sync: auto-sync from HOWARD-HOME at 2026-06-04 16:03:16

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-04 16:03:16
2026-06-04 16:03:23 -07:00
parent 532be659de
commit a51715e0ba
2 changed files with 78 additions and 1 deletions

@@ -0,0 +1,76 @@
# Cascades — Caregiver laptop Intune enrollment prep (devices@ licensed)
**Date:** 2026-06-04
**Client:** Cascades of Tucson (Syncro 20149445, Tenant `207fa277-e9d8-4eb7-ada1-1064d2221498`)
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Resumed the caregiver device allow-list rollout (continued from `2026-06-03-session.md`). The plan: Entra-join the 4 caregiver/medtech laptops so they exist as Entra device objects, then tag them onto the report-only allow-list CA policy created 2026-06-03.
Prepared the enrollment account. The dedicated provisioning account `devices@cascadestucson.com` (Cloud Device Administrator) was unlicensed, which would let a device Entra-join but skip Intune auto-enrollment. Set its `usageLocation` to US and assigned a Microsoft 365 Business Premium (SPB) license via the User Manager app so auto-MDM-enroll fires on join. The license is needed only transiently at enrollment time and can be reclaimed after the batch.
Provided Howard the start-to-finish enrollment runbook: confirm Intune MDM user scope = All (portal), Entra-join each laptop with `devices@`, verify it lands in Intune, then report device names back for tagging (`extensionAttribute1=CSCCaregiverDevice`). Recommended doing one laptop end-to-end first to validate the flow before the rest. NURSESTATION-PC remains the separate Hybrid Entra Join track.
No laptops were enrolled this session — enrollment is the next hands-on step for Howard. No repo changes beyond this log; the license assignment was a live Entra change.
## Key Decisions
- Assigned Business Premium to `devices@` rather than to a user account, keeping a dedicated provisioning identity for device joins; the seat is reclaimable post-enrollment.
- Set `usageLocation=US` on `devices@` (required before any license can be assigned).
## Problems Encountered
- First license-assignment attempt failed (HTTP 404, "Resource '197609' does not exist"). Cause: `UID` is a read-only special variable in bash, so `UID=<guid>` silently failed and `$UID` resolved to the shell's numeric user id. Resolved by renaming the variable (`DEVID`).
- Immediate license read-back showed `Business Premium=false` right after a 200 assignLicense — Entra eventual consistency. Confirmed assigned on re-read after a short delay.
## Configuration Changes
- Live Entra change (no repo files): `devices@cascadestucson.com` — set `usageLocation=US`; assigned license SPB (`cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46`) via Graph `POST /users/{id}/assignLicense` (User Manager tier). Verified present.
- Session log created (this file).
## Credentials & Secrets
- `devices@cascadestucson.com` / `Gptf*77ttb!` — Cloud Device Administrator, user ID `aaca80c6-861b-4294-8068-1033c68d7667`. Now licensed Business Premium + usageLocation US. Vault: `clients/cascades-tucson/devices-account.sops.yaml`. Use this account to Entra-join the laptops. Reclaim the Business Premium seat after the enrollment batch.
## Infrastructure & Servers
- Tenant `207fa277-e9d8-4eb7-ada1-1064d2221498`.
- SKU: Business Premium (SPB) `cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46`.
- Report-only allow-list policy (from 2026-06-03): `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; device filter excludes `(displayName -startsWith "CSC-") -or (extensionAttribute1 -eq "CSCCaregiverDevice")`.
- Target laptops (Entra join): Laptop2, LAPTOP-8P7HDSEI (Win10 — upgrade), LAPTOP-DRQ5L558, LAPTOP-E0STJJE8. NURSESTATION-PC = Hybrid join track (stale 2021 Entra record to clean).
## Commands & Outputs
```bash
# Set usageLocation then assign Business Premium (note: do NOT use $UID as a var name in bash)
DEVID=aaca80c6-861b-4294-8068-1033c68d7667
SPB=cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46
TOK=$(bash scripts/get-token.sh $TEN user-manager)
curl -s -X PATCH ... -d '{"usageLocation":"US"}' .../users/$DEVID # HTTP 204
curl -s -X POST ... -d '{"addLicenses":[{"skuId":"'$SPB'"}],"removeLicenses":[]}' \
.../users/$DEVID/assignLicense # HTTP 200
# Verify: assignedLicenses includes cbdc14ab-... (after ~6s, eventual consistency)
```
## Pending / Incomplete Tasks
- [ ] Confirm Intune MDM user scope = All (Entra -> Devices -> Mobility (MDM and MAM) -> Microsoft Intune) — not verifiable via API.
- [ ] Entra-join the 4 laptops with `devices@` (do one first, validate end-to-end).
- [ ] Report device names -> tag each `extensionAttribute1=CSCCaregiverDevice`.
- [ ] Confirm which printer(s) each laptop needs -> Intune printer push (FrontDesk Epson ET-5800 192.168.2.147; CopyRoom Canon C478iF 192.168.2.230; MCReception Epson ET-5800).
- [ ] Confirm whether any laptop needs on-prem file shares (would push that one to hybrid).
- [ ] NURSESTATION-PC Hybrid Entra Join (Entra Connect device options on CS-SERVER); clean stale 2021 record.
- [ ] Review report-only sign-in results, then cutover: enable allow-list policy + disable `CSC - Block caregivers on non-compliant device`.
- [ ] Reclaim Business Premium seat from `devices@` after enrollment batch.
- [ ] LAPTOP-8P7HDSEI: upgrade Win10 -> Win11 before PHI use.
## Reference Information
- Prior context: `clients/cascades-tucson/session-logs/2026-06-03-session.md` (admin consent + allow-list policy + join-model decisions).
- Allow-list policy id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; ALIS admin-consent grant id `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`.
- Tickets: #110680053 (domain migration), #109412123 (Entra setup).
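Review bot: the Credentials & Secrets section commits the `devices@cascadestucson.com` password in clear text to a session log, while the same bullet already points at the SOPS vault entry `clients/cascades-tucson/devices-account.sops.yaml`; keep only the vault reference in the log and treat the password as exposed now that it is in git history. Secondary, in Commands & Outputs the `$TEN` consumed by `scripts/get-token.sh` is never set alongside `DEVID` and `SPB`, and both `curl` lines elide the endpoint and auth header with `...`, so the block cannot be re-run as written; either define `TEN` in the snippet or state that it comes from the environment.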

@@ -34,6 +34,7 @@ sources:
- clients/cascades-tucson/session-logs/2026-06-02-howard-efax-scanner-ticket.md - clients/cascades-tucson/session-logs/2026-06-02-howard-efax-scanner-ticket.md
- clients/cascades-tucson/session-logs/2026-06-03-session.md - clients/cascades-tucson/session-logs/2026-06-03-session.md
- clients/cascades-tucson/session-logs/2026-06-04-howard-email-delivery-investigation.md - clients/cascades-tucson/session-logs/2026-06-04-howard-email-delivery-investigation.md
- clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md
- clients/cascades-tucson/docs/overview.md - clients/cascades-tucson/docs/overview.md
- clients/cascades-tucson/docs/network/topology.md - clients/cascades-tucson/docs/network/topology.md
- clients/cascades-tucson/docs/network/vlans.md - clients/cascades-tucson/docs/network/vlans.md
@@ -204,7 +205,7 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
| LAPTOP-E0STJJE8 | Win 11 | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` | | LAPTOP-E0STJJE8 | Win 11 | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` |
- **Join model (decided 2026-06-03):** The 4 laptops are **Entra-joined (cloud join)**, NOT domain-joined — a domain-only PC has no Entra device object, so the CA device filter cannot allow-list it. The laptops are shared ALIS/Teams/Outlook access points and do not need the on-prem GPO stack. NURSESTATION-PC stays domain-joined and gets **Hybrid Entra Join** (needs on-prem printers + ALDocs share); requires a one-time device-options config in Entra Connect on CS-SERVER, and its stale 2021 Entra record (Workplace, last seen 2021-07-03) should be cleaned. Mixed model is supported. - **Join model (decided 2026-06-03):** The 4 laptops are **Entra-joined (cloud join)**, NOT domain-joined — a domain-only PC has no Entra device object, so the CA device filter cannot allow-list it. The laptops are shared ALIS/Teams/Outlook access points and do not need the on-prem GPO stack. NURSESTATION-PC stays domain-joined and gets **Hybrid Entra Join** (needs on-prem printers + ALDocs share); requires a one-time device-options config in Entra Connect on CS-SERVER, and its stale 2021 Entra record (Workplace, last seen 2021-07-03) should be cleaned. Mixed model is supported.
- **Enrollment account:** `devices@cascadestucson.com` (Cloud Device Administrator, `aaca80c6-861b-4294-8068-1033c68d7667`). Needs a **Business Premium** license **only at enrollment time** so auto-MDM-enroll fires; the device stays enrolled and allow-listed afterward regardless of the enroller's license, so the SPB seat can be reclaimed after the batch (30 SPB seats free as of 2026-06-03). One license covers sequential enrollments. Mark each laptop a shared device (remove primary user) to drop per-user license dependency. Confirm MDM user scope = All (Entra -> Devices -> Mobility) before joining — not verifiable via API. - **Enrollment account:** `devices@cascadestucson.com` (Cloud Device Administrator, `aaca80c6-861b-4294-8068-1033c68d7667`). **Licensed Business Premium + usageLocation=US on 2026-06-04** and ready to join/auto-enroll. The license is needed **only at enrollment time** so auto-MDM-enroll fires; the device stays enrolled and allow-listed afterward regardless of the enroller's license, so the SPB seat can be reclaimed after the batch (30 SPB seats free as of 2026-06-03). One license covers sequential enrollments. Mark each laptop a shared device (remove primary user) to drop per-user license dependency. Confirm MDM user scope = All (Entra -> Devices -> Mobility) before joining — not verifiable via API.
- **Printing:** does NOT require domain join — Entra-joined laptops print via direct IP network printers or an Intune-pushed `Add-Printer` config. Printers: FrontDesk Epson ET-5800 `192.168.2.147`, CopyRoom Canon C478iF `192.168.2.230`, MCReception Epson ET-5800. - **Printing:** does NOT require domain join — Entra-joined laptops print via direct IP network printers or an Intune-pushed `Add-Printer` config. Printers: FrontDesk Epson ET-5800 `192.168.2.147`, CopyRoom Canon C478iF `192.168.2.230`, MCReception Epson ET-5800.
- **Cutover prerequisites (pending Howard OK):** Entra-join + Intune-enroll the 4 laptops; tag each `extensionAttribute1=CSCCaregiverDevice`; confirm NURSESTATION-PC Hybrid Entra Join; review report-only sign-in results; then enable allow-list policy AND disable `CSC - Block caregivers on non-compliant device`. - **Cutover prerequisites (pending Howard OK):** Entra-join + Intune-enroll the 4 laptops; tag each `extensionAttribute1=CSCCaregiverDevice`; confirm NURSESTATION-PC Hybrid Entra Join; review report-only sign-in results; then enable allow-list policy AND disable `CSC - Block caregivers on non-compliant device`.
- **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover. - **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover.
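Review bot: the updated Enrollment account bullet records the 2026-06-04 Business Premium assignment but still carries "30 SPB seats free as of 2026-06-03", which is now stale by the seat consumed by `devices@`; refresh the count as of 2026-06-04 and carry the "reclaim the seat after the enrollment batch" item from the session log's pending tasks into this overview so the two documents do not drift. It would also help to note here that `usageLocation` had to be set before the license could be assigned, since that was the prerequisite the session hit.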