Tuesday, 15 January 2019

Studentnet Cloudwork V29 Release Notes

The Cloudwork team welcomes you all to a New Year. We're sure that you are all preparing for your new 2019 enrolling year.
Our team has been hard at work introducing many new features and user experience improvements in the dashboard. Please find below a brief description of newly available improvements in our latest release - Version 29.
V29 New Features
  • Added a notification system to the dashboard screen enabling Studentnet to easily deliver important update information to Cloudwork Administrators
  • Contents of Password Reset SMS messages can now be controlled via Message Templates
  • "Require password change at next login" feature exposed on Password Change screen in admin
  • SMS-based Multi-factor Authentication can now be enabled for a user from the Cloudwork Dashboard
  • Support for SSL connections in Email Sync Profiles, meaning Email Sync Profiles can now connect to a wider range of inboxes
  • New configuration option in Email Sync Profiles enabling users to be placed into a specific Org Unit
  • Extra details are now available on the IdP Details page, allowing administrators to easily discover certificate fingerprints
User Experience Improvements
  • The "Download" button in Reports now handles the report generation asynchronously, allowing much larger reports to be successfully generated
  • Cloudwork Dashboard will now show a red error message if a group sync is attempted with a bad LDAP search filter
  • Relaxed form processing rules for SSO Services that don't have signing certificates or logout URLs
  • Removed `required` tags from some form fields, to make editing SSO Services easier
  • Help page now links to the Wiki
  • Sidebar menu will stay in its current state between page transitions
  • The Login Theme form has been broken down into smaller, more easily managed forms
  • Various bug fixes
If you wish to access any of these new features, your Cloudwork instance will need to be updated to V29. We will be commencing individual instance upgrades starting in February, 2019. To schedule a time for your school's instance upgrade please submit a support ticket or email your request to support@studentnet.id.
Looking forward to working with you again in 2019 - Thank you

Wednesday, 12 September 2018

Australian Cyber Security Centre (ACSC) alert: 2018-140 Malicious activity targeting education institutions (GREEN)

Studentnet is a registered partner of the Australian Cyber Security Centre (ACSC). The ACSC is part of the Australian Signals Directorate of the Department of Defence. Registered partners of the ACSC are considered by DoD to be part of Australia's critical infrastructure. Studentnet receives alerts such as this as a result of that status.

The ACSC has issued the following alert that is directly relevant to our school education community:



2018-140: Malicious activity targeting education institutions

The Australian Cyber Security Centre (ACSC) is aware of ongoing spear-phishing campaigns targeting multiple Australian higher education institutions.

The alert is marked TLP Green:
"Restricted to closed groups and subject to confidentiality. 
You may share GREEN publications with external organisations, information exchanges, or individuals in the network security, information assurance or critical network infrastructure community that agree to maintain the confidentiality of the information in the publication. You may not publish or post on the web or otherwise release it in circumstances where confidentiality may not be maintained."

This means that Studentnet cannot distribute the content of the alert via this blog. However, we can email the alert directly to individual members of our community.

The alert contains detailed information on the malicious activity and recommendations on protecting your organisation. Cloudwork contains specific features that allow you to easily implement the protection recommendations of the ACSC.

Studentnet strongly recommends that you obtain a copy of the alert. You can obtain a copy by emailing a request to kjk@studentnet.id. Studentnet will email you a full copy of the alert under TLP green conditions.

Please contact Kevin Karp at Studentnet (+61 2 9281 1626 or kjk@studentnet.id) to discuss and plan your implementation of the ACSC's recommendations using Cloudwork's features.

Thursday, 6 September 2018

Advisory: NTLM Abuse Mitigation

NT Lan Manager (NTLM) authentication is currently being abused to harvest user credentials, so CERT Australia has prepared a list of recommendations for techniques to mitigate NTLM abuse.

CERT Australia is now part of the Australian Cyber Security Centre (ACSC) of the Australian Signals Directorate (ASD) section of the Department of Defence.

Wednesday, 16 November 2016

Advanced User Upload Usage

The user upload feature is not new; it has been in operation for many years. We have recently looked at its capabilities and decided to update what it can do in our dashboard.

Let's look at what it currently does.

You can upload a CSV file to create or update multiple accounts at once.

Your CSV file must contain the following headings: 

Email,User Name,First Name,Last Name,Password,Role

For example:

Email,User Name,First Name,Last Name,Password,Role
The following email accounts will be created:
  • Username: principal
    Password: pri2009
  • Username: joeblogs
    Password: joe2009
  • Username: SN1234
    Password: as2010
Valid roles must be chosen from the following list:
  • Student
  • Alum
  • Teacher
  • Parent

This has been pulled directly from the dashboard so no new information there.

All of these values are the same and remain required information.

Let's look at the additional fields that we have added.

Recovery Phone

This is the phone number that is used in password reset. As with the other headings it must be put exactly as above. This field is not compulsory and may be left out if it is not required.

Recovery Email

This is the email address that is used in password reset. As with the other headings it must be put exactly as above. This field is not compulsory and may be left out if it is not required.

Additional Attributes

This is where things can get a little more interesting. You can now add additional attributes to the import and we will import them into the Custom Attributes for the user. This can be useful when you have to bring in additional information for a user that needs to be sent to the service provider, but doesn't quite fit in the existing categories. For example, StudentID, SynID, etc.

These are not compulsory and can be left blank for the users that do not have such a value.

If we look at what this might look like in a spreadsheet

This will create a record as normal with the below attributes:
User Name: principal
Email: principal@example.edu.au
First Name: School
Last Name: Principal
Password: pri2009
Role: Teacher

With the new attributes this will also add

Password Reset Recovery Email: othermail@gmail.com
Password Reset Recovery Phone: 0412345678

Another attribute will be created:

SynID: 314159

Once the user logs in, all the normal attributes will be created and sent to the service provider; additionally, this user will have SynID sent. NB: Password reset information is NOT exposed to service providers.

So when the user is created all the information about the user is already there without need for further interaction.


Just to make things clear on these new attributes: they can be left blank for users to whom they do not apply, or simply not included in the import.

Remember these imports can be run as scheduled imports through the sync profile interface.
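
A pre-upload check for the CSV layout described in this post, as an added example (it is not Cloudwork's own code). It requires the six headings, accepts the two optional recovery headings, validates the role, and treats every other column as a custom attribute. Rejecting the whole file on a missing heading, the function name and the second and third sample rows are assumptions made for illustration.

```python
import csv
import io

REQUIRED = ["Email", "User Name", "First Name", "Last Name", "Password", "Role"]
OPTIONAL = ["Recovery Phone", "Recovery Email"]
VALID_ROLES = {"Student", "Alum", "Teacher", "Parent"}


def parse_upload(text):
    """Return (records, errors) for a user-upload CSV given as a string."""
    reader = csv.DictReader(io.StringIO(text))
    headings = reader.fieldnames or []
    missing = [h for h in REQUIRED if h not in headings]
    if missing:
        # Assumption: headings must match exactly, so the file is rejected whole.
        return [], ["missing required heading(s): " + ", ".join(missing)]
    extra = [h for h in headings if h not in REQUIRED + OPTIONAL]
    records, errors = [], []
    for line_no, row in enumerate(reader, start=2):
        empty = [h for h in REQUIRED if not (row[h] or "").strip()]
        if empty:
            errors.append(f"line {line_no}: empty {', '.join(empty)}")
            continue
        if row["Role"] not in VALID_ROLES:
            errors.append(f"line {line_no}: invalid role {row['Role']!r}")
            continue
        records.append({
            "account": {h: row[h] for h in REQUIRED},
            # Recovery details are kept apart: they are not sent to service providers.
            "recovery": {h: row[h] for h in OPTIONAL if (row.get(h) or "").strip()},
            # Any other column becomes a custom attribute; blank cells are skipped.
            "custom": {h: row[h] for h in extra if (row[h] or "").strip()},
        })
    return records, errors


# Constructed sample file. The principal row uses the values from the post;
# the other two rows are made up, and the last has a role outside the list.
SAMPLE = (
    "Email,User Name,First Name,Last Name,Password,Role,Recovery Phone,Recovery Email,SynID\n"
    "principal@example.edu.au,principal,School,Principal,pri2009,Teacher,0412345678,othermail@gmail.com,314159\n"
    "joeblogs@example.edu.au,joeblogs,Joe,Blogs,joe2009,Student,,,\n"
    "sn1234@example.edu.au,SN1234,Sam,Nguyen,as2010,Staff,,,\n"
)

if __name__ == "__main__":
    records, errors = parse_upload(SAMPLE)
    print(len(records), "valid record(s);", errors)
```

Values are read as strings, so a recovery phone number such as 0412345678 keeps its leading zero.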





Tuesday, 26 January 2016

Managing your Alumni accounts for the new academic year

Updating your graduating students to Alumni status is a simple process.

We have prepared new instructions for maintaining your graduating year students on the Cloudwork Wiki.

These instructions can be found here: https://wiki.studentnet.net/index.php?title=Graduating_Students_Accounts

Tuesday, 8 December 2015

Password Reset Flow

When looking to reset a password, a user will be given a link; this can be on a portal, on the login page, or whatever method is preferable.
The first screen that is presented is below. On this screen the user will enter their username and choose how they want the process to go, by choosing Email or Mobile.

If the username is not found or the user does not have the particular recovery method available to them an error will be given. This can happen if the user selects Mobile and the system does not have any record of a Mobile number for the user. Same applies for email. For security reasons the actual reason for failure is not given.

Otherwise we move onto the next screen

Given that we are now on this screen this means a message has been sent to the user’s email or mobile.


The user will then enter the code that was sent to them into the field and continue.

From there the user will be able to reset their password. This is the point where password complexity rules will be applied.

Once the new password is put in and “Change Password” is pressed, the password change is made and the user is now able to use that password for future logins.
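
The first two screens of this flow, sketched as an added example (not Cloudwork's implementation), to show how an unknown username and a missing recovery method can produce the same error. The six-digit code, the ten-minute lifetime, hashed code storage, the in-memory stores and all names here are assumptions.

```python
import hashlib
import hmac
import secrets
import time

GENERIC_ERROR = "Unable to start password reset."  # same text for every failure
CODE_TTL = 600  # seconds a code stays valid (assumed value)

# Constructed directory: username -> recovery methods on record.
USERS = {
    "principal": {"Email": "othermail@gmail.com", "Mobile": "0412345678"},
    "joeblogs": {"Email": "joe@example.edu.au"},
}
PENDING = {}  # username -> (sha256 of code, expiry time)
OUTBOX = []   # stands in for the email/SMS gateway


def start_reset(username, method, now=None):
    """Screen 1: the user gives a username and picks Email or Mobile."""
    now = time.time() if now is None else now
    target = USERS.get(username, {}).get(method)
    if target is None:
        # Unknown user and missing recovery method are indistinguishable.
        return {"ok": False, "error": GENERIC_ERROR}
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[username] = (hashlib.sha256(code.encode()).digest(), now + CODE_TTL)
    OUTBOX.append((method, target, code))
    return {"ok": True}


def verify_code(username, code, now=None):
    """Screen 2: check the code that was sent; each code works once."""
    now = time.time() if now is None else now
    digest, expiry = PENDING.get(username, (b"", 0))
    supplied = hashlib.sha256(code.encode()).digest()
    # Constant-time comparison; expired or absent entries never match.
    ok = hmac.compare_digest(digest, supplied) and now < expiry
    if ok:
        del PENDING[username]
    return ok
```

A production handler would also limit the number of attempts per username and keep response times similar on both paths.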