diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index 0f93ddfc..569bbedd 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md @@ -2,7 +2,7 @@ type: client name: cascades-tucson display_name: Cascades of Tucson -last_compiled: 2026-06-30 +last_compiled: 2026-07-01 compiled_by: Howard-Home/claude-main sources: - session-logs/2026-03-24-session.md @@ -103,6 +103,11 @@ sources: - clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-caregiver-phone-sso-license-onboarding.md - clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-tamra-matthews-offboarding.md - clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md + - clients/cascades-tucson/session-logs/2026-06/2026-06-24-howard-ticket-review-and-cascades-consolidation.md + - clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-alis-sso-login-model-recall.md + - clients/cascades-tucson/session-logs/2026-07/2026-07-01-howard-vlan20-migration-live-reconcile.md + - clients/cascades-tucson/docs/printer-gpo-map.md + - .claude/memory/project_cascades_vlan20_migration_routing.md backlinks: - projects/gururmm - wiki/systems/uos-server @@ -110,7 +115,7 @@ backlinks: # Cascades of Tucson -Senior living / assisted living facility in Tucson, AZ. Single 6-floor building plus a MemCare (Memory Care) wing on floors 5-6. ACG took over from a previous MSP. Primary compliance driver is HIPAA. Active multi-phase migration project ongoing as of 2026-06-30. +Senior living / assisted living facility in Tucson, AZ. Single 6-floor building plus a MemCare (Memory Care) wing on floors 5-6. ACG took over from a previous MSP. Primary compliance driver is HIPAA. Active multi-phase migration project ongoing as of 2026-07-01 -- the network/VLAN 20 staff-machine move is largely complete (22 machines migrated, ~6 stragglers left), with printer re-IP/GPO work now the lagging piece. --- 
@@ -178,10 +183,10 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - Tamra Matthews -- Move-In Coordinator (Marketing/Sales), SALES4-PC. **OFFBOARDED 2026-06-30** (left June 2026 -- see Access section). - **Syncro contact emails (authoritative):** ashley.jensen@, jd.martin@, crystal.rodriguez@, John.trozzi@, meredith.kuhn@, accounting@/accountingassistant@cascadestucson.com. - **Billing rate:** $175/hr all labor (prepaid block customer) -- **Hours remaining:** **37.5 hrs as of 2026-06-30 (live Syncro).** Prior: 46.75 hrs as of 2026-06-26; 47.75 hrs as of 2026-06-25; 48.25 hrs as of 2026-06-24. Always live-check via `GET /customers/20149445` before billing. +- **Hours remaining:** **37.5 hrs as of 2026-07-01 (live Syncro, unchanged from 2026-06-30).** Prior: 46.75 hrs as of 2026-06-26; 47.75 hrs as of 2026-06-25; 48.25 hrs as of 2026-06-24. Always live-check via `GET /customers/20149445` before billing. - **Syncro customer ID:** 20149445 -- **Managed devices (Syncro assets):** 29 (live 2026-06-30) -- **Active tickets:** **0 open Syncro tickets as of 2026-06-30 (live Syncro).** See Active Work and session logs for ongoing project work (domain migration, EDR rollout, caregiver phone SSO, VLAN 20 printer migration). +- **Managed devices (Syncro assets):** 29 (live 2026-07-01) +- **Active tickets:** **0 open Syncro tickets as of 2026-07-01 (live Syncro).** See Active Work and session logs for ongoing project work (domain migration, EDR rollout, caregiver phone SSO, VLAN 20 printer migration). - #110680053 / #32303 -- Entra / domain migration project. Status: **Invoiced** as of 2026-06-05. Plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md` - #109412123 -- Entra setup project (verify status) - #32403 -- Meredith locked Word doc (0.5h remote, billed 2026-06-10, Invoiced) 
@@ -242,6 +247,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - **ALIS (clinical SaaS):** https://cascadestucson.alisonline.com -- Entra SSO live and working. communityId 622. Install key: `d796539d-356b-4190-9c17-35f0f1129376`. Vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` (API user cred: `clients/cascades-tucson/alis-api-howard-user.sops.yaml` -- username must be tenant-qualified `howard.enos@cascadestucson`). ALIS application ID `d5108493-cba8-4f08-90b6-1bb0bc09eb2a`, client secret expires 2028-05-06 (rotation reminder -- expiry breaks ALIS SSO tenant-wide). Per-caregiver: ALIS staff-record Email must match Entra UPN exactly. Staff endpoints are **read-only via API -- writes are done by uploading a `build-import` .xls in the ALIS UI.** BAA with Medtelligent not yet verified. - **Admin consent (2026-06-03):** Tenant-wide admin consent (`AllPrincipals` `User.Read`) granted on ALIS Entra service principal (`e1cae4ad-5beb-44ca-82d4-434c9bd835ad`). This resolved `AADSTS65001` sign-in failures. - **How to enable ALIS SSO for one user:** (1) Tenant-wide admin consent already done globally. (2) In ALIS admin -> Staff -> user's record, set **Email = exact Entra UPN**. (3) User signs in via "Sign in with Microsoft." (4) Turn off ALIS-native 2FA (Entra is the second factor; native 2FA conflicts and locked out Karen Rossini). + - **Login model confirmed (2026-06-30):** no local ALIS password is required for SSO users -- authentication is fully delegated to Microsoft/Entra. When building an ALIS staff-import (`alis` skill `build-import`), set **Login Enabled = Yes** with **Email = the user's UPN** and **leave Password blank**. The import builder auto-defaults Login Enabled to No when no password is present, so SSO rows must set Login Enabled = Yes explicitly or the account won't be able to sign in at all. 
- **Diagnostic signature:** a user with zero ALIS-app sign-in events in Entra sign-in logs is still on the old direct-login path -- fix is the ALIS Email match, not anything in Entra. - **Caregiver phones:** 22 Samsung Galaxy A15s enrolled in Intune Shared Device Mode (SDM). Enrollment profile: `CSC - Android Shared Phones (Entra SDM)` (`9a0fcc6d`); 25 devices enrolled per 2026-06-03 Intune pull. Dynamic group: `Cascades - Shared Phones` (`ea96f4b7`). Android enrollment token expires 2027-05-08 -- expiry does NOT unenroll existing devices. **Caregiver identities now licensed + grouped + temp-passworded for phone SSO (2026-06-30) -- see Entra Access Architecture.** - **Audit retention:** Approved 2026-04-29. Azure Log Analytics (90d) + Storage Account (6yr) in ACG subscription `e507e953-2ce9-4887-ba96-9b654f7d3267`, RG `rg-audit-cascadestucson`. **Not yet built.** 
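Review bot: the added `Login model confirmed (2026-06-30)` bullet in the `@@ -242,6 +247,7 @@` hunk documents the lockout condition (Login Enabled silently defaulting to No when Password is blank) but not how to confirm a row took effect after the import. Suggest closing the bullet with the check the hunk's own context already gives two lines later: an ALIS-app sign-in event in the Entra sign-in logs means the SSO row works, zero events means the Email/UPN match or the Login Enabled flag is wrong. Since `build-import` is the tool that applies the unsafe default, a validation in the builder that warns on rows with Email set, Password blank and Login Enabled = No would stop the exact failure this note describes rather than relying on the operator to remember to override it. It would also help to say explicitly that the native-2FA disable in step (4) still applies to password-less SSO rows, since the bullet otherwise reads as a self-contained recipe.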
@@ -254,7 +260,8 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - **ISP / WAN:** Dual-WAN Cox. WAN1 igc0 `184.191.143.62/30` (Cox Fiber, primary, gateway `184.191.143.61`) + WAN2 igc3 `72.211.21.217/27` (Cox Coax, secondary, static); `WAN_Group` gateway group; both active full-duplex, no loss events (verified 2026-06-16). Both WAN IPs added as Cascades Named Location in Entra (ID: `061c6b06-b980-40de-bff9-6a50a4071f6f`). **Measured bandwidth (2026-06-18):** WAN1 fiber **upload ~522 Mbps**; RRD 3-day peaks ~680 Mbps down / 98 Mbps up (actual usage). WAN2 coax upload **unmeasured** (remote source-route test failed -- needs a WAN2-routed host or the Cox bill). 30 calls ~= 3 Mbps vs ~522 Mbps fiber headroom -> **the WAN is NOT the everyday voice bottleneck** (RF is); voice QoS is insurance for WAN2 failover + rare WAN1 saturation. - **Firewall:** pfSense Plus **25.07-RELEASE** (Netgate) at `192.168.0.1`, cert CN=pfSense-685f277aa6886. Admin vault: `clients/cascades-tucson/pfsense-firewall`. SSH shell access works onsite (no interactive menu) but **tcp/22 is blocked from the OpenVPN subnet -- use the GUI (443) remotely** (the unifi-wifi `pfsense-ssh.sh` skill silently returns empty over VPN). OpenVPN user Howard: vault `clients/cascades-tucson/pfsense-openvpn-howard` (split-tunnel; `route 192.168.0.0/22`; use OpenVPN GUI or OpenVPN Connect with DCO disabled for stability). **Logs are PLAIN TEXT on 25.07 -- read with tail/grep, NOT clog.** pfSense has an **OpenVPN `--inactive` idle timeout (~300s)** on the server; it disconnects clients after ~5 min of no tunnel data (keepalive pings do NOT reset this counter). Fix proposed 2026-06-18; not applied. **[ROUTING GOTCHA 2026-06-30] The LAN "Default allow LAN to any" rule has Gateway = WAN_Group (dual-WAN policy routing), which shoves LAN->internal-VLAN traffic (e.g. CS-SERVER -> VLAN 20 printers) OUT THE WAN.** This is NOT a firewall block. 
Fixed with a top LAN pass rule: source CS-SERVER `192.168.2.248`, dest `10.0.20.0/24`, Gateway = default -- restores full server access to VLAN 20 (printers etc.) without matching resident/guest ingress. **[OUTAGE 2026-06-17] pfSense was on UPS surge-only side -- moved to battery-backed outlets by Mike. On-box auto-backup restored; config vaulted. Enable Netgate AutoConfigBackup to prevent future off-box gap.** - **[INFO] pfSense health check (2026-06-16):** gateway ruled out as WiFi factor -- DHCP not exhausted, unbound DNS up, both WANs full-duplex/stable, firewall states 28-31k/790k, load 0.6. -- **LAN / VLAN layout:** Primary staff/AP network `192.168.0.0/22` (pfSense .0.1, cascadesDS .0.120, UniFi APs + most WiFi clients on 192.168.2.x/3.x). DHCP pool 192.168.2.2-192.168.3.254 (~507 cap, ~270 active ~53%). Per-unit /28 VLANs: **199 DHCP subnets** total, mostly `10.x.y.0/28` per apartment (assisted-living L2 isolation) + **Staff/Internal VLAN 20** ("CSCNET", `10.0.20.0/24`, gw `10.0.20.1` -- the target VLAN staff machines + printers are being migrated onto, off the flat old LAN "CSC ENT" 192.168.0.0/22) + Guest VLAN 50 (`10.0.50.0/24`, RFC1918 blocked) + **Voice VLAN 30** (`10.0.30.0/24`, gw `10.0.30.1`). DHCP backend: ISC (Kea config present, dormant). Unbound DNS. +- **LAN / VLAN layout:** Primary staff/AP network `192.168.0.0/22` (pfSense .0.1, cascadesDS .0.120, UniFi APs + most WiFi clients on 192.168.2.x/3.x). DHCP pool 192.168.2.2-192.168.3.254 (~507 cap, ~270 active ~53%). Per-unit /28 VLANs: **199 DHCP subnets** total, mostly `10.x.y.0/28` per apartment (assisted-living L2 isolation) + **Staff/Internal VLAN 20** ("CSCNET", `10.0.20.0/24`, gw `10.0.20.1` -- the target VLAN staff machines + printers are being migrated onto, off the flat old LAN "CSC ENT" 192.168.0.0/22) + Guest VLAN 50 (`10.0.50.0/24`, RFC1918 blocked) + **Voice VLAN 30** (`10.0.30.0/24`, gw `10.0.30.1`). DHCP backend: ISC (Kea config present, dormant). Unbound DNS. 
**Note: VLAN 20 is NOT an isolated VLAN template** -- its only user rule is `opt238net -> lan`; other traffic rides a floating `pass inet all` catch-all (the Guest VLAN 50 four-rule block pattern is the isolation template, not VLAN 20). + - **[STATUS 2026-07-01] CSC ENT -> VLAN 20 migration -- machines essentially done, printers lagging.** Live GuruRMM reconcile: **22 online hosts now on VLAN 20** (10.0.20.x); only CS-SERVER (stays by design) + ~6 stragglers (ASSISTMAN-PC, CascadesProxess, Laptop2, NurseAssist, 2 roaming laptops) remain on 192.168.x. Printer shares lag well behind: only **4 of 15** CS-SERVER print shares are repointed to 10.0.20.x. Full detail in Patterns & Known Issues (Printers / VLAN 20 Migration) and `docs/printer-gpo-map.md`. - **Switching:** Full UniFi. **77 U7-Pro APs** + **12 managed switches** (1st Floor USW-48 PoE core; floors 2-4 USW-Pro-24-PoE; MemCare USW-Pro-24-PoE; USW Lite 8 PoE; USW-16-PoE VoIP switch). **[WARN] ~25 switch ports linked at 100 Mbps but gig-capable** (systematic cabling/NIC issue, 1st/2nd/3rd-floor switches; investigate after WiFi Phase A). 3 offline switches: Switch 2nd Floor #2, Switch 4th Floor #2, USW Pro Max 16. PoE budgets healthy. Port p38 (1st Floor USW) 4.0% tx-drop rate. All managed on the shared UOS controller (172.16.3.29, HTTPS 11443; see [[uos-server]]); Cascades site short name `va6iba3v`, site_id `685f39068e65331c46ef6dd2`. **Mesh topology:** 2nd Floor Atrium is wireless-mesh parent for CC Bridge + salon (5 GHz backhaul ch36); 206 U7 Pro carries AP 108. Note: Switch 2nd Floor #2 (USL24PB, 192.168.2.193) was reset+re-adopted after the 2026-06-17 power outage. - **WiFi SSIDs:** - **CSCNet -- shared PPSK SSID.** `private_preshared_keys_enabled`; ~230-242 per-key->network mappings (most keys -> per-room resident VLANs 101-631; a few -> Default; one phone key -> Internal/VLAN 20; one voice PPSK -> VOICE/VLAN 30). ~1,190 historical clients (residents' IoT/TVs, staff, phones). 
**Do NOT repoint the SSID to move a subset of clients** -- move at the PPSK level. wlanconf `685f39078e65331c46ef7ee5`; cred vault `clients/cascades-tucson/wifi-cscnet.sops.yaml`. 
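Review bot: in the `@@ -254,7 +260,8 @@` hunk the `- **LAN / VLAN layout:**` line is removed and re-added with no visible difference, so that pair looks like a whitespace-only change; drop it so the hunk carries only the `[STATUS 2026-07-01]` addition. The new status bullet is also indented one level deeper (`+ - **[STATUS`) than the sibling bullets it sits among. More substantively, it lands directly after the note that VLAN 20 is NOT an isolated VLAN template (only `opt238net -> lan` as a user rule, everything else on the floating `pass inet all` catch-all) but does not reference it; with 22 staff machines and the printer targets now on that VLAN, a one-line pointer from the status bullet to that caveat, and to the Guest VLAN 50 four-rule block as the isolation pattern to apply, keeps the migration progress and the open segmentation gap visible together instead of in adjacent unlinked lines.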
@@ -393,6 +400,13 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of, - **Static VLAN 20 printer IPs (2026-06-30):** Front Desk Epson ET-5800 = `10.0.20.221` (share `\\CS-SERVER\FrontDesk`); Life Enrichment Canon MF741CDW = `10.0.20.94` (share `\\CS-SERVER\LifeEnrichment`, **UFR II**; sharon.edwards + susan.hicks, default stays Copy Room); Business Office Brother L8900CDW = `10.0.20.220`; Dining Room Canon MF743CDW = `10.0.20.228` (DESKTOP-MD6UQI3, direct-IP UFR II); Chef Office Brother MFC-9330CDW = `10.0.20.236` (CHEF-PC, direct-IP; JD Martin's default stays USB Chef Printer); MedTech Brother MFC-L8900CDW = `10.0.20.74` (memcare box + DESKTOP-LPOPV30/Karen); MC Reception Epson ET-5800 = `10.0.20.78` (MEMREct-PC, not yet set up). Running map: `docs/printer-gpo-map.md`. - **[PLANNED] Printer GPO:** put the Point-and-Print policy in a fleet-wide computer GPO; repoint `CSC - Life Enrichment Printers` GPO to `\\CS-SERVER\LifeEnrichment` (old ref `1F-132-RecRoom-Canon`); build per-room printer-deployment items as machines domain-join. `CSC - Printer Deployment` is the known disabled/empty/reference-only GPO. Howard floated packaging the migration how-to (VLAN routing/pfSense bypass, server-share repoint, Point-and-Print, UFR II, [char]92 UNC) into a reusable Cascades printer skill. +**[LIVE RECONCILE 2026-07-01] Migration is further along than the 6/30 docs captured -- full GuruRMM fleet + CS-SERVER printer-state pull:** +- **Machines: essentially migrated.** 22 online hosts confirmed on VLAN 20 (10.0.20.x): ACCT2-PC, ANN-PC, ASSISTNURSE-PC, CHEF-PC (workgroup), CRYSTAL-PC, DESKTOP-DLTAGOI, DESKTOP-H6QHRR7 (P&P pilot), DESKTOP-LPOPV30, DESKTOP-MD6UQI3 (workgroup), DESKTOP-N5G1ROO, DESKTOP-ROK7VNM, DESKTOP-TRCIEJA, Health-Services-Director, LAPTOP-DRQ5L558, MAINTENANCE-PC, MDIRECTOR-PC, MEMRECEPT-PC (workgroup), NURSESTATION-PC, RECEPTIONIST-PC frontdesk (.102, S/N MJ0KQHNP), RECEPTIONIST-PC memcare (.68, S/N MJ0KQH4R), SALES4-PC, megan. 
Only CS-SERVER (by design) + ~6 stragglers remain on 192.168.x: ASSISTMAN-PC (.2.38), CascadesProxess (.2.178), Laptop2 (.2.118), NurseAssist (.3.254), LAPTOP-8P7HDSEI (.3.101, roaming), LAPTOP-E0STJJE8 (.3.9, roaming). Offline/last-known: DESKTOP-F94M8UT (10.0.20.171), DESKTOP-U2DHAP0 (192.168.3.37, seen 2026-07-01), DESKTOP-KQSL232 (decommissioned), Laptop4 (no DNS record). +- **Printer shares: still only 4/15 on VLAN 20** -- FrontDesk (.221), BusinessOffice (.220), LifeEnrichment (.94), MCReception (.78) are done; the other 11 (NursesPrinter, HealthServices, MCDirector, CopyRoom, Kitchen, CulinaryChef, Accounting, AdminOffice, ExecDirector, SalesMarketing, and **MCMedTech**) still point at old-LAN IPs. **MCMedTech is stale at 192.168.2.53** even though its VLAN20 target `10.0.20.74` is live and TCP/9100-reachable -- a safe repoint offered to Howard and held pending the GPO decision (batching it with go-live rather than one-off). All 7 VLAN20 printer targets (incl. the 3 direct-IP printers) answer TCP/9100 from CS-SERVER; gateway 10.0.20.1 pings. +- **GPO still not fleet-live.** `CSC - Point and Print (CS-SERVER)` remains pilot-scoped to DESKTOP-H6QHRR7 only; the silent-new-driver-install gap (reboot-test vs pre-stage-drivers) is still the blocker to broadening it. +- **MEMCARE-STATION rename still NOT applied.** Staged 2026-06-30 on the MemCare RECEPTIONIST-PC box (S/N MJ0KQH4R); live 2026-07-01 it still reports hostname `RECEPTIONIST-PC` -- needs the reboot. +- Both the running map `docs/printer-gpo-map.md` and the `project_cascades_vlan20_migration_routing` memory were rewritten/updated to this live state 2026-07-01. No production changes were made during the reconcile (read-only). + ### Synology NAS (cascadesDS) / Shared File Access - **Device specs (confirmed live 2026-06-25 via `synology` skill):** **DS718+**, **DSM 7.2.1-69057 Update 11**, **6 GB RAM**, serial 1920PEN537202. Filesystem **ext4** (NOT Btrfs); 2x WD10EZEX 1 TB (volume1). 
10 shares (homes, Public, SalesDept, Server, Management + hidden `pacs`, `Activities`, `chat`, `Sandra Fish`, `web`). 30 packages running incl. **Active Backup for Business 3.1.0**, **Synology Drive Server 3.5.0**, Chat, VPN Server, Hybrid Share. Reachable only with the Cascades site VPN up. 
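Review bot: hostname spellings conflict inside the `@@ -393,6 +400,13 @@` hunk: the unchanged context line still calls the MC Reception box `MEMREct-PC`, the added machine list says `MEMRECEPT-PC (workgroup)`, and two hosts appear as `RECEPTIONIST-PC` (frontdesk .102 S/N MJ0KQHNP and memcare .68 S/N MJ0KQH4R) with the memcare one awaiting its rename to MEMCARE-STATION. Normalise to one spelling in this commit and call out the duplicate hostname explicitly, since targeting by name in shares, GPO items or RMM is ambiguous until the reboot applies the rename. The share counts check (4 done + 11 stale = 15), but the MCMedTech entry deserves one more sentence: the share still sends jobs to `192.168.2.53` on the old LAN while `10.0.20.74` is live and TCP/9100-reachable, so state which machines print through that share and what the expected symptom is once their old-LAN path goes away. Also expand `P&P pilot` on first use; the rest of the page spells out Point-and-Print.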
@@ -520,10 +534,10 @@ Full design: `docs/network/phase1-voice-qos-design.md`. Status DESIGN -- nothing > **Canonical remaining-work plan: `docs/REMAINING-WORK-PLAN.md`** (built 2026-06-24 from a live > AD+RMM domain-join diff). 7 sequenced workstreams + every open ticket mapped to one. Work from it. -Syncro live pull 2026-06-30: **0 open Syncro tickets; 37.5 prepaid hours; 29 managed devices.** See session logs for active project work (domain migration, EDR rollout, caregiver phone SSO, VLAN 20 printer migration). +Syncro live pull 2026-07-01: **0 open Syncro tickets; 37.5 prepaid hours; 29 managed devices.** See session logs for active project work (domain migration, EDR rollout, caregiver phone SSO, VLAN 20 printer migration). - **[IN PROGRESS 2026-06-30] Caregiver phone SSO -- ALIS email-match (Howard handling).** Entra/identity side DONE (all 40 caregivers in `SG-Caregivers`, Business Premium licensed, forced-change AD temp passwords vaulted `clients/cascades-tucson/caregiver-temp-passwords-2026-06-30.sops.yaml`). Remaining: set each caregiver's ALIS staff `Email` = Entra UPN (23 confirmed just need Email=UPN; 5 blank-role confirm+match; 5 Med Techs revisit; **7 need an ALIS record created; 3 ALIS-only caregivers need AD accounts** -- Judith Palmer, Joey Ty, Alejandra Vallejo). Blanket-disable ALIS-native 2FA for the bucket as matched. Zeke Huerta stays `e.huerta@`. Also decide reactivate-vs-recreate for the 7 Discharged ALIS records (from the 6/29 crosscheck). Build path: `alis` skill `build-import` -> upload .xls in ALIS UI. -- **[IN PROGRESS] VLAN 20 (CSCNET) staff + printer migration.** Front Desk Epson (.221), Life Enrichment Canon MF741 (.94, UFR II), Dining Canon MF743 (.228), Chef Brother 9330 (.236), MedTech Brother L8900 (.74) done 2026-06-30; MC Reception Epson (.78) marked but not set up. pfSense CS-SERVER->VLAN20 policy-route bypass rule added. 
**Next:** Point-and-Print into a fleet-wide computer GPO; repoint `CSC - Life Enrichment Printers` GPO to `\\CS-SERVER\LifeEnrichment`; reboot MEMCARE-STATION to apply rename; domain-join the workgroup boxes (DESKTOP-MD6UQI3, CHEF-PC, MEMCARE-STATION, MEMREct-PC, DESKTOP-LPOPV30) then swap direct-IP printers to server shares. Map: `docs/printer-gpo-map.md`. +- **[IN PROGRESS, machines ~done / printers lagging as of 2026-07-01] VLAN 20 (CSCNET) staff + printer migration.** Live reconcile 2026-07-01: **22 machines online on VLAN 20**, only CS-SERVER (by design) + ~6 stragglers left on the old LAN. Printer shares only **4/15** repointed (FrontDesk .221, BusinessOffice .220, LifeEnrichment .94, MCReception .78); MCMedTech still stale at 192.168.2.53 though its target 10.0.20.74 is live+reachable (safe repoint held pending the GPO decision). pfSense CS-SERVER->VLAN20 policy-route bypass rule holding. **Next (priority order):** decide reboot-test vs pre-stage-drivers for the Point-and-Print GPO (currently pilot-scoped to DESKTOP-H6QHRR7 only) and take it fleet-wide; repoint MCMedTech + the 4 remaining stale caregiver-GPO shares (NursesPrinter, HealthServices, MCDirector, CopyRoom); repoint `CSC - Life Enrichment Printers` GPO to `\\CS-SERVER\LifeEnrichment`; reboot the MemCare RECEPTIONIST-PC box to apply the MEMCARE-STATION rename (still not applied); domain-join the workgroup boxes (DESKTOP-MD6UQI3, CHEF-PC, MEMCARE-STATION, MEMRECEPT-PC, DESKTOP-LPOPV30) then swap direct-IP printers to server shares. Map: `docs/printer-gpo-map.md`. - **[SECURITY -- needs Global Admin] Remove the standing Privileged Authentication Administrator role from the `ComputerGuru - Tenant Admin` SP** (left over from Alma's offboarding password reset). Entra -> Roles & admins -> Privileged Authentication Administrator -> remove the SP; leave its Conditional Access Administrator role. Pending Mike's decision. See Access section. 
- **[FOLLOW-UP 2026-06-30] Megan Hiatt breach re-check.** Her account carried a `CREDENTIAL_STUFFING_ACTIVE` marker in the April tenant inventory; verify the April remediation held (`/remediation-tool check megan.hiatt@`). - **[PLANNED -- CARF accreditation] Technology and System Plan deliverable** (requested by Ashley Jensen 2026-06-24). One of the five required CARF Section-1 plans (Aging Services); must be an action document covering 8 canonical areas with per-area current tech + projected need + timeline + vendor + cost + responsible person + target/completion date, annual dated leadership sign-off. Done: gap analysis, project memory `project_cascades_carf_tech_plan`, an on-brand PDF first pass (via `impeccable`), and a pre-filled CARF intake worksheet. **Next: gather Cascades' inputs, then build the final plan branded as Cascades' (ACG as preparer); confirm the exact standard citation + review cadence.** Standing rule: all client/vendor-facing deliverables run through the `impeccable` skill before delivery. 
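Review bot: the replacement in-progress bullet in the `@@ -520,10 +534,10 @@` hunk lists `MEMCARE-STATION` among the workgroup boxes to domain-join and, in the same bullet, says the MEMCARE-STATION rename is still not applied, so the one MemCare box (S/N MJ0KQH4R) appears under its future name in one clause and its current name in another; use the current hostname with the pending rename in parentheses so the domain-join step targets a name that exists. The phrase "the 4 remaining stale caregiver-GPO shares (NursesPrinter, HealthServices, MCDirector, CopyRoom)" introduces a grouping the page has not defined: the Patterns hunk lists 11 stale shares, so say which GPO deploys those four (or point at the mapping in `docs/printer-gpo-map.md`) so the reader knows why the other seven are not part of this step. The old line's `MEMREct-PC` is corrected to `MEMRECEPT-PC` here, which is good, but the same misspelling survives in the Patterns hunk's context line and should be fixed in the same commit.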
@@ -647,6 +661,7 @@ Syncro live pull 2026-06-30: **0 open Syncro tickets; 37.5 prepaid hours; 29 man | 2026-06-30 | **Caregiver phone SSO -- license + group + temp-password onboarding.** Completed the Entra/identity side for all 40 frontline caregivers: added the 2 missing to `SG-Caregivers` (now 40), assigned Business Premium (Howard bought 11 more seats -> SPB 34->45 enabled), and set unique forced-change AD temp passwords (vaulted `caregiver-temp-passwords-2026-06-30.sops.yaml`, delivered via Discord DM). `SG-Caregivers` corrected to frontline caregivers ONLY (excl. Feller/Nyanzunda). Remaining gate: ALIS Email=UPN match (Howard) + create ALIS records for 7 + AD accounts for 3 ALIS-only caregivers. | | 2026-06-30 | **Tamra Matthews OFFBOARDED (Move-In Coordinator; left June 2026).** Cloud-only M365 object: sessions revoked, sign-in blocked, password vaulted, mailbox -> SharedMailbox (Crystal/Megan/Meredith/Ashley FullAccess+AutoMap), O365 Standard seat freed, hidden from GAL, 3 groups stripped. On-prem AD disabled + moved to `OU=Excluded-From-Sync`. No litigation hold despite PHI-adjacent role (Howard authorized). AutoMapping rollback on rapid grants root-caused (spaced one-at-a-time fix). Follow-up: Megan Hiatt breach re-check. | | 2026-06-30 | **VLAN 20 (CSCNET) printer migration.** Migrated Front Desk Epson ET-5800 (.221) + Life Enrichment Canon MF741 (.94) onto VLAN 20 server shares, then dining/chef/medtech/MC-reception. Root-caused a hard blocker: CS-SERVER couldn't reach VLAN 20 printers because the LAN "allow LAN to any" rule policy-routed internal traffic out the WAN (WAN_Group gateway) -- fixed with a top LAN pass rule (gw=default, src CS-SERVER). Established the Point-and-Print policy fix for standard-user driver installs and the Canon UFR-II-only driver requirement (PCL6 -> Error #822). Staged RECEPTIONIST-PC (MemCare box) rename to MEMCARE-STATION. GPO planning doc `docs/printer-gpo-map.md` created. 
| +| 2026-07-01 | **VLAN 20 migration live-reconciled -- much further along than docs showed.** Full GuruRMM fleet pull found **22 machines already on VLAN 20** (only CS-SERVER by design + ~6 stragglers remain on the old LAN), but printer shares lag at **4/15** repointed (MCMedTech still stale 192.168.2.53 despite its live target 10.0.20.74). Rewrote `docs/printer-gpo-map.md` to the live state and updated the `project_cascades_vlan20_migration_routing` memory. No production changes made (read-only reconcile); MCMedTech repoint offered and held pending Howard's GPO go-live decision. Also fixed Howard-Home Tailscale (`UnattendedMode=always`) after it dropped RMM/coord reachability. | --- diff --git a/wiki/index.md b/wiki/index.md index b856efba..f24b735b 100644 --- a/wiki/index.md +++ b/wiki/index.md 
@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | Article | Summary | Last Compiled | |---|---|---| -| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **37.5 hrs remaining** (live 2026-06-30); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610 -- RAID **live-verified HEALTHY 2026-06-24** (the 6/15 "degraded" self-recovered; both mirrors Ok, 1:0:4 = global hot spare; consumer 320GB drives + lost-PSU-redundancy are planned follow-ups, NOT an emergency); cloud backup verified running; **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 0 open tickets (live EOD 2026-06-25), device-readiness audit done (5 PCs on Win Home need Home->Pro before join); **Alma Montt offboarded 2026-06-25** (Tenant Admin SP left holding a standing PAA role -- removal pending Mike); **CARF Technology & System Plan** deliverable in progress for Ashley Jensen; **endpoint security migration started 2026-06-25** (Datto EDR/AV replacing Bitdefender; 34 agents enrolled); **CS-SERVER: all Datto software removed 2026-06-26**, and the CS-SERVER "SMB error 67" proved to be an RMM-test artifact -- server is healthy, Karen share access verified interactively; **caregiver phone SSO 2026-06-30: all 40 frontline caregivers licensed (Business Premium) + in SG-Caregivers + forced-change AD temp passwords -- Entra side DONE, ALIS Email=UPN match pending**; remaining-work plan: docs/REMAINING-WORK-PLAN.md | 2026-06-30 | +| [Cascades 
of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **37.5 hrs remaining** (live 2026-07-01); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610 -- RAID **live-verified HEALTHY 2026-06-24** (the 6/15 "degraded" self-recovered; both mirrors Ok, 1:0:4 = global hot spare; consumer 320GB drives + lost-PSU-redundancy are planned follow-ups, NOT an emergency); cloud backup verified running; **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 0 open tickets (live EOD 2026-06-25), device-readiness audit done (5 PCs on Win Home need Home->Pro before join); **Alma Montt offboarded 2026-06-25** (Tenant Admin SP left holding a standing PAA role -- removal pending Mike); **CARF Technology & System Plan** deliverable in progress for Ashley Jensen; **endpoint security migration started 2026-06-25** (Datto EDR/AV replacing Bitdefender; 34 agents enrolled); **CS-SERVER: all Datto software removed 2026-06-26**, and the CS-SERVER "SMB error 67" proved to be an RMM-test artifact -- server is healthy, Karen share access verified interactively; **caregiver phone SSO 2026-06-30: all 40 frontline caregivers licensed (Business Premium) + in SG-Caregivers + forced-change AD temp passwords -- Entra side DONE, ALIS Email=UPN match pending**; **CSC ENT->VLAN 20 migration (live 2026-07-01): 22 machines on VLAN 20 (only CS-SERVER + ~6 stragglers left on old LAN); printer shares lag at 4/15 repointed; P&P GPO still pilot-scoped**; remaining-work plan: 
docs/REMAINING-WORK-PLAN.md | 2026-07-01 | | [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, **31.5 hrs remaining** (live 2026-06-23); signal-conditioning manufacturer; 64 DOS test stations; 2025 ransomware recovery + incomplete file restore (migration-gap audit); 2026-03 phishing + MFA rollout; test-datasheet pipeline (DSCA cert publish via Hoffman API + testdatadb UI on AD2); mail stack INKY->Mailprotector CloudFilter->EXO; FreePBX 17 outage fixed 2026-06-08/09 (qualify_frequency=0; no RTP-forward); shares-ACL project (all open to staff; Phase 2 target-state strawman drafted 2026-06-22); Syncro asset reconciliation 2026-06-02; GuruRMM fleet ~45; Bitdefender phase-off | 2026-06-23 | | [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 | | [Jimmy Company](clients/jimmy.md) | Break-fix, $150/hr; single aging workstation BLASTER2 (Win10 22H2 EOL, i5-3470/3.8GB — replace); backups the recurring theme (QuickBooks data); onboarded to GuruRMM 2026-06-19 (RDP NLA + Kaseya removal + cleanup); MSP360 local backup drive full, 90-day retention set, space reclaim pending in console (cloud B2 healthy) | 2026-06-19 |
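Review bot: in the `@@ -103,6 +103,11 @@` sources hunk the 2026-06-24 session log is appended after the 2026-06-30 entries, breaking the chronological order the rest of the list follows, and `.claude/memory/project_cascades_vlan20_migration_routing.md` is the only source outside the `clients/cascades-tucson/` tree; move the 06-24 entry up with the other June logs and confirm that `/wiki-lint` resolves a path under `.claude/memory/` before treating a private memory file as a compile source.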
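Review bot: the 2026-07-01 changelog row in the `@@ -647,6 +661,7 @@` hunk mixes the Cascades reconcile with a Howard-Home Tailscale fix (`UnattendedMode=always` after RMM/coord reachability dropped) that is not a change to this client and is not covered by any source added in this patch; move that sentence to the Howard-Home or Tailscale system page and keep this row to the client. The rest of the row is consistent with the Patterns hunk (22 on VLAN 20, 4/15 shares, MCMedTech held, read-only reconcile).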
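Review bot: the rebuilt Cascades row in the `wiki/index.md` hunk still says "Syncro 0 open tickets (live EOD 2026-06-25)" while the client page in this same patch records 0 open tickets as of 2026-07-01 live, and the row's Last Compiled is bumped to 2026-07-01; refresh that date in the summary so the index does not contradict the page it summarises. The summary has also grown into a running changelog (RAID verification, power outage, voice VLAN, RF tuning, offboarding, EDR, caregiver SSO, now the VLAN 20 migration); since the client page carries the full history, consider trimming the index row to current state and open items so the table stays scannable.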