends• Admins do not like re-enabling accounts

Why won’t this happen to RM Unify? • Locks out after 5 attempts for 1 min• Auto-enables• Locks out after another 5 attempts for 2 mins• Auto-enables• Locks out after another 5 attempts for 4 mins• Auto-enables• Locks out after another 5 attempts for 8 mins [you get the idea]

Growing the App LibraryIn a world where content is king

App developer programme• What kind of apps?

• An app or link?• Education content providers• General use productivity apps• Apps of ‘local interest’

• Who can develop?• Third parties• Scottish Government: Glow services• LAs developing their own apps

Developer decisions• How is it integrated?

• SSO APIs• App Provisioning API (In-advance) provisioning• Graph API

• Developer sandbox• An establishment to experiment in

• Documentation• Developer Portal• Github SDK

Demo time

Developer Portal – the place to start – dev.rmunify.com

App development process1. Online documentation: assess API

requirements2. Request a developer account3. Define your app

• Name, description, support notes, tags• Applicable roles• SSO technology and data attributes• Provisioning API configuration

4. Test: log in, log out5. Submit for validation

Demo time

Developer Dashboard – define your app

App Contract

ProcessStuart Sefton – Glow Delivery

App Contract Process 

• RM Contract Position and the Glow App Library

• Categories of Apps RM Apps Third party Apps User Apps

o Saved Password Apps• What this means if you want an App

added at LA/School Level

Transition PlanTom Gregory – Programme Manager

What Happens On 3rd October?The transition from a user point of view 

What does not change? - URL

- Username and password- O365 data- RM Unify*

What does change? - Log in screen appearance

- User management (ASM)- Some tiles will go

These will go:

What do you need to do?

2+ site access is going- One log in to one site

- Access to owning

establishment only

- New credentials required for

others

Parents and guests are going

What will actually happen?

Day by day- Thursday 2nd – as normal

- Friday 3rd – day of change

- Monday 6th – all seeing new log in

screen

- Monday 13th – all groups now in RM

Unify

Friday 3rd in more detail- No new users can come in that day

- No password resets that day

- No ASM work on that day

- New log in screen will appear late

pm

Any questions?

ThanksStuart Sefton, Glow Delivery – ssefton@rmcome: rmunify@rm.comtw: @rmunify