claudetools/wiki/clients/cascades-tucson.md
Howard Enos 3c071069c7 sync: auto-sync from HOWARD-HOME at 2026-06-05 14:04:58
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-05 14:04:58
2026-06-05 14:05:09 -07:00


type: client
name: cascades-tucson
display_name: Cascades of Tucson
last_compiled: 2026-06-05
compiled_by: GURU-BEAST-ROG/claude-main
sources:
session-logs/2026-03-24-session.md
session-logs/2026-03-31-session.md
session-logs/2026-04-01-session.md
session-logs/2026-04-16-session.md
session-logs/2026-04-16-howard-client-docs-import.md
session-logs/2026-04-17-session.md
session-logs/2026-04-17-howard-session.md
session-logs/2026-04-18-session.md
session-logs/2026-04-20-session.md
session-logs/2026-04-20-mac-session.md
session-logs/2026-04-21-mac-vault-setup.md
session-logs/2026-04-21-howard-remediation-vault-gap.md
session-logs/2026-04-28-session.md
session-logs/2026-04-29-session.md
session-logs/2026-04-30-session.md
session-logs/2026-05-01-session.md
session-logs/2026-05-01-howard-syncro-billing-batch-and-tmp-path-incident.md
session-logs/2026-05-10-session.md
session-logs/2026-05-18-session.md
session-logs/2026-05-18-howard-billing-review-and-ticket-updates.md
session-logs/2026-05-20-session.md
session-logs/2026-05-21-session.md
session-logs/2026-05-23-session.md
session-logs/2026-05-24-GURU-KALI-session.md
clients/cascades-tucson/session-logs/2026-05-22-session.md
session-logs/2026-05-26-howard-session.md
clients/cascades-tucson/session-logs/2026-06-02-howard-efax-scanner-ticket.md
clients/cascades-tucson/session-logs/2026-06-03-session.md
clients/cascades-tucson/session-logs/2026-06-04-howard-email-delivery-investigation.md
clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md
clients/cascades-tucson/session-logs/2026-06-04-session.md
clients/cascades-tucson/session-logs/2026-06-05-session.md
clients/cascades-tucson/docs/overview.md
clients/cascades-tucson/docs/network/topology.md
clients/cascades-tucson/docs/network/vlans.md
clients/cascades-tucson/docs/servers/cs-server.md
clients/cascades-tucson/docs/billing-log.md
.claude/memory/project_cascades_admin_accounts.md
.claude/memory/project_cascades_ca_phased_rollout.md
.claude/memory/project_cascades_pilot_cleanup.md
.claude/memory/feedback_syncro_cascades_contact.md
.claude/memory/feedback_cascades_user_security_group.md
.claude/memory/project-cascades-migration-plan.md
.claude/memory/feedback_cascades_folder_redirect.md
backlinks: projects/gururmm

Cascades of Tucson

Senior living / assisted living facility in Tucson, AZ. Single 6-floor building plus a MemCare (Memory Care) wing on floors 5-6. ACG took over from a previous MSP. Primary compliance driver is HIPAA. Active multi-phase migration project ongoing as of 2026-05-24.


Entra Access Architecture (canonical overview)

In one line: a HIPAA-driven, identity-based access-control system that splits staff into two security postures and enforces them with Microsoft Entra Conditional Access on top of hybrid identity (Entra Connect), with ALIS (clinical EHR) wired for SSO. Tickets: #109412123 (Entra setup), #110680053 (domain migration).

Foundation — hybrid identity

  • On-prem AD cascades.local synced to Entra/M365 via Entra Connect (PHS + Seamless SSO). UPN suffix cascadestucson.com, so a user's Windows login = email = M365/ALIS identity (one credential everywhere).

Two user buckets (the core design)

  1. Restricted — caregivers + medtechs (group SG-Caregivers, 8b8d9222): sign in only on the Cascades network and only on approved devices (shared Galaxy phones + a set of caregiver laptops/desktops). No MFA (no personal devices) — protected by location + device controls + 8h sign-in frequency instead. Effect: caregiver credentials are useless off-site or off an approved device — the anti-hacker / bad-employee-from-home control.
  2. Privileged — admins / directors / managers / nurses (NOT in SG-Caregivers): email + ALIS from anywhere, seamless onsite / 2FA offsite (Authenticator/PIN). Untouched by the caregiver lockdown.

Conditional Access enforcement (caregivers)

  • CSC - Block caregivers off Cascades network (e35614e1)
  • CSC - Block caregivers on non-compliant device (ede985e2) — being replaced by a device allow-list (CSC - Caregivers: allow-listed devices only, 1b7fd025): phones (displayName -startsWith "CSC-") + tagged caregiver machines (extensionAttribute1 -eq "CSCCaregiverDevice", or explicit deviceId). Note: extensionAttribute changes lag >70 min into CA's filter cache — deviceId matching is the lag-free lever for the small device set.
  • CSC - Caregiver sign-in frequency 8h (7d491c7a)
  • Rollout is per-user via group membership (test group SG-Caregivers-DeviceTest db5849ec carries the full rule set for one-at-a-time validation; promote to SG-Caregivers + disable compliance-block when validated).

Devices

  • Phones: Samsung A15s in Intune Shared Device Mode (Android Enterprise, device-token enrolled) — live.
  • Laptops/desktops: caregiver shared machines (Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, ASSISTNURSE-PC, NURSESTATION-PC) joined to Entra so CA recognizes them and they go on the allow-list (group Cascades - Caregiver Devices 02c6f698 for policy targeting).

ALIS SSO

  • Entra app registration -> OIDC SSO into ALIS; tenant-wide admin consent granted (2026-06-03). Per-user join key = ALIS staff Email must equal the Entra UPN. Caregivers SSO silently on phones (ALIS-native 2FA off); office users SSO with offsite MFA.

Status (as of 2026-06-05)

  • Proven working: the access model — caregiver lockdown + ALIS SSO — end-to-end on a desktop (pilot.test).
  • Blocker / pivot: device-level Intune policies (disable Windows Hello, idle-lock, Shared PC Mode profile-cleanup) can't deploy because the tenant's per-user Intune (INTUNE_A) won't provision — stuck PendingInput tenant-wide; no Windows device has ever Intune-enrolled (Android works via device-token, which needs no per-user Intune). Microsoft case open. Pivot: deliver those device settings via Group Policy (Hybrid Entra Join / domain join) or local policy — no Intune dependency. Caregiver access itself does NOT depend on Intune.

Profile

  • Contract type: Prepaid hour block
  • Key contacts:
    • Meredith Kuhn — Assistant Manager (ASSISTMAN-PC); internal billing contact. NEVER set her as ticket contact in Syncro — she is the wrong default that keeps being selected.
    • John Trozzi — Maintenance staff, Mac at 201cascades@gmail.com (shared facility account)
    • Lauren Hasselman — Accounting
    • Zachary Nelson — Accounting Assistant
    • Lois Lane — CareTakers department head (DESKTOP-KQSL232); resistant to domain migration; John Trozzi is liaison
    • Crystal Rodriguez — staff
    • Sharon Edwards — Life Enrichment Assistant (DESKTOP-DLTAGOI)
    • Ashley Jensen — Accountant (DESKTOP-U2DHAP0)
    • Shelby Trozzi — MemCare Director (MDIRECTOR-PC)
    • Chris Knight — staff; chris.knight@cascadestucson.com (alias: c.knight@cascadestucson.com); bill.com and BOK Financial recipient (issue investigated 2026-06-04)
  • Billing rate: $175/hr all labor (prepaid block customer)
  • Hours remaining: 15.75 hrs as of 2026-06-04 (after tickets #32381 0.5h onsite, #32382 1.5h onsite, #32383 1.5h remote billed 2026-06-04). Always live-check via GET /customers/20149445 before billing — balance is unreliable across sessions.
  • Syncro customer ID: 20149445
  • Active tickets:
    • #110680053 — Dept-by-dept domain migration (primary active project; plan: C:\Users\Howard\.claude\plans\wise-discovering-panda.md)
    • #109412123 — Entra setup project (may be invoiced as of 2026-05-18; verify status)
    • #109035475 — John Trozzi desktop WiFi upgrade (billed)
    • #32370 — eFax setup on Karen's and Christin's machines + portable scanner setup on both (Howard onsite; no appointment scheduled yet; ticket open/pending 2026-06-02)
    • #32381 — Tamra scanner onsite (0.5h onsite, billed 2026-06-04, prepaid block)
    • #32382 — Megan file access onsite (1.5h onsite, billed 2026-06-04, prepaid block)
    • #32383 — Chris Knight bill.com / BOK email delivery (1.5h remote, billed 2026-06-04, prepaid block; Syncro id 112201209)

Infrastructure

Servers & Services

| Host | IP | Role | OS | Notes |
|------|----|------|----|-------|
| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). Single DC — CRITICAL risk. No backup. GuruRMM agent ID: 6766e973-e703-47c1-be56-76950290f87c |
| CS-SERVER iDRAC | 192.168.2.65 | Out-of-band management | (Dell iDRAC) | Dell OOB interface |
| CS-QB (Hyper-V VM on CS-SERVER) | 192.168.2.228 | VoIP server | (not recorded) | [REVIEW — transitioning away from traditional landlines to wireless phones; revisit this entry] |
| cascadesDS (Synology NAS) | 192.168.0.120 | NAS / legacy file storage | DSM | Port 5000 HTTP. Workgroup name is "CASCADES" — same as AD short name, causing Kerberos auth failures from domain-joined machines. Slated to become backup-only. |
| pfSense Firewall | 192.168.0.1 | Perimeter firewall, inter-VLAN routing | pfSense 24.0 | Dual-WAN. All DHCP served here (CS-SERVER DHCP role has no scopes). MAC: 00:f1:f5:34:b3:4a |

[WARNING] CS-SERVER hardware: Dell R610 with mixed SATA laptop drives (OS array, no hot spare) and enterprise SAS drives from 2015-2016. No backup exists. No second DC. Hardware will fail — DC migration is urgent.

[WARNING] HIPAA violation: No backup for CS-SERVER (§164.308(a)(7)). Synology Active Backup for Business is blocked (ext4 filesystem, not Btrfs).

Email & Identity

  • M365 tenant: cascadestucson.com | Tenant ID: 207fa277-e9d8-4eb7-ada1-1064d2221498
  • M365 license: Business Premium (SPB) — 34 seats enabled, 3 consumed, 31 free. Business Standard (O365_BUSINESS_PREMIUM) — SUSPENDED, 31 users still assigned. Relicensing 31 users Business Standard → Business Premium is pending and time-sensitive — those users may have degraded service.
  • On-prem AD domain: cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness)
  • MX / mail flow: Exchange Online (M365). SPF: v=spf1 a mx ip4:72.194.62.5 include:spf.protection.outlook.com include:spf-0.secureserver.net -all. DKIM: both M365 selectors published. DMARC: p=quarantine;pct=100 — upgraded from p=none. Reports to info@cascadestucson.com (unmonitored). No third-party email gateway (EOP direct MX).
  • MFA: CA policy "Require MFA for all users" is enabled. Caregiver bypass in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section. Voice-call MFA is disabled tenant-wide (SMS + Authenticator are the allowed methods). Exception: security group "MFA - Voice Call Scoped (sysadmin)" (id 304f941e-3594-4705-b8e6-ee676297df11, single member sysadmin@) has Voice method enabled — created 2026-06-05 so Howard has a code-delivery path on the shared GA without a tenant-wide change. sysadmin@ phone methods after 2026-06-05: mobile/SMS +1 520-289-1912 (Mike); alternateMobile/voice +1 520-585-1310 (Howard, was +1 520-331-5551).
  • Entra Connect: Installed on CS-SERVER 2026-04-25. Exited staging 2026-05-14 — actively syncing (last sync confirmed 2026-05-27). OU=Administrative not yet in sync scope; UPN suffix updates for Administrative OU users pending before that OU can be added.
  • Break-glass accounts: Two planned (breakglass1-csc@cascadestucson.com, breakglass2-csc@cascadestucson.com). Confirmed not yet created as of 2026-05-27 (live tenant check). FIDO2 YubiKeys ordered — arrival unconfirmed. Vault entries not yet created.
  • Admin accounts:
    • admin@cascadestucson.com — Mike's working admin (cloud-only, Connect-excluded by design)
    • sysadmin@cascadestucson.com — Howard's working admin (cloud-only, Connect-excluded by design). Object id: 471b13dc-3cf8-416b-a132-f5f3bc8d1cc8. Password rotated by Mike 2026-06-04; vaulted by Howard 2026-06-05 at clients/cascades-tucson/m365-sysadmin.sops.yaml.
  • ALIS (clinical SaaS): https://cascadestucson.alisonline.com — Entra SSO live and working; proven end-to-end with pilot.test on Galaxy A15 caregiver phones. Install key: d796539d-356b-4190-9c17-35f0f1129376. Vault: clients/cascades-tucson/alis-sso-app-registration.sops.yaml (Entra app reg + ALIS Inbound Connections Basic Auth creds + install key). ALIS application ID d5108493-cba8-4f08-90b6-1bb0bc09eb2a, client secret expires 2028-05-06 (rotation reminder — expiry breaks ALIS SSO tenant-wide). Per-caregiver: ALIS staff-record Email must match Entra UPN exactly. BAA with Medtelligent not yet verified — confirm with Meredith.
    • Admin consent (2026-06-03): Tenant-wide admin consent (AllPrincipals User.Read) granted on ALIS Entra service principal (e1cae4ad-5beb-44ca-82d4-434c9bd835ad) via Graph API (oauth2PermissionGrant id reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds). This resolved AADSTS65001 sign-in failures that office/clinical staff (megan.hiatt, karen.rossini, memcarereceptionist) were hitting on non-phone devices. Root cause was missing admin consent — NOT Conditional Access, network, or password. Prior state: only two per-user (Principal) consent grants existed, so all other users hit 65001. CA policies had conditionalAccessStatus: success on all failing sign-ins; both WAN IPs were trusted Named Locations.
    • How to enable ALIS SSO for one user (procedure — confirmed 2026-06-03):
      1. User needs a valid Entra identity (synced or cloud-only both work).
      2. Tenant-wide admin consent for the ALIS app must exist — done globally 2026-06-03, so this is a one-time prerequisite, NOT per-user.
      3. In ALIS admin -> Staff -> the user's record, set the Email field = the user's exact Entra UPN (e.g. crystal.rodriguez@cascadestucson.com). This is the per-user SSO join key.
      4. User signs in via "Sign in with Microsoft" — not the ALIS username/password box.
      5. Turn off ALIS-native 2FA on that user's account (Entra is the second factor; native 2FA conflicts and locked out Karen Rossini on 2026-05-29).
      • Diagnostic signature: a user with zero ALIS-app sign-in events in the Entra sign-in logs is still on the old direct-login path (never reached Entra) — the fix is the ALIS Email match, not anything in Entra. Confirmed with Crystal Rodriguez (2026-06-03): identical to Megan Hiatt on identity, sync state, security group, and even held her own per-user consent grant — the ONLY difference was the missing ALIS Email match. Adding her email fixed SSO immediately. Megan worked because her ALIS record was already Email-matched and she used the Microsoft login; Crystal was falling back to direct ALIS login.
      • Sweep target: apply to all office/clinical users (Karen Rossini, MemCare reception, etc.) to standardize everyone onto SSO.
  • Caregiver phones: 22 Samsung Galaxy A15s enrolled in Intune Shared Device Mode (SDM). Enrollment profile: CSC - Android Shared Phones (Entra SDM) (9a0fcc6d-0a88-466e-aa53-44401bb74fca); 25 devices enrolled per 2026-06-03 Intune pull. Dynamic group: Cascades - Shared Phones (ea96f4b7-3000-45da-ab1f-ddb28f509526). Used by caregivers for Teams, Outlook, and ALIS. CA policies: block off-network, block non-compliant device (see below re: pending replacement with allow-list), 8h sign-in frequency. Android enrollment token expires 2027-05-08 — token is a join key only; expiry does NOT unenroll existing devices.
  • Audit retention: Approved 2026-04-29. Azure Log Analytics (90d) + Storage Account (6yr) in ACG subscription e507e953-2ce9-4887-ba96-9b654f7d3267, RG rg-audit-cascadestucson. Not yet built. Runbook: .claude/skills/remediation-tool/references/audit-retention-runbook.md.
  • Inky: No Inky deployment exists in this tenant. No connector, no transport rule, no OAuth app, no add-in. Confirmed 2026-06-04.
  • EXO MSP app auth note (2026-06-04): When the MSP app cert is not in the Windows cert store on a given machine, use client_credentials flow to obtain an EXO-scoped access token and connect via Connect-ExchangeOnline -AccessToken. This bypasses both the cert requirement and interactive MFA. App: ComputerGuru Exchange Operator (b43e7342-5b4b-492f-890f-bb5a4f7f40e9). Vault: msp-tools/computerguru-exchange-operator.sops.yaml.
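The diagnostic signature for ALIS SSO above (zero ALIS-app sign-in events means the user never reached Entra) is easy to sweep across the office/clinical user list rather than one user at a time. The script below is an added example, not code from this wiki, Microsoft or Medtelligent; it assumes the Microsoft.Graph PowerShell SDK, AuditLog.Read.All + Directory.Read.All, the ALIS application ID quoted on this page, and a constructed list of UPNs to check.

```powershell
# Added example (not from the Cascades wiki). Classifies each user by their
# Entra sign-in events against the ALIS app registration:
#   no events  -> still on direct ALIS login: fix the ALIS staff Email = UPN, not Entra
#   65001      -> consent missing (the 2026-06-03 root cause)
#   53003      -> Conditional Access block (device / location), not an SSO problem
param(
    [string]$AlisAppId = 'd5108493-cba8-4f08-90b6-1bb0bc09eb2a',   # ALIS application ID from this page
    [int]$Days = 30,                                               # v1.0 sign-in log retention with P1
    # Constructed sweep list; replace with the worklist users.
    [string[]]$Users = @('karen.rossini@cascadestucson.com', 'crystal.rodriguez@cascadestucson.com')
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# UTC, round-trip format ("o") ends in Z and is accepted by the Graph $filter.
$since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('o')

$report = foreach ($upn in $Users) {
    $f = "appId eq '$AlisAppId' and userPrincipalName eq '$upn' and createdDateTime ge $since"
    $events = @(Get-MgAuditLogSignIn -Filter $f -All `
                  -Property createdDateTime, status, deviceDetail, conditionalAccessStatus)
    $ok    = @($events | Where-Object { $_.Status.ErrorCode -eq 0 })
    $codes = @($events | Where-Object { $_.Status.ErrorCode -ne 0 } |
               Group-Object { $_.Status.ErrorCode } |
               ForEach-Object { "$($_.Name)x$($_.Count)" })

    $verdict = if ($events.Count -eq 0) { 'NO-ENTRA-EVENTS: set ALIS staff Email = Entra UPN' }
               elseif ($ok.Count -gt 0)  { 'SSO-OK' }
               elseif ($codes -match '^65001') { 'CONSENT-MISSING (65001)' }
               elseif ($codes -match '^53003') { 'CA-BLOCKED (53003): check device/location' }
               else { 'FAILING: inspect ErrorCodes' }

    [pscustomobject]@{
        User       = $upn
        Events     = $events.Count
        LastOk     = ($ok | Sort-Object CreatedDateTime -Descending | Select-Object -First 1).CreatedDateTime
        ErrorCodes = ($codes -join ',')
        Verdict    = $verdict
    }
}

$report | Format-Table -AutoSize
```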

Network

  • ISP / WAN: Dual-WAN Cox Fiber (primary, static 184.191.143.62/30, gateway 184.191.143.61) + Cox Coax (secondary, DHCP 72.211.21.217). Both WAN IPs added as Cascades Named Location in Entra (ID: 061c6b06-b980-40de-bff9-6a50a4071f6f).
  • Firewall: pfSense 24.0 at 192.168.0.1. Serves all DHCP. Inter-VLAN routing. 236 resident-room VLANs (per-room /28, 10.[floor].[room].0/28). Staff/infra VLAN 20 (10.0.20.0/24, gateway 10.0.20.1). Guest VLAN 50 (10.0.50.0/24, RFC1918 blocked).
  • Switching: Full UniFi. 82 APs + 5 managed switches (1st Floor USW-48 PoE core; floors 2-4 USW-Pro-24-PoE; MemCare USW-Pro-24-PoE; USW Lite 8 PoE; USW-16-PoE VoIP switch). Switch hardware replacement on floors 2/3/4 complete.
  • WiFi SSIDs:
    • CSCNet — staff, VLAN 20
    • CSC ENT — legacy SSID, main LAN (192.168.0.0/22), being deprecated as migration proceeds
    • Guest — isolated, VLAN 50
  • VoIP: AudioCodes phones (8 units) on USW-16-PoE. CS-QB VM at 192.168.2.228. Not MSP-managed but infra must stay static.

External Vendors & Mail Senders

  • bill.com (BILL): Sends from inform.bill.com, hq.bill.com, hello.bill.com, mc.bill.com. MX via pphosted.com (Proofpoint). Confirmed delivering successfully to meredith.kuhn, ashley.jensen, lauren.hasselman, zachary.nelson as of 2026-06-04. Safe sender: account-services@inform.bill.com.
  • BOK Financial: Sends from bokfinancial.com. MX via pphosted.com (Proofpoint). DMARC p=reject. Zero emails to any cascadestucson.com user in 90-day history as of 2026-06-04 (likely wrong recipient address on BOK's side for the accounts in question).

Access

  • CS-SERVER: Via ScreenConnect or GuruRMM (agent ID: 6766e973-e703-47c1-be56-76950290f87c)
  • CS-SERVER iDRAC: 192.168.2.65
  • pfSense admin: https://192.168.0.1 — vault: clients/cascades-tucson/pfsense-firewall.sops.yaml
  • Synology DSM: http://192.168.0.120:5000 — vault: clients/cascades-tucson/ (existing entry)
  • M365 admin: admin@cascadestucson.com — vault: clients/cascades-tucson/m365-admin.sops.yaml
  • M365 sysadmin: sysadmin@cascadestucson.com — vault: clients/cascades-tucson/m365-sysadmin.sops.yaml
  • WiFi CSCNet: vault: clients/cascades-tucson/wifi-cscnet.sops.yaml
  • MDM service account: vault: clients/cascades-tucson/mdm-service-account.sops.yaml
  • ALIS SSO app registration: vault: clients/cascades-tucson/alis-sso-app-registration.sops.yaml
  • GuruRMM — RECEPTIONIST-PC: agent ID 9c91d324-1073-449c-8cc0-45c5bccfc218 (flaky WebSocket, may lag fleet updates)
  • Remediation tool: Full tiered app suite consented 2026-04-21. All six apps active: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on, Intune Manager. Old app fabb3421 (ComputerGuru - AI Remediation) still present but superseded.
  • ComputerGuru Exchange Operator MSP app: b43e7342-5b4b-492f-890f-bb5a4f7f40e9 — vault: msp-tools/computerguru-exchange-operator.sops.yaml. Use access token auth when cert not in store (see Email & Identity section).
  • Vault root: clients/cascades-tucson/ in vault repo

Patterns & Known Issues

Syncro / Billing

  • Never set a contact on any Syncro ticket unless explicitly requested. This is a global rule, not Cascades-specific. At Cascades, Meredith Kuhn is the recurring wrong default that Syncro pre-selects — she is not the correct contact. Leave contact_id blank; Syncro routes to the correct distribution emails automatically. Source: feedback_syncro_blank_contact.md.
  • Billing product for prepaid block draw: Use a real labor type (Remote, Onsite, etc.) — NOT "Prepaid project labor" (exempt, won't decrement the block).
  • Always live-check hours before billing: GET /customers/20149445 in Syncro. The 2026-05-01 invoice debit may not have fired correctly — treat all cached hour counts as approximate.

Exchange Online / Message Tracing

  • Get-MessageTrace is hard-deprecated (Sept 2025). As of 2025-09-01, Get-MessageTrace returns BadRequest / ValidationException via EXO InvokeCommand. Use Get-MessageTraceV2 instead. Key parameter change: use ResultSize (not PageSize). The deprecation error may be silently swallowed by downstream jq filters — if a trace returns unexpectedly empty, check the raw response for a deprecation error string before assuming no mail. Source: 2026-06-04 Chris Knight investigation.
  • Sender-side suppression (SendGrid ESP): If a user never receives mail from a specific sender despite a healthy mailbox, and message trace shows zero records (not even bounces), consider a SendGrid suppression list. Resends will also fail silently. Fix requires contacting the sender's support to clear the suppression — there is no M365 action that can resolve this. Confirmed with bill.com / inform.bill.com. Pattern also applies to other high-volume senders using SendGrid.

Active Directory / User Management

  • Security group assignment is always explicit. When creating or adding any Cascades user, always ask which security group(s). OU → group auto-mirror was explicitly declined 2026-05-14. OU placement controls Entra Connect sync scope; group membership controls CA policy — two separate deliberate decisions. Source: feedback_cascades_user_security_group.md.

  • New user mandatory order (folder redirection):
    1. Create AD user
    2. Run New-HomeFolder -Username "<sam>" on CS-SERVER (creates root + Desktop/Documents/Downloads/Music/Pictures with correct ACL)
    3. Add to SG-FolderRedirect
    4. THEN first domain logon
    • Skipping step 2 causes fdeploy to cache a failure silently and never retry. Source: feedback_cascades_folder_redirect.md.
  • Folder redirect recovery: If fdeploy cached a failure ("No changes detected"), run clients/cascades-tucson/scripts/fix-shell-redirect.ps1 via GuruRMM while user is logged in. Must set both GUID-based and legacy-name registry keys. Folders must already exist on server.

  • fdeploy1.ini flags: Changed from Flags=1211 (included Grant Exclusive Rights bit 0x400, causing WRITE_DAC failures on new subfolders) to Flags=187. File at {512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini on CS-SERVER.

  • Login-screen hide (SpecialAccounts\UserList): An enabled local admin that does not appear in the Windows sign-in picker is a SpecialAccounts\UserList suppression, not a disabled account. Registry path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, value <username>=0. Fix: delete the DWORD value (or set it to 1); account reappears after sign-out/reboot. Confirmed on NURSESTATION-PC (RMM agent f5a89784-834f-47b1-82e2-7e3e9dd337ff) 2026-06-05 — localadmin=0 removed; account was already enabled and in Administrators (unchanged).
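A quick local audit for the SpecialAccounts\UserList case above, so a hidden-but-enabled admin is not misdiagnosed as a disabled account. Added example, not a script from this wiki; it assumes it runs elevated (e.g. via GuruRMM) and that the account name passed to -Remove is the one to unhide.

```powershell
# Added example (not from the Cascades wiki). Lists every UserList suppression
# and cross-references it with local accounts and Administrators membership.
# -Remove <name> deletes that value (the page's fix; setting it to 1 also works).
param([string]$Remove)   # e.g. -Remove localadmin (the NURSESTATION-PC case)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (-not (Test-Path $key)) {
    "No UserList key present; nothing is hidden from the sign-in picker."
    return
}

$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$item   = Get-Item $key

foreach ($name in $item.GetValueNames()) {
    $local   = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    $enabled = if ($local) { $local.Enabled } else { $null }
    [pscustomobject]@{
        Account = $name
        Hidden  = ($item.GetValue($name) -eq 0)   # 0 = suppressed from the picker
        Exists  = [bool]$local
        Enabled = $enabled                         # $true here + Hidden = the page's symptom
        IsAdmin = ($admins -contains "$env:COMPUTERNAME\$name")
    }
}

if ($Remove) {
    if ($null -eq $item.GetValue($Remove)) { throw "No UserList value named '$Remove'." }
    Remove-ItemProperty -Path $key -Name $Remove
    "Removed UserList\$Remove; the account reappears in the picker after sign-out or reboot."
}
```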

Conditional Access / Caregiver Policies

  • Phased rollout — never tenant-wide. CA policies for caregivers now target SG-Caregivers (8b8d9222-5d71-419a-936d-56d895c6c332) (Entra Connect exited staging 2026-05-14; SG-Caregivers-Pilot superseded). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on excludeGroups, never replace. Source: project_cascades_ca_phased_rollout.md.
  • Enforced caregiver CA policy set (unchanged as of 2026-06-03):
    • CSC - Block caregivers off Cascades network (e35614e1-e896-4a13-9407-076963af488f) — BLOCK if location not Cascades
    • CSC - Block caregivers on non-compliant device (ede985e2-ee7e-4521-88b2-34c847c3db20) — BLOCK if device non-compliant. Pending DISABLE at allow-list cutover (see below).
    • CSC - Caregiver sign-in frequency 8h (7d491c7a-ad90-4420-9990-40a1e676a76c)
  • Caregiver device allow-list (2026-06-03 — report-only): The device restriction is being changed from compliance-based to an explicit device allow-list (phones matching displayName -startsWith "CSC-" plus 5 tagged laptops/PCs with extensionAttribute1=CSCCaregiverDevice). Rationale: tenant has no Windows compliance policy and secureByDefault=false, meaning compliance-only would admit any future-enrolled machine. New CA policy created in report-only:
    • CSC - Caregivers: allow-listed devices only (REPORT-ONLY) — id 1b7fd025-1aad-47c8-9274-c32c3e0b163c; state enabledForReportingButNotEnforced

    • Target group: SG-Caregivers (8b8d9222). Excludes: sysadmin@, admin@, SG-CA-BreakGlass (131e51ac-d69b-44b8-9c81-56890537a796)

    • Device filter (mode exclude): (device.displayName -startsWith "CSC-") -or (device.extensionAttribute1 -eq "CSCCaregiverDevice")

    • Allowed device list (target — 5 devices tagged CSCCaregiverDevice):

      | Device | OS | GuruRMM agent |
      |--------|----|---------------|
      | NURSESTATION-PC | Win 11 | 8164c6fa-62e7-4aa5-88e4-624f2f656932 |
      | Laptop2 | Win 11 | dc8daf71-a2e6-4181-8cf2-c463c95dcd7d |
      | LAPTOP-8P7HDSEI | Win 10 (EOL — upgrade) | 9b74852c-623a-4d4a-bdda-1709ee75ae44 |
      | LAPTOP-DRQ5L558 | Win 11 | f9e25b3b-da63-40ff-94a6-8cec3b9a19ce |
      | LAPTOP-E0STJJE8 | Win 11 | 4ac00700-9a9b-4e7f-a7aa-c51857b77661 |
    • Join model (decided 2026-06-03): The 4 laptops are Entra-joined (cloud join), NOT domain-joined — a domain-only PC has no Entra device object, so the CA device filter cannot allow-list it. The laptops are shared ALIS/Teams/Outlook access points and do not need the on-prem GPO stack. NURSESTATION-PC stays domain-joined and gets Hybrid Entra Join (needs on-prem printers + ALDocs share); requires a one-time device-options config in Entra Connect on CS-SERVER, and its stale 2021 Entra record (Workplace, last seen 2021-07-03) should be cleaned. Mixed model is supported.

    • Enrollment account: devices@cascadestucson.com (Cloud Device Administrator, aaca80c6-861b-4294-8068-1033c68d7667). Licensed Business Premium + usageLocation=US on 2026-06-04 and ready to join/auto-enroll. The license is needed only at enrollment time so auto-MDM-enroll fires; the device stays enrolled and allow-listed afterward regardless of the enroller's license, so the SPB seat can be reclaimed after the batch (30 SPB seats free as of 2026-06-03). One license covers sequential enrollments. Mark each laptop a shared device (remove primary user) to drop per-user license dependency. Confirm MDM user scope = All (Entra -> Devices -> Mobility) before joining — not verifiable via API.

    • Printing: does NOT require domain join — Entra-joined laptops print via direct IP network printers or an Intune-pushed Add-Printer config. Printers: FrontDesk Epson ET-5800 192.168.2.147, CopyRoom Canon C478iF 192.168.2.230, MCReception Epson ET-5800.

    • Enrollment progress (2026-06-04): 3 of the laptops Entra-joined + tagged CSCCaregiverDevice — Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8 (all Win11 26200). Pending Win11 25H2 upgrade then join+tag: LAPTOP-8P7HDSEI, ASSISTNURSE-PC. NURSESTATION-PC confirmed permanent caregiver device (hybrid-join pending). Full set = phones + those 6 machines. All joined laptops show isManaged=null (auto-MDM-enroll did not fire — MDM user scope likely not =All, and only local logins so far). Intune is OPTIONAL: the allow-list is tag-based and works on Entra-join alone; Intune only needed for printer-push / a Windows compliance policy. Intune/MDM decision deferred until all devices on Win11 25H2. Enrollment account devices@ (Cloud Device Admin), licensed Business Premium transiently (reclaim after batch).

    • Cutover (low-risk, can be all-at-once): verified no gap — only CSC- phones are compliant today and the allow-list also permits them, so enabling the allow-list ADDS the laptops without removing phone access; nobody on a phone gets locked out. Per-user go-live gate is the ALIS email-match + test sign-in (one at a time), not a CA change. Cutover = enable CSC - Caregivers: allow-listed devices only + disable CSC - Block caregivers on non-compliant device.

    • Restricted vs privileged classification (2026-06-04): Restricted/inside (SG-Caregivers) = the 38 + Veronica Feller (caretaker; inventory shows her remote/PA — confirm on-site) + Christine Nyanzunda (MC admin asst + PT medtech; uses ASSISTNURSE-PC; directory surname typo "Nyanzuda" to fix). Privileged/outside (NOT in SG-Caregivers; ALIS via SSO + offsite MFA) = Lois Lane, Karen Rossini, Christina DuPras, and all admins/directors/managers; nurses ruled OUTSIDE. Zachary Nelson is accounting/no-ALIS (not a caregiver). Still pending classification: Judith Palmer, Patricia Sandoval-Beck, Joey Ty, Alejandra Vallejo, Celia Lassey. Worklist: clients/cascades-tucson/reports/2026-06-04-caregiver-alis-sso-worklist.md.

    • User<->computer map source: Syncro kabuto_information.last_user (GuruRMM does not expose logged-in user). DuPras=ALASSIST-PC, Lois Lane=DESKTOP-KQSL232, Karen Rossini=DESKTOP-LPOPV30, shared medtech=ASSISTNURSE-PC, shared MemCare reception=MEMRECEPT-PC (excluded from caregiver allow-list, receptionist-only). CONTEXT.md GuruRMM roster stale (27->32) — refresh pending.

    • Caregiver desktop app shortcuts: ALIS (https://cascadestucson.alisonline.com), LinkRx (https://pharmcare.linkrxnow.com/), HelpAny (https://app.safe-living.com/login) — deploy via a Public-Desktop PowerShell script launching Edge --app mode (preserves SSO device-claim), pushed via GuruRMM to the 6 caregiver machines.

    • Login UX: Entra/Microsoft sign-in (and ALIS SSO) requires the full UPN — no bare-username option for cloud accounts. Minimize typing via Windows Hello PIN on laptops + silent ALIS SSO once signed in; pursue ALIS Login PINs (Medtelligent limited-release).

    • Caregiver test rig (2026-06-05, in progress): phased-test infrastructure before promoting to all caregivers.
      • Groups: SG-Caregivers-DeviceTest (db5849ec, USERS) carries the full caregiver rule set (off-network block + sign-in frequency + allow-list; excluded from the compliance-block). Cascades - Caregiver Devices (02c6f698, STATIC devices) targets Intune profiles (NURSESTATION only for now). SG-Intune-Enrollment (13d94f6e, holds devices@) scopes MDM auto-enroll.
      • Test account: pilot.test@cascadestucson.com (d26e0e5a, Business Premium, ephemeral).
      • Intune profiles on the device group: idle-lock 5 min + disable-WHfB (OMA-URI); Shared PC Mode deferred to the portal.
      • NURSESTATION-PC: un-joined from the domain, Entra-joined (Win11 25H2) and tagged; NOT yet Intune-enrolled (MDM scope is a portal toggle).
      • PROVEN 2026-06-05: pilot.test on NURSESTATION-PC -> ALIS opened via SSO with the lockdown holding (off-network blocked; only the allow-listed device passes). ALIS first threw CA error 53003 because the extensionAttribute1 tag takes >70 min to propagate into CA's device-filter cache; fixed by adding NURSESTATION's deviceId directly to the allow-list rule (immediate, lag-free). For the small caregiver device set, deviceId matching is the reliable lever.
      • Open: Intune enrollment blocked. The INTUNE_A service plan is PendingInput (not provisioned) on the newly-licensed accounts (devices@, pilot.test); established users are fine. A device cannot enroll through an account whose Intune plan is not active. Re-kicked devices@'s Business Premium license to force re-provisioning; re-check for Success. Until enrolled, the scoped disable-Hello / Shared-PC profiles cannot apply (the Hello prompt is dismissible meanwhile; tenant WHfB left notConfigured so office users keep PIN + Authenticator). Windows shared-device UX differs from phone SDM.
      • Promotion: once enrolled and validated, point the allow-list at SG-Caregivers (prefer the deviceId list) and disable the compliance-block.

    • Threat model (confirmed 2026-06-05): off-network + device allow-list specifically defeats remote credential abuse (hacker / bad employee from home) — stolen caregiver creds unusable off-site/off-device because CA blocks the cloud sign-in before ALIS/email. Risk-based MFA policies are inert (tenant has no Identity Protection P2 license).

  • GDAP exclusion: CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + SG-External-Signin-Allowed + SG-Break-Glass, otherwise ACG partner admins lose access at CA cutover.
  • Pilot cleanup required when done: Delete pilot.test@cascadestucson.com, clean up howard.enos@cascadestucson.com, remove SG-Caregivers-Pilot from CA policy targets and delete the group. Source: project_cascades_pilot_cleanup.md.

EXO / Message Trace

  • Get-MessageTrace is deprecated; use Get-MessageTraceV2 instead. V2 caps each query at a 10-day window, so loop 9 consecutive 10-day windows to cover 90 days. Requesting a wildcard sender over a 30-day window returns false positives because the call violates that window limit; keep windows to 10 days and name specific sender domains.
  • EXO access token auth: When Connect-ExchangeOnline -Credential fails (MFA/modern auth block) and the app cert is not in the Windows cert store, use client_credentials flow to get an EXO-scoped token and pass it via -AccessToken. See access note in the Access section above.
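An added example (not from the session logs or any ACG tooling) that puts the two notes above together: a client_credentials token for Exchange Online passed to Connect-ExchangeOnline -AccessToken, then a 90-day Get-MessageTraceV2 sweep done as nine 10-day windows. Tenant ID, app ID and secret are placeholders; the initial domain, and an app registration holding Exchange.ManageAsApp plus an Exchange admin role, are assumptions.

```powershell
# Added example, not the project's own script. Placeholders and assumptions
# are marked; read the secret from a vault in practice, never from a script.
Import-Module ExchangeOnlineManagement

$TenantId     = '<tenant-id>'                    # placeholder
$ClientId     = '<app-client-id>'                # placeholder
$ClientSecret = '<app-client-secret>'            # placeholder
$Org          = 'cascadestucson.onmicrosoft.com' # assumed initial domain
$Recipient    = 'chris.knight@cascadestucson.com'
$SenderDomain = 'inform.bill.com'                # specific domain, no wildcard

# 1. client_credentials flow scoped to Exchange Online (NOT the Graph scope);
#    this is the path to use when the app cert is not in the local cert store.
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://outlook.office365.com/.default'
    }
Connect-ExchangeOnline -AccessToken $tokenResp.access_token -Organization $Org -ShowBanner:$false

# 2. Walk the 90-day retention period as 9 consecutive 10-day windows.
#    V2 rejects longer windows, so never ask for 30 days in one call.
$end = (Get-Date).ToUniversalTime()
$results = foreach ($i in 0..8) {
    $winEnd   = $end.AddDays(-10 * $i)
    $winStart = $winEnd.AddDays(-10)
    Get-MessageTraceV2 -RecipientAddress $Recipient -StartDate $winStart -EndDate $winEnd -ResultSize 5000 |
        Where-Object { $_.SenderAddress -like "*@$SenderDomain" }   # filter client-side
}

# 3. Anything the sender's ESP suppressed never reaches this trace at all;
#    zero rows here while other recipients get mail points at the sender side.
$results | Sort-Object Received -Descending |
    Select-Object Received, SenderAddress, RecipientAddress, Status |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```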

Known Issues / Pending Hygiene (as of 2026-06-04)

  • [BUG] Stale exclude-group on MFA-all-users policy: The Require multifactor authentication for all users policy (7e87a1c7…) currently excludes SG-Caregivers-Pilot (0674f0bc…) instead of the live SG-Caregivers (8b8d9222…). Functionally harmless today (pilot group still exists), but this is a known bug that must be corrected. Fix: PATCH excludeGroups to replace SG-Caregivers-Pilot with SG-Caregivers.
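Added example code (not the project's own) for the two Conditional Access edits this page calls for: swapping the stale exclude group on the MFA-all-users policy, and pinning a device filter to explicit deviceIds as was done for NURSESTATION in the caregiver test-rig notes. Policy, group and device IDs are placeholders because only truncated prefixes appear on this page; the filter mode (exclude, meaning matching devices escape the block) is an assumption that must match the policy's existing design.

```powershell
# Added example, not the project's own code. Pattern: GET the policy, change
# one field in memory, PATCH the whole conditions object back so nothing else
# in conditions is silently dropped. IDs below are placeholders.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All' -NoWelcome

$BaseUri = '/v1.0/identity/conditionalAccess/policies'

function Get-CaPolicy([string]$PolicyId) {
    Invoke-MgGraphRequest -Method GET -Uri "$BaseUri/$PolicyId"
}

function Set-CaConditions([string]$PolicyId, $Conditions) {
    Invoke-MgGraphRequest -Method PATCH -Uri "$BaseUri/$PolicyId" `
        -Body (@{ conditions = $Conditions } | ConvertTo-Json -Depth 20) `
        -ContentType 'application/json'
}

# Fix 1: replace a stale exclude group (pilot -> live). Refuses to touch a
# policy that does not actually carry the old group, so it is safe to re-run.
function Replace-CaExcludeGroup([string]$PolicyId, [string]$OldGroupId, [string]$NewGroupId) {
    $p    = Get-CaPolicy $PolicyId
    $excl = @($p.conditions.users.excludeGroups)
    if ($excl -notcontains $OldGroupId) { throw "Policy $PolicyId does not exclude $OldGroupId; nothing changed" }
    $p.conditions.users.excludeGroups = @($excl | Where-Object { $_ -ne $OldGroupId }) + $NewGroupId
    Set-CaConditions $PolicyId $p.conditions
}

# Fix 2: pin the device filter to explicit deviceIds. Unlike an
# extensionAttribute1 tag, a deviceId match is evaluated immediately.
function Set-CaDeviceIdAllowList([string]$PolicyId, [string[]]$DeviceIds, [string]$Mode = 'exclude') {
    $p      = Get-CaPolicy $PolicyId
    $quoted = ($DeviceIds | ForEach-Object { '"' + $_ + '"' }) -join ','
    # Mode 'exclude': the (blocking) policy does NOT apply to listed devices.
    # Mode 'include': the policy applies ONLY to listed devices. Assumed: exclude.
    $p.conditions.devices = @{ deviceFilter = @{ mode = $Mode; rule = "device.deviceId -in [$quoted]" } }
    Set-CaConditions $PolicyId $p.conditions
}

# Usage with placeholders (replace with the full IDs from the portal):
Replace-CaExcludeGroup -PolicyId '<mfa-all-users-policy-id>' `
    -OldGroupId '<SG-Caregivers-Pilot-id>' -NewGroupId '<SG-Caregivers-id>'
Set-CaDeviceIdAllowList -PolicyId '<caregiver-allowlist-policy-id>' `
    -DeviceIds @('<NURSESTATION-PC-deviceId>')
```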
  • [DESIGN] ALIS-native 2FA is not a perimeter control. The Require MFA for all users policy excludes AllTrusted locations, so Entra never prompts on the Cascades network. A non-SSO ALIS user can reach ALIS from anywhere with only ALIS credentials — Entra never sees that login. The correct permanent model: force all ALIS logins through Entra SSO (SSO-only, credential fallback disabled), so Entra enforces onsite-seamless / offsite-MFA. Office/privileged users should be standardized onto ALIS SSO as a separate workstream; ALIS-native 2FA should then be disabled per-user then globally.
  • [INFO] Android enrollment token expiry (2027-05-08) does NOT unenroll devices. The CSC - Android Shared Phones (Entra SDM) enrollment token (9a0fcc6d) is a join key only. Existing enrolled devices (25 as of 2026-06-03) are unaffected by token expiry. Renewal is needed only before enrolling new devices after that date.
  • [INFO] Chris Knight bill.com/BOK Financial emails (2026-06-04): Zero bill.com or BOK Financial emails ever delivered to chris.knight@ or c.knight@ in 90 days. bill.com confirmed delivering to other Cascades users (no tenant-wide block). Root cause: bill.com and BOK Financial backends likely still have Chris Knight's old email address. Resolved externally by Howard. No tenant config changes needed.

Security Incidents (historical)

  • Megan Hiatt (2026-04-16): Active credential-stuffing — 126 failed sign-ins, bursts from Belfast GB, Hamburg DE. Password reset and SMTP AUTH disable were action items. Mailbox was clean (not breached).
  • John Trozzi (2026-04-16, 2026-04-20): Investigated twice — both times NO BREACH. First: credential stuffing flag (clean). Second: inbound phishing email (clean). Reports in clients/cascades-tucson/reports/.
  • Crystal Rodriguez (2026-04-19): Phishing investigation. Report: clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md.
  • Canva email delivery (2026-05-20): Alma Montt not receiving Canva invites. Resolved by adding canva.com domains to AllowedSenderDomains in EOP policies.
  • ALIS AADSTS65001 (2026-06-03): megan.hiatt, karen.rossini, memcarereceptionist could not sign in to ALIS on non-phone devices. Root cause: missing tenant-wide admin consent on ALIS SP (e1cae4ad). Resolved by granting AllPrincipals User.Read via Graph API. CA was NOT the cause — all failures showed conditionalAccessStatus: success from trusted IPs.
  • dunedolly21@gmail.com: External guest invited 2026-04-14 by Lauren Hasselman from mobile. Status unknown — confirm with Lauren. [unverified]
  • Chris Knight bill.com / BOK email delivery (2026-06-04): chris.knight@cascadestucson.com (alias: c.knight@cascadestucson.com) not receiving bill.com or BOK Financial emails. M365 mailbox confirmed healthy: 24 inbound messages traced over prior 48h, no inbox rules, no forwarding, no junk/quarantine hits, no transport rules or connectors blocking. Root cause: SENDER-SIDE, not M365. bill.com sends via SendGrid (inform.bill.com); the address was on SendGrid's ESP suppression list — mail dropped before SMTP, so nothing appeared in message trace and repeated resends never arrived. BOK diagnosis confirmed: correcting the email in BOK's portal produced a "Welcome to Exchange!" delivery from alerts@exchange.bokfinancial.com within minutes. bill.com fix requires calling bill.com support — the account email cannot be changed in the web UI (it is the locked login identity); support must update it AND clear the SendGrid suppression. Ticket #32383, 1.5h remote.

HIPAA Compliance

  • Primary objective. Cascades stores PHI on CS-SERVER and uses ALIS for clinical records.
  • Critical open gaps: No backup (§164.308(a)(7)); no audit logging on D:\Homes (§164.312(b)); Object Access auditing disabled; no SMB encryption on homes share; no file access auditing.
  • Restored 7 deleted mailboxes (2026-04-25) for HIPAA §164.316(b)(2) 7-year retention.
  • Termination policy established: Convert to shared mailbox, hide from GAL, retain 7 years.
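An added example (not a record of changes made on CS-SERVER) showing the corrected configuration for three of the gaps listed above: Object Access auditing, a file-access SACL on D:\Homes, and SMB encryption on the Homes share. The share name and path come from this page; the audited rights and the Everyone principal are assumptions to adjust against the audit-retention design.

```powershell
# Added example, not the project's own script. Run elevated on the file
# server (Get-Acl -Audit and Set-Acl with a SACL need SeSecurityPrivilege).
$HomesPath = 'D:\Homes'   # from this page
$ShareName = 'Homes'      # from this page

# 1. Enable the File System subcategory of Object Access (success + failure).
#    Without this, SACLs on the folder generate no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL on D:\Homes, inherited by all subfolders and files. Write/delete/
#    permission changes are audited; ReadData is left out on purpose so the
#    Security log stays usable (assumption: add it if the policy requires it).
$rights = [System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $HomesPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $HomesPath -AclObject $acl

# 3. Require SMB encryption on the share. Clients that cannot do SMB3
#    encryption are refused unless RejectUnencryptedAccess is turned off
#    server-wide, so confirm the client fleet first.
Set-SmbShare -Name $ShareName -EncryptData $true -Force

# 4. Verify all three settings took effect.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $HomesPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData
```

Events then land in the Security log as 4663 (object access) and 4670 (permission change), which is what the audit-retention pipeline needs to collect.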

Active Work

Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #110680053).

Migration phase status (as of 2026-05-26):

| Machine / User | Status |
|---|---|
| Sharon Edwards (DESKTOP-DLTAGOI) | Domain-joined, folder redirect working via registry workaround |
| Ashley Jensen (DESKTOP-U2DHAP0) | Domain-joined, folder redirect manually fixed |
| Crystal Rodriguez (CRYSTAL-PC) | Domain-joined, folder redirect confirmed working 2026-05-21 |
| RECEPTIONIST-PC (frontdesk) | Domain-joined 2026-05-22; loopback Replace mode, no folder redirect by design |
| NURSESTATION-PC | Domain-joined, folder redirect complete |
| Lauren Hasselman | Domain-joined, folder redirect complete 2026-05-23 |
| Megan Hiatt (Marketing) | COMPLETE 2026-05-27 — domain joined via ProfWiz, folder redirection live, data on server |
| DESKTOP-KQSL232 (Lois Lane — CareTakers) | Blocked — Lois Lane resistant to change; John Trozzi working with her |
| CHEF-PC, SALES4-PC, MDIRECTOR-PC | Not yet started |

Blocking issues / pending:

  • M365 relicensing: 31 Business Standard → Business Premium (SUSPENDED — time-critical, 31 SPB seats free)
  • Break-glass accounts: not created (confirmed 2026-05-27)
  • Audit retention infra: not built
  • RECEPTIONIST-PC GuruRMM agent (9c91d324): flaky WebSocket, lagging fleet
  • Entra Connect: OU=Administrative not yet in sync scope; UPN suffix updates for that OU pending
  • NURSESTATION-PC: auto-lock GPO (HIPAA, ~10 min idle) not yet applied
  • #32370 (open): Howard onsite — eFax setup on Karen's and Christin's machines; portable scanner setup on both. No appointment scheduled as of 2026-06-02.
  • #32383 (open — pending customer action): bill.com email delivery for Chris Knight. Cascades must CALL bill.com support to update account email to chris.knight@cascadestucson.com AND clear it from the SendGrid suppression list (cannot be done via web UI). BOK side near-resolved (address corrected; Chris to complete registration). Ticket logged 2026-06-04; investigation billed 1.5h remote.
  • Caregiver device allow-list: 4 laptops need Entra-join + Intune-enroll + extensionAttribute1 tagging before cutover (see Patterns section)
  • ALIS office/privileged standardization: move office/managers/nurses to ALIS SSO-only; disable ALIS-native 2FA per-user then globally (separate workstream)
  • Fix stale SG-Caregivers-Pilot exclude-group on Require MFA for all users policy (known bug, see Known Issues)
  • LAPTOP-8P7HDSEI: upgrade Win 10 → Win 11 before PHI use
  • Chris Knight bill.com/BOK Financial addresses: confirm updated in bill.com backend and at BOK Financial (resolved externally 2026-06-04 but no confirmation of actual address update on vendor side)

History Highlights

| Date | Event |
|---|---|
| 2026-03-06 | ACG onboarding begins. Initial audit (CS-SERVER Dell R610, pfSense, UniFi, Synology). 19 machines. No backup, no HIPAA compliance. |
| 2026-03-09 | AD security hardening: Monica Ramirez removed from Domain Admins, lockout policy fixed, AD Recycle Bin enabled, MachineAccountQuota set to 0. |
| 2026-03-31 | Cascades onboarded to remediation tool. Tenant ID documented. 50 users, Secure Score 34%. |
| 2026-04-13 | Major onsite: 13 stale AD accounts deleted, OU structure cleaned, UPNs migrated to cascadestucson.com, Homes share created, Folder Redirection GPO deployed (registry workaround), first domain joins. |
| 2026-04-14 | Sandra Fish global admin revoked. ALIS SSO confirmed. Business Premium proposal created. |
| 2026-04-16 | Breach checks: Megan Hiatt (credential stuffing, not breached; password reset). John Trozzi (clean). Crystal Rodriguez phish. /remediation-tool skill built. |
| 2026-04-17 | Howard onsite: folder redirect Sharon Edwards diagnosis. John Trozzi WiFi (TP-Link + UniFi roaming instability). |
| 2026-04-25 | Entra Connect installed on CS-SERVER (staging mode). 7 deleted mailboxes restored for HIPAA. Dual-WAN discovered. |
| 2026-04-28-29 | CA policy reconciliation. Audit retention architecture (ACG-billed, LAW 90d + Storage 6yr). Break-glass design (2 accounts, YubiKeys). Caregiver pilot scope corrected (phased only). |
| 2026-04-30 | CA rollout (Report-only mode): 3 caregiver policies created. SDM bootstrap. |
| 2026-05-01 | Howard billed 33.5 hrs against prepaid block on Entra project ticket #32214 ($0 invoice). |
| 2026-05-07-08 | SDM phone provisioning. SDM token success. ALIS SSO app registration values captured to vault. |
| 2026-05-14-16 | Caregiver AD accounts created. Security groups always deliberate (no OU→group automation). Wireless diagnostic. |
| 2026-05-18 | Billing review. 39.5 hrs remaining before session. 7 hrs billed separately. |
| 2026-05-20 | Canva email delivery resolved (canva.com domains added to EOP). |
| 2026-05-21 | Crystal Rodriguez folder redirect confirmed working. Lauren Hasselman + Crystal Rodriguez domain join attempted — passwords didn't work initially. |
| 2026-05-22 | Ashley Jensen domain-joined. RECEPTIONIST-PC domain-joined. GPO ILT fixes (FrontDesk printer + R: drive). cascadesDS auth failure diagnosed (workgroup collision) and deferred. |
| 2026-05-14 | Entra Connect exited staging mode — actively syncing. CA pilot re-pointed to SG-Caregivers. |
| 2026-05-23 | Lauren Hasselman folder redirect complete. Megan Hiatt (Marketing) confirmed in AD, domain join pending. |
| 2026-05-24 | RECEPTIONIST-PC GuruRMM agent noted as 0.6.37 straggler while fleet at 0.6.38. Flaky WebSocket. |
| 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). |
| 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (AllPrincipals User.Read) on ALIS SP e1cae4ad. Caregiver device allow-list CA policy created in report-only (CSC - Caregivers: allow-listed devices only (REPORT-ONLY), id 1b7fd025). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. |
| 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation: full EXO/EOP/quarantine/message trace analysis — no tenant config issues found. No Inky in tenant (confirmed). bill.com delivering to other users; zero delivery to chris.knight/c.knight in 90 days. Root cause: wrong address in bill.com/BOK backends + SendGrid suppression on bill.com side. BOK resolved by correcting email in portal (delivery within minutes). bill.com fix requires support call. Resolved externally by Howard; no tenant config changes needed. EXO access token auth method documented (cert not in BEAST cert store). Prepay block: 17.25 → 15.75 hrs. |
| 2026-06-05 | NURSESTATION-PC localadmin login-screen issue: diagnosed as SpecialAccounts\UserList hide (localadmin=0) — account was already enabled and in Administrators; removed the registry value via RMM (agent f5a89784-834f-47b1-82e2-7e3e9dd337ff); account will appear after sign-out/reboot. Vault hygiene: sysadmin@ GA (object id 471b13dc-3cf8-416b-a132-f5f3bc8d1cc8) password rotated by Mike 2026-06-04 and vaulted by Howard 2026-06-05 (clients/cascades-tucson/m365-sysadmin.sops.yaml). Voice MFA scoped group created: "MFA - Voice Call Scoped (sysadmin)" (304f941e-3594-4705-b8e6-ee676297df11), single member sysadmin@; Voice method enabled scoped to that group (tenant-wide voice still disabled); alternateMobile updated to +1 520-585-1310 (Howard; was +1 520-331-5551). |

Compilation Notes

Session logs read: 25 root session logs + client-specific logs in clients/cascades-tucson/session-logs/ + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-05.

Client folder: clients/cascades-tucson/ (NOT clients/cascades/ — that directory does not exist).

Open items flagged as unverified:

  • Hour balance — always live-check; treat cached counts as approximate (15.75 hrs derived from session log; not a live Syncro pull)
  • Break-glass accounts + YubiKeys — confirmed not created as of 2026-05-27; YubiKey arrival unconfirmed
  • Audit retention infra — approved 2026-04-29, not yet built
  • dunedolly21@gmail.com guest invite — confirm with Lauren
  • Windows MDM auto-enroll scope — confirm in portal (Entra → Devices → Mobility → Microsoft Intune → MDM user scope)
  • #32381 / #32382 ticket details (Tamra scanner, Megan file access) — referenced in 2026-06-04 session log reference table only; full ticket details not documented in session logs
  • Chris Knight bill.com/BOK Financial vendor-side address updates — resolved externally but no confirmation of actual update on vendor side

Resolved since last compile:

  • New tiered remediation app suite — confirmed consented 2026-04-21 (all 6 apps active)
  • DMARC — confirmed upgraded to p=quarantine;pct=100
  • ALIS AADSTS65001 sign-in failures — resolved 2026-06-03 by granting admin consent
  • BOK Financial email delivery for Chris Knight — resolved 2026-06-04 by correcting email in BOK portal (bill.com side still requires support call); no tenant config changes needed
  • projects/gururmm — RECEPTIONIST-PC enrolled (site CascadesTucson); CS-SERVER enrolled