claudetools/clients/cascades-tucson/PROJECT_STATE.md

# Cascades of Tucson — Project State

> READ THIS before starting work on this client.
> UPDATE THIS when you begin work (claim a lock) and when you finish (release lock + log changes).
> Last updated: 2026-04-21

---

## Active Session Locks

(no active locks)

**How to claim a lock:** Add a row before starting work. Remove it when done. Locks older than 2 hours with no update are considered stale.

**Last session paused:** 2026-04-25 ~15:30 PDT — see `session-logs/2026-04-25-howard-entra-connect-install-and-pilot-prep.md` for resume point. Entra Connect installed in staging mode, pilot account ready, mid-Track-A-Gate-2 prep when paused (existing CA architecture discovered, needs reconciliation before adding 184.191.143.62/32 to Cascades Named Location).

---

## Current State

**Status:** ACTIVE
**Last Activity:** 2026-04-17 (Howard)

Senior living community. Active project: HIPAA-compliant folder redirection GPO rollout across all departments. Folder redirection pattern validated on one user (Sharon Edwards, Life Enrichment) — Documents and Downloads redirecting to `\\CS-SERVER\homes\<username>\`. Next: second LE machine end-to-end, then Desktop and other folders, then matching GPOs for other departments.

---

## Infrastructure / Access

| Resource | Address | Vault path |
|----------|---------|------------|
| pfSense firewall | 192.168.0.1 | `clients/cascades-tucson/pfsense-firewall.sops.yaml` |
| Synology NAS (cascadesds) | 192.168.0.120:5000 (DSM) | `clients/cascades-tucson/synology-cascadesds.sops.yaml` |
| CS-SERVER (DC + file server) | 192.168.2.254, domain `cascades.local` | `clients/cascades-tucson/cs-server.sops.yaml` |

**Syncro ID:** 20149445
**M365 Tenant ID:** `207fa277-e9d8-4eb7-ada1-1064d2221498` (cascadestucson.com)
**Contact:** Meredith Kuhn — meredith.kuhn@cascadestucson.com — (520) 886-3171

**GuruRMM:**
- Client: Cascades of Tucson (`CASC`, id `42e1b0e3-f8b7-4fc5-86bd-06bdbb073b7f`)
- Site: CascadesTucson (`GOLD-MOON-4620`, id `c157c399-82d3-4581-979a-b9fad70f4fef`)
- Enrolled agents: DESKTOP-DLTAGOI (`0ed72c1c-40c7-4bd4-afed-e0bcb198936f`), CS-SERVER (`6766e973-e703-47c1-be56-76950290f87c`)

**Known traps:**
- ProfWiz-migrated users may have poisoned `User Shell Folders` — check/clean before testing redirection (`scripts/hive-cleanup-shellfolders.ps1`)
- GPMC on Server 2019/2022 writes `fdeploy1.ini` incorrectly when adding + modifying in same session — one folder per save, close/reopen between adds
- Explorer sidebar uses KnownFolder GUID form — mirror manually if sidebar doesn't resolve (`scripts/fix-live-shellfolders.ps1`)
- Machines with OneDrive KFM must unlink OneDrive before applying GPO

**GPO backup on CS-SERVER:** `C:\GPO-Backups\pre-fix-20260417-221701\` (backup ID `9c6ff7c9-0942-4cfb-b4a5-936913a3da87`)

---

## Pending / Next Up

**Folder Redirection (ongoing):**
- [ ] EncryptData flag on `\\CS-SERVER\homes` share (HIPAA workitem — currently false)
- [ ] Second Life Enrichment machine folder redirection end-to-end
- [ ] Desktop + other folders redirection GPOs
- [ ] Matching GPOs for remaining departments
- [ ] Folder redirection GPO verification across all enrolled machines

