
uni network/login/qlab/multiple users


durian


I'd be most grateful to find out how you deal with university IT depts in this scenario:

Our tech box has a Mac desktop which for some years has been connected to what they called a 'laptop connection'. Basically that meant free access to the internet but not to the typical uni intranet and its associated services of shared drives and users' personal data.

We are now told that the regulations of the JANET mean this can no longer continue and all connected machines must have a login which each user must enter.

No one may share log in details.

I have a lot of users and I foresee that this is going to cause us huge problems:

What happens when we run our typical solo directing week, when daily we run up to 24 back-to-back performances, with different operators, the need to keep the computer running at all times, playing different content to different screens throughout the day? How do we manage each operator logging in and out without disrupting any media that may need to continue playing....

That's just the tip of the iceberg. What happens when a visiting professor turns up four minutes before his time, demands internet streaming to the screen and he doesn't have a log in?

Our IT dept don't see a problem, I do.... so if you operate in a similar environment I'd be happy to hear how you deal with these people who don't have a clue about running a tech box.


One argument is that if there is content going to various screens that absolutely must continue regardless of what is happening in user-world, then that should be on a dedicated machine, or if that's not possible then they should be running on services/daemons which are not affected by logging in and out of users.

A show machine should not be connected to a public network. My suggestion would be to unplug the Mac from the network (and hence from your IT department's security policies), get a cheap PC (all in one or something) and plug it into your laptop port for downloading any files you need and transfer via USB.

I would suggest that a playback computer should never be connected to the internet, for a start, but your needs may differ.

Do you have Wifi access? We have access to the Eduroam system, so I have a separate login for the wireless network that in theory (though I've never tried it) means I can login to any university wireless network in Europe that uses the Eduroam system. Potentially you could say that all internet access has to be through wireless (which presumably everyone has logins for) and then disconnect the playback machine from the network entirely.

I wasn't aware that this was a rule JANET were enforcing - certainly here I have used machines connected to the network that have a shared password with no individual logins.

If you really, really need internet streaming to the playback machine then you'll just have to inform your boss that you are unable to connect the playback machine to the network under the rules and requirements you have to work with, and higher ups deal with IT, though IT/JANET are usually pretty unmovable. We couldn't even get permission to set up an isolated hidden wireless network purely for our Ion - IT tend to be paranoid...


Based on recent experience of institutions' IT protocols I'm surprised you've been allowed this at all anyway! Most IT managers want complete traceability via log-in. But every one of them seems to have different rules either about access or prohibitions. (One history archive I use has open access but has barred both Wikipedia and Virgin Media as well as image searches!) On the face of it though this is one of those situations which has to be solved by compromise where the need for control/monitoring is fulfilled as far as is practicably possible in a real-life situation. (I nearly wrote that this shouldn't be impossible until I thought of all the IT managers I'd dealt with since 1997. But it shouldn't be - unless they are paranoid!) Either that or you have to use a non internet linked playback machine.

With Mac on this. A show machine must be exclusively to run the show. No other software running and all power saving disabled. No connections to other than the show network. That keeps it simple and all other comers can use another machine. Borrow another machine from IT for the week and use that or tell them they have to provide a technician to babysit the existing computer 24/7. As soon as this person sees the first problem they will give you another machine and go home.

We have access to the Eduroam system, so I have a separate login for the wireless network that in theory (though I've never tried it) means I can login to any university wireless network in Europe that uses the Eduroam system.

I've used it quite happily. I'm based at Southampton, and have used my eduroam credentials at Oxford, Cambridge and in Ghent without issues.


One argument is that if there is content going to various screens that absolutely must continue regardless of what is happening in user-world, then that should be on a dedicated machine, or if that's not possible then they should be running on services/daemons which are not affected by logging in and out of users.

Our Mac is a dedicated machine; I often need to leave content playing that is streaming from the web. When we are using QLab I always take the ethernet plug out the wall.

If I have to leave web content playing then I am not leaving my personal credentials open to abuse while content plays and I have left the tech box.

I shall enquire about daemon options that might be open to us. Thanks.

A show machine should not be connected to a public network. My suggestion would be to unplug the Mac from the network (and hence from your IT department's security policies), get a cheap PC (all in one or something) and plug it into your laptop port for downloading any files you need and transfer via USB.

A university network is not a public network. Unplugging the Mac from the network means no more security updates or the ability to re/de-authorise any licences that may need updating or replacing.

A cheap PC will not work for our needs; however, I have asked for a network PC that will enable me to at least stream content. It still doesn't get around the need for guests who turn up late and no one home in IT to provide them a guest log in.

I would suggest that a playback computer should never be connected to the internet, for a start, but your needs may differ.

