azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from HOWARD-HOME at 2026-06-05 12:18:49

Browse Source 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-05 12:18:49
This commit is contained in:
Howard Enos
2026-06-05 12:18:57 -07:00
parent 08e194f592
commit ef23753956
2 changed files with 29 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
wiki/clients/cascades-tucson.md
View File

@@ -226,7 +226,7 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
- **User<->computer map source:** Syncro `kabuto_information.last_user` (GuruRMM does not expose logged-in user). DuPras=ALASSIST-PC, Lois Lane=DESKTOP-KQSL232, Karen Rossini=DESKTOP-LPOPV30, shared medtech=ASSISTNURSE-PC, shared MemCare reception=MEMRECEPT-PC (excluded from caregiver allow-list, receptionist-only). CONTEXT.md GuruRMM roster stale (27->32) — refresh pending.
- **Caregiver desktop app shortcuts:** ALIS (`https://cascadestucson.alisonline.com`), LinkRx (`https://pharmcare.linkrxnow.com/`), HelpAny (`https://app.safe-living.com/login`) — deploy via a Public-Desktop PowerShell script launching Edge `--app` mode (preserves SSO device-claim), pushed via GuruRMM to the 6 caregiver machines.
- **Login UX:** Entra/Microsoft sign-in (and ALIS SSO) requires the full UPN — no bare-username option for cloud accounts. Minimize typing via Windows Hello PIN on laptops + silent ALIS SSO once signed in; pursue ALIS Login PINs (Medtelligent limited-release).
- **Caregiver test rig (2026-06-05, in progress):** Phased-test infra before promoting to all caregivers. `SG-Caregivers-DeviceTest` (`db5849ec`, USERS) carries the full caregiver rule set (off-network block + sign-in-freq + allow-list, excluded from compliance-block); `Cascades - Caregiver Devices` (`02c6f698`, STATIC devices) targets Intune profiles (NURSESTATION only for now); `SG-Intune-Enrollment` (`13d94f6e`, holds devices@) scopes MDM auto-enroll. Test acct `pilot.test@cascadestucson.com` (`d26e0e5a`, Business Premium, ephemeral). Intune profiles on the device group: idle-lock 5min + disable-WHfB (OMA-URI); Shared PC Mode deferred to portal. NURSESTATION-PC un-joined domain + Entra-joined (Win11 25H2) + tagged, NOT yet Intune-enrolled (MDM scope is a portal toggle). **Open:** test ALIS sign-ins blocked CA 53003 = device-tag propagation lag (device claim flowed, trusted IP) — retry after propagation. Windows shared-device UX differs from phone SDM and is NOT yet proven. Promotion: point allow-list at SG-Caregivers + disable compliance-block once validated.
- **Caregiver test rig (2026-06-05, in progress):** Phased-test infra before promoting to all caregivers. `SG-Caregivers-DeviceTest` (`db5849ec`, USERS) carries the full caregiver rule set (off-network block + sign-in-freq + allow-list, excluded from compliance-block); `Cascades - Caregiver Devices` (`02c6f698`, STATIC devices) targets Intune profiles (NURSESTATION only for now); `SG-Intune-Enrollment` (`13d94f6e`, holds devices@) scopes MDM auto-enroll. Test acct `pilot.test@cascadestucson.com` (`d26e0e5a`, Business Premium, ephemeral). Intune profiles on the device group: idle-lock 5min + disable-WHfB (OMA-URI); Shared PC Mode deferred to portal. NURSESTATION-PC un-joined domain + Entra-joined (Win11 25H2) + tagged, NOT yet Intune-enrolled (MDM scope is a portal toggle). **PROVEN 2026-06-05:** pilot.test on NURSESTATION-PC -> ALIS opened via SSO with lockdown holding (off-network blocked, only allow-listed device passes). ALIS first threw CA 53003 because the `extensionAttribute1` tag takes >70 min to propagate into CA's device-filter cache; fixed by adding NURSESTATION's **deviceId** directly to the allow-list rule (immediate, lag-free) — for the small caregiver device set, **deviceId matching is the reliable lever**. **Open:** Intune enrollment blocked — `INTUNE_A` service plan is `PendingInput` (not provisioned) on the newly-licensed accounts (devices@, pilot.test); established users fine. A device can't enroll through an account whose Intune plan isn't active. Re-kicked devices@'s Business Premium license to force re-provisioning; re-check for `Success`. Until enrolled, the scoped disable-Hello/Shared-PC profiles can't apply (Hello prompt is dismissible meanwhile; tenant WHfB left `notConfigured` so office users keep PIN+Authenticator). Windows shared-device UX differs from phone SDM. Promotion: once enrolled+validated, point allow-list at SG-Caregivers (prefer deviceId list) + disable compliance-block.
- **Threat model (confirmed 2026-06-05):** off-network + device allow-list specifically defeats remote credential abuse (hacker / bad employee from home) — stolen caregiver creds unusable off-site/off-device because CA blocks the cloud sign-in before ALIS/email. Risk-based MFA policies are inert (tenant has no Identity Protection P2 license).
- **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover.
- **Pilot cleanup required when done:** Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group. Source: `project_cascades_pilot_cleanup.md`.