diff --git a/clients/cascades-tucson/PROJECT_STATE.md b/clients/cascades-tucson/PROJECT_STATE.md
index dd6773e..333da97 100644
--- a/clients/cascades-tucson/PROJECT_STATE.md
+++ b/clients/cascades-tucson/PROJECT_STATE.md
@@ -53,18 +53,36 @@ Senior living community. Active project: HIPAA-compliant folder redirection GPO
 
 ## Pending / Next Up
 
+**Folder Redirection (ongoing):**
 - [ ] EncryptData flag on `\\CS-SERVER\homes` share (HIPAA workitem — currently false)
 - [ ] Second Life Enrichment machine folder redirection end-to-end
 - [ ] Desktop + other folders redirection GPOs
 - [ ] Matching GPOs for remaining departments
 - [ ] Folder redirection GPO verification across all enrolled machines
 
+**Intune MDM Rollout (started 2026-04-19, paused end of day 2026-04-20):**
+- [x] Prereq gap check (`reports/2026-04-19-intune-mdm-prereq-gap.md`)
+- [x] Create `MDMS@cascadestucson.com` service account - Business Premium, MFA, forwarding to howard@azcomputerguru.com (vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`). Replaced an earlier mdm@ attempt that hit a Managed Play enterprise/consumer Google account collision.
+- [x] Managed Google Play enterprise bound (bindStatus=boundAndValidated, owner mdms@)
+- [x] Apple MDM Push Cert uploaded (Apple ID mdms@cascadestucson.com, serial 16FA0CAED8EEB74F, expires 2027-04-20). Renewal reminder task #9.
+- [x] CSCNet Wi-Fi password vaulted (`clients/cascades-tucson/wifi-cscnet.sops.yaml`)
+- [x] Entra group `Cascades - Shared Phones` + Android enrollment profile `CSC - Android Shared Phones` (token MVDVVDMPSHYJAGDAJOCN, expires 2026-06-22, linked to the Entra group)
+- [ ] **NEXT:** Android compliance policy (Phase B-1 in progress — walkthrough ready, Howard to execute)
+- [ ] Android configuration profile (CSCNet Wi-Fi + dedicated-device restrictions)
+- [ ] Required apps from Managed Play (Company Portal, Authenticator, Edge, Teams)
+- [ ] ALIS web shortcut (https://cascadestucson.alisonline.com/Login)
+- [ ] Microsoft Shared Device Mode app-configuration policy (for Authenticator/Teams)
+- [ ] Test-enroll first Samsung A15, validate, then roll the remaining 24
+- [ ] Rotate MDMS@ password (post-rollout hygiene, task #8)
+- [ ] iPads are on a generic Apple ID currently — bringing them into Intune is low-priority; ABM + DEM deferred until after phones are live
+
 ---
 
 ## Recent Changes
 
 | Date | By | Change | Status |
 |------|-----|--------|--------|
+| 2026-04-20 | Howard | Intune MDM rollout - service account MDMS@ + Google Play bind + Apple push cert + Entra group + Android enrollment profile (QR code) all live. Phone policies next session. | IN PROGRESS |
 | 2026-04-17 | Howard | Folder redirection validated on DESKTOP-DLTAGOI (Sharon Edwards); GPO `CSC - Folder Redirection (LE)` active | DEPLOYED |
 
