Extending a Chromebook past the Auto Update Expiration with BrunchOS

 I first ventured into the world of Chromebooks in 2014 with a class set of Acer C720s. We were coming from a fleet of repurposed ex-staff HP laptop bricks with terrible battery life and wifi, so getting a 2.5 pound 8-hour battery cloud terminal was magical! I think they cost $280 CAD each so that allowed us to get outstanding value, even with the addition of the exploitative $30 management console fee.

In 2018 we retired the fleet. They had worked outstandingly well, save for a few keypad issues. We had expanded the Chromebook program to our entire grade 5 population so replaced them with Lenovos. There are many build quality issues with the Lenovos around the camera, keyboards and screens that have frustrated me but those stories are for another day!

Even though the C720s were running great we would have had to retire them the next year anyway due to Google's Auto Update Expiration (AUE) that only guarantees ChromeOS updates to a certain date. Running Chromebooks past this date is like running iPads past their iPadOS end-of-life; they'll work but they receive no security patches or bug updates. This is problematic in a school environment and generates lots of e-waste.

For Chromebooks the easiest solution is using Neverware's Cloudready images. The process is fairly straightforward: download the Cloudready image, burn it onto a USB device using the Chrome Recovery Utility, and restore it on the Chromebook. Unfortunately, the C720 is not on their official supported devices list but I'm sure it would work fine. The pricing structure can work for larger 1:1 districts, but at minimum yearly $2500 USD I don't see value in maintaining an older set of Chromebooks for extended periods.

Replacing an aging fleet over a 3-year cycle is more cost-effective

Another solution is turning Chromebooks into simple Linux boxes. Crostini is Google's official Linux release but it's only officially supported on certain devices, not including the C720. The easiest chroot solution is Crouton but I've never tried it since I'd prefer to run Linux outside of ChromeOS. GalliumOS xubuntu seems to be the most popular option for single-booting.

Since I wanted to renew our C720s for student use I instead looked for a way to install a newer, updatable version of ChromeOS. This attempt had started a few years ago with the release of Croissant (love the food names, perhaps in the spirit of Android dessert release names?). Recently I discovered Brunch, a framework that uses a generic recovery image to install ChromeOS.

To start, you need to update the C720's firmware. Before you can flash a new firmware, remove the write protect screw. Then enable Developer Mode and reboot. Open a crosh shell and run the script provided by MrChromebox:

cd; curl -LO mrchromebox.tech/firmware-util.sh
sudo install -Dt /usr/local/bin -m 755 firmware-util.sh
sudo firmware-util.sh

With the updated firmware you can boot from the USB where you've placed Brunch. Note that on the C720 you must use the Rammus recovery image only. 

Assigning Apple Volume Purchasing licenses to Bring Your Own Devices

My school has enjoyed the myriad of benefits from Bring Your Own Device for a number of years now. Students in Grades 2-4 are expected to include an iPad as part of their school supplies. Over the years, we've experienced the longitudinal wave of app acquisition: from excitement and experimentation with dozens of free apps in the early years to paid apps and, recently, back to free apps.

In the beginning with a handful of iPad 2s (2011; over a decade ago!) our teachers were excited to try out such exciting digital opportunities as Calculator, Screen Ruler, or many other free apps that barely made it out of the substitution tier in Puentedura's SAMR model. Free was great for classrooms on a budget and we didn't need to worry about licensing since free apps could be transferred to different iPads using master backup images in iTunes. Shortcuts included using encrypted backups to save passwords and wallpapers, and 10-port USB hubs for simultaneous re-imaging

App development reached a crescendo with the refinement of the iTunes App Store. License agreements were refined and the Volume Purchase Program (VPP) was created to help with the influx of educators wanting paid versions to avoid advertisements or to unlock premium features. VPP in particular was a boon for me as it offered 50% discounts for 20+ quantity purchases and offered an easy distribution method for our BYOD model: redemption codes.

Redemption codes allowed me to transfer licenses of paid apps directly to our students. Ownership and updating remained with families and was completely hands-off from the school. We didn't need any device information, AppleIDs or any other identifying information. Redeeming a code downloaded the exact version of the app we wanted and eliminated any confusion that could happen with providing gift cards or having families deal with inputting payment information. We were also able to track which student received which code and stay on top of compliance.

A little too app happy?

In recent years, we've started to move away from paid apps back to free apps. But instead of ad-sponsored or freemium apps we're back to relying on a small number of legacy or enterprise apps: Keynote, iMovie, Google Docs and Slides and a number of free-to-download apps that use subscription models. One notable exception is Book Creator and their move towards a teacher-centered subscription model with unlimited students. Book Creator has removed the academic discount of 50% for their app (currently $3.99 CAD) and heavily promotes their web-based subscription model.

Last year we migrated to Apple School Manager (ASM) to ensure continuity of purchasing and managing our volume licenses. ASM works well with Meraki MDM which I use to manage our iPadOS devices. Last year also marked Apple's deprecation of redemption codes. This was a gut punch to our model of hands-off BYOD and required some thought to maintain our level of support.

We could use Apple Business Manager instead which still allows generation of redemption codes. Unfortunately ABM does not offer academic discount of 50% on 20+ quantities. This would add up to hundreds of dollars for us yearly. Instead, I am using ASM to purchase paid apps along with any applicable discount. These licenses sync with Meraki which allow for easy distribution to school devices. Family BYOD never engage with Meraki though, and I did not want to go down the path of registering of external devices with our MDM for privacy, security and logistical issues.

What is working well so far is using Apple Configurator to assign licenses to family devices based on device IDs and serial numbers. No personal or other identifying information is shared. Configurator also allows me to transfer the apps instantly without the need for families to log into an AppleID or initiate a download. Unfortunately, this requires a physical connection from the iPad to Configurator. This involved me visiting groups of students and plugging their devices in. Students needed to enter their passcode, after which I made sure to download the unlock token.

VPP apps in Configurator

It took me while to sort out the ASM and VPP accounts and syncing them with Configurator. Sometimes I would log in and could view non-migrated licenses, and other times I was able to view VPP licenses. This article was helpful but I ended up not needing to create another location in ASM. I highly recommend saving a copy of the .ipa file for each app you want to transfer. Configurator, for some reason, removes the .ipa after each transfer which means it downloads a fresh copy every time you plug a new iPad in. This adds minutes to each transfer. For me, the .ipa gets saved in:

~/Library/Group Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps/

You must copy the file before Configurator completes the transfer because as I mentioned, it'll get removed immediately after the transfer completes.

To transfer the app and assign the license plug in the iPad and select +Add App. Choose the apps and cancel the operation after Configurator assign the licenses. Now select +Add App again and choose the .ipa files from your computer. If the app does not open on the iPad when tapped it probably means the licenses weren't assigned correctly in Configurator and you'll need to repeat the process.

There are some unknowns about this process. I don't know what happens when an app needs updating, or if the apps gets removed by accident. I assume we'll need to plug everything back in to Configurator. I also wonder what happens if we revoke licenses; does the app stop functioning or is it similar to download an app then logging out of the AppleID? The biggest question would actually be: what's changing next?!