Session log: Cascades MHS kiosk fix + SDM bootstrap (mid-flight) + Sombra onboarding side-quest
@@ -0,0 +1,279 @@
# 2026-04-30 — Cascades caregiver pilot: MHS kiosk format fix, Tenant Admin scope expansion, SDM bootstrap (in flight) — plus Sombra Residential onboarding side-quest
## User
- **User:** Howard Enos (howard)
- **Machine:** HOWARD-HOME (and Howard's tech laptop onsite at Cascades)
- **Role:** tech
- **Session span:** 2026-04-30 ~13:00 PT through ~17:30 PT
## Resume point (READ THIS FIRST)
Pilot phones for Cascades are at the property. SDM bootstrap was mid-handshake when the session ended:
1. `pilot.test@cascadestucson.com` signed into Microsoft Authenticator on the pilot phone via the Microsoft Authentication Broker (sign-in event 2026-05-01T00:20:54Z, status 0 success). Edge took over to complete device registration / shared device mode handshake. Howard reports Edge "is thinking now."
2. **Next session resumes by checking whether SDM completed**: open Authenticator on the phone — should now show pilot.test as the registered account; look for a "Sign out from this device" indicator (only present in shared device mode). Then test the caregiver UX: open Outlook (should auto-SSO), open Teams (should auto-SSO), then sign out from Authenticator to verify all M365 apps log out together. Confirm via sign-in logs.
3. Two phones onsite (R9TTC0JSDPJ pilot + R92W315YRLL second pilot phone). Bootstrap each one. The third shared phone (R9TWB0WM55R) is NOT at Cascades; ignore for this session.
If SDM did NOT auto-engage after Authenticator sign-in:
- Check Authenticator's app-config has propagated to the device (config policy `a1bfbda0-a36c-45e5-8844-8470f80ecc8d` already had `shared_device_mode_enabled: true` and is correctly assigned to the shared phones group)
- Force Authenticator close + reopen
- Worst case: clear Authenticator data on the phone and re-add the account
## Session Summary
This session resumed the Cascades caregiver-shared-phone pilot from the 2026-04-30 early-morning save. Earlier in the day Howard separately asked about RAM upgrade options for `MDIRECTOR-PC` at Cascades; that was answered by pushing a WMI inventory query through GuruRMM, identifying an Acer Aspire C24-865 AIO with one 4 GB SK Hynix DDR4-2666 SODIMM in two SODIMM slots, max 32 GB total. Recommendation: 2× 8 GB matched DDR4-2400+ kit. No order placed.
Howard then rolled into the Cascades phone work. The pilot phone (re-enrolled 2026-04-30 04:17 UTC) had been sitting at "Syncing policies" overnight; sign-in logs and Entra device records showed nothing had progressed because off-property the Wi-Fi compliance config blocked Managed Play access. Howard took two phones onsite at Cascades to retry. Diagnosis required deeper Intune visibility than the existing Tenant Admin SP had, so the manifest was incrementally expanded across three patches: first `DeviceManagementManagedDevices.Read.All`, then `DeviceManagementApps.Read.All` + `DeviceManagementConfiguration.Read.All`, then `DeviceManagementConfiguration.ReadWrite.All`. Each patch was followed by a re-consent in the Cascades tenant via the standard `https://login.microsoftonline.com/{tenant}/adminconsent?...&prompt=consent` URL. Howard clicked through three consents during the session. The Tenant Admin SP now holds 14 Graph application roles total.
Once read access was granted, the cause of the empty MHS launcher became visible: `kioskModeApps` in `CSC - Android Shared Phones Restrictions` (id `070a76c2-a8c3-4f7f-9ba7-1f4ac5084184`) held Intune mobileApp GUIDs in the `appId` field. For Android Enterprise multi-app kiosk mode, MHS resolves icons by Android **package name** — sending a GUID gives MHS nothing to launch, even though the apps install fine via Managed Play. PATCH replaced GUIDs with package names for the two native apps (`com.microsoft.teams`, `com.microsoft.office.outlook`); the three webApp-type entries (ALIS, Helpany, LinkRx) were dropped from the kiosk for now since `#microsoft.graph.webApp` deployments are URL shortcuts, not packaged TWAs, and won't appear in MHS multi-app mode regardless. Phones picked up the new policy and Teams + Outlook icons rendered for the first time. Phase 2 (converting the three web apps into Managed Google Play web apps with real packages) is deferred.
Howard then reported the Outlook/Teams sign-in UX wasn't right: signing into Outlook prompted "add another account," and Teams asked for click-throughs. Investigation showed both Microsoft Authenticator AND its `shared_device_mode_enabled: true` app-config policy had already been built earlier in the project (configs `a1bfbda0-…` and `3c6a354c-…`) and assigned to the right group, but the Authenticator app was missing from MHS — caregivers had no way to launch it to bootstrap shared device mode. PATCHed `kioskModeApps` again to add Authenticator (`com.azure.authenticator`) as the first kiosk icon. Howard signed pilot.test into Authenticator on one phone, the Microsoft Authentication Broker accepted credentials on second attempt (one password typo), and Edge took over to complete device registration. Save was called while Edge was still processing.
Side-quest during the session: a new client, **Sombra Residential LLC**, was documented. Server2013 (a Server **2012** box mis-named — build 9200, EOL 2023-10-10) was enrolled in GuruRMM today. Howard provided the Administrator password (`Tick8800`); a `sysadmin` account also exists but its password was not captured. Created `clients/sombra-residential/CONTEXT.md` + a SOPS vault entry at `clients/sombra-residential/server2013.sops.yaml`, added a Sombra section to `credentials.md`, committed and pushed both repos. Also created Syncro ticket #32230 for Cascades — Karen Rossini needs ALDOCS share access on cascadesds (Synology) — assigned to Howard, no email, no contact (Karen isn't a Syncro contact yet).
## Key Decisions
- **Add Intune scopes to Tenant Admin SP incrementally rather than all at once.** Each new scope = one re-consent click for Howard in Cascades. Three round-trips (`ManagedDevices.Read.All` → `Configuration.Read.All` + `Apps.Read.All` → `Configuration.ReadWrite.All`) was acceptable because the diagnosis was iterative — first we needed to see the device, then the kiosk config, then we needed to write to the kiosk config. Avoided over-permissioning by skipping `PrivilegedOperations.All` and the `*.ReadWrite.All` variants of Managed Devices and Apps. Those can be added later if a real workflow demands them. Scope bloat in a multi-tenant app is a per-customer-tenant footprint expansion, so add only what's used.
- **Drop ALIS, Helpany, LinkRx from kiosk in Phase 1.** They're stored in Intune as `#microsoft.graph.webApp` (URL shortcuts), which don't get a real Android package on the device and therefore can't render in MHS multi-app mode no matter what `appId` we put. Phase 2 will convert them to Managed Google Play web apps with actual packages, but that's a separate Google Play Admin workflow and ~15-30 min of waiting on Google per app — not worth blocking tonight's test of Teams + Outlook.
- **Reorder kiosk apps so Authenticator is first.** Caregivers shouldn't need to interact with Authenticator daily, but for first-launch bootstrap and any future re-bootstrap, putting the icon front-and-center makes the SDM sign-out flow discoverable. We can revisit hiding it later if it's a UX irritant.
- **Save session log to `clients/cascades-tucson/`, not split between Cascades and Sombra.** Sombra's permanent record is in `clients/sombra-residential/CONTEXT.md` + the vault entry. The session work for Sombra was small enough (5-10 minutes of file creation + commits) that a separate session log would just be a redirect. Cross-reference inline here.
- **Use direct Claude-drafted narrative for /save instead of Ollama qwen3:14b.** Memory `feedback_complete_vault_operations_end_to_end` and the 2026-04-30 04:30 PT session log both flagged that qwen3:14b hallucinates cross-context when summarizing Cascades sessions. Same trap applies tonight; took the documented fallback rather than gamble on getting accurate narrative back.
## Problems Encountered
- **Tenant Admin SP didn't have Intune read scopes despite earlier session log claiming a wipe was issued via this SP.** When I tried `GET /managedDevices/{id}` the SP returned 403 with the message "Application must have one of the following scopes: DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All". Token role audit confirmed no DeviceManagement scopes at all. The 2026-04-30 04:30 PT log claimed `POST /managedDevices/{id}/wipe` succeeded with HTTP 204 via this SP — that claim is suspect; the wipe was probably done via Mike's portal session or a different SP, and the session log was written from intent rather than verified output. Resolved by patching the manifest to add the necessary scopes.
- **Cached token didn't reflect newly-consented scopes.** After Howard clicked the consent URL, the first token fetch from `/tmp/remediation-tool/{tenant}/tenant-admin.jwt` was the pre-consent cached one. Cleared the cache file and re-fetched — new scopes appeared. Worth keeping in mind for any future "Howard just consented but the request still 403s" — it's almost always the cache.
- **Filtering Intune `managedDevices` on `enrollmentProfileName` returned BadRequest.** The Intune backend (`proxy.amsua0102.manage.microsoft.com`) doesn't accept that filter even though Graph documentation suggests it. Worked around by filtering on `operatingSystem eq 'Android'` + client-side jq filter on `deviceEnrollmentType == "androidEnterpriseDedicatedDevice"`. Works fine but worth remembering.
- **`detectedApps` came back empty for all dedicated devices**, even ones that visibly have Teams/Outlook installed. This is normal for Android Enterprise dedicated phones — Intune doesn't inventory installed apps the same way it does for personally-enrolled phones. Initially looked like a smoking gun for the stuck phone but turned out to be a red herring; correct signal was the stale `lastSyncDateTime`.
- **Authenticator did NOT show "shared device" indicator on first launch.** The welcome / "set up your first account" screen is the standard first-run UI; SDM bootstrap happens during the first work-account add via the Microsoft Authentication Broker, not on app launch. The Edge handoff for device registration is also normal. Will know if SDM actually engaged once Edge finishes by whether sign-out / SSO behavior is correct on subsequent app opens.
- **First Authenticator sign-in failed with `50126 invalid credentials`.** Howard typoed the password on the first attempt. Second attempt (00:20:54Z) succeeded with status 0. Minor friction; vault password is correct.
- **`isCompliant: false` and `deviceTrust: null` on the bootstrap sign-in.** Despite both phones showing Intune-side `complianceState: "compliant"` ~10 minutes earlier. This is expected for the first SDM registration sign-in: the Entra-side device-user identity hasn't been established yet at the moment that auth event is logged. Subsequent sign-ins should pass the deviceID through and tag isCompliant correctly. Not a blocker — but if subsequent sign-ins still show isCompliant:false, that's a real problem and we'll need to dig into the Authenticator broker registration.
- **`conditionalAccessStatus: notApplied` on the bootstrap sign-in.** Was momentarily concerning until we confirmed it's expected: pilot.test is in `SG-Caregivers-Pilot` which is excluded from legacy all-users-MFA, and the three new caregiver-scoped CA policies are still Report-only. So no CA was enforced. **The bypass is working as designed — pilot.test got in with just a password, no MFA prompt.**
---
## Configuration Changes
### ACG home tenant — Tenant Admin app manifest
Three PATCHes to `https://graph.microsoft.com/v1.0/applications/18ad80fd-ad17-4915-acf0-eb2c52e5feb9` adding Graph application permissions. Each was followed by a `POST /servicePrincipals/{TA_SP}/appRoleAssignments` grant in the home tenant. New permissions added (in patch order):
| Permission | Permission ID | Role granted (home tenant) |
|---|---|---|
| `DeviceManagementManagedDevices.Read.All` | `2f51be20-0bb4-4fed-bf7b-db946066c75e` | `cH9qBAi7CUOuFF-16eeLYqy9FDY1gR9Kot3rguFi5xE` |
| `DeviceManagementConfiguration.Read.All` | `dc377aa6-52d8-4e23-b271-2a7ae04cedf3` | `cH9qBAi7CUOuFF-16eeLYunKH5C1C5NFn15F1pnXWn8` |
| `DeviceManagementApps.Read.All` | `7a6ee1e7-141e-4cec-ae74-d9db155731ff` | `cH9qBAi7CUOuFF-16eeLYiERHfCbQS1MuhNDJu3-4vg` |
| `DeviceManagementConfiguration.ReadWrite.All` | `9241abd9-d0e6-425a-bd4f-47ba86e767a4` | `cH9qBAi7CUOuFF-16eeLYtAfS7ye3LNFpfLei8iEEG0` |
**Tenant Admin SP token now holds 14 Graph application roles total.** Full set:
```
AppRoleAssignment.ReadWrite.All
Application.ReadWrite.All
DeviceManagementApps.Read.All (NEW this session)
DeviceManagementConfiguration.Read.All (NEW this session)
DeviceManagementConfiguration.ReadWrite.All (NEW this session)
DeviceManagementManagedDevices.Read.All (NEW this session)
Directory.ReadWrite.All
Policy.Read.All
Policy.ReadWrite.ConditionalAccess
RoleManagement.ReadWrite.Directory
SecurityEvents.Read.All
Sites.FullControl.All
Sites.ReadWrite.All
User.ReadWrite.All
UserAuthenticationMethod.ReadWrite.All
```
### Cascades tenant (`207fa277-e9d8-4eb7-ada1-1064d2221498`)
- Re-consented Tenant Admin app **three times** during the session (after each manifest patch). Consent URL: `https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent`
- **`CSC - Android Shared Phones Restrictions`** (id `070a76c2-a8c3-4f7f-9ba7-1f4ac5084184`) — TWO PATCHes during the session:
- **v6 → v7** (PATCH 1, 2026-05-01T00:08:40Z): replaced `kioskModeApps` GUIDs with package names; dropped 3 webApps. Result: `[{name:"Microsoft Teams", appId:"com.microsoft.teams"}, {name:"Microsoft Outlook", appId:"com.microsoft.office.outlook"}]`.
- **v7 → v8** (PATCH 2, 2026-05-01T00:28:32Z): added Microsoft Authenticator at the top of the list. Final result: `[{Authenticator, com.azure.authenticator}, {Outlook, com.microsoft.office.outlook}, {Teams, com.microsoft.teams}]`.
### claudetools repo (already pushed)
- **NEW** `clients/sombra-residential/CONTEXT.md` — client stub for Sombra Residential LLC (server identity, GuruRMM IDs, EOL flag on the Server 2012 box).
- `credentials.md` — added "Client - Sombra Residential LLC" section pointing at the vault.
Pushed in commit `02e690c` (after rebase from origin's `1f23f66`).
### Vault repo (already pushed)
- **NEW** `clients/sombra-residential/server2013.sops.yaml` — encrypted with both age recipients per `.sops.yaml`. Contains Administrator/Tick8800. Sysadmin password not captured.
Pushed in commit `16696e8` (range `abfa955..16696e8`).
### Syncro
- **NEW Cascades ticket #32230** ("Karen Rossini needs ALDOCS access") — Service Request, 2 Normal, assigned to Howard, contact blank, do_not_email=true on initial issue comment, no appointment. Initial Issue body: "Karen Rossini (karen.rossini@cascadestucson.com) needs access to the ALDOCS share on cascadesds (Synology). Grant access and confirm she can reach it." URL: `https://computerguru.syncromsp.com/tickets/109712471`
---
## Credentials & Secrets (UNREDACTED)
### Cascades — pilot test user (unchanged from prior session, used during SDM bootstrap)
- **UPN:** `pilot.test@cascadestucson.com`
- **Password:** `8ajau==j2_MeBdW5XccKUEwx`
- Vault: `clients/cascades-tucson/pilot-test-user.sops.yaml`
- User ID: `43919c7b-638c-4d38-9f94-89c1d07ce724`
- Group: `SG-Caregivers-Pilot` (`0674f0bc-6ff4-49c7-802d-2abf591ba371`)
### Sombra Residential — Server2013 Administrator (NEW)
- **Hostname:** Server2013 (actually Windows Server 2012, build 9200, **EOL 2023-10-10**)
- **Username:** Administrator
- **Password:** `Tick8800`
- **Remote access:** ScreenConnect (ACG SC instance)
- **Sysadmin account:** exists, password TBD
- Vault: `clients/sombra-residential/server2013.sops.yaml`
### GuruRMM Dashboard (used for MDIRECTOR-PC inventory query)
- URL: `https://rmm.azcomputerguru.com`
- API: `https://rmm-api.azcomputerguru.com`
- Email: `admin@azcomputerguru.com`
- Password: `GuruRMM2025`
- (Also in `D:/vault/projects/gururmm/dashboard.sops.yaml`.)
### Syncro — Howard's API key (used for ticket #32230)
- `Tde5174a6e9e312d14-02fd5bfe0f0ee40c87d027507c680e18` (per-user; baked into `/syncro` skill — already in repo)
- Howard's Syncro user_id: `1750`
---
## Cascades — current pilot phone state at session end
| Phone | Intune ID | Serial | Last sync | Compliance | Onsite? |
|---|---|---|---|---|---|
| Pilot (re-enrolled 4/30) | `1207c415-5a82-41a9-9bfd-eb37c0d680eb` | R9TTC0JSDPJ | 2026-04-30T23:52Z | compliant | YES |
| Phone 2 | `1235047d-a6c7-4cf3-89b6-1edd9be65469` | R92W315YRLL | 2026-04-30T23:51Z | compliant | YES |
| Phone 3 (stale) | `8f712f39-3eb7-431a-a34d-76e6a107c1a9` | R9TWB0WM55R | 2026-04-23T22:21Z | noncompliant | NO (off-property, ignore) |
Phones 1+2 are at Cascades and on Cascades Wi-Fi (sign-in IP `184.191.143.62`). MHS now displays 3 icons (Authenticator, Outlook, Teams) per kiosk config v8. Apps install via Managed Play correctly.
### SDM bootstrap status (mid-flight at save)
- pilot.test signed into Microsoft Authenticator on the pilot phone at **2026-05-01T00:20:54Z** via "Microsoft Authentication Broker" (status 0 success). Edge took over for device registration. Save was called while Edge was still processing.
- Earlier failed attempt at 00:20:05Z (50126 invalid credentials) — Howard typo. Second attempt succeeded.
- `conditionalAccessStatus: notApplied` on bootstrap sign-in — **expected and correct** (pilot.test is excluded from legacy all-users-MFA, three new caregiver CA policies still Report-only).
- `isCompliant: false` on bootstrap sign-in — expected for first registration; should flip on subsequent sign-ins once device-user identity is established by Authenticator.
### MDIRECTOR-PC (Cascades) RAM upgrade recommendation (session start)
- Acer Aspire C24-865 AIO, i5-8250U, currently 1× 4 GB SK Hynix DDR4-2666 SODIMM in DIMM2/BANK2 (DIMM1 empty).
- Max 32 GB total, 2 SODIMM slots, DDR4-2400+ 1.2V non-ECC.
- **Recommended buy:** 2× 8 GB matched DDR4-2400+ kit = 16 GB dual-channel (best price/perf for marketing-director M365 workload). 2× 16 GB if Howard wants to max it.
- Pull the existing 4 GB stick when upgrading.
---
## Pending / Incomplete
1. **SDM bootstrap completion verification (next session, blocking).** When Edge finishes on the pilot phone:
- Authenticator should show pilot.test registered, ideally with a "shared device" or "Sign out from this device" indicator
- Open Outlook → expect auto-SSO, no add-account prompt
- Open Teams → expect auto-SSO, no click-throughs
- Tap "Sign out" in Authenticator → expect all three M365 apps to sign out
- Re-open Outlook → expect a fresh sign-in screen
2. **Bootstrap the second phone (R92W315YRLL).** Same flow as pilot. Both phones should end up in shared device mode.
3. **Phase 2 — Convert ALIS, Helpany, LinkRx to Managed Google Play web apps** so they get real Android packages and can render in MHS. Requires Google Play Admin / Managed Play console. ~15-30 min wait per app for Google to issue packages.
4. **Validation period for the three Report-only caregiver CA policies.** Watch sign-in logs for 24-48h (`CSC - Block caregivers off Cascades network`, `CSC - Block caregivers on non-compliant device`, `CSC - Caregiver sign-in frequency 8h`). Once satisfied, flip Report-only → On in three PATCHes.
5. **Sombra Residential follow-ups:**
- Capture sysadmin password from Server2013 → update vault entry
- Discuss Server 2012 EOL refresh path with Mike — running unpatched
- Discover and document workstations, network, primary contact, business purpose (CONTEXT.md is currently a stub)
6. **Syncro #32230 — work the actual ALDOCS share access for Karen Rossini.** Synology DSM at `192.168.0.120:5000`; share lives on cascadesds; permissions logic on the share (Domain Users? specific group?) needs to be checked.
7. **Stuck phone R9TWB0WM55R recovery (deferred per Howard).** Off-property, not synced since 4/23. Either bring back to Cascades and let it auto-sync, or wipe + re-enroll like the pilot. Not a blocker for now.
8. **Decide whether to add `DeviceManagementManagedDevices.PrivilegedOperations.All`** to the Tenant Admin manifest. Without it we can't issue `syncDevice` / `wipe` / `restart` from API for these dedicated devices. Last session log claimed wipe-from-API worked but that's likely wrong; it was probably done via Mike's portal session. Revisit when a real workflow demands it (e.g. the next stuck phone needing wipe).
9. **Decide whether to also add `DeviceManagementApps.ReadWrite.All`** for app config policy edits / new app assignments via API. Not blocking now since the SDM configs are already in place.
---
## Reference Information
### Cascades tenant
- Tenant ID: `207fa277-e9d8-4eb7-ada1-1064d2221498`
- Tenant Admin SP appId: `709e6eed-0711-4875-9c44-2d3518c47063`
- Default domain: `cascadestucson.com`
### Cascades Intune objects (reference)
- Restrictions config: `070a76c2-a8c3-4f7f-9ba7-1f4ac5084184` (`CSC - Android Shared Phones Restrictions`, currently v8)
- Authenticator SDM config: `a1bfbda0-a36c-45e5-8844-8470f80ecc8d` (`shared_device_mode_enabled: true`)
- Teams SDM config: `3c6a354c-1616-434b-ac81-4dad7795e67b` (`shared_device_mode_enabled: true`)
- Microsoft Authenticator app: `db75462a-7032-4d81-8f07-5f32ee518b22` (`com.azure.authenticator`)
- Microsoft Edge app: `ec440435-c415-4281-8fbb-8e134d162d3f` (`com.microsoft.emmx`)
- Microsoft Teams app: `0eb81676-299b-4eb2-bfd9-8be914a82f91` (`com.microsoft.teams`)
- Microsoft Outlook app: `6920b747-9b07-49d2-b420-67116d38f0b8` (`com.microsoft.office.outlook`)
- ALIS (webApp): `fcbf803d-ceb7-4f4e-93ed-2be1b91a05f3` (URL `https://cascadestucson.alisonline.com/Login`)
- Helpany (webApp): `97c294de-03ec-4053-b272-a4c956e408e9` (URL `https://app.helpany.com/login`)
- LinkRx (webApp): `e4157faf-c47d-443d-96b3-59d7c4ba9ac2` (URL `https://pharmcare.linkrxnow.com/`)
- Cascades - Shared Phones group: `ea96f4b7-3000-45da-ab1f-ddb28f509526`
### Sombra Residential
- Slug: `sombra-residential`
- GuruRMM client: `4143369f-de59-42e6-b1a0-e9939aa42a2d` ("Sombra Residential LLC")
- GuruRMM site: `787d497a-eb1d-4468-a8ac-51d3c23954cb` ("main office")
- Server2013 GuruRMM agent: `5383e9c1-56e1-4389-9c89-1991a77bbc3a`
- Server2013 GuruRMM device id: `win-e59d7c6c-9bd6-4b49-a892-71788039bf14`
### MDIRECTOR-PC (Cascades, RAM lookup)
- GuruRMM agent: `018663fc-c676-4374-8c10-086a47d034eb`
- Hardware: Acer Aspire C24-865 AIO, S/N `DBBBS11001909065FC30A1`
- Currently installed: 1× SK Hynix `HMA851S6CJR6N-VK` 4 GB DDR4-2666 SODIMM in slot DIMM2/BANK2
### Useful API patterns from this session
- Force kiosk app icons by Android package name, not Intune GUID:
```bash
# PATCH kioskModeApps with packageId-style appId for Android dedicated multi-app
curl -X PATCH "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/{id}" \
-H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
-d '{"@odata.type":"#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration",
"kioskModeApps":[{"@odata.type":"#microsoft.graph.appListItem","name":"Microsoft Teams","appId":"com.microsoft.teams","publisher":"Microsoft","appStoreUrl":"https://play.google.com/store/apps/details?id=com.microsoft.teams"}]}'
```
- Decode Intune Authenticator SDM config payload (base64 → JSON):
```
echo "<payloadJson_base64>" | base64 -d
# → {"kind":"androidenterprise#managedConfiguration","productId":"app:com.azure.authenticator","managedProperty":[{"key":"shared_device_mode_enabled","valueBool":true}]}
```
- Filter `enrollmentProfileName` on Intune managedDevices is unsupported (`HTTP 400 BadRequest`). Use OS filter + client-side jq filter on `deviceEnrollmentType`:
```bash
curl -s "$BASE/deviceManagement/managedDevices?\$filter=operatingSystem%20eq%20'Android'" \
-H "Authorization: Bearer $TOKEN" \
| jq '.value[] | select(.deviceEnrollmentType == "androidEnterpriseDedicatedDevice")'
```
- After patching the Tenant Admin manifest, **clear the cached token** before re-fetching to see new scopes:
```bash
rm -f /tmp/remediation-tool/$TENANT/tenant-admin.jwt
TOKEN=$(bash .../get-token.sh "$TENANT" tenant-admin | tail -1)
```
---
## Note for Mike
Three things to flag from this session:
1. **Tenant Admin SP scope expansion.** Added four new Intune-related Graph permissions to the manifest (`DeviceManagementManagedDevices.Read.All`, `DeviceManagementConfiguration.Read.All`, `DeviceManagementApps.Read.All`, `DeviceManagementConfiguration.ReadWrite.All`) and re-consented in Cascades. The SP now holds 14 Graph application roles. Other consented customer tenants are NOT auto-updated — they'll only get the new perms when re-consented in those tenants. That's the intended least-privilege-per-tenant posture; you can decide tenant-by-tenant whether to opt into the new scopes via the same `adminconsent?prompt=consent` URL pattern.
2. **MHS kiosk format gotcha.** The `kioskModeApps[].appId` field on `androidDeviceOwnerGeneralDeviceConfiguration` resolves by **Android package name** (e.g. `com.microsoft.teams`), NOT Intune mobileApp GUID. The Intune portal UI auto-resolves picker selections to package names; Graph PATCHes must do the same. Yesterday's session log showed us writing GUIDs into that field — that's why the pilot phone's MHS was empty for the last 24h. Worth a heads-up if you ever PATCH this field manually for another customer.
3. **Sombra Residential's "Server2013" is actually Server 2012 (EOL 2023-10-10).** Hostname is just a label; build 9200 = Server 2012 RTM. Running unpatched on production. Documented in `clients/sombra-residential/CONTEXT.md` as an open item — needs a refresh / migration plan when there's bandwidth. Current docs assume `Administrator/Tick8800` for daily admin; sysadmin account also exists but password not captured.
---
**Session duration:** ~4.5 hours (2026-04-30 ~13:00 PT through ~17:30 PT)
**Status at save:** Pilot phone in mid-SDM-bootstrap (Authenticator → Edge handshake in progress); Cascades MHS now correctly rendering 3 icons (Authenticator, Outlook, Teams); Tenant Admin SP scope expanded; Sombra Residential client baseline created; Syncro #32230 open for Karen Rossini ALDOCS access.
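Review bot: this file commits plaintext secrets into the repo under `## Credentials & Secrets (UNREDACTED)` (`- **Password:** \`Tick8800\``, `- Password: \`GuruRMM2025\``, the `pilot.test` password, and Howard's per-user Syncro API key), and the Sombra Administrator password is repeated in the Session Summary, the Vault repo bullet and Note for Mike item 3, even though the same session created SOPS entries for exactly these values. Keep only the vault paths in the log (`clients/sombra-residential/server2013.sops.yaml`, `clients/cascades-tucson/pilot-test-user.sops.yaml`, `D:/vault/projects/gururmm/dashboard.sops.yaml`, and the `/syncro` skill for the API key) and drop the literal values; if this commit has already been pushed, treat the values in it as exposed and rotate them rather than only scrubbing history. Minor: the token-refresh snippet under "Useful API patterns" calls `bash .../get-token.sh` with an elided path, so the resume-point instructions are not copy-pasteable as written; spell out the real script location.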