 ---
diff --git a/clients/cascades-tucson/session-logs/2026-04-20-howard-intune-mdm-prereqs-and-enrollment-profile.md b/clients/cascades-tucson/session-logs/2026-04-20-howard-intune-mdm-prereqs-and-enrollment-profile.md
new file mode 100644
index 0000000..c3a9a61
--- /dev/null
+++ b/clients/cascades-tucson/session-logs/2026-04-20-howard-intune-mdm-prereqs-and-enrollment-profile.md
@@ -0,0 +1,71 @@
+# Cascades Tucson — Intune MDM prereqs + Android enrollment profile
+
+## User
+- **User:** Howard Enos (howard)
+- **Machine:** ACG-TECH03L
+- **Role:** tech
+
+## Session
+- **Date:** 2026-04-19 → 2026-04-20 (spanned midnight UTC)
+- **Goal:** Take Cascades from zero Intune config to ready-to-enroll for 25 Samsung A15 caregiver phones + 9 kitchen iPads
+
+## Starting state
+Per `reports/2026-04-19-intune-mdm-prereq-gap.md` the tenant had Intune provisioned but zero configured. MDM authority null, no Apple push cert, Managed Play notBound, no compliance/config/enrollment profiles.
+
+## What we did
+
+### 1. MDM service account (`MDMS@cascadestucson.com`)
+First attempt was `mdm@cascadestucson.com`. Created the M365 user with Business Premium (one of 34 spare SPB seats, $0 new spend), enrolled Microsoft Authenticator for MFA, then pre-created a consumer Google account at accounts.google.com/signup for the Managed Play binding. **Turned out this was wrong** — the Managed Play enterprise signup flow rejects any email that already has a consumer Google account, throwing "Email address is associated with an existing consumer account." Dropped the whole mdm@ identity (deleted in M365 and Google) and recreated as `MDMS@cascadestucson.com` — this time went straight to the Intune "Launch Google" bind flow without pre-creating anything, and Google created the enterprise admin identity cleanly.
+
+- Account: `MDMS@cascadestucson.com`, display "MDMS Service Account", standard user (no admin roles), Business Premium
+- MFA: Microsoft Authenticator (Howard's personal device — transition later)
+- Forwarding: `ForwardingSmtpAddress: howard@azcomputerguru.com`, DeliverToMailboxAndForward=true, set via Exchange REST `Set-Mailbox`
+- MFA enforcement: already covered by tenant CA policy "Require multifactor authentication for all users" (8 CA policies total on the tenant, pre-existing)
+- Vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`
+
+### 2. Managed Google Play enterprise bind
+Clicked "Launch Google to connect now" from Intune → Google signup flow created the Managed Play enterprise tied to MDMS@ → redirected back to Intune.
+
+- Graph verified: `bindStatus: boundAndValidated`, owner `mdms@cascadestucson.com`, organization "Cascades of Tucson"
+- Note: Intune auto-created a default "personally-owned work profile" Android enrollment profile during the bind. Harmless — we're using Dedicated mode, not work profile.
+
+### 3. Apple MDM Push Certificate
+Phase A (Intune) → download CSR. Phase B (Apple) → created Apple ID `mdms@cascadestucson.com`. Phase C → upload CSR to identity.apple.com/pushcert, download .pem. Phase D → upload .pem + Apple ID back to Intune.
+
+- Cert serial: `16FA0CAED8EEB74F`
+- Topic: `com.apple.mgmt.External.84214b0c-21cc-4b44-8fd0-e5ad569109ea`
+- Expires: **2027-04-20** → renewal task #9 scheduled for 2027-03-20
+- CRITICAL: at renewal time use SAME Apple ID and click "Renew" (not "Create"). Creating a new cert = all enrolled iPads wipe.
+
+### 4. Wi-Fi credential vaulted
+CSCNet WPA2-Personal password (`Ftfd85710#`) was only in Syncro customer notes. Added to vault: `clients/cascades-tucson/wifi-cscnet.sops.yaml`. Per-room VLAN assignment is handled at the UniFi controller level — phones on staff areas will land on VLAN 20 (INTERNAL).
+
+### 5. Android enrollment foundation
+- **Entra security group:** `Cascades - Shared Phones` (Assigned membership)
+- **Enrollment profile:** `CSC - Android Shared Phones` — Corporate-owned dedicated device (NOT AOSP multi-user)
+- **Token:** `MVDVVDMPSHYJAGDAJOCN`, QR code generated, expires 2026-06-22
+- Profile now linked to the Entra group (devices auto-join on enrollment)
+
+## Architecture notes for tomorrow
+- Hardware is Samsung Galaxy A15 (consumer) → **Android Enterprise Dedicated** + **Microsoft 365 Shared Device Mode**, not AOSP multi-user. Shared sign-in happens at the app layer (Teams/Authenticator/Edge use Entra ID with global sign-out clearing state between caregivers).
+- HIPAA audit trail: per-user identity is real (Entra sign-in into MS apps), not at the OS level. This matches what's acceptable for shared-device caregiver scenarios.
+- iPads are already on a generic Apple ID and physically deployed in the kitchen. Bringing them into Intune is lower priority than phones. ABM + DEM deferred until after phones are live.
+
+## What's next (pick up here)
+
+Phase B Android config — walkthrough started, paused at B-1:
+
+- **B-1:** Compliance policy `CSC - Android Compliance (HIPAA baseline)` — min Android 13, numeric-complex 6-digit PIN, 2-min inactivity lock, encryption required, block rooted devices. Walkthrough was written, Howard to execute first thing.
+- **B-2:** Configuration profile for CSCNet Wi-Fi + dedicated-device restrictions (block factory reset, no USB transfer, no unknown sources)
+- **B-3:** Required apps from Managed Play — Company Portal, Microsoft Authenticator, Microsoft Edge, Microsoft Teams
+- **B-4:** ALIS web app/shortcut pointing to `https://cascadestucson.alisonline.com/Login`
+- **B-5:** App configuration policy enabling Shared Device Mode on Authenticator + Teams
+- **B-6:** Test enroll 1 phone via QR code, validate, then roll remaining 24
+
+Estimated total time to finish Phase B + first test enroll: ~60-90 minutes.
+
+## Artifacts
+- Prereq gap report: `reports/2026-04-19-intune-mdm-prereq-gap.md`
+- Vault: `clients/cascades-tucson/mdm-service-account.sops.yaml` (full MDM identity + credentials)
+- Vault: `clients/cascades-tucson/wifi-cscnet.sops.yaml` (CSCNet WPA2 password)
+- Graph artifacts: `/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/` (cached token + query responses)
diff --git a/projects/msp-tools/guru-rmm b/projects/msp-tools/guru-rmm
index 69ed647..b91ac5e 160000
--- a/projects/msp-tools/guru-rmm
+++ b/projects/msp-tools/guru-rmm
@@ -1 +1 @@
-Subproject commit 69ed6472c3059440b2cbe4cc89f77601f4812fd1
+Subproject commit b91ac5ecbfe7d9616925328b272862c357488ecf