r/k12sysadmin

|To our Instructure Community,

We know that for many of our customers, concerns about the potential publication of data related to this incident remain top of mind. We want to acknowledge those concerns directly – we understand how unsettling situations like this can be, and protecting our community is also a top priority for us.

With that responsibility in mind, we reached an agreement with the unauthorized actor involved in this incident. As part of that agreement, the data was returned to us, we received assurances that it will not be further shared on the dark web or elsewhere, and we received proof that any copies of that data were deleted. Further, we have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise. While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give our customers additional peace of mind, to the extent possible.

We are sharing this update in the continued interest of transparency and so that our customers know that we have addressed this element of the incident directly. To reiterate, the agreement covered all of our customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.

We appreciate your patience and trust as we continue to respond to this incident thoughtfully and comprehensively. We remain committed to providing meaningful updates as our work progresses.

Regards,

The ShinyHunters claim against Follett Software deserves more K–12 attention.

As of now, the Follett incident appears to be an unverified threat-actor claim, not a fully confirmed breach. Multiple breach-intel sites report that ShinyHunters listed Follett Software around April 30–May 1, alleging access to 4M+ Salesforce records containing PII and internal corporate data. I have not found a public confirmation from Follett, Salesforce, or law enforcement.

The bigger story is the pattern: ShinyHunters has been repeatedly targeting education and edtech, especially SaaS/Salesforce-connected environments. That matters for K–12 because vendors like Follett sit close to student, staff, library, asset, and district operational data.

Is the lack of press because of the Canvas breach? Canvas/Instructure has dominated headlines because it involved nearly 9,000 institutions, claimed 275M users, service disruption during finals, and an announced agreement with the hackers.

But Follett still matters. Districts should not wait for national coverage before asking vendors hard questions:

What data was accessed?
Were student or staff records involved?
Was Salesforce or a third-party integration the entry point?
What logs were reviewed?
Will districts receive formal breach notifications?
What indicators of compromise can customers monitor?

K–12 cannot treat vendor breaches as background noise anymore. The attack surface is now the ecosystem.

Hello,

Small school of roughly 1000 students, looking at improving our backup/recovery situation. Currently, most of the lifting is done by a QNAP unit that is getting old.

I have a quote for a backup server to the tune of $15,000 just for the hardware. Veeam and what not would be separate.

Am I crazy to think that a modern NAS setup, or even a refurb server with Truenas can still do the same job for us? Probably both for the same price or less? Remember this is just one school, and not a large one either.

As long as i am asking, what is your backup situation when it comes to hardware? Does the cloud make sense for you guys in a small environment?

Thanks in advance

I inherited the administration of my school district's Google Workspace as my IT Director up and left a few months ago. We are having a HUGE problem with valid emails going into Admin Quarantine. I noticed this while testing a new email account for one of our teachers. When I go into Moderation, I can see them all there, and there were more in there than I thought.

I did the best I could to go into Apps>Google Workspace>GMail>Spam, Phishing and Malware to set up Spam settings, even creating lists to put in valid email addresses and Domains. But no matter what I do, emails from domains that are in the list, set to bypass, still end up in the Admin Quarantine.

I'm not sure what our former IT Director set up, but I can't fix it. Also, at the top of the email header, there is the line "X-Gm-Auto-Quarantined: 1", which I found out means that it gets sent to Quarantine.

This is driving me crazy... Even as I type this I see emails that seem VERY important sitting in Moderation. I can release them, but I can't be checking Moderation all day... should I be?

I really need some help on this....

Whether on YouTube videos, articles, reviews, real-world school deployments, etc., about how the new “Neo” Macbooks are working in education environments.

Part of my reasoning is honestly the price point and the image/perspective Apple gives off for a school trying to move toward more modern tech. (literally just opened up an Esports and Exploratorium with state of the art equipment)

Current setup at our small private school:

• K–3 = school-managed Chromebooks
• 4–12 = BYOB
• Staff = mix of unmanaged Windows laptops and Chromebooks
• I recently implemented Apple School Manager + Microsoft Intune for our STEAM lab Macs

I’ve been fighting with Dell Technologies and CDW over staff laptop orders getting canceled, specs changing, pricing changing after POs, etc., and it’s making me reconsider our direction.

I’m trying to make the case that staff/teachers could realistically daily-drive the Neo Macs for normal school tasks while also giving teachers a higher-quality device and the school a more forward-focused feel. The pricing seems relatively stable compared to constantly spec’ing Windows devices, though repair turnaround and availability concern me a little.

Long-term thought would be:

• Lower school stays on Chromebooks
• Staff slowly transitions to Macs
• Maybe eventually add iPads in certain grades/programs

One pushback from leadership is that Macs may feel “unfair” to students since many students use Chromebooks.

Would love any real-world experiences, deployment stories, pros/cons, or resources from schools actually doing something similar.

