diff --git a/clients/cascades-tucson/session-logs/2026-06-05-session.md b/clients/cascades-tucson/session-logs/2026-06-05-session.md index 99e8507..26b23ab 100644 --- a/clients/cascades-tucson/session-logs/2026-06-05-session.md +++ b/clients/cascades-tucson/session-logs/2026-06-05-session.md 
@@ -156,3 +156,20 @@ The "set up Windows Hello" prompt persisted on pilot.test despite the local reg - [ ] Howard: confirm pilot.test ALIS staff Email = `pilot.test@cascadestucson.com` (ALIS resolved it this session, so likely set). - [ ] Promote rule set to `SG-Caregivers` (all 38 + Feller/Nyanzunda); for devices, prefer **deviceId matching** in the allow-list (reliable) — collect the 6 caregiver-device deviceIds. Then disable compliance-block + clean up test artifacts (pilot.test, test group). - [ ] LESSON: check Intune license provisioning (`INTUNE_A = Success`) before troubleshooting enrollment; CA device-filter extensionAttribute changes lag (use deviceId for immediacy). + +## Update: 14:05 MST — Decision: pivot to hybrid/domain-join (GPO) for device policies; wiki architecture overview added + +Because per-user Intune (`INTUNE_A`) is stuck PendingInput tenant-wide (MS case open), decided to **deliver the caregiver device settings via Group Policy instead of Intune** — i.e., **Hybrid Entra Join / domain join** the caregiver machines and push Hello-off + idle-lock + profile handling via GPO (which is already set up on CS-SERVER). The caregiver *access* model (CA off-network + device allow-list + ALIS SSO) is unchanged and works regardless of join type — it only needs the device to have an Entra object (hybrid join provides it; deviceId/extensionAttribute allow-list still applies). + +Added a canonical **Entra Access Architecture** overview to `wiki/clients/cascades-tucson.md` (two-bucket design, CA policies, devices, ALIS SSO, Intune blocker + hybrid pivot). + +### Key caveat for the hybrid path +Entra Connect syncs USERS (PHS + Seamless SSO) — that's set up. **Hybrid Azure AD *device* Join is a SEPARATE Entra Connect config (Device options / SCP) and is likely NOT enabled** (NURSESTATION's old record was `Workplace`, not `ServerAd`). So step 1 of the hybrid path = enable Hybrid Entra Join in Entra Connect on CS-SERVER. 
NURSESTATION is currently Entra-joined (un-joined from domain earlier today), so going hybrid means re-domain-joining it (new Entra device object -> re-tag for allow-list). + +### Next phase (in progress — "next few hours") +- [ ] Enable Hybrid Entra Join in Entra Connect (CS-SERVER) — verify it's on; if not, configure Device options/SCP. +- [ ] Domain-join the caregiver machines (laptops + NURSESTATION + ASSISTNURSE-PC) -> they hybrid-register into Entra. +- [ ] Re-tag the new hybrid device objects (`extensionAttribute1=CSCCaregiverDevice` and/or add deviceIds to the allow-list rule). +- [ ] GPO for caregiver devices: disable Windows Hello (`Use Windows Hello for Business`=Disabled), idle screen-lock (machine inactivity limit), security baseline; folder handling so no local data. +- [ ] Users sign in with **email/UPN** (works on domain/hybrid devices since UPN suffix = cascadestucson.com). Each caregiver uses their OWN account (shared device, individual logins) — required for ALIS SSO email-match + audit. +- [ ] Resume per-user testing via `SG-Caregivers-DeviceTest`, then promote to `SG-Caregivers`.
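Review bot: the "Next phase" checklist re-tags the new hybrid device objects but has no step to retire the stale Entra-joined object that NURSESTATION leaves behind when it is re-domain-joined, even though the caveat paragraph above says the re-join produces a new Entra device object. Because the allow-list is keyed on deviceId, the old object's deviceId remains in the CA rule until someone removes it, and a stale entry in a device allow-list is exactly the kind of drift that is hard to notice later. Suggest adding an item such as `- [ ] Delete the old Entra-joined NURSESTATION object and drop its deviceId from the allow-list once the hybrid object appears` and gating the re-tag step on the device actually reporting hybrid state (for example `dsregcmd /status` showing both AzureAdJoined and DomainJoined as YES) so that the deviceId collected for the allow-list is the one the CA policy will evaluate; the same ordering applies to ASSISTNURSE-PC and the laptops. The "disable compliance-block" item in the earlier checklist should also be sequenced before the caregiver machines are domain-joined, since with `INTUNE_A` stuck the hybrid devices will never report compliant and would be blocked by that policy as soon as they are allow-listed.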