User Management with Canvas Catalog
California Virtual Campus and the University of Maryland will share their background experience utilizing Canvas Catalog from the ground up. During this presentation, we will discuss our lessons learned and the benefits of single sign-on for Catalog registrations. We will discuss each institution's unique approaches to account generation.
Welcome to your management with Canvas catalog of myself, Mary Ann Santos and Mike Voe. We'll talk about that. Thank you for those who completed the multimeter. We just wanted to get an idea of the audience. So we see here forty seven percent of you have implemented Camma's catalog in the past, thirties, not they have not. And for those of you interested, welcome.
And we'll talk more. Oops. It did not show the screen, but that's what it says on there. Okay. Alright.
Okay. Again, my name is Mary Ann Santos, and I'm from the University of and this is my bow. We'll explain ourselves a little bit more, as we go on throughout the presentation. The agenda, we're gonna talk about what is Canvas catalog and how our case uses for me at University of Maryland and for Mike at California virtual campus and at the end we have some time for any questions that you may have in regards to campus catalog. So what is Canvas catalog? Canvas catalog.
So with Canvas, we know it's in a learning management system. That we use for all of our courses. You can use Canvas catalog as a platform that can go either with your Canvas instance or it can be working in tandem. So two separate, things. And what are some things that Canvas catalog do? So it extends beyond the campus.
So when you have Canvas in your own institution, either if it's higher ed or k to twelve, you have your own courses within within your institution that are term based. With campus catalog, you can extend it where you offer courses to anyone beyond your own campus. And part of that, you can include a payment gateway, University of Maryland uses authorize dot net. And, Mike, you said use PayPal. If you want to, set up some kind of payment gateway.
You can also offer promotions for those who are interested in taking courses from your instance. You can also give discounts and promo codes. And with Canvas catalog, you can create a certificate of completion. So, within Canvas catalog, when you turn when create a course. You create certain requirements that you want your users to complete.
And once they complete it, they're automatically called a certificate of completion. It's automatic automatically, automated for yourself. So I'm gonna talk about C, Maryland. So again, my name is Marian Santos. I'm a learning management system specialist, under the d under the division of information technology.
A little bit about university, Maryland, we are located in College Park, Maryland, eight miles away from Washington, DC. We have twelve colleges over one hundred majors, and, over thirty thousand undergraduate enroll and our student to teacher ratio is eighteen to one, just to give you an idea how big our campus is. For our fall twenty two enrollment, I've already said that we have over thirty thousand undergraduate, students. We have over nine thousand full time faculty over five thousand part time faculty and almost six thousand university staff. Now let's talk about adoption and implementation.
University of Maryland, adopted, Canvas catalog, January twenty four, twenty seventeen. You'll notice on the screen it says open learning. So university of Maryland likes to rename things that we have with our own branding. So I apologize if I confuse you if I say canvas catalog or open learning, they're the same thing. Okay.
So again, canvas catalog, open learning, same thing. Then after within the same month, University of Maryland launched their free first free first free course enrollment. January thirty one, and then, first fee based course enrollment July seven, twenty seventeen. With that we had over I'm sorry about sixty one courses. It's also called listings under Canvas catalog.
That were created and have active enrollments in twenty seventeen. And since twenty seventeen, we have a large growth. So again, we went from sixty one courses in twenty seventeen to two hundred fifty one in twenty twenty three. In regards to enrollment, we went from one thousand one hundred sixty five in twenty seventeen to Excuse me. Fifty two thousand in twenty twenty three.
And last one, the one that's everyone's favorite is revenue. We went from eighty two thousand for that year twenty seventeen to one hundred ninety seven thousand just for this year, twenty twenty two June to June twenty twenty three. And with that, we have ninety two sub catalogs. So most of you are probably familiar with subaccounts when you're in Canvas, but because you're in Canvas catalog, we have ninety two active sub catalogs. And these are just some of the departments because I don't have room to fit ninety two catalogs on here, but we have our different departments, and colleges that use, Canvas catalog, including DIT, are or Maryland Fire and Rescue Institute and are even our human resources.
Now, also promote Canvas catalog slash open learning, internally and externally. So internally, we advertise or promote it using our DID weekly newsletter to let other people know about Canvas catalog and the opportunities that they can have. And we have our own internal professional learning community called LTCOP. So learning technology community practice. This is where we have individuals in each department that represent their department and we meet with them, about monthly to share information, not just with Kevin's catalog, but anything canvas or DID related.
External, we share at conference is at educas, and of course here instructor Khan. And, we have a public professional learning community called catalog peers group. So if you're interested in I will share more information at the end if you're interested in joining our catalog peers group. And of course, we promoted on our open learning storefront. Now for customizations, excuse me.
So even though Canvas catalog has a lot of features that comes out of the box. We did a lot of customizations to fit our needs and to include our own branding. And this is something that my team has been doing since twenty seventeen before I became something explaining that most of the things that we've done is using scripting, to make these customizations. So one of the first things we did was customize the header. So you'll notice that our universe, Maryland colors, and our, banner is different.
And we've even in, updated our footer to include our terror pin, mascot logo, and, additional information, who to contact So we do a lot of work with the offices of extended studies to talk about him as catalog. Another customization we've done with scripting is redirecting our users to our getting start page. So we've the open office of extended studies, created a course that includes a lot of information how to get started with open learning depending if you're a university, Maryland user or an external user. And I'm gonna go back a couple slides. Here on our home page, we have a button next to log in that says about.