Do you have Wifi access? We have access to the Eduroam system, so I have a separate login for the wireless network that in theory (though I've never tried it) means I can login to any university wireless network in Europe that uses the Eduroam system. Potentially you could say that all internet access has to be through wireless (which presumably everyone has logins for) and then disconnect the playback machine from the network entirely.

I wasn't aware that this was a rule JANET were enforcing - certainly here I have used machines connected to the network that have a shared password with no individual logins.

If you really, really need internet streaming to the playback machine then you'll just have to inform your boss that you are unable to connect the playback machine to the network under the rules and requirements you have to work with, and higher ups deal with IT, though IT/JANET are usually pretty unmovable. We couldn't even get permission to set up an isolated hidden wireless network purely for our Ion - IT tend to be paranoid...

We have eduroam but as I've pointed out to our IT people, it's so patchy in its coverage I would never rely on it for streaming media for an event; it's hard enough just to do a Facebook update some days! I have asked that something be done, but I doubt anything will change come September.

With Mac on this. A show machine must be exclusively to run the show. No other software running and all power saving disabled. No connections to other than the show network. That keeps it simple and all other comers can use another machine. Borrow another machine from IT for the week and use that or tell them they have to provide a technician to babysit the existing computer 24/7. As soon as this person sees the first problem they will give you another machine and go home.

Borrowing another machine for the week wouldn't work for us. We rely on our Mac for QLab and often a performer will suddenly want to add some content from the internet into a performance. And why shouldn't they?

If I retrieve that content on a network PC for example, I then have to burn it to CD or DVD as data because our network BitLocker security on USB devices is not recognised by a Mac.

I wasn't aware that this was a rule JANET were enforcing - certainly here I have used machines connected to the network that have a shared password with no individual logins.

If you really, really need internet streaming to the playback machine then you'll just have to inform your boss that you are unable to connect the playback machine to the network under the rules and requirements you have to work with, and higher ups deal with IT, though IT/JANET are usually pretty unmovable.

We have meetings with IT heads of dept and managers next week; I shall certainly mention this, thank you. Streaming is bread and butter for us with multiple users, so it's vital we manage to come up with some workaround based around our tech box Mac and its QLab/streaming needs.


Often a performer will suddenly want to add some content from the internet into a performance. And why shouldn't they?

When I did this type of event, our artists had a strict deadline for content submission (a couple of days I think), if they didn't hand it in on time it didn't get put up!

Meant we had ample time to transfer onto the show machine, convert/compress etc...


When I did this type of event, our artists had a strict deadline for content submission (a couple of days I think), if they didn't hand it in on time it didn't get put up!

Meant we had ample time to transfer onto the show machine, convert/compress etc...

We work with emerging artists who often create as they perform. Our dept ethos is no limits, create and be free, so to speak.

I guess it's time things changed!

And seeing as this new ruling has taken four of my other Macs offline, I'm inclined to get a job as a cook in a hotel!


A university network is not a public network. Unplugging the Mac from the network means no more security updates or the ability to re/de-authorise any licences that may need updating or replacing.

If any machine other than a show related machine is on the network with the Mac, in this context it is a public network. The theory behind correct setup of a show machine is such - you set up a machine to a state that it is working and bug free - every service you don't need, you disable. Every piece of software you don't need, you remove. Then you unplug it from the rest of the world. You then create a disk image (Time Machine backup). Security updates are generally unnecessary - most security updates are protecting against network intrusion - we have solved that via an "airwall" (i.e. it's not connected to a network). Since all applications run in user space on OSX, chances of a USB-autoexec type virus are low, but in the event one happens to occur, you then restore from Time Machine. The only time you plug into the network is when you _need_ an OS update for functionality or they release a bugfix that you require.

If you have an event that REQUIRES internet access to stream video, I would be looking at wireless broadband over ethernet (4G ethernet router with a 4G dongle plugged in the side or a wifi 4G dongle - avoid USB as driver conflicts etc can be a dog).


If any machine other than a show related machine is on the network with the Mac, in this context it is a public network.

Thanks for that, point taken. I was meaning it was not public in the context that one needs a log in to access our network.


We are now told that the regulations of the JANET mean this can no longer continue and all connected machines must have a login which each user must enter.

No one may share log in details.

I have a lot of users and I foresee that this is going to cause us huge problems:

The JANET Acceptable Use Policy doesn't mandate this. What it does mandate is that you do not give access to the JANET network to users who do not have permission to use it; this is quite strictly enforced. This is because the bodies that fund UKERNA want to be very sure that they never get a story in the Daily Mail saying 'UK Tax Payer funding internet access for businesses using universities as conference centres'.

