This course will guide you through implementing the Lightspeed Systems Bundle for Chrome. This course is for customers who have purchased the Best bundle, which includes Classroom Orchestrator, Reports, and the Web Filter.
1. Configure your Bundle
You’ll log into the Bundle dashboard and set up your school.
2. Connecting your Google Domain to Mobile Manager
We’ll set up your organization and set Mobile Manager as the MDM of choice. We’ll sync your Google Domain with Mobile Manager and import your users.
3. Setting Google as an Authentication Source
We’ll set up Google as an Authentication Source in Google Admin and the Lightspeed Web Filter.
4. Pushing Lightspeed User Agents
Push Lightspeed’s user agents to your users.
5. Setting up Classroom Orchestrator
Set up basic Classroom Orchestrator settings and connect Classroom Orchestartor to your Google Domain.
6. Setting up Your Admins and Teachers for Classroom Orchestrator.
Learn how to get your admins and your teachers ready to use Classroom Orchestrator.
7. DNS Cloud Filter
Learn how to use the DNS Cloud Filter, Lightspeed’s solution for filtering BYOD/guest devices.
8. Chrome Reports
Learn how to use the Chrome Bundle’s new reporting functions.
9. Device Detective
Learn how to set up and use Device Detective, our solution for lost or stolen devices.
10. Additional Resources and Troubleshooting
Learn more about Lightspeed’s products and troubleshoot potential issues.
All of this will just take a few minutes. Let’s get started!
You will need to configure your bundle, including registering and setting up your school before you can use the Lightspeed Bundle for Chrome.
After your purchase the Chrome Bundle you will receive an email from the Lightspeed team with your serial number and a link to register.
Go to: https://launch.lightspeedsystems.com/register
Enter the email address that the Lightspeed email was sent to and the serial number contained in your email.
You will now be taken to the Launch Dashboard. From here you can access all of your Lightspeed services.
The Launch Dashboard is not only a useful tool for administrators, but teachers as well. We have created a teacher version of the Dashboard that gives teachers access to classroom extensions of the tools you administrate. We will talk about the teacher tools in a later post.
Setup Your School
From the Launch Dashboard you can access all of our Lightspeed services.
Your first step to accessing our services is setting up your school.
Click on the Admin Tools tile and choose Schools.
There will be one school in the list – and that will be the name of your organization that was given to Lightspeed at the time of account setup. You can either go in and change the details of this school or you can add a new school.
To choose an existing school to edit – just select it from the list. (in our case, we have already created several schools within our demo district.)
Otherwise you can create a new school by clicking the green + circle at the bottom right of the window.
Enter all the requested info including the address fields.
Note: make sure to use proper SIS IDs so they will match your CSV imports. This SIS ID information is needed to match your students and staff from your CSV to the proper school within your District (Organization).
Manually Adding a User, Group, and Membership
We recommend that you do a SIS sync for a full school deployment – but you might find it easier to just create Users, Groups, or Memberships manually within the Launch dashboard if you are only doing a partial deployment.
Note: You will be able to sync your Google users when you sync your Google Domain to Mobile Manager in the next lesson. This is a significantly simpler way to sync users. You will still need to add groups manually or through a SIS sync.
Adding Users Manually
From the Launch dashboard, choose Admin Tools -> Users.
Click the green + plus at the bottom right.
Add in all user information and then click the green checkmark.
Manually Adding a Group
From the Launch dashboard click on Admin Tools -> Groups.
Click the green + plus sign on the bottom right to create a new group.
Enter information into the appropriate fields and then click the green checkmark to save.
Manually Adding Users to a Group
From the Launch dashboard click on Admin Tools -> Groups.
Click on the group you want to add members to. This will open a field to the right. On the field, the bottom section will show current group members. To add new members, click the green + plus button to the right of Members.
In the search field type the name of the user you want to add to the group and then choose the appropriate user from the list below. Click Save.
The user has now been added to the group, and you should see the new addition in the Members list.
Learn more about managing users, groups, and schools here.
You will now need to integrate your Google Domain with Classroom Orchestrator and sync your users in Launch.
Integrating with Classroom Orchestrator
Open Classroom Orchestrator. Click on Organization Options on the top right and select Settings.
Click the green plus (+) sign to the right of Managed Domains.
