
HS MS BS

 
My daughter's high school requires its students to have access to a laptop at home for school work. The school's trust is a Microsoft shop so her computer needs MS Teams to be installed locally and she has access to the online Office 365 suite through a school account.

No problem, right?

Yeah, right, until it was.

Last year sometime she complained to me that she couldn't log in. When she tried she was confronted with a dialog box "Your Organization requires you to change your pin" that wouldn't let her proceed with setting a "Hello PIN".  I have an account on her machine (because of course) and I found that I was getting the same problem and the same message.

But which organisation is this? I don't want to sound too full of myself but I am the Lord of IT in our household organisation and I certainly didn't ask for this.

Naturally, I did some research online and on her machine ... after reluctantly setting the PIN so that she could log in. Bizarrely, the new PIN could only contain numbers and was length-restricted, unlike the password she had been using which permitted any character and any length. 

Also bizarrely, all sign-in options appeared to be available for configuration locally and there was no indication at configuration time that there was policy restricting their use, but configuring them had no effect.

I am not a Windows admin so it took me a while but after some more poking around I found this in the account settings, with the school trust named as the manager of security policy:


Following the thread further I dumped the configuration as text and found a reference to MDMFullWithAAD in Microsoft PassportForWork. Searching for docs on that, I found the settings for managing PINs.

At this point, I was reasonably sure that the school was imposing (at least) password policy on my hardware, affecting multiple of my users. Ugh! I found myself strongly aligned with the well-known security expert Shania Twain:

That don't impress me much.

I looked up the school's IT policy and found that it appeared to require personal devices to conform to the same policies as those belonging to the school. For remote access to school systems with school accounts I don't have a problem with that in principle but it surely couldn't apply outside of the school's systems, could it?

I contacted their tech support and asked them to urgently confirm my diagnosis, justify it if it was correct, and unenroll my daughter's PC from their management. To be fair to them, the response was reasonably quick and open. I'll paraphrase it like this: 

  • Yes, this is a result of school IT configuration.
  • They are implementing IT policy using a feature provided by Microsoft to "ensure data protection." 
  • The feature asks people using external devices to "Allow my organization to manage my device."
  • My daughter, and many other children in the school, would have agreed to this, although the support agent accepted that it was arguably a "trick" that the option is checked by default.
  • They can't unenroll my daughter's computer remotely but I can do it locally.

They also provided the steps for me to use. I'll streamline them here:

  1. Press the Windows button.
  2. Search for "Access work or school."
  3. Select the school's account.
  4. Click on "Disconnect."
  5. Reboot if requested.

Here's the relevant config screen:

After this, if the "Allow my organization to manage my device" dialog is seen again, the option can be safely unchecked before proceeding.

There's a stack of noise online around this topic, as you might imagine, but these steps aligned with others that I had come across during my initial research so I tried them and was able to revert to using the original password. Phew.
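To confirm who manages the PC, the following can be run before and after the "Disconnect" steps. It is an added example, not part of the original post or the school's instructions. It assumes the `dsregcmd` tool that ships with Windows 10/11, and the registry value names it reads are assumptions about what an enrolment subkey contains.

```powershell
# Added example (not from the original post): who, if anyone, manages this PC?
# Run before and after the "Disconnect" steps and compare the output.

# Part 1: dsregcmd ships with Windows 10/11 and prints "Name : Value" lines.
$state = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
        $state[$Matches[1]] = $Matches[2]   # last value wins if a name repeats
    }
}
$fields = 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined',
          'TenantName', 'MdmUrl', 'WorkplaceTenantName', 'WorkplaceMdmUrl'
foreach ($name in $fields) {
    $value = if ($state.ContainsKey($name)) { $state[$name] } else { '(not reported)' }
    '{0,-20} {1}' -f $name, $value
}

# Part 2: MDM enrolments recorded in the registry. The value names read here
# (ProviderID, UPN, DiscoveryServiceFullURL) are assumptions about what an
# enrolment subkey contains; subkeys without a UPN are skipped as bookkeeping.
$root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$enrolments = @()
if (Test-Path $root) {
    $enrolments = @(Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p -and $p.UPN) {
            [pscustomobject]@{
                Id        = $_.PSChildName
                Provider  = $p.ProviderID
                Account   = $p.UPN
                Discovery = $p.DiscoveryServiceFullURL
            }
        }
    })
}

if ($enrolments.Count -gt 0) {
    'Managed: {0} enrolment(s) found' -f $enrolments.Count
    $enrolments | Format-List
} else {
    'No MDM enrolment with an account name found under {0}' -f $root
}
```

An enrolment whose account name is the school address, or a `WorkplaceMdmUrl` that is populated, indicates that the device is still under the organisation's management.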

I was pretty annoyed and almost wrote this post back then, but instead I complained to the trust's Head of IT and its Data Protection Officer. I never got a reply and slowly lost the motivation to pursue it further.

Then last week my daughter complained that, you guessed it, she couldn't log into her PC. Fortunately, having been through it once, it was the work of a few minutes to confirm the symptoms, change the PIN, walk through the steps again, and revert to her original password. 

After a bit of thinking, she recalled that she had been prompted to log in to one of the school systems and might have clicked through some kind of dialogs but she didn't recall what they said. This is the relevant one:

I don't know about you, but I'm not confident that school children can be expected to understand the ramifications of accepting this option, or the effect of unchecking it, when they are logging in to a trusted system to do something they have been told they must do.

That formed the basis of my complaint to the school, which went something like this:

  1. My daughter enrolled her PC into their domain on the basis of a confusing dialog with the wrong defaults.
  2. It's unreasonable to expect school children in general to be able to make considered choices about opaque questions when it appears they're just logging into school systems.
  3. In any case, that choice should not apply to ALL users of a machine.
  4. When being prevented from logging in, a phrase like "the organisation" is incredibly generic and unhelpful.
  5. I wasted a lot of time trying to work out just what was going on.
  6. Forcing my daughter to change to a Hello PIN arguably reduced security compared to the settings that I enforce at home.
  7. As I understand it, current industry-standard advice is moving against the password rotation that apparently triggered this episode and also suggests more characters than the school PIN policy enforces.
  8. I don't believe that I had seen anything from the school explaining that IT policy (a) existed or (b) would be enforced like this.

I think the school trust's IT policy implementation is too aggressive with too little transparency. Much of the opacity is due to Microsoft's technology, and my experience of that is entirely negative here, but the school has chosen to use it. 

In my opinion they must limit any policy to the school accounts used to log into the school services, not local devices that happen to be used to access the services. If they can't stomach that, or the available options don't offer it, then they should be transparent, have easy to understand instructions, and require very explicit opt-in for the behaviour they have currently implemented.

I don't have the energy to go back to the school trust about this mess and I can't imagine MS being in the slightest bit interested in my opinion so I think this post is about three things:

  • getting it out of my system.
  • documenting the symptoms and the straightforward fix for me (although I hope I never need it again).
  • documenting it also for others (and I hope I've put enough keywords in here that future searches will find it).

I'd love to know if you found this helpful or your mileage varied.

Image: Microsoft Bing Image Creator ("An image combining a Microsoft Windows logo, a school, and a bull so that all three of them are clear but they are arranged in a visually appealing way")
