|
|
ICC Meeting: |
IFAS COMPUTER COORDINATORS
|
|
Message from Dan Cromer to the ICC-L: IFAS now has a 12-month contract with Blue Jeans Network, starting April 23rd. We can have 250 room/moderator accounts for simultaneous use, with up to 25 participants per room. Participants do not need an account to join a meeting, only the moderator needs the account to set up a meeting. The video bridges can join a Blue Jeans meeting, thus allowing a bridged session to have up to 39 other end-points connected. Jason Nickels, jason@bluejeansnet.com, is our technical support contact. Blue Jeans videoconferences allow connection using browser, H.323 (Polycom-type) end points, Lync, Skype, Jabber, or phone. If you don’t yet have a Blue Jeans account and want one, let me know, and I’ll send you an invitation. |
Dan has currently designated Patrick Pettus, Ron Thomas, and himself as Blue Jeans administrators. There is a concern that our 250 accounts be assigned to best suite IFAS DE and videoconferencing needs and Dan is seeking guidance on that. Winnie Lante pointed out that there is an option for a moderator-less meeting, so unit support staff should be able to configure meetings for groups within their own unit via https://ufl.bluejeans.com/ without having to attend/monitor those. With moderator-less meetings the meeting begins as soon as the second participant joins. Dan reports that an account holder may create any number of meetings--concurrent or not.
Dennis Brown mentioned having performed a test connection to a Blue Jeans meeting prior via his iPhone. He experienced an echo which he suspects would be eliminated were he to utilize headphones.
When Steve mentioned that it would be nice if a bridge to Blue Jeans connection could be done without interaction so it could be scheduled, Dan Cromer responded that it was his intention to talk to Blue Jeans about that; this would be a fairly high priority request on our part. Both Polycom and Cisco/Tandberg have methods for passing information with the connection IP that permit such a thing.
Dan added that codecs can join Blue Jeans meetings directly and that this method was already being used as a convenient means for interviews with outside folks.
Patrick Pettus said that the Blue Jeans functionality is something that everyone wants and for which Video Services is investigating options. Blue Jeans is just one of the available vendors providing similar services. VCS just had a demo of Polycom's solution early this week and others are planned. Patrick asked those wishing to participate to let him know.
From what Patrick has seen there are a number of products that all work quite well, including Blue Jeans that we were using today. Ease of integration with our current infrastructure may be the factor that tips a selection one way or another.
Replacing Polycom endpoints with some Lync-based solution (previous discussion)
Updates not available...
Possible end-point refresh in the works (previous discussion)
Refresh may just pertain to teaching facilities
The latest news from Dan Cromer is that administration is looking at limiting centrally-funded replacements to endpoints that are installed in classrooms.
Marion Douglas has created an XML stylesheet transform that converts the Polycom directory listing (directory.xml) to the AVer format (phonebook.xml). Marion can thus supply AVer owners with a pre-built directory listing for IFAS.
Dan Cromer said that he and Patrick recently were able to look at some new Polycom endpoints that support Lync directly. Dan is waiting to see if that will work as advertised; he has received some quotes and they are supposed to get a machine for testing purposes. If that works it would provide some other options that we don't currently enjoy. The system does require Lync 2013 on the server-side, but UF is planning to upgrade to that perhaps late Summer or early Fall. Right now when we connect to the bridge with Lync we are getting NTSC-level resolution on the video, but this new system utilizes H.264 encoding that will greatly improve the video quality. Dan pointed out that the move to Office 365 for student e-mail will offer Lync to students as well.
Steve mentioned that AVer is coming out with some new "EVC" codecs that could really lower the entry cost of a hardware VC solution. Lance Cozart is currently working on getting the details on those, but it sounds like we might have an entry-level hardware solution at around the $1000 mark. When you consider that AVer doesn't insist on a maintenance plan for firmware updates and the like, this price point might be very attractive.
Dan said that it is unfortunate that funding for the proposed end-point refresh has to be spent shortly because new options are appearing all the time that might better suit our needs. The Polycom 300 or the AVer HVC310 will be recommended in some situations. The Polycom Realpresence Group 700 is being considered for classrooms that currently have the Polycom HDX systems; those can support dual cameras. Once Dan pins down the prices he plans to get back with us as to our preference.
Movi/Jabber Updates (previous discussion)Updates not available...