Type your GAFE domain (southernacademy.org, in our case) into the field and click Save. Repeat this process for each GAFE domain.
Once you are done adding your GAFE domains, scroll down to the bottom of the Settings page and click Save.
Syncing Google Users in Launch
Once you have added your domains to Classroom Orchestrator, you will need to sync your Google users in Launch.
Navigate to the Launch dashboard, hover your mouse over the Admin Tools tile, and click on Districts.
Click on your district from the list. (You will only see a single entry if there is only a single district.)
Your district settings will open on the right side of the screen.
Scroll down to Google Integration and click Enable Integration.
You will be taken to a Google Request for Permission page. Click Allow.
Once your Google users have been integrated with Launch, the you will see the options to Disable Integration (clicking this will disable your Google integration) and Sync Users (clicking this will sync your Google users with Launch) in your district settings.
Setting up Google as an Authentication source for your Web Filter will allow users to seamlessly sign on to their Chromebook devices and Google services with their Web Filter policies.
To enable Google Single Sign On, follow these steps to configure Google as an authentication source.
Note: Because of the way Google authentication works, it can be used for personal overrides, but not for the “teacher override” where the override is performed for another user.
- 1. Log into Google as an administrator of your Google domain.
- 2. Navigate to https://console.developers.google.com
- 3. In the upper left, just after “Google APIs” there is a Project dropdown menu. Select the option to create a new project. A project ID will be generated automatically.
- 4. From the Library tab, search for and enable Admin SDK and Google+ API.
- 5. Click OAuth Consent Screen, then enter the product name and click Save. The product name should reflect functionality (ex. Web Filter Authentication.)
Note: Do not use the word “Google” in your Product Name, as it will cause an error.
- 6. From the credentials screen, click Credentials and then add an Oauth 2.0 client ID.
- 7. Next, choose the Credentials tab. For the Application Type, select Web Application.
- 8. Give it a name. In the Create Client ID form, fill in the Authorized redirect URI field with the publicly-available hostname of your Rocket, with an ending suffix of /auth/google_oauth2/callback. Save the credential by clicking Create.
Example: http://southernacademy.org/auth/google_oauth2/callback). Click Create.
Troubleshooting Unable to redirect URI? Check your Google Developers Console and navigate to the project created for the Google authentication source. In that project, there should be a redirect URI (http://(rocketFQDN)/auth/google_oauth2/callback). Copy that url and create a new redirect URI, saving it as https. That way, you will have both an http and https callbacks. Once complete, please resave the Google authentication source in the Rocket.
- 9. Make a note of the Client ID and Client Secret.
If you have a Cluster
setup, then you need to have an “AUTHORIZED REDIRECT URL” for the Master appliance (running Web Filter 3) that handles web filtering for any appliance that will be used for Google Authentication.
Note: This is an overview of the required steps to configure the app. For specific details, please refer to the Developers Console Help.
- 1. Navigate to https://admin.google.com.
- 2. Click Security.
- 3. Click API reference.
- 4. Under API access, select (check) Enable API access.
1. Log in to the Rocket.
2. Click Settings -> Tier Management and navigate to your first tier.
3. Scroll down to Authentication Sources.
- 4. Perform Steps a through g for every tier.
- a. In the Authentication Sources grid, click the green “+” icon. Select Google Authentication.This action opens the following page:
- b. Enter a name, a friendly name, and the email domain (everything after the “@” sign).
- c. Enter the Client ID and Client Secret you copied in step 8 (above).
- d. Select (check) Available to End Users.
- e. Click Save. You will be directed back to Google to give them permission to make API calls. Please note that all “scopes” (i.e., authentication information received from users) listed on this window are read-only.
Note: You must be logged in as an administrator of your Google domain. Otherwise, it will look like everything was setup fine, however, the auth source just won’t work. A client accessing this will either get a 401 Unauthorized or 403 Forbidden when attempting to use the auth source.
Please note you must repeat these steps for each different domain that you have configured within Google. For example, if you have @Studentdomain.org and @Staffdomain.org domains they need to be setup as two different authentication sources, even if they are managed by a single Administration page, and a separate account with administration privileges in each domain will need to be used when configuring the authentication source.
