To use Secure Apps during an exam, an employee must configure it for an exam using the settings widget. During this configuration, the employee must select one of the "Apps" available to their organisation. Each App represents a pre-configured desktop environment to which students get access during their exam. This desktop environment has the correct software pre-installed and pre-configured so students can get started with their exam right away.
These desktop environments are better known as "images", as they are made by making an "image" of the entire hard-drive of a machine with all the required software correctly installed.
Schoolyear provides a set of such images for a range of applications so you can get started with Secure Apps right away. However, employees may require custom configurations, specific software versions or entirely different software for their exams. In this case, you need to build publish your own image to Secure Apps.
How to publish your own image
Publish your own image, involves the following steps:
- Gather requirements: Understand which software and what configurations are required for the exam.
- Write an installation script: Write a Powershell script that installs and configured the required software. Optionally, you can configure a session script that run every time a student starts a Secure Apps session.
- Submit for publishing: Submit your installation script and session script for publishing to Schoolyear.
- Image published: After review your image will be "baked" and published by the Schoolyear team, after which it will become available for employees in your organisation.
Writing an installation script
You will need to submit an installation script to Schoolyear to publish a custom image to Secure Apps. This installation script must download, install and configure the software that will become part of the image that students will use during their exam.
To get started with writing your own installation script, you can read through the example scripts of the pre-build images offered by Schoolyear. These will be made available upon request.
The installation script must be called "main.ps1", but it may reference other files and scripts that are part of the zip-package you submit to Schoolyear. The entire package, however, may not exceed 5MB unpacked. If your installer exceeds this size limit and it cannot be downloaded from a public source during installation, please include a private download link during submission.
The installation script will be executed on Windows Server 2019 by Powershell 5.1 and will run as a user with Administration rights. During installation, host machine will have internet access. The installation script may not require user-interaction to complete.
We advise to test your installation script on an empty Windows installation before submitting it for publishing.
Optionally, you can submit a session script that will be executed every time a student starts a Secure Apps session with your custom image. The script will run as System not as the user and will have Administrator rights as such. This installation script has access to the following command line arguments:
-uid
: The Security Identifier of the user. Useful for registry edits.-username
: The login name of the user.-homedir
: The home directory of the user.
By default, users do not have any internet access during their exam. This is enforced by a firewall configuration on the machine. In specific scenarios, you may want to whitelist a specific application in the firewall. Any such firewall configuration changes, should be included in the session script. For example, the following line is included in the session script of the Python image:
New-NetFirewallRule -DisplayName "Allow squid (pip proxy)" -Direction Outbound -Program "C:\Squid\bin\squid.exe" -Action Allow | Out-Null
The line grants internet access to a web proxy (squid) installed in the Python image. The Python package manager (PIP) is configured to use this proxy to download packages from the official PIP repository. This way, we enable students to download any PIP package during their exam, without granting them general internet access.
Make sure you only whitelist application paths that cannot be overwritten by the student, as this will grant them unlimited internet access.
License servers
If your software requires a connection to a license server, please contact your support contact at Schoolyear to setup a VPN connection between Schoolyear and your license server.
To connect to your license server from within your image, you must configure the software in your image to connect to an IP address of your choosing in the 10.2.0.2/16
range (e.g. 10.2.3.4
). Once the VPN connection to your license server is setup, the traffic will be routed to the correct IP of your license server. This allows you to change the IP address of your license server without resubmitting your image for publishing.
When submitting your image, note the IP address you configured (e.g. 10.2.3.4
) in the submission form.
Submit for publishing
To make your custom image available to your organisation in Secure Apps, you must submit it to Schoolyear. The Schoolyear Secure Apps team will review your installation script and then use it to create a new image (baking).