Other standing VC topics
End-user Scheduling (previous discussion)
Patrick Pettus was on hand to discuss plans for finally enabling "end-user" videoconference scheduling for at least selected individuals. The goal is to implement this by the first week of Summer B in roughly six weeks. Selected individuals will be able to use the TMS web console directly to schedule VCs:
The form will look different than what we have now, but will still ask the same basic questions. The biggest difference will really be in how VC details are communicated. The system will generate automatic e-mails providing all the VC details to a single e-mail address at each of the sites scheduled for automatic connection; those e-mails will happen when the VC is created and again whenever it is changed. Patrick believes this should improve the overall communication about events.
Patrick said that additional documentation is being developed which will be sent out to the ICC as soon as it is ready. Pushing these capabilities out to individuals at the various sites should make things easier for everyone and VCS staff will still be on-hand monitoring the conferences and assisting with any issues that arise.
For those who are interested Patrick said that there is a possibility of providing conference monitoring control via the web as well. This would allow you to be able to mute microphones and the like...the sorts of things that VCS has always had to do for us. They will look at that once they get the scheduling aspects done.
Dennis Brown asked Patrick what had to be done on their end to prepare for this. Patrick responded that this project has been in the works for quite some time. The database behind TMS has now been migrated to CNS where it resides on a redundant SQL cluster. VCS has multiple TMS servers running now as well, whereas they had been running on a single box for the longest time. It had been decided that these reliability improvements had to occur prior to turning things over as an end-user service. A video is being created to demonstrate how to schedule and edit conferences and other documentation is being readied for this transition as well along with a new redesigned video web site.
Possible end-point refresh in the works
Updates not available...
Lync updates (previous discussion)
Updates not available...
WAN (previous discussion)
Updates from James Moore
Updates not available...
VoIP at RECs
Updates not available...
Network issues for RECs using Brighthouse intermediary to FLR at Tampa
Kevin Hill reported that this issue was causing out-of-sequence packets over the WAN link that presented to the remote sites as very poor upload throughput. A workaround has been implemented and though Kevin hadn't had time to test thoroughly, empirical evidence suggested that the workaround had been successful; it is not perfect but it is much better than it was. Kevin could only hope that Brighthouse can get around to fixing this properly in the not too distant future. This problem affected GCREC, CREC and SWFREC would all use Brighthouse as their intermediate feed to FLR.
Phone bills to be paid for centrally?
Dan Cromer related that this proposal has been deferred until the fiscal year beginning July 2014. This might influence the decisions of some of the people looking to go to VoIP.
ALL_IT@mail.ufl.edu list open for discussion
Tracy Gale announced on Wednesday that the ALL_IT list is now available to nearly 1,100 UF employees with the UF_N_ALL_IT_WORKERS security role for discussion related to UF IT.
There was a nearly immediate rash of "take me off this list" messages that led to a decision announced via Fedro Zazueta to:
Implementing the Mobile Computing Security policy (previous discussion)
Steve had attempted to start a discussion on this topic via a post to the ICC distribution list to little avail:
|
Message from Steve Lasley to the ICC distribution list: Fedro Zazueta sent the following which raises all sorts of questions from our faculty and offers us up as the resource for answers. I’m unsure how we are supposed to have acquired all of what is being expected of us. Though I have considered many of these issues and do have my own practical take on how many might best be handled, there are a number of questions for which I feel quite unprepared. I would be surprised if I was alone in that feeling. My weakest areas relate to the following points from the standard
but there are many points where practicality must be balanced with blind compliance IMO. Perhaps some discussion would be of benefit to us all. How are the rest of you handling all this? |
Eliciting discussion proved difficult
Steve was disappointed by the lack of response and would encourage all to become more engaged with this topic. He would like to note that while he has been using BitLocker on all laptops (because the extra effort is not too great and more importantly it is generally not even noticed by the user) he plans to stress to his users that they avoid the need for encryption on external storage by:
If those two criteria can’t be met, then and only then would Steve recommend an encrypted drive; password management for such things would be onerous and likely lead to data loss. Steve has yet to run into such a circumstance, but then he's not consulted on all situations.
This is one of those cases where Steve feels we have to be practical. He hopes the powers that be can trust his judgment on these recommendations but there are many aspects of this whole policy that seem to be open to interpretation--assuming there isn't some plan to actually enforce any of these policies.
Steve mentioned the concern of his faculty over whether or not the use of encryption would be strictly enforced as it is in the military and in some other federal governmental organizations; questions like how would they get an outside presenter's talk onto one of our machines for a seminar for example. While such enforcement may be possible for Windows managed machines, we don't have anything close to that level of control on the Apple side of things. Steve hasn't heard and does not expect that any such enforcement plans exists as the pushback would be enormous.