So when they click on that, it takes them to that page. The getting started page. Another customization is enrollment page with a warning message. So whenever you have a course available in Canvas catalog, you'll see the there's image, the title and the button to enroll. Right below I've highlighted in orange is a warm message because we have, Canvas catalog open to anyone, we have certain courses that are specific to specific users.
So we have in DIT, our defender shell to go with our terrapin, theme. That we only want users who are university, Maryland. Sorry. University, Maryland faculty and staff to use. So we put this warning on here for those who are not faculty and staff to let them know that this course is not for you and that they will be removed they're not if they do not use their directory ID.
Another customization that I know Mike will talk more about is the registration page. So out of the box when you sign in to Canvas catalog for your instance, you'll get this screen here. On the left hand side of the box, you'll see there's a field for your full name, your email, and your confirmation email. Because of this page, we get a lot of spammers. And to combat that, we have, customized our page to look what it looks like now on the right hand side, where they have to create their own associate account, get an email to complete the registration process so that we know that this is a real person creating an account and they want to enroll in a course.
So once they finish that registration process, then they can enroll into the course. Another customization thanks to Indiana University. They shared their HTML code with us to customize the course card. The course card normally has the image and a short description, but you'll see here the layout is different where it includes the overview, the course outline, and at a glance. We've also customized our dashboard.
So in Canvas, on the global navigation, you'll see the dashboard. But if you're in Canvas catalog, when you click on it, it would redirect you the storefront. So you can see all the courses that you're in for Canvas catalog. We've also buy requests on certain departments. Remove the right side navigation where it says import to comments course home page and so on.
Because some departments, they wanted their users just to focus on the content and not have to worry about all these other buttons on the side. So we've customized that as well. And in addition is we've removed the drop this course option in Canvas due to analytics, we want to keep track of the courses that are being dropped. So in order for them to drop the course, they have to go to catalog in the student dashboard to drop the course. Another, customization is in Canvas log, they provide out of the box two types of, templates for certificate of completion.
We have the default and the traditional and we've created our custom one to have our own branding. So you can see the differences on the options. And the last customization, I know we've done a lot who changes on here. But we just launched last week. HR, department just launched, workday.
They're slowly moving their human resources platform to work So they wanted to, create some resources for the staff to get an introduction on Workday. And although you can create your own sections, they requested that we wanted over fifty five courses with a maximum of two thousand enrollments And because of that, we created a messages depending on the enrollment. So we hear when you see the screen, there is no cap on the enrollment. Based on the enrollment, the messaging changes. So this is a little message that will show up on that screen.
So if it's greater than zero, but less than it equal to the twenty, they'll get message saying, hey, this is almost reaching its cap. You can go to you can enroll in this course or you can go to the next course listing. Then when it becomes zero, you'll notice the enrollment button is gone and then they would have to be directed to the next course. Then when all over fifty five courses have reached their cap. There is a messaging for them to go to their elevate page.
Again, University Maryland like to rename things. So work day is elevate. And all thanks to this amazing team. They are the ones who are the brain of Canvas catalog for university. So my manager, Doctor.
Jessica Skowalski, our inter instructional technology specialist, Lee Zu, and doctor Jennifer White. They lead the Canvas catalog for our university. LiZu is our integration specialist who did all of the scripting for Canvas catalog, and of course, our partner's office of extended studies. And now I'll hand it off to Mike. He'll talk more his institution.
Okay. So thank you very much. I'm I'm from Kansas. Any, fellow Kansas people out there? No, no wildcats. Oh, bummer.
So I I talk a little slope. I also really enjoy telling stories, and I have a horror story for you guys today. So I'm for most of you who already use catalog. You can probably know where I'm going with this. It's about user management? How many, how many spam users have you ever encountered in your entire existence of having catalogs? So, well, first, I'll start off a little bit about me, and where where I work.
So California virtual campus is a online, initiative or collaborative for the California community college system. So we have one hundred and sixteen institutions in the system. We all use Canvas. So that was a that was a huge, initiative from a few years back where we got everyone on the same platform, which was it. Really great for the state.
We have about one point eight million students across all one hundred and sixteen of those colleges. And they can they can enroll or cross enroll, across those So we've we've set this thing called the exchange so that they can, if I'm a student at, let's say, SAC City, Sacramento City College, and I need a class that SAC City can't offer, in that term. Maybe it's not offered online. Maybe it's already full. I can just cross and roll to another one of the hundred and sixteen California community colleges, in the States and take that class from them.
So and then get that transferred back in so I can keep moving through my degrees as soon as possible. So that's that's what CBC does, is where we're trying to build this network of cross enrolling institution and part of that work, that was the original vision of the California State Chancellor's office. But part of that work, was, hey, when we take a class from another college, how do we know that's the same quality as the class that we offer? And if we were to teach that class at our school. So, part of that led to this need for professional development, a state in for, professional development so that we could all kind of align our online courses to some common standards so that we have really high confidence that when students are cross and rolling between institutions, the classes they're taking are all kind of the same standard of instruction. So that created this need for for professional development offerings, for the state.
