sync: auto-sync from HOWARD-HOME at 2026-07-01 14:43:57
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-07-01 14:43:57
This commit is contained in:
@@ -436,11 +436,11 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of,
|
||||
- **Phased rollout -- never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`). The legacy "Require MFA for all users" policy stays in place. **All 40 real caregivers are now in `SG-Caregivers` + Business Premium licensed (2026-06-30).**
|
||||
- **Enforced caregiver CA policy set (unchanged as of 2026-06-03):**
|
||||
- `CSC - Block caregivers off Cascades network` (`e35614e1-e896-4a13-9407-076963af488f`) -- BLOCK if location not Cascades
|
||||
- `CSC - Block caregivers on non-compliant device` (`ede985e2-ee7e-4521-88b2-34c847c3db20`) -- BLOCK if device non-compliant. **Pending DISABLE** at allow-list cutover.
|
||||
- `CSC - Block caregivers on non-compliant device` (`ede985e2-ee7e-4521-88b2-34c847c3db20`) -- **DISABLED 2026-07-01** (interim: caretakers allowed on desktops + phones, on-network only, per Howard; phones-only lockdown deferred -- see `clients/cascades-tucson/docs/cloud/caretaker-phones-only-list.md`). Do not re-enable; superseded by the allow-list at final lockdown.
|
||||
- `CSC - Caregiver sign-in frequency 8h` (`7d491c7a-ad90-4420-9990-40a1e676a76c`)
|
||||
- **Caregiver device allow-list (2026-06-03 -- report-only):** `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` -- id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; state `enabledForReportingButNotEnforced`. Device filter (mode `exclude`): `(device.displayName -startsWith "CSC-") -or (device.extensionAttribute1 -eq "CSCCaregiverDevice")`. Includes: NURSESTATION-PC (deviceId `d3bf931f`), Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, LAPTOP-8P7HDSEI, ASSISTNURSE-PC (needs re-join + re-tag after Win11 reinstall).
|
||||
- **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover.
|
||||
- **Known bug:** `Require MFA for all users` policy (`7e87a1c7...`) excludes `SG-Caregivers-Pilot` instead of the live `SG-Caregivers` (`8b8d9222`). Functionally harmless today (pilot group still exists), but must be corrected.
|
||||
- **[FIXED 2026-07-01]** `Require MFA for all users` policy (`7e87a1c7...`) now excludes BOTH `SG-Caregivers-Pilot` and the live `SG-Caregivers` (`8b8d9222`); break-glass excludeUsers preserved. Caretakers get no MFA prompt -- protected by on-network block + 8h sign-in frequency instead. Remove the stale pilot-group exclude at pilot cleanup.
|
||||
- **Pilot cleanup required when done:** Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group.
|
||||
|
||||
### EXO / Message Trace
|
||||
|
||||
Reference in New Issue
Block a user