Note: If you use Google’s Admin SDK, from time to time your users may get HTTP 503 errors when they try to authenticate. This can happen when users try to authenticate and the Google Admin SDK’s query rate per day (QPD) of 150,000 requests per day has been exceeded. In addition, the QPD can also be exceeded in other circumstances.
To prevent this from occurring, you can set up billing. However, you can also configure a free Google Web Application in your Google domain and configure Google authentication on your Rocket.
- 1. Navigate to admin.google.com
- 2. Click Chrome Management
- 3. Click User settings.
- 4. Scroll down to Apps and Extensions and click Manage force-installed apps.
- 5. Under Chrome Web Store, download the extensions you need. Click Add to add each extension. Click Save after you’ve added all your necessary extensions.
||Chrome Webstore Link
|Lightspeed Management for Chrome
|Lightspeed Broadcast for Chrome
|Lightspeed User Agent
|Lightspeed Mobile Filter
|Lightspeed S-Mobile Filter
Once you push the Lightspeed user agent extensions to your devices, these devices will auto-populate in your Chrome Bundle. You can view a list of your devices in the Mobile Manager Devices tab.
Customers who currently use SSL certificates generated by a Certificate Authority (CA) with their Rocket appliance MUST
push the new Chrome Lightspeed S-Mobile Filter
and not the Lightspeed Mobile Filter to devices. Learn more here
Customers who have devices other than Chromebooks (Windows or iOS devices) will need to install those specific user agents on their devices. Learn more about Windows
You will need to set several settings in order to prepare Classroom Orchestartor for use.
1. Instruct users to sign into Google Chrome browser by entering chrome://settings and then clicking Sign in to Chrome or clicking the Chrome menu icon in the upper right-hand of the screen (), clicking Settings, and then clicking Sign in to Chrome.
When users sign into Chrome they must use the email address that is assigned to their Launch user account.
2. Verify that the user is signed into Chrome.
Note for Gmail Users:
If you use a @gmail.com address, Chrome will strip out any periods when authenticating. For example, email@example.com becomes firstname.lastname@example.org. If Launch is configured to use firstname.lastname, then the authentication won’t work. If you are going to use @gmail.com addresses, you need to strip any periods from the address in Launch.
Please note that is only true for the @gmail.com domain; it does affect other domains. Click here to read more about this issue on Google Gmail’s support site.
1. In the Chrome browser navigate to https://chrome.google.com/webstore/detail/lightspeed-orchestrator/nhjickhghbcblfhcnjbjgbplibnkpmle?hl=en.
2. Click Add to Chrome in the upper right-hand corner.
3. Confirm that the extension has been installed by entering chrome://extensions or clicking the Chrome Menu icon in the upper right-hand of the screen and then clicking Extensions. The following shows a successfully-installed Classroom Orchestrator extension.
Screen capture options at the school and district level allow capturing each client’s
- active window only
- full screen
Capturing the client’s active window does not require their permission. The default full-screen capture, though, does require permission from the student. In this instance, when a group becomes active, the client will receive a prompt to share their screen. School and district admins can modify screen capture configuration for Chromebooks at the school or district level.
Clients will see a notification stating that screen sharing is active. If a student stops sharing his or her screen the screen sharing notification will pop back up.
Mac and Windows Chrome Browsers
District Admins can manage Google Domains through Classroom Orchestrator.
1. Navigate to Classroom Orchestrator and click the Options dropdown icon to open up the options menu. Click Settings.
2. Your Managed Domains will appear on top of your Classroom Orchestrator settings.
3. Click the green plus sign to the right of Managed Domains to add a new domain.
4. Input your domain into the field and click Save.
5. You can delete a Managed Domain by clicking the “x” to the right of the domain name.
The BYOD Filter is a feature of Lightspeed Systems filtering solutions. The purpose of the BYOD Filter is to provide schools with a CIPA compliant way to filter BYOD/Guest devices or unique devices that cannot support one of Lightspeed’s filtering agents.
You can access the BYOD Filter by logging into Launch with your Google, Office 365, or Lightspeed Systems credentials and clicking the appropriate tile from your Launch dashboard.
From the BYOD Filter menu, you will be able to obtain setup information, configure settings, and view reports.
Note: Any change you make to BYOD Filter settings, categories, or reports will take approximately 15 minutes to take effect on your clients.