And so we use Canvas, of course, for that professional development, opportunities across the system. So we had a really talented group of professional development experts who was called at one in our system, and they would offer these online offerings and their the instructors were were drawn from the Community College them. So it was a great chance to network with other online instructors, also at another California community college, and learn from and kind of build your courses towards that common, rubric that that we had. So obviously the best way to to do that, or to offer those offerings would be to use Canvas catalog in our central sense of Canvas and let faculty know these are the available professional development opportunities that you can you can participate in. And, I'll get into a little bit about how catalog really makes that, that experience really easy seamless for external users.
But first, we want to ask a question. If if you still have that up on your your cell phones, or you wanna scan it now. If you could answer, if you use catalog, have you ever experienced intrusive spam enrollments in your system. I'm seeing a lot of smiles and smirks out there. So I'm thinking the answer's probably yes.
You have run into that, where you're trying to do something. It's really great, offer offer opportunities, but someone's taking advantage of that. They're coming in the back door. Oh, thank you so much. Okay.
Oh, I love this little graphic Alright. So we've got the eleven people are saying yes. Quite a few saying no, you're the lucky ones, you know, enjoy that while it lasts. And then, number of people who don't use Kellogg. But of the so it looks like about me, twenty five people who responded that are catalog users, eight of you have said no, fifteen said yes.
You have experienced, Canvas catalog, spam, so to speak. So let's talk about that. But first, I always like to start a story with another illustration. That's another story. So I mentioned I like to tell stories.
So, so, you'll see the the B seventeen here, back in World War II, and I borrowed this story actually from a book called How Not To Be Wrong. Ever read that or heard of it. It's a great one. It's about, you know, statistical thinking, how you use math in decision making. And so the the US army was trying to do that in World War II.
They were saying, alright, let's, let's look at, let's get some statisticians together. And let's have them, you know, look at problems, and maybe we can create some some better informed decision making out of those stats, that they kind of look at and collect and analyze. And so so that was called the statistical research group. And there was a very talented statistician named Abraham Walt, who, was working on that group. And so they one of the problems that they were presented with was, hey, our bombers are getting shot down in alarming numbers.
How do we protect servicemen and bring them home? So they they brought back a bunch of shot up planes from from the European theater, and they said, we want you to analyze all the bullet holes on these planes and determine where we should armor the planes because armor's very heavy, means the planes can't carry as many bombs or they they lose, mileage so they can't go as far. So we have to strategic about this. We can't just armor the whole thing. So tell us where to put that armor, that they'll be most effective. So everyone was looking at at those bullet holes, and they said, well, there's a lot, you know, kind of on the fuselage, the way and the control surfaces, where so obviously we should probably armor those.
Right? Well, Wall looks at at Professor Wall, who's a professor of stats at Columbia. And he said, put the armor here. And he here. And they said, there's no bullet holes there. Why would we do that? And he's like, you're missing bullet holes because the planes that you gave us all came back.
The planes that didn't come back were hit here and here. So so everyone was just kinda like, whoa. That's not what we thought. We were we were reinforcing the areas that we thought were most vulnerable based on the data we had, but in fact, the data that we had was missing a very important data set. That was the planes who didn't make it back.
So that's exactly what happened to me and my team, I would say, which is a perfect illustration for my next horror story. So I I just like to preface that I was saying, it's key to recognize what spammers are after in your system, and then identify the avenues with how they're being accessed. To what they're after. So this is from the anyone who's watched invasion of the bias natchez that's exactly what like. There was this moment in the movie where they kinda realized, oh my gosh, we have a problem.
And that moment came, in Christmas of twenty, I believe, twenty nineteen, or twenty eighteen, actually, where we had a sudden influx of fake user accounts. And when I say sudden, it was over the period of ten days we had twenty thousand new accounts created. There were only forty thousand accounts in our system prior to that. So, so we we came back from Christmas, and we like, I think our user accounts went up over over the break. And, that's kind of surprising.
And when we started looking at realized, oh my gosh, they're they're all kind of following the same pattern. They're spam accounts. So, we immediately started looking at, well, what they after? What was that target? And they were really targeting that creation of e portfolio pages in our instance. Then they were using those pages to message other people or other students, trying to offer these services that were offered. Anyone who attended the legal and privacy session yesterday, they kind of touched on that.
So So it's just a way to kind of, you know, defraud users. But our timeline, you know, we we got hit Oh, it was, sorry, twenty nineteen. Yeah, twenty eighteen, and twenty nineteen were, were our big ones. So we had twenty eight thousand MUs was actually in ten days. And then we continue to monitor that thinking, oh, we've identified the threat, and we've identified the, the avenue.
And we saw a few minor tests pop up, and you've probably seen this as well. You kind of monitor activity, and you'll see, oh, there's a few, but it doesn't seem like that much of a threat. What they were doing was that they were probing for different new avenues of attack. And so one of the first things we did, and I'll I'll talk about this more, was we shut down our self registration after that initial wave. We had self registration still turned on.
It really wasn't necessary. It wasn't serving any purpose, so use it. Get rid of that. So there's no more self registration for for users, and that kind of stopped them in their tracks temporarily. But then they kept coming in with these on their tests.
And then we got hit with a second wave last fall. And I have that same look on my face, because a couple of colleagues of mine from around the system started reaching out to me and saying, we've got some u some of your users in our environment And we don't think they're here for for good purposes. And so, so, I looked at it, and I was just like, it's happening again. They have the invasion of the vice natures all over. So we have trust accounts in California because we're facilitating all of those enrollments.
