sync: auto-sync from HOWARD-HOME at 2026-07-01 14:43:57
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-07-01 14:43:57
@@ -0,0 +1,71 @@
# Cascades — Caretaker phones-only tracking list

**Purpose (Howard, 2026-07-01):** for the interim, ALL caretakers may sign in on both
desktops and phones (on-network only). Near the end of the rollout, the phones-only
cohort gets locked down to just the phones (device allow-list scoped to `CSC-*`).
This file is the tracking list for that lockdown.

**Enforcement mechanism when the time comes:** a dedicated group (e.g.
`SG-Caregivers-PhonesOnly`) targeted by a block policy whose device filter excludes
only `device.displayName -startsWith "CSC-"` — or promote the existing allow-list
policy `1b7fd025` with a narrowed filter. Do NOT re-enable the compliance-block
policy `ede985e2` (disabled 2026-07-01, superseded).

## Current knowledge (from the 2026-04-22 staff CSV, verified 2026-06-29)

Every caretaker row in the client's CSV was `Access = D+P` (desktop + phone) —
**phones-only = NONE confirmed yet.** The only phone-only staff were the 3
Transportation drivers, who do not get ALIS/M365 caregiver access at all.

## Roster (35 in SG-Caregivers, 2026-07-01) — phones-only column to fill with client

| Caretaker | Account | Device access | Phones-only? |
|---|---|---|---|
| Agnes McFerren | a.mcferren | D+P (CSV 4/22) | TBD |
| Ashli Atwood | a.atwood | D+P | TBD |
| Alejandra Vallejo | a.vallejo | new hire 7/1 | TBD |
| Barb Johnson | b.johnson | D+P | TBD |
| Charity Sika | b.sika | D+P | TBD |
| Cole Johnson | c.johnson | D+P | TBD |
| Celia Lassey | c.lassey | D+P | TBD |
| Espe Esperance | e.esperance | D+P | TBD |
| Erica Sanchez | e.sanchez | D+P | TBD |
| Ederick Yuzon | e.yuzon | D+P | TBD |
| Gina Williams | g.williams | D+P | TBD |
| Juan Andrade | j.andrade | D+P | TBD |
| Jahmeka Clarke | j.clarke | D+P | TBD |
| Jinnelle Dittbenner | j.dittbenner | D+P | TBD |
| Jen Higdon | j.higdon | D+P | TBD |
| Jeanpabtiste Munezero | j.munezero | new hire 7/1 | TBD |
| Karina Aziakpo | k.aziakpo | D+P | TBD |
| Katlyn Robinson | k.robinson | new hire 7/1 | TBD |
| Katrina Wyzykowski | k.wyzykowski | D+P | TBD |
| Luriz Fuster | l.fuster | D+P | TBD |
| Luke Hogan | l.hogan | D+P | TBD |
| Marie Kastner | m.kastner | D+P | TBD |
| Monique Lopez | m.lopez | D+P | TBD |
| Nicole Cota | n.cota | new hire 7/1 | TBD |
| Patricia Camarena Doran | p.doran | D+P | TBD |
| Patricia Sandoval-Beck | p.sandoval-beck | D+P | TBD |
| Roseline Cooper | r.cooper | D+P | TBD |
| Richard Flores | r.flores | D+P | TBD |
| Rosa Morales | r.morales | D+P | TBD |
| Sarah Carroll | s.carroll | D+P | TBD |
| Shontiel Nunn | s.nunn | D+P | TBD |
| Sandra Padilla | s.padilla | D+P | TBD |
| Samuel Ramirez | s.ramirez | D+P | TBD |
| Thelma Abainza | t.abainza | D+P | TBD |
| Whisper Reed | w.reed | D+P | TBD |

Not in the group: e.huerta (front desk as of 7/1), christine.nyanzunda (admin-adjacent,
frontline-only rule).

## Interim CA posture (as of 2026-07-01)

| Policy | State | Effect on caretakers |
|---|---|---|
| Require MFA for all users | enabled, SG-Caregivers EXCLUDED (fix applied 7/1) | no MFA prompt |
| CSC - Block caregivers off Cascades network | enabled | on-network only |
| CSC - Block caregivers on non-compliant device | **DISABLED 7/1** | no device restriction |
| CSC - Caregiver sign-in frequency 8h | enabled | 8h re-auth |
| CSC - Caregivers: allow-listed devices only | enabled, TEST group only | no effect on live group |
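Review bot: the block-policy design in the "Enforcement mechanism" paragraph only works if the caretaker phones are Entra-registered with `CSC-*` display names, and the file never says that they are. A device filter only matches registered devices, so an unregistered phone has no `displayName`, is not excluded by `device.displayName -startsWith "CSC-"`, and would be blocked by the very policy meant to allow phones only; the checklist hunk in this same change says the phones are Intune-noncompliant, so their registration state should be recorded here before this mechanism is relied on. Related: the new filter keys on `displayName` alone, whereas the existing allow-list policy `1b7fd025` (in the CA section of this change) also accepts `device.extensionAttribute1 -eq "CSCCaregiverDevice"`; reuse both conditions or state why one is enough, otherwise a device tagged only by the extension attribute is treated differently by the two policies. Two roster items: `Charity Sika | b.sika` breaks the first-initial.surname pattern every other row follows and is worth confirming against the directory before it feeds a group membership, and since the table carries 35 staff names with their sign-in accounts, confirm the repo's access scope is appropriate for holding that roster.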
@@ -77,6 +77,15 @@ Disable 7 leavers + 1 Lassey dup = 8 seats freed; 4-5 new hires need seats
Passwords DM'd to Howard (Discord msg 1521981205443117116).
- [x] Verified: 8 offboarded = accountEnabled=false + 0 licenses; 4 new = SPB licensed.
SG-Caregivers = 35 members. SPB pool: 45 enabled / 41 consumed (4 free).
- [x] **Phone-login verification + CA cutover (2026-07-01, Howard's go):** all 35
SG-Caregivers members verified enabled/unlocked in AD and enabled/licensed in
Entra (cloud group synced, 4 new hires present). Root cause of would-be login
failure found and fixed: (1) `Require MFA for all users` excluded only the stale
pilot group — added `SG-Caregivers` (8b8d9222) to excludeGroups, break-glass
preserved; (2) `CSC - Block caregivers on non-compliant device` DISABLED (phones
are Intune-noncompliant; interim posture = caretakers on desktops + phones,
on-network only). Allow-list policy left test-scoped. Phones-only lockdown
deferred — tracking list: `docs/cloud/caretaker-phones-only-list.md`.
- [ ] ALIS: create staff records for Munezero/Cota/Robinson (need job roles:
Certified vs Resident Caregiver); Vallejo exists — set Email=a.vallejo@ (UPN).
Import .xls via `alis` skill `build-import`.
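Review bot: the first context line records new-hire passwords being delivered by Discord DM and cites the message id as the reference of record; the checklist should state that those are one-time initial credentials that must be changed at first sign-in (a Temporary Access Pass would avoid sharing a password at all), and that the chat message is deleted once delivered rather than kept as the pointer. On the new `[x] Phone-login verification + CA cutover` item: excluding all 35 `SG-Caregivers` members from `Require MFA for all users` and disabling the compliance block leaves the on-network location block and the 8h sign-in frequency as the only controls on those accounts; add an owner and an exit criterion for reverting the MFA exclusion (for example, when the allow-list policy is promoted) so the interim posture has a defined end rather than becoming the permanent one.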
@@ -436,11 +436,11 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of,
- **Phased rollout -- never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`). The legacy "Require MFA for all users" policy stays in place. **All 40 real caregivers are now in `SG-Caregivers` + Business Premium licensed (2026-06-30).**
- **Enforced caregiver CA policy set (unchanged as of 2026-06-03):**
- `CSC - Block caregivers off Cascades network` (`e35614e1-e896-4a13-9407-076963af488f`) -- BLOCK if location not Cascades
- `CSC - Block caregivers on non-compliant device` (`ede985e2-ee7e-4521-88b2-34c847c3db20`) -- BLOCK if device non-compliant. **Pending DISABLE** at allow-list cutover.
- `CSC - Block caregivers on non-compliant device` (`ede985e2-ee7e-4521-88b2-34c847c3db20`) -- **DISABLED 2026-07-01** (interim: caretakers allowed on desktops + phones, on-network only, per Howard; phones-only lockdown deferred -- see `clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md`). Do not re-enable; superseded by the allow-list at final lockdown.
- `CSC - Caregiver sign-in frequency 8h` (`7d491c7a-ad90-4420-9990-40a1e676a76c`)
- **Caregiver device allow-list (2026-06-03 -- report-only):** `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` -- id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; state `enabledForReportingButNotEnforced`. Device filter (mode `exclude`): `(device.displayName -startsWith "CSC-") -or (device.extensionAttribute1 -eq "CSCCaregiverDevice")`. Includes: NURSESTATION-PC (deviceId `d3bf931f`), Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, LAPTOP-8P7HDSEI, ASSISTNURSE-PC (needs re-join + re-tag after Win11 reinstall).
- **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover.
- **Known bug:** `Require MFA for all users` policy (`7e87a1c7...`) excludes `SG-Caregivers-Pilot` instead of the live `SG-Caregivers` (`8b8d9222`). Functionally harmless today (pilot group still exists), but must be corrected.
- **[FIXED 2026-07-01]** `Require MFA for all users` policy (`7e87a1c7...`) now excludes BOTH `SG-Caregivers-Pilot` and the live `SG-Caregivers` (`8b8d9222`); break-glass excludeUsers preserved. Caretakers get no MFA prompt -- protected by on-network block + 8h sign-in frequency instead. Remove the stale pilot-group exclude at pilot cleanup.
- **Pilot cleanup required when done:** Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group.

### EXO / Message Trace
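Review bot: the headcount in the `Phased rollout` bullet (`All 40 real caregivers are now in SG-Caregivers ... 2026-06-30`) contradicts `SG-Caregivers = 35 members` in the checklist hunk above and the 35-row roster in the new file; update it to 35 in this change (8 seats freed, 4 new hires) so the CA section does not carry a stale count that someone later reconciles the group against. Likewise the `Enforced caregiver CA policy set (unchanged as of 2026-06-03)` heading is no longer true once the non-compliant-device line beneath it reads `DISABLED 2026-07-01`; move the date forward or drop the `unchanged` claim. Finally, the `[FIXED 2026-07-01]` line asks for the stale `SG-Caregivers-Pilot` exclude to be removed at pilot cleanup, but the `Pilot cleanup required` bullet only lists removing the pilot group from policy targets; add the `Require MFA for all users` excludeGroups entry there explicitly so it is not missed.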