cascades: caretaker roster + phone-login remediation updates
- Document forced-change-at-logon gotcha + fleet-wide fix (shared-phone err 50126)
- Record PSO-Caregivers (never-expire FGPP on SG-Caregivers)
- Log hard-delete of 7 offboarded leavers; Juan Andrade offboard scheduled 2026-07-11

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -32,7 +32,7 @@ Transportation drivers, who do not get ALIS/M365 caregiver access at all.
| Erica Sanchez | e.sanchez | D+P | TBD |
| Ederick Yuzon | e.yuzon | D+P | TBD |
| Gina Williams | g.williams | D+P | TBD |
| Juan Andrade | j.andrade | D+P | TBD |
| Juan Andrade | j.andrade | D+P | **LEAVING** — last day 2026-07-11; held active until then, offboard on 07-11 |
| Jahmeka Clarke | j.clarke | D+P | TBD |
| Jinnelle Dittbenner | j.dittbenner | D+P | TBD |
| Jen Higdon | j.higdon | D+P | TBD |
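Review bot: the replacement Juan Andrade row says only "offboard on 07-11", while the Status bullet for the same person lower on the page spells out what that offboarding is (disable + remove from `SG-Caregivers` + reclaim Business Premium); put those three steps, or a pointer to that bullet and the coord todo, in the table cell so whoever works the roster on 2026-07-11 has the full action in one place. The cell also writes the date as "07-11" two words after giving it as 2026-07-11; use the full date both times.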
@@ -174,7 +174,9 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- **App + printer delivery GPO `CSC - Caregiver Workstation`** (`{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`, User-config GPP) -- **BUILT + VALIDATED on NURSESTATION as pilot.test (2026-06-05).** Linked at `OU=Caregivers,OU=Departments`; security filter = `SG-Caregivers-Test` (Apply, pilot.test only) + Authenticated Users (Read, for MS16-072). Go-live = swap filter to `SG-Caregivers`. Contents: 3 desktop shortcuts -- ALIS, LinkRx, **Helpany** (`https://app.safe-living.com/login` -- named "Helpany," the brand caregivers know) -- + 6 `\\CS-SERVER` shared printers (NursesPrinter, HealthServices, MCMedTech, MCReception, MCDirector, CopyRoom) with **default printer by device location** (Nurses for `SG-PC-MainTower`, MC MedTech for `SG-PC-MemoryCare`, computer-context ILT) + HKCU `LegacyDefaultPrinterMode=1` so the default sticks. Build scripts: `clients/cascades-tucson/scripts/build-caregiver-gpo.ps1` + `link-caregiver-gpo.ps1`. NOTE: the domain-wide `CSC - Printer Deployment` GPO is intentionally disabled (empty CSE / version 0) and is **not** to be used -- reference only.
- **Device lockdown GPO `CSC - Caregiver Device Lockdown`** (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`, computer-only, linked to `OU=Caregiver Devices`) -- **DEPLOYED 2026-06-05.** Auto-logoff is a HIPAA requirement (SS164.312(a)(2)(iii)) for shared PHI devices. Settings: screen **lock at 3 min**, **auto sign-out at 15 min** total idle, **90-second warning** before sign-out, **never sleep** (display off 10 min). Delivered via a computer **startup script** (`caregiver-lockdown.ps1`, in SYSVOL) that sets `InactivityTimeoutSecs=180`, powercfg, and registers a logon-triggered scheduled task running an idle monitor in each caregiver's session. Deploy script: `deploy-device-lockdown-gpo.ps1`. **Startup scripts run at boot -- NURSESTATION must reboot** to activate (not yet verified). **Companion:** ALIS app session timeout 20->15 min (Howard, ALIS admin) **PENDING.** Lock/logoff are **device-level** (affect any user on the device in `OU=Caregiver Devices`).
### Status (as of 2026-07-01)
### Status (as of 2026-07-02)
- **[ROSTER 2026-07-02] 7 already-disabled leavers HARD-DELETED from AD** (client roster update): `b.mendoza`, `c.tate`, `g.williford`, `k.flores`, `d.fierros`, `m.baker`, `m.kariuki` -- all disabled/never-logged-in since the 7/1 reconcile; now removed (cloud objects soft-delete on next Entra Connect sync, 30-day recycle bin). **`SG-Caregivers` stays 35** (they were already out of the group; deleting disabled non-members doesn't change the count). Live-verified gone (RMM cmd `a5f337fd`).
- **[ROSTER 2026-07-02] Juan Andrade (`j.andrade`) gave 2-week notice** -- still active and in `SG-Caregivers`, deliberately **HELD** (do NOT disable while he's working). **Last day 2026-07-11 -- offboard that day:** disable + remove from `SG-Caregivers` + reclaim Business Premium. Tracked in `docs/cloud/caretaker-phones-only-list.md` + coord todo.
- **Caregiver phone SSO -- Entra/identity side COMPLETE for the current 35-member roster** (group + Business Premium license + AD temp passwords, **must-change flag cleared fleet-wide 2026-07-02** -- see the forced-change gotcha above; temp passwords now valid for phone sign-in). Remaining gate is the ALIS Email=UPN match (Howard) + creating ALIS records for the 3 brand-new hires (Munezero, Cota, Robinson) + setting Vallejo's ALIS Email=UPN + the outstanding items from 6/30 (7 discharged-record decisions, Kariuki ALIS dup 429856/429858 dedupe if she returns).
- **Caregiver CA lockdown is LIVE (interim posture, 2026-07-01):** caretakers sign in on desktops and phones, on-network only -- see the 7/1 update above and Conditional Access / Caregiver Policies. Phones-only lockdown deferred to end of rollout.
- **Proven working end-to-end on a hybrid-joined desktop (NURSESTATION + pilot.test):** caregiver lockdown (CA off-network block + device allow-list) **and** silent ALIS SSO. The allow-list policy `1b7fd025` carries NURSESTATION's current deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` and the device is tagged `extensionAttribute1=CSCCaregiverDevice`.
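Review bot: the phone-SSO bullet records that the must-change-at-logon flag was cleared fleet-wide on 2026-07-02 so the AD temp passwords are now valid for phone sign-in, and the commit message pairs that with a never-expire FGPP (`PSO-Caregivers`) on `SG-Caregivers`; taken together, the temp passwords stay valid indefinitely unless each caregiver replaces them, and nothing in the hunk says whether or how that happens. Add a line stating how caregivers are expected to set their own password after the first phone sign-in (and that the temp passwords are unique per user rather than a shared value), or state explicitly that they are meant to remain permanent. Smaller point in the hard-delete bullet: "cloud objects soft-delete on next Entra Connect sync" is asserted, but only the on-prem side is live-verified (RMM cmd `a5f337fd`); record the sync run and the Entra recycle-bin check once it has happened.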