sync: auto-sync from HOWARD-HOME at 2026-06-04 21:22:05

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-04 21:22:05
2026-06-04 21:22:13 -07:00
parent 4ab272faab
commit a87cb66b32
3 changed files with 136 additions and 1 deletions


@@ -0,0 +1,88 @@
# Cascades — Caregiver/MedTech restricted-bucket ALIS SSO worklist
**Generated:** 2026-06-04
**Purpose:** Every person in the restricted (caregiver/medtech) bucket must have their **ALIS staff-record Email = their Entra UPN** for SSO to resolve them. This is the per-user gate for phone (and laptop) ALIS sign-in.
**Source:** live `SG-Caregivers` membership (38) + 2 adds (Feller, Nyanzunda). Tenant `207fa277-e9d8-4eb7-ada1-1064d2221498`.
How to use: in ALIS admin -> Staff -> each record, set Email to the UPN below. Then test that user's "Sign in with Microsoft" on a phone before moving to the next. Native ALIS 2FA stays off for this bucket.
## Restricted device set (the only devices these users may sign in from, on-network only)
Phones (`CSC-*`, SDM) + Laptop2 + LAPTOP-8P7HDSEI + LAPTOP-DRQ5L558 + LAPTOP-E0STJJE8 + ASSISTNURSE-PC + NURSESTATION-PC (hybrid-join pending).
---
## A. Clean matches — confirm ALIS Email = UPN (26)
| Name | ALIS Email (= UPN) | Done |
|---|---|---|
| Agnes McFerren | a.mcferren@cascadestucson.com | [ ] |
| Ashli Atwood | a.atwood@cascadestucson.com | [ ] |
| Barb Johnson | b.johnson@cascadestucson.com | [ ] |
| Cole Johnson | c.johnson@cascadestucson.com | [ ] |
| Ederick Yuzon | e.yuzon@cascadestucson.com | [ ] |
| Erica Sanchez | e.sanchez@cascadestucson.com | [ ] |
| Gina Williams | g.williams@cascadestucson.com | [ ] |
| Jahmeka Clarke | j.clarke@cascadestucson.com | [ ] |
| Jinnelle Dittbenner | j.dittbenner@cascadestucson.com | [ ] |
| Juan Andrade | j.andrade@cascadestucson.com | [ ] |
| Karina Aziakpo | k.aziakpo@cascadestucson.com | [ ] |
| Katrina Wyzykowski | k.wyzykowski@cascadestucson.com | [ ] |
| Luke Hogan | l.hogan@cascadestucson.com | [ ] |
| Luriz Fuster | l.fuster@cascadestucson.com | [ ] |
| Marie Kastner | m.kastner@cascadestucson.com | [ ] |
| Monique Lopez | m.lopez@cascadestucson.com | [ ] |
| Patricia Camarena Doran | p.doran@cascadestucson.com | [ ] |
| Richard Flores | r.flores@cascadestucson.com | [ ] |
| Rosa Morales | r.morales@cascadestucson.com | [ ] |
| Roseline Cooper | r.cooper@cascadestucson.com | [ ] |
| Samuel Ramirez | s.ramirez@cascadestucson.com | [ ] |
| Sandra Padilla | s.padilla@cascadestucson.com | [ ] |
| Sarah Carroll | s.carroll@cascadestucson.com | [ ] |
| Shontiel Nunn | s.nunn@cascadestucson.com | [ ] |
| Thelma Abainza | t.abainza@cascadestucson.com | [ ] |
| Whisper Reed | w.reed@cascadestucson.com | [ ] |
## B. ALIS name differs from UPN — verify carefully (4)
| ALIS staff name | ALIS Email (= UPN) | Done |
|---|---|---|
| Sika, Bariffa | b.sika@cascadestucson.com | [ ] |
| Esperance, Niyonsaba | e.esperance@cascadestucson.com | [ ] |
| Higdon, Jennifer | j.higdon@cascadestucson.com | [ ] |
| Huerta, Zeke (confirm first initial = E / Ezekiel) | e.huerta@cascadestucson.com | [ ] |
## C. No ALIS record found — create record (Email = UPN) or confirm not a day-1 ALIS user (8)
| Name | ALIS Email (= UPN) | Note | Done |
|---|---|---|---|
| Maia Baker | m.baker@cascadestucson.com | | [ ] |
| Diana Fierros | d.fierros@cascadestucson.com | | [ ] |
| Kasey Flores | k.flores@cascadestucson.com | ALIS only has Richard Flores | [ ] |
| Mary Kariuki | m.kariuki@cascadestucson.com | | [ ] |
| Bella Mendoza | b.mendoza@cascadestucson.com | | [ ] |
| Corey Tate | c.tate@cascadestucson.com | | [ ] |
| Gloria Williford | g.williford@cascadestucson.com | | [ ] |
| Tele Lassey-Assiakoley | t.lassey-assiakoley@cascadestucson.com | ALIS has "Celia Lassey" — confirm same person | [ ] |
## D. New adds to the restricted bucket (office-format UPN)
| Person | ALIS Email (= UPN) | Action | Done |
|---|---|---|---|
| Veronica Feller | veronica.feller@cascadestucson.com | add to SG-Caregivers after her device is enrolled; confirm she is on-site (inventory shows remote/PA) | [ ] |
| Christine Nyanzunda | christine.nyanzunda@cascadestucson.com | FIX directory surname typo "Nyanzuda"->"Nyanzunda" first; uses ASSISTNURSE-PC | [ ] |
## E. Pending classification (ALIS caregiver/medtech role, not yet bucketed)
Decide inside (restricted) or outside (privileged): Judith Palmer, Patricia Sandoval-Beck, Joey Ty, Alejandra Vallejo, Celia Lassey.
---
## Prerequisites already done
- Tenant-wide admin consent for ALIS app (2026-06-03) — SSO works for everyone matched.
- Native ALIS 2FA off for caregivers/medtechs (blanket).
- CA: off-network block + compliance block enforced on SG-Caregivers; allow-list policy staged (report-only).
## After the sweep
- Enroll/tag remaining devices (LAPTOP-8P7HDSEI + ASSISTNURSE-PC after Win11 25H2; NURSESTATION-PC via hybrid join).
- Cutover: enable allow-list policy + disable `CSC - Block caregivers on non-compliant device`.
- Add Feller + Nyanzunda to SG-Caregivers (after their device enrolled).
- Reclaim devices@ Business Premium seat.
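Review bot: the ALIS Email field is the authorization binding for SSO (whoever signs in with that UPN lands in that staff record), so the unresolved identity questions in sections B and C need to be settled before the email is written, not after. Three rows set a value while still asking whether it is right: "Huerta, Zeke (confirm first initial = E / Ezekiel)" commits `e.huerta@...` before the initial is confirmed; "Kasey Flores ... ALIS only has Richard Flores" must not be satisfied by reusing Richard's record; and "Tele Lassey-Assiakoley ... ALIS has 'Celia Lassey' — confirm same person" conflicts with section E, which lists Celia Lassey as a separate person still pending classification. Suggest adding a "Verified by" column (second attribute such as employee ID or hire date, checked against the ALIS record), requiring the UPN to exist in Entra before it is entered, and resolving the Lassey / Lassey-Assiakoley question once so that C and E agree. Also worth stating under "How to use" that a failed test sign-in after the change means revert the Email field immediately, since a wrong mapping is silently exploitable by the other account holder.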


@@ -74,3 +74,45 @@ curl -s -X POST ... -d '{"addLicenses":[{"skuId":"'$SPB'"}],"removeLicenses":[]}
- Prior context: `clients/cascades-tucson/session-logs/2026-06-03-session.md` (admin consent + allow-list policy + join-model decisions).
- Allow-list policy id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; ALIS admin-consent grant id `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`.
- Tickets: #110680053 (domain migration), #109412123 (Entra setup).
## Update: 21:20 MST — device tagging, roster classifications, ALIS worklist, app shortcuts
Continued the caregiver device rollout and finalized the restricted vs privileged user split for go-live (caregivers using phones start of next week).
### Devices
- 3 of 5 laptops Entra-joined (workgroup -> AzureAd) and tagged `extensionAttribute1=CSCCaregiverDevice`: **Laptop2** (`3ade4bd4-527f-468a-b06b-b1fa304941c8`), **LAPTOP-DRQ5L558** (`eb5f6b98-0077-4c35-b029-ee6f9ada0eef`), **LAPTOP-E0STJJE8** (`4b5ee995-964c-4efc-8960-f1a2a7d6257d`). All Win11 26200.
- Remaining 2 pending Win11 25H2 upgrade then join+tag: **LAPTOP-8P7HDSEI**, **ASSISTNURSE-PC** (both were Win10 19045). User upgraded 3 machines Home->Pro; 2 still need 25H2.
- All 3 joined laptops show `isManaged=null` — auto-MDM-enroll did NOT fire (MDM user scope likely not = All, and devices were only logged into with local accounts so the enroll retry has no Entra user context). DECISION: defer Intune/MDM decision until all devices are on Win11 25H2. Intune is OPTIONAL — the allow-list is tag-based and works on Entra-join alone; Intune only needed for printer-push / Windows compliance policy.
- **NURSESTATION-PC** confirmed as a permanent caregiver/medtech device. It is domain-joined, so it needs **Hybrid Entra Join** (Entra Connect device-options config on CS-SERVER) before it can be tagged — the only device on the hybrid track. Full caregiver device set = phones + Laptop2 + LAPTOP-8P7HDSEI + LAPTOP-DRQ5L558 + LAPTOP-E0STJJE8 + ASSISTNURSE-PC + NURSESTATION-PC (6 machines + phones).
### User-to-computer map (resolved a prior gap)
Built the Cascades user<->computer map. Authoritative source = **Syncro `kabuto_information.last_user`** (GuruRMM does not expose logged-in user). Key mappings: DuPras=ALASSIST-PC, Lois Lane=DESKTOP-KQSL232, Karen Rossini=DESKTOP-LPOPV30, shared medtech=ASSISTNURSE-PC (`mc medtechs and care`), shared MemCare reception=MEMRECEPT-PC, the 4 caregiver laptops show generic `\User`. CONTEXT.md GuruRMM roster is stale (27->32 agents) — refresh pending.
### Classifications (restricted = inside-only / SG-Caregivers; privileged = outside access)
- **Privileged/outside** (NOT in SG-Caregivers; ALIS via SSO + offsite MFA): Lois Lane, Karen Rossini (done), Christina DuPras. Nurses ruled OUTSIDE per user. All have Entra accounts.
- **Restricted/inside**: the 38 SG-Caregivers + **Veronica Feller** (caretaker, moving depts later; inventory shows her remote/PA — confirm on-site before locking) + **Christine Nyanzunda** (MC admin asst + PT medtech; uses ASSISTNURSE-PC). Nyanzunda has an M365 account but with a **directory surname typo "Nyanzuda"** to fix; her UPN `christine.nyanzunda@cascadestucson.com`.
- **Zachary Nelson removed** from caregiver consideration — accounting, no ALIS (his ALIS "Caregiver" role is noise).
- **Still pending classification**: Judith Palmer, Patricia Sandoval-Beck, Joey Ty, Alejandra Vallejo, Celia Lassey.
- MEMRECEPT-PC excluded from the caregiver allow-list (receptionist-only; user verifying). Outside users access from home/personal devices — managed laptops/desktops stay onsite, so no device management needed for privileged outside access.
### Phasing decision
Per-user go-live gate = **ALIS email-match + a test sign-in**, done one caregiver at a time as the ALIS sweep proceeds. The CA restriction is already applied to all 38 (in SG-Caregivers, policies enabled). The allow-list cutover is LOW-RISK and can be all-at-once: verified there is no gap (only `CSC-` phones are compliant today, and the allow-list also permits them), so flipping the allow-list ADDS laptop access without removing phone access — nobody on a phone gets locked out.
### Deliverable: caregiver ALIS email-match worklist
Wrote `clients/cascades-tucson/reports/2026-06-04-caregiver-alis-sso-worklist.md` — 40 restricted users (38 + Feller + Nyanzunda) with required ALIS Email = UPN, grouped: 26 clean matches, 4 name-variants (Sika/Esperance/Higdon/Huerta), 8 with no ALIS record, 2 new adds.
### App shortcuts (in progress)
Built a PowerShell script to drop ALIS/LinkRx/HelpAny shortcuts on the Public Desktop, launched in Edge `--app` mode (kiosk-like, preserves SSO device-claim). URLs: ALIS `https://cascadestucson.alisonline.com`, LinkRx `https://pharmcare.linkrxnow.com/`, HelpAny `https://app.safe-living.com/login`. Intune web-link apps only store the Managed Google Play wrapper URL, so the real LinkRx/HelpAny URLs came from the user. Deployment via GuruRMM offered (awaiting go-ahead); targets are the 6 caregiver machines.
### Username-only login question
Answered: Entra/Microsoft sign-in (and ALIS SSO) REQUIRES the full UPN — no tenant setting allows a bare username for cloud accounts. Reduce typing instead via Windows Hello PIN on the laptops + silent ALIS SSO once signed in, and pursue ALIS Login PINs (Medtelligent limited-release). NURSESTATION-PC (domain-joined) Windows login can be short, but ALIS SSO behind it still uses the full UPN.
### Pending (this update)
- [ ] Finish Win11 25H2 on LAPTOP-8P7HDSEI + ASSISTNURSE-PC -> Entra-join -> tag.
- [ ] NURSESTATION-PC Hybrid Entra Join.
- [ ] ALIS email-match sweep (worklist file) — the day-1 gate for phones.
- [ ] Deploy app-shortcut script via GuruRMM to the 6 caregiver machines (awaiting go-ahead).
- [ ] Classify last 5 straddlers; confirm Feller on-site; fix Nyanzunda surname typo.
- [ ] Add Feller + Nyanzunda to SG-Caregivers after their devices ready.
- [ ] Cutover (enable allow-list + disable compliance block); reclaim devices@ license.
- [ ] Windows Hello PIN plan for laptops; ALIS Login PINs support ask.
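Review bot: the cutover as written ("enable allow-list + disable `CSC - Block caregivers on non-compliant device`") removes the only device-health signal while the Devices section records that MDM enrollment never fired (`isManaged=null` on all three joined laptops) and that Intune is being treated as optional. After the flip, laptop access is gated solely by `extensionAttribute1=CSCCaregiverDevice` plus the off-network block, and that attribute is writable by any role with device write permission in the tenant, so the log should record this as an accepted risk (who can tag a device, and how tagging is audited) rather than describing the change only as "LOW-RISK". The "no gap" argument in Phasing decision also rests on the allow-list policy `1b7fd025-1aad-47c8-9274-c32c3e0b163c` being in report-only; suggest adding a pending item to confirm from the report-only sign-in results that current `CSC-` phone sign-ins would have been allowed before the policy is enforced, since the note as written asserts this from the policy design rather than from observed evaluations.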