All of our instances of Canvas are connected via trust relationships, which is a whole another presentation for another day. But, But what we started noticing was that some of these other instances still had self registration turned on, and they had also posted self enroll links on their websites. So if you happen to have an account from another environment, and you access a self enroll link in another environment that's connected via trust relationship, you can get into that environment and start creating eportfolio pages there too. So so that's what they have been looking for with those little one off attacks, and that's what they got. So We were using the out of the box registration form for instructor Kellogg.
That's how someone who's not part of CDC could get an account and sign up for those Those lovely classes there are are, at one team we're offering for professional development. And so I like to look at a little bit like an emporium versus a mall, an outdoor mall. So what University in Maryland is doing, is really, it's like an emporium. It's very open on the inside, but you have to get in. And so you have to follow, it's behind a CAS, a central authenticating system.
So so you have to get into the college or university first, then can get access to view. The catalog, ours is the opposite. It's more like an outdoor mall. So it's like you can come off the street and just sign up for a class, and we'll create a Canvas account you so you can take that class, get in, and and it's great. It's really nice to use this when you're working with a very small team like mine because we just don't have enough people to really effectively run user management, which is where catalogs fantastic for that because it'll create users for you, give them access, manage enrollment, very easy to do with a small staff.
But what's different between an emporium or an indoor mall and an outdoor mall is that indoor malls have single points of entry that you can guard and safeguard very easily. Whereas an outdoor mall, everyone, if you've gone after hours, they've got a shutter in every single door is shuttered. And we did not have a shutter. We were an outdoor mall, but we did not have those kinds of protections in place. So if this has happened to you, my first recommendation is reach out immediately to your Canvas SM and the catalog users group, if you can, and say, hey, we're we're experiencing this.
Can you help us out? Your CSM can can do what they did for us was they actually reached out to, our colleagues on the Canvas team. Or a Canvas catalog team in, which I think is based in Hungary now, and facilitate a call. And so we, we've got a chance to meet with Canvas log and say, here's our problem. We need your help to fix this. We don't run your self registration page.
So we can't put any sort of protection throughout. We cannot shutter that thing by ourselves. So can you help us put a shutter on it? And, they did. They did. So, so, that recaptcha came about.
I don't know if you all remember. It didn't used to be a recaptcha on, on self enrollment, they did add that a a while back. Thankfully, in part, in part to some of the pains that experience all of us had experienced. So that helps a little bit with bot mitigation. So But, you know, there's a lot of advantages to to Canvas catalog.
It really is is great for automating that cam that account creation don't wanna lose that. So can't lock this thing down too much because then you're going to create a bunch of work for yourself and your very small limited resource teams. So so So it's easy to use. There's low overhead. It's it's an awesome platform, but the areas that needs improvement is that you need to create, it creates a user account immediately before the students even in the course.
So if your courses are paid, That's that's helpful sort of. And so that's what we've originally thought, oh, we've got too many free courses. Let's let's just, put like a dollar chart on that because, you know, all the spammer's not gonna fork over their credit card number. Well, catalog will create the Canvas account before actually finish the enrollment. So what they figured out within about two days, I mean, if if these guys were reached out to me instead of attacking system.
I would have given them a job. They were really, really good. But, but they within about two days, they figured out, Hey, you know what? We don't actually have finished an enrollment. We can just put the class in our shopping cart, fill out the reg form. We've got a, we've got a count in patient now, just waiting for us.
So we can just take that account, not finish the transaction. And now we've got access to these other connected instances of Canvas via that trust. So they just kept going. There's very limited user validation other than recaptcha. There's really none.
And so what we ended up with was a number those ghost applications where you just have the student create the registration and walk away from the the actual enrollment. So they never signed up for a class, they never had to pay for that class, but they had a Canvas account in our instance. So so this is what we learned, reached to Canvas catalog for support. And I said, look, you own that page. Can you put in IP can we geofence this page? Because we're we're just the state of California.
It's a really professional development opportunity our people. They're all within the, the US, by and large. So can we do that just basically limit activity North America, because all this was originating out of Asia and Europe. And so they were like, yeah, yeah, we can do that. Stopping in their tracks.
And I was like, oh, no, it won't. You know, they'll just use a VPN and just say, oh, I'm actually from the US. Sure. My my IP address is in the US. So I said you gotta also put on some VPN screening on that page for us so that you can detect if someone's using a VPN And then we'll just put up there, hey, if you're having access, you know, difficulties accessing this page, or or having difficulties stirring, please contact our support desk.
So anyone who's legitimately trying to get an account legitimately trying to sign out, they do have it adds a little more overhead for us, but that volume was so low. We're like, we can manage that. We cannot manage this kind of spam intrusion. So let's do that. So they implemented those two things within a matter of days.
Like Canvas catalog, administration was fantastic to work with. And we also add an approved email domain list, which which had varying levels of effect. So we'd, like, exclude certain domains that we seem to be abused. So though, with those things kind of put together, we found that it was extremely effective at locking down, spam. We've had no spam since.
And we actually also reversed our, trust relationships. I I told CSM, I was like, desperate times call for extraordinary measures. So can you lock down those trust to be one way? So the we'll trust any users coming from the colleges, but they shouldn't trust any users coming from us. And they did that. And with that, we've had no further threats.
