From 6228793152445e246106d17118acd56097e5d66c Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Wed, 3 Jun 2026 11:51:47 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-03 11:51:39 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-03 11:51:39 --- .../session-logs/2026-06-03-session.md | 39 +++++++++++++++++++ wiki/clients/cascades-tucson.md | 3 ++ 2 files changed, 42 insertions(+) diff --git a/clients/cascades-tucson/session-logs/2026-06-03-session.md b/clients/cascades-tucson/session-logs/2026-06-03-session.md index 601bdc6..b06b2e8 100644 --- a/clients/cascades-tucson/session-logs/2026-06-03-session.md +++ b/clients/cascades-tucson/session-logs/2026-06-03-session.md 
@@ -157,3 +157,42 @@ The real difference was the **login path**: Megan had 10 ALIS sign-in events thr Symptom signature: a user with zero ALIS app sign-in events in the Entra logs is on the old direct-login path (not SSO) — the fix is the ALIS Email match, not anything in Entra. Sweep target: apply this to all office/clinical users (Karen Rossini, MemCare reception, etc.) to standardize everyone onto SSO. + +## Update: 11:50 MST — Caregiver device allow-list rollout: enrollment approach + join-model decisions + +Resumed the caregiver device allow-list workstream. Live check confirmed none of the 5 target devices are usable yet: the 4 laptops (Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8) are not in Entra; NURSESTATION-PC has only a stale 2021 Workplace-registered record (OS build 18363, last seen 2021-07-03, unmanaged) to be ignored/cleaned. Tenant holds 91 Windows device objects, mostly previous-MSP cruft. + +Decided the join model per device. Laptops will be **Entra-joined (cloud join)**, not domain-joined: the allow-list is a CA device filter that can only match a device with an Entra device object, and a domain-join-only PC has no Entra object — so domain-only cannot be allow-listed and is ruled out. The laptops are shared ALIS/Teams/Outlook access points and do not need the on-prem GPO stack (folder redirection, mapped drives). NURSESTATION-PC stays domain-joined and gets **Hybrid Entra Join** (it needs on-prem printers/ALDocs share) — requires a one-time device-options config in Entra Connect on CS-SERVER. Mixed model (Entra-joined laptops + hybrid NURSESTATION) is supported. + +Printing does not require domain join. Entra-joined laptops print via direct IP network printers or an Intune-pushed printer config (Add-Printer against the printer IP). Printing alone is not a reason to domain-join; only the full domain experience (GPO printers + folder redirect + seamless shares) would justify hybrid, which these laptops do not need. 
+ +License/account analysis: Business Premium (SPB) = 34 seats, 4 consumed, 30 free. `sysadmin@` carries only Power Automate Free (FLOW_FREE); `admin@` and `devices@` are unlicensed. Device-join policy allows all users to join (quota 50). Recommended join account is the dedicated `devices@cascadestucson.com` (Cloud Device Administrator), which needs a Business Premium license assigned at enrollment time so auto-MDM-enroll fires. + +Clarified Intune licensing lifecycle: the enrolling account's license is needed only at the moment of join. After enrollment the device stays Entra-joined and Intune-managed, and the CA allow-list (which keys on the device object) is unaffected by the enroller's later license state. One license covers sequential enrollments of all devices; the Business Premium seat can be reclaimed from `devices@` after the batch. Per-user Intune licensing for ongoing use is satisfied by the caregivers (Business Premium) and/or by marking each laptop a shared device (remove primary user in Intune). + +### Key Decisions (this update) +- Laptops = Entra join, not domain join: domain-only produces no Entra device object, breaking the CA allow-list. The laptops do not need the on-prem GPO stack. +- NURSESTATION-PC = domain-joined + Hybrid Entra Join (needs on-prem resources); ignore/clean its stale 2021 Entra record. +- Printing handled via direct IP / Intune push — not a justification to domain-join. +- Use `devices@` (Cloud Device Administrator) as the join account, licensed with Business Premium only transiently for enrollment, then reclaim the seat. + +### Configuration Changes (this update) +- None applied. Planning + live read-only checks only. Business Premium license assignment to `devices@` offered but NOT yet executed (awaiting go-ahead). + +### Credentials (this update) +- `devices@cascadestucson.com` / `Gptf*77ttb!` — Cloud Device Administrator, user ID `aaca80c6-861b-4294-8068-1033c68d7667`. 
Vault: `clients/cascades-tucson/devices-account.sops.yaml`. Currently UNLICENSED — needs Business Premium at enrollment. + +### Reference (this update) +- SPB (Business Premium) skuId `cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46` (34 seats, 30 free). O365_BUSINESS_PREMIUM (Business Standard, suspended) skuId `f245ecc8-75af-4f8e-b61f-27d8114de5f3` (0 enabled, 31 consumed). +- Printers (CS-SERVER print server): FrontDesk = Epson ET-5800 `192.168.2.147`; CopyRoom = Canon imageRunner C478iF `192.168.2.230`; MCReception = Epson ET-5800 (Memory Care reception). 13 total. +- Device join policy: `allDeviceRegistrationMembership` (all users may join), userDeviceQuota 50. +- MDM auto-enroll scope (Entra -> Devices -> Mobility (MDM and MAM) -> Microsoft Intune -> MDM user scope) NOT verifiable via API (BadRequest) — confirm = All in portal before joining. + +### Pending (this update) +- [ ] Assign Business Premium to `devices@` (offered; awaiting go-ahead). +- [ ] Confirm MDM user scope = All in portal. +- [ ] Confirm which printer(s) each laptop needs -> Intune printer push. +- [ ] Confirm whether any laptop needs on-prem file shares (would push that one to hybrid). +- [ ] Entra-join 4 laptops with `devices@`; reclaim license after batch. +- [ ] Hybrid Entra Join for NURSESTATION-PC (Entra Connect device options on CS-SERVER); clean stale 2021 record. +- [ ] After enrollment: tag devices `extensionAttribute1=CSCCaregiverDevice`, validate report-only, then cutover. diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index 3f5f3ba..bacc73f 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md 
@@ -194,6 +194,9 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building | LAPTOP-DRQ5L558 | Win 11 | `f9e25b3b-da63-40ff-94a6-8cec3b9a19ce` | | LAPTOP-E0STJJE8 | Win 11 | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` | + - **Join model (decided 2026-06-03):** The 4 laptops are **Entra-joined (cloud join)**, NOT domain-joined — a domain-only PC has no Entra device object, so the CA device filter cannot allow-list it. The laptops are shared ALIS/Teams/Outlook access points and do not need the on-prem GPO stack. NURSESTATION-PC stays domain-joined and gets **Hybrid Entra Join** (needs on-prem printers + ALDocs share); requires a one-time device-options config in Entra Connect on CS-SERVER, and its stale 2021 Entra record (Workplace, last seen 2021-07-03) should be cleaned. Mixed model is supported. + - **Enrollment account:** `devices@cascadestucson.com` (Cloud Device Administrator, `aaca80c6-861b-4294-8068-1033c68d7667`). Needs a **Business Premium** license **only at enrollment time** so auto-MDM-enroll fires; the device stays enrolled and allow-listed afterward regardless of the enroller's license, so the SPB seat can be reclaimed after the batch (30 SPB seats free as of 2026-06-03). One license covers sequential enrollments. Mark each laptop a shared device (remove primary user) to drop per-user license dependency. Confirm MDM user scope = All (Entra -> Devices -> Mobility) before joining — not verifiable via API. + - **Printing:** does NOT require domain join — Entra-joined laptops print via direct IP network printers or an Intune-pushed `Add-Printer` config. Printers: FrontDesk Epson ET-5800 `192.168.2.147`, CopyRoom Canon C478iF `192.168.2.230`, MCReception Epson ET-5800. 
- **Cutover prerequisites (pending Howard OK):** Entra-join + Intune-enroll the 4 laptops; tag each `extensionAttribute1=CSCCaregiverDevice`; confirm NURSESTATION-PC Hybrid Entra Join; review report-only sign-in results; then enable allow-list policy AND disable `CSC - Block caregivers on non-compliant device`. - **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover. - **Pilot cleanup required when done:** Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group. Source: `project_cascades_pilot_cleanup.md`.
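Review bot: the `### Credentials (this update)` section of the session-log hunk commits the `devices@cascadestucson.com` password in plaintext on the same line that points at the SOPS vault `clients/cascades-tucson/devices-account.sops.yaml`; drop the secret from the markdown and keep only the vault path, and treat that password as exposed (rotate it and update the vault entry), since removing it in a later commit still leaves it in git history. The account is a Cloud Device Administrator, so this matters more than for an ordinary user.

Review bot: the **Enrollment account** bullet in the wiki hunk records the `devices@` object ID and the transient Business Premium plan but not where the credential is kept; the session log in the same commit names `clients/cascades-tucson/devices-account.sops.yaml`, so put that vault reference here (and only here) rather than in a dated session log. Also, the bullet states as settled that the device "stays enrolled and allow-listed afterward regardless of the enroller's license", while the session log lists that outcome under Pending (`validate report-only, then cutover`); word it as something to confirm in the report-only review after the SPB seat is reclaimed, before the allow-list policy is enabled and `CSC - Block caregivers on non-compliant device` is disabled.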