azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
749a472089df42ef1301b7e835db4e4e8d40e217
claudetools/clients/cascades-tucson/PROJECT_STATE.md
Howard Enos 2f0bc654a1 sync: auto-sync from ACG-TECH03L at 2026-04-20 14:15:01 
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-20 14:15:01
2026-04-20 14:15:07 -07:00

95 lines
5.2 KiB
Markdown
Raw Blame History

# Cascades of Tucson — Project State
> READ THIS before starting work on this client.
> UPDATE THIS when you begin work (claim a lock) and when you finish (release lock + log changes).
> Last updated: 2026-04-20
---
## Active Session Locks
| Session | Working On | Status | Started |
|---------|-----------|--------|---------|
| ACG-TECH03L/Claude (Howard) | Intune Phase B-1: Android compliance policy | IN_PROGRESS | 19:15 UTC 2026-04-20 |
**How to claim a lock:** Add a row before starting work. Remove it when done. Locks older than 2 hours with no update are considered stale.
---
## Current State
**Status:** ACTIVE
**Last Activity:** 2026-04-17 (Howard)
Senior living community. Active project: HIPAA-compliant folder redirection GPO rollout across all departments. Folder redirection pattern validated on one user (Sharon Edwards, Life Enrichment) — Documents and Downloads redirecting to `\\CS-SERVER\homes\<username>\`. Next: second LE machine end-to-end, then Desktop and other folders, then matching GPOs for other departments.
---
## Infrastructure / Access
| Resource | Address | Vault path |
|----------|---------|------------|
| pfSense firewall | 192.168.0.1 | `clients/cascades-tucson/pfsense-firewall.sops.yaml` |
| Synology NAS (cascadesds) | 192.168.0.120:5000 (DSM) | `clients/cascades-tucson/synology-cascadesds.sops.yaml` |
| CS-SERVER (DC + file server) | 192.168.2.254, domain `cascades.local` | `clients/cascades-tucson/cs-server.sops.yaml` |
**Syncro ID:** 20149445
**M365 Tenant ID:** `207fa277-e9d8-4eb7-ada1-1064d2221498` (cascadestucson.com)
**Contact:** Meredith Kuhn — meredith.kuhn@cascadestucson.com — (520) 886-3171
**GuruRMM:**
- Client: Cascades of Tucson (`CASC`, id `42e1b0e3-f8b7-4fc5-86bd-06bdbb073b7f`)
- Site: CascadesTucson (`GOLD-MOON-4620`, id `c157c399-82d3-4581-979a-b9fad70f4fef`)
- Enrolled agents: DESKTOP-DLTAGOI (`0ed72c1c-40c7-4bd4-afed-e0bcb198936f`), CS-SERVER (`6766e973-e703-47c1-be56-76950290f87c`)
**Known traps:**
- ProfWiz-migrated users may have poisoned `User Shell Folders` — check/clean before testing redirection (`scripts/hive-cleanup-shellfolders.ps1`)
- GPMC on Server 2019/2022 writes `fdeploy1.ini` incorrectly when adding + modifying in same session — one folder per save, close/reopen between adds
- Explorer sidebar uses KnownFolder GUID form — mirror manually if sidebar doesn't resolve (`scripts/fix-live-shellfolders.ps1`)
- Machines with OneDrive KFM must unlink OneDrive before applying GPO
**GPO backup on CS-SERVER:** `C:\GPO-Backups\pre-fix-20260417-221701\` (backup ID `9c6ff7c9-0942-4cfb-b4a5-936913a3da87`)
---
## Pending / Next Up
**Folder Redirection (ongoing):**
- [ ] EncryptData flag on `\\CS-SERVER\homes` share (HIPAA workitem — currently false)
- [ ] Second Life Enrichment machine folder redirection end-to-end
- [ ] Desktop + other folders redirection GPOs
- [ ] Matching GPOs for remaining departments
- [ ] Folder redirection GPO verification across all enrolled machines
**Intune MDM Rollout (started 2026-04-19, paused end of day 2026-04-20):**
- [x] Prereq gap check (`reports/2026-04-19-intune-mdm-prereq-gap.md`)
- [x] Create `MDMS@cascadestucson.com` service account - Business Premium, MFA, forwarding to howard@azcomputerguru.com (vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`). Replaced an earlier mdm@ attempt that hit a Managed Play enterprise/consumer Google account collision.
- [x] Managed Google Play enterprise bound (bindStatus=boundAndValidated, owner mdms@)
- [x] Apple MDM Push Cert uploaded (Apple ID mdms@cascadestucson.com, serial 16FA0CAED8EEB74F, expires 2027-04-20). Renewal reminder task #9.
- [x] CSCNet Wi-Fi password vaulted (`clients/cascades-tucson/wifi-cscnet.sops.yaml`)
- [x] Entra group `Cascades - Shared Phones` + Android enrollment profile `CSC - Android Shared Phones` (token MVDVVDMPSHYJAGDAJOCN, expires 2026-06-22, linked to the Entra group)
- [ ] **NEXT:** Android compliance policy (Phase B-1 in progress — walkthrough ready, Howard to execute)
- [ ] Android configuration profile (CSCNet Wi-Fi + dedicated-device restrictions)
- [ ] Required apps from Managed Play (Company Portal, Authenticator, Edge, Teams)
- [ ] ALIS web shortcut (https://cascadestucson.alisonline.com/Login)
- [ ] Microsoft Shared Device Mode app-configuration policy (for Authenticator/Teams)
- [ ] Test-enroll first Samsung A15, validate, then roll the remaining 24
- [ ] Rotate MDMS@ password (post-rollout hygiene, task #8)
- [ ] iPads are on a generic Apple ID currently — bringing them into Intune is low-priority; ABM + DEM deferred until after phones are live
---
## Recent Changes
| Date | By | Change | Status |
|------|-----|--------|--------|
| 2026-04-20 | Howard | Intune MDM rollout - service account MDMS@ + Google Play bind + Apple push cert + Entra group + Android enrollment profile (QR code) all live. Phone policies next session. | IN PROGRESS |
| 2026-04-17 | Howard | Folder redirection validated on DESKTOP-DLTAGOI (Sharon Edwards); GPO `CSC - Folder Redirection (LE)` active | DEPLOYED |
---
## How to Update
**When starting:** Add your session to Active Session Locks.
**When finishing:** Remove your lock row, add entries to Recent Changes, update Current State if needed.
Reference in New Issue View Git Blame Copy Permalink