I don't think I see one of my colleagues in the audience. I don't think we've had any additional issues in the last year. But again, these guys are always on the lookout. They're always looking for new prey. So I wanted to def I was so glad that we got the opportunity to present on this here, that you all could come because hopefully these, lessons learned will be able to help you so you don't fall victim to this kind of, intrusive unwind attacks.
And we'll talk more. Oops. It did not show the screen, but that's what it says on there. Okay. Alright.
Okay. Again, my name is Mary Ann Santos, and I'm from the University of and this is my bow. We'll explain ourselves a little bit more, as we go on throughout the presentation. The agenda, we're gonna talk about what is Canvas catalog and how our case uses for me at University of Maryland and for Mike at California virtual campus and at the end we have some time for any questions that you may have in regards to campus catalog. So what is Canvas catalog? Canvas catalog.
So with Canvas, we know it's in a learning management system. That we use for all of our courses. You can use Canvas catalog as a platform that can go either with your Canvas instance or it can be working in tandem. So two separate, things. And what are some things that Canvas catalog do? So it extends beyond the campus.
So when you have Canvas in your own institution, either if it's higher ed or k to twelve, you have your own courses within within your institution that are term based. With campus catalog, you can extend it where you offer courses to anyone beyond your own campus. And part of that, you can include a payment gateway, University of Maryland uses authorize dot net. And, Mike, you said use PayPal. If you want to, set up some kind of payment gateway.
You can also offer promotions for those who are interested in taking courses from your instance. You can also give discounts and promo codes. And with Canvas catalog, you can create a certificate of completion. So, within Canvas catalog, when you turn when create a course. You create certain requirements that you want your users to complete.
And once they complete it, they're automatically called a certificate of completion. It's automatic automatically, automated for yourself. So I'm gonna talk about C, Maryland. So again, my name is Marian Santos. I'm a learning management system specialist, under the d under the division of information technology.
A little bit about university, Maryland, we are located in College Park, Maryland, eight miles away from Washington, DC. We have twelve colleges over one hundred majors, and, over thirty thousand undergraduate enroll and our student to teacher ratio is eighteen to one, just to give you an idea how big our campus is. For our fall twenty two enrollment, I've already said that we have over thirty thousand undergraduate, students. We have over nine thousand full time faculty over five thousand part time faculty and almost six thousand university staff. Now let's talk about adoption and implementation.
University of Maryland, adopted, Canvas catalog, January twenty four, twenty seventeen. You'll notice on the screen it says open learning. So university of Maryland likes to rename things that we have with our own branding. So I apologize if I confuse you if I say canvas catalog or open learning, they're the same thing. Okay.
So again, canvas catalog, open learning, same thing. Then after within the same month, University of Maryland launched their free first free first free course enrollment. January thirty one, and then, first fee based course enrollment July seven, twenty seventeen. With that we had over I'm sorry about sixty one courses. It's also called listings under Canvas catalog.
That were created and have active enrollments in twenty seventeen. And since twenty seventeen, we have a large growth. So again, we went from sixty one courses in twenty seventeen to two hundred fifty one in twenty twenty three. In regards to enrollment, we went from one thousand one hundred sixty five in twenty seventeen to Excuse me. Fifty two thousand in twenty twenty three.
And last one, the one that's everyone's favorite is revenue. We went from eighty two thousand for that year twenty seventeen to one hundred ninety seven thousand just for this year, twenty twenty two June to June twenty twenty three. And with that, we have ninety two sub catalogs. So most of you are probably familiar with subaccounts when you're in Canvas, but because you're in Canvas catalog, we have ninety two active sub catalogs. And these are just some of the departments because I don't have room to fit ninety two catalogs on here, but we have our different departments, and colleges that use, Canvas catalog, including DIT, are or Maryland Fire and Rescue Institute and are even our human resources.
Now, also promote Canvas catalog slash open learning, internally and externally. So internally, we advertise or promote it using our DID weekly newsletter to let other people know about Canvas catalog and the opportunities that they can have. And we have our own internal professional learning community called LTCOP. So learning technology community practice. This is where we have individuals in each department that represent their department and we meet with them, about monthly to share information, not just with Kevin's catalog, but anything canvas or DID related.
External, we share at conference is at educas, and of course here instructor Khan. And, we have a public professional learning community called catalog peers group. So if you're interested in I will share more information at the end if you're interested in joining our catalog peers group. And of course, we promoted on our open learning storefront. Now for customizations, excuse me.
So even though Canvas catalog has a lot of features that comes out of the box. We did a lot of customizations to fit our needs and to include our own branding. And this is something that my team has been doing since twenty seventeen before I became something explaining that most of the things that we've done is using scripting, to make these customizations. So one of the first things we did was customize the header. So you'll notice that our universe, Maryland colors, and our, banner is different.
And we've even in, updated our footer to include our terror pin, mascot logo, and, additional information, who to contact So we do a lot of work with the offices of extended studies to talk about him as catalog. Another customization we've done with scripting is redirecting our users to our getting start page. So we've the open office of extended studies, created a course that includes a lot of information how to get started with open learning depending if you're a university, Maryland user or an external user. And I'm gonna go back a couple slides. Here on our home page, we have a button next to log in that says about.
So when they click on that, it takes them to that page. The getting started page. Another customization is enrollment page with a warning message. So whenever you have a course available in Canvas catalog, you'll see the there's image, the title and the button to enroll. Right below I've highlighted in orange is a warm message because we have, Canvas catalog open to anyone, we have certain courses that are specific to specific users.
