Implementation

Schoolyear AVD is an integration between Safe Exam Workspace and your self-managed Azure infrastructure. While Safe Exam Workspace is a SaaS solution, this service does not cover your own Azure infrastructure. This infrastructure needs to be configured and actively maintained by yourself.

The Schoolyear AVD integration can be best considered as a tool that will help you set up an internal service for your education department. However, that does mean that you need a team to operate this internal service. Depending on your needs and organization, this may be a one-person operation, an IT team or even an outsourced team from one of our managed service partners.

This page will guide you through the implementation of Schoolyear AVD based on our best practices. Both the technical and organizational aspects of the implementation are considered.

At the end of the implementation, you need to cover three main responsibilities:

  1. Install, maintain and update the Azure infrastructure
  2. Build & maintain images
  3. Incident management and response

This page will help you through the initial implementation of Schoolyear AVD and your service team. To continuously maintain the service thereafter, the controls page describes the service controls required to maintain the service.

This page guides you through the three phases of implementation from start to finish. It starts by assembling the people you need and ends by discussing how to scale up the usage within your organization.

In this phase you assemble your service “team” and perform the technical implementation. The duration of this phase entirely depends on your organization. The actual execution can be done in a day, but for some organizations this phase takes multiple weeks due to slow approval processes.

We encourage you to follow the testing phases outlined in these steps and understand that the intermediate tests may not match your final requirements.

The first order of business is gathering a service team. They will use the Schoolyear AVD integration to provide an internal service to your education department.

The service team should cover three key roles:

  1. Azure infrastructure management
  2. Image development and maintenance
  3. Incident response and key user support

While the term “service team” may sound like a large investment, IT personnel typically fulfill these roles as part of their existing responsibilities. You can peek at the list of service controls to get an idea of the workload for each role.

In our experience, we see organizations choose one of these options:

  • A duo of generalists: When available, this is preferred as it often leads to the fastest implementations and low communication overhead. We recommend having at least two people on board to safeguard the availability of the service.

  • A Team of specialists: Gather the specialists needed to fulfill the roles in the team. We still recommend having one or two leads in the team to keep the service on track.

  • A Managed service provider: You can outsource the management of the service to a managed service provider. For more information, please refer to the Managed Service Partners chapter. We recommend against outsourcing infrastructure management and incident response separately.

No matter which option you choose, make sure the people in the service team are up to speed on the following topics:

  • How will Schoolyear Safe Exam Workspace and Schoolyear AVD be used in your organization?
  • What does the expected end-user experience look like? Make sure the service team has seen a demo of the product.
  • What are the three responsibilities of the service team?
  • What support options are available to the service team?
  • How does Schoolyear AVD technically work? Make sure the service team has familiarized themselves with the architecture of Schoolyear AVD.

Next, you should check whether you meet all prerequisites. Most organizations already working with Azure can easily meet the prerequisites. However, if you are unable to meet these prerequisites, we strongly advise against proceeding with the implementation as you will likely reach a dead end.

The members of the service team require admin access to the Schoolyear tenant. This access is required both during implementation and general operation.

Admin access can be granted by an existing admin through the Schoolyear Admin dashboard. When your Schoolyear tenant is configured with Single Sign-On, these users must first log into Schoolyear once for their account to be created.

Most organizations have a change management procedure. To aid you in drafting a change request, there is an Infrastructure Changes page.

It is recommended to discuss a grace period with your change approval board in which you can experiment and test the changes you need to make. This period will allow your service team to get a better understanding of all the changes that need to be persisted.

At the core of the Schoolyear AVD integration is the Azure Virtual Desktop add-on. Add-ons are a way in Schoolyear to enable and configure integrations.

In this step you will install the Azure Virtual Desktop add-on and with it, all the base infrastructure in Azure. This step requires elevated permissions in both Entra and the Azure Subscription dedicated to this integration.

Follow the Add-on Installation guide and complete the installation.

Schoolyear AVD will run a deployment job before each exam for which AVD is required and a deletion job after the exam. These jobs are called Orchestration Jobs. These jobs may fail, and it is the job of the service team to respond to these failures and resolve them.

Since these failures should be rare, it is important to be notified quickly when they do occur. Schoolyear provides a feature to receive an email notification in case of a job failure.

You can configure up to three email addresses that receive these notifications. You can either configure a shared inbox that notifies the entire service team or individual email addresses.

  1. Go to the Orchestration Job page.

  2. Click on Configure Alerts in the top-right.

  3. Configure the email addresses you want to receive these alerts.

  4. Click Update to store the configuration.

Azure limits the amount of resources that can be deployed in each Subscription at any given time using Quotas. The user capacity of your Schoolyear AVD implementation is therefore limited by the quota Azure has granted you.

Luckily, you can request Azure to increase your quota. The process to increase your Azure quota may be automatic and take just a few minutes, or it might require some email exchanges with Azure support before approval, depending on the amount of requested quota.

To begin testing your implementation, you need to ensure you have at least a small amount of quota to work with. As the usage of your Schoolyear AVD implementation grows over time, the service team may need to request a quota increase.

For now, follow these steps to ensure you have at least capacity for 10 VMs:

  1. Navigate to the Quotas page in the Azure Portal.

  2. Select the Subscription you dedicated to this implementation.

  3. Select the Region you selected for deployments. You can find which region you selected by navigating to the AVD add-on you installed in a previous step and checking the region of the Base Resource Group shown in the Infrastructure tab.

  4. Search for Standard DSv5 Family vCPUs (or a different CPU type if you are planning on using a different VM type).

  5. Ensure you have a capacity of at least 20 for this item. If you do not have this already, request an adjustment by clicking the pencil icon.

After you have requested your quota from Azure, you need to configure this number in the Schoolyear Admin dashboard as well.

  1. Navigate to the Quota page.

  2. Click Add quota.

  3. Subscription ID: Fill in the ID of the Subscription you dedicated to this implementation.

  4. Resource ID: Fill in azurevms.

  5. Value: Fill in the quota you have available from Azure. This is the number that was shown on the Quotas page in the Azure Portal.

  6. Click Add.

For your first image, you should keep it simple and stick to building the default Office 365 image. You can customize and enhance the image according to your needs later, but first you need to verify that your implementation works correctly up to this point.

Images for Schoolyear AVD are built using the avdcli tool. Building images for Schoolyear AVD using other tools is possible but explicitly not supported.

  1. Navigate to the AVD add-on you installed earlier (Schoolyear > Admin Dashboard > Add-ons > Select your add-on).

  2. Click Add Application. A new app appears, ready for you to configure.

  3. Click on Build a new image and follow the steps below to build the standard Office 365 image. Once the build is completed, enter the name of the selected Image Definition.

  4. Enter a name for the app (e.g. Office 365).

  5. Change the prefilled VM size if you are unable to use this VM size. In that case, make sure you requested quota for your custom VM size. In fact, you may need to change the Proxy VM size hidden under Advanced as well.

  6. Under Quota, select the Quota you created earlier (azure.microsoft.com/[[subscription-id]]/azurevms), and configure 2*(n + max(5, ceil(n*0.02))) + min(max(2, int(ceil(n / 10))), 10). This is the calculation used to determine how much quota each exam will reserve. It is a formula with parameter n because the amount of quota each exam needs depends on the number of students in the exam.

  7. Click Save Changes.
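An added example, not Schoolyear's code: it evaluates the quota formula from step 6 so the service team can size an Azure quota request before exams are scheduled. The function names and sample exam sizes are made up here, and adding up the reservations of exams that overlap in time is an assumption about how reservations count against one quota item.

```python
import math


def reserved_quota(n):
    """Quota one exam with n students reserves, using the formula from step 6:
    2*(n + max(5, ceil(n*0.02))) + min(max(2, int(ceil(n / 10))), 10)
    """
    if n < 1:
        raise ValueError("an exam needs at least one student")
    return (2 * (n + max(5, math.ceil(n * 0.02)))
            + min(max(2, int(math.ceil(n / 10))), 10))


def max_students(quota):
    """Largest exam size whose reservation fits in `quota` (0 if none fits)."""
    # The reservation never shrinks as n grows, so a binary search is valid.
    # It is always larger than 2*n, which bounds the search at `quota`.
    lo, hi = 0, max(quota, 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if reserved_quota(mid) <= quota:
            lo = mid
        else:
            hi = mid - 1
    return lo


def quota_shortfall(exam_sizes, available):
    """Extra quota needed for all listed exams to hold a reservation at once.

    Assumption of this example: reservations of overlapping exams add up
    against the same quota item.
    """
    needed = sum(reserved_quota(n) for n in exam_sizes)
    return max(0, needed - available)


if __name__ == "__main__":
    # The 2-student test exam from this guide against the initial quota of 20.
    print("2 students reserve", reserved_quota(2), "of 20")
    # Constructed planning input: two overlapping exams, quota of 220 granted.
    overlapping = [30, 100]
    print("reservations:", [reserved_quota(n) for n in overlapping])
    print("request at least", quota_shortfall(overlapping, 220), "more quota")
    print("largest single exam on 220:", max_students(220), "students")
```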

The Image Building popup will show you the main steps involved in building images. For more information, there is an entire chapter on building images.

For now, you should build the standard Office 365 image to test your AVD implementation up to this point.

  1. Install or update the avdcli tool as instructed in the popup.

  2. Download the avd-image-community repository from GitHub.

  3. Run avdcli bundle layers -l ./layers/com.schoolyear.win10-office365.

  4. Copy the avdcli bundle autobuild... command from the Image Building popup and execute it. This requires you to have the Azure CLI installed and be logged into it.

  5. The autobuild command will prompt you to create an Image Definition in Azure. Click the link to create one. For more information on how to create an Image Definition, follow these steps. After creating the Image Definition, restart the command.

  6. Wait for the command to finish and use the link in the last step of the popup to follow the progress of the build.

Now it is time for your first technical test to make sure everything you did up until now works as expected. This test cannot be done on a ChromeOS device because that has not been set up yet. For this test you must use a Windows or macOS device instead.

To schedule the exam to test with, follow these steps:

  1. Go to New Exam in the top-left of Schoolyear and click + Custom Exam.

  2. Give the exam a name and select a start time 1h5m in the future and an end time 2 hours thereafter. Click Next.

  3. Add a website to the exam: https://example.com. Click Add, then Next.

  4. You can skip the File step and click Next.

  5. Select Yes for desktop applications.

  6. Select the App you created in a previous step. In our example, it was called Office 365. Click Next.

  7. Enter 2 for the number of students and click Next, then Create.

  8. Wait for the exam to start. You can monitor the progress of the deployment from the Orchestration Jobs page. On that page, you can see the scheduled Deployment and Deletion job for the exam you just created. Once a job starts, you can view the log or trigger a retry from this page.

Once the exam is deployed and has started, you can log into the exam as if you were a student. It is recommended to use a dummy student account for this instead of your own Azure account. This way, you can simulate the access a student would normally have.

To start the exam you just created, follow these steps:

  1. Navigate to the exam you created.

  2. Follow the Student instructions visible on the screen. When prompted for name and student ID, you can enter dummy values.

  3. Follow the onboarding procedure for students and start the Schoolyear Safe Exam Workspace application.

  4. When prompted for a Microsoft account, preferably use the dummy student account.

The Safe Exam Workspace should start up and settle on a Windows desktop with the Schoolyear VDI browser running on it. The website you configured earlier should be visible on the screen.

Verify that this first technical test is successful before proceeding with the rest of the implementation. Troubleshooting any issues at this early stage is simpler compared to doing so later when custom configurations are applied.

Now that you know your current implementation is working, make sure to test the changes you make from now on. Troubleshooting an issue after making many changes will prove difficult.

It takes time to deploy the resources in Azure required for a Schoolyear AVD exam. Therefore, Schoolyear AVD automatically starts deploying a while before the start of an exam. How much time in advance the deployment starts is configurable per App in the AVD add-on.

Navigate to the add-on and check the Deployment duration. The value that is prefilled should be enough for most deployments to finish on time. However, it is recommended to use a longer deployment time in production to ensure the service team has enough response time in case of a deployment failure. It is not uncommon for organizations to configure 3 hours as the deployment time.

During the technical implementation phase, it is common to reduce this to 25 minutes to speed up frequent testing. Make sure to increase this duration again before the pilot or production exams.

If students are required to log into their Microsoft account with Multifactor authentication (MFA), it is common to configure an exception for exams. MFA during exams can disrupt students by requiring them to access their phones, which is not ideal for maintaining exam integrity.

If students are not prompted for MFA when using Schoolyear AVD, you can skip this step.

Follow the Entra MFA Exception guide to configure the exception.

1.12: Connect a license server (when applicable)

Some applications require a LAN connection to a license server. If you need such an application during your pilot, you need to set up this connection. You can always revisit this step later once the need for such an application surfaces.

Follow the License Server Peering guide to set up the connection.

1.13: Set up an isolated ChromeOS exam network (when applicable)

The prerequisites mention an isolated network for ChromeOS devices. If you are going to use ChromeOS devices, you need to configure the public IP ranges of this network in the AVD add-on. This configuration only applies to new deployment jobs, so it cannot be changed after the deployment job of an exam has started.

To configure these public IPs, follow these steps:

  1. Navigate to the AVD add-on.

  2. Open the Deployment config tab.

  3. Find the Chromebook IP ranges field and add the IP ranges of the isolated network(s). If you want to add a single IP address, use the /32 suffix. Only IPv4 addresses are supported.

  4. Click Save Changes.

  5. Schedule a new exam with Schoolyear AVD enabled and test if the exam can be started on the Chromebooks.
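An added example, not part of the Schoolyear tooling: a pre-check for the values you are about to enter in the Chromebook IP ranges field, applying the two rules from step 3 (IPv4 only, /32 for a single address). The non-public block check and the min_prefix width threshold are assumptions of this example, and the sample entries are constructed from documentation ranges.

```python
import ipaddress

# Blocks that cannot be the public source address of an exam network.
NON_PUBLIC = [ipaddress.ip_network(b) for b in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def check_range(entry, min_prefix=24):
    """Return the problems found in one entry; an empty list means it passes.

    min_prefix is an assumed local policy, not a Schoolyear limit: wider
    ranges are flagged so someone confirms the whole range belongs to the
    isolated exam network before it is allowed.
    """
    text = entry.strip()
    if "/" not in text:
        return ["missing prefix length (use /32 for a single address)"]
    try:
        # strict=True rejects entries such as 203.0.113.5/24, where it is
        # unclear whether one host or the whole /24 was meant.
        net = ipaddress.ip_network(text, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR range: {exc}"]
    if net.version != 4:
        return ["only IPv4 ranges are supported"]
    problems = []
    if any(net.overlaps(block) for block in NON_PUBLIC):
        problems.append("overlaps a non-public block; use the public egress range")
    if net.prefixlen < min_prefix:
        problems.append(f"/{net.prefixlen} is wider than /{min_prefix}; confirm ownership")
    return problems


def check_all(entries):
    """Map every failing entry to its list of problems."""
    report = {}
    for entry in entries:
        problems = check_range(entry)
        if problems:
            report[entry] = problems
    return report


# Constructed sample input. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for real public egress ranges.
SAMPLE = ["203.0.113.0/24", "198.51.100.17/32", "198.51.100.17",
          "203.0.113.5/24", "192.168.1.0/24", "2001:db8::/32", "0.0.0.0/0"]

if __name__ == "__main__":
    for entry, problems in check_all(SAMPLE).items():
        print(f"{entry}: {'; '.join(problems)}")
```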

If you want to test multiple Apps during the pilot, you may decide to implement one or two of them at this stage. It is not recommended to start building all the images you may ever need before you complete an initial pilot.

The Image Building chapter has all the information on building these images and configuring them as Schoolyear AVD Apps.

After your technical implementation, and before production use, you should have a pilot phase. This pilot is for the service team and the education department to practice for the real exams. You also want to make sure everything is ready to go before you schedule any real exam.

Ideally, you do a few pilot exams with actual students, but without the outcome of the exam being of any consequence. Consider whether it would be acceptable if these pilot exams were to fail completely.

In phase 1, you requested a quota of 20 from Azure. This gave you a user capacity of just under 10.

Now, you need to increase your Azure quota to have enough user capacity for the pilot.

Follow the Azure Quotas guide to make sure you have enough user capacity.

Before doing the pilot with students, perform a dry run. Let a professor or teacher schedule a mock exam as would be normally done. Check if the deployment succeeds and use a dummy student account to take the mock exam. Include the service team, any functional manager and exam supervisors to showcase all the user flows.

If everything works all right, you can go ahead and schedule the pilot exam.

At this stage, we suggest you do a pilot with students. How this is organized depends entirely on your organization.

Our main recommendations are these:

  • Consider whether it would be acceptable if these pilot exams were to fail completely. It is not uncommon for the first pilots to run into unforeseen problems. In fact, that is their purpose. Make sure failing is actually an option.
  • Schedule the pilots in the afternoon. If a deployment fails, your service team can investigate and resolve the issue during regular office hours.

Based on the results from the pilot, make any technical or organizational adjustments you need to make this service generally available to your education department.

Congratulations on making it this far. You now have a service team, a working implementation and an education department that is ready to go. This phase is about maintaining what you have and scaling up the service.

3.1: On-call schedule for incident response

Before general availability, it is good to have an “on-call” schedule for the third key role of the service team: incident response. This may sound more involved and expensive than it needs to be. For most organizations, a simple Excel sheet or calendar may be enough.

The “on-call” person has two main responsibilities:

  • Respond to any incidents raised by the education department. For practical reasons, it is recommended to keep the number of users that can reach out to the service team limited (e.g., max 3).
  • Monitor for job failure alerts. Early in the implementation, you configured the email addresses that receive these notifications.

To maintain the service, the service team needs to continue operating the service.

A great tool for this is the list of Service Controls. This list details all the controls you need to maintain to keep the service up and running smoothly. It details which controls should be acted upon when or how frequently.

To maintain the service, it is now important that the service team acts on these service controls when they “trigger.” Service controls have three possible triggers:

  • Initial: By following this implementation guide, you already acted on all these controls.
  • Periodically: These are periodic jobs. Create a schedule or calendar so you don’t forget about them.
  • Event: Sometimes you need to act when something happens. For example, in case of an emergency patch. It is important for the service team to know about these events, so they know when to act.

Now that you have your service implemented and your team ready to maintain the service, you can gradually introduce the service in your organization.

You will likely spend this period working with the education department to onboard new users, building new images and gradually increasing your quota in Azure.

We hope you and your users enjoy using the product, and we are always happy to help to make your secure assessment journey a success.