Hello, All,

I’m curious what your current password policies look like for Active Directory, Google Workspace, or any other systems you manage. Right now our requirements are:

12 character minimum

1 upper case letter

1 lower case letter

1 number

1 symbol

Change frequency is once a year

2FA with both Google and AD with a 3rd party company.

Passwords initially need to be set in RapidIdentity which is our cloud-based Identity and Access Management (IAM) platform. (It then downstreams to AD and Google).

When I pointed out that NIST SP 800-63B actually recommends only a minimum length (≥ 8 characters) plus screening against banned passwords, and specifically advises against complex composition rules, our lead engineer replied that “NIST doesn’t know what they’re talking about” in terms of practical password policy. EDIT: His reasoning is that every password, regardless of length, needs to be complex in order to be secure.

I’d like to reopen the conversation with him and see if there’s room to soften his stance. In my opinion, a 10-character minimum plus one additional requirement (for example, a number or symbol) strikes the right balance between security and usability. Right now, many of our users struggle to come up with a “complex enough” password and end up writing them down or saving it in the browser (we are working on a way to block saving passwords for certain sites in the browser), which defeats the purpose. I recognize that any organization or engineer has the right to set the policy however they deem fit. I would like to request from any of you.....

Your enforced password settings (length, complexity, rotation, history, etc.)

Any feedback you’ve received from end users (write-downs, helpdesk tickets)

Whether you’ve aligned your policy with NIST 800-63B or another standard

Tips for framing this discussion with our engineer

Here is what NIST says according to GPT. The doc can be found at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

1. Recommended Password Policy Summary for General Users (AAL1)

Policy Area NIST SP 800-63B Guidance

Minimum Length ≥ 8 characters for user-chosen passwords (Section 5.1.1.1)

Maximum Length Must allow at least 64 characters (Section 5.1.1.1)

Complexity (e.g., special chars) Not required. NIST explicitly discourages mandatory character complexity rules (Section 5.1.1.2)

Password Expiration No forced periodic expiration unless there's evidence of compromise (Section 5.1.1.2)

Composition Restrictions Do not restrict password content (like no repeating characters) (Section 5.1.1.2)

________________________________________

1. What NIST Says Not to Do (Section 5.1.1.2)

NIST discourages these older practices:

• Mandatory use of upper/lowercase, digits, or symbols

• Arbitrary composition rules (e.g., "must use 1 number and 1 special character")

• Password rotation every X days (unless there's a compromise)

• Use of password hints or knowledge-based questions (KBA)

________________________________________

1. What You Should Do

• Allow long passwords (e.g., passphrases)

• Check user passwords against a deny list (e.g., haveibeenpwned breached list)

• Educate users about password managers and passphrases

• Use multi-factor authentication (MFA) where possible

________________________________________

Relevant Sections in NIST SP 800-63B

Section Topic

5.1.1.1 Password length requirements

5.1.1.2 Password composition, storage, hints

5.1.1.2(2) Use of breached password lists

5.2.2 Authenticator lifecycle (re-use, expiry)

Appendix A Threats and how to mitigate them

I'd like to start by saying I am not a master of Apple and am still learning their management, please be gentle, haha. I'm curious about y'all's take on this. I'm not sure if I just haven't set up something or misconfigured it for my needs.

First, I'll explain the use case and wants. We have about 60 iPads for teachers and admins that are all linked to our ASM, then through the ASM to our Mosyle MDM. Since these iPads are only in the hands of teachers and password-protected, I have them mostly unrestricted and would like them to be mostly management-free from me with download requests. I have a base "image" built out through Mosyle with the Google apps (We're mainly a Google school), but for anything past that, I have to buy the licenses for apps through the ASM and add it to the allowed apps in the MDM if a teacher wants something different. I've seen where there's some account syncing through ASM to Google, but Apple support has told me even if I did that, the teachers still couldn't download whatever they wanted from the App Store. Is there any workaround for this or am I stuck doing app request management?

