azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

merge: sync from Howard's laptop - Cascades Intune MDM work + submodule update

Browse Source 
Merged Howard's work from ACG-TECH03L:
- Cascades Tucson PROJECT_STATE updated with Intune MDM enrollment
- New session log: Howard's Intune prerequisites and enrollment profile setup
- GuruRMM submodule updated to b91ac5e (parallel build improvements)

Resolved submodule conflict by taking latest origin/main (b91ac5e).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-04-20 05:44:29 -07:00
parent 245454b155 a00f1b0c3e
commit 8944432941
3 changed files with 90 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
clients/cascades-tucson/PROJECT_STATE.md
View File

@@ -53,18 +53,36 @@ Senior living community. Active project: HIPAA-compliant folder redirection GPO
## Pending / Next Up ## Pending / Next Up
**Folder Redirection (ongoing):**
- [ ] EncryptData flag on `\\CS-SERVER\homes` share (HIPAA workitem — currently false) - [ ] EncryptData flag on `\\CS-SERVER\homes` share (HIPAA workitem — currently false)
- [ ] Second Life Enrichment machine folder redirection end-to-end - [ ] Second Life Enrichment machine folder redirection end-to-end
- [ ] Desktop + other folders redirection GPOs - [ ] Desktop + other folders redirection GPOs
- [ ] Matching GPOs for remaining departments - [ ] Matching GPOs for remaining departments
- [ ] Folder redirection GPO verification across all enrolled machines - [ ] Folder redirection GPO verification across all enrolled machines
**Intune MDM Rollout (started 2026-04-19, paused end of day 2026-04-20):**
- [x] Prereq gap check (`reports/2026-04-19-intune-mdm-prereq-gap.md`)
- [x] Create `MDMS@cascadestucson.com` service account - Business Premium, MFA, forwarding to howard@azcomputerguru.com (vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`). Replaced an earlier mdm@ attempt that hit a Managed Play enterprise/consumer Google account collision.
- [x] Managed Google Play enterprise bound (bindStatus=boundAndValidated, owner mdms@)
- [x] Apple MDM Push Cert uploaded (Apple ID mdms@cascadestucson.com, serial 16FA0CAED8EEB74F, expires 2027-04-20). Renewal reminder task #9.
- [x] CSCNet Wi-Fi password vaulted (`clients/cascades-tucson/wifi-cscnet.sops.yaml`)
- [x] Entra group `Cascades - Shared Phones` + Android enrollment profile `CSC - Android Shared Phones` (token MVDVVDMPSHYJAGDAJOCN, expires 2026-06-22, linked to the Entra group)
- [ ] **NEXT:** Android compliance policy (Phase B-1 in progress — walkthrough ready, Howard to execute)
- [ ] Android configuration profile (CSCNet Wi-Fi + dedicated-device restrictions)
- [ ] Required apps from Managed Play (Company Portal, Authenticator, Edge, Teams)
- [ ] ALIS web shortcut (https://cascadestucson.alisonline.com/Login)
- [ ] Microsoft Shared Device Mode app-configuration policy (for Authenticator/Teams)
- [ ] Test-enroll first Samsung A15, validate, then roll the remaining 24
- [ ] Rotate MDMS@ password (post-rollout hygiene, task #8)
- [ ] iPads are on a generic Apple ID currently — bringing them into Intune is low-priority; ABM + DEM deferred until after phones are live
--- ---
## Recent Changes ## Recent Changes
| Date | By | Change | Status | | Date | By | Change | Status |
|------|-----|--------|--------| |------|-----|--------|--------|
| 2026-04-20 | Howard | Intune MDM rollout - service account MDMS@ + Google Play bind + Apple push cert + Entra group + Android enrollment profile (QR code) all live. Phone policies next session. | IN PROGRESS |
| 2026-04-17 | Howard | Folder redirection validated on DESKTOP-DLTAGOI (Sharon Edwards); GPO `CSC - Folder Redirection (LE)` active | DEPLOYED | | 2026-04-17 | Howard | Folder redirection validated on DESKTOP-DLTAGOI (Sharon Edwards); GPO `CSC - Folder Redirection (LE)` active | DEPLOYED |
--- ---

71
clients/cascades-tucson/session-logs/2026-04-20-howard-intune-mdm-prereqs-and-enrollment-profile.md Normal file
View File

