wiki: compile cascades-tucson (full) -- 7/1 caretaker roster update (35 in SG-Caregivers) + phone-login CA cutover integrated

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-01 15:47:03 -07:00
parent 282c4af8cc
commit 1775571abb
2 changed files with 24 additions and 9 deletions

View File

@@ -108,6 +108,9 @@ sources:
- clients/cascades-tucson/session-logs/2026-07/2026-07-01-howard-vlan20-migration-live-reconcile.md
- clients/cascades-tucson/docs/printer-gpo-map.md
- .claude/memory/project_cascades_vlan20_migration_routing.md
- clients/cascades-tucson/session-logs/2026-07/2026-07-01-howard-caretaker-roster-update-phone-login-cutover.md
- clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md
- clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md
backlinks:
- projects/gururmm
- wiki/systems/uos-server
@@ -115,7 +118,7 @@ backlinks:
# Cascades of Tucson
Senior living / assisted living facility in Tucson, AZ. Single 6-floor building plus a MemCare (Memory Care) wing on floors 5-6. ACG took over from a previous MSP. Primary compliance driver is HIPAA. Active multi-phase migration project ongoing as of 2026-07-01 -- the network/VLAN 20 staff-machine move is largely complete (22 machines migrated, ~6 stragglers left), with printer re-IP/GPO work now the lagging piece.
Senior living / assisted living facility in Tucson, AZ. Single 6-floor building plus a MemCare (Memory Care) wing on floors 5-6. ACG took over from a previous MSP. Primary compliance driver is HIPAA. Active multi-phase migration project ongoing as of 2026-07-01 -- the network/VLAN 20 staff-machine move is largely complete (22 machines migrated, ~6 stragglers left), with printer re-IP/GPO work now the lagging piece. Also on 2026-07-01: the caregiver roster was reconciled against the client's updated list (8 offboarded, 4 hired, `SG-Caregivers` now 35) and the caregiver Conditional Access policies were cut over to an interim posture allowing phone + desktop sign-in (on-network only) -- see Entra Access Architecture and Conditional Access / Caregiver Policies.
---
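Review bot: the new overview sentence switches between "caregiver" and "caretaker" for the same population (the group is `SG-Caregivers`, the client's list and the tracking doc say "caretaker"), and this mix runs through the whole change; pick one term for the wiki body and note once that the client calls them caretakers. The two trailing cross-references ("see Entra Access Architecture and Conditional Access / Caregiver Policies") are bare section names; in-page anchor links would survive a heading rename.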
@@ -143,11 +146,15 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
### ALIS SSO
- Entra app registration -> OIDC SSO into ALIS; **tenant-wide admin consent granted** (2026-06-03). Per-user join key = **ALIS staff Email must equal the Entra UPN**. Caregivers SSO silently on phones (ALIS-native 2FA off); office users SSO with offsite MFA.
### Caregiver phone SSO go-live (SUBSTANTIALLY DONE 2026-06-30 -- Entra/identity side complete)
### Caregiver phone SSO go-live (SUBSTANTIALLY DONE 2026-06-30, roster reconciled + CA cutover 2026-07-01)
The caregiver phone-SSO onboarding was executed 2026-06-30. To silently SSO into ALIS on a shared Samsung phone, each caregiver must be (1) in `SG-Caregivers` (bypasses the tenant-wide all-users-MFA CA policy, falls under the location+device posture), (2) M365-licensed (Business Premium, which also carries the Entra ID P1 the CA lockdown needs per-user), and (3) have ALIS staff `Email` = Entra UPN. **Live AD state:** `OU=Caregivers` holds 42 objects = 40 enabled real caregivers + `pilot.test` (test artifact) + `n.castro` (disabled). All 40 real caregivers had NEVER logged into the domain (bulk-created 2026-05-16/18) and were UNLICENSED before this session.
- **DONE (Entra/identity):** all 40 caregivers added to `SG-Caregivers` (was 38; added `c.lassey` + `p.sandoval-beck`), assigned **Microsoft 365 Business Premium** (`usageLocation=US` first, then `assignLicense`), and given unique phone-typeable AD temp passwords with **forced change at next logon** (hybrid PHS -> the AD password is also the M365/phone sign-in). Temp passwords vaulted at `clients/cascades-tucson/caregiver-temp-passwords-2026-06-30.sops.yaml` (40 entries; retrieve with `vault get`, NOT get-field -- keys contain dots; delivered to Howard via Discord DM). **`SG-Caregivers` is frontline caregivers ONLY** -- Veronica Feller + Christine Nyanzunda (admin-adjacent) and `pilot.test`/`n.castro` are intentionally excluded (reverses the earlier 6/4 plan to add Feller/Nyanzunda).
- **REMAINING gate (Howard handling -- ALIS side):** set each caregiver's ALIS staff `Email` = Entra UPN so "Sign in with Microsoft" resolves. Of the 40 AD caregivers: 23 confirmed ALIS caregivers (just need Email=UPN), 5 in ALIS with blank job role (confirm caregiver + Email=UPN), 5 Med Techs (Email=UPN; Howard earlier said "ignore for the moment" -- revisit), **7 have NO ALIS staff record (must be created before SSO can work)**, and **3 ALIS caregivers have no AD account** (Judith Palmer, Joey Ty, Alejandra Vallejo -- create AD accounts if they need phones). Also blanket-disable ALIS-native 2FA for the caregiver bucket as records are matched. NOTE: Zeke Huerta stays `e.huerta@cascadestucson.com` (do NOT "correct" to z.huerta) -- his ALIS Email must be `e.huerta@`. Build path: `alis` skill `build-import` -> upload .xls in ALIS UI (no staff-write API).
- **Prior crosscheck (2026-06-29):** phone-only caregivers = NONE (all caregiver rows are `D+P`; only the 3 Transportation drivers are phone-only and do not need ALIS). 7 caregiver-list people are present in ALIS only as **Discharged** records (Niel Castro, Kasey Flores, Bella Mendoza, Corey Tate, Gloria Williford, Mary Kariuki [DUP records 429856/429858], Maia Baker) -- decide reactivate-vs-recreate. Confirm Charity Sika (CSV) == Bariffa Sika (ALIS 309045).
- **[UPDATE 2026-07-01] Roster reconciled against the client's updated caretaker list + CA phone-login cutover.** The client's list was checked 1:1 against live AD (`OU=Caregivers`, 42 objects) via GuruRMM. Executed on CS-SERVER: **8 accounts disabled + removed from `SG-Caregivers` + Business Premium reclaimed** -- the 7 already-flagged leavers (b.mendoza, c.tate, d.fierros, g.williford, k.flores, m.baker, m.kariuki, all previously ALIS-Discharged/no-record and never logged in) plus `t.lassey-assiakoley` (client confirmed Tele Sepopo Lassey Assiakoley = Celia Lassey -- a duplicate of `c.lassey`, which was kept). **4 new caretakers created** (OU=Caregivers + `SG-Caregivers` + Business Premium + forced-change temp passwords): a.vallejo (Alejandra Vallejo, already an ALIS caregiver with no prior AD account), j.munezero (Jeanpabtiste Munezero), n.cota (Nicole Cota), k.robinson (Katlyn Robinson). Temp passwords vaulted at `clients/cascades-tucson/caregiver-temp-passwords-2026-07-01.sops.yaml` (retrieve with `vault get`, not `get-field` -- dotted keys). **`SG-Caregivers` is now 35 members** (down from 40; cloud group `8b8d9222` verified synced with all 4 new hires present). SPB pool: 45 enabled / 41 consumed (4 free).
- **Zeke Huerta (e.huerta) moved to front desk** -- removed from `SG-Caregivers` only; his AD account stays in `OU=Caregivers` because Entra Connect's sync scope covers ONLY `OU=Caregivers` / `OU=Groups` / `OU=Caregiver Devices` -- an OU move would delete his cloud object. OU move deferred until `OU=Administrative` enters sync scope. He now falls under the tenant-wide `Require MFA for all users` policy with **no registered MFA method -- Authenticator registration is pending.**
- **Christine Nyanzunda reaffirmed OUT of `SG-Caregivers`** despite the client's list naming her as a caretaker -- Howard held the frontline-only rule (established 2026-06-30). She keeps her existing `christine.nyanzunda` account with its broader (admin-adjacent) access.
- **Caregiver phone/desktop login verified end-to-end and two CA blockers fixed** (Howard's go). Root cause: `pilot.test` had only ever worked because it sits in `SG-Caregivers-DeviceTest`/`-Test`, which are excluded from the compliance-block and targeted by the allow-list -- live caretakers hit both problems at once. **Fix 1:** `Require MFA for all users` (`7e87a1c7`) excluded only the stale `SG-Caregivers-Pilot` group -- added the live `SG-Caregivers` (`8b8d9222`) to `excludeGroups` (break-glass `excludeUsers` preserved). **Fix 2:** `CSC - Block caregivers on non-compliant device` (`ede985e2`) was blocking every caretaker device because the CSC-* phones report Intune-noncompliant (no Windows device is Intune-managed either) -- **disabled 2026-07-01, do not re-enable, superseded by the allow-list at final lockdown.** **Interim posture:** all caretakers may sign in on desktops AND phones, on-network only (`e35614e1` off-network block + `7d491c7a` 8h sign-in frequency remain enforced); the device allow-list (`1b7fd025`) stays scoped to the TEST group. This supersedes the 2026-06-24 "stay TEST-scoped, do not flip lockdown until all devices are domain-ready" decision. Phones-only lockdown is deferred to the end of the rollout -- tracking list `docs/cloud/caretaker-phones-only-list.md` (per the 4/22 staff CSV every caretaker is currently `D+P`; the phones-only cohort is TBD with the client).
### Caregiver desktop/laptop management -- Hybrid Entra Join + GPO (the chosen path)
Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingInput`; no Windows device ever Intune-enrolled -- MS case open), Windows caregiver devices are managed via **Hybrid Entra Join + on-prem Group Policy** instead. This needs no Intune. The CA access model is unchanged (hybrid join just gives the device an Entra object so the allow-list/deviceId still applies).
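Review bot: the member arithmetic in the 7/1 update bullet does not close: it says `SG-Caregivers` is 35 "down from 40" after "8 accounts disabled" and "4 new caretakers created", which gives 36; the ninth removal is Zeke Huerta in the following bullet. State it in the same sentence (8 leavers + Huerta removed, 4 added = 35) so a later reconciliation can rerun the math from the wiki alone. Second, the interim-posture sentence should say plainly what device control remains: with `ede985e2` disabled and the allow-list `1b7fd025` still report-only and TEST-scoped, nothing now evaluates the device for live caretakers, and the only enforced controls are the on-network block `e35614e1` and the 8h sign-in frequency `7d491c7a`. That is an accepted risk, so record it as one (who accepted it, until when) rather than leaving it implied by "superseded by the allow-list at final lockdown".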
@@ -156,8 +163,9 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- **App + printer delivery GPO `CSC - Caregiver Workstation`** (`{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`, User-config GPP) -- **BUILT + VALIDATED on NURSESTATION as pilot.test (2026-06-05).** Linked at `OU=Caregivers,OU=Departments`; security filter = `SG-Caregivers-Test` (Apply, pilot.test only) + Authenticated Users (Read, for MS16-072). Go-live = swap filter to `SG-Caregivers`. Contents: 3 desktop shortcuts -- ALIS, LinkRx, **Helpany** (`https://app.safe-living.com/login` -- named "Helpany," the brand caregivers know) -- + 6 `\\CS-SERVER` shared printers (NursesPrinter, HealthServices, MCMedTech, MCReception, MCDirector, CopyRoom) with **default printer by device location** (Nurses for `SG-PC-MainTower`, MC MedTech for `SG-PC-MemoryCare`, computer-context ILT) + HKCU `LegacyDefaultPrinterMode=1` so the default sticks. Build scripts: `clients/cascades-tucson/scripts/build-caregiver-gpo.ps1` + `link-caregiver-gpo.ps1`. NOTE: the domain-wide `CSC - Printer Deployment` GPO is intentionally disabled (empty CSE / version 0) and is **not** to be used -- reference only.
- **Device lockdown GPO `CSC - Caregiver Device Lockdown`** (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`, computer-only, linked to `OU=Caregiver Devices`) -- **DEPLOYED 2026-06-05.** Auto-logoff is a HIPAA requirement (SS164.312(a)(2)(iii)) for shared PHI devices. Settings: screen **lock at 3 min**, **auto sign-out at 15 min** total idle, **90-second warning** before sign-out, **never sleep** (display off 10 min). Delivered via a computer **startup script** (`caregiver-lockdown.ps1`, in SYSVOL) that sets `InactivityTimeoutSecs=180`, powercfg, and registers a logon-triggered scheduled task running an idle monitor in each caregiver's session. Deploy script: `deploy-device-lockdown-gpo.ps1`. **Startup scripts run at boot -- NURSESTATION must reboot** to activate (not yet verified). **Companion:** ALIS app session timeout 20->15 min (Howard, ALIS admin) **PENDING.** Lock/logoff are **device-level** (affect any user on the device in `OU=Caregiver Devices`).
### Status (as of 2026-06-30)
- **Caregiver phone SSO -- Entra/identity side COMPLETE** (group + Business Premium license + forced-change AD temp passwords for all 40). Remaining gate is the ALIS Email=UPN match (Howard) + creating ALIS records for the 7 with none + AD accounts for the 3 ALIS-only caregivers.
### Status (as of 2026-07-01)
- **Caregiver phone SSO -- Entra/identity side COMPLETE for the current 35-member roster** (group + Business Premium license + forced-change AD temp passwords). Remaining gate is the ALIS Email=UPN match (Howard) + creating ALIS records for the 3 brand-new hires (Munezero, Cota, Robinson) + setting Vallejo's ALIS Email=UPN + the outstanding items from 6/30 (7 discharged-record decisions, Kariuki ALIS dup 429856/429858 dedupe if she returns).
- **Caregiver CA lockdown is LIVE (interim posture, 2026-07-01):** caretakers sign in on desktops and phones, on-network only -- see the 7/1 update above and Conditional Access / Caregiver Policies. Phones-only lockdown deferred to end of rollout.
- **Proven working end-to-end on a hybrid-joined desktop (NURSESTATION + pilot.test):** caregiver lockdown (CA off-network block + device allow-list) **and** silent ALIS SSO. The allow-list policy `1b7fd025` carries NURSESTATION's current deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` and the device is tagged `extensionAttribute1=CSCCaregiverDevice`.
- **GPOs DEPLOYED:** `CSC - Caregiver Workstation` built and validated on pilot.test. `CSC - Caregiver Device Lockdown` deployed to `OU=Caregiver Devices` 2026-06-05. **Go-live (still gated on all devices domain-ready):** swap GPO filter `SG-Caregivers-Test` -> `SG-Caregivers`; CA allow-list test group -> `SG-Caregivers`; move real caregiver machines into `OU=Caregiver Devices` + correct `SG-PC-*` location group one at a time. **Still pending:** lower ALIS app timeout 20->15 min; reboot NURSESTATION to verify lockdown.
- **Independent open item:** Microsoft case for `INTUNE_A PendingInput` -- does NOT block caregiver access (hybrid+GPO path replaces the Intune dependency).
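Review bot: the "GPOs DEPLOYED" bullet still describes one gated go-live that bundles the GPO filter swap with "CA allow-list test group -> `SG-Caregivers`", but the 7/1 update above splits those: caretaker sign-in is live now under the interim posture, the GPO filter swap stays gated on device readiness, and the allow-list scope change is the deferred final-lockdown step. Rewrite the bullet as two separate gates so the next status edit does not re-merge them. The "Proven working end-to-end ... NURSESTATION + pilot.test" bullet also needs a caveat now that the root-cause entry shows a `pilot.test` pass proves nothing about the live group's CA path; the proof for real caretakers is the 7/1 end-to-end login, so cite that instead.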
@@ -326,6 +334,7 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of,
- **svc-scan (scan-to-folder service account):** vault: `clients/cascades-tucson/svc-scan.sops.yaml`. AD account on CS-SERVER for the Accounting Brother's SMB scans.
- **ALIS SSO app registration:** vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`; ALIS API user: `clients/cascades-tucson/alis-api-howard-user.sops.yaml`.
- **Caregiver AD temp passwords (2026-06-30):** vault: `clients/cascades-tucson/caregiver-temp-passwords-2026-06-30.sops.yaml` (40 caregiver AD temp passwords, all forced-change-at-next-login; keys = sAMAccountName). Hybrid PHS -> these are also the M365/phone sign-in. Retrieve with `vault get` (NOT get-field -- dotted keys). Do NOT inline any values.
- **Caregiver AD temp passwords (2026-07-01, 4 new hires):** vault: `clients/cascades-tucson/caregiver-temp-passwords-2026-07-01.sops.yaml` (a.vallejo, j.munezero, n.cota, k.robinson; keys = sAMAccountName, `vault get` not get-field). Same hybrid PHS behavior as above. Do NOT inline any values.
- **UOS controller SSH (root):** vault: `infrastructure/uos-server-ssh-key` -- SSH/Mongo access for `unifi-wifi` skill and `uos-mongo.sh`. Vaulted 2026-06-15 by Mike.
- **UOS controller RW admin (Network API):** vault: `infrastructure/uos-server-network-api-rw` -- required to apply any radio/config changes. Vaulted 2026-06-15 by Mike.
- **UniFi AP device auth (Cascades):** vault: `clients/cascades-tucson/unifi-ap-ssh` -- direct AP SSH via site VPN (needed for `watch-ap.sh` live stream; L3 reach to 192.168.2.x/3.x via split-tunnel VPN). Vaulted 2026-06-15 by Mike.
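Review bot: the 2026-06-30 vault entry still advertises 40 temp passwords, but 8 of those sAMAccountNames were disabled on 7/1 and never logged in, so the file now carries live-looking credentials for dead accounts. Either prune those keys from `caregiver-temp-passwords-2026-06-30.sops.yaml` or annotate this wiki line with the disabled set so nobody hands one out for a phone setup. Same check for `t.lassey-assiakoley` if it has an entry alongside `c.lassey`.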
@@ -362,6 +371,8 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of,
- **Security group assignment is always explicit.** When creating or adding any Cascades user, always ask which security group(s). OU -> group auto-mirror was explicitly declined 2026-05-14.
- **`SG-Caregivers` = frontline caregivers ONLY** (Howard 2026-06-30). Admin-adjacent staff (e.g. Veronica Feller in OU=Care-Assisted Living, Christine Nyanzunda in OU=Care-Memorycare), `pilot.test`, and disabled accounts are EXCLUDED -- this reverses the earlier 6/4 plan to add Feller/Nyanzunda.
- **`SG-Caregivers` is an on-prem AD group synced by Entra Connect.** Cloud/Graph adds fail (HTTP 400). Do all membership writes on CS-SERVER via RMM (`Add-ADGroupMember`).
- **Entra Connect sync scope for caregiver objects is narrow -- do not OU-move a synced caregiver.** Confirmed 2026-07-01: sync scope covers ONLY `OU=Caregivers`, `OU=Groups`, `OU=Caregiver Devices`. Moving a caregiver account to any other OU (e.g. front desk / Administrative) would delete its cloud object. When a caregiver's role changes, remove them from `SG-Caregivers` in place and leave the OU alone until the destination OU enters sync scope (Zeke Huerta, front desk, 2026-07-01).
- **Caretaker roster reconciliation against a client-provided list is a standard cycle** (last run 2026-07-01): pull live `OU=Caregivers` + `SG-Caregivers` via RMM, diff 1:1 against the client's list, then per Howard's per-person decisions -- disable + remove-from-group + reclaim license for leavers, create + group + license + temp-password for new hires, and resolve any name duplicates (e.g. the Lassey dup, keep the account the client actually uses). License math and CA-policy exclusions ride on `SG-Caregivers` membership, so this reconciliation is also the license/CA source of truth.
- **New user mandatory order (folder redirection):**
1. Create AD user
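Review bot: the new reconciliation-cycle rule lists disable + remove-from-group + reclaim-license for leavers but not session revocation, which the Tamra Matthews offboarding row in this same change does include ("sessions revoked, sign-in blocked"). With hybrid PHS the AD disable only reaches Entra on the next sync cycle and the 8h sign-in frequency only bounds token lifetime, so neither is immediate; add an explicit revoke-sessions step, plus a vault-entry cleanup step for any temp password issued to the leaver, so the cycle is identical for never-logged-in and active leavers.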
@@ -433,7 +444,7 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of,
### Conditional Access / Caregiver Policies
- **Phased rollout -- never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`). The legacy "Require MFA for all users" policy stays in place. **All 40 real caregivers are now in `SG-Caregivers` + Business Premium licensed (2026-06-30).**
- **Phased rollout -- never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`). The legacy "Require MFA for all users" policy stays in place. **`SG-Caregivers` is 35 members as of 2026-07-01** (was 40 on 2026-06-30; 8 offboarded, 4 new hires, roster reconciled against the client's updated list), all Business Premium licensed.
- **Enforced caregiver CA policy set (unchanged as of 2026-06-03):**
- `CSC - Block caregivers off Cascades network` (`e35614e1-e896-4a13-9407-076963af488f`) -- BLOCK if location not Cascades
- `CSC - Block caregivers on non-compliant device` (`ede985e2-ee7e-4521-88b2-34c847c3db20`) -- **DISABLED 2026-07-01** (interim: caretakers allowed on desktops + phones, on-network only, per Howard; phones-only lockdown deferred -- see `clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md`). Do not re-enable; superseded by the allow-list at final lockdown.
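Review bot: the list header "Enforced caregiver CA policy set (unchanged as of 2026-06-03)" is now wrong two lines above a policy marked DISABLED 2026-07-01; update the date and the wording, since the set is no longer enforced in full. The `ede985e2` line says it is "superseded by the allow-list at final lockdown", but the allow-list entry further down still records `enabledForReportingButNotEnforced`; say that the supersession is future and what covers device posture until then, or cross-reference the interim-posture bullet.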
@@ -441,6 +452,8 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of,
- **Caregiver device allow-list (2026-06-03 -- report-only):** `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` -- id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; state `enabledForReportingButNotEnforced`. Device filter (mode `exclude`): `(device.displayName -startsWith "CSC-") -or (device.extensionAttribute1 -eq "CSCCaregiverDevice")`. Includes: NURSESTATION-PC (deviceId `d3bf931f`), Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, LAPTOP-8P7HDSEI, ASSISTNURSE-PC (needs re-join + re-tag after Win11 reinstall).
- **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover.
- **[FIXED 2026-07-01]** `Require MFA for all users` policy (`7e87a1c7...`) now excludes BOTH `SG-Caregivers-Pilot` and the live `SG-Caregivers` (`8b8d9222`); break-glass excludeUsers preserved. Caretakers get no MFA prompt -- protected by on-network block + 8h sign-in frequency instead. Remove the stale pilot-group exclude at pilot cleanup.
- **[ROOT CAUSE 2026-07-01] `pilot.test` login success masked two separate blockers for real caretakers.** `pilot.test` sits in `SG-Caregivers-DeviceTest`/`SG-Caregivers-Test`, which are excluded from the compliance-block policy and targeted by the allow-list -- so it never hit either problem. Live `SG-Caregivers` members hit BOTH: the MFA-exclude gap above, and the compliance-block treating every device as noncompliant (no phone or Windows device is Intune-managed). A pilot passing on a device-test group does not prove the production group will pass the same CA gauntlet -- verify against the live group's actual excludes/targets before declaring go-live, found via a full CA policy JSON pull.
- **Interim caretaker CA posture (2026-07-01, Howard, supersedes the 2026-06-24 hold):** desktops AND phones allowed, on-network only. `CSC - Block caregivers on non-compliant device` (`ede985e2`) is DISABLED and superseded -- do not re-enable it. Phones-only lockdown is deferred to end of rollout; tracking list `clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md`.
- **Pilot cleanup required when done:** Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group.
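Review bot: the interim-posture statement now lives in three places in this change (the go-live section, the policy-set list, and the "[ROOT CAUSE]" / "Interim caretaker CA posture" pair here) with slightly different wording; keep one canonical bullet and have the others point to it, otherwise the final-lockdown edit will update two of three. The lesson in the root-cause bullet (a pilot group with its own excludes does not prove the production group's CA path; pull the full policy JSON and check the live group's excludes and targets) belongs in the operating-norms section as a standing rule, not only in a dated finding. Also the pilot-cleanup bullet should name the `7e87a1c7` `SG-Caregivers-Pilot` exclude removal explicitly, since the new "[FIXED]" line above defers exactly that to cleanup.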
### EXO / Message Trace
@@ -497,9 +510,10 @@ Full design: `docs/network/phase1-voice-qos-design.md`. Status DESIGN -- nothing
- **pfSense dirty-boot / duplicate dhcpd:** After an unclean pfSense shutdown, dhcpd may start twice. Fix: `killall dhcpd && echo "services_dhcpd_configure();" | /usr/local/sbin/pfSsh.php`; verify one instance: `pgrep -f "dhcpd -user" | wc -l` == 1. Note: `pfSsh.php` is slow (~20-40s); use timeout 60s+.
- **Post-outage device stragglers:** Devices that booted during a DHCP-down window cache a disconnected state and do not retry once the network recovers. Realistic plan: reactive power-cycle as reports come in. Cox modem must be rebooted after a pfSense configuration restore.
### Known Issues / Pending Hygiene (as of 2026-06-30)
### Known Issues / Pending Hygiene (as of 2026-07-01)
- **[BUG] Stale exclude-group on MFA-all-users policy:** The `Require multifactor authentication for all users` policy (`7e87a1c7...`) excludes `SG-Caregivers-Pilot` (`0674f0bc...`) instead of the live `SG-Caregivers` (`8b8d9222...`). Fix: PATCH `excludeGroups`.
- **[FIXED 2026-07-01] Stale exclude-group on MFA-all-users policy.** The `Require multifactor authentication for all users` policy (`7e87a1c7...`) excluded only `SG-Caregivers-Pilot` (`0674f0bc...`); PATCHed to also exclude the live `SG-Caregivers` (`8b8d9222...`). The stale pilot-group exclude was left in place -- remove it at pilot cleanup.
- **[PENDING] Zeke Huerta MFA (Authenticator) registration.** Moved off `SG-Caregivers` to front desk 2026-07-01; now under the tenant-wide MFA policy with no registered method.
- **[DESIGN] ALIS-native 2FA is not a perimeter control.** Force all ALIS logins through Entra SSO (SSO-only, credential fallback disabled); disable ALIS-native 2FA per-user then globally.
- **[INFO] Android enrollment token expiry (2027-05-08) does NOT unenroll devices.** Renewal needed only before enrolling new devices after that date.
- **[WARN] ~25 switch ports at 100 Mbps but gig-capable.** Investigate after WiFi optimization is stable.
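Review bot: the "[FIXED 2026-07-01] Stale exclude-group" line is a closed item sitting in Known Issues / Pending Hygiene; what is still pending is removing the `SG-Caregivers-Pilot` exclude from `7e87a1c7`, so make that the entry (tagged PENDING) and let the timeline carry the fix. More importantly, the list is missing the gap this same commit introduces: `ede985e2` disabled plus the allow-list `1b7fd025` still report-only means no device check at all for live caretakers until final lockdown. That deserves its own [WARN] or accepted-risk line with an owner and target date, next to the Huerta MFA-registration item.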
@@ -536,7 +550,7 @@ Full design: `docs/network/phase1-voice-qos-design.md`. Status DESIGN -- nothing
Syncro live pull 2026-07-01: **0 open Syncro tickets; 37.5 prepaid hours; 29 managed devices.** See session logs for active project work (domain migration, EDR rollout, caregiver phone SSO, VLAN 20 printer migration).
- **[IN PROGRESS 2026-06-30] Caregiver phone SSO -- ALIS email-match (Howard handling).** Entra/identity side DONE (all 40 caregivers in `SG-Caregivers`, Business Premium licensed, forced-change AD temp passwords vaulted `clients/cascades-tucson/caregiver-temp-passwords-2026-06-30.sops.yaml`). Remaining: set each caregiver's ALIS staff `Email` = Entra UPN (23 confirmed just need Email=UPN; 5 blank-role confirm+match; 5 Med Techs revisit; **7 need an ALIS record created; 3 ALIS-only caregivers need AD accounts** -- Judith Palmer, Joey Ty, Alejandra Vallejo). Blanket-disable ALIS-native 2FA for the bucket as matched. Zeke Huerta stays `e.huerta@`. Also decide reactivate-vs-recreate for the 7 Discharged ALIS records (from the 6/29 crosscheck). Build path: `alis` skill `build-import` -> upload .xls in ALIS UI.
- **[IN PROGRESS 2026-07-01] Caregiver phone SSO -- ALIS email-match (Howard handling), roster now 35.** Entra/identity side DONE for the current roster (`SG-Caregivers` 35 members after the 7/1 reconciliation -- 8 offboarded, 4 new hires -- Business Premium licensed, forced-change AD temp passwords vaulted `clients/cascades-tucson/caregiver-temp-passwords-2026-06-30.sops.yaml` + `caregiver-temp-passwords-2026-07-01.sops.yaml`). Remaining: set each caregiver's ALIS staff `Email` = Entra UPN (carryover from 6/30: 23 confirmed just need Email=UPN; 5 blank-role confirm+match; 5 Med Techs revisit; 7 discharged-record reactivate-vs-recreate decisions); **new from 7/1: build ALIS staff records for Munezero, Cota, Robinson (need job roles -- Certified vs Resident Caregiver / Med Tech) and set Vallejo's ALIS Email = a.vallejo@cascadestucson.com** (she already has an ALIS record, just needed the AD account, created 7/1). Blanket-disable ALIS-native 2FA for the bucket as matched. Zeke Huerta moved to front desk 7/1 (removed from `SG-Caregivers`, needs Authenticator MFA registration, ALIS role change TBD); Kariuki ALIS dup (429856/429858) needs dedupe if she returns. Build path: `alis` skill `build-import` -> upload .xls in ALIS UI.
- **[IN PROGRESS, machines ~done / printers lagging as of 2026-07-01] VLAN 20 (CSCNET) staff + printer migration.** Live reconcile 2026-07-01: **22 machines online on VLAN 20**, only CS-SERVER (by design) + ~6 stragglers left on the old LAN. Printer shares only **4/15** repointed (FrontDesk .221, BusinessOffice .220, LifeEnrichment .94, MCReception .78); MCMedTech still stale at 192.168.2.53 though its target 10.0.20.74 is live+reachable (safe repoint held pending the GPO decision). pfSense CS-SERVER->VLAN20 policy-route bypass rule holding. **Next (priority order):** decide reboot-test vs pre-stage-drivers for the Point-and-Print GPO (currently pilot-scoped to DESKTOP-H6QHRR7 only) and take it fleet-wide; repoint MCMedTech + the 4 remaining stale caregiver-GPO shares (NursesPrinter, HealthServices, MCDirector, CopyRoom); repoint `CSC - Life Enrichment Printers` GPO to `\\CS-SERVER\LifeEnrichment`; reboot the MemCare RECEPTIONIST-PC box to apply the MEMCARE-STATION rename (still not applied); domain-join the workgroup boxes (DESKTOP-MD6UQI3, CHEF-PC, MEMCARE-STATION, MEMRECEPT-PC, DESKTOP-LPOPV30) then swap direct-IP printers to server shares. Map: `docs/printer-gpo-map.md`.
- **[SECURITY -- needs Global Admin] Remove the standing Privileged Authentication Administrator role from the `ComputerGuru - Tenant Admin` SP** (left over from Alma's offboarding password reset). Entra -> Roles & admins -> Privileged Authentication Administrator -> remove the SP; leave its Conditional Access Administrator role. Pending Mike's decision. See Access section.
- **[FOLLOW-UP 2026-06-30] Megan Hiatt breach re-check.** Her account carried a `CREDENTIAL_STUFFING_ACTIVE` marker in the April tenant inventory; verify the April remediation held (`/remediation-tool check megan.hiatt@`).
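Review bot: the carryover list in the 7/1 in-progress bullet still counts "7 discharged-record reactivate-vs-recreate decisions", but six of the seven Discharged ALIS records (Flores, Mendoza, Tate, Williford, Kariuki, Baker) belong to people disabled as leavers on 7/1, so that decision is moot for them; only Niel Castro (`n.castro`, already disabled) remains open. Restate the carryover as ALIS-side cleanup of those records rather than a pending decision. The bullet is also one very long sentence; splitting it into carryover / new-from-7/1 / Huerta sub-bullets would match the format used elsewhere in this section.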
@@ -662,6 +676,7 @@ Syncro live pull 2026-07-01: **0 open Syncro tickets; 37.5 prepaid hours; 29 man
| 2026-06-30 | **Tamra Matthews OFFBOARDED (Move-In Coordinator; left June 2026).** Cloud-only M365 object: sessions revoked, sign-in blocked, password vaulted, mailbox -> SharedMailbox (Crystal/Megan/Meredith/Ashley FullAccess+AutoMap), O365 Standard seat freed, hidden from GAL, 3 groups stripped. On-prem AD disabled + moved to `OU=Excluded-From-Sync`. No litigation hold despite PHI-adjacent role (Howard authorized). AutoMapping rollback on rapid grants root-caused (spaced one-at-a-time fix). Follow-up: Megan Hiatt breach re-check. |
| 2026-06-30 | **VLAN 20 (CSCNET) printer migration.** Migrated Front Desk Epson ET-5800 (.221) + Life Enrichment Canon MF741 (.94) onto VLAN 20 server shares, then dining/chef/medtech/MC-reception. Root-caused a hard blocker: CS-SERVER couldn't reach VLAN 20 printers because the LAN "allow LAN to any" rule policy-routed internal traffic out the WAN (WAN_Group gateway) -- fixed with a top LAN pass rule (gw=default, src CS-SERVER). Established the Point-and-Print policy fix for standard-user driver installs and the Canon UFR-II-only driver requirement (PCL6 -> Error #822). Staged RECEPTIONIST-PC (MemCare box) rename to MEMCARE-STATION. GPO planning doc `docs/printer-gpo-map.md` created. |
| 2026-07-01 | **VLAN 20 migration live-reconciled -- much further along than docs showed.** Full GuruRMM fleet pull found **22 machines already on VLAN 20** (only CS-SERVER by design + ~6 stragglers remain on the old LAN), but printer shares lag at **4/15** repointed (MCMedTech still stale 192.168.2.53 despite its live target 10.0.20.74). Rewrote `docs/printer-gpo-map.md` to the live state and updated the `project_cascades_vlan20_migration_routing` memory. No production changes made (read-only reconcile); MCMedTech repoint offered and held pending Howard's GPO go-live decision. Also fixed Howard-Home Tailscale (`UnattendedMode=always`) after it dropped RMM/coord reachability. |
| 2026-07-01 | **Caretaker roster update + caregiver phone-login CA cutover.** Reconciled the client's updated caretaker list 1:1 against live AD: disabled 8 (7 leavers + the Lassey duplicate, client confirmed Tele Sepopo Lassey Assiakoley = Celia Lassey) with SG-removal + license reclaim, created 4 new hires (Vallejo, Munezero, Cota, Robinson) with temp passwords vaulted, removed Zeke Huerta from `SG-Caregivers` (front desk, OU move deferred -- Entra Connect sync scope is OU=Caregivers/Groups/Caregiver Devices only), and reaffirmed Nyanzunda stays out (frontline-only rule). `SG-Caregivers` now 35; SPB 45 enabled / 41 consumed. Verified phone/desktop login end-to-end and found + fixed two CA blockers `pilot.test` had masked: the known MFA-exclude bug (added live `SG-Caregivers` to the exclude, fixing the wiki-tracked bug) and the compliance-block policy (`ede985e2`) blocking every device as Intune-noncompliant -- disabled, superseded by the allow-list at final lockdown. Interim posture (Howard's go, overrides the 6/24 hold): caretakers on desktops + phones, on-network only; phones-only lockdown deferred to end of rollout with a tracking list (`docs/cloud/caretaker-phones-only-list.md`). |
---

View File

@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| Article | Summary | Last Compiled |
|---|---|---|
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **37.5 hrs remaining** (live 2026-07-01); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610 -- RAID **live-verified HEALTHY 2026-06-24** (the 6/15 "degraded" self-recovered; both mirrors Ok, 1:0:4 = global hot spare; consumer 320GB drives + lost-PSU-redundancy are planned follow-ups, NOT an emergency); cloud backup verified running; **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 0 open tickets (live EOD 2026-06-25), device-readiness audit done (5 PCs on Win Home need Home->Pro before join); **Alma Montt offboarded 2026-06-25** (Tenant Admin SP left holding a standing PAA role -- removal pending Mike); **CARF Technology & System Plan** deliverable in progress for Ashley Jensen; **endpoint security migration started 2026-06-25** (Datto EDR/AV replacing Bitdefender; 34 agents enrolled); **CS-SERVER: all Datto software removed 2026-06-26**, and the CS-SERVER "SMB error 67" proved to be an RMM-test artifact -- server is healthy, Karen share access verified interactively; **caregiver phone SSO 2026-06-30: all 40 frontline caregivers licensed (Business Premium) + in SG-Caregivers + forced-change AD temp passwords -- Entra side DONE, ALIS Email=UPN match pending**; **CSC ENT->VLAN 20 migration (live 2026-07-01): 22 machines on VLAN 20 (only CS-SERVER + ~6 stragglers left on old LAN); printer shares lag at 4/15 repointed; P&P GPO still pilot-scoped**; remaining-work plan: 
docs/REMAINING-WORK-PLAN.md | 2026-07-01 |
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **37.5 hrs remaining** (live 2026-07-01); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610 -- RAID **live-verified HEALTHY 2026-06-24** (the 6/15 "degraded" self-recovered; both mirrors Ok, 1:0:4 = global hot spare; consumer 320GB drives + lost-PSU-redundancy are planned follow-ups, NOT an emergency); cloud backup verified running; **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 0 open tickets (live EOD 2026-06-25), device-readiness audit done (5 PCs on Win Home need Home->Pro before join); **Alma Montt offboarded 2026-06-25** (Tenant Admin SP left holding a standing PAA role -- removal pending Mike); **CARF Technology & System Plan** deliverable in progress for Ashley Jensen; **endpoint security migration started 2026-06-25** (Datto EDR/AV replacing Bitdefender; 34 agents enrolled); **CS-SERVER: all Datto software removed 2026-06-26**, and the CS-SERVER "SMB error 67" proved to be an RMM-test artifact -- server is healthy, Karen share access verified interactively; **caregiver phone login LIVE 2026-07-01: roster reconciled to 35 (8 offboarded incl. 
Lassey dup, 4 new hires), two CA blockers fixed (MFA-exclude bug + compliance-block disabled), interim posture = desktops+phones on-network only; ALIS Email=UPN match + 3 new-hire ALIS records pending**; **CSC ENT->VLAN 20 migration (live 2026-07-01): 22 machines on VLAN 20 (only CS-SERVER + ~6 stragglers left on old LAN); printer shares lag at 4/15 repointed; P&P GPO still pilot-scoped**; remaining-work plan: docs/REMAINING-WORK-PLAN.md | 2026-07-01 |
| [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, **31.5 hrs remaining** (live 2026-06-23); signal-conditioning manufacturer; 64 DOS test stations; 2025 ransomware recovery + incomplete file restore (migration-gap audit); 2026-03 phishing + MFA rollout; test-datasheet pipeline (DSCA cert publish via Hoffman API + testdatadb UI on AD2); mail stack INKY->Mailprotector CloudFilter->EXO; FreePBX 17 outage fixed 2026-06-08/09 (qualify_frequency=0; no RTP-forward); shares-ACL project (all open to staff; Phase 2 target-state strawman drafted 2026-06-22); Syncro asset reconciliation 2026-06-02; GuruRMM fleet ~45; Bitdefender phase-off | 2026-06-23 |
| [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 |
| [Jimmy Company](clients/jimmy.md) | Break-fix, $150/hr; single aging workstation BLASTER2 (Win10 22H2 EOL, i5-3470/3.8GB — replace); backups the recurring theme (QuickBooks data); onboarded to GuruRMM 2026-06-19 (RDP NLA + Kaseya removal + cleanup); MSP360 local backup drive full, 90-day retention set, space reclaim pending in console (cloud B2 healthy) | 2026-06-19 |
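Review bot: the caregiver counts in the replaced Cascades row do not reconcile. The old row (L114) states all 40 frontline caregivers were in SG-Caregivers; the new row (L116-L117) reports 8 offboarded and 4 new hires landing at 35, but 40 - 8 + 4 = 36. If the "Lassey dup" was a duplicate account that did not count toward the original 40, say so in the row (e.g. "8 offboarded incl. 1 Lassey dup, 4 new hires; net 35") so the next live reconcile starts from a verifiable number. Second, "compliance-block disabled" is a security relaxation rather than a plain blocker fix: with the device-compliance control off, the interim posture relies on the on-network condition alone for phone sign-in, so the row should name who owns restoring compliance enforcement and by when, not leave it implied by "interim posture". Minor: "4 new hires" beside "3 new-hire ALIS records pending" reads as a gap unless one record already existed; one clause on that saves the question at the next update.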