diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index 087fb5f6..0f93ddfc 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md @@ -2,8 +2,8 @@ type: client name: cascades-tucson display_name: Cascades of Tucson -last_compiled: 2026-06-26 -compiled_by: HOWARD-HOME/claude-main +last_compiled: 2026-06-30 +compiled_by: Howard-Home/claude-main sources: - session-logs/2026-03-24-session.md - session-logs/2026-03-31-session.md @@ -88,7 +88,6 @@ sources: - clients/cascades-tucson/docs/network/2026-06-19-vertical-5ghz-lock-request.md - clients/cascades-tucson/docs/runbooks/2026-06-23-planned-power-outage.md - clients/cascades-tucson/session-logs/2026-06/2026-06-23-howard-cascades-planned-outage-shutdown-verify.md - - clients/cascades-tucson/session-logs/2026-06/2026-06-24-howard-ticket-review-and-cascades-consolidation.md - clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md - clients/cascades-tucson/session-logs/2026-06/2026-06-24-howard-carf-technology-plan.md - clients/cascades-tucson/session-logs/2026-06/2026-06-24-howard-csc-ent-voice-helpany-consolidation-plan.md 
@@ -98,6 +97,12 @@ sources: - clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-edr-rollout-bitdefender-removal.md - clients/cascades-tucson/session-logs/2026-06/2026-06-25-howard-cs-server-smb-migration-diagnosis.md - clients/cascades-tucson/session-logs/2026-06/2026-06-26-howard-cs-server-datto-removal-smb-rootcause.md + - clients/cascades-tucson/session-logs/2026-06/2026-06-26-howard-edr-bd-straggler-9am-pass.md + - clients/cascades-tucson/session-logs/2026-06/2026-06-26-howard-home-to-pro-upgrades-continued.md + - clients/cascades-tucson/session-logs/2026-06/2026-06-29-howard-alis-caregiver-phoneonly-caretaker-crosscheck.md + - clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-caregiver-phone-sso-license-onboarding.md + - clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-tamra-matthews-offboarding.md + - clients/cascades-tucson/session-logs/2026-06/2026-06-30-howard-vlan20-printer-migration.md backlinks: - projects/gururmm - wiki/systems/uos-server @@ -105,7 +110,7 @@ backlinks: # Cascades of Tucson -Senior living / assisted living facility in Tucson, AZ. Single 6-floor building plus a MemCare (Memory Care) wing on floors 5-6. ACG took over from a previous MSP. Primary compliance driver is HIPAA. Active multi-phase migration project ongoing as of 2026-05-24. +Senior living / assisted living facility in Tucson, AZ. Single 6-floor building plus a MemCare (Memory Care) wing on floors 5-6. ACG took over from a previous MSP. Primary compliance driver is HIPAA. Active multi-phase migration project ongoing as of 2026-06-30. --- 
@@ -133,6 +138,12 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building ### ALIS SSO - Entra app registration -> OIDC SSO into ALIS; **tenant-wide admin consent granted** (2026-06-03). Per-user join key = **ALIS staff Email must equal the Entra UPN**. Caregivers SSO silently on phones (ALIS-native 2FA off); office users SSO with offsite MFA. +### Caregiver phone SSO go-live (SUBSTANTIALLY DONE 2026-06-30 -- Entra/identity side complete) +The caregiver phone-SSO onboarding was executed 2026-06-30. To silently SSO into ALIS on a shared Samsung phone, each caregiver must be (1) in `SG-Caregivers` (bypasses the tenant-wide all-users-MFA CA policy, falls under the location+device posture), (2) M365-licensed (Business Premium, which also carries the Entra ID P1 the CA lockdown needs per-user), and (3) have ALIS staff `Email` = Entra UPN. **Live AD state:** `OU=Caregivers` holds 42 objects = 40 enabled real caregivers + `pilot.test` (test artifact) + `n.castro` (disabled). All 40 real caregivers had NEVER logged into the domain (bulk-created 2026-05-16/18) and were UNLICENSED before this session. +- **DONE (Entra/identity):** all 40 caregivers added to `SG-Caregivers` (was 38; added `c.lassey` + `p.sandoval-beck`), assigned **Microsoft 365 Business Premium** (`usageLocation=US` first, then `assignLicense`), and given unique phone-typeable AD temp passwords with **forced change at next logon** (hybrid PHS -> the AD password is also the M365/phone sign-in). Temp passwords vaulted at `clients/cascades-tucson/caregiver-temp-passwords-2026-06-30.sops.yaml` (40 entries; retrieve with `vault get`, NOT get-field -- keys contain dots; delivered to Howard via Discord DM). **`SG-Caregivers` is frontline caregivers ONLY** -- Veronica Feller + Christine Nyanzunda (admin-adjacent) and `pilot.test`/`n.castro` are intentionally excluded (reverses the earlier 6/4 plan to add Feller/Nyanzunda). 
+- **REMAINING gate (Howard handling -- ALIS side):** set each caregiver's ALIS staff `Email` = Entra UPN so "Sign in with Microsoft" resolves. Of the 40 AD caregivers: 23 confirmed ALIS caregivers (just need Email=UPN), 5 in ALIS with blank job role (confirm caregiver + Email=UPN), 5 Med Techs (Email=UPN; Howard earlier said "ignore for the moment" -- revisit), **7 have NO ALIS staff record (must be created before SSO can work)**, and **3 ALIS caregivers have no AD account** (Judith Palmer, Joey Ty, Alejandra Vallejo -- create AD accounts if they need phones). Also blanket-disable ALIS-native 2FA for the caregiver bucket as records are matched. NOTE: Zeke Huerta stays `e.huerta@cascadestucson.com` (do NOT "correct" to z.huerta) -- his ALIS Email must be `e.huerta@`. Build path: `alis` skill `build-import` -> upload .xls in ALIS UI (no staff-write API). +- **Prior crosscheck (2026-06-29):** phone-only caregivers = NONE (all caregiver rows are `D+P`; only the 3 Transportation drivers are phone-only and do not need ALIS). 7 caregiver-list people are present in ALIS only as **Discharged** records (Niel Castro, Kasey Flores, Bella Mendoza, Corey Tate, Gloria Williford, Mary Kariuki [DUP records 429856/429858], Maia Baker) -- decide reactivate-vs-recreate. Confirm Charity Sika (CSV) == Bariffa Sika (ALIS 309045). + ### Caregiver desktop/laptop management -- Hybrid Entra Join + GPO (the chosen path) Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingInput`; no Windows device ever Intune-enrolled -- MS case open), Windows caregiver devices are managed via **Hybrid Entra Join + on-prem Group Policy** instead. This needs no Intune. The CA access model is unchanged (hybrid join just gives the device an Entra object so the allow-list/deviceId still applies). 
- **Hybrid join proven on NURSESTATION-PC** (2026-06-05): SCP written (`ConfigureSCP.ps1`), `OU=Caregiver Devices,OU=Staff PCs,OU=Workstations` added to Entra Connect sync scope -> device synced to Entra as `trustType: ServerAd`, `dsregcmd` shows AzureAdJoined+DomainJoined YES, pilot.test gets `AzureAdPrt: YES`. On hybrid-joined machines `Ngc PreReqResult: WillNotProvision` (PolicyEnabled NO) -> **Windows Hello does not auto-provision** (no Hello popup) -- exactly what shared caregiver devices need, so no separate Hello-disable step. 
@@ -140,9 +151,10 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - **App + printer delivery GPO `CSC - Caregiver Workstation`** (`{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`, User-config GPP) -- **BUILT + VALIDATED on NURSESTATION as pilot.test (2026-06-05).** Linked at `OU=Caregivers,OU=Departments`; security filter = `SG-Caregivers-Test` (Apply, pilot.test only) + Authenticated Users (Read, for MS16-072). Go-live = swap filter to `SG-Caregivers`. Contents: 3 desktop shortcuts -- ALIS, LinkRx, **Helpany** (`https://app.safe-living.com/login` -- named "Helpany," the brand caregivers know) -- + 6 `\\CS-SERVER` shared printers (NursesPrinter, HealthServices, MCMedTech, MCReception, MCDirector, CopyRoom) with **default printer by device location** (Nurses for `SG-PC-MainTower`, MC MedTech for `SG-PC-MemoryCare`, computer-context ILT) + HKCU `LegacyDefaultPrinterMode=1` so the default sticks. Build scripts: `clients/cascades-tucson/scripts/build-caregiver-gpo.ps1` + `link-caregiver-gpo.ps1`. NOTE: the domain-wide `CSC - Printer Deployment` GPO is intentionally disabled (empty CSE / version 0) and is **not** to be used -- reference only. - **Device lockdown GPO `CSC - Caregiver Device Lockdown`** (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`, computer-only, linked to `OU=Caregiver Devices`) -- **DEPLOYED 2026-06-05.** Auto-logoff is a HIPAA requirement (SS164.312(a)(2)(iii)) for shared PHI devices. Settings: screen **lock at 3 min**, **auto sign-out at 15 min** total idle, **90-second warning** before sign-out, **never sleep** (display off 10 min). Delivered via a computer **startup script** (`caregiver-lockdown.ps1`, in SYSVOL) that sets `InactivityTimeoutSecs=180`, powercfg, and registers a logon-triggered scheduled task running an idle monitor in each caregiver's session. Deploy script: `deploy-device-lockdown-gpo.ps1`. **Startup scripts run at boot -- NURSESTATION must reboot** to activate (not yet verified). 
**Companion:** ALIS app session timeout 20->15 min (Howard, ALIS admin) **PENDING.** Lock/logoff are **device-level** (affect any user on the device in `OU=Caregiver Devices`). -### Status (as of 2026-06-05) +### Status (as of 2026-06-30) +- **Caregiver phone SSO -- Entra/identity side COMPLETE** (group + Business Premium license + forced-change AD temp passwords for all 40). Remaining gate is the ALIS Email=UPN match (Howard) + creating ALIS records for the 7 with none + AD accounts for the 3 ALIS-only caregivers. - **Proven working end-to-end on a hybrid-joined desktop (NURSESTATION + pilot.test):** caregiver lockdown (CA off-network block + device allow-list) **and** silent ALIS SSO. The allow-list policy `1b7fd025` carries NURSESTATION's current deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` and the device is tagged `extensionAttribute1=CSCCaregiverDevice`. -- **GPOs DEPLOYED:** `CSC - Caregiver Workstation` built and validated on pilot.test. `CSC - Caregiver Device Lockdown` deployed to `OU=Caregiver Devices` 2026-06-05 -- takes effect on next NURSESTATION reboot (verify lock@3min, 90s warning, sign-out@15min). **Monday go-live:** swap GPO filter `SG-Caregivers-Test` -> `SG-Caregivers`; CA allow-list test group -> `SG-Caregivers`; move real caregiver machines into `OU=Caregiver Devices` + correct `SG-PC-*` location group one at a time; ALIS email-match the 38 caregivers + medtechs. **Still pending:** lower ALIS app timeout 20->15 min; reboot NURSESTATION to verify lockdown. +- **GPOs DEPLOYED:** `CSC - Caregiver Workstation` built and validated on pilot.test. `CSC - Caregiver Device Lockdown` deployed to `OU=Caregiver Devices` 2026-06-05. **Go-live (still gated on all devices domain-ready):** swap GPO filter `SG-Caregivers-Test` -> `SG-Caregivers`; CA allow-list test group -> `SG-Caregivers`; move real caregiver machines into `OU=Caregiver Devices` + correct `SG-PC-*` location group one at a time. 
**Still pending:** lower ALIS app timeout 20->15 min; reboot NURSESTATION to verify lockdown. - **Independent open item:** Microsoft case for `INTUNE_A PendingInput` -- does NOT block caregiver access (hybrid+GPO path replaces the Intune dependency). --- 
@@ -161,14 +173,15 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn - Ashley Jensen -- Accountant (DESKTOP-U2DHAP0) - Shelby Trozzi -- MemCare Director (MDIRECTOR-PC) - Chris Knight -- Accounting / Business Office (same access tier as Lauren Hasselman); chris.knight@cascadestucson.com (alias: c.knight@cascadestucson.com). **Workstation setup 2026-06-08:** machine **DESKTOP-N5G1ROO** (Win 11 Pro for Workstations) domain-joined + GuruRMM-enrolled (agent `205025ee-2676-4498-8a27-e88562a6f69a`), Office installed. AD account `chris.knight` (OU=Administrative) finished to match Lauren. Mailbox remains cloud-only/unsynced (same split state as Lauren). - - JD Martin -- Syncro-confirmed contact (jd.martin@cascadestucson.com); role not yet documented. + - JD Martin -- Syncro-confirmed contact (jd.martin@cascadestucson.com); Chef's Office user on CHEF-PC (his default printer = USB Chef Printer). - Lupe Sanchez -- staff (DESKTOP-TRCIEJA). EOL workstation (Gateway ZX6971 AIO, i3-2120, 8 GB RAM, Win11 unsupported). **Decision 2026-06-18: replace machine** (dual-AV + EOL hardware causing slow Excel; no remediation on current box). GuruRMM agent `c9bf1a2d-bfdc-401e-9cc8-f9e90bb19587` (resolve live by hostname; UUIDs change on re-enroll). + - Tamra Matthews -- Move-In Coordinator (Marketing/Sales), SALES4-PC. **OFFBOARDED 2026-06-30** (left June 2026 -- see Access section). - **Syncro contact emails (authoritative):** ashley.jensen@, jd.martin@, crystal.rodriguez@, John.trozzi@, meredith.kuhn@, accounting@/accountingassistant@cascadestucson.com. - **Billing rate:** $175/hr all labor (prepaid block customer) -- **Hours remaining:** **46.75 hrs as of 2026-06-26 (live Syncro).** Prior: 47.75 hrs as of 2026-06-25 (post-Alma-offboarding session); 48.25 hrs as of 2026-06-24; 0.5h remote 2026-06-24 Executive restricted share #32193 (48.75->48.25). Prior: 7h remote+onsite 2026-06-19 voice VLAN + RF optimization (ticket #32444, 55.75->48.75). 
Prior: 0.5h remote 2026-06-12 shared mailboxes (ticket #32417, 56.25->55.75); 0.5h remote 2026-06-10 Meredith locked Word doc (ticket #32403, 56.75->56.25). Always live-check via `GET /customers/20149445` before billing. +- **Hours remaining:** **37.5 hrs as of 2026-06-30 (live Syncro).** Prior: 46.75 hrs as of 2026-06-26; 47.75 hrs as of 2026-06-25; 48.25 hrs as of 2026-06-24. Always live-check via `GET /customers/20149445` before billing. - **Syncro customer ID:** 20149445 -- **Managed devices (Syncro):** 29 (live 2026-06-26) -- **Active tickets:** **0 open Syncro tickets as of 2026-06-26 (live Syncro).** Previously open work tickets (#32194 spare machine, #32254 Chef-PC reinstall, #32319 WiFi rm343, #32342 Copy Room switch, #32370 eFax+scanner) are now closed/resolved per live Syncro pull. **#32230 (Karen->ALDOCS) RESOLVED** (earlier today). 4 hardware items Invoiced (work done): #32440 server SSDs, #32439 MemCare UPS, #32443 Front Desk battery backup, #32330 Chris Knight PC. See Active Work and session logs for ongoing project work. +- **Managed devices (Syncro assets):** 29 (live 2026-06-30) +- **Active tickets:** **0 open Syncro tickets as of 2026-06-30 (live Syncro).** See Active Work and session logs for ongoing project work (domain migration, EDR rollout, caregiver phone SSO, VLAN 20 printer migration). - #110680053 / #32303 -- Entra / domain migration project. Status: **Invoiced** as of 2026-06-05. Plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md` - #109412123 -- Entra setup project (verify status) - #32403 -- Meredith locked Word doc (0.5h remote, billed 2026-06-10, Invoiced) 
@@ -183,11 +196,11 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn | Host | IP | Role | OS | Notes | |---|---|---|---|---| -| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). **Single DC -- CRITICAL risk.** GuruRMM agent ID: `c39f1de7-d5b6-45ae-b132-e06977ab1713` (re-enrolled; always resolve live by hostname, never hardcode the UUID). **OS RAID-1 mirror DEGRADED (2026-06-15) -- see hardware warning below.** | +| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). **Single DC -- CRITICAL risk.** GuruRMM agent ID: `c39f1de7-d5b6-45ae-b132-e06977ab1713` (re-enrolled; always resolve live by hostname, never hardcode the UUID). Clients reach SMB at **192.168.2.248** (registered DNS / Ethernet); .254 is the Hyper-V vEthernet NIC. **RAID HEALTHY per live OMSA 2026-06-24 -- see hardware note below.** **All Datto software fully removed 2026-06-26 (was DattoAV/EDR/RMM leftover, not GravityZone).** | | CS-SERVER iDRAC | 192.168.2.65 | Out-of-band management | -- | Dell OOB interface | | CS-QB (Hyper-V VM on CS-SERVER) | 192.168.2.228 | (label "VoIP server" -- STALE) | -- | **2026-06-16 recon: SMB/445 only, no SIP response -- NOT a live SIP PBX.** Phones appear cloud-registered (Vertical). Label predates the wireless-phone transition; revisit/retire. | | cascadesDS (Synology NAS) | 192.168.0.120 | NAS / legacy file storage | DSM 7.2.1-69057 | Port 5000 HTTP. Workgroup name is "CASCADES" -- same as AD short name, causing Kerberos auth failures from domain-joined machines. Slated to become backup-only. **Synology Drive Server 3.5.0-26088** (active, port 6690 SSL). 
Current Drive sync: CS-SERVER Drive Client (v7.5.0.16085, runs as sysadmin) syncs Sync-user My Drive (`/volume1/homes/Sync/Drive/`) -> `D:\Shares\Main` (one-way download). Real shared folders (Server 1.9 G, Management 5.5 G, Public ~50 G, SalesDept ~23 G, etc.) are NOT in scope -- Team Folder migration pending. | -| pfSense Firewall | 192.168.0.1 | Perimeter firewall, inter-VLAN routing, DHCP/DNS | pfSense Plus 25.07-RELEASE | Netgate device. cert CN=pfSense-685f277aa6886. Dual-WAN. All DHCP (CS-SERVER DHCP role has no scopes). 199 DHCP subnets (per-unit /28 VLANs, assisted-living L2 isolation). SSH shell access works (no interactive menu). Admin vault: `clients/cascades-tucson/pfsense-firewall`. OpenVPN user Howard: vault `clients/cascades-tucson/pfsense-openvpn-howard`. **Config vaulted 2026-06-17:** `clients/cascades-tucson/pfsense-config-backup-2026-06-17.sops.yaml`. pfSense is ZFS (power-loss resilient). Logs are PLAIN TEXT (not clog). | +| pfSense Firewall | 192.168.0.1 | Perimeter firewall, inter-VLAN routing, DHCP/DNS | pfSense Plus 25.07-RELEASE | Netgate device. cert CN=pfSense-685f277aa6886. Dual-WAN. All DHCP (CS-SERVER DHCP role has no scopes). 199 DHCP subnets (per-unit /28 VLANs, assisted-living L2 isolation). SSH shell access works from onsite (no interactive menu) but **tcp/22 is blocked from the OpenVPN subnet** -- use the GUI (443) remotely. Admin vault: `clients/cascades-tucson/pfsense-firewall`. OpenVPN user Howard: vault `clients/cascades-tucson/pfsense-openvpn-howard`. **Config vaulted 2026-06-17:** `clients/cascades-tucson/pfsense-config-backup-2026-06-17.sops.yaml`. pfSense is ZFS (power-loss resilient). Logs are PLAIN TEXT (not clog). | **[CORRECTED 2026-06-24 -- LIVE OMSA] CS-SERVER RAID is HEALTHY, not degraded.** Dell PowerEdge R610 (Service Tag **9MQFTK1**), basic **SAS 6/iR Integrated** controller (3 Gbps, no cache), Status Ok. 
A live `omreport` query (Dell OMSA on CS-SERVER via RMM) shows **both virtual disks Ok/Ready and all 5 physical disks Online/Ok, Failure Predicted: No, all LEDs green.** The 2026-06-15 "degraded" state (PD 0:0:3 Critical/Removed) **self-recovered** -- the flaky consumer drive dropped out and re-synced after a power cycle (the ESM hardware log shows repeated drive remove/install events across the 6/17 + 6/23 outages). **Do NOT pull a drive -- there is nothing failed to swap.** 
@@ -208,29 +221,29 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn **[INFO] Backup -- gap closed (2026-06-15); verified running 2026-06-24.** Mike installed ACG cloud backup (MSP360/CloudBerry -> ACG-backup server) on CS-SERVER, addressing the longstanding SS164.308(a)(7) "no backup" HIPAA gap. **Live check 2026-06-24:** last run (6/24 00:10) = "Plan status: Success", 0 failed; 575.7 GB / 248k-file dataset already in the cloud (only 465 MB changed -> full baseline exists, incrementals working). **Still to confirm: this looks FILE-LEVEL, not image/bare-metal/system-state -- for a DC that is a DR gap; confirm with Mike whether a separate image/system-state backup exists before treating it as full disaster coverage.** Set/confirm retention. -**[INFO] Endpoint security migration (2026-06-25, in progress):** Cascades is migrating from Syncro-deployed **Bitdefender GravityZone BEST** to **Datto EDR + Datto AV** (Infocyte/azcomp4587.infocyte.com) as the ACG-managed endpoint stack. Datto EDR org `2d5ea96e-3228-461b-9c60-13ae464b61d8`, target group `1dbd2b02-f7df-45d0-a7f2-18667f48447f`, reg key `6qw68y2rwl`. **Current state (end of session 2026-06-25):** 34 agents enrolled (was 27 at session start; 7 installed this session). **Bitdefender REMOVED from RECEPTIONIST-PC** (both physical boxes, serials MJ0KQH4R + MJ0KQHNP) via GravityZone console ("Uninstall client" task -- API `createUninstallTask` is dead in this version; no uninstall password was set on policy "GPS Default"). 6 orphaned `C:\Program Files\Bitdefender` folders deleted (BD was already uninstalled on those machines; safety-checked before deletion). **RECEPTIONIST-PC is two distinct physical machines sharing a hostname** -- dedup-by-hostname masks the second box in single-system inventory views. 
**Pending:** EDR install on 2 offline machines (DESKTOP-F94M8UT, NurseAssist); BD-check on 5 offline machines (DESKTOP-KQSL232, DESKTOP-MD6UQI3, DESKTOP-TRCIEJA, SALES4-PC, Laptop4); queued to auto-run on reconnect (background watcher `bfm81iqdz`). **Confirm Cascades is removed from Syncro's Bitdefender deployment** so BD does not redeploy onto cleaned machines (Syncro AV management is GUI-only). Also: GravityZone Cascades company `66b0448e1e0441d02508bad8` still has RECEPTIONIST-PC endpoint records in the portal (`66b04593e14f46ee79b1c87f`, `66b045ee2f4dee3f01f54630`) -- review/remove. **Separate cleanup still pending:** prior-MSP CentraStage RMM leftover on CS-SERVER; the Datto EDR agents on CS-SERVER have not yet been confirmed clean-enrolled vs leftover. +**[INFO] Endpoint security -- Datto EDR/AV is the ACG-managed stack (migration off Bitdefender substantially complete).** Cascades migrated from Syncro-deployed **Bitdefender GravityZone BEST** to **Datto EDR + Datto AV** (Infocyte/azcomp4587.infocyte.com). Datto EDR org `2d5ea96e-3228-461b-9c60-13ae464b61d8`, target group `1dbd2b02-f7df-45d0-a7f2-18667f48447f`, reg key `6qw68y2rwl`. **State as of 2026-06-26:** ~34 agents enrolled. Datto EDR installed on 7 machines 6/25 (org 27->34). **Bitdefender REMOVED from RECEPTIONIST-PC** (both physical boxes, serials MJ0KQH4R + MJ0KQHNP) via GravityZone console "Uninstall client" task -- the GravityZone Public API `createUninstallTask` is DEAD in this version and BEST anti-tampering (no uninstall password on policy "GPS Default") blocks endpoint-side uninstall, so removal is **console-only**. 6 orphaned `C:\Program Files\Bitdefender` folders deleted (safety-checked). **RECEPTIONIST-PC is two distinct physical machines sharing a hostname** -- dedup-by-hostname masks the second box. 
**Straggler pass 2026-06-26:** BD-checked reconnected machines -- DESKTOP-MD6UQI3, Laptop4, SALES4-PC all NO_BITDEFENDER (clean); **DESKTOP-TRCIEJA = BD_ACTIVE** (needs the GravityZone console uninstall; slated for replacement anyway). NurseAssist got its queued EDR install confirmed (agent `23c3c36e`, AV on, v3.17.1.5552) after its Home->Pro upgrade. DESKTOP-F94M8UT (Alma Montt's, powered off) BD-aware EDR install queued (cmd `a4623704`, auto-fires on reconnect); DESKTOP-KQSL232 (Lois Lane's old box) decommissioned -- removed from list. **CS-SERVER's endpoint AV was DattoAV, NOT GravityZone Bitdefender** (see SMB/AV pattern) -- all Datto software fully removed from CS-SERVER 2026-06-26. **Pending:** DESKTOP-TRCIEJA GravityZone console uninstall; confirm Cascades removed from Syncro's Bitdefender deployment (GUI-only) so BD doesn't redeploy; GravityZone portal cleanup of stale RECEPTIONIST-PC endpoint records; reconcile `laptop3` (EDR agent, no RMM agent); confirm/remove stale EDR agents laptop1 + cascades-laptop. **[WARN] Power outage (2026-06-17):** Building power outage took the entire Cascades network down. Root cause: pfSense was plugged into the **surge-only side of the UPS** (no battery) -- it hard-powered-off uncleanly. ZFS survived. Dirty boot caused a **duplicate dhcpd** and a **2nd-floor switch (USL24PB, 192.168.2.193) with one-way L2 forwarding** blocking DHCP OFFERs. Howard killed the duplicate dhcpd remotely; Mike re-seated pfSense onto battery outlets, restored config from on-box auto-backup (12:20 version, VLAN30 intact), reset+re-adopted Switch 2nd Floor #2. Network fully restored. Post-recovery casualties: devices that booted during DHCP-down window cached disconnected state (kitchen thermal printer fixed by power-cycle). Incident report: `clients/cascades-tucson/reports/2026-06-17-power-outage-incident.md`. 
-**[INFO] Planned power outage (2026-06-23, 05:30-09:00 MST) -- clean shutdown executed:** Building-wide electrical work scheduled a 3.5h power cut. To avoid a repeat of the 6/17 dirty-shutdown damage (and because CS-SERVER's OS mirror is degraded), all three core devices were armed the prior evening (2026-06-22 ~19:06) to **shut THEMSELVES down** on self-contained local schedules -- CS-SERVER (Windows task `ACG-PlannedOutage-Shutdown` -> stop CS-QB VM -> `Stop-Computer`, 05:28), Synology (`/sbin/poweroff`, 05:28), pfSense (`shutdown -p now`, 05:30) -- so they fired independent of any remote session or the OpenVPN tunnel, with the UPS carrying them through the 05:30 cut. **Verified clean (2026-06-23 05:31 MST):** CS-SERVER confirmed offline via GuruRMM cloud at last_seen 05:29:49 MST (the one out-of-band channel; expected ~1.5 min graceful-shutdown lag); pfSense + Synology unreachable as expected (pfSense is the VPN endpoint -- once down, all in-site paths drop). Pre-flight (2026-06-22) verified: cloud backup last full SUCCESS @ 6/22 00:11 (0 errors); iDRAC AC Power Recovery ON + Synology auto-restart ON (boot backstops); John Trozzi onsite for physical power-on ~09:00. Bring-up is bottom-up: pfSense first (verify SINGLE dhcpd, WAN up, reboot Cox modem if WAN fails) -> switches/APs re-adopt (12/12 + 77/77) -> CS-SERVER -> Synology -> straggler sweep. Runbook: `clients/cascades-tucson/docs/runbooks/2026-06-23-planned-power-outage.md`. +**[INFO] Planned power outage (2026-06-23, 05:30-09:00 MST) -- clean shutdown executed:** Building-wide electrical work scheduled a 3.5h power cut. 
To avoid a repeat of the 6/17 dirty-shutdown damage, all three core devices were armed the prior evening (2026-06-22 ~19:06) to **shut THEMSELVES down** on self-contained local schedules -- CS-SERVER (Windows task `ACG-PlannedOutage-Shutdown` -> stop CS-QB VM -> `Stop-Computer`, 05:28), Synology (`/sbin/poweroff`, 05:28), pfSense (`shutdown -p now`, 05:30) -- so they fired independent of any remote session or the OpenVPN tunnel, with the UPS carrying them through the 05:30 cut. **Verified clean (2026-06-23 05:31 MST):** CS-SERVER confirmed offline via GuruRMM cloud at last_seen 05:29:49 MST; pfSense + Synology unreachable as expected. Pre-flight (2026-06-22) verified: cloud backup last full SUCCESS @ 6/22 00:11 (0 errors); iDRAC AC Power Recovery ON + Synology auto-restart ON; John Trozzi onsite for physical power-on ~09:00. Bring-up bottom-up: pfSense first -> switches/APs re-adopt -> CS-SERVER -> Synology -> straggler sweep. Runbook: `clients/cascades-tucson/docs/runbooks/2026-06-23-planned-power-outage.md`. ### Email & Identity - **M365 tenant:** cascadestucson.com | Tenant ID: `207fa277-e9d8-4eb7-ada1-1064d2221498` -- **M365 license:** Business Premium (SPB) -- 34 seats enabled, 3 consumed, 31 free. Business Standard (O365_BUSINESS_PREMIUM) -- **SUSPENDED**, 31 users still assigned. Relicensing 31 users Business Standard -> Business Premium is pending and time-sensitive. (Alma Montt's SPB seat was freed on offboarding 2026-06-25.) +- **M365 license:** **Business Premium (SPB, SKU `cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46`) -- 45 seats enabled / 45 consumed / 0 free** (as of 2026-06-30; Howard bought 11 more seats on 6/30 and all 40 caregivers consumed seats -- was 34 enabled / 3 consumed). Business Premium includes Entra ID P1 (required per-user by the caregiver CA lockdown). **Legacy Office 365 Business Standard (O365_BUSINESS_PREMIUM) -- SUSPENDED** (0 enabled / 37 suspended). Relicensing the remaining suspended-Standard users onto Business Premium is pending. 
(Tamra Matthews' O365 Business Standard seat was freed on offboarding 2026-06-30; Alma Montt's SPB seat was freed 2026-06-25.) - **On-prem AD domain:** cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness) - **MX / mail flow:** Exchange Online (M365). SPF: `v=spf1 a mx ip4:72.194.62.5 include:spf.protection.outlook.com include:spf-0.secureserver.net -all`. DKIM: both M365 selectors published. DMARC: `p=quarantine;pct=100` -- upgraded from p=none. Reports to `info@cascadestucson.com` (unmonitored). No third-party email gateway (EOP direct MX). - **MFA:** CA policy "Require MFA for all users" is enabled. Caregiver bypass in progress -- caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. Voice-call MFA is **disabled tenant-wide** (SMS + Authenticator are the allowed methods). Exception: security group "MFA - Voice Call Scoped (sysadmin)" (id `304f941e-3594-4705-b8e6-ee676297df11`, single member `sysadmin@`) has Voice method enabled. -- **Entra Connect:** Installed on CS-SERVER 2026-04-25. Exited staging 2026-05-14 -- actively syncing (last sync confirmed 2026-05-27). OU=Administrative not yet in sync scope; UPN suffix updates for Administrative OU users pending before that OU can be added. +- **Entra Connect:** Installed on CS-SERVER 2026-04-25. Exited staging 2026-05-14 -- actively syncing (last sync confirmed 2026-05-27). `SG-Caregivers` is an on-prem AD group synced via Entra Connect -- **cloud/Graph group adds fail (HTTP 400); all membership writes must be done on-prem (CS-SERVER via RMM).** OU=Administrative not yet in sync scope; UPN suffix updates for Administrative OU users pending before that OU can be added. - **Break-glass accounts:** Two planned (`breakglass1-csc@cascadestucson.com`, `breakglass2-csc@cascadestucson.com`). Confirmed not yet created as of 2026-05-27. FIDO2 YubiKeys ordered -- arrival unconfirmed. 
- **Admin accounts:** - `admin@cascadestucson.com` -- Mike's working admin (cloud-only, Connect-excluded by design) - `sysadmin@cascadestucson.com` -- Howard's working admin (cloud-only, Connect-excluded by design). Object id: `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`. Vaulted at `clients/cascades-tucson/m365-sysadmin.sops.yaml`. -- **ALIS (clinical SaaS):** https://cascadestucson.alisonline.com -- Entra SSO live and working. Install key: `d796539d-356b-4190-9c17-35f0f1129376`. Vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`. ALIS application ID `d5108493-cba8-4f08-90b6-1bb0bc09eb2a`, client secret expires 2028-05-06 (rotation reminder -- expiry breaks ALIS SSO tenant-wide). Per-caregiver: ALIS staff-record Email must match Entra UPN exactly. BAA with Medtelligent not yet verified. +- **ALIS (clinical SaaS):** https://cascadestucson.alisonline.com -- Entra SSO live and working. communityId 622. Install key: `d796539d-356b-4190-9c17-35f0f1129376`. Vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` (API user cred: `clients/cascades-tucson/alis-api-howard-user.sops.yaml` -- username must be tenant-qualified `howard.enos@cascadestucson`). ALIS application ID `d5108493-cba8-4f08-90b6-1bb0bc09eb2a`, client secret expires 2028-05-06 (rotation reminder -- expiry breaks ALIS SSO tenant-wide). Per-caregiver: ALIS staff-record Email must match Entra UPN exactly. Staff endpoints are **read-only via API -- writes are done by uploading a `build-import` .xls in the ALIS UI.** BAA with Medtelligent not yet verified. - **Admin consent (2026-06-03):** Tenant-wide admin consent (`AllPrincipals` `User.Read`) granted on ALIS Entra service principal (`e1cae4ad-5beb-44ca-82d4-434c9bd835ad`). This resolved `AADSTS65001` sign-in failures. - **How to enable ALIS SSO for one user:** (1) Tenant-wide admin consent already done globally. (2) In ALIS admin -> Staff -> user's record, set **Email = exact Entra UPN**. 
(3) User signs in via "Sign in with Microsoft." (4) Turn off ALIS-native 2FA (Entra is the second factor; native 2FA conflicts and locked out Karen Rossini). - **Diagnostic signature:** a user with zero ALIS-app sign-in events in Entra sign-in logs is still on the old direct-login path -- fix is the ALIS Email match, not anything in Entra. -- **Caregiver phones:** 22 Samsung Galaxy A15s enrolled in Intune Shared Device Mode (SDM). Enrollment profile: `CSC - Android Shared Phones (Entra SDM)` (`9a0fcc6d`); 25 devices enrolled per 2026-06-03 Intune pull. Dynamic group: `Cascades - Shared Phones` (`ea96f4b7`). Android enrollment token expires 2027-05-08 -- expiry does NOT unenroll existing devices. +- **Caregiver phones:** 22 Samsung Galaxy A15s enrolled in Intune Shared Device Mode (SDM). Enrollment profile: `CSC - Android Shared Phones (Entra SDM)` (`9a0fcc6d`); 25 devices enrolled per 2026-06-03 Intune pull. Dynamic group: `Cascades - Shared Phones` (`ea96f4b7`). Android enrollment token expires 2027-05-08 -- expiry does NOT unenroll existing devices. **Caregiver identities now licensed + grouped + temp-passworded for phone SSO (2026-06-30) -- see Entra Access Architecture.** - **Audit retention:** Approved 2026-04-29. Azure Log Analytics (90d) + Storage Account (6yr) in ACG subscription `e507e953-2ce9-4887-ba96-9b654f7d3267`, RG `rg-audit-cascadestucson`. **Not yet built.** - **Inky:** No Inky deployment exists in this tenant. Confirmed 2026-06-04. - **EXO MSP app auth note (2026-06-04):** When the MSP app cert is not in the Windows cert store, use client_credentials flow to obtain an EXO-scoped access token and connect via `Connect-ExchangeOnline -AccessToken`. App: ComputerGuru Exchange Operator (`b43e7342-5b4b-492f-890f-bb5a4f7f40e9`). Vault: `msp-tools/computerguru-exchange-operator.sops.yaml`. 
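Review bot: the new `SG-Caregivers` sentence on the Entra Connect line says all membership writes must be done on-prem but omits that the cloud side only sees them after the next Entra Connect cycle (delta sync, 30 min by default), which matters here because the caregiver Conditional Access block policies key off this group's cloud copy; suggest appending "then wait for the next sync cycle or run `Start-ADSyncSyncCycle -PolicyType Delta` on CS-SERVER and confirm the member shows in Entra before relying on CA", and stating that the HTTP 400 is the expected response for an on-prem-mastered group (`onPremisesSyncEnabled = true`), not a tenant fault. The same on-prem-only note is added a second time under Active Directory / User Management further down this diff; keep one canonical copy and point the other at it so the two do not drift.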
@@ -239,13 +252,13 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn ### Network - **ISP / WAN:** Dual-WAN Cox. WAN1 igc0 `184.191.143.62/30` (Cox Fiber, primary, gateway `184.191.143.61`) + WAN2 igc3 `72.211.21.217/27` (Cox Coax, secondary, static); `WAN_Group` gateway group; both active full-duplex, no loss events (verified 2026-06-16). Both WAN IPs added as Cascades Named Location in Entra (ID: `061c6b06-b980-40de-bff9-6a50a4071f6f`). **Measured bandwidth (2026-06-18):** WAN1 fiber **upload ~522 Mbps**; RRD 3-day peaks ~680 Mbps down / 98 Mbps up (actual usage). WAN2 coax upload **unmeasured** (remote source-route test failed -- needs a WAN2-routed host or the Cox bill). 30 calls ~= 3 Mbps vs ~522 Mbps fiber headroom -> **the WAN is NOT the everyday voice bottleneck** (RF is); voice QoS is insurance for WAN2 failover + rare WAN1 saturation. -- **Firewall:** pfSense Plus **25.07-RELEASE** (Netgate) at `192.168.0.1`, cert CN=pfSense-685f277aa6886. Admin vault: `clients/cascades-tucson/pfsense-firewall`. SSH shell access works (no interactive menu). OpenVPN user Howard: vault `clients/cascades-tucson/pfsense-openvpn-howard` (split-tunnel; `route 192.168.0.0/22`; use OpenVPN GUI or OpenVPN Connect with DCO disabled for stability). pfSense-ssh.sh (unifi-wifi skill) provides scripted audit/dhcp/run access. **Logs are PLAIN TEXT on 25.07 -- read with tail/grep, NOT clog.** pfSense has an **OpenVPN `--inactive` idle timeout (~300s)** on the server; it disconnects clients after ~5 min of no tunnel data (keepalive pings do NOT reset this counter). Fix proposed 2026-06-18; not applied. **[OUTAGE 2026-06-17] pfSense was on UPS surge-only side -- moved to battery-backed outlets by Mike. On-box auto-backup restored; config vaulted. Enable Netgate AutoConfigBackup to prevent future off-box gap.** +- **Firewall:** pfSense Plus **25.07-RELEASE** (Netgate) at `192.168.0.1`, cert CN=pfSense-685f277aa6886. 
Admin vault: `clients/cascades-tucson/pfsense-firewall`. SSH shell access works onsite (no interactive menu) but **tcp/22 is blocked from the OpenVPN subnet -- use the GUI (443) remotely** (the unifi-wifi `pfsense-ssh.sh` skill silently returns empty over VPN). OpenVPN user Howard: vault `clients/cascades-tucson/pfsense-openvpn-howard` (split-tunnel; `route 192.168.0.0/22`; use OpenVPN GUI or OpenVPN Connect with DCO disabled for stability). **Logs are PLAIN TEXT on 25.07 -- read with tail/grep, NOT clog.** pfSense has an **OpenVPN `--inactive` idle timeout (~300s)** on the server; it disconnects clients after ~5 min of no tunnel data (keepalive pings do NOT reset this counter). Fix proposed 2026-06-18; not applied. **[ROUTING GOTCHA 2026-06-30] The LAN "Default allow LAN to any" rule has Gateway = WAN_Group (dual-WAN policy routing), which shoves LAN->internal-VLAN traffic (e.g. CS-SERVER -> VLAN 20 printers) OUT THE WAN.** This is NOT a firewall block. Fixed with a top LAN pass rule: source CS-SERVER `192.168.2.248`, dest `10.0.20.0/24`, Gateway = default -- restores full server access to VLAN 20 (printers etc.) without matching resident/guest ingress. **[OUTAGE 2026-06-17] pfSense was on UPS surge-only side -- moved to battery-backed outlets by Mike. On-box auto-backup restored; config vaulted. Enable Netgate AutoConfigBackup to prevent future off-box gap.** - **[INFO] pfSense health check (2026-06-16):** gateway ruled out as WiFi factor -- DHCP not exhausted, unbound DNS up, both WANs full-duplex/stable, firewall states 28-31k/790k, load 0.6. -- **LAN / VLAN layout:** Primary staff/AP network `192.168.0.0/22` (pfSense .0.1, cascadesDS .0.120, UniFi APs + most WiFi clients on 192.168.2.x/3.x). DHCP pool 192.168.2.2-192.168.3.254 (~507 cap, ~270 active ~53%). 
Per-unit /28 VLANs: **199 DHCP subnets** total, mostly `10.x.y.0/28` per apartment (assisted-living L2 isolation) + Staff/Internal VLAN 20 (`10.0.20.0/24`, gw `10.0.20.1`) + Guest VLAN 50 (`10.0.50.0/24`, RFC1918 blocked) + **Voice VLAN 30** (`10.0.30.0/24`, gw `10.0.30.1`). DHCP backend: ISC (Kea config present, dormant). Unbound DNS. +- **LAN / VLAN layout:** Primary staff/AP network `192.168.0.0/22` (pfSense .0.1, cascadesDS .0.120, UniFi APs + most WiFi clients on 192.168.2.x/3.x). DHCP pool 192.168.2.2-192.168.3.254 (~507 cap, ~270 active ~53%). Per-unit /28 VLANs: **199 DHCP subnets** total, mostly `10.x.y.0/28` per apartment (assisted-living L2 isolation) + **Staff/Internal VLAN 20** ("CSCNET", `10.0.20.0/24`, gw `10.0.20.1` -- the target VLAN staff machines + printers are being migrated onto, off the flat old LAN "CSC ENT" 192.168.0.0/22) + Guest VLAN 50 (`10.0.50.0/24`, RFC1918 blocked) + **Voice VLAN 30** (`10.0.30.0/24`, gw `10.0.30.1`). DHCP backend: ISC (Kea config present, dormant). Unbound DNS. - **Switching:** Full UniFi. **77 U7-Pro APs** + **12 managed switches** (1st Floor USW-48 PoE core; floors 2-4 USW-Pro-24-PoE; MemCare USW-Pro-24-PoE; USW Lite 8 PoE; USW-16-PoE VoIP switch). **[WARN] ~25 switch ports linked at 100 Mbps but gig-capable** (systematic cabling/NIC issue, 1st/2nd/3rd-floor switches; investigate after WiFi Phase A). 3 offline switches: Switch 2nd Floor #2, Switch 4th Floor #2, USW Pro Max 16. PoE budgets healthy. Port p38 (1st Floor USW) 4.0% tx-drop rate. All managed on the shared UOS controller (172.16.3.29, HTTPS 11443; see [[uos-server]]); Cascades site short name `va6iba3v`, site_id `685f39068e65331c46ef6dd2`. **Mesh topology:** 2nd Floor Atrium is wireless-mesh parent for CC Bridge + salon (5 GHz backhaul ch36); 206 U7 Pro carries AP 108. Note: Switch 2nd Floor #2 (USL24PB, 192.168.2.193) was reset+re-adopted after the 2026-06-17 power outage. 
- **WiFi SSIDs:** - **CSCNet -- shared PPSK SSID.** `private_preshared_keys_enabled`; ~230-242 per-key->network mappings (most keys -> per-room resident VLANs 101-631; a few -> Default; one phone key -> Internal/VLAN 20; one voice PPSK -> VOICE/VLAN 30). ~1,190 historical clients (residents' IoT/TVs, staff, phones). **Do NOT repoint the SSID to move a subset of clients** -- move at the PPSK level. wlanconf `685f39078e65331c46ef7ee5`; cred vault `clients/cascades-tucson/wifi-cscnet.sops.yaml`. - - CSC ENT -- legacy SSID, main LAN (192.168.0.0/22), being deprecated as migration proceeds + - CSC ENT -- legacy SSID, main LAN (192.168.0.0/22), being deprecated as migration proceeds (planned to become the permanent 5 GHz-only WPA2 "device island" for Poly voice + Helpany sensors -- see VoIP/network section) - Guest -- isolated, VLAN 50 - **Wireless RF status (applied 2026-06-19 -- ~587 concurrent clients):** - **2.4 GHz is the primary pain band:** avg TX-retry ~10%, cu_total 69-94% live, catastrophic external neighbor BSSID density (ch6 ~33k BSSIDs, ch1 ~19k, ch11 ~17k). 27 of the 40 worst clients on 2.4 GHz (retry 11-42%), mostly IoT/legacy. Root cause: extreme radio density; external saturation limits benefit of any 1/6/11 channel re-plan. 
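Review bot: the routing fix in the Firewall line is narrower than the problem it describes. The policy-routed "Default allow LAN to any" rule will still send every other 192.168.0.0/22 host's traffic to 10.0.20.0/24, 10.0.30.0/24 and the per-unit /28s out `WAN_Group`, not only CS-SERVER's, so the staff PCs still on CSC ENT will hit the same "not a firewall block" symptom as the VLAN 20 migration proceeds. Suggest replacing the single-host rule with a pass rule above the policy-routed one (source `LAN net`, destination an alias of all internal networks, gateway default) and dropping the "without matching resident/guest ingress" justification: a rule on the LAN tab only evaluates traffic entering the LAN interface, so resident and guest VLAN ingress was never matched by it regardless of how the source was restricted. Also record whether the VLAN 20 interface rules carry a gateway as well, since policy-routed return traffic would produce an identical one-way symptom.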
@@ -291,10 +304,10 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of, ## Access -- **CS-SERVER:** Via ScreenConnect or GuruRMM (live agent ID `c39f1de7-d5b6-45ae-b132-e06977ab1713` as of 2026-06-08; re-enrolls -- resolve live by hostname, do not hardcode) +- **CS-SERVER:** Via ScreenConnect or GuruRMM (live agent ID `c39f1de7-d5b6-45ae-b132-e06977ab1713` as of 2026-06-30; re-enrolls -- resolve live by hostname, do not hardcode). Vaulted domain-admin cred: `clients/cascades-tucson/cs-server.sops.yaml` (username `sysadmin`). - **CS-SERVER iDRAC:** 192.168.2.65 - **pfSense admin (HTTPS):** https://192.168.0.1 -- vault: `clients/cascades-tucson/pfsense-firewall.sops.yaml` -- **pfSense SSH:** `ssh admin@192.168.0.1` (system OpenSSH; drops to shell directly, no interactive menu) -- vault admin cred: `clients/cascades-tucson/pfsense-firewall.sops.yaml`; pfsense-ssh.sh (unifi-wifi skill) for scripted access. +- **pfSense SSH:** `ssh admin@192.168.0.1` (system OpenSSH; drops to shell directly, no interactive menu) -- **tcp/22 blocked from the OpenVPN subnet; use the GUI remotely** -- vault admin cred: `clients/cascades-tucson/pfsense-firewall.sops.yaml`; pfsense-ssh.sh (unifi-wifi skill) for scripted access onsite. - **pfSense OpenVPN (Howard):** split-tunnel; vault: `clients/cascades-tucson/pfsense-openvpn-howard.sops.yaml` (user `Howard`; route 192.168.0.0/22). Use OpenVPN GUI or OpenVPN Connect with DCO disabled for stability. Howard-Home is 10.137.42.0/24 (renumbered 2026-06-16). Server has a configured `--inactive` idle timeout (~300s) that silently drops idle clients. - **pfSense config backup (2026-06-17):** `clients/cascades-tucson/pfsense-config-backup-2026-06-17.sops.yaml` - **Synology DSM:** http://192.168.0.120:5000 -- vault: `clients/cascades-tucson/synology-cascadesds.sops.yaml` (admin). Drive Server port 6690 (SSL). 
**[SECURITY] Synology Cloud Signin Portal credential (`clients/cascades-tucson/synology-signin-portal.sops.yaml`) was committed plaintext at vault commit 1fbc0e1 -- exposed in git history; encrypted go-forward but credential should be rotated.** 
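Review bot: the new CS-SERVER vault entry introduces a second `sysadmin` identity (an on-prem domain admin) alongside the existing cloud-only `sysadmin@cascadestucson.com`, and the line does not say whether these are distinct accounts with distinct secrets; a reader could reasonably assume one password serves both. Suggest naming them explicitly ("`CASCADES\sysadmin` (on-prem DA; not the Entra `sysadmin@`, which is Connect-excluded)") and noting that the AD account must stay out of the Entra Connect sync scope so a domain-admin credential does not also become a cloud sign-in target. The Synology sign-in portal plaintext exposure in this same Access block is still listed as "should be rotated" with no owner or date; this hunk edits the surrounding lines and would be the place to add one.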
@@ -304,17 +317,19 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of, - **WiFi Voice PPSK (VLAN 30):** vault: `clients/cascades-tucson/wifi-voice-ppsk.sops.yaml` - **MDM service account:** vault: `clients/cascades-tucson/mdm-service-account.sops.yaml` - **svc-scan (scan-to-folder service account):** vault: `clients/cascades-tucson/svc-scan.sops.yaml`. AD account on CS-SERVER for the Accounting Brother's SMB scans. -- **ALIS SSO app registration:** vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` +- **ALIS SSO app registration:** vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`; ALIS API user: `clients/cascades-tucson/alis-api-howard-user.sops.yaml`. +- **Caregiver AD temp passwords (2026-06-30):** vault: `clients/cascades-tucson/caregiver-temp-passwords-2026-06-30.sops.yaml` (40 caregiver AD temp passwords, all forced-change-at-next-login; keys = sAMAccountName). Hybrid PHS -> these are also the M365/phone sign-in. Retrieve with `vault get` (NOT get-field -- dotted keys). Do NOT inline any values. - **UOS controller SSH (root):** vault: `infrastructure/uos-server-ssh-key` -- SSH/Mongo access for `unifi-wifi` skill and `uos-mongo.sh`. Vaulted 2026-06-15 by Mike. - **UOS controller RW admin (Network API):** vault: `infrastructure/uos-server-network-api-rw` -- required to apply any radio/config changes. Vaulted 2026-06-15 by Mike. - **UniFi AP device auth (Cascades):** vault: `clients/cascades-tucson/unifi-ap-ssh` -- direct AP SSH via site VPN (needed for `watch-ap.sh` live stream; L3 reach to 192.168.2.x/3.x via split-tunnel VPN). Vaulted 2026-06-15 by Mike. 
- **UOS controller (HTTPS):** https://172.16.3.29:11443 (HTTPS 11443, not 8443) -- site `va6iba3v` / site_id `685f39068e65331c46ef6dd2` -- **GuruRMM -- RECEPTIONIST-PC:** agent ID `9c91d324-1073-449c-8cc0-45c5bccfc218` (flaky WebSocket, may lag fleet updates) +- **GuruRMM -- RECEPTIONIST-PC (frontdesk box, serial MJ0KQHNP):** agent `2e8d8b73-82f6-4151-a3ce-879c55de4b82` (front desk). The Memory Care box (serial MJ0KQH4R, agent `57f19e17-8792-46cc-b9fd-f1909836cd17`) shares the hostname -- **rename to MEMCARE-STATION STAGED 2026-06-30** (applies on next reboot). - **GuruRMM -- ASSISTMAN-PC (Meredith Kuhn):** agent ID `cf86fa5e-96a2-494d-9cb1-8be22a518ad0` - **GuruRMM -- DESKTOP-TRCIEJA (Lupe Sanchez):** agent ID `c9bf1a2d-bfdc-401e-9cc8-f9e90bb19587` (resolve live by hostname; UUIDs change on re-enroll) -- **Remediation tool:** Full tiered app suite consented 2026-04-21. All six apps active: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on, Intune Manager. +- **Remediation tool:** Full tiered app suite consented 2026-04-21. All six apps active: Security Investigator (`bfbc12a4`), Exchange Operator (`b43e7342`), User Manager (`64fac46b`), Tenant Admin (`709e6eed`), Defender Add-on, Intune Manager. - **[SECURITY -- OPEN 2026-06-25] Tenant Admin SP holds a STANDING Privileged Authentication Administrator (PAA) role.** During Alma Montt's offboarding the `ComputerGuru - Tenant Admin` SP was JIT-elevated to PAA to reset her password; Graph then blocked the automatic teardown ("removing self from built-in role is not allowed"), leaving the role assigned. Needs a Global Admin to remove in Entra (Roles & admins -> Privileged Authentication Administrator -> remove the SP); **leave its standing Conditional Access Administrator role (intentional)**. Pending Mike's decision (coord message sent 2026-06-25). Recommended posture: keep JIT, fix the teardown so resets stop stranding PAA. 
- **Alma Montt -- OFFBOARDED 2026-06-25** (terminated; MC Life Enrichment; no PHI/ALIS access). M365 sign-in blocked, 0 licenses, mailbox -> SharedMailbox (Shelby Trozzi FullAccess+AutoMap), hidden from GAL, groups removed; on-prem AD disabled + moved to `OU=Excluded-From-Sync`. No litigation hold (no PHI). Verified live end-to-end and reconciled out of all active plans/rosters. Emergency password: vault `clients/cascades-tucson/alma-montt` (do NOT re-enable without authorization). Record: `docs/security/offboarding-2026-06-25-alma-montt.md`. +- **Tamra Matthews -- OFFBOARDED 2026-06-30** (Move-In Coordinator, Marketing/Sales; left June 2026). M365 object `2d9cf0d1-2b0b-424e-9cd1-91eaac408837` was **cloud-only** (single O365 Business Standard license) -- sessions revoked, sign-in blocked, password reset+vaulted, mailbox -> SharedMailbox (Crystal Rodriguez, Megan Hiatt, Meredith Kuhn, Ashley Jensen all FullAccess+AutoMap), hidden from GAL, license removed (seat freed), removed from `Sales`/`All Cascades`/`SG-SSPR-Eligible`. On-prem `Tamra.Matthews` (separate non-synced object in OU=Marketing) disabled + moved to `OU=Excluded-From-Sync`. **No litigation hold despite PHI-adjacent (resident-intake) role** -- Howard authorized the Alma-style preserve-but-no-hold posture (documented in the record; hold remains available -- tenant has Exchange Plan 2). Emergency passwords: vault `clients/cascades-tucson/tamra-matthews` (m365_password + ad_password; do NOT re-enable without authorization). Record: `docs/security/offboarding-2026-06-30-tamra-matthews.md`. ALIS profile disable pending (Howard, if she had one). Follow-up: breach check on Megan Hiatt (April CREDENTIAL_STUFFING marker -- verify the April remediation held). - **ComputerGuru Exchange Operator MSP app:** `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` -- vault: `msp-tools/computerguru-exchange-operator.sops.yaml`. - **Vault root:** `clients/cascades-tucson/` in vault repo 
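Review bot: the caregiver temp-password line says "all forced-change-at-next-login" and "Hybrid PHS -> these are also the M365/phone sign-in", but a must-change-at-next-logon flag (`pwdLastSet = 0`) only carries through password hash sync when the Entra Connect `ForcePasswordChangeOnLogOn` feature is enabled; without it Entra accepts the temp password indefinitely, and because the SDM phones authenticate against Entra rather than the domain, a caregiver may never be prompted on-prem at all. Suggest adding the check (`Get-ADSyncAADCompanyFeature` on CS-SERVER; enable with `Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true`) and a retire date for the vault file once all 40 passwords have been rotated. On the Tamra Matthews entry, "ALIS profile disable pending" should be a blocking follow-up rather than a trailing note: blocking the Entra sign-in does nothing for an ALIS staff record that is still on the direct-login path, which is exactly the case the Diagnostic signature line earlier in this diff describes.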
@@ -327,15 +342,19 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of, - **Never set a contact on any Syncro ticket unless explicitly requested.** At Cascades, Meredith Kuhn is the recurring wrong default that Syncro pre-selects -- she is not the correct contact. Leave `contact_id` blank. Source: `feedback_syncro_blank_contact.md`. - **Billing product for prepaid block draw:** Use a real labor type (Remote, Onsite, etc.) -- NOT "Prepaid project labor" (exempt, won't decrement the block). - **Always live-check hours before billing:** `GET /customers/20149445` in Syncro. Treat all cached hour counts as approximate. +- **Windows Home->Pro upgrade billing:** Syncro product "Windows Pro Upgrade" id 23571919 ($99/machine); machine-named lines + optional labor. MAK: vault `infrastructure/windows-pro-mak.sops.yaml`. ### Exchange Online / Message Tracing - **Get-MessageTrace is hard-deprecated (Sept 2025).** Use `Get-MessageTraceV2` instead. Key parameter change: use `ResultSize` (not `PageSize`). The deprecation error may be silently swallowed by downstream jq filters -- if a trace returns unexpectedly empty, check the raw response for a deprecation error string before assuming no mail. - **Sender-side suppression (SendGrid ESP):** If a user never receives mail from a specific sender despite a healthy mailbox, and message trace shows zero records (not even bounces), consider a SendGrid suppression list. Fix requires contacting the sender's support -- there is no M365 action. Confirmed with bill.com / inform.bill.com. +- **AutoMapping rolls back on rapid sequential grants.** Granting FullAccess with `AutoMapping:$true` to several delegates in a rapid loop can silently lose the middle writes -- they contend on the same `msExchDelegateListLink` multivalued attribute on the target mailbox and a failed link-write aborts the whole `Add-MailboxPermission`. 
**Fix:** grant one user at a time, spaced ~6-8s, `Remove-MailboxPermission` -> poll-until-NONE -> `Add-MailboxPermission -AutoMapping $true` -> verify-persists. The REST Exchange Operator schema does not expose `msExchDelegateListLink`, so use grant-persistence as the success signal. (Tamra Matthews offboarding 2026-06-30.) ### Active Directory / User Management - **Security group assignment is always explicit.** When creating or adding any Cascades user, always ask which security group(s). OU -> group auto-mirror was explicitly declined 2026-05-14. +- **`SG-Caregivers` = frontline caregivers ONLY** (Howard 2026-06-30). Admin-adjacent staff (e.g. Veronica Feller in OU=Care-Assisted Living, Christine Nyanzunda in OU=Care-Memorycare), `pilot.test`, and disabled accounts are EXCLUDED -- this reverses the earlier 6/4 plan to add Feller/Nyanzunda. +- **`SG-Caregivers` is an on-prem AD group synced by Entra Connect.** Cloud/Graph adds fail (HTTP 400). Do all membership writes on CS-SERVER via RMM (`Add-ADGroupMember`). - **New user mandatory order (folder redirection):** 1. Create AD user 
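Review bot: the AutoMapping bullet states the mechanism as fact ("they contend on the same `msExchDelegateListLink` multivalued attribute ... a failed link-write aborts the whole `Add-MailboxPermission`") while the same bullet admits the REST Exchange Operator schema cannot read that attribute, so the explanation is inferred from grant persistence; label it as the working hypothesis and keep the observable as the rule (rapid sequential `-AutoMapping $true` grants lose middle delegates; verify each grant before issuing the next). The fix sequence also removes and re-adds existing permissions, which briefly revokes a delegate's access to a mailbox that may be open in Outlook; say so, or only remove/re-add the delegate whose grant did not persist. The `SG-Caregivers` "frontline ONLY, excludes `pilot.test` and disabled accounts" rule has no enforcement step; suggest a periodic check in the same bullet (`Get-ADGroupMember SG-Caregivers | Get-ADUser | Where-Object { -not $_.Enabled }` on CS-SERVER) so the exclusion does not silently erode, and fold the on-prem-only membership note into the one already on the Entra Connect line.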
@@ -361,31 +380,46 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of, - **`svc-scan`** = dedicated AD service account (CN=Users, PasswordNeverExpires, CannotChangePassword) for the Brother's SMB auth. Vault: `clients/cascades-tucson/svc-scan.sops.yaml`. - **REUSE `svc-scan` for EVERY future scanner->network-folder setup at Cascades** (Howard, 2026-06-09) -- do NOT create a per-printer/per-folder scan account. - **Brother MFC-L8900CDW "Business Office" printer (10.0.20.220) -- Scan-to-Network profile (working 2026-06-09):** Network Folder Path `\\192.168.2.254\AcctDept\Scans`; **Auth Method NTLMv2** (not Auto/Kerberos -- printer can't KDC across VLAN); Username `cascades\svc-scan`; PDF Multi-Page. -- **[CORRECTED 2026-06-24, live] CS-SERVER CAN reach VLAN 20 -- server-hosted printing to VLAN-20 printers works.** CS-SERVER routes to `10.0.20.0/24` via the default gateway (pfSense `192.168.0.1`) and **pings the VLAN-20 gateway `10.0.20.1` fine**. The VLAN-20 print queues already on the server (Business Office/AcctDept Brother L8900CDW `10.0.20.220`, Memory Care Reception Epson `10.0.20.78`, Life Enrichment Canon `10.0.20.94`) print through it. **Caveat:** the printers often **don't answer ICMP ping when asleep** (and 9100 may show closed while idle) -- that is NOT a firewall block; a real print job wakes them. (Supersedes the earlier "main-LAN -> VLAN 20 blocked at pfSense" note, which was a stale/over-broad reading -- likely the printer being asleep or a since-changed rule. The printer's web-UI config from CS-SERVER may still be hit-or-miss when the device is idle; use a VLAN-20 PC if the GUI won't load.) +- **[CORRECTED 2026-06-24, live] CS-SERVER CAN reach VLAN 20 -- server-hosted printing to VLAN-20 printers works.** CS-SERVER routes to `10.0.20.0/24` via the default gateway (pfSense `192.168.0.1`) and **pings the VLAN-20 gateway `10.0.20.1` fine**. The VLAN-20 print queues already on the server print through it. 
**Caveat:** the printers often **don't answer ICMP ping when asleep** (and 9100 may show closed while idle) -- that is NOT a firewall block; a real print job wakes them. **[REFINED 2026-06-30] The one real block was policy-routing, not the firewall:** the LAN "allow LAN to any" rule's Gateway=WAN_Group sent CS-SERVER->VLAN 20 out the WAN. A top LAN pass rule (src 192.168.2.248, dst 10.0.20.0/24, gw=default) fixed it -- see pfSense Operations. - **Persistent drive maps to `\\cs-server\AcctDept`:** Chris (DESKTOP-N5G1ROO) Y:, Zachary (ACCT2-PC) Y:, Lauren (DESKTOP-H6QHRR7) X:. - **`\\CS-SERVER\BusinessOffice` (Business Office - Brother L8900CDW, `10.0.20.220`) = the "Accounting Assistant" printer in room 101** -- one physical L8900CDW, already a shared print queue on CS-SERVER. Attached to Chris Knight's PC (DESKTOP-N5G1ROO) 2026-06-24. Do NOT create a duplicate "Accounting Assistant Printer" queue -- it's this one. -- **Executive restricted share (built 2026-06-24, ticket #32193):** `D:\Shares\Executive` on CS-SERVER, shared as **`\\cs-server\Executive`**; inheritance broken; SYSTEM / BUILTIN\Administrators = Full; `CASCADES\Ashley.Jensen` + `CASCADES\Meredith.Kuhn` = Modify (no Everyone); share-access limited to the same two + Admins. Mapped persistent `E:` on DESKTOP-U2DHAP0 (Ashley) and ASSISTMAN-PC (Meredith), RW-verified. NOTE: clients reach CS-SERVER SMB at **192.168.2.248** (registered DNS / Ethernet idx16), NOT the .254 Hyper-V vEthernet NIC -- the `phase3-pre-join-verify.ps1` hardcodes .254 and should be updated. RMM dispatch gotcha: build UNC from `[char]92` (heredoc+jq eats `\\`->`\`); surface a remotely-mapped drive in the user's running Explorer with `SHChangeNotify(SHCNE_DRIVEADD)` in their session. 
+- **Executive restricted share (built 2026-06-24, ticket #32193):** `D:\Shares\Executive` on CS-SERVER, shared as **`\\cs-server\Executive`**; inheritance broken; SYSTEM / BUILTIN\Administrators = Full; `CASCADES\Ashley.Jensen` + `CASCADES\Meredith.Kuhn` = Modify (no Everyone); share-access limited to the same two + Admins. Mapped persistent `E:` on DESKTOP-U2DHAP0 (Ashley) and ASSISTMAN-PC (Meredith), RW-verified. NOTE: clients reach CS-SERVER SMB at **192.168.2.248** (registered DNS / Ethernet idx16), NOT the .254 Hyper-V vEthernet NIC. RMM dispatch gotcha: build UNC from `[char]92` (heredoc+jq eats `\\`->`\`); surface a remotely-mapped drive in the user's running Explorer with `SHChangeNotify(SHCNE_DRIVEADD)` in their session. + +### Printers / VLAN 20 Migration (2026-06-30) + +- **Server-share model is preferred** (Howard) for domain-joined machines: `\\CS-SERVER\` print queue rather than direct-IP. **Workgroup (not-yet-domain-joined) machines get a direct-IP local printer installed as SYSTEM (machine-wide/all users)** -- no share, no domain auth, no point-and-print prompt -- switch to `\\CS-SERVER\` once domain-joined. +- **Point-and-Print policy is the correct "apply our admin rights" fix** for standard users pulling a driver from CS-SERVER (NOT making users local admins). Symptom without it: mapping elevation prompt `0x800702e4` and per-machine `/ga` silently failing at logon (PrintService event 513 / error 0xBCB) -- both are the default `RestrictDriverInstallationToAdministrators` blocking the driver pull. Set `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers`: `RestrictDriverInstallationToAdministrators=0` + subkey `PointAndPrint` (`Restricted=1, TrustedServers=1, ServerList=CS-SERVER, NoWarningNoElevationOnInstall=1, UpdatePromptSettings=2`), scoped to CS-SERVER. Caregiver machines already have this (why their printer GPO works); this is the prerequisite layer a printer-deployment GPO needs fleet-wide. 
+- **Canon MF741CDW / MF743CDW are UFR II ONLY -- NOT PCL.** A PCL6 driver produces **Error #822** (spools but nothing prints). CS-SERVER only staged PCL6/PS3/XPS; pulled `Canon Generic Plus UFR II V250` (INF `cnlb0ma64.inf`) from a client DriverStore to CS-SERVER (client -> `\\CS-SERVER\C$`, since CS-SERVER off-subnet can't reach a client's C$). +- **Static VLAN 20 printer IPs (2026-06-30):** Front Desk Epson ET-5800 = `10.0.20.221` (share `\\CS-SERVER\FrontDesk`); Life Enrichment Canon MF741CDW = `10.0.20.94` (share `\\CS-SERVER\LifeEnrichment`, **UFR II**; sharon.edwards + susan.hicks, default stays Copy Room); Business Office Brother L8900CDW = `10.0.20.220`; Dining Room Canon MF743CDW = `10.0.20.228` (DESKTOP-MD6UQI3, direct-IP UFR II); Chef Office Brother MFC-9330CDW = `10.0.20.236` (CHEF-PC, direct-IP; JD Martin's default stays USB Chef Printer); MedTech Brother MFC-L8900CDW = `10.0.20.74` (memcare box + DESKTOP-LPOPV30/Karen); MC Reception Epson ET-5800 = `10.0.20.78` (MEMREct-PC, not yet set up). Running map: `docs/printer-gpo-map.md`. +- **[PLANNED] Printer GPO:** put the Point-and-Print policy in a fleet-wide computer GPO; repoint `CSC - Life Enrichment Printers` GPO to `\\CS-SERVER\LifeEnrichment` (old ref `1F-132-RecRoom-Canon`); build per-room printer-deployment items as machines domain-join. `CSC - Printer Deployment` is the known disabled/empty/reference-only GPO. Howard floated packaging the migration how-to (VLAN routing/pfSense bypass, server-share repoint, Point-and-Print, UFR II, [char]92 UNC) into a reusable Cascades printer skill. ### Synology NAS (cascadesDS) / Shared File Access -- **Device specs (confirmed live 2026-06-25 via `synology` skill):** **DS718+**, **DSM 7.2.1-69057 Update 11**, **6 GB RAM**, serial 1920PEN537202. Filesystem **ext4** (NOT Btrfs); 2x WD10EZEX 1 TB (volume1). 10 shares (homes, Public, SalesDept, Server, Management + hidden `pacs`, `Activities`, `chat`, `Sandra Fish`, `web`). 30 packages running incl. 
**Active Backup for Business 3.1.0** (works on ext4 -- only ABB dedup/self-healing needs Btrfs), **Synology Drive Server 3.5.0**, Chat, VPN Server, Hybrid Share. Reachable only with the Cascades site VPN up. +- **Device specs (confirmed live 2026-06-25 via `synology` skill):** **DS718+**, **DSM 7.2.1-69057 Update 11**, **6 GB RAM**, serial 1920PEN537202. Filesystem **ext4** (NOT Btrfs); 2x WD10EZEX 1 TB (volume1). 10 shares (homes, Public, SalesDept, Server, Management + hidden `pacs`, `Activities`, `chat`, `Sandra Fish`, `web`). 30 packages running incl. **Active Backup for Business 3.1.0**, **Synology Drive Server 3.5.0**, Chat, VPN Server, Hybrid Share. Reachable only with the Cascades site VPN up. - **Stale Word owner (lock) files on cascadesDS shares:** Word creates a hidden `~$` owner file when a document is opened; orphaned on abrupt session end. **Fix:** delete the `~$` file(s). Confirmed 2026-06-10. - **Accessing cascadesDS from RMM -- always use a user session, not CS-SERVER SYSTEM.** The domain-joined CS-SERVER machine account cannot authenticate to the Synology `Public` share because cascadesDS uses workgroup "CASCADES" (same short name as the AD domain), causing Kerberos auth failures. Run the command in `user_session` context of a machine where the target user is actively logged in. -- **Synology Drive sync scope (as of 2026-06-18):** The Drive Client on CS-SERVER syncs only the **Sync DSM user's My Drive** (`/volume1/homes/Sync/Drive/`) into `D:\Shares\Main` -- one-way download. The real department shared folders (`/volume1/Server`, `/volume1/Management`, `/volume1/Public`, `/volume1/SalesDept`, etc.) are **NOT** in this scope. Note: `synopkg status SynologyDrive` falsely returns "stopped" (status 263) even when active -- verify via `systemctl is-active pkgctl-SynologyDrive` and `netstat -tlnp | grep 6690`. 
+- **Synology Drive sync scope (as of 2026-06-18):** The Drive Client on CS-SERVER syncs only the **Sync DSM user's My Drive** (`/volume1/homes/Sync/Drive/`) into `D:\Shares\Main` -- one-way download. The real department shared folders are **NOT** in this scope. Note: `synopkg status SynologyDrive` falsely returns "stopped" (status 263) even when active -- verify via `systemctl is-active pkgctl-SynologyDrive` and `netstat -tlnp | grep 6690`. ### CS-SERVER SMB & Endpoint AV (2026-06-26) -- **The "CS-SERVER SMB error 67 outage" was a TEST-METHOD ARTIFACT, not a real outage.** RMM-dispatched SMB client commands (`net use`/`net view`/`Test-Path`/`Get-SmbConnection`, even in `user_session`) **false-negative** -- they return error 67 (BAD_NETWORK_NAME) / RPC 1702 / "none" even for KNOWN-GOOD targets (proven: a user's daily-use NAS failed the same way; a client with a live server-side session showed "no connections" locally). **CS-SERVER SMB is healthy** -- `Get-SmbSession` showed 7 live SMB 3.1.1 users / 30 open files / new sessions forming. **VALIDATE SMB server-side (`Get-SmbSession`/`Get-SmbOpenFile`) or with a REAL interactive test -- never from RMM client-side results.** A drive-map `verify` failure is NOT proof of a problem (skill caveat added; errorlog `rmm/smb-testing`). +- **The "CS-SERVER SMB error 67 outage" was a TEST-METHOD ARTIFACT, not a real outage.** RMM-dispatched SMB client commands (`net use`/`net view`/`Test-Path`/`Get-SmbConnection`, even in `user_session`) **false-negative** -- they return error 67 (BAD_NETWORK_NAME) / RPC 1702 / "none" even for KNOWN-GOOD targets. **CS-SERVER SMB is healthy** -- `Get-SmbSession` showed 7 live SMB 3.1.1 users / 30 open files / new sessions forming. **VALIDATE SMB server-side (`Get-SmbSession`/`Get-SmbOpenFile`) or with a REAL interactive test -- never from RMM client-side results.** A drive-map `verify` failure is NOT proof of a problem (skill caveat added; errorlog `rmm/smb-testing`). 
- **CS-SERVER endpoint AV was DattoAV, not GravityZone Bitdefender.** It was the Datto EDR "Endpoint Protection SDK" (Bitdefender engine + Avira "Sentry" driver -> drivers `BdSentry`/`rtp1`/`rtp2`), managed by Datto RMM (CentraStage/`CagService`) + Datto EDR Agent (`HUNTAgent`/Infocyte HUNT, tenant azcomp4587). Removing the box from the GravityZone console did nothing because GravityZone never managed it. **ALL Datto software was fully removed from CS-SERVER 2026-06-26** (services deleted, `infocyte`/`CentraStage` dirs gone, registry + kernel drivers cleared). CS-SERVER was already de-enrolled from the EDR tenant, so no uninstall token could be issued -- forced removal once the tamper drivers were gone. - **Karen Rossini share access -- RESOLVED.** `CASCADES\karen.rossini` (reset + vaulted `clients/cascades-tucson/karen-rossini.sops.yaml`, member of `SG-IT-RW`) verified able to open `\CS-SERVER\Server` shares **interactively** from another PC. Her ALDocs desktop shortcut + Quick Access pin were set on DESKTOP-LPOPV30 (`\CS-SERVER\Server\ALDocs`) via the `drive-map` skill. Note: her earlier move to CSCNet (WPA3-SAE) broke NAS-by-name resolution (unrelated side effect). +### Datto EDR / Bitdefender Decommission + +- **Datto EDR/AV (Infocyte/azcomp4587) is the ACG-managed endpoint stack** (org `2d5ea96e`, target group `1dbd2b02`, reg key `6qw68y2rwl`). Install one-liner via `/rmm`: `Install-EDR -URL "https://azcomp4587.infocyte.com" -RegKey 6qw68y2rwl`. +- **Bitdefender GravityZone BEST removal is CONSOLE-ONLY.** The GravityZone Public API `createUninstallTask` is DEAD in this version and BEST anti-tampering (no uninstall password on policy "GPS Default") blocks endpoint-side uninstall. Use the console "Uninstall client" task (Network -> Cascades company `66b0448e` -> machine -> Tasks). New/replacement machines: provision Datto EDR/AV only, never Bitdefender, and never carry over prior-MSP Datto RMM/CentraStage artifacts. 
+- **RECEPTIONIST-PC is two physical boxes sharing a hostname** (frontdesk MJ0KQHNP, MemCare MJ0KQH4R -> being renamed MEMCARE-STATION). Reconcile fleets by SERIAL, not hostname -- dedup-by-hostname masks the second box's coverage gaps. +- **BD detection script:** services `^EP(Security|Protected|Update|Redline|Integration)Service$` + uninstall-registry DisplayName ~ `Bitdefender|GravityZone` + `Test-Path 'C:\Program Files\Bitdefender'`. + ### Browser / Edge - **[BUG - FLEET] Edge 149 cannot open Office files via download-list when Downloads is a UNC-redirected folder (Chromium issue 519243472).** A regression introduced in Chromium 149 prepends `\\?\` to UNC paths without converting to the correct `\\?\UNC\` form. **Symptom:** clicking `.xlsx` or `.docx` in the Edge download panel shows "Windows cannot find '\\?\\\cs-server\...'". Text files and PDFs open fine. **Trigger:** Downloads folder redirected via GPO Folder Redirection to a UNC path. **Affected build:** Edge stable 149.0.4022.52. **Fix options (none applied as of 2026-06-08):** (1) Update Edge past the fix; (2) Interim: `--disable-features=LaunchShellExecuteViaExplorer`; (3) Zero-config: use "Show in folder" then double-click from Explorer; (4) Rollback to 148. Note: pinning to 148 forfeits security fixes; prefer option 1 or 3 for HIPAA machines. ### Conditional Access / Caregiver Policies -- **Phased rollout -- never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`). The legacy "Require MFA for all users" policy stays in place. +- **Phased rollout -- never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`). The legacy "Require MFA for all users" policy stays in place. 
**All 40 real caregivers are now in `SG-Caregivers` + Business Premium licensed (2026-06-30).** - **Enforced caregiver CA policy set (unchanged as of 2026-06-03):** - `CSC - Block caregivers off Cascades network` (`e35614e1-e896-4a13-9407-076963af488f`) -- BLOCK if location not Cascades - `CSC - Block caregivers on non-compliant device` (`ede985e2-ee7e-4521-88b2-34c847c3db20`) -- BLOCK if device non-compliant. **Pending DISABLE** at allow-list cutover. 
@@ -418,8 +452,8 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of, - **Tooling (`unifi-wifi` skill -- feature-complete as of 2026-06-19):** - Collectors: `audit-site.sh`, `live-stats.sh`, `model-rank.sh`, `radio-usage.sh`, `coverage-thin.sh`, `neighbor-collect.sh`, `survey-collect.sh`, `dfs-check.sh`, `switch-audit.sh`, `gw-audit.sh`, `monitor-run.sh`, `sites.sh`. - **`survey-report.py` (NEW 2026-06-19) -- the channel-decision driver:** rolls `survey-collect` JSON into the fleet per-channel/per-band-group measured busy% table + cleanest/dirtiest ranking + suggested clean 40 MHz palette. Run it BEFORE any channel change; it's what makes the DFS-vs-non-DFS call from facts. Previously `survey-collect`'s report AND `channel-plan`'s palette had a non-DFS bias baked in -- both fixed 2026-06-19. - - Apply (gated + rollback): `apply-radio.sh` (power/width/channel/minrssi/disable/enable, --zone/--ap), `apply-wlan.sh` (minrate/bandsteer/bands/steer/bsstm/dtim/isolation/etc.), `client-control.sh` (block/unblock/kick MAC), `device-control.sh` (poe-cycle; adopt/restart/locate/upgrade), **`channel-plan.sh` (DATA-DRIVEN: `--channels ` or `--dfs ok|avoid|only`; default ranks ALL 40 MHz primaries by measured busy%; load-balance + local-search -> 0 strong co-channel).** - - pfSense: `pfsense-ssh.sh` (audit/dhcp/run -- SSH backend, no RESTAPI package needed). + - Apply (gated + rollback): `apply-radio.sh`, `apply-wlan.sh`, `client-control.sh`, `device-control.sh`, **`channel-plan.sh` (DATA-DRIVEN: `--channels ` or `--dfs ok|avoid|only`)**. + - pfSense: `pfsense-ssh.sh` (audit/dhcp/run -- SSH backend, no RESTAPI package needed; **blocked over VPN -- onsite only**). - **Creds (vault refs only):** `infrastructure/uos-server-ssh-key` (SSH/Mongo), `infrastructure/uos-server-network-api-rw` (RW API), `clients/cascades-tucson/unifi-ap-ssh` (per-AP SSH, needs site VPN), `clients/cascades-tucson/pfsense-firewall` (pfSense admin for pfsense-ssh.sh). 
### VoIP / Network Device Migration @@ -429,6 +463,7 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of, - **UniFi controller PUT 403 / CSRF:** rapid controller writes can 403 -- read the CSRF token from the `x-updated-csrf-token` response header (TOKEN-cookie JWT as fallback). - **API scratch files must be written OUTSIDE the repo.** Controller-scratch written CWD-relative got swept into commits. Use `mktemp -d` outside the repo; `.gitignore` patterns (`.fleet*`, `.ap[0-9]*`, `.vq[0-9]*`, `.q[0-9]*`) added as a backstop. - **Verify VLAN membership via the client `vlan` field, not the controller's displayed IP.** IP field caches/lags (Kitchen server phone showed stale 192.168.1.126 while actually on vlan:30). +- **Build UNC from `[char]92` in RMM PowerShell payloads.** Literal `\\` collapses to a single `\` through jq/agent, mangling the path. Recurs across printer + share dispatch. ### Voice QoS (VLAN 30) -- design (2026-06-18, NOT yet built) 
@@ -442,11 +477,13 @@ Full design: `docs/network/phase1-voice-qos-design.md`. Status DESIGN -- nothing ### pfSense Operations - **pfSense 25.07 logs are PLAIN TEXT, not binary clog.** Read with `tail`/`grep` directly. Using `clog` returns empty output and will cause false conclusions. -- **pfSense OpenVPN `--inactive` idle timeout:** The Cascades OpenVPN server has a configured `--inactive` timeout (~300s). This disconnects idle clients after ~5 min of no tunnel data. Keepalive pings do NOT reset this counter. Fix: raise or disable the `--inactive` parameter on the server profile. Fix proposed 2026-06-18; not yet applied. +- **[2026-06-30] LAN "allow LAN to any" rule policy-routes internal-VLAN traffic out the WAN.** The rule's Gateway = WAN_Group (dual-WAN), so CS-SERVER -> VLAN 20 (and any LAN -> internal-VLAN) traffic gets shoved out a WAN and fails -- NOT a firewall block. Fix: a **top LAN pass rule, Gateway = default**, scoped to the source (e.g. src CS-SERVER `192.168.2.248`, dst `10.0.20.0/24`) so residents/guests on other ingress interfaces don't match. Do it in the GUI (SSH/22 is blocked from the OpenVPN subnet). +- **pfSense OpenVPN `--inactive` idle timeout:** ~300s; disconnects idle clients after ~5 min of no tunnel data. Keepalive pings do NOT reset it. Fix: raise/disable `--inactive` on the server profile. Proposed 2026-06-18; not applied. +- **pfSense SSH/22 is blocked from the OpenVPN subnet** (GUI 443 open). The unifi-wifi `pfsense-ssh.sh` skill silently returns empty over VPN (sends ssh stderr to /dev/null) -- use the GUI remotely, or SSH from onsite. - **pfSense dirty-boot / duplicate dhcpd:** After an unclean pfSense shutdown, dhcpd may start twice. Fix: `killall dhcpd && echo "services_dhcpd_configure();" | /usr/local/sbin/pfSsh.php`; verify one instance: `pgrep -f "dhcpd -user" | wc -l` == 1. Note: `pfSsh.php` is slow (~20-40s); use timeout 60s+. 
- **Post-outage device stragglers:** Devices that booted during a DHCP-down window cache a disconnected state and do not retry once the network recovers. Realistic plan: reactive power-cycle as reports come in. Cox modem must be rebooted after a pfSense configuration restore. -### Known Issues / Pending Hygiene (as of 2026-06-20) +### Known Issues / Pending Hygiene (as of 2026-06-30) - **[BUG] Stale exclude-group on MFA-all-users policy:** The `Require multifactor authentication for all users` policy (`7e87a1c7...`) excludes `SG-Caregivers-Pilot` (`0674f0bc...`) instead of the live `SG-Caregivers` (`8b8d9222...`). Fix: PATCH `excludeGroups`. - **[DESIGN] ALIS-native 2FA is not a perimeter control.** Force all ALIS logins through Entra SSO (SSO-only, credential fallback disabled); disable ALIS-native 2FA per-user then globally. 
@@ -454,16 +491,17 @@ Full design: `docs/network/phase1-voice-qos-design.md`. Status DESIGN -- nothing - **[WARN] ~25 switch ports at 100 Mbps but gig-capable.** Investigate after WiFi optimization is stable. - **[WARN] 3 offline switches** (Switch 4th Floor #2, USW Pro Max 16 -- root cause unknown; Switch 2nd Floor #2 was reset+re-adopted 2026-06-17). Investigate onsite. - **[SECURITY] Synology Cloud Signin Portal credential exposed in vault git history (commit 1fbc0e1).** Encrypted go-forward but credential must be rotated. -- **[FLEET] Endpoint security migration in progress (2026-06-25).** Datto EDR/AV (Infocyte/azcomp4587) is the new ACG-managed endpoint stack -- 34 agents enrolled; target is all GuruRMM-managed devices. Bitdefender removed from RECEPTIONIST-PC (both boxes); orphaned BD folders cleaned on 6 machines. Pending: 2 offline machines need EDR install (DESKTOP-F94M8UT, NurseAssist); 5 offline machines need BD-check; Cascades must be removed from Syncro's BD deployment to prevent redeploy. CS-SERVER still has the prior-MSP CentraStage RMM leftover -- cleanup pending separately. +- **[FLEET] Endpoint security migration substantially complete (2026-06-30).** Datto EDR/AV (Infocyte/azcomp4587) is the ACG-managed endpoint stack -- ~34 agents enrolled. Bitdefender removed from RECEPTIONIST-PC (both boxes); orphaned BD folders cleaned; CS-SERVER fully Datto-free. **Pending:** DESKTOP-TRCIEJA BD_ACTIVE (needs GravityZone console uninstall; box slated for replacement); DESKTOP-F94M8UT (Alma's, powered off) queued EDR install; confirm Cascades removed from Syncro's BD deployment; GravityZone portal cleanup of stale RECEPTIONIST-PC records; reconcile laptop3 (EDR, no RMM agent); confirm/remove stale EDR agents laptop1 + cascades-laptop. ### Security Incidents (historical) -- **Megan Hiatt (2026-04-16):** Active credential-stuffing -- 126 failed sign-ins, bursts from Belfast GB, Hamburg DE. Password reset and SMTP AUTH disable were action items. 
Mailbox was clean (not breached). +- **Megan Hiatt (2026-04-16):** Active credential-stuffing -- 126 failed sign-ins, bursts from Belfast GB, Hamburg DE. Password reset and SMTP AUTH disable were action items. Mailbox was clean (not breached). **Re-verify the April remediation held** (flagged again during Tamra offboarding 2026-06-30). - **John Trozzi (2026-04-16, 2026-04-20):** Investigated twice -- both times NO BREACH. First: credential stuffing flag (clean). Second: inbound phishing email (clean). - **Crystal Rodriguez (2026-04-19):** Phishing investigation. Report: `clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md`. - **Canva email delivery (2026-05-20):** Alma Montt not receiving Canva invites. Resolved by adding canva.com domains to AllowedSenderDomains in EOP policies. - **ALIS AADSTS65001 (2026-06-03):** megan.hiatt, karen.rossini, memcarereceptionist could not sign in to ALIS on non-phone devices. Root cause: missing tenant-wide admin consent on ALIS SP (`e1cae4ad`). Resolved by granting `AllPrincipals` `User.Read` via Graph API. - **dunedolly21@gmail.com:** External guest invited 2026-04-14 by Lauren Hasselman from mobile. Status unknown -- confirm with Lauren. [unverified] + - **Chris Knight bill.com / BOK email delivery (2026-06-04):** Root cause was SENDER-SIDE: bill.com address on SendGrid suppression list; BOK had wrong recipient email. Resolved externally by Howard. No tenant config changes needed. Ticket #32383, Resolved. ### HIPAA Compliance 
@@ -472,7 +510,7 @@ Full design: `docs/network/phase1-voice-qos-design.md`. Status DESIGN -- nothing - **Critical open gaps:** No audit logging on D:\Homes (SS164.312(b)); Object Access auditing disabled; no SMB encryption on homes share. Audit retention infra (LAW 90d + Storage 6yr) approved but not yet built. - **Backup gap closed (2026-06-15):** Mike installed ACG cloud backup (MSP360/CloudBerry) on CS-SERVER. Verify first full completes + confirm image-based / bare-metal + system-state + retention before any drive work. - **Restored 7 deleted mailboxes (2026-04-25)** for HIPAA SS164.316(b)(2) 7-year retention. -- **Termination policy established:** Convert to shared mailbox, hide from GAL, retain 7 years. +- **Termination policy established:** Convert to shared mailbox, hide from GAL, retain 7 years. Litigation Hold is available (Exchange Plan 2) but has been waived for the two 2026-06 offboardings (Alma, Tamra) per Howard's explicit no-PHI/PHI-adjacent-but-authorized calls. - **Voice VLAN 30 (HIPAA-isolated):** All voice gear on an isolated network with internet/cloud-PBX egress only; blocked from PHI/LAN/VLAN20/mgmt. **Migration COMPLETE 2026-06-19: 37 devices on VOICE (28 Poly + 8 AudioCodes + desktop).** --- 
@@ -482,77 +520,73 @@ Full design: `docs/network/phase1-voice-qos-design.md`. Status DESIGN -- nothing > **Canonical remaining-work plan: `docs/REMAINING-WORK-PLAN.md`** (built 2026-06-24 from a live > AD+RMM domain-join diff). 7 sequenced workstreams + every open ticket mapped to one. Work from it. -Syncro live pull 2026-06-25 (end of day): **0 open Syncro tickets.** Previously open work tickets (#32194 spare machine, #32254 Chef-PC reinstall, #32319 WiFi Room 343, #32342 Copy Room switch, #32370 eFax+scanner) are now closed/resolved per Syncro. **#32230 (Karen Rossini -> ALDOCS) RESOLVED** earlier today. #32193 (Executive restricted share) closed/billed 2026-06-24. See session logs for active project work (domain migration, EDR rollout, CARF tech plan). -Invoiced hardware (work done): #32440 server SSDs, #32439 MemCare UPS, #32443 Front Desk battery backup, #32330 Chris Knight PC. +Syncro live pull 2026-06-30: **0 open Syncro tickets; 37.5 prepaid hours; 29 managed devices.** See session logs for active project work (domain migration, EDR rollout, caregiver phone SSO, VLAN 20 printer migration). -**Device-readiness for domain migration (2026-06-24 live audit, 15 un-joined online machines):** -- **READY to join** (Pro/Enterprise, internal): DESKTOP-LPOPV30 (Karen), MAINTENANCE-PC (Bruce), LAPTOP-E0STJJE8; after a reboot: ASSISTMAN-PC (Meredith), ANN-PC, Laptop2; CHEF-PC after #32254. -- **BLOCKED -- Windows Home (cannot domain-join until Pro):** LAPTOP-8P7HDSEI, MDIRECTOR-PC (Shelby), MEMRECEPT-PC, NurseAssist (Veronica), SALES4-PC (Tamra, departing). **Howard handling the Home->Pro upgrades** (list DM'd 2026-06-24). -- **OneDrive KFM ON** (unlink before folder-redirect): LAPTOP-8P7HDSEI, NurseAssist. **Pending reboots + KFM held for onsite.** -- **LAPTOP-DRQ5L558** is off the Cascades LAN (public DNS, no DC reach) -- get on-site before join. 
+- **[IN PROGRESS 2026-06-30] Caregiver phone SSO -- ALIS email-match (Howard handling).** Entra/identity side DONE (all 40 caregivers in `SG-Caregivers`, Business Premium licensed, forced-change AD temp passwords vaulted `clients/cascades-tucson/caregiver-temp-passwords-2026-06-30.sops.yaml`). Remaining: set each caregiver's ALIS staff `Email` = Entra UPN (23 confirmed just need Email=UPN; 5 blank-role confirm+match; 5 Med Techs revisit; **7 need an ALIS record created; 3 ALIS-only caregivers need AD accounts** -- Judith Palmer, Joey Ty, Alejandra Vallejo). Blanket-disable ALIS-native 2FA for the bucket as matched. Zeke Huerta stays `e.huerta@`. Also decide reactivate-vs-recreate for the 7 Discharged ALIS records (from the 6/29 crosscheck). Build path: `alis` skill `build-import` -> upload .xls in ALIS UI. +- **[IN PROGRESS] VLAN 20 (CSCNET) staff + printer migration.** Front Desk Epson (.221), Life Enrichment Canon MF741 (.94, UFR II), Dining Canon MF743 (.228), Chef Brother 9330 (.236), MedTech Brother L8900 (.74) done 2026-06-30; MC Reception Epson (.78) marked but not set up. pfSense CS-SERVER->VLAN20 policy-route bypass rule added. **Next:** Point-and-Print into a fleet-wide computer GPO; repoint `CSC - Life Enrichment Printers` GPO to `\\CS-SERVER\LifeEnrichment`; reboot MEMCARE-STATION to apply rename; domain-join the workgroup boxes (DESKTOP-MD6UQI3, CHEF-PC, MEMCARE-STATION, MEMREct-PC, DESKTOP-LPOPV30) then swap direct-IP printers to server shares. Map: `docs/printer-gpo-map.md`. +- **[SECURITY -- needs Global Admin] Remove the standing Privileged Authentication Administrator role from the `ComputerGuru - Tenant Admin` SP** (left over from Alma's offboarding password reset). Entra -> Roles & admins -> Privileged Authentication Administrator -> remove the SP; leave its Conditional Access Administrator role. Pending Mike's decision. See Access section. 
+- **[FOLLOW-UP 2026-06-30] Megan Hiatt breach re-check.** Her account carried a `CREDENTIAL_STUFFING_ACTIVE` marker in the April tenant inventory; verify the April remediation held (`/remediation-tool check megan.hiatt@`). +- **[PLANNED -- CARF accreditation] Technology and System Plan deliverable** (requested by Ashley Jensen 2026-06-24). One of the five required CARF Section-1 plans (Aging Services); must be an action document covering 8 canonical areas with per-area current tech + projected need + timeline + vendor + cost + responsible person + target/completion date, annual dated leadership sign-off. Done: gap analysis, project memory `project_cascades_carf_tech_plan`, an on-brand PDF first pass (via `impeccable`), and a pre-filled CARF intake worksheet. **Next: gather Cascades' inputs, then build the final plan branded as Cascades' (ACG as preparer); confirm the exact standard citation + review cadence.** Standing rule: all client/vendor-facing deliverables run through the `impeccable` skill before delivery. +- **[URGENT] Order replacement workstation for Lupe Sanchez (DESKTOP-TRCIEJA).** Decision made 2026-06-18. EOL Gateway ZX6971 / i3-2120 / 8 GB / Win11-unsupported. On new machine: provision GuruRMM + Datto EDR/AV only; do NOT install Bitdefender. Do not carry over any prior-MSP Datto RMM/CentraStage artifacts. (TRCIEJA is currently BD_ACTIVE -- needs GravityZone console uninstall if kept in service before replacement.) +- **[IN PROGRESS] Datto EDR/AV rollout + Bitdefender decommission.** ~34 agents enrolled (org `2d5ea96e`). Remaining: DESKTOP-TRCIEJA GravityZone console uninstall (BD_ACTIVE); DESKTOP-F94M8UT (Alma's, powered off) queued BD-aware EDR install (cmd `a4623704`); (1) Remove Cascades from Syncro's Bitdefender deployment (GUI-only). (2) GravityZone portal cleanup of stale RECEPTIONIST-PC endpoint records (company `66b0448e`). (3) Reconcile laptop3 (EDR active, no RMM agent). (4) Confirm/remove stale EDR agents laptop1 + cascades-laptop. 
CS-SERVER Datto stack already fully removed 2026-06-26. +- **[URGENT] Rotate exposed Synology Cloud Signin Portal credential.** Vault commit 1fbc0e1 committed it plaintext; encrypted go-forward but exposed in git history. Also verify MDM service account + WiFi CSCNet from that commit were never plaintext. +- **[DONE 2026-06-19] Voice VLAN (VLAN 30) migration COMPLETE -- 37 devices on VOICE.** All Poly re-keyed. RF optimized (2.4 power->medium, 5 GHz clean DFS, retry halved). Billed ticket #32444 (7h prepaid). +- **[PENDING - hardware] Bistro phone replacement.** Kitchen server phone was bad (John pulled it 2026-06-19); Bistro phone relocated to Kitchen, so the **Bistro has no phone**. Set up + re-key the replacement to the voice PPSK when it arrives. +- **[WAITING ON VERTICAL - the last voice item] Set Poly handsets to 5 GHz-only.** Residual dropped-calls are a band-selection problem: phones on saturated 2.4 GHz despite strong 5 GHz signal; band-steering won't hold the Poly fleet on 5 GHz. Phone-side 5 GHz lock is the fix (or the CSC ENT device-island plan) -- request sent to Richard Turner 2026-06-19 (`docs/network/2026-06-19-vertical-5ghz-lock-request.md`), **awaiting response**. +- **[INVESTIGATE] Phone `.210`** -- on 5 GHz at -65 dBm but ~64% retry on a clean channel; anomalous. +- **[PENDING - build] Voice QoS for VLAN 30** (pfSense HFSC 3-queue on both WANs matching `10.0.30.0/24` + UniFi WMM/switch QoS). Design done, not built. Blocker for sizing: WAN2 coax upload number. +- **[PENDING - deferred] Enable 6 GHz on CSCNet.** Blocked on `Wpa3MandatoryFor6GHzBand` -- converting CSCNet from WPA2/PPSK to WPA3+PMF touches all 427 clients. Howard's supervised decision + coordinated change window. +- **[PENDING] Measure WAN2 (coax) upload** -- remote source-route test failed; get from a WAN2-routed host or the Cox bill. +- **[PENDING] Re-enable 3 AM AP auto-upgrade** (left OFF after 2026-06-19 overnight run). 
+- **[PENDING] Stand up recurring `dfs-check.sh` radar monitor** on the DFS channels (fold into network-logging plan). +- **[PENDING - next week] MemCare min-RSSI (floors 5/6)** -- deferred until Howard adds new APs to floors 5/6. +- **[PLANNED] Network logging / observability** -- Synology cascadesDS (DSM Log Center syslog server) as collector; pfSense + UniFi + AP syslog sources; `/stat/sta` client snapshotter. Spec: `docs/network/network-logging-plan.md`. Log Center package not yet confirmed installed. +- **[PENDING] Synology Drive Team Folder migration (department shares -> CS-SERVER).** Current Drive sync covers only the Sync-user's My Drive. Pilot on `/volume1/Server` (1.9 G) first. +- **[PENDING] Watch for post-outage device stragglers.** Fix each by power-cycle. +- **[PENDING] pfSense OpenVPN `--inactive` timeout fix.** Raise/disable the ~300s idle timeout on the Cascades OpenVPN server profile. +- **[PENDING] Enable Netgate AutoConfigBackup** on pfSense. Also verify UPS covers all core infra + PoE switches on battery-backed outlets (pfSense rectified; others not confirmed). +- **[PLANNED] KPI dashboard (Ashley Jensen):** scoped 2026-06-17; client one-pager drafted. Parked pending Ashley's day-one KPIs, data-freshness need, POS/Focus-HR specifics. Confirm ALIS analytics availability with Medtelligent. +- **[HOME->PRO upgrades]** NurseAssist + DESKTOP-MD6UQI3 upgraded to Pro for Workstations 2026-06-26 (2 x $99 = $198, not yet invoiced -- Syncro product 23571919). SALES4-PC upgraded by its supplier (no ACG charge). **CascadesProxess deferred to a late-night window** (Proxess access-control server, in active use for the access-control hardware install -- reboot briefly interrupts door access; verify ProxessIQ Server restarts). 
+ +**Device-readiness for domain migration (2026-06-24 audit + 6/26 upgrades):** +- **READY to join** (Pro/Enterprise, internal): DESKTOP-LPOPV30 (Karen), MAINTENANCE-PC (Bruce), LAPTOP-E0STJJE8; after a reboot: ASSISTMAN-PC (Meredith), ANN-PC, Laptop2; CHEF-PC after #32254. NurseAssist + DESKTOP-MD6UQI3 now Pro (6/26). +- **BLOCKED -- Windows Home (until Pro):** LAPTOP-8P7HDSEI, MDIRECTOR-PC (Shelby), MEMREct-PC. CascadesProxess deferred (appliance, late-night). +- **OneDrive KFM ON** (unlink before folder-redirect): LAPTOP-8P7HDSEI, NurseAssist. +- **LAPTOP-DRQ5L558** is off the Cascades LAN -- get on-site before join. - **Decision 2026-06-24:** caregivers stay TEST-scoped -- do NOT flip the lockdown to go-live until all devices are domain-ready first. -**Non-Syncro follow-ups open as of 2026-06-25:** - -- **[SECURITY -- needs Global Admin] Remove the standing Privileged Authentication Administrator role from the `ComputerGuru - Tenant Admin` SP** (left over from Alma's offboarding password reset; Graph blocked the auto-teardown). Entra -> Roles & admins -> Privileged Authentication Administrator -> remove the SP; leave its Conditional Access Administrator role. Pending Mike's decision (coord message sent 2026-06-25). See Access section. -- **[PLANNED -- CARF accreditation] Technology and System Plan deliverable** (requested by Ashley Jensen 2026-06-24). One of the five required CARF Section-1 plans (Aging Services); must be an action document covering 8 canonical areas (hardware, software, security, confidentiality, backup, assistive technology, disaster recovery, virus protection) with per-area current tech + projected need + timeline + vendor + cost + responsible person + target/completion date, annual dated leadership sign-off. Done: gap analysis, project memory `project_cascades_carf_tech_plan`, an on-brand PDF first pass (via `impeccable`), and a pre-filled CARF intake worksheet with a costed open-items table. 
**Next: gather Cascades' inputs, then build the final plan branded as Cascades' (ACG as preparer); confirm the exact standard citation + review cadence against their Aging Services manual year.** NOTE standing rule: all client/vendor-facing deliverables run through the `impeccable` skill before delivery. - -- **[TODAY 2026-06-23 ~09:00] Planned-outage bring-up + monitoring.** Power returns ~09:00 MST; John Trozzi powers on CS-SERVER + Synology. Howard monitors bottom-up: pfSense (verify SINGLE dhcpd `pgrep -f "dhcpd -user" | wc -l`==1, WAN up -- **reboot Cox modem if WAN doesn't establish**, the missed 6/17 step) -> switches/APs re-adopt (watch UOS controller for 12/12 switches + 77/77 APs) -> CS-SERVER (AD/DNS, DHCP, Hyper-V CS-QB, shares) -> Synology -> straggler sweep (known: kitchen thermal printer). **Watch-list (6/17 casualties):** Switch 2nd Floor #2 (USL24PB 192.168.2.193, one-way L2 break -- reset+re-adopt if floors 2/3/4 don't return); duplicate dhcpd. Clean shutdown verified at 05:31 (CS-SERVER offline via RMM cloud). Runbook: `docs/runbooks/2026-06-23-planned-power-outage.md`. -- **[OPEN -- from runbook pre-flight] Confirm pfSense + core/PoE switches are on the BATTERY side of the UPS.** pfSense was on surge-only on 6/17 until Mike moved it; the other gear's battery-vs-surge placement was still "TODO -- John/onsite" at the 2026-06-22 pre-flight. Verify onsite. - -- **[URGENT] Order replacement workstation for Lupe Sanchez (DESKTOP-TRCIEJA).** Decision made 2026-06-18. EOL Gateway ZX6971 / i3-2120 / 8 GB / Win11-unsupported. On new machine: provision GuruRMM + Datto EDR/AV only; do NOT install Bitdefender (Datto EDR/AV is the new endpoint stack as of 2026-06-25). Do not carry over any prior-MSP Datto RMM/CentraStage artifacts. -- **[IN PROGRESS 2026-06-25] Datto EDR/AV rollout + Bitdefender decommission.** 34 agents now enrolled (org `2d5ea96e`). 
Remaining gaps: install EDR on DESKTOP-F94M8UT + NurseAssist (offline; queued auto-run on reconnect via watcher `bfm81iqdz`); BD-check on DESKTOP-KQSL232, DESKTOP-MD6UQI3, DESKTOP-TRCIEJA, SALES4-PC, Laptop4 (offline). **Action required:** (1) Remove Cascades from Syncro's Bitdefender deployment (GUI-only) to prevent BD redeploying onto cleaned machines. (2) Verify/remove RECEPTIONIST-PC endpoint records in GravityZone console (company `66b0448e`). (3) Reconcile laptop3 (EDR active v5552, no matching GuruRMM agent). (4) Confirm/remove stale EDR agents: laptop1 (last seen 2026-05-08) and cascades-laptop (2026-06-23). (5) CS-SERVER: confirm the CentraStage RMM leftover is removed (separate from EDR). Session log: `2026-06-25-howard-edr-rollout-bitdefender-removal.md`. -- **[URGENT] Rotate exposed Synology Cloud Signin Portal credential.** Vault commit 1fbc0e1 committed it plaintext; encrypted go-forward but credential is exposed in git history. Also verify MDM service account + WiFi CSCNet from that same commit were never plaintext. -- **[DONE 2026-06-19] Voice VLAN (VLAN 30) migration COMPLETE -- 37 devices on VOICE** (28 Poly, 8 AudioCodes `.224-.231`, Vertical desktop `.201`). All Poly re-keyed by Howard. RF optimized (2.4 power->medium, 5 GHz clean DFS, retry halved). Billed: ticket #32444 (7h prepaid -- 4 onsite + 3 remote). -- **[PENDING - hardware] Bistro phone replacement.** Kitchen server phone was bad (John pulled it 2026-06-19); the Bistro phone was relocated to the Kitchen to cover it, so the **Bistro has no phone**. Set up + re-key the replacement to the voice PPSK when it arrives. -- **[WAITING ON VERTICAL - the last voice item] Set Poly handsets to 5 GHz-only.** Residual dropped-calls are a band-selection problem: phones sit on saturated 2.4 GHz despite strong 5 GHz signal, and controller band-steering (already on) won't hold the Poly fleet on 5 GHz. 
Phone-side 5 GHz lock is the fix -- request sent to Richard Turner 2026-06-19 (`docs/network/2026-06-19-vertical-5ghz-lock-request.md`), **awaiting their response**. After they push it: re-pull per-phone data + confirm all on 5 GHz. -- **[INVESTIGATE] Phone `.210`** -- on 5 GHz at -65 dBm (good signal) but ~64% retry on a clean channel; anomalous (AP-217 or per-phone issue). -- **[PENDING - build] Voice QoS for VLAN 30** (pfSense HFSC 3-queue on both WANs matching `10.0.30.0/24` + UniFi WMM/switch QoS). Design done, not built (Howard drives pfSense GUI). Blocker for sizing: the WAN2 coax upload number. Design: `docs/network/phase1-voice-qos-design.md`. -- **[PENDING - deferred] Enable 6 GHz on CSCNet.** Blocked on `Wpa3MandatoryFor6GHzBand` -- converting CSCNet from WPA2/PPSK to WPA3+PMF touches all 427 clients. Largest untapped RF relief valve. Howard's supervised decision + coordinated change window. -- **[PENDING] Measure WAN2 (coax) upload** -- remote source-route test failed; get from a WAN2-routed host or the Cox bill (sizes the failover voice shaper). -- **[PENDING] Re-enable 3 AM AP auto-upgrade** (left OFF after 2026-06-19 overnight run; re-enable when ready). -- **[PENDING] Stand up recurring `dfs-check.sh` radar monitor** on the DFS channels (fold into network-logging plan) -- UniFi auto-vacates one AP on radar hit; the monitor tells us if it ever fires. -- **[PENDING - next week] MemCare min-RSSI (floors 5/6)** -- deferred until Howard adds new APs to floors 5/6; rooms 515/210/204 have weak clients that would be orphaned by min-RSSI today. -- **[PLANNED] Network logging / observability (spec written, build later).** Plan: **Synology cascadesDS (DSM Log Center syslog server)** as on-site collector, pfSense + UniFi-controller + AP syslog as sources, `/stat/sta` client snapshotter to fill the controller's history gap. Spec: `docs/network/network-logging-plan.md`. 
Synology specs **confirmed 2026-06-25: DS718+, DSM 7.2.1-69057 Update 11, 6 GB RAM, ext4** (see NAS section above) -- Log Center package not yet confirmed installed; check with `apis logcenter` before build. -- **[PENDING] Synology Drive Team Folder migration (department shares -> CS-SERVER).** Current Drive sync covers only the Sync-user's My Drive, not the real shared folders. Pilot on `/volume1/Server` (1.9 G) first. Pending: confirm in-scope share list, get go-ahead to execute. -- **[PENDING] Watch for post-outage device stragglers.** Devices that booted during the 2026-06-17 DHCP-down window may have cached a disconnected state. Kitchen thermal printer resolved by power-cycle. Expect additional IoT/printer/POS reports; fix each by power-cycle. -- **[PENDING] pfSense OpenVPN `--inactive` timeout fix.** Raise/disable the `--inactive` idle timeout (~300s) on the Cascades OpenVPN server profile. Proposed, not applied. -- **[PENDING] Enable Netgate AutoConfigBackup** on pfSense (no off-box config backup existed before 2026-06-17 manual vault). Also verify UPS covers all core infra + PoE switches on battery-backed outlets (pfSense rectified; others not confirmed). -- **[PLANNED] KPI dashboard (Ashley Jensen):** scoped 2026-06-17; client one-pager drafted. Parked pending Ashley's day-one KPIs, data-freshness need, and POS/Focus-HR specifics. Next: deliver one-pager; confirm ALIS analytics availability with Medtelligent. - -**Migration phase status (as of 2026-05-26):** +**Migration phase status (as of 2026-06-30):** | Machine / User | Status | |---|---| -| Sharon Edwards (DESKTOP-DLTAGOI) | Domain-joined, folder redirect working via registry workaround | +| Sharon Edwards (DESKTOP-DLTAGOI) | Domain-joined, folder redirect working via registry workaround. LifeEnrichment printer (UFR II) mapped 6/30. 
| | Ashley Jensen (DESKTOP-U2DHAP0) | Domain-joined, folder redirect manually fixed | | Crystal Rodriguez (CRYSTAL-PC) | Domain-joined, folder redirect confirmed working 2026-05-21 | -| RECEPTIONIST-PC (frontdesk) | Domain-joined 2026-05-22; loopback Replace mode, no folder redirect by design | +| RECEPTIONIST-PC (frontdesk box, MJ0KQHNP) | Domain-joined 2026-05-22; FrontDesk printer (.221) mapped 6/30 | +| RECEPTIONIST-PC (MemCare box, MJ0KQH4R) | **Rename to MEMCARE-STATION STAGED 6/30** (applies next reboot); MedTech printer (.74) set up | | NURSESTATION-PC | Domain-joined, folder redirect complete | | Lauren Hasselman | Domain-joined, folder redirect complete 2026-05-23 | -| Megan Hiatt (Marketing) | COMPLETE 2026-05-27 -- domain joined via ProfWiz, folder redirection live, data on server | -| DESKTOP-KQSL232 (Lois Lane -- CareTakers) | Blocked -- Lois Lane resistant to change; John Trozzi working with her | -| CHEF-PC, SALES4-PC, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, LAPTOP-8P7HDSEI | **On Windows Home -- blocked until Home->Pro upgrade** (2026-06-24 audit; Howard handling keys). CHEF-PC also pending #32254 reinstall. | -| ASSISTMAN-PC (Meredith), ANN-PC, DESKTOP-LPOPV30 (Karen), MAINTENANCE-PC (Bruce) | Pro/Enterprise + internal -- **READY to join** (clear pending reboot onsite first where flagged) (2026-06-24 audit) | -| HEALTH-SERVICES (Lois Lane) | Domain-joined (confirmed 2026-06-24; supersedes the old DESKTOP-KQSL232 "resistant" note for her primary box) | -| DESKTOP-TRCIEJA (Lupe Sanchez) | **EOL hardware -- replace instead of migrate.** Decision 2026-06-18. 
| +| Megan Hiatt (Marketing) | COMPLETE 2026-05-27 | +| DESKTOP-KQSL232 (Lois Lane -- old box) | Decommissioned (removed from EDR straggler list 6/26) | +| HEALTH-SERVICES (Lois Lane) | Domain-joined (confirmed 2026-06-24) | +| CHEF-PC (JD Martin), MDIRECTOR-PC, MEMREct-PC, LAPTOP-8P7HDSEI | Workgroup / Home-blocked -- direct-IP printers now; domain-join + GPO migration pending | +| NurseAssist, DESKTOP-MD6UQI3 (Dining/Alyssa) | **Upgraded to Pro 6/26**; DESKTOP-MD6UQI3 got direct-IP Dining printer (.228). Domain-join pending. | +| SALES4-PC (Tamra -- OFFBOARDED) | User offboarded 6/30; machine upgraded to Pro by supplier | +| ASSISTMAN-PC (Meredith), ANN-PC, DESKTOP-LPOPV30 (Karen), MAINTENANCE-PC (Bruce) | Pro/Enterprise + internal -- **READY to join** | +| DESKTOP-TRCIEJA (Lupe Sanchez) | **EOL hardware -- replace instead of migrate.** BD_ACTIVE (needs console uninstall if kept). | **Blocking issues / pending:** -- M365 relicensing: 31 Business Standard -> Business Premium (SUSPENDED -- time-critical, 31 SPB seats free) +- M365 relicensing: remaining suspended Business Standard users -> Business Premium (O365 Standard SKU SUSPENDED) - Break-glass accounts: not created (confirmed 2026-05-27); YubiKey arrival unconfirmed - Audit retention infra: approved 2026-04-29, not yet built -- RECEPTIONIST-PC GuruRMM agent (9c91d324): flaky WebSocket, lagging fleet - Entra Connect: OU=Administrative not yet in sync scope; UPN suffix updates for that OU pending -- NURSESTATION-PC: reboot required to activate `CSC - Caregiver Device Lockdown` GPO (deployed 2026-06-05; verify lock@3min, 90s warning, sign-out@15min, never-sleep) -- Caregiver device allow-list: ASSISTNURSE-PC needs re-join + re-tag after Win11 reinstall; LAPTOP-8P7HDSEI Win11 upgrade + join/tag still pending; then cutover (enable allow-list policy, disable compliance-block) +- NURSESTATION-PC: reboot required to activate `CSC - Caregiver Device Lockdown` GPO (deployed 2026-06-05) +- Caregiver device allow-list: 
ASSISTNURSE-PC needs re-join + re-tag after Win11 reinstall; LAPTOP-8P7HDSEI Win11 upgrade + join/tag pending; then cutover - ALIS office/privileged standardization: move office/managers/nurses to ALIS SSO-only; disable ALIS-native 2FA per-user then globally - Fix stale `SG-Caregivers-Pilot` exclude-group on `Require MFA for all users` policy -- LAPTOP-8P7HDSEI: upgrade Win 10 -> Win 11 before PHI use -- Edge UNC download bug (Chromium 149): decide fix path for Ashley Jensen + Lois Lane and fleet; no fix applied as of 2026-06-08 - ALIS app session timeout: lower from 20 to 15 min (Howard, ALIS admin) -- PENDING -- **[CORRECTED 2026-06-24] CS-SERVER RAID is HEALTHY (live OMSA), not degraded.** The 6/15 degraded state self-recovered after a power cycle; both mirrors Ok, all 5 disks Online, all LEDs green, 1:0:4 = global hot spare. **No emergency drive swap.** Planned reliability upgrade: replace the 2 consumer 320 GB drives (esp. flaky WD 0:0:3) with the 2x enterprise SSD already purchased, on a scheduled window with a confirmed image/system-state backup. **[WARN] PSU redundancy lost** (one PSU not delivering -- check onsite). Service Tag 9MQFTK1. See Infrastructure for the full live disk map. -- **[INFO] CS-SERVER cloud backup (MSP360/CloudBerry):** **verified running 2026-06-24** -- last run Success, 0 failed, 575.7 GB baseline in cloud (incrementals working). Still confirm it's image-based/bare-metal/system-state (looks file-level) + retention. -- **[CLEANUP] CS-SERVER agent sprawl:** remove the previous MSP's leftover Datto RMM (CentraStage) + Datto EDR (Infocyte) stack. +- **[CORRECTED 2026-06-24] CS-SERVER RAID is HEALTHY (live OMSA), not degraded.** No emergency drive swap. Planned reliability upgrade: replace the 2 consumer 320 GB drives with the 2x enterprise SSD already purchased, on a scheduled window. **[WARN] PSU redundancy lost.** Service Tag 9MQFTK1. +- **[INFO] CS-SERVER cloud backup (MSP360/CloudBerry):** verified running 2026-06-24. 
Still confirm image-based/bare-metal/system-state + retention. --- 
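Review bot: the new `RECEPTIONIST-PC (frontdesk box, MJ0KQHNP)` row drops the `loopback Replace mode, no folder redirect by design` detail that the removed row carried, and the rewritten NURSESTATION-PC line drops the acceptance checks for the `CSC - Caregiver Device Lockdown` GPO (`verify lock@3min, 90s warning, sign-out@15min, never-sleep`); those were the only places on the page that recorded the intended lockdown behaviour for the shared HIPAA workstations, so keep them in the `+` rows. Also in this hunk: `MEMREct-PC` in the Workgroup/Home-blocked row is a typo for `MEMRECEPT-PC` (the removed row spells it correctly); the `RECEPTIONIST-PC GuruRMM agent (9c91d324): flaky WebSocket` and `Edge UNC download bug (Chromium 149)` blocking items are deleted without a resolution recorded anywhere in the diff, so either keep them or add the closing history entry; the RAID planned-upgrade line loses the `with a confirmed image/system-state backup` precondition for the drive swap, which is the one gate that matters on a single DC; and `remaining suspended Business Standard users` replaces a concrete seat count with no number, so state how many remain.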
@@ -583,78 +617,40 @@ Invoiced hardware (work done): #32440 server SSDs, #32439 MemCare UPS, #32443 Fr | 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Root cause sender-side. | | 2026-06-05 | NURSESTATION-PC localadmin login-screen issue resolved. Caregiver test rig built. Hybrid Entra Join + GPOs deployed: `CSC - Caregiver Workstation` validated; `CSC - Caregiver Device Lockdown` deployed to `OU=Caregiver Devices`. Ticket #32303 billed 7.0h, invoice #67782 ($0.00 prepaid). | | 2026-06-08 | **Chris Knight workstation setup (onsite).** DESKTOP-N5G1ROO domain-joined + GuruRMM-enrolled. **MAJOR: root-caused native Folder Redirection failure** -- FR GPO targets were in misnamed `fdeploy1.ini`; fixed by writing correct `fdeploy.ini` + version bump. **ASSISTNURSE-PC reinstalled (Win10->Win11).** Edge UNC download bug diagnosed (no fix applied). | -| 2026-06-09 | **Accounting scan-to-folder built.** `D:\Shares\Accounting` on CS-SERVER; shared as `\\CS-SERVER\AcctDept`; `svc-scan` service account vaulted; Brother MFC-L8900CDW Scan-to-Network configured (NTLMv2, confirmed). Persistent drive maps set (Chris Y:, Zachary Y:, Lauren X:). | -| 2026-06-10 | **Meredith Kuhn locked Word doc -- stale owner files on cascadesDS.** Five orphaned `~$` files deleted via RMM in Meredith's user session. Ticket #32403, 0.5h remote, block 56.75->56.25. | +| 2026-06-09 | **Accounting scan-to-folder built.** `D:\Shares\Accounting` on CS-SERVER; shared as `\\CS-SERVER\AcctDept`; `svc-scan` service account vaulted; Brother MFC-L8900CDW Scan-to-Network configured (NTLMv2, confirmed). Persistent drive maps set. | +| 2026-06-10 | **Meredith Kuhn locked Word doc -- stale owner files on cascadesDS.** Five orphaned `~$` files deleted via RMM. Ticket #32403, 0.5h remote, block 56.75->56.25. 
| | 2026-06-12 | **Created shared mailboxes grievances@ + Surveys@ and delegated to Meredith & Ashley.** All 8 permission grants verified. Ticket #32417, 0.5h remote, block 56.25->55.75. | | 2026-06-15 | **Wireless RF full audit -- controller access gained.** Mike vaulted SSH key + RW admin + AP SSH. Live audit confirmed 77 U7-Pro APs, ~574->587 clients, 2.4 GHz saturation as primary pain band. | -| 2026-06-15 | **CS-SERVER slowness root-caused to degraded RAID-1; cloud backup started; pfSense OpenVPN password reset.** PD 0:0:3 (320 GB WD SATA) Critical/Removed; C: on single 320 GB Hitachi 5400 RPM spindle. MSP360/CloudBerry cloud backup installed on CS-SERVER (closes HIPAA backup gap). | -| 2026-06-16 | **Voice VLAN plan for Vertical phones (PLANNED, not executed).** Designed VLAN 30 VOICE (10.0.30.0/24, isolated, internet-only egress); cutover runbook written. Floor-4 2.4 GHz power-down pilot applied (first production RF change): 14/15 radios to 6 dBm, retry 13.2->9.5%. `dfs-check.sh` confirmed ZERO real radar events fleet-wide. `unifi-wifi` skill feature-complete. | -| 2026-06-16 | **pfSense confirmed as pfSense Plus 25.07-RELEASE; health verified; Howard-Home LAN renumbered** (192.168.0.0/24 -> 10.137.42.0/24; removed collision with Cascades). `pfsense-ssh.sh` built and validated. | -| 2026-06-17 | **Voice VLAN 30 built + verified; Vertical desktop + initial Poly phones migrated.** Richard Turner confirmed window; pfSense igc1.30 interface + isolation rules built. Vertical desktop migrated (port-16 bounce via controller API + CSRF); key learnings: desktop is DHCP, Vertical uses LogMeIn. | -| 2026-06-17 | **Power outage -- full site down + recovery.** pfSense on UPS surge-only side -> unclean shutdown -> duplicate dhcpd + 2nd-floor switch one-way L2. Howard killed duplicate dhcpd; Mike moved pfSense to battery, restored on-box config, reset+re-adopted Switch 2nd Floor #2, rebooted Cox modem. 5GHz auto-channel applied (co-channel 25->30, worse). 
pfSense config vaulted. Pre-existing plaintext Synology signin credential found (vault history commit 1fbc0e1). | -| 2026-06-17 | **KPI dashboard scoping (advisory).** 9 reporting systems catalogued. Recommended Phase 1 (exports->SharePoint->Power BI Pro). Proposals drafted. Parked pending Ashley's KPIs. | -| 2026-06-18 | **Voice VLAN 30 cutover COMPLETE (8 AudioCodes added; 22 Poly done).** AudioCodes required physical power-cycle (externally powered, PoE bounce was no-op). Per-phone diagnosis: dropped-calls are RF (band selection), not VLAN. 6 GHz root-caused dark (CSCNet not broadcasting 6g). Holistic optimization master plan built. | -| 2026-06-18 | **DESKTOP-TRCIEJA (Lupe Sanchez) perf diagnosed; replace decision.** Root causes: EOL hardware (i3-2120) + dual real-time AV (Bitdefender + leftover Datto stack). | -| 2026-06-18 | **Synology Drive sync architecture diagnosed.** Current scope: Sync-user My Drive only; real shared folders NOT mirrored. Team Folder migration plan produced. | -| 2026-06-18 | **Power outage follow-ups: OpenVPN flapping root-caused (--inactive timeout, not a fault); kitchen printer straggler resolved by power-cycle.** | -| 2026-06-19 | **PRODUCTION RF OPTIMIZATION APPLIED (autonomous 2 AM window) -- 5 GHz retry HALVED.** 2.4 power -> MEDIUM on 47 radios (over-thinning fix + MemCare off full power; per-AP targeting). CSCNet BSS-transition ON. 6 GHz attempted but BLOCKED (`Wpa3MandatoryFor6GHzBand`). Blind non-DFS 5 GHz reshuffle tried, failed, rolled back. Howard's correction: scan FIRST, decide from data. Full channel survey (74/74 APs) proved DFS channels here 4-5x cleaner (2-3%) than non-DFS (ch149=12%, ch157=28%). Data-driven clean-DFS plan (8 DFS 40MHz channels, per-AP cleanest + neighbor graph-color, 0 co-channel) applied to 72 non-mesh APs. **Result: 5 GHz retry 8.7->3.8 avg (median 8.2->2.1), satisfaction median 99, all 72 APs holding DFS, 0 radar vacates.** `survey-report.py` added; `channel-plan.sh` made data-driven. 
| -| 2026-06-19 | **Voice VLAN migration COMPLETE (29/29 Poly) + band-selection diagnosis + Vertical 5 GHz handoff.** Howard walked the building, re-keyed all remaining Poly handsets to voice PPSK. Per-phone re-look: most phones on clean 5 GHz (Lauren .202: 2.4/50% -> 5GHz/12%), but several stuck on 2.4 despite -50 to -60 dBm signal -- controller band-steering not holding Poly OUI on 5 GHz. Phone-side fix: **5 GHz-only lock request sent to Richard Turner (Vertical)**, awaiting response = the last voice item. Kitchen server phone bad (pulled by John); Bistro phone relocated to Kitchen; Bistro now has no phone (replacement pending). Billed ticket #32444 (7h: 4 onsite + 3 remote), block 55.75->48.75. | -| 2026-06-23 | **Planned power outage (05:30-09:00 MST) -- clean shutdown executed + verified.** Building electrical work; to avoid the 6/17 dirty-shutdown damage (and given CS-SERVER's degraded OS mirror), all three core devices were armed 6/22 ~19:06 to self-shut-down on local schedules (CS-SERVER task 05:28, Synology 05:28, pfSense 05:30) -- firing independent of any remote session/tunnel, UPS carrying them through the cut. Verified clean at 05:31: CS-SERVER offline via RMM cloud (last_seen 05:29:49 MST); pfSense/Synology unreachable as expected (pfSense = VPN endpoint). Pre-flight confirmed cloud backup last full SUCCESS (0 errors), iDRAC AC-recovery + Synology auto-restart backstops ON. Bring-up (~09:00, John onsite) pending. Runbook: `docs/runbooks/2026-06-23-planned-power-outage.md`. | -| 2026-06-24 | **Syncro ticket review + #32193 Executive share + device-readiness audit + consolidated plan.** Reviewed/closed a batch of tickets; built restricted share `\\cs-server\Executive` for Ashley.Jensen + Meredith.Kuhn (NTFS+share scoped, E: mapped both machines RW-verified, billed 0.5h block, invoice #1650785728, block 48.75->48.25). Diagnosed two real RMM gotchas (UNC `\\` eaten in dispatch -> build from [char]92; mapped drive not shown until SHChangeNotify DRIVEADD). 
Fixed malformed priority on #32193/#32194 (Winter flag -> memory). Live AD+RMM domain-join diff: 12 staff PCs joined, ~17 to migrate; **5 on Windows Home blocked until Home->Pro** (Howard handling). Built `docs/REMAINING-WORK-PLAN.md` (7 workstreams). Decision: caregivers stay TEST-scoped until all devices domain-ready. | -| 2026-06-24 | **CS-SERVER RAID live-verified -- the "degraded/failing" flag was STALE; mirror is healthy.** Howard onsite ready to hot-swap a failing drive; live Dell OMSA (`omreport` via RMM) showed both virtual disks Ok, all 5 physical disks Online/Ok, Failure Predicted No, all LEDs green. The 6/15 "degraded" (PD 0:0:3 WD) self-recovered after a power cycle (ESM log shows repeated drive remove/install across the outages). The "5th unused drive" (1:0:4) is the **GLOBAL HOT SPARE** for the D: mirror -- NOT removable. Also surfaced: **PSU redundancy lost** (one PSU not delivering). Backup verified running (last run Success, 0 failed, 575 GB baseline; confirm BMR/system-state). **Outcome:** no drive pulled; the 2x enterprise SSD already purchased become a *planned* upgrade, not an emergency. Lesson logged: always pull live OMSA/iDRAC before acting on a stale hardware flag. Service Tag 9MQFTK1. | -| 2026-06-24 | **CARF Technology and System Plan deliverable started (Ashley Jensen request).** Built a first-pass technology-plan packet mapped to the 8 areas, then -- after the user clarified it is for **CARF accreditation** (Aging Services) -- verified the actual CARF standard via web research, produced a conformance gap analysis, an on-brand client PDF (via the `impeccable` skill, ACG design tokens), and a pre-filled CARF intake worksheet with a costed open-items table. Established a standing rule: all outbound client/vendor deliverables run through `impeccable` (memory `feedback_impeccable_on_outbound`). Project memory `project_cascades_carf_tech_plan`. Status: gathering inputs before building the final plan. 
| -| 2026-06-24 | **CSC ENT device-island consolidation plan (voice + Helpany).** Merged the Poly 5 GHz fix with the Helpany "Paul" sensor rollout: repurpose the existing CSC ENT SSID as a permanent 5 GHz-only WPA2 PPSK "device island" carrying both the Poly voice handsets (PPSK -> VLAN 30) and the Helpany radar sensors (PPSK -> new VLAN 40), separated at the VLAN layer; both vendors transition their devices remotely. Onsite gate: verify per-room 5 GHz coverage before the band flip. CSC ENT is NOT deleted -- it becomes the WPA2 island that later unblocks moving CSCNet to WPA3/WiFi7/6 GHz. Plan: `docs/network/csc-ent-device-island-plan.md`. | -| 2026-06-25 | **Alma Montt OFFBOARDED (terminated; MC Life Enrichment; no PHI/ALIS).** M365: sessions revoked, sign-in blocked, password reset+vaulted, mailbox -> SharedMailbox (Shelby Trozzi FullAccess+AutoMap), SPB license removed (seat freed), hidden from GAL, removed from groups. On-prem AD: disabled, groups stripped, moved to `OU=Excluded-From-Sync`. No litigation hold (no PHI). **Verified live end-to-end** (Graph + EXO + AD via RMM) and reconciled out of all active plans/rosters. Left a tenant-security item for Mike: the Tenant Admin SP still holds a standing Privileged Authentication Administrator role (Graph blocked the JIT teardown) -- needs GA removal. Record: `docs/security/offboarding-2026-06-25-alma-montt.md`. | -| 2026-06-25 | **Endpoint security migration: Datto EDR/AV rollout + Bitdefender decommission.** Reconciled 33 GuruRMM devices vs 27 Datto EDR agents (org `2d5ea96e`); found 8 coverage gaps. Deployed EDR to 6 online clean machines (reg key `6qw68y2rwl`, target group `1dbd2b02`); fleet count 27->33. Discovered RECEPTIONIST-PC is two distinct physical machines sharing a hostname (serials MJ0KQH4R, MJ0KQHNP); only one had EDR -- installed on the second box (33->34 agents). 
Removed Bitdefender BEST 8.26.6.644 from both RECEPTIONIST-PC boxes via GravityZone console "Uninstall client" task (API uninstall dead; no uninstall password on policy). Cleaned 6 orphaned `C:\Program Files\Bitdefender` folders (safety-checked). Queued EDR installs + BD-checks on 5-7 offline machines; background watcher `bfm81iqdz` left polling. **Datto EDR/AV is now the ACG-managed endpoint stack; Bitdefender (GravityZone BEST) being fully decommissioned.** | -| 2026-06-26 | **CS-SERVER: full Datto stack removal + SMB "outage" debunked.** The endpoint AV was DattoAV (Datto EDR "Endpoint Protection SDK", Bitdefender engine + Avira Sentry), managed by Datto RMM (CentraStage) + Datto EDR Agent (HUNTAgent/Infocyte, tenant azcomp4587) -- NOT GravityZone Bitdefender (so the console removal did nothing). Removed ALL Datto software (uninstallSdk cleared rtp1/rtp2/BdSentry; CentraStage `/VERYSILENT`; EDR agent force-removed since CS-SERVER was already de-enrolled and the tamper drivers were gone). **The long "SMB error 67" investigation was a TEST-METHOD ARTIFACT** -- RMM-dispatched SMB client cmds false-negative even for good targets; CS-SERVER SMB is healthy (`Get-SmbSession` = 7 users / 30 open files). Karen Rossini share access verified interactively; ALDocs shortcut set on DESKTOP-LPOPV30. Built the `drive-map` skill; logged the RMM-SMB-test friction. | - ---- - -## Compilation Notes - -**2026-06-26 recompile (HOWARD-HOME/claude-main):** Refreshed dynamic fields (46.75 hrs, 29 devices, 0 tickets as of 2026-06-26). Added the **CS-SERVER SMB & Endpoint AV (2026-06-26)** pattern: full Datto stack removal, the "error 67" RMM-test-artifact correction (server is healthy), and Karen ALDocs resolution. Patterns/History preserved. - -**2026-06-25 recompile #2 (HOWARD-HOME/claude-main) changes vs. prior (2026-06-25 #1, compiled during Alma offboarding session):** -- Main new source: `2026-06-25-howard-edr-rollout-bitdefender-removal.md`. 
Largest security-posture change since ACG onboarding: endpoint protection is migrating from Syncro-deployed Bitdefender GravityZone BEST to Datto EDR/AV (Infocyte/azcomp4587). -- Infrastructure > endpoint warning block replaced: stale "agent sprawl / clean up the Datto stack" replaced with the active migration status (34 agents enrolled, BD removed from RECEPTIONIST-PC, pending offline machines, confirm Syncro BD deployment removed). -- Known Issues > [FLEET] Datto stack item updated: now describes EDR migration in progress rather than "leftover from prior MSP". -- Active Work: added [IN PROGRESS 2026-06-25] EDR rollout follow-up item (offline machines, GravityZone portal cleanup, stale agents, CentraStage leftover). Lupe Sanchez replacement note updated: provision Datto EDR/AV, not Bitdefender. -- Billing: hours updated **47.75 -> 46.75** (Syncro live). Active tickets: **5 -> 0** (Syncro live end-of-day). -- History Highlights: added 2026-06-25 EDR rollout entry. Patterns & Known Issues preserved verbatim (except [FLEET] item updated for migration). All other History entries preserved verbatim. -- Sources: added EDR session log. - -**2026-06-25 recompile #1 (HOWARD-HOME/claude-main) changes vs. prior (2026-06-24):** -- Billing re-verified live (Syncro): **47.75 hrs / 29 devices / 5 open tickets** (was 48.25 / 29 / 6). #32230 (Karen->ALDOCS) RESOLVED. -- Profile: hours + active-tickets updated. Access: Alma Montt offboarding entry + Tenant Admin SP standing PAA item. Email & Identity: SPB seat count (Alma's freed). History Highlights: 2026-06-25 Alma offboarding + CARF tech plan + CSC ENT device-island entries. Active Work: Tenant Admin PAA open item; CARF deliverable status. -- Sources: added 2026-06-25 synology-skill-verify, alma-offboarding-recovery-verify, and offboarding record. - -**2026-06-24 recompile (HOWARD-HOME/claude-main) changes vs. 
prior (2026-06-23):** -- Surgical/additive update -- prior compile was 1 day old; preserved all sections verbatim, folded in the 2026-06-24 work. -- Billing re-verified live (Syncro): **48.25 hrs / 29 devices / 6 open tickets** (was 48.75 / 0 open). Block draw: 0.5h #32193. -- Profile: hours + active-tickets lines updated; Active Work now points at the new `docs/REMAINING-WORK-PLAN.md` and carries the 2026-06-24 device-readiness audit (Home-edition blockers, ready-to-join set, caregiver-test-scoped decision). -- Migration phase-status table: added 2026-06-24 domain-join reality (Home-blocked set, ready set, HEALTH-SERVICES/Lois joined). -- History Highlights: added 2026-06-24 entry. Sources: added the 2026-06-24 session log + REMAINING-WORK-PLAN.md. -- **[CORRECTION 2026-06-24, live OMSA] CS-SERVER RAID is HEALTHY, not degraded.** Replaced the stale `[CRITICAL] RAID degraded (2026-06-15)` Infrastructure block + Active-Work blocking line with the live disk map: both mirrors Ok, all 5 disks Online/green, 1:0:4 = global hot spare; the 6/15 degraded self-recovered after a power cycle. Flagged PSU redundancy lost (Service Tag 9MQFTK1). Backup verified running. The 2x SSD already purchased are now a *planned* (not emergency) reliability upgrade. Lesson saved to memory `feedback_verify_live_before_acting`. - -**2026-06-23 recompile (HOWARD-HOME/claude-main) changes vs. prior (2026-06-20, GURU-5070):** -- Surgical/additive full recompile -- the prior compile was current; the only new knowledge was the 2026-06-23 planned power outage. All other sections preserved verbatim. -- Billing re-verified live (Syncro): 48.75 hrs / 29 devices / 0 open tickets -- unchanged since 2026-06-20; "as of" dates advanced to 2026-06-23. Outage day is monitoring, not yet billed. -- Infrastructure: added [INFO] planned-outage block (clean self-shutdown armed 6/22, executed + verified clean 6/23 05:31). 
-- Active Work: added [TODAY] bring-up/monitoring item + [OPEN] UPS battery-side verification (from runbook pre-flight). -- History Highlights: added 2026-06-23 planned-outage entry. Sources: added the runbook + the 2026-06-23 session log. - -**2026-06-20 recompile (GURU-5070/claude-main) changes vs. prior (2026-06-19, HOWARD-HOME):** -- Billing updated: 48.75 hrs as of 2026-06-20 (Syncro authoritative); ticket #32444 (7h) reflected in block balance and ticket list. -- Infrastructure > Network > Wireless RF section updated: replaced stale "OVER-THINNED (as of 2026-06-17)" and "NOT applied (pending go-ahead)" narrative with the actual applied 2026-06-19 state (2.4 Medium, 5 GHz clean DFS 40MHz, results). -- Patterns > Wireless: replaced stale "Remediation status (as of 2026-06-17 -- OVER-THINNED)" block with "APPLIED 2026-06-19" block; removed Phase C disable list (advisory, superseded by current state); removed stale "non-DFS only recommended" text from 5 GHz line. -- Active Work: removed stale "Wireless RF Phase 0 + Phase 1 (pending go-ahead)" item (executed); updated master plan item (P2b and P3 done, remaining P1/P4/P5 and 6GHz deferred); added new RF follow-ups (re-enable auto-upgrade, DFS radar monitor, MemCare min-RSSI, 6GHz deferred/Howard decision). -- All other sections preserved verbatim from prior compile. - -**Client folder:** `clients/cascades-tucson/` (NOT `clients/cascades/` -- that directory does not exist). +| 2026-06-15 | **CS-SERVER slowness root-caused to (then) degraded RAID-1; cloud backup started; pfSense OpenVPN password reset.** MSP360/CloudBerry cloud backup installed on CS-SERVER (closes HIPAA backup gap). | +| 2026-06-16 | **Voice VLAN plan for Vertical phones (PLANNED).** Designed VLAN 30 VOICE; cutover runbook written. Floor-4 2.4 GHz power-down pilot applied. `dfs-check.sh` confirmed ZERO real radar events fleet-wide. `unifi-wifi` skill feature-complete. 
| +| 2026-06-16 | **pfSense confirmed as pfSense Plus 25.07-RELEASE; health verified; Howard-Home LAN renumbered** (removed collision with Cascades). `pfsense-ssh.sh` built. | +| 2026-06-17 | **Voice VLAN 30 built + verified; Vertical desktop + initial Poly phones migrated.** pfSense igc1.30 interface + isolation rules built. | +| 2026-06-17 | **Power outage -- full site down + recovery.** pfSense on UPS surge-only side -> unclean shutdown -> duplicate dhcpd + 2nd-floor switch one-way L2. Recovered; pfSense moved to battery, config vaulted. Pre-existing plaintext Synology signin credential found (vault commit 1fbc0e1). | +| 2026-06-17 | **KPI dashboard scoping (advisory).** 9 reporting systems catalogued. Recommended Phase 1 (exports->SharePoint->Power BI Pro). Parked. | +| 2026-06-18 | **Voice VLAN 30 cutover (8 AudioCodes added; 22 Poly done).** AudioCodes required physical power-cycle. Per-phone diagnosis: dropped-calls are RF (band selection). 6 GHz root-caused dark. Optimization master plan built. | +| 2026-06-18 | **DESKTOP-TRCIEJA (Lupe Sanchez) perf diagnosed; replace decision.** EOL hardware + dual real-time AV. | +| 2026-06-18 | **Synology Drive sync architecture diagnosed.** Sync-user My Drive only; real shared folders NOT mirrored. Team Folder plan produced. | +| 2026-06-18 | **Power outage follow-ups: OpenVPN flapping root-caused (--inactive timeout); kitchen printer straggler resolved.** | +| 2026-06-19 | **PRODUCTION RF OPTIMIZATION APPLIED (2 AM window) -- 5 GHz retry HALVED.** 2.4 power -> MEDIUM on 47 radios. CSCNet BSS-transition ON. Full channel survey (74/74 APs) proved DFS 4-5x cleaner than non-DFS; data-driven clean-DFS plan applied to 72 non-mesh APs (retry 8.7->3.8 avg, 0 co-channel, 0 radar). `survey-report.py` added. | +| 2026-06-19 | **Voice VLAN migration COMPLETE (29/29 Poly) + band-selection diagnosis + Vertical 5 GHz handoff.** Howard re-keyed all remaining Poly handsets. 
5 GHz-only lock request sent to Richard Turner (Vertical) = last voice item. Kitchen server phone bad (pulled); Bistro relocated to Kitchen; Bistro now has no phone. Billed ticket #32444 (7h), block 55.75->48.75. | +| 2026-06-23 | **Planned power outage (05:30-09:00 MST) -- clean shutdown executed + verified.** All three core devices self-shut-down on local schedules (independent of tunnel), UPS carried them through. Verified clean at 05:31. Pre-flight confirmed cloud backup SUCCESS + iDRAC/Synology auto-restart backstops. Runbook logged. | +| 2026-06-24 | **Syncro ticket review + #32193 Executive share + device-readiness audit + consolidated plan.** Built restricted share `\\cs-server\Executive` (billed 0.5h). Live AD+RMM domain-join diff; 5 on Windows Home blocked. Built `docs/REMAINING-WORK-PLAN.md` (7 workstreams). Caregivers stay TEST-scoped. | +| 2026-06-24 | **CS-SERVER RAID live-verified -- the "degraded/failing" flag was STALE; mirror is healthy.** Live Dell OMSA showed both virtual disks Ok, all 5 disks Online/green; the 6/15 degraded self-recovered. 1:0:4 = GLOBAL HOT SPARE. PSU redundancy lost surfaced. No drive pulled; the 2x SSD become a *planned* upgrade. Service Tag 9MQFTK1. | +| 2026-06-24 | **CARF Technology and System Plan deliverable started (Ashley Jensen).** First-pass technology-plan packet mapped to the 8 CARF areas; conformance gap analysis + on-brand PDF (via `impeccable`) + pre-filled intake worksheet. Standing rule: outbound deliverables run through `impeccable`. | +| 2026-06-24 | **CSC ENT device-island consolidation plan (voice + Helpany).** Repurpose CSC ENT as a permanent 5 GHz-only WPA2 PPSK island carrying Poly voice (-> VLAN 30) + Helpany radar sensors (-> new VLAN 40); both vendors transition remotely. Unblocks later CSCNet WPA3/6 GHz move. 
| +| 2026-06-25 | **Alma Montt OFFBOARDED (terminated; MC Life Enrichment; no PHI/ALIS).** M365: sessions revoked, sign-in blocked, password vaulted, mailbox -> SharedMailbox (Shelby FullAccess+AutoMap), SPB seat freed, hidden from GAL, groups removed. On-prem AD: disabled, moved to `OU=Excluded-From-Sync`. No litigation hold. Left tenant-security item: Tenant Admin SP holds standing PAA (Graph blocked teardown) -- needs GA removal. | +| 2026-06-25 | **Endpoint security migration: Datto EDR/AV rollout + Bitdefender decommission begins.** Reconciled 33 GuruRMM devices vs 27 Datto EDR agents; found 8 gaps. Deployed EDR to 6 online clean machines (27->33). Discovered RECEPTIONIST-PC is two physical boxes sharing a hostname (serials MJ0KQH4R, MJ0KQHNP); only one had EDR -- installed on the second (33->34). Removed Bitdefender BEST 8.26.6.644 from both RECEPTIONIST boxes via GravityZone console (API uninstall dead). Cleaned 6 orphaned BD folders. Queued EDR/BD-checks on offline machines; watcher `bfm81iqdz` left polling. | +| 2026-06-26 | **CS-SERVER: full Datto stack removal + SMB "outage" debunked.** The endpoint AV was DattoAV (Datto EDR "Endpoint Protection SDK", Bitdefender engine + Avira Sentry), managed by Datto RMM (CentraStage) + Datto EDR Agent (HUNTAgent/Infocyte, tenant azcomp4587) -- NOT GravityZone (so the console removal did nothing). Removed ALL Datto software. **The long "SMB error 67" investigation was a TEST-METHOD ARTIFACT** -- RMM-dispatched SMB client cmds false-negative even for good targets; CS-SERVER SMB is healthy (`Get-SmbSession` = 7 users / 30 open files). Karen Rossini share access verified interactively; ALDocs shortcut set. Built the `drive-map` skill. | +| 2026-06-26 | **EDR/Bitdefender straggler 9am pass.** BD-checked reconnected machines: DESKTOP-MD6UQI3, Laptop4, SALES4-PC clean; **DESKTOP-TRCIEJA = BD_ACTIVE** (needs GravityZone console uninstall). NurseAssist queued EDR install confirmed (agent `23c3c36e`). 
DESKTOP-F94M8UT (Alma's, powered off) EDR install queued; DESKTOP-KQSL232 (Lois's old box) decommissioned/removed from list. | +| 2026-06-26 | **Windows Home->Pro upgrades continued.** NurseAssist + DESKTOP-MD6UQI3 upgraded to Pro for Workstations (changepk edition flip as SYSTEM -> 2-min user reboot warning -> slmgr MAK/ato). Both VOLUME_MAK Licensed. Confirmed NurseAssist is a distinct machine from Assistnurse-pc. SALES4-PC done by supplier. CascadesProxess deferred to a late-night window (access-control appliance in active use). 2 x $99 to bill. | +| 2026-06-29 | **ALIS caregiver phone-only + caretaker-only crosscheck.** Cross-checked the staff CSV against the live ALIS roster (107 Hired, communityId 622): phone-only caregivers = NONE (only the 3 Transportation drivers are phone-only, and they don't need ALIS); 30 caretaker-only; 2 caregivers carry extra roles (Feller, Nyanzunda); 3 "Care" entries are directors/nurses; **7 caregiver-list people exist in ALIS only as Discharged records** (decide reactivate-vs-recreate). | +| 2026-06-30 | **Caregiver phone SSO -- license + group + temp-password onboarding.** Completed the Entra/identity side for all 40 frontline caregivers: added the 2 missing to `SG-Caregivers` (now 40), assigned Business Premium (Howard bought 11 more seats -> SPB 34->45 enabled), and set unique forced-change AD temp passwords (vaulted `caregiver-temp-passwords-2026-06-30.sops.yaml`, delivered via Discord DM). `SG-Caregivers` corrected to frontline caregivers ONLY (excl. Feller/Nyanzunda). Remaining gate: ALIS Email=UPN match (Howard) + create ALIS records for 7 + AD accounts for 3 ALIS-only caregivers. | +| 2026-06-30 | **Tamra Matthews OFFBOARDED (Move-In Coordinator; left June 2026).** Cloud-only M365 object: sessions revoked, sign-in blocked, password vaulted, mailbox -> SharedMailbox (Crystal/Megan/Meredith/Ashley FullAccess+AutoMap), O365 Standard seat freed, hidden from GAL, 3 groups stripped. 
On-prem AD disabled + moved to `OU=Excluded-From-Sync`. No litigation hold despite PHI-adjacent role (Howard authorized). AutoMapping rollback on rapid grants root-caused (spaced one-at-a-time fix). Follow-up: Megan Hiatt breach re-check. | +| 2026-06-30 | **VLAN 20 (CSCNET) printer migration.** Migrated Front Desk Epson ET-5800 (.221) + Life Enrichment Canon MF741 (.94) onto VLAN 20 server shares, then dining/chef/medtech/MC-reception. Root-caused a hard blocker: CS-SERVER couldn't reach VLAN 20 printers because the LAN "allow LAN to any" rule policy-routed internal traffic out the WAN (WAN_Group gateway) -- fixed with a top LAN pass rule (gw=default, src CS-SERVER). Established the Point-and-Print policy fix for standard-user driver installs and the Canon UFR-II-only driver requirement (PCL6 -> Error #822). Staged RECEPTIONIST-PC (MemCare box) rename to MEMCARE-STATION. GPO planning doc `docs/printer-gpo-map.md` created. | --- ## Backlinks -- [[projects/gururmm]] -- RECEPTIONIST-PC enrolled (site CascadesTucson); CS-SERVER enrolled +- [[projects/gururmm]] -- RECEPTIONIST-PC + CS-SERVER enrolled (site CascadesTucson); fleet EDR/BD + Home->Pro + printer work driven via GuruRMM - [[wiki/systems/uos-server]] -- shared UOS controller hosts the Cascades UniFi site (site_id `685f39068e65331c46ef6dd2`); SSH/Mongo access via `infrastructure/uos-server-ssh-key` diff --git a/wiki/index.md b/wiki/index.md index def64aac..a1bba333 100644 --- a/wiki/index.md +++ b/wiki/index.md @@ -1,6 +1,6 @@ # Wiki Index -Last updated: 2026-06-29 +Last updated: 2026-06-30 Compiled by: HOWARD-HOME/claude-main This wiki is LLM-maintained. Do not edit articles manually — run `/wiki-compile` to update. 
@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | Article | Summary | Last Compiled | |---|---|---| -| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **46.75 hrs remaining** (live 2026-06-26); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610 -- RAID **live-verified HEALTHY 2026-06-24** (the 6/15 "degraded" self-recovered; both mirrors Ok, 1:0:4 = global hot spare; consumer 320GB drives + lost-PSU-redundancy are planned follow-ups, NOT an emergency); cloud backup verified running; **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 0 open tickets (live EOD 2026-06-25), device-readiness audit done (5 PCs on Win Home need Home->Pro before join); **Alma Montt offboarded 2026-06-25** (Tenant Admin SP left holding a standing PAA role -- removal pending Mike); **CARF Technology & System Plan** deliverable in progress for Ashley Jensen; **endpoint security migration started 2026-06-25** (Datto EDR/AV replacing Bitdefender; 34 agents enrolled); **CS-SERVER: all Datto software removed 2026-06-26**, and the CS-SERVER "SMB error 67" proved to be an RMM-test artifact -- server is healthy, Karen share access verified interactively; remaining-work plan: docs/REMAINING-WORK-PLAN.md | 2026-06-26 | +| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **37.5 hrs remaining** (live 2026-06-30); senior living; active domain migration + HIPAA caregiver-lockdown project (GPOs 
deployed; Entra Hybrid Join + CA allow-list + ALIS SSO model proven); single DC (CS-SERVER) on aging R610 -- RAID **live-verified HEALTHY 2026-06-24** (the 6/15 "degraded" self-recovered; both mirrors Ok, 1:0:4 = global hot spare; consumer 320GB drives + lost-PSU-redundancy are planned follow-ups, NOT an emergency); cloud backup verified running; **Planned power outage 2026-06-23** clean self-shutdown executed + verified (bring-up ~09:00, John onsite); **Voice VLAN 30 migration COMPLETE 2026-06-19** (~38 devices: 29 Poly + 8 AudioCodes + desktop; awaiting Vertical to set Poly 5GHz-only); **UniFi RF optimized 2026-06-19** (77 U7-Pro APs/~587 clients: 2.4GHz power->Medium on 47 radios + 5GHz clean-DFS 40MHz channel plan -> 5GHz retry halved; 6GHz blocked by WPA3 on PPSK SSID); Syncro 0 open tickets (live EOD 2026-06-25), device-readiness audit done (5 PCs on Win Home need Home->Pro before join); **Alma Montt offboarded 2026-06-25** (Tenant Admin SP left holding a standing PAA role -- removal pending Mike); **CARF Technology & System Plan** deliverable in progress for Ashley Jensen; **endpoint security migration started 2026-06-25** (Datto EDR/AV replacing Bitdefender; 34 agents enrolled); **CS-SERVER: all Datto software removed 2026-06-26**, and the CS-SERVER "SMB error 67" proved to be an RMM-test artifact -- server is healthy, Karen share access verified interactively; **caregiver phone SSO 2026-06-30: all 40 frontline caregivers licensed (Business Premium) + in SG-Caregivers + forced-change AD temp passwords -- Entra side DONE, ALIS Email=UPN match pending**; remaining-work plan: docs/REMAINING-WORK-PLAN.md | 2026-06-30 | | [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, **31.5 hrs remaining** (live 2026-06-23); signal-conditioning manufacturer; 64 DOS test stations; 2025 ransomware recovery + incomplete file restore (migration-gap audit); 2026-03 phishing + MFA rollout; test-datasheet pipeline (DSCA cert publish via Hoffman API + 
testdatadb UI on AD2); mail stack INKY->Mailprotector CloudFilter->EXO; FreePBX 17 outage fixed 2026-06-08/09 (qualify_frequency=0; no RTP-forward); shares-ACL project (all open to staff; Phase 2 target-state strawman drafted 2026-06-22); Syncro asset reconciliation 2026-06-02; GuruRMM fleet ~45; Bitdefender phase-off | 2026-06-23 | | [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 | | [Jimmy Company](clients/jimmy.md) | Break-fix, $150/hr; single aging workstation BLASTER2 (Win10 22H2 EOL, i5-3470/3.8GB — replace); backups the recurring theme (QuickBooks data); onboarded to GuruRMM 2026-06-19 (RDP NLA + Kaseya removal + cleanup); MSP360 local backup drive full, 90-day retention set, space reclaim pending in console (cloud B2 healthy) | 2026-06-19 |
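Review bot: in the wiki/clients/cascades-tucson.md timeline hunk, the 2026-06-30 VLAN 20 row fixes a blanket root cause with a single-host rule. The row says the LAN "allow LAN to any" rule policy-routed all internal traffic out WAN_Group, but the fix recorded is "a top LAN pass rule (gw=default, src CS-SERVER)", which only exempts CS-SERVER; any other LAN host that later needs to reach VLAN 20 (or any other internal VLAN) will hit the same failure with no note explaining why. Either record here that CS-SERVER is the only LAN host that needs cross-VLAN reachability, or replace the host-specific exemption with a destination-based pass rule for the internal VLAN ranges (gw=default) placed above the policy-route rule, and say which was done. Separately, the caregiver phone SSO row records temp passwords "delivered via Discord DM" but lists no follow-up under "Remaining gate" for deleting those DMs after the forced change has happened, or for verifying that all 40 accounts actually completed the change; add both as explicit items.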
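Review bot: in the wiki/index.md `@@ -18,7 +18,7 @@` hunk, the Cascades summary row is refreshed only for the hours figure and the caregiver SSO item, and still carries items this same patch's timeline supersedes. "Syncro 0 open tickets (live EOD 2026-06-25)" and "5 PCs on Win Home need Home->Pro before join" predate the 2026-06-26 Pro upgrades (NurseAssist, DESKTOP-MD6UQI3, SALES4-PC done; CascadesProxess deferred), and the 2026-06-30 Tamra Matthews offboarding (no litigation hold, Howard authorized) and the VLAN 20 printer migration with its LAN policy-route fix are absent even though the row already tracks the Alma Montt offboarding. Suggest updating the ticket/Home-PC counts to the 2026-06-30 state and adding one-clause entries for both events, since this index row is what `/wiki-lint` stale-entry checks are meant to keep current.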