So we have in DIT, our defender shell to go with our terrapin, theme. That we only want users who are university, Maryland. Sorry. University, Maryland faculty and staff to use. So we put this warning on here for those who are not faculty and staff to let them know that this course is not for you and that they will be removed they're not if they do not use their directory ID.
Another customization that I know Mike will talk more about is the registration page. So out of the box when you sign in to Canvas catalog for your instance, you'll get this screen here. On the left hand side of the box, you'll see there's a field for your full name, your email, and your confirmation email. Because of this page, we get a lot of spammers. And to combat that, we have, customized our page to look what it looks like now on the right hand side, where they have to create their own associate account, get an email to complete the registration process so that we know that this is a real person creating an account and they want to enroll in a course.
So once they finish that registration process, then they can enroll into the course. Another customization thanks to Indiana University. They shared their HTML code with us to customize the course card. The course card normally has the image and a short description, but you'll see here the layout is different where it includes the overview, the course outline, and at a glance. We've also customized our dashboard.
So in Canvas, on the global navigation, you'll see the dashboard. But if you're in Canvas catalog, when you click on it, it would redirect you the storefront. So you can see all the courses that you're in for Canvas catalog. We've also buy requests on certain departments. Remove the right side navigation where it says import to comments course home page and so on.
Because some departments, they wanted their users just to focus on the content and not have to worry about all these other buttons on the side. So we've customized that as well. And in addition is we've removed the drop this course option in Canvas due to analytics, we want to keep track of the courses that are being dropped. So in order for them to drop the course, they have to go to catalog in the student dashboard to drop the course. Another, customization is in Canvas log, they provide out of the box two types of, templates for certificate of completion.
We have the default and the traditional and we've created our custom one to have our own branding. So you can see the differences on the options. And the last customization, I know we've done a lot who changes on here. But we just launched last week. HR, department just launched, workday.
They're slowly moving their human resources platform to work So they wanted to, create some resources for the staff to get an introduction on Workday. And although you can create your own sections, they requested that we wanted over fifty five courses with a maximum of two thousand enrollments And because of that, we created a messages depending on the enrollment. So we hear when you see the screen, there is no cap on the enrollment. Based on the enrollment, the messaging changes. So this is a little message that will show up on that screen.
So if it's greater than zero, but less than it equal to the twenty, they'll get message saying, hey, this is almost reaching its cap. You can go to you can enroll in this course or you can go to the next course listing. Then when it becomes zero, you'll notice the enrollment button is gone and then they would have to be directed to the next course. Then when all over fifty five courses have reached their cap. There is a messaging for them to go to their elevate page.
Again, University Maryland like to rename things. So work day is elevate. And all thanks to this amazing team. They are the ones who are the brain of Canvas catalog for university. So my manager, Doctor.
Jessica Skowalski, our inter instructional technology specialist, Lee Zu, and doctor Jennifer White. They lead the Canvas catalog for our university. LiZu is our integration specialist who did all of the scripting for Canvas catalog, and of course, our partner's office of extended studies. And now I'll hand it off to Mike. He'll talk more his institution.
Okay. So thank you very much. I'm I'm from Kansas. Any, fellow Kansas people out there? No, no wildcats. Oh, bummer.
So I I talk a little slope. I also really enjoy telling stories, and I have a horror story for you guys today. So I'm for most of you who already use catalog. You can probably know where I'm going with this. It's about user management? How many, how many spam users have you ever encountered in your entire existence of having catalogs? So, well, first, I'll start off a little bit about me, and where where I work.
So California virtual campus is a online, initiative or collaborative for the California community college system. So we have one hundred and sixteen institutions in the system. We all use Canvas. So that was a that was a huge, initiative from a few years back where we got everyone on the same platform, which was it. Really great for the state.
We have about one point eight million students across all one hundred and sixteen of those colleges. And they can they can enroll or cross enroll, across those So we've we've set this thing called the exchange so that they can, if I'm a student at, let's say, SAC City, Sacramento City College, and I need a class that SAC City can't offer, in that term. Maybe it's not offered online. Maybe it's already full. I can just cross and roll to another one of the hundred and sixteen California community colleges, in the States and take that class from them.
So and then get that transferred back in so I can keep moving through my degrees as soon as possible. So that's that's what CBC does, is where we're trying to build this network of cross enrolling institution and part of that work, that was the original vision of the California State Chancellor's office. But part of that work, was, hey, when we take a class from another college, how do we know that's the same quality as the class that we offer? And if we were to teach that class at our school. So, part of that led to this need for professional development, a state in for, professional development so that we could all kind of align our online courses to some common standards so that we have really high confidence that when students are cross and rolling between institutions, the classes they're taking are all kind of the same standard of instruction. So that created this need for for professional development offerings, for the state.
And so we use Canvas, of course, for that professional development, opportunities across the system. So we had a really talented group of professional development experts who was called at one in our system, and they would offer these online offerings and their the instructors were were drawn from the Community College them. So it was a great chance to network with other online instructors, also at another California community college, and learn from and kind of build your courses towards that common, rubric that that we had. So obviously the best way to to do that, or to offer those offerings would be to use Canvas catalog in our central sense of Canvas and let faculty know these are the available professional development opportunities that you can you can participate in. And, I'll get into a little bit about how catalog really makes that, that experience really easy seamless for external users.