**Intune MDM Rollout (started 2026-04-19):**
- [x] Prereq gap check (`reports/2026-04-19-intune-mdm-prereq-gap.md`)
- [x] Create `MDMS@cascadestucson.com` service account - Business Premium, MFA, forwarding to howard@azcomputerguru.com (vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`). Replaced an earlier mdm@ attempt that hit a Managed Play enterprise/consumer Google account collision.
- [x] Managed Google Play enterprise bound (bindStatus=boundAndValidated, owner mdms@)
- [x] Apple MDM Push Cert uploaded (Apple ID mdms@cascadestucson.com, serial 16FA0CAED8EEB74F, expires 2027-04-20). Renewal reminder task #9.
- [x] CSCNet Wi-Fi password vaulted (`clients/cascades-tucson/wifi-cscnet.sops.yaml`)
- [x] Entra group `Cascades - Shared Phones` + Android enrollment profile `CSC - Android Shared Phones` (token MVDVVDMPSHYJAGDAJOCN, expires 2026-06-22, linked to the Entra group). **Converted to dynamic 2026-04-21** with rule `(device.enrollmentProfileName -eq "CSC - Android Shared Phones")` — any phone enrolled via that QR auto-joins within 5-30 min (was the root cause of Phone 1 not receiving any policies: enrolled via correct profile but never added to the static group).
- [x] **B-1 Android compliance policy** `CSC - Android Compliance` (id `27eeaeda-8390-462e-a514-7d2a558f412c`) — Android 14+, 6-digit numericComplex PIN, 1-min inactivity lock, encryption required, block rooted, SafetyNet certified, Intune App Integrity. Assigned to Shared Phones. Patched 2026-04-21 to spec.
- [x] **B-2 Config profiles** — `CSC - Android Shared Phones Restrictions` (factoryResetBlocked, no USB, no unknown sources, screenCaptureBlocked, no developer settings, system updates windowed 02:00-06:00 UTC) + `CSC - CSCNet Wi-Fi (WPA2-Personal)`. Both assigned.
- [x] **B-3 Required apps** — Company Portal, Managed Home Screen, Authenticator, Edge, Microsoft Intune, Teams (+ ALIS web app). All 7 required-assigned to Shared Phones. Company Portal assignment gap closed 2026-04-21.
- [x] **B-4 ALIS web app** (id `fcbf803d-ceb7-4f4e-93ed-2be1b91a05f3`) — https://cascadestucson.alisonline.com/Login, required-assigned.
- [x] **B-5 MSDM app config** — `CSC - Microsoft Shared Device Mode (Authenticator)` + `CSC - Microsoft Shared Device Mode (Teams)` (id `3c6a354c-1616-434b-ac81-4dad7795e67b`, created 2026-04-21). Both `shared_device_mode_enabled=true`, assigned to Shared Phones.
- [x] **B-6 Test enrollment** — Samsung SM-A146U (Galaxy A15 5G) serial R9TWB0WM55R, Android 15, enrolled 2026-04-20 18:17Z, showing compliant and syncing daily.
- [ ] **NEXT:** Roll remaining 24 Samsung A15 phones (factory reset each, enroll via QR from `CSC - Android Shared Phones` profile, verify caregiver sign-in via MSDM)
- [ ] Rotate MDMS@ password (post-rollout hygiene, task #8)
- [ ] iPads are on a generic Apple ID currently — bringing them into Intune is low-priority; ABM + DEM deferred until after phones are live
- [ ] **DEFERRED:** 2-hour inactivity auto-logout — not achievable via MSDM app config (no inactivity knob). Real options: Conditional Access sign-in frequency (Mike's call — tenant-wide sensitivity) or rely on 1-min screen lock + explicit caregiver sign-out. Current posture accepted.

---

## Recent Changes

| Date | By | Change | Status |
|------|-----|--------|--------|
| 2026-04-21 | Howard | Post-DMARC spoofing recheck — Mike's `p=quarantine` fix confirmed working (26h clean window). Purged 2 missed phishes (`accounting@` Inbox + `jd.martin` Deleted Items) via Graph permanentDelete. IP blocks skipped (DMARC covering). | DONE |
| 2026-04-21 | Mike | DMARC policy published as `p=quarantine; pct=100` (was `p=none`). Enforcement propagated sometime after 18:28Z on 4/20. | DEPLOYED |
| 2026-04-20 | Howard | Intune MDM rollout - service account MDMS@ + Google Play bind + Apple push cert + Entra group + Android enrollment profile (QR code) all live. Phone policies next session. | IN PROGRESS |
| 2026-04-17 | Howard | Folder redirection validated on DESKTOP-DLTAGOI (Sharon Edwards); GPO `CSC - Folder Redirection (LE)` active | DEPLOYED |

---

## How to Update

**When starting:** Add your session to Active Session Locks.
**When finishing:** Remove your lock row, add entries to Recent Changes, update Current State if needed.