1. At the top you will see the snapshot report. This report identifies how many categories and how many websites have been blocked or allowed in the past 7 days.
Hovering your mouse over any of the categories will open up a tooltip that will compare the current 7 day period to the previous 7 day period.
Clicking on the More button in between the two categories will bring up the BYOD Reports menu.
The BYOD Reports menu allows you to run detailed reports on your BYOD filtered devices.
You can run four distinct reports: Blocked Categories, Allowed Categories, Blocked Websites, and Allowed Websites. Simply click the corresponding tile to navigate to that report.
You can adjust the report date range by clicking the dropdown menu. The menu defaults to Today, but also allows you to select Yesterday, Last 7 Days, and Last 30 Days as options.
You can search for specific categories or websites by utilizing the Search box in the top left.
The BYOD Setup menu can be found right under the Snapshot Reports. From here, you can setup your DNS servers and assign IP ranges to filter. The DNS Servers field identifies the IP addresses of our DNS Servers. These addresses will be automatically set by Lightspeed Systems. The DNS addresses assigned will vary by region.
The IP Ranges to Filter field allows you to identify which IPs to filter.
Enter a name in the IP Ranges Name field, the start IP in the IP Start field, and the end IP in the IP End field. Click Add to add the IP Range. This should be the external IP of your school. Once an IP Range has been added, you will see it added at the bottom. To delete an IP Range, simply click the “x” to the right.
Normally Blocked/Allowed Categories
You will find a list of Normally Blocked Categories under the Setup menu. These categories determine which kinds of websites are automatically blocked by the BYOD filter. The categories are divided by topics, such as “adult”, “forums, chat, email”, “security”, and “violence.” These categories are normally blocked by Lightspeed Systems due to their inappropriate content.
Below the Normally Blocked Categories, you will find a list of Normally Allowed Categories. These include normally allowed and safe topics, such as “Advertising”, “Business and work”, “Education”, and “Family Life.”
It will be up to you to determine which categories you want to block or allow for your students. You can manually block or allow a category by clicking the button to the right. Red, left-aligned buttons () indicate a blocked category. Green, right-aligned buttons () indicate an unblocked category.
You can easily block or unblock all categories within each Normally Blocked Category and Normally Allowed Category section. Simply click Allow All or Block All next to the section title and all categories within that section will automatically be allowed or blocked.
Customers need to configure their BYOD devices and guest networks with this DNS. Customers should use a separate DNS for users that have user agents installed.
You can learn more about Lightspeed’s database categories in this Web Filter article.
The Lightspeed Systems Chrome Bundle comes with brand new reporting functionality. You can now get real-time and past reports on a variety of categoires, including websites visited, Classroom Orchestrator statistics, website activity, top websites, trending websites, and installed apps.
The Reports interface can be accessed through Launch by clicking on the Reports icon.
Once accessed, the Reports page will appear. This page is divided into individual widgets that show various statistics.
You can set filters for your Reports at the top right corner. You can search for individual schools to see reports for that specific schools in the search bar. You can select the date range for the reports (ranging from today to the last 30 days) through the date dropdown menu.
The top widget shows the number of websites visited, the number of tabs sent, the number of broadcasts performed, and the number of screens recorded.
The next widget show Website Activity.
The following widgets show Top Websites and Trending Websites
The bottom widgets show Student Website Visits and Top Installed Apps.
Clicking on View All to the right of Student Website Visits allows you to see all websites visited by students.
The following will show. You can search for individual students in the search bar and determine the date range for the website activity you want to see.
Clicking on an individual users’ name will open up their website activity to the right. The activity log will indicate the website, the time it was accessed, and the duration of time spent by the user on the website.
Device Detective, a part of the Lightspeed Systems Bundle for Chrome, is our solution for finding lost or stolen devices. Device Detective allows you to track and locate lost and stolen devices. Device Detective utilizes Geolocation to locate lost or stolen devices that have been moved into a “lost/stolen” OU group in Google Admin Console.
Prerequestite: Device Detective will only work with enrolled Chrome devices.
Using Device Detective
You should immediately use Device Detective after a device has been identified as lost or stolen.
