1. RM Unify Roadshow Events Welcome

2. Stuart Sefton – Glow Delivery Presenters: Simon Thompson – Product Manager Rob Potter – Architect Rob Chandler-Toal – Architect Tom Gregory – Programme Manager Introductions & Agenda

3. Outline Agenda (1) Top Level View Provisioning & Authentication  Provisioning  SSO & Technologies  Authentication  Establishment Transfers ( includes Identity Matching) Account Management (Demos)  Establishment Admin Tasks  LA Admin Tasks  Staff Admin Tasks  Staff-Service Admin Tasks

4. Outline Agenda (2) Password Policy & Password Management Apps Process Transition Plan Q&A

5. Top Level View Focussed on usage of RM Unify – materials to help you Continue to invest in development and content The platform will remain open and flexible

6. Get to know RM Unify From 10,000 feet

7. Launch PadApp Library Management Console Access to SSO apps and web links RM Unify Admin: Define layout for each role Discover online services Staff & Admins: Install apps to Launch Pads Manage your users RM Unify Admins: Full access Staff: Limited access

8. Roles in RM Unify Student Teaching Staff Non-Teaching Staff Other Parent “RM Unify Admin” – a permission not a role

9. Demo time Whirlwind tour

10. Service Provisioning Data feeds in, data feeds out

11. Service provisioning 1.Provisioning RM Unify 2.Provisioning online services or “Apps” Data sources RM Unify Apps

12. Sources of user data User data can come from: SEEMiS – changes in SEEMiS are synchronised Web form – in Management Console CSV imports RM Unify provisions a user account acts as a ‘router’ - passing on user updates

13. RM UnifySEEMiS Office 365 Glow Meet Data flow from SEEMiS Which apps need to know about this user? SEEMiS Admin Users Automatically keep services in sync

14. RM Unify Office 365 Glow Meet Data flow using web form RM Unify Admin Users Create a single user, quickly name role Which apps?

15. RM Unify Office 365 Teacher App #1 Data flow from CSV RM Unify Admin.CSV Users Create multiple users in batch T T T Which apps for each role?

16. Users (all roles*) Student Stage Registrati on Class Teaching Groups SEEMiSYYYY CSVYYNN ManualYNNN What can we get from each source? *Except parents

17. Provisioning approaches In-advance provisioning App must know about users before access Example: Office 365 (email) Just in time provisioning App creates account on-the-fly App knows the user is authorised by RM Unify Example: Simple reading app (bookmark)

18. Demo time Installing an app

19. How are new apps provisioned? App is found in the App Library Privacy policy accepted Important: this defines the data release Choose the applicable roles App is installed on the Launch Pads For apps needing in-advance provisioning: Provisioning process starts

20. RM Unify The Best Science App Provisioning a new app RM Unify Admin Users Best App install 1.Get users in appropriate role 2.Filter user attributes Student s Teacher s T I need to know about the users

21. How are apps de-provisioned? RM Unify The Best Science App RM Unify Admin Users Best App Remov e 1.Get users that were provisioned 2.Send delete messages Student s Teacher s T X X X X

22. User Authentication Logging into RM Unify, logging into apps

23. Logging onto Glow glowscotland.org.uk domain will continue to work Browser will redirect to RM Unify from:portal.glowscotland.org.uk secure.glowscotland.org.uk to: https://glow.rmunify.com

24. Logging onto apps SSO apps – click and go! ‘Saved password apps’ Enter credentials first time No prompted again Any device

25. Demo time Saved password app: Edmodo

26. Logging out Single log out Log off RM Unify, it closes sessions on apps Can only log off SSO apps Only sure way is to close the browser

27. Establishment Transfers The account moves when the user does

28. Transfer: Automatic SEEMiS E1 RM Unify CREATE E2 Office 365 RM Unify Admin Users Attributes Security Mailbox OneDrive CREATE ACCOUNT MODIFY ACCOUNT CREATE DELETE X DISABLE ACCOUNT E1 E2 Match

29. Automatic school transfer Most transfers will be automatic Email sent to the user’s O365 mailbox No approval needed from RM Unify Admin Audit available E1 Admin sees – “Outbound transfers” E2 Admin sees – “Inbound transfers”

30. Why the need to approve transfers? Users may be enrolled in two schools concurrently Why? Dual registered students Dual registered teachers Previous school processes leavers late Previous school forgets to process leavers

31. Dual registered users SEEMiS E1 RM Unify CREATE E2 Office 365 RM Unify Admin Users Attributes Security Mailbox OneDrive CREATE ACCOUNT CREATE E1 Match E1->E2