How your university computing service chooses to implement the restrictions is up to it and they are perfectly within their rights to require that the user has their own credentials and does not share them. This usually comes out of wanting to be able to trace, say, copyright violation back to a specific user.

It would be technically possible to allow people to login using Eduroam credentials; however, this would definitely require involvement of your computing service to provide the correct infrastructure and I doubt they would do it if they aren't already providing it.

Several universities do a 'wired eduroam' service: you can use the eduroam credentials to get network access and, like your previous 'laptop connection', you get JANET access but not local network access.

Unfortunately without the will to solve this issue at the university computing service level in the best technical way you are probably stuck with your more expensive solution of getting a non JANET internet connection. You may need this anyway if you have touring people coming who don't have the right to access JANET in the first place.

However you have it easy, I had quite a discussion recently with someone who literally wrote the book on show network connectivity whose university computing service were mandating Bradford Network Sentry (nasty thing which tries to periodically audit your machine before giving you network access) and a whole pile of antivirus stuff before they would allow the machine to connect to the network. Needless to say this is pretty incompatible with show machines.

A more holistic approach is needed with show networks and machines generally not connected to the internet but firewall rules in place such that they can access certain things such as Apple and Microsoft update sites. This still leaves you with the problem of making sure things like USB keys are clean; however, you have exactly the same problems with things like Windows based lighting desks like ETC's line. Can you imagine what ETC support would say if you installed a load of third party security software on the desk...

Unfortunately the best way to deal with the 'mawwwa I want to stream this thing from the internet during my talk' is just not to advertise that you have internet access in the first place and politely say that it's not possible.

For my show and general networks I have the advantage that I am my own computing officer and the upstream university computing service that I'm connecting via is pretty good at providing technical solutions which implement the spirit of the rules rather than producing arbitrary laws which go far beyond the spirit of the JANET rules. However I still don't let show machines directly access the internet as it's just too dangerous. Obviously if someone came up with a valid artistic reason for needing it we'd find a way to do it for that show but we wouldn't provide it as a standard service.


The theory behind correct setup of a show machine is such - you set up a machine to a state that it is working and bug free - every service you don't need, you disable. Every piece of software you don't need, you remove. Then you unplug it from the rest of the world. You then create a disk image (Time Machine backup). Security updates are generally unnecessary - most security updates are protecting against network intrusion - we have solved that via an "airwall" (i.e. it's not connected to a network). Since all applications run in user space on OSX, chances of a USB-autoexec type virus are low, but in the event one happens to occur, you then restore from Time Machine. The only time you plug into the network is when you _need_ an OS update for functionality or they release a bugfix that you require.

Thank you for this. Very helpful.

We are now told that the regulations of the JANET mean this can no longer continue and all connected machines must have a login which each user must enter.

No one may share log in details.

I have a lot of users and I foresee that this is going to cause us huge problems:

The JANET Acceptable Use Policy doesn't mandate this. What it does mandate is that you do not give access to the JANET network to users who do not have permission to use it; this is quite strictly enforced. This is because the bodies that fund UKERNA want to be very sure that they never get a story in the Daily Mail saying 'UK Tax Payer funding internet access for businesses using universities as conference centres'.

How your university computing service chooses to implement the restrictions is up to it and they are perfectly within their rights to require that the user has their own credentials and does not share them. This usually comes out of wanting to be able to trace, say, copyright violation back to a specific user.

It would be technically possible to allow people to login using Eduroam credentials; however, this would definitely require involvement of your computing service to provide the correct infrastructure and I doubt they would do it if they aren't already providing it.

Several universities do a 'wired eduroam' service: you can use the eduroam credentials to get network access and, like your previous 'laptop connection', you get JANET access but not local network access.

Unfortunately without the will to solve this issue at the university computing service level in the best technical way you are probably stuck with your more expensive solution of getting a non JANET internet connection.

However you have it easy, I had quite a discussion recently with someone who literally wrote the book on show network connectivity whose university computing service were mandating Bradford Network Sentry (nasty thing which tries to periodically audit your machine before giving you network access) and a whole pile of antivirus stuff before they would allow the machine to connect to the network. Needless to say this is pretty incompatible with show machines.

A more holistic approach is needed with show networks and machines generally not connected to the internet but firewall rules in place such that they can access certain things such as Apple and Microsoft update sites. This still leaves you with the problem of making sure things like USB keys are clean; however, you have exactly the same problems with things like Windows based lighting desks like ETC's line. Can you imagine what ETC support would say if you installed a load of third party security software on the desk...

Unfortunately the best way to deal with the 'mawwwa I want to stream this thing from the internet during my talk' is just not to advertise that you have internet access in the first place and politely say that it's not possible.

Gosh, I am indebted to you sir, thank you for this information.

