Many schools are now running Chromebooks which means numerous people are learning how to best set up their staff and students in the Admin Console. Often it is learning on the fly unless you have the good fortune of being able to attend a workshop on best practices when setting up the Admin Console for your district. I am in my sixth year of using the Google Admin Console and have learned many lessons on how to best setup different features and the main layout of our students and staff in the organizational units (OU’s). This post is not going to go into any tips on some of the core services but will focus on the setup and utilization of specific features within the Admin Console.
Users & Organizational Units
Setting up the users into their organizations was probably the most challenging piece as it took a lot of playing around to find what worked best. It came down to a lot of trial and error and in my first few years, I would spend hours each summer moving classes around and getting everything set for the new school year. Now the end and start of the year setup is very quick and easy with a system that I have found works very well.
They key is creating the correct OU (Organizational Unit) structure. I used to have a general Students OU and within that our district has 3 grade groupings so I have an Elementary, Junior High, and High School OU. Within each OU I would have the class OU by graduation year with all the permissions attached. We do what is called a walled garden for our elementary students which means they can not email anyone outside of our G Suite Domain and cannot receive an email from anyone outside of our G Suite Domain. As students move to the junior high we open that piece up so they can receive an email from anyone. The problem was each year I would have to go through and adjust the permissions for each grade and it is very easy to forget some of the settings you may have unique for the different levels.
The new method I have been using the past two years is I have an overall Students OU with the breakdowns of Elementary, Junior High, and High School like I have always done. This is where I do things differently, under the High School OU I have a 12th Grade, 11th Grade, 10th Grade, and 9th Grade. The Junior High OU contains the 7th and 8th grades and then the Elementary OU has Grades 3 through 6. I attach the permissions to the grade levels which controls who students can email along with other age-specific permissions we use. Then I create an OU for each grade based on graduation year and keep it set to the defaults so it inherits the permissions. Last year, for example, the 6th Grade class is the Class of 2024 so I had the 2024 OU under the Grade 6 OU and this year I moved it to the 7th Grade OU which automatically opened everything up for the students so they can send and receive email outside of the domain. As students progress through the grades the permissions attached to the grade become assigned to their OU. As that class moves into high school they will automatically be assigned the differences we have between junior high and high school.
I no longer need to go through and make all the changes within the grade OU which I always missed some changes. Now the changes are done to the grade level and as I progress their class OU through the system in inherits the permissions specific to what grade they are in. If there is any confusion on this explanation just let me know in the comments. Click on the image to the left to view a full-size image of our structure for students.
The rest of the staff and other organizational OU’s are much easier to set up and you just need to find what works best for your district. We are a smaller school so it is a little easier for us in setting everything the way we need it.
The filter system is one I rely on daily and has helped me in catching many different situations before there were severe consequences. This is also a feature that not many people seem to know exists. To find it log in to the Admin Console > Apps > G Suite Core Services > Gmail > Advanced Settings. Scroll down to the Compliance Section and under it is Objectionable Content. This is where you can set the filters up and my suggestion is to do it just for the overall Students OU as the rule will just look at email going in and out of their accounts.
Hover over objectionable content and select the option to add a rule. You can choose what it applies to, just internal inbound/outbound email and/or external inbound/outbound email, I select all the options so it looks at all email going in and out of students accounts. You can then add words that it will look for in the email, I have close to 400 words in the list and includes words used for bullying, suicide, and many other topics. You can then set what happens if one of the words is found in the list. I created an email account called filter and set the filter that if it sees one of those words it modifies the message by adding a recipient and it will forward a copy of the email to my specialty filter email account without the student knowing. You can have it go to as many people as you want. I find a lot of emails can be caught and a lot of it is spam. What we do is a check the email account once or twice a week and if anything jumps out I investigate it further or forward off to our guidance counselor or principal right away if needed.
You can also under additional options manually add email addresses that it will ignore and not scan for the words. Dicks sporting goods is one example but you will find depending on what words you put into your list it might catch spam from specific sites so if you add those email addresses to the bypass list it will significantly reduce the number of emails you have to scan through. Again, this is probably the number one feature I utilize and probably one of the least known features as I have found when talking with other administrators of G Suite.
Pros and Cons to the App Settings for Chromebooks
The apps section is one of the most visited areas in the Admin Console I use on a regular basis. Administrators have two options when setting up what Chromebook apps students can and can not use. My suggestion is to block all apps except for the ones you whitelist. It is a bit more work up front as the only apps students can install are the ones you approve. This rules our students installing VPN’s which is my main reason for this setting and it ensures no unsafe apps are installed. The first year or two I was unblocking quite a few apps and had an application process the kids could use to submit apps they wanted open. I opened up quite a few to start which covered most of the apps but now it is rare that I have to open up any apps. The only annoyance about this setup is Chrome themes viewed as apps so any themes students want to use they have to email me. Since we are a small school it isn’t too big of a deal and only a few kids email me at the beginning of the year. If we were a larger school I might decide on no themes just for the ease of management.
The Google Vault feature is probably the most used section of the Admin Console after Users because this is where you can view what is in students email accounts, Hangouts, and their Drive. Our district does random laptop checks which check for the condition of the laptop and content on the laptop. Now it is more straightforward as I can randomly check right from Google Vault and we have homeroom teachers do quick periodic laptop condition checks. The typical situation is a teacher or administrator overhears or sees something suspicious and asks me to check in on a students account.
We follow the suggestions for archival and keep all email/files for seven years, even if someone deletes the email or file it is still kept in the vault until it crosses the seven-year mark. The vault is where we have caught many inappropriate things students have done over the years. Between the filters explained earlier and the vault you have complete visibility of the students accounts as you need.
In our opening presentations at the beginning of the year, I make it very clear to students each year that they can not expect any privacy while using the network and any services we provide. The filter we use allows for us to lock down email accounts so the only account they can use while at school is their school provided email account. We also lock down the Chromebooks so they can only log in with their school email account on the Chromebook. When students are at home they can add their personal accounts on the laptop but the minute they hit the school network those accounts are inaccessible.
Google Vault is a great tool and is one of the most essential tools I use fairly frequently.
The topics discussed do not cover every aspect of the Google Admin Console but focuses in on some of the great features that I take advantage of routinely. If you have any other suggestions to add please leave them in the comments below and I will be sure to add them to this post! Part two will be posted in the coming days and will address the topics of managing your devices, Google Groups, and the Reports feature.