1. Log into the Lauch dashboard as a District admin and open Classroom Orchestrator.
2. From the Schools page, click on the Organization Options dropdown menu and select Settings.
3. Scroll down to Device Detective and enable it by toggling the enable switch.
4. Once Device Detective is toggled on, you can to enter a custom message into the Recovery Message field. This will be the message displayed on devices placed in recovery mode. You will also see App Id and App URL fields. You will need these later in the setup process. Remember to click Save.
5. Log into your Google Admin Console. Navigate to Users.
6. On the left-hand menu, click on the dropdown menu to the right of your organization and select Add sub organization.
7. Name the new sub organization Stolen Devices. Click Create Organization.
8. Navigate back to the Google Admin Console dashboard and click on Device Management.
9. From the left-hand menu, select Chrome Management.
10. Click on App Management.
11. Click on the dropdown Settings menu on the top right and select Add custom app.
12. On the Add custom app page, you will need to copy the App id and App URL from step 4 (your Classroom Orchestartor Settings page) into the ID and URL fields. Click Add.
13. On the app page, click on User Settings.
14. Click on the Stolen Devices organization you created in step 7. Click the Override command under each setting so that it changes to Inherit in order to enable toggling it on/off. Enable the Allow Installation and Force Installation settings. Click Save.
15. Navigate back to the app and now click on Kiosk Settings.
16. Navigate to your Stolen Devices organization and enable the following settings: Install automatically and Allow app to manage power. (Remember to click Override under each setting to change it to Inherit in order to be able to toggle them.) Click Save.
17. Scroll down on the Kiosk settings page and click on device settings page in order to navigate to Device Settings.
18. On Device Settings page, navigate to the Sign-in Settings section. Select Do not allow guest mode under the Guest Mode category. Select Do not allow any users to Sign-in under the Sign-in Restrictions category.
19. Scroll down to Kiosk Settings. Select Do not allow Public Session Kiosk under Public Session Kiosk and select the app you recently installed under Auto-Launch Kiosk App.
20. Scroll down to Power & Shotdown. In the field for Scheduled Reboot input the number 1. Click Save.
21. Navigate back to your Google Admin Console and click on Device Management.
22. Click on Chrome devices. Select the lost or stolen device by checking the box to the left of the device information. Click the Move to dropdown menu and select Stolen Devices. Click Move to Organization.
23. You can now find the device by navigating to Stolen Devices in the left-hand navigation menu. From here, click on the device Serial Number.
24. Scroll down and click on System Activity and Troubleshooting.
25. Scroll down the Reboot Device and click REBOOT NOW. This will reboot the device and force the logout/login event.
Once the device is rebooted, it will show the following screen.
Clicking on Let us know opens up a field where users can add their e-mails and a custom message that will show up in Device Detective.
26. You will now be able to see the device in Device Detective. Log back into Classroom Orchestrator s a District admin and click on Device Detective. You will see the device you just added to your Google Admin Stolen Devices OU in the list. Click on the device name.
The device will show a “new” icon next to the name if it’s a new lost/stolen device. The device will show an envelop icon next to the name if the user clicked on Let us know on the device and imputed a custom message.
27. The device details page will open up on the right-hand side of the screen. Here you can:
- a. Edit the device name by clicking the edit icon. We recommend that you edit the device name in order to be able to identify it in future use or to be able to easily distinguish between two or more lost/stolen devices.
- b. Remove the device from the list by clicking the Remove From List button. This will remove the device from Device Detective. Use this function once you have found a lost/stolen device.
- c. See the device’s geographic location. You can zoom in on the map in order to pinpoint exactly where the device is.
- d. View the device’s location and IP address history.
If a user opts to click the Let us know option on the “this device has been reported lost or stolen” block page and writes a message, you will also see that message on this page.
27. Once you have located the device, remove it from your Google Admin Console Stolen Devices OU. Navigate back to Device Management -> Chrome Devices. Locate the device within your Stolen Devices OU, check the box next to the device, click the Move to dropdown menu, and move the device back to the OU where it belongs.
- a. In the case of more than one lost/stolen devices, perform the above steps individually for each device, one by one. Once a device has been moved to the Stolen Devices OU, has all the correct settings set, and appears in Device Detective, rename the device. Repeat this step with each new device. This will allow you to easily distinguish between devices.
- b. District Admins are encouraged to work with local law enforcement to retrieve stolen devices and not to attempt to recover them on their own.