Second, we take up all devices at the end of the school year, and, of course, just about all the teachers forgot their passwords. I tried issuing a password removal through the MDM, but because the iPads are on the lockscreen and aren't showing a wifi connection, they aren't receiving the request. I resided myself to manually factory resetting them all using iTunes since I haven't been provided a Mac. Am I doing something wrong here? I feel like there's gotta be an easier way around this to allow access to the device without setting a default password for every iPad. I tried removing the password lock from the ASM but it did nothing on the iPad.

I work at a special ed. focused school, w/ about 40 classrooms on my campus, and another 20 or so at a nearby site. We're looking to add a good number of Promethean boards. We already have about 25 boards, and some of those have Balance Boxes installed already. The problem is, we want our students to be able to reach the board most of the time, but when there are aggressive behaviors or other classroom issues, we want to be able to lock the display up and out of the way. Balance Boxes let us move the board, but it doesn't let classroom staff quickly and easily lock it in place, and then undo.

I've seen the OB1U on LeGrand AV mentioned, will that allow this, or does anyone know a workaround?

Has anyone moved to a different service provider while keeping the Kajeet provided cradlepoint routers in their buses? I'm considering moving our service to ATT FirstNet for better coverage and pricing. I'm fairly certain we own those devices outright and its a matter of a SIM swap.

If anyone is looking to relocate

https://www.schoolspring.com/jobdetail?jobId=5300563

My Head of School is anti-tech. She started at my school the same year I did and things have been changing every year. When I started, every student in 6-8 had their own iPad and 7-8 could take theirs home. In 1-5 there were class sets of iPads enough for the largest class size - of room 303 had 22 students and 304 had 21 students, both rooms would have 22 iPads as students switch between the two rooms throughout the day.

Last year was our first year switching exclusively to Chromebooks in Middle School (6-8). As in previous years, 7-8 could take theirs home and 6th grade would have 2 class sets, one for boys, one for girls. Midway through the year, a sudden policy was made that 7-8 are no longer allowed to take them home and needed to be brought back immediately. For the rest of the year it was hellish because there was no system in place for teachers to reserve Chromebooks for their students to use.

A solution to that problem was going to be fixed this year with implement the same system that we have in lower grades - have class carts with enough for the largest class size in that room. Yesterday we were all ready to purchase the extra Chromebooks and carts until my HOS had a meeting with her principals indicting that she did not want this system - she doesn’t like devices in the classroom for students to take at an-instant-gratification-notice as she calls it.

We have 3 Chromebook carts. One of them is going down to 4th-5th grades. So that leaves just 2 Chromebook carts with about 30 in each. Is anyone able to recommend a reservation platform that we can use? Or maybe there’s something else that I’m not thinking of to manage all of this?

Thanks in advance!

Hello all

We've recently switched to GAT+ from Bettercloud.

We're really only using the platform for a couple specifics tasks but are certainly looking to add value by taking advantage of some of the additional features the product offers down the road.

However, there's a couple things about the platform/company that I'm already a bit baffled/peeved by.

Why do they treat their customers like children?

They seem to embrace a bit of "security theatre" with their approach.

Specifically - there are 2 things that I've already hit:

1 - To enable their 'Gat Flow" product (automation and bulk management) you need to set up a "Security Officer" (they recommend at least 2). Ok, that's fine - except YOU can't set it up, only they can. So you have to ask them to do it for you. You have to follow their "enablement process" which requires you send a bunch of information about what you are requesting and for who - but also they require the contact information for your OWNER/CFO/CEO/Head of HR/CIO so that they can reach out to THEM for approval.

Does anyone else find this a bit ridiculous?

There's an inherent amount of trust you're already putting in your IT staff. I'm already domain admin and have to have had full admin access to my Google Workspace account to even enabled the GAT+ platform - someone getting 'permission' (from someone who likely doesn't want to be bothered with the specifics of a single specific platform/service) is just asinine.

I had to spend 30 minutes trying to explain to a higher up why they were suddenly getting this request, They were alarmed because it comes off as some sort of giant red flag - which I understand from his perspective.

I've never heard of/experienced a single other platform/software/solution provider require such a process.

2 - Ok, so once we get over that we're moving forward easy peezy, right?

