sync: auto-sync from HOWARD-HOME at 2026-06-03 11:51:39

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-03 11:51:39
2026-06-03 11:51:47 -07:00
parent d3c22a9894
commit b78805ebc4
2 changed files with 42 additions and 0 deletions


@@ -157,3 +157,42 @@ The real difference was the **login path**: Megan had 10 ALIS sign-in events thr
Symptom signature: a user with zero ALIS app sign-in events in the Entra logs is on the old direct-login path (not SSO) — the fix is the ALIS Email match, not anything in Entra.
Sweep target: apply this to all office/clinical users (Karen Rossini, MemCare reception, etc.) to standardize everyone onto SSO.
## Update: 11:50 MST — Caregiver device allow-list rollout: enrollment approach + join-model decisions
Resumed the caregiver device allow-list workstream. Live check confirmed none of the 5 target devices are usable yet: the 4 laptops (Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8) are not in Entra; NURSESTATION-PC has only a stale 2021 Workplace-registered record (OS build 18363, last seen 2021-07-03, unmanaged) to be ignored/cleaned. Tenant holds 91 Windows device objects, mostly previous-MSP cruft.
Decided the join model per device. Laptops will be **Entra-joined (cloud join)**, not domain-joined: the allow-list is a CA device filter that can only match a device with an Entra device object, and a domain-join-only PC has no Entra object — so domain-only cannot be allow-listed and is ruled out. The laptops are shared ALIS/Teams/Outlook access points and do not need the on-prem GPO stack (folder redirection, mapped drives). NURSESTATION-PC stays domain-joined and gets **Hybrid Entra Join** (it needs on-prem printers/ALDocs share) — requires a one-time device-options config in Entra Connect on CS-SERVER. Mixed model (Entra-joined laptops + hybrid NURSESTATION) is supported.
Printing does not require domain join. Entra-joined laptops print via direct IP network printers or an Intune-pushed printer config (Add-Printer against the printer IP). Printing alone is not a reason to domain-join; only the full domain experience (GPO printers + folder redirect + seamless shares) would justify hybrid, which these laptops do not need.
License/account analysis: Business Premium (SPB) = 34 seats, 4 consumed, 30 free. `sysadmin@` carries only Power Automate Free (FLOW_FREE); `admin@` and `devices@` are unlicensed. Device-join policy allows all users to join (quota 50). Recommended join account is the dedicated `devices@cascadestucson.com` (Cloud Device Administrator), which needs a Business Premium license assigned at enrollment time so auto-MDM-enroll fires.
Clarified Intune licensing lifecycle: the enrolling account's license is needed only at the moment of join. After enrollment the device stays Entra-joined and Intune-managed, and the CA allow-list (which keys on the device object) is unaffected by the enroller's later license state. One license covers sequential enrollments of all devices; the Business Premium seat can be reclaimed from `devices@` after the batch. Per-user Intune licensing for ongoing use is satisfied by the caregivers (Business Premium) and/or by marking each laptop a shared device (remove primary user in Intune).
### Key Decisions (this update)
- Laptops = Entra join, not domain join: domain-only produces no Entra device object, breaking the CA allow-list. The laptops do not need the on-prem GPO stack.
- NURSESTATION-PC = domain-joined + Hybrid Entra Join (needs on-prem resources); ignore/clean its stale 2021 Entra record.
- Printing handled via direct IP / Intune push — not a justification to domain-join.
- Use `devices@` (Cloud Device Administrator) as the join account, licensed with Business Premium only transiently for enrollment, then reclaim the seat.
### Configuration Changes (this update)
- None applied. Planning + live read-only checks only. Business Premium license assignment to `devices@` offered but NOT yet executed (awaiting go-ahead).
### Credentials (this update)
- `devices@cascadestucson.com` / `Gptf*77ttb!` — Cloud Device Administrator, user ID `aaca80c6-861b-4294-8068-1033c68d7667`. Vault: `clients/cascades-tucson/devices-account.sops.yaml`. Currently UNLICENSED — needs Business Premium at enrollment.
### Reference (this update)
- SPB (Business Premium) skuId `cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46` (34 seats, 30 free). O365_BUSINESS_PREMIUM (Business Standard, suspended) skuId `f245ecc8-75af-4f8e-b61f-27d8114de5f3` (0 enabled, 31 consumed).
- Printers (CS-SERVER print server): FrontDesk = Epson ET-5800 `192.168.2.147`; CopyRoom = Canon imageRunner C478iF `192.168.2.230`; MCReception = Epson ET-5800 (Memory Care reception). 13 total.
- Device join policy: `allDeviceRegistrationMembership` (all users may join), userDeviceQuota 50.
- MDM auto-enroll scope (Entra -> Devices -> Mobility (MDM and MAM) -> Microsoft Intune -> MDM user scope) NOT verifiable via API (BadRequest) — confirm = All in portal before joining.
### Pending (this update)
- [ ] Assign Business Premium to `devices@` (offered; awaiting go-ahead).
- [ ] Confirm MDM user scope = All in portal.
- [ ] Confirm which printer(s) each laptop needs -> Intune printer push.
- [ ] Confirm whether any laptop needs on-prem file shares (would push that one to hybrid).
- [ ] Entra-join 4 laptops with `devices@`; reclaim license after batch.
- [ ] Hybrid Entra Join for NURSESTATION-PC (Entra Connect device options on CS-SERVER); clean stale 2021 record.
- [ ] After enrollment: tag devices `extensionAttribute1=CSCCaregiverDevice`, validate report-only, then cutover.
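Review bot: the Credentials entry in this hunk commits the `devices@cascadestucson.com` password in plaintext to the log, even though the same line already points at the SOPS vault (`clients/cascades-tucson/devices-account.sops.yaml`) as the secret's home. Once pushed, the value sits in git history for anyone with repo access, and the account is a Cloud Device Administrator that is about to receive a Business Premium seat and be used to Entra-join four laptops, so the blast radius is not small. Suggest reducing that line to the account name, role, user ID, vault path and licensing state, and treating the password as exposed: rotate it in the vault before the enrollment batch and use the rotated value for the joins. The rest of the hunk reads well; the report-only validation step before cutover in the Pending list is the right sequencing, and it would be worth noting there that the stale 2021 NURSESTATION-PC record should be cleaned before the hybrid join so the `extensionAttribute1=CSCCaregiverDevice` tag and the CA device filter land on the new object rather than the old one.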