32. What are the options? User is in multiple schools – RM Unify knows this What can happen? 1.User leaves E1 -> Automatically transfer user 2.User logs into RM Unify -> Ask them! [staff] 3.E2 Admin logs in to approve transfer Mechanisms: Automatic Manual: Self-service, or Admin-led

33. Transfer: Automatic (delayed) SEEMiS E1 RM Unify E2 Office 365 Users Attributes Security Mailbox OneDrive MODIFY ACCOUNT DELETE E1 E2 E1->E2 Back where we left off…

34. User Management Demos Robert Chandler-Toal - Architect

35. School Admin Tasks Approve manual transfers and download credentials for new accounts. Manually create a set of users. Delete users. Change user’s password. View and update a user’s attributes. Assign/remove staff member’s admin permission. Disable/enable user accounts. LA Admin Tasks Manage Child Establishments.

36. Staff Admin Tasks Change student’s password. Change teaching/registration/year group members passwords. Self Service Admin Tasks Set my home email address. Change my passwords. Reset my forgotten password.

37. Password Management Minimising administrative burden, maximising security

38. The password lifecycle How does a new user get a password? SEEMiS – Download new user credentials CSV – specify in the CSV Manual web form – specify on creation RM Unify AD Sync – synchronised from the network Forgotten passwords… Wastes teaching time Massive pain point for admins Barrier to adoption

39. Forgotten passwords Self-service where possible Non-students prompted for personal email address Students can also provide one Email addresses are verified Email addresses can be changed (and re-verified) Please don’t use the Glow email address 

40. “Please reset my password?” A student can: Reset their own password, if email address verified A teacher can: Reset the password of a single student Reset the password of an entire teaching class An RM Unify Admin can: Do all a teacher can. Also reset staff passwords

41. Personal password management Encourage people to be good digital citizens Influence: Setting their password Educate with strength-o-meter

42. Assessing crackability Approach developed by Dropbox Interactive approach Real world heuristics – aware of real techniques How ‘crackable’ is the password in seconds RM Unify Agreed a minimum bar for each role Only allow a password that meets that bar https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/

43. What about iCloud? Apple iCloud was brute-force attacked 4 digit PIN = 10,000 possible combinations 0.1s per guess = 8.3 minutes for half the possibilities Experience with Easymail shows: Brute force attacks are common Must protect email services Students like to lock out their friends Admins do not like re-enabling accounts

44. Why won’t this happen to RM Unify? Locks out after 5 attempts for 1 min Auto-enables Locks out after another 5 attempts for 2 mins Auto-enables Locks out after another 5 attempts for 4 mins Auto-enables Locks out after another 5 attempts for 8 mins [you get the idea]

46. Growing the App Library In a world where content is king

47. App developer programme What kind of apps? An app or link? Education content providers General use productivity apps Apps of ‘local interest’ Who can develop? Third parties Scottish Government: Glow services LAs developing their own apps

48. Developer decisions How is it integrated? SSO APIs App Provisioning API (In-advance) provisioning Graph API Developer sandbox An establishment to experiment in Documentation Developer Portal Github SDK

49. Demo time Developer Portal – the place to start – dev.rmunify.com

50. App development process 1. Online documentation: assess API requirements 2. Request a developer account 3. Define your app Name, description, support notes, tags Applicable roles SSO technology and data attributes Provisioning API configuration 4. Test: log in, log out 5. Submit for validation

51. Demo time Developer Dashboard – define your app

52. App Contract Process Stuart Sefton – Glow Delivery

53. App Contract Process RM Contract Position and the Glow App Library Categories of Apps  RM Apps  Third party Apps  User Apps o Saved Password Apps What this means if you want an App added at LA/School Level

54. Transition Plan Tom Gregory – Programme Manager

55. What Happens On 3 rd October? The transition from a user point of view

56. What does not change? - URL -Username and password - O365 data - RM Unify*

57. What does change? - Log in screen appearance -User management (ASM) -Some tiles will go

58. These will go:

59. What do you need to do?

60. 2+ site access is going -One log in to one site -Access to owning establishment only - New credentials required for others

61. Parents and guests are going

62. What will actually happen?

63. Day by day -Thursday 2 nd – as normal -Friday 3 rd – day of change - Monday 6 th – all seeing new log in screen - Monday 13 th – all groups now in RM Unify

64. Friday 3 rd in more detail - No new users can come in that day -No password resets that day - No ASM work on that day - New log in screen will appear late pm

65. Any questions?

66. Thanks Stuart Sefton, Glow Delivery – ssefton@rmcom e: rmunify@rm.com tw: @rmunify