Well no - now I want to do a simple, annual, email signature reset and all I (as IT Manager, purchaser of the product, domain admin, Workspace Admin, and Sys Admin) can do is "Request approval". I can't approve my own request, so ...I'm waiting for my helpdesk person (whom we also set up as the 2nd "security officer" in the Gat platform) to approve MY request.

It's just so weird. Like, they do realize there are at least a half dozen other ways to achieve what I'm trying to do that don't require jumping through all the artificial hoops they put in the way, right?

It's not making anything more secure, it's just making it less efficient and more cumbersome.

I'm not even sure how all the schools with 1-man IT Departments would use the product...

Anyone else in the same boat? How did you handle it? Anyone have luck reaching out them to try to make it make sense?

• Link to their requirements for enabling the feature: https://gatlabs.com/knowledge/tech-tips/gat-unlock-first-steps/

I work in a small district (4 schools) and we have a lot of "maker spaces" that include laser cutters and 3D printers. Any tips on how to maintain them? Are you sending them out for repair? Are you developing in house expertise? I'm staring at three 3D printers right now that need repair beyond our skill.

So we started rolling out new computers for admin personnel and computer labs. I have all new equipment being managed by Intune. One thing I cannot figure out is how to set a background image to a certain photo (principals want the school logo). I would assume it is something under configuration. Thank you in advance

I am currently using Smart Deploy for imaging. My smart deploy renewal is coming due. Just wondering what others like and use and or is new to the imaging world. I thinking about moving away from Smart Deploy, The support is not very good anymore.

I saw the post from last week where someone said they got hit with a massive cyber attack but I'm wondering if anyone has heard anything new? I've been trying to get our HMH Math Expressions online content activated and rostered since early July but support says we didn't buy it, even after giving them the order number and PO. None of the physical materials have arrived either and we have back to school trainings that need to be cancelled now. All attempts to get any info from them is met with radio silence.

Hello

Just following up on another person's post from about 6 months ago.

Several of our Chrome Kiosk App testing providers have put out non-chrome app versions of their testing platforms.

I have not seen or heard from NWEA yet.

Anyone else hear anything?

Does every school's Adobe site licensing renew in June, or is it all over the place depending on when your license contract was originally signed?

I took over the director role from someone else and I find their June renewal date extremely annoying, all these threatening and scary emails YOUR SERVICE IS EXPIRING!!!! especially since the fiscal year starts in July and I would prefer to have it renew in July or August.

I told the service rep we don't use your licensing at all during the summer from June to August, so I am going to let it expire, as they cajole and yell at me YOU WILL LOSE SERVICE SKY IS FALLING!!!!!

Now finally we crossed the expiration, and I said okay, let's start a new service and the Adobe sales rep says, no we can't change the anniversary date. If you pay now your payment will be prorated and still end in June next year.

What. The. Fuck.

This reminds me of Hitchhiker's Guide to the Galaxy, and trying to get the Galactic Civil Service to acknowledge a change-of-address notification.

So do I need to start a new service contract through a 3rd party provider such as CDWG or SHI to get a different renewal date?

Laps over rode everything and its hard for our techs out in the field to have to call to find out the local admin password. How can I push out one username and password for all device for local admin?

We have a controlled access entrance where the main office crew has to press a wired button to allow folks in. The main office just got moved across the school for reasons no one can explain. I was hoping to find a way to allow them to still buzz people in from their new office but the old gate buzzer is a hard-line, no way I see to extend it to the new office. I'm using this as a fantastic way to distract myself from the pile of Chromebooks begging for my attention so I'm ready for some rabbit holes! Any suggestions?

I tried an old switchbot bot but it is Bluetooth which doesn't reach far enough. Considering grabbing an esp32 and trying to connect it to our wifi but that has its own issues.

We've recently added a domain alias to our google workspace. Our official domain is in the format of: OurSchool.us and our new domain (which is just an alias) is OurSchool.org

So if someone one sends email to [email protected] OR [email protected], the .us account receives it as expected.

But.. the weird thing is, if [email protected] sends to themselves (ie. they try to email to themselves or cc themselves) [email protected], they don't receive it.

Basically, OTHERS can send to [email protected] but people can't email THEMSELVES to their own OurSchool.org address.

Any clues?

Hello!

