claudetools/clients/cascades-tucson/PROJECT_STATE.md
Howard Enos f15862440e sync: auto-sync from HOWARD-HOME at 2026-04-21 15:07:39 (-07:00)

# Cascades of Tucson — Project State

**READ THIS** before starting work on this client. **UPDATE THIS** when you begin work (claim a lock) and when you finish (release lock + log changes). Last updated: 2026-04-21


## Active Session Locks

| Session | Working On | Status | Started |
|---|---|---|---|
| Howard-Home/Claude (Howard) | Intune Phase B-1: Android compliance policy | IN_PROGRESS | 20:40 UTC 2026-04-21 |

How to claim a lock: add a row before starting work and remove it when done. Locks older than 2 hours with no update are considered stale.


## Current State

**Status:** ACTIVE. **Last Activity:** 2026-04-17 (Howard)

Senior living community. Active project: HIPAA-compliant folder redirection GPO rollout across all departments. Folder redirection pattern validated on one user (Sharon Edwards, Life Enrichment) — Documents and Downloads redirecting to \\CS-SERVER\homes\<username>\. Next: second LE machine end-to-end, then Desktop and other folders, then matching GPOs for other departments.


## Infrastructure / Access

| Resource | Address | Vault path |
|---|---|---|
| pfSense firewall | 192.168.0.1 | clients/cascades-tucson/pfsense-firewall.sops.yaml |
| Synology NAS (cascadesds) | 192.168.0.120:5000 (DSM) | clients/cascades-tucson/synology-cascadesds.sops.yaml |
| CS-SERVER (DC + file server) | 192.168.2.254, domain cascades.local | clients/cascades-tucson/cs-server.sops.yaml |

**Syncro ID:** 20149445
**M365 Tenant ID:** 207fa277-e9d8-4eb7-ada1-1064d2221498 (cascadestucson.com)
**Contact:** Meredith Kuhn — meredith.kuhn@cascadestucson.com — (520) 886-3171

GuruRMM:

  • Client: Cascades of Tucson (CASC, id 42e1b0e3-f8b7-4fc5-86bd-06bdbb073b7f)
  • Site: CascadesTucson (GOLD-MOON-4620, id c157c399-82d3-4581-979a-b9fad70f4fef)
  • Enrolled agents: DESKTOP-DLTAGOI (0ed72c1c-40c7-4bd4-afed-e0bcb198936f), CS-SERVER (6766e973-e703-47c1-be56-76950290f87c)

Known traps:

  • ProfWiz-migrated users may have poisoned User Shell Folders — check/clean before testing redirection (scripts/hive-cleanup-shellfolders.ps1)
  • GPMC on Server 2019/2022 writes fdeploy1.ini incorrectly when adding + modifying in same session — one folder per save, close/reopen between adds
  • Explorer sidebar uses KnownFolder GUID form — mirror manually if sidebar doesn't resolve (scripts/fix-live-shellfolders.ps1)
  • Machines with OneDrive KFM must unlink OneDrive before applying GPO
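The first, third and fourth traps above all come down to the same question: where do the name-form and KnownFolder-GUID-form values for Documents and Downloads actually point, and do both registry views agree? The following is an added diagnostic written for this page; it is not the project's `hive-cleanup-shellfolders.ps1` or `fix-live-shellfolders.ps1` (neither is reproduced here) and it changes nothing. It assumes the redirection target is `\\CS-SERVER\homes\<username>\<Folder>` as stated above, and that the GUID value names it lists are the ones Windows 10/11 uses for Documents and Downloads (verify against a clean profile on the client's build before trusting the mapping). Run it as the affected user on the workstation before testing the GPO.

```powershell
# Added diagnostic (not the project's own scripts): show where the current user's
# Documents and Downloads point in both registry views, raw and expanded, so a
# ProfWiz-poisoned hive, a half-applied redirection, or a still-linked OneDrive KFM
# is visible before the folder redirection GPO is tested.
$expectedRoot = "\\CS-SERVER\homes\$env:USERNAME"   # assumption: target layout from this doc
$usf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$sf  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'

# Name-form and KnownFolder-GUID-form value names kept for the same folder. Both must
# agree, or the Explorer sidebar and the Documents library disagree about the location.
# Assumption: these are the Windows 10/11 GUIDs; confirm on a clean profile.
$folders = @{
    Documents = @('Personal', '{F42EE2D3-909F-4907-8871-4C22FC0BF756}')
    Downloads = @('{374DE290-123F-4565-9164-39C4925E467B}', '{7D83EE9B-2244-4E70-B1F5-5393042AF1E4}')
}

function Get-ShellFolderValue {
    param([string]$Key, [string]$Name)
    # User Shell Folders values are REG_EXPAND_SZ; read them unexpanded so a literal
    # %USERPROFILE% (local) is distinguishable from an already-expanded UNC path.
    $item = Get-Item -Path $Key
    $raw  = $item.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ($null -eq $raw) { return $null }
    [pscustomobject]@{ Raw = $raw; Expanded = [Environment]::ExpandEnvironmentVariables($raw) }
}

foreach ($folder in $folders.Keys) {
    $expected = Join-Path $expectedRoot $folder
    foreach ($name in $folders[$folder]) {
        $u = Get-ShellFolderValue -Key $usf -Name $name
        $s = Get-ShellFolderValue -Key $sf  -Name $name
        [pscustomobject]@{
            Folder         = $folder
            ValueName      = $name
            UserShellRaw   = $u.Raw          # $null means the value is missing entirely
            ShellFoldersRaw = $s.Raw         # Shell Folders is the expanded cache Explorer reads
            MatchesTarget  = ($u.Expanded -eq $expected) -and ($s.Raw -eq $expected)
            UnderOneDrive  = ($u.Expanded -like '*OneDrive*') -or ($s.Raw -like '*OneDrive*')
        }
    }
}
```

Read the output per folder: `MatchesTarget` false on the name-form value but true on the GUID form (or the reverse) is the sidebar-mismatch case; a `%USERPROFILE%` raw value with a UNC path in `Shell Folders` is the stale-cache case; `UnderOneDrive` true means KFM is still linked and the GPO must not be applied yet.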

GPO backup on CS-SERVER: C:\GPO-Backups\pre-fix-20260417-221701\ (backup ID 9c6ff7c9-0942-4cfb-b4a5-936913a3da87)


## Pending / Next Up

Folder Redirection (ongoing):

  • EncryptData flag on \\CS-SERVER\homes share (HIPAA workitem — currently false)
  • Second Life Enrichment machine folder redirection end-to-end
  • Desktop + other folders redirection GPOs
  • Matching GPOs for remaining departments
  • Folder redirection GPO verification across all enrolled machines
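The `EncryptData` work item above is a per-share SMB encryption flag; the check that goes with it is what else the server will do once the flag is on, because an encrypted share refuses any client that cannot speak SMB 3.0 or later (unless `RejectUnencryptedAccess` is turned off, which defeats the point). The following is an added example written for this page, not a script from the project; it assumes the share name is `homes` (taken from the `\\CS-SERVER\homes` path used throughout this doc) and is read-only unless `-Apply` is passed. Run it in an elevated PowerShell on CS-SERVER.

```powershell
# Added example (not the project's own tooling): audit, and optionally enable, SMB
# encryption on the home-directory share, after showing which connected clients
# would be affected. Assumption: the share is named 'homes'.
param([switch]$Apply)

$ShareName = 'homes'

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
$srv   = Get-SmbServerConfiguration

# The settings that decide whether PHI on this share is encrypted in transit.
[pscustomobject]@{
    Share                   = $share.Name
    Path                    = $share.Path
    ShareEncryptData        = $share.EncryptData           # per-share flag (the HIPAA work item)
    ServerEncryptData       = $srv.EncryptData             # server-wide default for every share
    RejectUnencryptedAccess = $srv.RejectUnencryptedAccess # true: pre-SMB3 clients are refused on encrypted shares
    SMB1Enabled             = $srv.EnableSMB1Protocol      # SMB1 cannot encrypt; should be false
} | Format-List

# Who is connected right now and on which dialect. Any session below 3.0 loses
# access to the share the moment encryption is required, so resolve those first.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens |
    Sort-Object Dialect |
    Format-Table -AutoSize

if ($Apply) {
    Set-SmbShare -Name $ShareName -EncryptData $true -Force
    # Re-read rather than trusting the call: confirm the flag actually persisted.
    $after = Get-SmbShare -Name $ShareName
    "EncryptData on '$ShareName' is now: $($after.EncryptData)"
}
```

Setting the flag on the share alone is enough for this work item; the server-wide `EncryptData` would apply to every share on the DC, which is a bigger change than the ticket asks for.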

Intune MDM Rollout (started 2026-04-19):

  • Prereq gap check (reports/2026-04-19-intune-mdm-prereq-gap.md)
  • Create MDMS@cascadestucson.com service account - Business Premium, MFA, forwarding to howard@azcomputerguru.com (vault: clients/cascades-tucson/mdm-service-account.sops.yaml). Replaced an earlier mdm@ attempt that hit a Managed Play enterprise/consumer Google account collision.
  • Managed Google Play enterprise bound (bindStatus=boundAndValidated, owner mdms@)
  • Apple MDM Push Cert uploaded (Apple ID mdms@cascadestucson.com, serial 16FA0CAED8EEB74F, expires 2027-04-20). Renewal reminder task #9.
  • CSCNet Wi-Fi password vaulted (clients/cascades-tucson/wifi-cscnet.sops.yaml)
  • Entra group Cascades - Shared Phones + Android enrollment profile CSC - Android Shared Phones (token MVDVVDMPSHYJAGDAJOCN, expires 2026-06-22, linked to the Entra group). Converted to dynamic 2026-04-21 with rule (device.enrollmentProfileName -eq "CSC - Android Shared Phones") — any phone enrolled via that QR auto-joins within 5-30 min (was the root cause of Phone 1 not receiving any policies: enrolled via correct profile but never added to the static group).
  • B-1 Android compliance policy CSC - Android Compliance (id 27eeaeda-8390-462e-a514-7d2a558f412c) — Android 14+, 6-digit numericComplex PIN, 1-min inactivity lock, encryption required, block rooted, SafetyNet certified, Intune App Integrity. Assigned to Shared Phones. Patched 2026-04-21 to spec.
  • B-2 Config profiles: CSC - Android Shared Phones Restrictions (factoryResetBlocked, no USB, no unknown sources, screenCaptureBlocked, no developer settings, system updates windowed 02:00-06:00 UTC) + CSC - CSCNet Wi-Fi (WPA2-Personal). Both assigned.
  • B-3 Required apps — Company Portal, Managed Home Screen, Authenticator, Edge, Microsoft Intune, Teams (+ ALIS web app). All 7 required-assigned to Shared Phones. Company Portal assignment gap closed 2026-04-21.
  • B-4 ALIS web app (id fcbf803d-ceb7-4f4e-93ed-2be1b91a05f3) — https://cascadestucson.alisonline.com/Login, required-assigned.
  • B-5 MSDM app config: CSC - Microsoft Shared Device Mode (Authenticator) + CSC - Microsoft Shared Device Mode (Teams) (id 3c6a354c-1616-434b-ac81-4dad7795e67b, created 2026-04-21). Both shared_device_mode_enabled=true, assigned to Shared Phones.
  • B-6 Test enrollment — Samsung SM-A146U (Galaxy A15 5G) serial R9TWB0WM55R, Android 15, enrolled 2026-04-20 18:17Z, showing compliant and syncing daily.
  • NEXT: Roll remaining 24 Samsung A15 phones (factory reset each, enroll via QR from CSC - Android Shared Phones profile, verify caregiver sign-in via MSDM)
  • Rotate MDMS@ password (post-rollout hygiene, task #8)
  • iPads are on a generic Apple ID currently — bringing them into Intune is low-priority; ABM + DEM deferred until after phones are live
  • DEFERRED: 2-hour inactivity auto-logout — not achievable via MSDM app config (no inactivity knob). Real options: Conditional Access sign-in frequency (Mike's call — tenant-wide sensitivity) or rely on 1-min screen lock + explicit caregiver sign-out. Current posture accepted.
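Before rolling the remaining 24 phones, the one thing worth re-checking is the root cause found on Phone 1: a device enrolled through the right profile but never landing in the group that carries every policy. The following is an added check written for this page, not part of the project's tooling; it assumes the Microsoft Graph PowerShell SDK is installed and uses the group and enrollment-profile names exactly as recorded above. It reads only.

```powershell
# Added check (not the project's own tooling): confirm the shared-phones group is
# dynamic with the expected enrollment-profile rule and processing turned on, then
# list every device enrolled via the profile alongside whether it is actually a member.
# Assumptions: Microsoft.Graph SDK present; names match this document.
Connect-MgGraph -Scopes 'Group.Read.All', 'Device.Read.All' | Out-Null

$groupName    = 'Cascades - Shared Phones'
$profileName  = 'CSC - Android Shared Phones'
$expectedRule = "(device.enrollmentProfileName -eq `"$profileName`")"

$group = Get-MgGroup -Filter "displayName eq '$groupName'" `
    -Property 'id,displayName,groupTypes,membershipRule,membershipRuleProcessingState'
if (-not $group) { throw "Group '$groupName' not found" }

# A static group (no DynamicMembership type) or a rule left in 'Paused' state is
# exactly the condition that left Phone 1 with no policies.
[pscustomobject]@{
    Group          = $group.DisplayName
    IsDynamic      = $group.GroupTypes -contains 'DynamicMembership'
    RuleMatches    = (($group.MembershipRule -replace '\s+', ' ').Trim()) -eq $expectedRule
    Processing     = $group.MembershipRuleProcessingState   # must be 'On' for the rule to be evaluated
    MembershipRule = $group.MembershipRule
} | Format-List

# Devices that enrolled through the profile vs. devices that made it into the group.
# Membership lags enrollment (5-30 min per this doc), so a fresh phone showing
# InGroup=False is expected briefly; one that stays False is the Phone 1 failure.
$memberIds = @((Get-MgGroupMember -GroupId $group.Id -All).Id)
Get-MgDevice -All -Property 'id,displayName,operatingSystem,enrollmentProfileName' |
    Where-Object { $_.EnrollmentProfileName -eq $profileName } |
    Select-Object DisplayName, OperatingSystem,
        @{ n = 'InGroup'; e = { $memberIds -contains $_.Id } } |
    Format-Table -AutoSize
```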

## Recent Changes

| Date | By | Change | Status |
|---|---|---|---|
| 2026-04-21 | Howard | Post-DMARC spoofing recheck: Mike's p=quarantine fix confirmed working (26h clean window). Purged 2 missed phishes (accounting@ Inbox + jd.martin Deleted Items) via Graph permanentDelete. IP blocks skipped (DMARC covering). | DONE |
| 2026-04-21 | Mike | DMARC policy published as p=quarantine; pct=100 (was p=none). Enforcement propagated sometime after 18:28Z on 4/20. | DEPLOYED |
| 2026-04-20 | Howard | Intune MDM rollout: service account MDMS@ + Google Play bind + Apple push cert + Entra group + Android enrollment profile (QR code) all live. Phone policies next session. | IN PROGRESS |
| 2026-04-17 | Howard | Folder redirection validated on DESKTOP-DLTAGOI (Sharon Edwards); GPO CSC - Folder Redirection (LE) active. | DEPLOYED |

## How to Update

When starting: add your session to Active Session Locks. When finishing: remove your lock row, add entries to Recent Changes, and update Current State if needed.