But first, we want to ask a question. If if you still have that up on your your cell phones, or you wanna scan it now. If you could answer, if you use catalog, have you ever experienced intrusive spam enrollments in your system. I'm seeing a lot of smiles and smirks out there. So I'm thinking the answer's probably yes.
You have run into that, where you're trying to do something. It's really great, offer offer opportunities, but someone's taking advantage of that. They're coming in the back door. Oh, thank you so much. Okay.
Oh, I love this little graphic Alright. So we've got the eleven people are saying yes. Quite a few saying no, you're the lucky ones, you know, enjoy that while it lasts. And then, number of people who don't use Kellogg. But of the so it looks like about me, twenty five people who responded that are catalog users, eight of you have said no, fifteen said yes.
You have experienced, Canvas catalog, spam, so to speak. So let's talk about that. But first, I always like to start a story with another illustration. That's another story. So I mentioned I like to tell stories.
So, so, you'll see the the B seventeen here, back in World War II, and I borrowed this story actually from a book called How Not To Be Wrong. Ever read that or heard of it. It's a great one. It's about, you know, statistical thinking, how you use math in decision making. And so the the US army was trying to do that in World War II.
They were saying, alright, let's, let's look at, let's get some statisticians together. And let's have them, you know, look at problems, and maybe we can create some some better informed decision making out of those stats, that they kind of look at and collect and analyze. And so so that was called the statistical research group. And there was a very talented statistician named Abraham Walt, who, was working on that group. And so they one of the problems that they were presented with was, hey, our bombers are getting shot down in alarming numbers.
How do we protect servicemen and bring them home? So they they brought back a bunch of shot up planes from from the European theater, and they said, we want you to analyze all the bullet holes on these planes and determine where we should armor the planes because armor's very heavy, means the planes can't carry as many bombs or they they lose, mileage so they can't go as far. So we have to strategic about this. We can't just armor the whole thing. So tell us where to put that armor, that they'll be most effective. So everyone was looking at at those bullet holes, and they said, well, there's a lot, you know, kind of on the fuselage, the way and the control surfaces, where so obviously we should probably armor those.
Right? Well, Wall looks at at Professor Wall, who's a professor of stats at Columbia. And he said, put the armor here. And he here. And they said, there's no bullet holes there. Why would we do that? And he's like, you're missing bullet holes because the planes that you gave us all came back.
The planes that didn't come back were hit here and here. So so everyone was just kinda like, whoa. That's not what we thought. We were we were reinforcing the areas that we thought were most vulnerable based on the data we had, but in fact, the data that we had was missing a very important data set. That was the planes who didn't make it back.
So that's exactly what happened to me and my team, I would say, which is a perfect illustration for my next horror story. So I I just like to preface that I was saying, it's key to recognize what spammers are after in your system, and then identify the avenues with how they're being accessed. To what they're after. So this is from the anyone who's watched invasion of the bias natchez that's exactly what like. There was this moment in the movie where they kinda realized, oh my gosh, we have a problem.
And that moment came, in Christmas of twenty, I believe, twenty nineteen, or twenty eighteen, actually, where we had a sudden influx of fake user accounts. And when I say sudden, it was over the period of ten days we had twenty thousand new accounts created. There were only forty thousand accounts in our system prior to that. So, so we we came back from Christmas, and we like, I think our user accounts went up over over the break. And, that's kind of surprising.
And when we started looking at realized, oh my gosh, they're they're all kind of following the same pattern. They're spam accounts. So, we immediately started looking at, well, what they after? What was that target? And they were really targeting that creation of e portfolio pages in our instance. Then they were using those pages to message other people or other students, trying to offer these services that were offered. Anyone who attended the legal and privacy session yesterday, they kind of touched on that.
So So it's just a way to kind of, you know, defraud users. But our timeline, you know, we we got hit Oh, it was, sorry, twenty nineteen. Yeah, twenty eighteen, and twenty nineteen were, were our big ones. So we had twenty eight thousand MUs was actually in ten days. And then we continue to monitor that thinking, oh, we've identified the threat, and we've identified the, the avenue.
And we saw a few minor tests pop up, and you've probably seen this as well. You kind of monitor activity, and you'll see, oh, there's a few, but it doesn't seem like that much of a threat. What they were doing was that they were probing for different new avenues of attack. And so one of the first things we did, and I'll I'll talk about this more, was we shut down our self registration after that initial wave. We had self registration still turned on.
It really wasn't necessary. It wasn't serving any purpose, so use it. Get rid of that. So there's no more self registration for for users, and that kind of stopped them in their tracks temporarily. But then they kept coming in with these on their tests.
And then we got hit with a second wave last fall. And I have that same look on my face, because a couple of colleagues of mine from around the system started reaching out to me and saying, we've got some u some of your users in our environment And we don't think they're here for for good purposes. And so, so, I looked at it, and I was just like, it's happening again. They have the invasion of the vice natures all over. So we have trust accounts in California because we're facilitating all of those enrollments.
All of our instances of Canvas are connected via trust relationships, which is a whole another presentation for another day. But, But what we started noticing was that some of these other instances still had self registration turned on, and they had also posted self enroll links on their websites. So if you happen to have an account from another environment, and you access a self enroll link in another environment that's connected via trust relationship, you can get into that environment and start creating eportfolio pages there too. So so that's what they have been looking for with those little one off attacks, and that's what they got. So We were using the out of the box registration form for instructor Kellogg.
