wiki(rednour): Nick SMB share access set up; flag macOS RMM install fail (unsigned Apple Silicon binary); add return-visit + share docs
@@ -31,7 +31,7 @@ sources:
|
||||
|---|---|---|---|---|
|
||||
| Carrie Rednour | Owner / attorney; M365 Global Admin | crednour@rednourlaw.com, sysadmin@rednourlaw.com | a0fc8517-1c2a-4d72-b774-c0d5c929167a | sysadmin@ is an alias on the same account; communicates via text with Mike directly |
|
||||
| Carla Skinner | Legal assistant / employee | carla@rednourlaw.com | 93074d1a-6db2-4794-8f7d-c84a619e4494 | Renamed from Emma on 2026-05-31; emma@ + dgarcia@ + alee@ aliases retained by design (see below) |
|
||||
| Nick Pafford | Employee | npafford@rednourlaw.com, nick@rednourlaw.com | fe859088-bcbc-49dc-aaea-4c6e68f7d5bb | nick@ added as alias on 2026-05-31; shared-drive access still pending |
|
||||
| Nick Pafford | Employee | npafford@rednourlaw.com, nick@rednourlaw.com | fe859088-bcbc-49dc-aaea-4c6e68f7d5bb | nick@ added as alias on 2026-05-31; SMB share access set up 2026-06-25 (local `nick` on REDNOURCARRIEVI -> `Documents`); on an Apple Silicon Mac (RMM enrollment pending fix) |
|
||||
| receptionist | Shared mailbox | receptionist@rednourlaw.com | — | No personal contact; 34 contacts in mailbox as of 2026-06-02 sweep |
|
||||
|
||||
System recipient: DiscoverySearchMailbox (Exchange system object — not a user).
|
||||
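Review bot: The new Nick Pafford row puts host and local-account detail (`nick` on REDNOURCARRIEVI -> `Documents`) and the RMM status into the notes column of the contact table, where it will drift from the File Shares section and the action items that this same commit adds. Keep the row to the alias and the access date, and point to the File Shares section for the account and share detail.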
@@ -78,6 +78,15 @@ All three machines were enrolled by 2026-05-29. Onboarding diagnostic grade: RED
|
||||
- 2 pending Windows updates
|
||||
- Local admin account `guru` present (ACG account, expected)
|
||||
|
||||
### File Shares (workgroup, peer-to-peer)
|
||||
|
||||
REDNOURCARRIEVI (192.168.10.194 LAN / 10.147.17.253 ZeroTier) hosts the firm's shared files as peer-to-peer SMB shares (no server, no AD):
|
||||
|
||||
- **`Documents`** -> `C:\Users\Carrie\Documents` — the primary working share (also exposed redundantly as `ShareName`, same path). Mac/PC clients authenticate with a **local Windows account** on the box.
|
||||
- Local accounts with access to Documents: `Carrie`, `emma` (legacy local account, actively used — unrelated to the M365 Emma->Carla rename), `localadmin`, and **`nick`** (added 2026-06-25 for Nick Pafford; share Change + NTFS Modify; cred vaulted `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`).
|
||||
- Other shares present: `Time Matters Shared Files`, `Timeslips`, `Program Files sage`, `Users`, `New folder`. **Security note:** several are over-broad (`Everyone=Full` on `Program Files`/`Users`/`Time Matters`) — cleanup candidate.
|
||||
- Mac mount string: `smb://192.168.10.194/Documents`.
|
||||
|
||||
### GuruRMM Site
|
||||
|
||||
- **Site name:** Main Office
|
||||
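Review bot: The security note on the "Other shares present" bullet records `Everyone=Full` on `Program Files`/`Users`/`Time Matters` only as a "cleanup candidate", with no owner or priority, and the action items table in this commit gets no matching row. Add one. The `Documents` bullet should also state the share permissions on `ShareName`, since it exposes the same path and the `nick` grant is described only for `Documents`.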
@@ -162,6 +171,18 @@ All four real-user mailboxes swept — only Carrie was affected:
|
||||
|
||||
No time billed on this follow-up per Mike's standing rule (never log time without explicit minutes + labor type).
|
||||
|
||||
### 2026-06-25 — SMB share access for Nick Pafford + Mac RMM enrollment attempt
|
||||
|
||||
**Operator: Howard Enos.** Resolved the long-deferred shared-drive access for Nick. The "shared drive" turned out to be the **`Documents` SMB share on REDNOURCARRIEVI** (`C:\Users\Carrie\Documents`); identified via `Get-SmbShare` across all three workstations. It was previously reached only through the local `emma` account.
|
||||
|
||||
Created a dedicated standard local account **`nick`** on REDNOURCARRIEVI (PasswordNeverExpires), granted **share = Change** and **NTFS = Modify** on the Documents folder. Credential vaulted at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. Nick's Mac (Apple Silicon) mounts `smb://192.168.10.194/Documents` (Finder Cmd+K, `nick` + keychain-saved password; auto-reconnect via Login Items). Share confirmed working onsite.
|
||||
|
||||
**GuruRMM macOS enrollment FAILED** on Nick's Apple Silicon Mac (site Main, `GREEN-FALCON-7214`). Server serves the agent fine (HTTP 200, 3.96 MB single-arch aarch64). Working hypothesis: the served binary is **unsigned**, so Apple Silicon SIGKILLs it (`agent/build-macos.sh` = unsigned cross-compile; `agent/build-macos-signed.sh` exists with Mike's Developer ID + notarization but is likely not what the server publishes). Fix path: publish the signed+notarized binary, or ad-hoc `codesign -s -` the binary inside the macOS install script. Deferred — Howard had only a limited ScreenConnect support session; "we will get the RMM installed" later.
|
||||
|
||||
**Return visit pending:** phone + printer setup at Rednour; may require running a new wire or installing a switch.
|
||||
|
||||
Operational note: PowerShell `Set-Acl` ACL propagation down Carrie's large Documents tree exceeded the RMM command timeout (twice), and since stdout is dropped on timeout a randomly-generated password was lost each time — generate passwords locally so they survive a timeout (logged to errorlog).
|
||||
|
||||
## Patterns & Known Issues
|
||||
|
||||
- **EWS required for personal contact work.** No app in the ComputerGuru suite holds `Contacts.Read` or `Contacts.ReadWrite` on Graph. Personal contact folder reads and modifications must go through EWS (`full_access_as_app` on the Exchange Operator SP with `ExchangeImpersonation`).
|
||||
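Review bot: The operational note at the end of the 2026-06-25 entry says `Set-Acl` propagation timed out twice but never states whether the NTFS Modify grant finished applying to the whole Documents tree; "Share confirmed working onsite" does not cover deep subfolders. Record the final ACL state and how it was checked. The `PasswordNeverExpires` setting on `nick` also needs a line on who owns rotation of the vaulted credential.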
@@ -170,6 +191,7 @@ No time billed on this follow-up per Mike's standing rule (never log time withou
|
||||
- **emma@ alias is live by design.** Mail to emma@rednourlaw.com routes to Carla Skinner. Do not remove unless the firm explicitly requests it.
|
||||
- **No MDE license — skip Defender tier.** Defender Add-on is consented but ATP endpoints 650052. Do not attempt Defender-tier calls for this tenant.
|
||||
- **Prior MSP agents still installed.** ScreenConnect, Splashtop, and Syncro on all workstations; Datto RMM on REDNOURCARRIEVI. Not yet remediated as of 2026-06-02.
|
||||
- **macOS RMM agent won't run on Apple Silicon if unsigned.** The site-code installer serves an unsigned aarch64 binary; Apple Silicon SIGKILLs unsigned Mach-O. Until the server publishes a signed/notarized build (`build-macos-signed.sh`), Apple Silicon Mac enrollment fails (blocks Nick's Mac; same root issue likely affects Scileppi's Mac).
|
||||
- **LEGALASST and REDNOURCARRIEVI are on Win 10 22H2 (EOL).** No security updates since 2025-10-14. Plan OS upgrade to Win 11 or Win 10 newer build.
|
||||
- **REDNOURCARRIEVI: Defender was off at onboarding.** Confirm it has been re-enabled; it is a critical finding.
|
||||
|
||||
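Review bot: The new "macOS RMM agent won't run on Apple Silicon if unsigned" bullet states the cause as fact ("The site-code installer serves an unsigned aarch64 binary"), while the session entry calls it a "Working hypothesis" and the action item says "Likely cause" pending the `killed: 9` log check. Word the pattern as unconfirmed until that check is done. "Scileppi's Mac" is also not identified anywhere in the visible lines, so say which client or user that refers to.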
@@ -180,7 +202,9 @@ No time billed on this follow-up per Mike's standing rule (never log time withou
|
||||
| P1 | Re-enable Defender on REDNOURCARRIEVI | Howard/Mike | Was off at onboarding 2026-05-29; confirm current state |
|
||||
| P1 | Remove prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM) | Mike/Howard | Present on all 3 machines; Datto RMM on REDNOURCARRIEVI only |
|
||||
| P1 | Upgrade LEGALASST and REDNOURCARRIEVI to a supported OS | Mike | Both on Win 10 22H2 (EOL 2025-10-14) |
|
||||
| P2 | Shared-drive access for Nick Pafford | Mike | Deferred from #32343; ticket Resolved without it |
|
||||
| DONE | Shared-drive access for Nick Pafford | Howard | 2026-06-25: created local `nick` account on REDNOURCARRIEVI; `Documents` share = Change + NTFS = Modify; cred vaulted `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`; Nick's Apple Silicon Mac mounts `smb://192.168.10.194/Documents` |
|
||||
| P1 | Fix GuruRMM macOS agent install on Nick's Apple Silicon Mac | Howard/Mike | 2026-06-25 install failed. Likely cause: served aarch64 binary is **unsigned** -> Apple Silicon SIGKILLs it. Fix: serve the signed+notarized binary (`agent/build-macos-signed.sh`, Mike's Developer ID) or ad-hoc `codesign -s -` in the installer. Confirm with Mac log (`killed: 9`). Deferred (limited ScreenConnect session only) |
|
||||
| P2 | Return visit: phone + printer setup at Rednour | Howard | 2026-06-25: pending; may require running a new wire / installing a switch |
|
||||
| P2 | Final invoice on Syncro #32343 | Mike | 0.5h remote labor (line item 42654682) sitting on Resolved ticket |
|
||||
| P2 | Address BitLocker gap on FRONTDESKRECEPT | Mike/Howard | OS volume unencrypted at onboarding |
|
||||
| P3 | Remove stale local admin accounts (Ale, Emma on LEGALASST) | Howard | Left from prior user assignment |
|
||||
|
||||
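Review bot: The new P1 row for the GuruRMM macOS agent lists serving the signed+notarized binary and ad-hoc `codesign -s -` in the installer as interchangeable fixes, but an ad-hoc signature carries no Developer ID, so the installer would be signing whatever the server happens to serve. Name the `agent/build-macos-signed.sh` output as the target fix and mark ad-hoc signing as a stopgap, if it is kept at all. The row should also say who confirms the `killed: 9` log line before either fix is applied.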