Dan Cromer's view
Dan Cromer said he told the IFAS Administrative Council last Friday that he does not expect himself or any of the IF support staff within IFAS to serve in the role of "IT Police." We have no plans to audit or enforce. By publishing the policy and standard with regards to mobile computing and storage devices, Dan feels it is UF's intent is to distribute formal responsibility out to the end user. If restricted data is lost or otherwise exposed then the end user will be clearly established as the responsible party; the individual might be fired but UF will not be itself responsible for the large fines that might be levied.
There was some discussion about the requirements for the encrypting and remote wiping of phones. With all the different phones out there it is extremely difficult to make recommendations, or even learn the methods one might take to comply with the policy. Dan Cromer responded with his feeling that if we are responsible for helping our faculty and staff with this then the security office needs to provide us a list of what phones will and will not meet their requirements and provide us documentation on how to configure them.
More discussion ensued discussing our uncomfortable position of being asked on the one hand to implement quite restrictive policies without any additional resources and very few procedural guidelines while our faculty, staff, students are looking to us for answers on how to efficiently carrying out their work. We realize that no security policy measures can 100% ensure that restricted data won't be mishandled and that we have to balance things between the security we are being asked to implement and the ability of those we support to efficiently get their work done.
The smartphone policy is particularly difficult
Marvin Newman said that he pay for his own phone and doesn't use it to access e-mail; consequently he feels there should be no need to encrypt it. Kevin Hill mentioned that he saw a 25% reduction in performance after he encrypted his phone, so there are real consequences for doing so as well. Dan Cromer pointed out that some phones are paid for by UF and that those phones definitely can and should follow the policy. David DePatie asked how he could get UF to pay for his phone and Dan Cromer responded that he would need to talk to his supervisor. Steve pointed out that it might be preferable for us to pay for our own phones considering all these issues.
Kevin Hill said that part of this boils down to what is easy and what is not. BitLocker on a laptop is a no-brainer; you do it once and it is done forever and there is really no overhead or anything else that the user notices. When you start talking about phones, however, the picture changes completely; these policies can be extremely difficult to figure out how to implement due to the wide variety of devices and the users see the inconvenience immediately. Kevin also said that he doesn't understand how the ActiveSync restrictions for smartphones can really be effective when one can simply connect via IMAP to circumvent those. What good is a policy that can be so easily circumvented?
Mike Ryabin mentioned that the connection to Exchange from his iPhone (Activesync) required that a PIN be established and he asked if encryption was still required as an additional step. Kevin Hill said he believed encryption was still necessary because one could hook the phone up to an external computer and retrieve the information. That may not be true; however, as Jimmy Anuszewski mentioned that the iPhone in-built security will not permit this. Steve noted that he uses Touchdown on his Android phone and he believes that this encrypts the e-mail cache; if so, Steve wonders why the rest of the phone would require encryption. These are just a few examples that demonstrate our need for better instructional guidance from the security office.
Encryption of laptops
Dennis Brown asked if folks were using PGP for the encryption of Mac laptops. Steve responded that he believed his Mac guy had utilized Apples in-built FileVault whole disk encryption. This doesn't meet the reporting requirements of the security office but it does meet our requirements in that it is easy to do and causes no problems for the user. Jimmy said that FileVault is really easy and works well; it can handle external drives as well. Jimmy said that this is the only method he would consider using as PGP as too many issues in his opinion.
Dennis Brown mentioned having used BitLocker on his first laptop but noted he was unable to view the recovery key in UFAD via ADUC. Alex York investigated and resolved that issue for Dennis. If others have this issue please contact Alex.
Invite Rob Adams to an upcoming meeting?
Steve asked if anyone felt it would be useful to get someone from the security office to come speak to the ICC at an upcoming meeting and it seemed many felt that it would. Steve mentioned that the security folks don't seem to have much of a public face. They don't respond to the CCC list for example when questions are posted to which it would seem they should be the ones providing the answers. Steve has even had instances where he has written to directly their security-l@lists.ufl.edu address as requested in one of their PGP presentations and yet received no response at all. Anything that could get them to be more responsive would be a plus in Steve's mind.
