diff --git a/clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md b/clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md new file mode 100644 index 00000000..69752187 --- /dev/null +++ b/clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md 
@@ -0,0 +1,71 @@ +# Cascades — Caretaker phones-only tracking list + +**Purpose (Howard, 2026-07-01):** for the interim, ALL caretakers may sign in on both +desktops and phones (on-network only). Near the end of the rollout, the phones-only +cohort gets locked down to just the phones (device allow-list scoped to `CSC-*`). +This file is the tracking list for that lockdown. + +**Enforcement mechanism when the time comes:** a dedicated group (e.g. +`SG-Caregivers-PhonesOnly`) targeted by a block policy whose device filter excludes +only `device.displayName -startsWith "CSC-"` — or promote the existing allow-list +policy `1b7fd025` with a narrowed filter. Do NOT re-enable the compliance-block +policy `ede985e2` (disabled 2026-07-01, superseded). + +## Current knowledge (from the 2026-04-22 staff CSV, verified 2026-06-29) + +Every caretaker row in the client's CSV was `Access = D+P` (desktop + phone) — +**phones-only = NONE confirmed yet.** The only phone-only staff were the 3 +Transportation drivers, who do not get ALIS/M365 caregiver access at all. + +## Roster (35 in SG-Caregivers, 2026-07-01) — phones-only column to fill with client + +| Caretaker | Account | Device access | Phones-only? 
| +|---|---|---|---| +| Agnes McFerren | a.mcferren | D+P (CSV 4/22) | TBD | +| Ashli Atwood | a.atwood | D+P | TBD | +| Alejandra Vallejo | a.vallejo | new hire 7/1 | TBD | +| Barb Johnson | b.johnson | D+P | TBD | +| Charity Sika | b.sika | D+P | TBD | +| Cole Johnson | c.johnson | D+P | TBD | +| Celia Lassey | c.lassey | D+P | TBD | +| Espe Esperance | e.esperance | D+P | TBD | +| Erica Sanchez | e.sanchez | D+P | TBD | +| Ederick Yuzon | e.yuzon | D+P | TBD | +| Gina Williams | g.williams | D+P | TBD | +| Juan Andrade | j.andrade | D+P | TBD | +| Jahmeka Clarke | j.clarke | D+P | TBD | +| Jinnelle Dittbenner | j.dittbenner | D+P | TBD | +| Jen Higdon | j.higdon | D+P | TBD | +| Jeanpabtiste Munezero | j.munezero | new hire 7/1 | TBD | +| Karina Aziakpo | k.aziakpo | D+P | TBD | +| Katlyn Robinson | k.robinson | new hire 7/1 | TBD | +| Katrina Wyzykowski | k.wyzykowski | D+P | TBD | +| Luriz Fuster | l.fuster | D+P | TBD | +| Luke Hogan | l.hogan | D+P | TBD | +| Marie Kastner | m.kastner | D+P | TBD | +| Monique Lopez | m.lopez | D+P | TBD | +| Nicole Cota | n.cota | new hire 7/1 | TBD | +| Patricia Camarena Doran | p.doran | D+P | TBD | +| Patricia Sandoval-Beck | p.sandoval-beck | D+P | TBD | +| Roseline Cooper | r.cooper | D+P | TBD | +| Richard Flores | r.flores | D+P | TBD | +| Rosa Morales | r.morales | D+P | TBD | +| Sarah Carroll | s.carroll | D+P | TBD | +| Shontiel Nunn | s.nunn | D+P | TBD | +| Sandra Padilla | s.padilla | D+P | TBD | +| Samuel Ramirez | s.ramirez | D+P | TBD | +| Thelma Abainza | t.abainza | D+P | TBD | +| Whisper Reed | w.reed | D+P | TBD | + +Not in the group: e.huerta (front desk as of 7/1), christine.nyanzunda (admin-adjacent, +frontline-only rule). 
+ +## Interim CA posture (as of 2026-07-01) + +| Policy | State | Effect on caretakers | +|---|---|---| +| Require MFA for all users | enabled, SG-Caregivers EXCLUDED (fix applied 7/1) | no MFA prompt | +| CSC - Block caregivers off Cascades network | enabled | on-network only | +| CSC - Block caregivers on non-compliant device | **DISABLED 7/1** | no device restriction | +| CSC - Caregiver sign-in frequency 8h | enabled | 8h re-auth | +| CSC - Caregivers: allow-listed devices only | enabled, TEST group only | no effect on live group | diff --git a/clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md b/clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md index 1002516a..e0ab1339 100644 --- a/clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md +++ b/clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md 
@@ -77,6 +77,15 @@ Disable 7 leavers + 1 Lassey dup = 8 seats freed; 4-5 new hires need seats Passwords DM'd to Howard (Discord msg 1521981205443117116). - [x] Verified: 8 offboarded = accountEnabled=false + 0 licenses; 4 new = SPB licensed. SG-Caregivers = 35 members. SPB pool: 45 enabled / 41 consumed (4 free). +- [x] **Phone-login verification + CA cutover (2026-07-01, Howard's go):** all 35 + SG-Caregivers members verified enabled/unlocked in AD and enabled/licensed in + Entra (cloud group synced, 4 new hires present). Root cause of would-be login + failure found and fixed: (1) `Require MFA for all users` excluded only the stale + pilot group — added `SG-Caregivers` (8b8d9222) to excludeGroups, break-glass + preserved; (2) `CSC - Block caregivers on non-compliant device` DISABLED (phones + are Intune-noncompliant; interim posture = caretakers on desktops + phones, + on-network only). Allow-list policy left test-scoped. Phones-only lockdown + deferred — tracking list: `docs/cloud/caretaker-phones-only-list.md`. - [ ] ALIS: create staff records for Munezero/Cota/Robinson (need job roles: Certified vs Resident Caregiver); Vallejo exists — set Email=a.vallejo@ (UPN). Import .xls via `alis` skill `build-import`. diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index 569bbedd..ca4971e0 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md 
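Review bot: the new checklist item in `reports/2026-07-01-caretaker-roster-update.md` records two posture changes as a fix (adding `SG-Caregivers` to the MFA policy's excludeGroups and disabling `CSC - Block caregivers on non-compliant device`) but gives no review date or owner; the only revert trigger anywhere in the patch is "near the end of the rollout", so add a dated follow-up item here instead of relying on the tracking list alone. Also, "phones are Intune-noncompliant" should say whether the phones are enrolled or registered at all, because the deferred lockdown rests on a `device.displayName -startsWith "CSC-"` filter, and a CA device filter can only match phones that exist as device objects in Entra; if they are not registered, the phones-only plan needs an enrollment step before the CA step, and that belongs in this report's open items.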
@@ -436,11 +436,11 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of, - **Phased rollout -- never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`). The legacy "Require MFA for all users" policy stays in place. **All 40 real caregivers are now in `SG-Caregivers` + Business Premium licensed (2026-06-30).** - **Enforced caregiver CA policy set (unchanged as of 2026-06-03):** - `CSC - Block caregivers off Cascades network` (`e35614e1-e896-4a13-9407-076963af488f`) -- BLOCK if location not Cascades - - `CSC - Block caregivers on non-compliant device` (`ede985e2-ee7e-4521-88b2-34c847c3db20`) -- BLOCK if device non-compliant. **Pending DISABLE** at allow-list cutover. + - `CSC - Block caregivers on non-compliant device` (`ede985e2-ee7e-4521-88b2-34c847c3db20`) -- **DISABLED 2026-07-01** (interim: caretakers allowed on desktops + phones, on-network only, per Howard; phones-only lockdown deferred -- see `clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md`). Do not re-enable; superseded by the allow-list at final lockdown. - `CSC - Caregiver sign-in frequency 8h` (`7d491c7a-ad90-4420-9990-40a1e676a76c`) - **Caregiver device allow-list (2026-06-03 -- report-only):** `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` -- id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; state `enabledForReportingButNotEnforced`. Device filter (mode `exclude`): `(device.displayName -startsWith "CSC-") -or (device.extensionAttribute1 -eq "CSCCaregiverDevice")`. Includes: NURSESTATION-PC (deviceId `d3bf931f`), Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, LAPTOP-8P7HDSEI, ASSISTNURSE-PC (needs re-join + re-tag after Win11 reinstall). - **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover. 
-- **Known bug:** `Require MFA for all users` policy (`7e87a1c7...`) excludes `SG-Caregivers-Pilot` instead of the live `SG-Caregivers` (`8b8d9222`). Functionally harmless today (pilot group still exists), but must be corrected. +- **[FIXED 2026-07-01]** `Require MFA for all users` policy (`7e87a1c7...`) now excludes BOTH `SG-Caregivers-Pilot` and the live `SG-Caregivers` (`8b8d9222`); break-glass excludeUsers preserved. Caretakers get no MFA prompt -- protected by on-network block + 8h sign-in frequency instead. Remove the stale pilot-group exclude at pilot cleanup. - **Pilot cleanup required when done:** Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group. ### EXO / Message Trace
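Review bot: in `wiki/clients/cascades-tucson.md`, the unchanged context line above the hunk still says `All 40 real caregivers are now in SG-Caregivers + Business Premium licensed (2026-06-30)`, while both the new tracking list (`Roster (35 in SG-Caregivers, 2026-07-01)`) and the report (`SG-Caregivers = 35 members`) say 35; update the count in the same change, or note that 40 was the pre-offboarding figure. Likewise the heading `Enforced caregiver CA policy set (unchanged as of 2026-06-03)` is no longer accurate once the compliance-block bullet beneath it is marked DISABLED 2026-07-01. On the `[FIXED 2026-07-01]` MFA line, "protected by on-network block + 8h sign-in frequency instead" names the compensating controls, but with `ede985e2` disabled and `1b7fd025` not enforced on the live group, those two are the only conditions left on caretaker sign-in, so the bullet should describe this as an accepted interim state with a date and the lockdown trigger, not as a fix.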