**Lastly, this is a neurodivergent school, not that it makes a difference but as far context figured it'll help **

Before I reinvent the wheel, has anyone developed an alert or custom script to notify administrators when a Workspace user has sent an excessive amount of emails (i.e., indicative of an account compromise)?

I'm thinking something along the lines of pop an alert if a single account sends >50 (or 100) emails in a 24 hour period. I looked through the canned security rules in Workspace but didn't see anything that accomplished that.

1. Do not take their status page as truth for a secure environment

2. Terminate all API access - your SIS, Google, Microsoft…

3. Terminate your SSO connections

4. Block traffic

5. Call your insurance and state agency

6. Tell your district YOU do not feel comfortable with allowing access. Your job is to protect data, do it. Yes it’s inconvenient for staff but there are alternatives. Google Classroom, Teams, paper and pencil.

7. Notify staff and families if you haven’t

8. Check your canvas API logs for anything strange

9. Advocate for the safety and security of your data. They’ve been breached TWICE in less than a week.

Lean into your community. We’re all here to support one another.

Hey guys, could use some assistance.

I use Manage Engine MDM.

My setup is

1. Offline RootCA
2. Domain joined intCA signed by root
3. SCEP server on a separate box, using AD CS

I am in the process of creating an NDES/SCEP for our mac devices and ipads. I got this working.

1. Device on IT vlan
2. Run profile in MDM
3. Profile installs, device gets certificate.

I noticed the next day the VPN profile was gone, and the the certificate was gone on the device as well. I look in the MDM logs and see "ndes server not reachable". The certificate still exists in the IntCA under issued certs

I go back to the device and see i left it on the guest network, which has no access to the ndes server.

So my guess here is the device checked in with the MDM, couldn't reach ndes and just removed the profile it already had? I don't know why it tried to reinstall this profile as nothing changed. So I repushed the profile and it caused the device to get a brand new cert, rather then using the one it had.

This is where im stuck. This seems like a pretty big issue i don't know how to solve. We have some remote employees, and its sounding like SCEP/NDES needs to be accessed from the public internet. Otherwise when they are home, they will lose their SCEP, their VPN and then get a brand new cert if i get them reconnected.

Can someone give me some times? Maybe i missed something? Any advice?

Really College Board? One update the Friday before AP testing starts and now another one the day before the start of the second week? I know it "auto updates", however, this is not cool!

Our SIS has just enforced two factor authentication for all faculty and staff. They require daily verification codes. How often does your system require faculty and staff to authenticate?

Anyone using the Samsung interactive displays in classrooms? Specifically, the WA75F model.

I didn't get any notification from Powerschool nor Canvas about this until I opened a case with Powerschool. Just an FYI in case anyone was as lost as I was:

"Following news reports of a recent security incident involving Instructure, PowerSchool has proactively disabled the integrations between PowerSchool products and Instructure’s Learning Management System, Canvas, out of an abundance of caution.

At this time, we have no indication that these integrations were involved in, or were impacted by, the reported incident. This step was taken purely as a preventative measure while we continue to monitor the situation.

Due to the fluidity of the situation, we do not yet have a timeline for restoring the integrations. We are closely monitoring the situation with Instructure and will promptly restore the integrations after validating a security connection and restored confidence. We will share updates as more information becomes available."

We use Linewize and I noticed quite some time ago that Paypal is #2 on the list of top bandwidth users. I feel like it's actually VPN traffic, which is categorically blocked, because all of the IPs are from student personal devices on the BYOD network. When I contacted Linewize about this in the past, they were unable to explain what was happening and we left it at that. Any ideas what can be done to stop this?

We tried a 1yr to use Adlumin. At the end of the year due to cost, we decided to go to another platform. I have been using the gpo and PDQ to send out a msiexec to uninstall the application. However it will not remove unless I manually go and touch all endpoints. Does anyone have other suggestions?

Thanks in advance.

Greetings!

I was able to get managed browsers in google admin up and working. I had to create a token from google admin for the "managed browsers" and then add that token to intune. Since I've done that I can see my windows' devices.

Is there a way to lock down the Chrome browser with google admin. For example, on a windows device, if I open up Chrome for the 1st time, I'm able to login with a personal account or an organization account. I want to be forced to sign-in with my domain account and not to be able to add additional google profiles. I do notice that when users open up Chrome for the 1st time, they get prompted to sign-in their account. Once the user signs in, they get 2 profiles, 1 is a "work" profile and the other is their actual domain profile. Is there a way to get rid of that on the google admin side as well or is that just a chrome browser thing that I have to manually get rid of for each user.

I've went through google admin to confirm that I have secondary accounts disabled, Forced browser sign-in, multiple sign-in access blocked, as well as restrict sign-in pattern enabled with my domain. I'm not for sure if google admin has this capability or if I need to go through intune for my windows devices to enforce the Chrome browser to sign in with a domain account.

Any ideas of what I could try via the google admin console or will I need to go through intune to set this process up. I appreciate for any guidance on this.