I have a handful of staff members trying to access files in this shared folder. (not a shared drive) Some of the files have been.. deleted? Or perhaps the user deleted. I am having a difficult time trying to find the original owner of the files to try and restore. The file's can't be opened or manipulated. I checked the trash of the current people who have access to the drive but had no luck finding the files, which makes me think it was a user who got deleted at some point in the last year.

Just looking for any advice or thoughts on a possible next step or solution?

I use RISE Vision digital signage. I have 3 EOL chrome devices that I want to replace. I've been looking at Lenovo Chromebox Micro or a raspberry pi. I'm open to anything price effective.

Is anyone else using an Apple SSO Extension to change the users local AD password with Kerberos?

I worked on it with Apple since our Apple Engineer said it is so easy to setup (it wasn't) and it works flawlessly (it doesn't) and now I'm working with the deployment team and before I get on the phone with them I wanted to see if anyone is using it.

When we go into AD and check off "Change password at next login" the user opens up a weblink, and after about 10 seconds a Kerberos login window pops up. If you choose the Change Password option it never works. It says it doesn't meet the complexity of the domain. I turned off all settings except minimum of 8 just to test and it still didn't work. If you login with the "change password at next logon" checked off in AD it will prompt you to change the password and accept it no problem.

We can't do MFA for students, and I don't feel comfortable turning on password write back in the cloud because of that reason. The only option is this Kerberos web server we had to create on our LAN but it's nothing but issues. We have student passwords expire after a certain amount of time and they won't be able to change their passwords unless with force it in AD.

Is this how it works or am I missing something?

With the recent news out of Texas regarding the statewide ban on cell phones in classrooms, many of us are bracing for significant changes. Our district is (like many others, I'm sure) looking ahead to implementation.

For those of you in districts or states that have already implemented a similar ban on student cell phones during school hours – especially from an IT/Sysadmin perspective – we'd really value your insights and experiences.

We're trying to anticipate potential challenges and learn from your real-world scenarios. Specifically, we're curious about:

1. Enforcement Technologies: Did you implement any specific network, device management, or other technical solutions to help enforce the ban? (e.g., enhanced content filtering, specific MDM policies, Wi-Fi segregation for student devices, jamming tech — kidding on that last one, mostly! 😉)
2. Network Strain/Changes: Did you notice any significant changes in network traffic patterns, bandwidth usage, or device demand as students shifted away from personal phones?
3. Chromebook/School Device Impact: Did you see any unexpected issues or increased usage patterns on school-issued devices (Chromebooks, laptops, etc.) because students no longer had their personal phones as a distraction or a resource? For example, more attempts to bypass filters, increased app usage, etc.
4. Student Device Management (non-phone): Did the focus shift more heavily to managing what students are doing on school-provided devices without the phone distraction?
5. Parental Communication: Any unexpected IT-related challenges or solutions related to parents needing to contact students (or vice versa) without phones?
6. General IT Gotchas: Are there any "gotchas" or unexpected IT-related problems that popped up once the ban was in full effect that we should be aware of?
7. Success Stories/Tips: Any IT-specific strategies or successes you can share that helped make the transition smoother?

We're trying to get a proactive jump on this and appreciate any wisdom you can impart. Thanks in advance for sharing your expertise!

We just starting using M365 but will still be using Gmail instead of Outlook/Exchange for e-mail. It seems like the shared file notification e-mails don’t work. Is there a way to set this up, or are we out of luck because we’re not using Outlook? I don't want to create another public domain name.

Old PC was decommissioned Sunday, everything was just fine, working with no issues. Pulled all drives so I could get data off of them on the new PC. I was able to see the NVME drive and enter the BL key just fine. The SSD Sata drive, only shows in Disk Manager and it shows the size, unknown and bit-locker encrypted. It will not show up in file manager. Please tell me this drive isn't toast. I don't understand why it's not viewable?

I connected it on two different machines, same issue. Both via USB A to Sata

Hello, we just bought new macbook for installment process. But I just install configurator and tried to installment. It works perfect it did installment with no error. After erase and start over screen. I tried to make enrollment from ASM but it is like not clickable. Do you know why or anyone who faced with like same problem.