That's how someone who's not part of CDC could get an account and sign up for those Those lovely classes there are are, at one team we're offering for professional development. And so I like to look at a little bit like an emporium versus a mall, an outdoor mall. So what University in Maryland is doing, is really, it's like an emporium. It's very open on the inside, but you have to get in. And so you have to follow, it's behind a CAS, a central authenticating system.
So so you have to get into the college or university first, then can get access to view. The catalog, ours is the opposite. It's more like an outdoor mall. So it's like you can come off the street and just sign up for a class, and we'll create a Canvas account you so you can take that class, get in, and and it's great. It's really nice to use this when you're working with a very small team like mine because we just don't have enough people to really effectively run user management, which is where catalogs fantastic for that because it'll create users for you, give them access, manage enrollment, very easy to do with a small staff.
But what's different between an emporium or an indoor mall and an outdoor mall is that indoor malls have single points of entry that you can guard and safeguard very easily. Whereas an outdoor mall, everyone, if you've gone after hours, they've got a shutter in every single door is shuttered. And we did not have a shutter. We were an outdoor mall, but we did not have those kinds of protections in place. So if this has happened to you, my first recommendation is reach out immediately to your Canvas SM and the catalog users group, if you can, and say, hey, we're we're experiencing this.
Can you help us out? Your CSM can can do what they did for us was they actually reached out to, our colleagues on the Canvas team. Or a Canvas catalog team in, which I think is based in Hungary now, and facilitate a call. And so we, we've got a chance to meet with Canvas log and say, here's our problem. We need your help to fix this. We don't run your self registration page.
So we can't put any sort of protection throughout. We cannot shutter that thing by ourselves. So can you help us put a shutter on it? And, they did. They did. So, so, that recaptcha came about.
I don't know if you all remember. It didn't used to be a recaptcha on, on self enrollment, they did add that a a while back. Thankfully, in part, in part to some of the pains that experience all of us had experienced. So that helps a little bit with bot mitigation. So But, you know, there's a lot of advantages to to Canvas catalog.
It really is is great for automating that cam that account creation don't wanna lose that. So can't lock this thing down too much because then you're going to create a bunch of work for yourself and your very small limited resource teams. So so So it's easy to use. There's low overhead. It's it's an awesome platform, but the areas that needs improvement is that you need to create, it creates a user account immediately before the students even in the course.
So if your courses are paid, That's that's helpful sort of. And so that's what we've originally thought, oh, we've got too many free courses. Let's let's just, put like a dollar chart on that because, you know, all the spammer's not gonna fork over their credit card number. Well, catalog will create the Canvas account before actually finish the enrollment. So what they figured out within about two days, I mean, if if these guys were reached out to me instead of attacking system.
I would have given them a job. They were really, really good. But, but they within about two days, they figured out, Hey, you know what? We don't actually have finished an enrollment. We can just put the class in our shopping cart, fill out the reg form. We've got a, we've got a count in patient now, just waiting for us.
So we can just take that account, not finish the transaction. And now we've got access to these other connected instances of Canvas via that trust. So they just kept going. There's very limited user validation other than recaptcha. There's really none.
And so what we ended up with was a number those ghost applications where you just have the student create the registration and walk away from the the actual enrollment. So they never signed up for a class, they never had to pay for that class, but they had a Canvas account in our instance. So so this is what we learned, reached to Canvas catalog for support. And I said, look, you own that page. Can you put in IP can we geofence this page? Because we're we're just the state of California.
It's a really professional development opportunity our people. They're all within the, the US, by and large. So can we do that just basically limit activity North America, because all this was originating out of Asia and Europe. And so they were like, yeah, yeah, we can do that. Stopping in their tracks.
And I was like, oh, no, it won't. You know, they'll just use a VPN and just say, oh, I'm actually from the US. Sure. My my IP address is in the US. So I said you gotta also put on some VPN screening on that page for us so that you can detect if someone's using a VPN And then we'll just put up there, hey, if you're having access, you know, difficulties accessing this page, or or having difficulties stirring, please contact our support desk.
So anyone who's legitimately trying to get an account legitimately trying to sign out, they do have it adds a little more overhead for us, but that volume was so low. We're like, we can manage that. We cannot manage this kind of spam intrusion. So let's do that. So they implemented those two things within a matter of days.
Like Canvas catalog, administration was fantastic to work with. And we also add an approved email domain list, which which had varying levels of effect. So we'd, like, exclude certain domains that we seem to be abused. So though, with those things kind of put together, we found that it was extremely effective at locking down, spam. We've had no spam since.
And we actually also reversed our, trust relationships. I I told CSM, I was like, desperate times call for extraordinary measures. So can you lock down those trust to be one way? So the we'll trust any users coming from the colleges, but they shouldn't trust any users coming from us. And they did that. And with that, we've had no further threats.
I don't think I see one of my colleagues in the audience. I don't think we've had any additional issues in the last year. But again, these guys are always on the lookout. They're always looking for new prey. So I wanted to def I was so glad that we got the opportunity to present on this here, that you all could come because hopefully these, lessons learned will be able to help you so you don't fall victim to this kind of, intrusive unwind attacks.