sync: auto-sync from HOWARD-HOME at 2026-06-04 21:22:05
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-04 21:22:05
@@ -0,0 +1,88 @@
# Cascades — Caregiver/MedTech restricted-bucket ALIS SSO worklist
**Generated:** 2026-06-04
**Purpose:** Every person in the restricted (caregiver/medtech) bucket must have their **ALIS staff-record Email = their Entra UPN** for SSO to resolve them. This is the per-user gate for phone (and laptop) ALIS sign-in.
**Source:** live `SG-Caregivers` membership (38) + 2 adds (Feller, Nyanzunda). Tenant `207fa277-e9d8-4eb7-ada1-1064d2221498`.
How to use: in ALIS admin -> Staff -> each record, set Email to the UPN below. Then test that user's "Sign in with Microsoft" on a phone before moving to the next. Native ALIS 2FA stays off for this bucket.
## Restricted device set (the only devices these users may sign in from, on-network only)
Phones (`CSC-*`, SDM) + Laptop2 + LAPTOP-8P7HDSEI + LAPTOP-DRQ5L558 + LAPTOP-E0STJJE8 + ASSISTNURSE-PC + NURSESTATION-PC (hybrid-join pending).
---
## A. Clean matches — confirm ALIS Email = UPN (26)
| Name | ALIS Email (= UPN) | Done |
|---|---|---|
| Agnes McFerren | a.mcferren@cascadestucson.com | [ ] |
| Ashli Atwood | a.atwood@cascadestucson.com | [ ] |
| Barb Johnson | b.johnson@cascadestucson.com | [ ] |
| Cole Johnson | c.johnson@cascadestucson.com | [ ] |
| Ederick Yuzon | e.yuzon@cascadestucson.com | [ ] |
| Erica Sanchez | e.sanchez@cascadestucson.com | [ ] |
| Gina Williams | g.williams@cascadestucson.com | [ ] |
| Jahmeka Clarke | j.clarke@cascadestucson.com | [ ] |
| Jinnelle Dittbenner | j.dittbenner@cascadestucson.com | [ ] |
| Juan Andrade | j.andrade@cascadestucson.com | [ ] |
| Karina Aziakpo | k.aziakpo@cascadestucson.com | [ ] |
| Katrina Wyzykowski | k.wyzykowski@cascadestucson.com | [ ] |
| Luke Hogan | l.hogan@cascadestucson.com | [ ] |
| Luriz Fuster | l.fuster@cascadestucson.com | [ ] |
| Marie Kastner | m.kastner@cascadestucson.com | [ ] |
| Monique Lopez | m.lopez@cascadestucson.com | [ ] |
| Patricia Camarena Doran | p.doran@cascadestucson.com | [ ] |
| Richard Flores | r.flores@cascadestucson.com | [ ] |
| Rosa Morales | r.morales@cascadestucson.com | [ ] |
| Roseline Cooper | r.cooper@cascadestucson.com | [ ] |
| Samuel Ramirez | s.ramirez@cascadestucson.com | [ ] |
| Sandra Padilla | s.padilla@cascadestucson.com | [ ] |
| Sarah Carroll | s.carroll@cascadestucson.com | [ ] |
| Shontiel Nunn | s.nunn@cascadestucson.com | [ ] |
| Thelma Abainza | t.abainza@cascadestucson.com | [ ] |
| Whisper Reed | w.reed@cascadestucson.com | [ ] |
## B. ALIS name differs from UPN — verify carefully (4)
| ALIS staff name | ALIS Email (= UPN) | Done |
|---|---|---|
| Sika, Bariffa | b.sika@cascadestucson.com | [ ] |
| Esperance, Niyonsaba | e.esperance@cascadestucson.com | [ ] |
| Higdon, Jennifer | j.higdon@cascadestucson.com | [ ] |
| Huerta, Zeke (confirm first initial = E / Ezekiel) | e.huerta@cascadestucson.com | [ ] |
## C. No ALIS record found — create record (Email = UPN) or confirm not a day-1 ALIS user (8)
| Name | ALIS Email (= UPN) | Note | Done |
|---|---|---|---|
| Maia Baker | m.baker@cascadestucson.com | | [ ] |
| Diana Fierros | d.fierros@cascadestucson.com | | [ ] |
| Kasey Flores | k.flores@cascadestucson.com | ALIS only has Richard Flores | [ ] |
| Mary Kariuki | m.kariuki@cascadestucson.com | | [ ] |
| Bella Mendoza | b.mendoza@cascadestucson.com | | [ ] |
| Corey Tate | c.tate@cascadestucson.com | | [ ] |
| Gloria Williford | g.williford@cascadestucson.com | | [ ] |
| Tele Lassey-Assiakoley | t.lassey-assiakoley@cascadestucson.com | ALIS has "Celia Lassey" — confirm same person | [ ] |
## D. New adds to the restricted bucket (office-format UPN)
| Person | ALIS Email (= UPN) | Action | Done |
|---|---|---|---|
| Veronica Feller | veronica.feller@cascadestucson.com | add to SG-Caregivers after her device is enrolled; confirm she is on-site (inventory shows remote/PA) | [ ] |
| Christine Nyanzunda | christine.nyanzunda@cascadestucson.com | FIX directory surname typo "Nyanzuda"->"Nyanzunda" first; uses ASSISTNURSE-PC | [ ] |
## E. Pending classification (ALIS caregiver/medtech role, not yet bucketed)
Decide inside (restricted) or outside (privileged): Judith Palmer, Patricia Sandoval-Beck, Joey Ty, Alejandra Vallejo, Celia Lassey.
---
## Prerequisites already done
- Tenant-wide admin consent for ALIS app (2026-06-03) — SSO works for everyone matched.
- Native ALIS 2FA off for caregivers/medtechs (blanket).
- CA: off-network block + compliance block enforced on SG-Caregivers; allow-list policy staged (report-only).
## After the sweep
- Enroll/tag remaining devices (LAPTOP-8P7HDSEI + ASSISTNURSE-PC after Win11 25H2; NURSESTATION-PC via hybrid join).
- Cutover: enable allow-list policy + disable `CSC - Block caregivers on non-compliant device`.
- Add Feller + Nyanzunda to SG-Caregivers (after their device enrolled).
- Reclaim devices@ Business Premium seat.
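Review bot: the Done column only records that the ALIS Email was set, while the how-to at the top makes the per-user gate "set Email to the UPN, then test that user's Sign in with Microsoft on a phone"; split it into two checkbox columns (e.g. `| Email set | Sign-in tested |`) so the sweep shows which of the 40 have actually passed the gate. Two smaller points in the same file: the header states that native ALIS 2FA stays off for this bucket, so name the compensating control next to it (the CA off-network block plus the device allow-list from "Prerequisites already done"), since a reader of this worklist will not see CONTEXT.md; and section C should say not to create a new ALIS record until the person is confirmed a day-1 ALIS user, because a record whose Email equals a live UPN becomes SSO-resolvable as soon as it is saved.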
@@ -74,3 +74,45 @@ curl -s -X POST ... -d '{"addLicenses":[{"skuId":"'$SPB'"}],"removeLicenses":[]}
- Prior context: `clients/cascades-tucson/session-logs/2026-06-03-session.md` (admin consent + allow-list policy + join-model decisions).
- Allow-list policy id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; ALIS admin-consent grant id `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`.
- Tickets: #110680053 (domain migration), #109412123 (Entra setup).
## Update: 21:20 MST — device tagging, roster classifications, ALIS worklist, app shortcuts
Continued the caregiver device rollout and finalized the restricted vs privileged user split for go-live (caregivers using phones start of next week).
### Devices
- 3 of 5 laptops Entra-joined (workgroup -> AzureAd) and tagged `extensionAttribute1=CSCCaregiverDevice`: **Laptop2** (`3ade4bd4-527f-468a-b06b-b1fa304941c8`), **LAPTOP-DRQ5L558** (`eb5f6b98-0077-4c35-b029-ee6f9ada0eef`), **LAPTOP-E0STJJE8** (`4b5ee995-964c-4efc-8960-f1a2a7d6257d`). All Win11 26200.
- Remaining 2 pending Win11 25H2 upgrade then join+tag: **LAPTOP-8P7HDSEI**, **ASSISTNURSE-PC** (both were Win10 19045). User upgraded 3 machines Home->Pro; 2 still need 25H2.
- All 3 joined laptops show `isManaged=null` — auto-MDM-enroll did NOT fire (MDM user scope likely not = All, and devices were only logged into with local accounts so the enroll retry has no Entra user context). DECISION: defer Intune/MDM decision until all devices are on Win11 25H2. Intune is OPTIONAL — the allow-list is tag-based and works on Entra-join alone; Intune only needed for printer-push / Windows compliance policy.
- **NURSESTATION-PC** confirmed as a permanent caregiver/medtech device. It is domain-joined, so it needs **Hybrid Entra Join** (Entra Connect device-options config on CS-SERVER) before it can be tagged — the only device on the hybrid track. Full caregiver device set = phones + Laptop2 + LAPTOP-8P7HDSEI + LAPTOP-DRQ5L558 + LAPTOP-E0STJJE8 + ASSISTNURSE-PC + NURSESTATION-PC (6 machines + phones).
### User-to-computer map (resolved a prior gap)
Built the Cascades user<->computer map. Authoritative source = **Syncro `kabuto_information.last_user`** (GuruRMM does not expose logged-in user). Key mappings: DuPras=ALASSIST-PC, Lois Lane=DESKTOP-KQSL232, Karen Rossini=DESKTOP-LPOPV30, shared medtech=ASSISTNURSE-PC (`mc medtechs and care`), shared MemCare reception=MEMRECEPT-PC, the 4 caregiver laptops show generic `\User`. CONTEXT.md GuruRMM roster is stale (27->32 agents) — refresh pending.
### Classifications (restricted = inside-only / SG-Caregivers; privileged = outside access)
- **Privileged/outside** (NOT in SG-Caregivers; ALIS via SSO + offsite MFA): Lois Lane, Karen Rossini (done), Christina DuPras. Nurses ruled OUTSIDE per user. All have Entra accounts.
- **Restricted/inside**: the 38 SG-Caregivers + **Veronica Feller** (caretaker, moving depts later; inventory shows her remote/PA — confirm on-site before locking) + **Christine Nyanzunda** (MC admin asst + PT medtech; uses ASSISTNURSE-PC). Nyanzunda has an M365 account but with a **directory surname typo "Nyanzuda"** to fix; her UPN `christine.nyanzunda@cascadestucson.com`.
- **Zachary Nelson removed** from caregiver consideration — accounting, no ALIS (his ALIS "Caregiver" role is noise).
- **Still pending classification**: Judith Palmer, Patricia Sandoval-Beck, Joey Ty, Alejandra Vallejo, Celia Lassey.
- MEMRECEPT-PC excluded from the caregiver allow-list (receptionist-only; user verifying). Outside users access from home/personal devices — managed laptops/desktops stay onsite, so no device management needed for privileged outside access.
### Phasing decision
Per-user go-live gate = **ALIS email-match + a test sign-in**, done one caregiver at a time as the ALIS sweep proceeds. The CA restriction is already applied to all 38 (in SG-Caregivers, policies enabled). The allow-list cutover is LOW-RISK and can be all-at-once: verified there is no gap (only `CSC-` phones are compliant today, and the allow-list also permits them), so flipping the allow-list ADDS laptop access without removing phone access — nobody on a phone gets locked out.
### Deliverable: caregiver ALIS email-match worklist
Wrote `clients/cascades-tucson/reports/2026-06-04-caregiver-alis-sso-worklist.md` — 40 restricted users (38 + Feller + Nyanzunda) with required ALIS Email = UPN, grouped: 26 clean matches, 4 name-variants (Sika/Esperance/Higdon/Huerta), 8 with no ALIS record, 2 new adds.
### App shortcuts (in progress)
Built a PowerShell script to drop ALIS/LinkRx/HelpAny shortcuts on the Public Desktop, launched in Edge `--app` mode (kiosk-like, preserves SSO device-claim). URLs: ALIS `https://cascadestucson.alisonline.com`, LinkRx `https://pharmcare.linkrxnow.com/`, HelpAny `https://app.safe-living.com/login`. Intune web-link apps only store the Managed Google Play wrapper URL, so the real LinkRx/HelpAny URLs came from the user. Deployment via GuruRMM offered (awaiting go-ahead); targets are the 6 caregiver machines.
### Username-only login question
Answered: Entra/Microsoft sign-in (and ALIS SSO) REQUIRES the full UPN — no tenant setting allows a bare username for cloud accounts. Reduce typing instead via Windows Hello PIN on the laptops + silent ALIS SSO once signed in, and pursue ALIS Login PINs (Medtelligent limited-release). NURSESTATION-PC (domain-joined) Windows login can be short, but ALIS SSO behind it still uses the full UPN.
### Pending (this update)
- [ ] Finish Win11 25H2 on LAPTOP-8P7HDSEI + ASSISTNURSE-PC -> Entra-join -> tag.
- [ ] NURSESTATION-PC Hybrid Entra Join.
- [ ] ALIS email-match sweep (worklist file) — the day-1 gate for phones.
- [ ] Deploy app-shortcut script via GuruRMM to the 6 caregiver machines (awaiting go-ahead).
- [ ] Classify last 5 straddlers; confirm Feller on-site; fix Nyanzunda surname typo.
- [ ] Add Feller + Nyanzunda to SG-Caregivers after their devices ready.
- [ ] Cutover (enable allow-list + disable compliance block); reclaim devices@ license.
- [ ] Windows Hello PIN plan for laptops; ALIS Login PINs support ask.
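Review bot: the Classifications bullet records Nyanzunda's UPN as `christine.nyanzunda@cascadestucson.com` while in the same sentence noting a directory surname typo "Nyanzuda" still to be fixed; since the day-1 gate is an exact ALIS Email = UPN match, the log should state whether the typo is confined to the surname attribute or also appears in the UPN/mail value, and which value ALIS must be set to if the fix is deferred (the worklist row says "FIX ... first", but the pending item "fix Nyanzunda surname typo" and "Add Feller + Nyanzunda to SG-Caregivers" are ordered independently). Also, the Pending list here drops the "review report-only sign-in results" step that the CONTEXT.md cutover prerequisites carried; "verified there is no gap" rests on the allow-list policy still being report-only, so add that review as a checkbox ahead of "Cutover (enable allow-list + disable compliance block)".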
@@ -217,7 +217,12 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
- **Join model (decided 2026-06-03):** The 4 laptops are **Entra-joined (cloud join)**, NOT domain-joined — a domain-only PC has no Entra device object, so the CA device filter cannot allow-list it. The laptops are shared ALIS/Teams/Outlook access points and do not need the on-prem GPO stack. NURSESTATION-PC stays domain-joined and gets **Hybrid Entra Join** (needs on-prem printers + ALDocs share); requires a one-time device-options config in Entra Connect on CS-SERVER, and its stale 2021 Entra record (Workplace, last seen 2021-07-03) should be cleaned. Mixed model is supported.
- **Enrollment account:** `devices@cascadestucson.com` (Cloud Device Administrator, `aaca80c6-861b-4294-8068-1033c68d7667`). **Licensed Business Premium + usageLocation=US on 2026-06-04** and ready to join/auto-enroll. The license is needed **only at enrollment time** so auto-MDM-enroll fires; the device stays enrolled and allow-listed afterward regardless of the enroller's license, so the SPB seat can be reclaimed after the batch (30 SPB seats free as of 2026-06-03). One license covers sequential enrollments. Mark each laptop a shared device (remove primary user) to drop per-user license dependency. Confirm MDM user scope = All (Entra -> Devices -> Mobility) before joining — not verifiable via API.
- **Printing:** does NOT require domain join — Entra-joined laptops print via direct IP network printers or an Intune-pushed `Add-Printer` config. Printers: FrontDesk Epson ET-5800 `192.168.2.147`, CopyRoom Canon C478iF `192.168.2.230`, MCReception Epson ET-5800.
- **Cutover prerequisites (pending Howard OK):** Entra-join + Intune-enroll the 4 laptops; tag each `extensionAttribute1=CSCCaregiverDevice`; confirm NURSESTATION-PC Hybrid Entra Join; review report-only sign-in results; then enable allow-list policy AND disable `CSC - Block caregivers on non-compliant device`.
- **Enrollment progress (2026-06-04):** 3 of the laptops Entra-joined + tagged `CSCCaregiverDevice` — Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8 (all Win11 26200). Pending Win11 25H2 upgrade then join+tag: LAPTOP-8P7HDSEI, ASSISTNURSE-PC. NURSESTATION-PC confirmed permanent caregiver device (hybrid-join pending). Full set = phones + those 6 machines. All joined laptops show `isManaged=null` (auto-MDM-enroll did not fire — MDM user scope likely not =All, and only local logins so far). Intune is OPTIONAL: the allow-list is tag-based and works on Entra-join alone; Intune only needed for printer-push / a Windows compliance policy. Intune/MDM decision deferred until all devices on Win11 25H2. Enrollment account `devices@` (Cloud Device Admin), licensed Business Premium transiently (reclaim after batch).
- **Cutover (low-risk, can be all-at-once):** verified no gap — only `CSC-` phones are compliant today and the allow-list also permits them, so enabling the allow-list ADDS the laptops without removing phone access; nobody on a phone gets locked out. Per-user go-live gate is the ALIS email-match + test sign-in (one at a time), not a CA change. Cutover = enable `CSC - Caregivers: allow-listed devices only` + disable `CSC - Block caregivers on non-compliant device`.
- **Restricted vs privileged classification (2026-06-04):** Restricted/inside (SG-Caregivers) = the 38 + Veronica Feller (caretaker; inventory shows her remote/PA — confirm on-site) + Christine Nyanzunda (MC admin asst + PT medtech; uses ASSISTNURSE-PC; directory surname typo "Nyanzuda" to fix). Privileged/outside (NOT in SG-Caregivers; ALIS via SSO + offsite MFA) = Lois Lane, Karen Rossini, Christina DuPras, and all admins/directors/managers; nurses ruled OUTSIDE. Zachary Nelson is accounting/no-ALIS (not a caregiver). Still pending classification: Judith Palmer, Patricia Sandoval-Beck, Joey Ty, Alejandra Vallejo, Celia Lassey. Worklist: `clients/cascades-tucson/reports/2026-06-04-caregiver-alis-sso-worklist.md`.
- **User<->computer map source:** Syncro `kabuto_information.last_user` (GuruRMM does not expose logged-in user). DuPras=ALASSIST-PC, Lois Lane=DESKTOP-KQSL232, Karen Rossini=DESKTOP-LPOPV30, shared medtech=ASSISTNURSE-PC, shared MemCare reception=MEMRECEPT-PC (excluded from caregiver allow-list, receptionist-only). CONTEXT.md GuruRMM roster stale (27->32) — refresh pending.
- **Caregiver desktop app shortcuts:** ALIS (`https://cascadestucson.alisonline.com`), LinkRx (`https://pharmcare.linkrxnow.com/`), HelpAny (`https://app.safe-living.com/login`) — deploy via a Public-Desktop PowerShell script launching Edge `--app` mode (preserves SSO device-claim), pushed via GuruRMM to the 6 caregiver machines.
- **Login UX:** Entra/Microsoft sign-in (and ALIS SSO) requires the full UPN — no bare-username option for cloud accounts. Minimize typing via Windows Hello PIN on laptops + silent ALIS SSO once signed in; pursue ALIS Login PINs (Medtelligent limited-release).
- **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover.
- **Pilot cleanup required when done:** Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group. Source: `project_cascades_pilot_cleanup.md`.
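Review bot: the replaced "Cutover prerequisites (pending Howard OK)" bullet listed "Intune-enroll the 4 laptops" and "review report-only sign-in results" as gates, and the new "Cutover (low-risk, can be all-at-once)" bullet keeps neither; dropping the first is consistent with the Enrollment-progress bullet making Intune optional, but the report-only review should be restated in the Cutover bullet as the check that precedes enabling `CSC - Caregivers: allow-listed devices only`. Also, the GDAP exclusion bullet refers to "CA policy 3" without naming it; say whether that is the allow-list policy (`1b7fd025-1aad-47c8-9274-c32c3e0b163c` in the session log) so the exclusion of "Service provider users", `SG-External-Signin-Allowed` and `SG-Break-Glass` is verified on the policy that actually gets enabled at cutover, and the mixed-join wording "Mixed model is supported" would read better as a short sentence of its own at the end of the join-model bullet rather than a trailing fragment.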