claudetools/clients/cascades-tucson/PROJECT_STATE.md
Howard Enos 00fa539e4f cascades save: AD-side pilot prep done; CA reconciliation blocked on SP role gap (2026-04-28)
Thread 1 (AD-side prep on CS-SERVER) completed:
- howard.enos password reset to memorable value (PHS will sync to M365 once staging exits)
- proxyAddresses=SMTP:howard.enos@cascadestucson.com added (G1 convention)

Thread 2 (CA reconciliation) blocked: ComputerGuru - Tenant Admin SP
(appId 709e6eed-...) has zero directory role assignments in Cascades.
Graph CA endpoints 403 despite Policy.ReadWrite.ConditionalAccess on token.

Decision pending: Path A (Graph-side role assignment via existing
RoleManagement.ReadWrite.Directory) vs Path B (portal click as admin@).
Target role: Conditional Access Administrator
(b1be1c3e-b65d-4f19-8427-f6fa0d97feb9) on SP objectId
a5fa89a9-b735-4e10-b664-f042e265d137.

Follow-up: extend onboard-tenant.sh to assign this role at onboard time
(parallels 16f95e8 Exchange Admin fix for Exchange Operator SP).

Pilot target slipped 2026-04-27 to 2026-04-28. ALIS App Store still
inaccessible — install-side of ALIS SSO still deferred regardless.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 07:19:11 -07:00


# Cascades of Tucson — Project State
> READ THIS before starting work on this client.
> UPDATE THIS when you begin work (claim a lock) and when you finish (release lock + log changes).
> Last updated: 2026-04-28
---
## Active Session Locks
(no active locks)
**How to claim a lock:** Add a row before starting work. Remove it when done. Locks older than 2 hours with no update are considered stale.
**Last session paused:** 2026-04-28 ~07:15 PDT — see `session-logs/2026-04-28-howard-ca-reconciliation-blocked-on-sp-role.md` for full resume point.
- AD-side pilot prep is DONE (`howard.enos` password reset + proxyAddresses set on CS-SERVER).
- CA reconciliation BLOCKED: `ComputerGuru - Tenant Admin` SP has zero directory role assignments in Cascades, so all Graph CA endpoints 403 despite the token carrying `Policy.ReadWrite.ConditionalAccess`.
- Howard to pick Path A (Graph-side role assignment via existing `RoleManagement.ReadWrite.Directory`) or Path B (portal click as `admin@`) to grant **Conditional Access Administrator** (`b1be1c3e-b65d-4f19-8427-f6fa0d97feb9`) to SP objectId `a5fa89a9-b735-4e10-b664-f042e265d137`.
- After that lands: add `184.191.143.62/32` to existing `Cascades` Named Location, verify all-users MFA policy state, then Gate A3 (Entra App Reg for ALIS SSO — ALIS App Store still down so install-side is still deferred), Gate A5 (exit staging), Gate A6 (phone enroll), Gate A7 (flip CA On).
- Pilot target slipped from 2026-04-27 to 2026-04-28.
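Path A as a worked example, added here for reference; it is not code from `onboard-tenant.sh` or any existing project script. It checks the SP's current tenant-wide role assignments through `roleManagement/directory/roleAssignments` and only POSTs a `unifiedRoleAssignment` when the Conditional Access Administrator role is genuinely missing, so re-running it (for example from the planned onboard-time follow-up) is idempotent. The role template id and SP objectId are the ones recorded above; the token passed to `ensure_role` is assumed to already carry `RoleManagement.ReadWrite.Directory`, and the two `SAMPLE_*` responses are constructed, not captured from the tenant.

```python
"""Added example: grant a directory role to a service principal via Graph,
assigning only when the principal does not already hold it.
Not project code; values are taken from the project-state note."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Role template id and SP objectId as recorded in PROJECT_STATE.md.
CA_ADMIN_ROLE_ID = "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"   # Conditional Access Administrator
TENANT_ADMIN_SP_OBJECT_ID = "a5fa89a9-b735-4e10-b664-f042e265d137"


def roles_held(role_assignments_response: dict) -> set:
    """roleDefinitionIds present in a roleAssignments listing for one principal."""
    return {a["roleDefinitionId"] for a in role_assignments_response.get("value", [])}


def holds_role(role_assignments_response: dict, role_id: str = CA_ADMIN_ROLE_ID) -> bool:
    """True when the listing already contains the target role (nothing to do)."""
    return role_id in roles_held(role_assignments_response)


def list_assignments_request(principal_id: str) -> str:
    """URL listing the principal's role assignments; $filter value is URL-encoded."""
    flt = urllib.parse.quote(f"principalId eq '{principal_id}'")
    return f"{GRAPH}/roleManagement/directory/roleAssignments?$filter={flt}"


def role_assignment_body(principal_id: str, role_id: str = CA_ADMIN_ROLE_ID) -> dict:
    """unifiedRoleAssignment payload; directoryScopeId '/' means tenant-wide."""
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "roleDefinitionId": role_id,
        "principalId": principal_id,
        "directoryScopeId": "/",
    }


def _graph(token: str, method: str, url: str, body=None) -> dict:
    """Minimal Graph call with urllib (no SDK dependency). Raises on non-2xx."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def ensure_role(token: str, principal_id: str = TENANT_ADMIN_SP_OBJECT_ID,
                role_id: str = CA_ADMIN_ROLE_ID) -> str:
    """Idempotent Path A. Returns 'present' if nothing changed, 'assigned' after a grant."""
    current = _graph(token, "GET", list_assignments_request(principal_id))
    if holds_role(current, role_id):
        return "present"
    _graph(token, "POST", f"{GRAPH}/roleManagement/directory/roleAssignments",
           role_assignment_body(principal_id, role_id))
    return "assigned"


# Constructed responses: the "zero role assignments" state this note describes,
# and the state expected after the grant lands.
SAMPLE_EMPTY = {"value": []}
SAMPLE_AFTER = {"value": [{
    "id": "constructed-assignment-id",
    "roleDefinitionId": CA_ADMIN_ROLE_ID,
    "principalId": TENANT_ADMIN_SP_OBJECT_ID,
    "directoryScopeId": "/",
}]}

if __name__ == "__main__":
    print("role held before grant:", holds_role(SAMPLE_EMPTY))   # False: CA endpoints 403
    print("role held after grant: ", holds_role(SAMPLE_AFTER))
    print(json.dumps(role_assignment_body(TENANT_ADMIN_SP_OBJECT_ID), indent=2))
```

`ensure_role(token)` is the only function that touches the tenant; everything else is pure and can be unit-tested against the constructed samples. Granting the scoped Conditional Access Administrator role rather than Global Administrator keeps the SP at the least privilege the CA Graph endpoints need.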
---
## Current State
**Status:** ACTIVE
**Last Activity:** 2026-04-17 (Howard)
Senior living community. Active project: HIPAA-compliant folder redirection GPO rollout across all departments. Folder redirection pattern validated on one user (Sharon Edwards, Life Enrichment) — Documents and Downloads redirecting to `\\CS-SERVER\homes\<username>\`. Next: second LE machine end-to-end, then Desktop and other folders, then matching GPOs for other departments.
---
## Infrastructure / Access
| Resource | Address | Vault path |
|----------|---------|------------|
| pfSense firewall | 192.168.0.1 | `clients/cascades-tucson/pfsense-firewall.sops.yaml` |
| Synology NAS (cascadesds) | 192.168.0.120:5000 (DSM) | `clients/cascades-tucson/synology-cascadesds.sops.yaml` |
| CS-SERVER (DC + file server) | 192.168.2.254, domain `cascades.local` | `clients/cascades-tucson/cs-server.sops.yaml` |
**Syncro ID:** 20149445
**M365 Tenant ID:** `207fa277-e9d8-4eb7-ada1-1064d2221498` (cascadestucson.com)
**Contact:** Meredith Kuhn — meredith.kuhn@cascadestucson.com — (520) 886-3171
**GuruRMM:**
- Client: Cascades of Tucson (`CASC`, id `42e1b0e3-f8b7-4fc5-86bd-06bdbb073b7f`)
- Site: CascadesTucson (`GOLD-MOON-4620`, id `c157c399-82d3-4581-979a-b9fad70f4fef`)
- Enrolled agents: DESKTOP-DLTAGOI (`0ed72c1c-40c7-4bd4-afed-e0bcb198936f`), CS-SERVER (`6766e973-e703-47c1-be56-76950290f87c`)
**Known traps:**
- ProfWiz-migrated users may have poisoned `User Shell Folders` — check/clean before testing redirection (`scripts/hive-cleanup-shellfolders.ps1`)
- GPMC on Server 2019/2022 writes `fdeploy1.ini` incorrectly when adding + modifying in same session — one folder per save, close/reopen between adds
- Explorer sidebar uses KnownFolder GUID form — mirror manually if sidebar doesn't resolve (`scripts/fix-live-shellfolders.ps1`)
- Machines with OneDrive KFM must unlink OneDrive before applying GPO
**GPO backup on CS-SERVER:** `C:\GPO-Backups\pre-fix-20260417-221701\` (backup ID `9c6ff7c9-0942-4cfb-b4a5-936913a3da87`)
---
## Pending / Next Up
**Folder Redirection (ongoing):**
- [ ] EncryptData flag on `\\CS-SERVER\homes` share (HIPAA workitem — currently false)
- [ ] Second Life Enrichment machine folder redirection end-to-end
- [ ] Desktop + other folders redirection GPOs
- [ ] Matching GPOs for remaining departments
- [ ] Folder redirection GPO verification across all enrolled machines
**Intune MDM Rollout (started 2026-04-19):**
- [x] Prereq gap check (`reports/2026-04-19-intune-mdm-prereq-gap.md`)
- [x] Create `MDMS@cascadestucson.com` service account - Business Premium, MFA, forwarding to howard@azcomputerguru.com (vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`). Replaced an earlier mdm@ attempt that hit a Managed Play enterprise/consumer Google account collision.
- [x] Managed Google Play enterprise bound (bindStatus=boundAndValidated, owner mdms@)
- [x] Apple MDM Push Cert uploaded (Apple ID mdms@cascadestucson.com, serial 16FA0CAED8EEB74F, expires 2027-04-20). Renewal reminder task #9.
- [x] CSCNet Wi-Fi password vaulted (`clients/cascades-tucson/wifi-cscnet.sops.yaml`)
- [x] Entra group `Cascades - Shared Phones` + Android enrollment profile `CSC - Android Shared Phones` (token MVDVVDMPSHYJAGDAJOCN, expires 2026-06-22, linked to the Entra group). **Converted to dynamic 2026-04-21** with rule `(device.enrollmentProfileName -eq "CSC - Android Shared Phones")` — any phone enrolled via that QR auto-joins within 5-30 min (was the root cause of Phone 1 not receiving any policies: enrolled via correct profile but never added to the static group).
- [x] **B-1 Android compliance policy** `CSC - Android Compliance` (id `27eeaeda-8390-462e-a514-7d2a558f412c`) — Android 14+, 6-digit numericComplex PIN, 1-min inactivity lock, encryption required, block rooted, SafetyNet certified, Intune App Integrity. Assigned to Shared Phones. Patched 2026-04-21 to spec.
- [x] **B-2 Config profiles** `CSC - Android Shared Phones Restrictions` (factoryResetBlocked, no USB, no unknown sources, screenCaptureBlocked, no developer settings, system updates windowed 02:00-06:00 UTC) + `CSC - CSCNet Wi-Fi (WPA2-Personal)`. Both assigned.
- [x] **B-3 Required apps** — Company Portal, Managed Home Screen, Authenticator, Edge, Microsoft Intune, Teams (+ ALIS web app). All 7 required-assigned to Shared Phones. Company Portal assignment gap closed 2026-04-21.
- [x] **B-4 ALIS web app** (id `fcbf803d-ceb7-4f4e-93ed-2be1b91a05f3`) — https://cascadestucson.alisonline.com/Login, required-assigned.
- [x] **B-5 MSDM app config** `CSC - Microsoft Shared Device Mode (Authenticator)` + `CSC - Microsoft Shared Device Mode (Teams)` (id `3c6a354c-1616-434b-ac81-4dad7795e67b`, created 2026-04-21). Both `shared_device_mode_enabled=true`, assigned to Shared Phones.
- [x] **B-6 Test enrollment** — Samsung SM-A146U (Galaxy A15 5G) serial R9TWB0WM55R, Android 15, enrolled 2026-04-20 18:17Z, showing compliant and syncing daily.
- [ ] **NEXT:** Roll remaining 24 Samsung A15 phones (factory reset each, enroll via QR from `CSC - Android Shared Phones` profile, verify caregiver sign-in via MSDM)
- [ ] Rotate MDMS@ password (post-rollout hygiene, task #8)
- [ ] iPads are on a generic Apple ID currently — bringing them into Intune is low-priority; ABM + DEM deferred until after phones are live
- [ ] **DEFERRED:** 2-hour inactivity auto-logout — not achievable via MSDM app config (no inactivity knob). Real options: Conditional Access sign-in frequency (Mike's call — tenant-wide sensitivity) or rely on 1-min screen lock + explicit caregiver sign-out. Current posture accepted.
---
## Recent Changes
| Date | By | Change | Status |
|------|-----|--------|--------|
| 2026-04-28 | Howard | AD-side pilot prep on CS-SERVER: `howard.enos` password reset to memorable value + `proxyAddresses=SMTP:howard.enos@cascadestucson.com` added (matches G1 convention). PHS will sync this password to M365 once staging exits. | DONE |
| 2026-04-28 | Howard/Claude | Discovered Tenant Admin SP has zero directory role assignments in Cascades → blocks all CA Graph endpoints despite scope being on token. Decision pending: Graph-side role assignment vs portal click. Follow-up: patch `onboard-tenant.sh` to assign Conditional Access Admin at onboard time (mirror of `16f95e8` Exchange Op fix). | BLOCKED |
| 2026-04-25 | Howard | Entra Connect Sync installed in staging mode on CS-SERVER (PHS + Seamless SSO, scope `OU=Caregivers`). Pilot AD account `howard.enos@cascadestucson.com` created in Caregivers OU + SG-Caregivers. `admin@` re-promoted to Global Administrator after Sandra Fish residue cleanup. 7 deleted mailboxes restored from soft-delete (HIPAA retention remediation). Existing Cascades CA architecture discovered (Named Location `72.211.21.217/32`, all-users MFA policy from 2026-02-11). | IN PROGRESS |
| 2026-04-21 | Howard | Post-DMARC spoofing recheck — Mike's `p=quarantine` fix confirmed working (26h clean window). Purged 2 missed phishes (`accounting@` Inbox + `jd.martin` Deleted Items) via Graph permanentDelete. IP blocks skipped (DMARC covering). | DONE |
| 2026-04-21 | Mike | DMARC policy published as `p=quarantine; pct=100` (was `p=none`). Enforcement propagated sometime after 18:28Z on 4/20. | DEPLOYED |
| 2026-04-20 | Howard | Intune MDM rollout - service account MDMS@ + Google Play bind + Apple push cert + Entra group + Android enrollment profile (QR code) all live. Phone policies next session. | IN PROGRESS |
| 2026-04-17 | Howard | Folder redirection validated on DESKTOP-DLTAGOI (Sharon Edwards); GPO `CSC - Folder Redirection (LE)` active | DEPLOYED |
---
## How to Update
**When starting:** Add your session to Active Session Locks.
**When finishing:** Remove your lock row, add entries to Recent Changes, update Current State if needed.