claudetools/clients/cascades-tucson/PROJECT_STATE.md
Commit a00f1b0c3e by Howard Enos (machine ACG-TECH03L): sync: auto-sync from ACG-TECH03L at 2026-04-20 00:02:36 (committed 2026-04-20 00:02:38 -07:00)


# Cascades of Tucson — Project State

READ THIS before starting work on this client. UPDATE THIS when you begin work (claim a lock) and when you finish (release lock + log changes). Last updated: 2026-04-20


## Active Session Locks

| Session | Working On | Status | Started |
|---|---|---|---|
| (none active) | | | |

How to claim a lock: Add a row before starting work. Remove it when done. Locks older than 2 hours with no update are considered stale.


## Current State

Status: ACTIVE. Last activity: 2026-04-17 (Howard).

Senior living community. Active project: HIPAA-compliant folder redirection GPO rollout across all departments. Folder redirection pattern validated on one user (Sharon Edwards, Life Enrichment): Documents and Downloads redirecting to `\\CS-SERVER\homes\<username>\`. Next: second LE machine end-to-end, then Desktop and other folders, then matching GPOs for other departments.


## Infrastructure / Access

| Resource | Address | Vault path |
|---|---|---|
| pfSense firewall | 192.168.0.1 | clients/cascades-tucson/pfsense-firewall.sops.yaml |
| Synology NAS (cascadesds) | 192.168.0.120:5000 (DSM) | clients/cascades-tucson/synology-cascadesds.sops.yaml |
| CS-SERVER (DC + file server) | 192.168.2.254, domain cascades.local | clients/cascades-tucson/cs-server.sops.yaml |

Syncro ID: 20149445

Contact: Meredith Kuhn — meredith.kuhn@cascadestucson.com — (520) 886-3171

GuruRMM:

  • Client: Cascades of Tucson (CASC, id 42e1b0e3-f8b7-4fc5-86bd-06bdbb073b7f)
  • Site: CascadesTucson (GOLD-MOON-4620, id c157c399-82d3-4581-979a-b9fad70f4fef)
  • Enrolled agents: DESKTOP-DLTAGOI (0ed72c1c-40c7-4bd4-afed-e0bcb198936f), CS-SERVER (6766e973-e703-47c1-be56-76950290f87c)

Known traps:

  • ProfWiz-migrated users may have poisoned User Shell Folders — check/clean before testing redirection (scripts/hive-cleanup-shellfolders.ps1)
  • GPMC on Server 2019/2022 writes fdeploy1.ini incorrectly when adding + modifying in same session — one folder per save, close/reopen between adds
  • Explorer sidebar uses KnownFolder GUID form — mirror manually if sidebar doesn't resolve (scripts/fix-live-shellfolders.ps1)
  • Machines with OneDrive KFM must unlink OneDrive before applying GPO
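The traps above are all visible in the signed-in user's shell-folder registry values. The following read-only audit is an added example, not one of the scripts referenced in this file (hive-cleanup-shellfolders.ps1 and fix-live-shellfolders.ps1 are not reproduced here). It assumes the `\\CS-SERVER\homes\<username>\` layout described under Current State and that only Documents and Downloads are redirected so far; both are parameters. For each redirected folder it checks every entry that resolves to that folder, under both the legacy value name and the KnownFolder GUID form the sidebar uses, and reports targets still under OneDrive KFM, targets that do not match the expected share path, name forms that disagree with each other, and a share path that is not reachable from the session.

```powershell
<#
  Added example; not one of the scripts referenced on this page. Read-only audit
  of the signed-in user's shell-folder registry values against the redirection
  target. Assumed from this page: the \\CS-SERVER\homes\<username>\ layout and
  that only Documents and Downloads are redirected so far (both are parameters).
#>
param(
    [string]   $ExpectedRoot = "\\CS-SERVER\homes\$env:USERNAME",
    [string[]] $Redirected   = @('Documents', 'Downloads')
)

$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
)

function Get-ShellFolderEntries {
    param([string]$Key)
    $item = Get-Item -LiteralPath $Key
    foreach ($name in $item.GetValueNames()) {
        # Read the unexpanded data so %USERPROFILE% tokens stay visible, then expand
        # them the way Explorer does. Names are either legacy ('Personal') or the
        # KnownFolder GUID form that the Explorer sidebar resolves.
        $raw = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($raw -isnot [string] -or -not $raw) { continue }
        [pscustomobject]@{
            Key      = Split-Path -Path $Key -Leaf
            Name     = $name
            Expanded = [Environment]::ExpandEnvironmentVariables($raw).TrimEnd('\')
        }
    }
}

$entries  = foreach ($k in $keys) { Get-ShellFolderEntries -Key $k }
$findings = New-Object 'System.Collections.Generic.List[string]'

foreach ($folder in $Redirected) {
    $expected = (Join-Path -Path $ExpectedRoot -ChildPath $folder).TrimEnd('\')
    # Every value whose target ends in this folder name, under either name form.
    $group = @($entries | Where-Object { (Split-Path -Path $_.Expanded -Leaf) -ieq $folder })
    if ($group.Count -eq 0) { $findings.Add("${folder}: no shell-folder entry found"); continue }

    foreach ($e in $group) {
        $where = "$($e.Key)\$($e.Name)"
        if ($e.Expanded -match 'OneDrive') {
            # OneDrive KFM still owns the folder; unlink before applying the GPO.
            $findings.Add("${folder} [$where] still under OneDrive KFM: $($e.Expanded)")
        } elseif ($e.Expanded -ine $expected) {
            $findings.Add("${folder} [$where] -> $($e.Expanded) (expected $expected)")
        }
    }
    # Legacy-name and GUID-name entries for the same folder must agree, or the
    # sidebar and the library will open different locations.
    $targets = @($group | ForEach-Object { $_.Expanded.ToLowerInvariant() } | Sort-Object -Unique)
    if ($targets.Count -gt 1) {
        $findings.Add("${folder}: entries disagree: $($targets -join ' | ')")
    }
    if (-not (Test-Path -LiteralPath $expected)) {
        $findings.Add("${folder}: target $expected is not reachable from this session")
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Shell folders for $env:USERNAME resolve to $ExpectedRoot"
```

Run it in the user's own interactive session, since it reads that user's HKCU; a non-zero exit means at least one finding. It does not load an offline hive, so for the ProfWiz case the hive has to be loaded first, and it changes nothing, so it is safe to run before and after a GPO test to confirm the before state was clean and the after state matches the share.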

GPO backup on CS-SERVER: C:\GPO-Backups\pre-fix-20260417-221701\ (backup ID 9c6ff7c9-0942-4cfb-b4a5-936913a3da87)


## Pending / Next Up

Folder Redirection (ongoing):

  • EncryptData flag on \\CS-SERVER\homes share (HIPAA workitem — currently false)
  • Second Life Enrichment machine folder redirection end-to-end
  • Desktop + other folders redirection GPOs
  • Matching GPOs for remaining departments
  • Folder redirection GPO verification across all enrolled machines

Intune MDM Rollout (started 2026-04-19, paused end of day 2026-04-20):

  • Prereq gap check (reports/2026-04-19-intune-mdm-prereq-gap.md)
  • Create MDMS@cascadestucson.com service account - Business Premium, MFA, forwarding to howard@azcomputerguru.com (vault: clients/cascades-tucson/mdm-service-account.sops.yaml). Replaced an earlier mdm@ attempt that hit a Managed Play enterprise/consumer Google account collision.
  • Managed Google Play enterprise bound (bindStatus=boundAndValidated, owner mdms@)
  • Apple MDM Push Cert uploaded (Apple ID mdms@cascadestucson.com, serial 16FA0CAED8EEB74F, expires 2027-04-20). Renewal reminder task #9.
  • CSCNet Wi-Fi password vaulted (clients/cascades-tucson/wifi-cscnet.sops.yaml)
  • Entra group Cascades - Shared Phones + Android enrollment profile CSC - Android Shared Phones (token MVDVVDMPSHYJAGDAJOCN, expires 2026-06-22, linked to the Entra group)
  • NEXT: Android compliance policy (Phase B-1 in progress — walkthrough ready, Howard to execute)
  • Android configuration profile (CSCNet Wi-Fi + dedicated-device restrictions)
  • Required apps from Managed Play (Company Portal, Authenticator, Edge, Teams)
  • ALIS web shortcut (https://cascadestucson.alisonline.com/Login)
  • Microsoft Shared Device Mode app-configuration policy (for Authenticator/Teams)
  • Test-enroll first Samsung A15, validate, then roll the remaining 24
  • Rotate MDMS@ password (post-rollout hygiene, task #8)
  • iPads are on a generic Apple ID currently — bringing them into Intune is low-priority; ABM + DEM deferred until after phones are live

## Recent Changes

| Date | By | Change | Status |
|---|---|---|---|
| 2026-04-20 | Howard | Intune MDM rollout: service account MDMS@ + Google Play bind + Apple push cert + Entra group + Android enrollment profile (QR code) all live. Phone policies next session. | IN PROGRESS |
| 2026-04-17 | Howard | Folder redirection validated on DESKTOP-DLTAGOI (Sharon Edwards); GPO CSC - Folder Redirection (LE) active | DEPLOYED |

## How to Update

When starting: Add your session to Active Session Locks. When finishing: Remove your lock row, add entries to Recent Changes, update Current State if needed.