@@ -0,0 +1,71 @@
# Cascades Tucson — Intune MDM prereqs + Android enrollment profile
## User
- **User:** Howard Enos (howard)
- **Machine:** ACG-TECH03L
- **Role:** tech
## Session
- **Date:** 2026-04-19 → 2026-04-20 (spanned midnight UTC)
- **Goal:** Take Cascades from zero Intune config to ready-to-enroll for 25 Samsung A15 caregiver phones + 9 kitchen iPads
## Starting state
Per `reports/2026-04-19-intune-mdm-prereq-gap.md` the tenant had Intune provisioned but zero configured. MDM authority null, no Apple push cert, Managed Play notBound, no compliance/config/enrollment profiles.
## What we did
### 1. MDM service account (`MDMS@cascadestucson.com`)
First attempt was `mdm@cascadestucson.com`. Created the M365 user with Business Premium (one of 34 spare SPB seats, $0 new spend), enrolled Microsoft Authenticator for MFA, then pre-created a consumer Google account at accounts.google.com/signup for the Managed Play binding. **Turned out this was wrong** — the Managed Play enterprise signup flow rejects any email that already has a consumer Google account, throwing "Email address is associated with an existing consumer account." Dropped the whole mdm@ identity (deleted in M365 and Google) and recreated as `MDMS@cascadestucson.com` — this time went straight to the Intune "Launch Google" bind flow without pre-creating anything, and Google created the enterprise admin identity cleanly.
- Account: `MDMS@cascadestucson.com`, display "MDMS Service Account", standard user (no admin roles), Business Premium
- MFA: Microsoft Authenticator (Howard's personal device — transition later)
- Forwarding: `ForwardingSmtpAddress: howard@azcomputerguru.com`, DeliverToMailboxAndForward=true, set via Exchange REST `Set-Mailbox`
- MFA enforcement: already covered by tenant CA policy "Require multifactor authentication for all users" (8 CA policies total on the tenant, pre-existing)
- Vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`
### 2. Managed Google Play enterprise bind
Clicked "Launch Google to connect now" from Intune → Google signup flow created the Managed Play enterprise tied to MDMS@ → redirected back to Intune.
- Graph verified: `bindStatus: boundAndValidated`, owner `mdms@cascadestucson.com`, organization "Cascades of Tucson"
- Note: Intune auto-created a default "personally-owned work profile" Android enrollment profile during the bind. Harmless — we're using Dedicated mode, not work profile.
### 3. Apple MDM Push Certificate
Phase A (Intune) → download CSR. Phase B (Apple) → created Apple ID `mdms@cascadestucson.com`. Phase C → upload CSR to identity.apple.com/pushcert, download .pem. Phase D → upload .pem + Apple ID back to Intune.
- Cert serial: `16FA0CAED8EEB74F`
- Topic: `com.apple.mgmt.External.84214b0c-21cc-4b44-8fd0-e5ad569109ea`
- Expires: **2027-04-20** → renewal task #9 scheduled for 2027-03-20
- CRITICAL: at renewal time use SAME Apple ID and click "Renew" (not "Create"). Creating a new cert = all enrolled iPads wipe.
### 4. Wi-Fi credential vaulted
CSCNet WPA2-Personal password (`Ftfd85710#`) was only in Syncro customer notes. Added to vault: `clients/cascades-tucson/wifi-cscnet.sops.yaml`. Per-room VLAN assignment is handled at the UniFi controller level — phones on staff areas will land on VLAN 20 (INTERNAL).
### 5. Android enrollment foundation
- **Entra security group:** `Cascades - Shared Phones` (Assigned membership)
- **Enrollment profile:** `CSC - Android Shared Phones` — Corporate-owned dedicated device (NOT AOSP multi-user)
- **Token:** `MVDVVDMPSHYJAGDAJOCN`, QR code generated, expires 2026-06-22
- Profile now linked to the Entra group (devices auto-join on enrollment)
## Architecture notes for tomorrow
- Hardware is Samsung Galaxy A15 (consumer) → **Android Enterprise Dedicated** + **Microsoft 365 Shared Device Mode**, not AOSP multi-user. Shared sign-in happens at the app layer (Teams/Authenticator/Edge use Entra ID with global sign-out clearing state between caregivers).
- HIPAA audit trail: per-user identity is real (Entra sign-in into MS apps), not at the OS level. This matches what's acceptable for shared-device caregiver scenarios.
- iPads are already on a generic Apple ID and physically deployed in the kitchen. Bringing them into Intune is lower priority than phones. ABM + DEM deferred until after phones are live.
## What's next (pick up here)
Phase B Android config — walkthrough started, paused at B-1:
- **B-1:** Compliance policy `CSC - Android Compliance (HIPAA baseline)` — min Android 13, numeric-complex 6-digit PIN, 2-min inactivity lock, encryption required, block rooted devices. Walkthrough was written, Howard to execute first thing.
- **B-2:** Configuration profile for CSCNet Wi-Fi + dedicated-device restrictions (block factory reset, no USB transfer, no unknown sources)
- **B-3:** Required apps from Managed Play — Company Portal, Microsoft Authenticator, Microsoft Edge, Microsoft Teams
- **B-4:** ALIS web app/shortcut pointing to `https://cascadestucson.alisonline.com/Login`
- **B-5:** App configuration policy enabling Shared Device Mode on Authenticator + Teams
- **B-6:** Test enroll 1 phone via QR code, validate, then roll remaining 24
Estimated total time to finish Phase B + first test enroll: ~60-90 minutes.
## Artifacts
- Prereq gap report: `reports/2026-04-19-intune-mdm-prereq-gap.md`
- Vault: `clients/cascades-tucson/mdm-service-account.sops.yaml` (full MDM identity + credentials)
- Vault: `clients/cascades-tucson/wifi-cscnet.sops.yaml` (CSCNet WPA2 password)
- Graph artifacts: `/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/` (cached token + query responses)

2
projects/msp-tools/guru-rmm

Submodule projects/msp-tools/guru-rmm updated: 69ed6472c3...b91ac5ecbf