HighEdWeb conference: comments from attendees
Jimmy Anuszewski attended and Steve asked what he felt about the experience. Jimmy said that he felt positive overall though the quality and usefulness of the presentations varied greatly in his opinion. He particularly enjoyed our local presenters saying that Carlos Morales of our Academic Health Center was amazing. Jimmy said that he had had high hopes for the WordPress presentation but it turned out to be rather disappointing. Jimmy mentioned that he won a National Conference registration so he will be going to Buffalo in October.
Spring 2013 Peer2Peer workshop: comments from attendees
In case you weren't able to attend there is now a recording available.
Steve asked how people felt about the "Managing Mac clients in UFAD" and whether or not it might be useful to pursue for IFAS. Jimmy said that he has had this conversation before with Santos Soler and that they had found links that were duplicates of Kevin Hanson's presentation; Jimmy thought Kevin did a good job, however, and is glad there is someone here at UF that has had some experience with these things and to whom we might turn with to with our questions.
Jimmy believes this would be worth the effort and has been looking into Centrify for Mac OS X which he feels could handle most of the UFAD integration work for us.
Steve said that he doesn't see this as being a way to "lock down" Macs but rather to make things easier for them. He would feel the effort well worthwhile if it could allow us to provide Macs some of the same advantages which Steve feels the Windows side already enjoy. Chief among those, Steve feels, would be the use of folder redirection so that users were automatically encourage to store files on the server rather than locally. Steve is still amazed at how few units utilize folder redirection; in fact, Steve believes his unit might be the only one in IFAS.
Content Management System (CMS) for UF: Entering purchasing phase
The Web Content Management System (WCMS) Selection Team is in the process of evaluating three vendors; Recorded sessions are/will be available.
Authentication Management policy draft (previous discussion)
Updates not available...
New 'Trouble-Ticket' Entry Page for CNS (previous discussion)
See remedy section below...
KACE (previous discussion)
Updates not available...
CNS working to implement NAC for UF wireless (previous discussion)
SafeConnect Policy Update
Apparently our Security office feels it is appropriate to let us hear about changes from our users as a new SafeConnect Policy Update was announced via the IT news site without prior heads-up to support staff. Wendy Williams had commented on the subject via the CCC-L suggesting that this update wait until SCCM or other some patch management was in place. She noted that these policies are inconveniencing our users and pushing IT support to follow less-than-best practices regarding granting local admin access for our users to their computers.
UF Exchange updates (previous discussion)
Outsourcing of student e-mail?
Steve noted seeing an article by Don Jones (PowerShell guru) that cautioned about reading the fine print if you are considering Office 365.
Outlook asking for re-authentication
Updates not available...
Sakai e-Learning System now in production (previous discussion)
Updates not available...
Alternate IFAS domains in e-mail (previous discussion)
Updates not available...
Split DNS solution for UFAD problems (previous discussion)
Updates not available...
New web cluster (previous discussion)
Updates not available...
Windows 8 Deployment? (previous discussion)
Marvin Newman asked if anyone has been considering rolling out Windows 8 and Steve responded that he didn't feel it was yet ready for prime time. Dennis Brown suggested that the upcoming "Blue" version may re-introduce the Start Button, but Steve noted that an article in Windows IT Pro magazine suggested that most of the improvement in this new edition will be on the Modern (aka Metro) side of things. Paul Thurrott even suggested that the desktop would eventually go away over time.
There was discussion about the decline in PC sales with Marvin noting the common perception that Windows 8 is "killing" the PC. Steve said he believes a good part of that may be due to the fact that many home users can get all they need from a tablet or smartphone; many don't much require the traditional Office suite applications without which business users can't function.
Wayne Hyde said that after he upgrades the VDI infrastructure this weekend he'll see about deploying a Windows 8 VDI pool so faculty/staff can experiment on it.
Kevin Hill showed how he now has "Gadgets" back on his Windows 8 box and Steve mentioned there are a number of add-ons to make Windows 8 more Windows 7-like including the Stardock's Start 8 (used by Marvin Newman), Decor8, and 8GadgetPack that Deb Shindler uses. Joel Parlin said he likes the Classic Shell application and Steve also noted having recently heard of IObit's free Start Menu 8 as another option.
There was some discussion about problems with IE10 and Dan Cromer re-iterated his IE10 F12 trick for setting the browser mode. This setting has solved most of Dan's problems (including with PeopleSoft) although pop-ups seem to revert to the IE10 mode even with this setting and force one to redo that setting for that new window.
SCCM for IFAS
Work continues on the central SCCM plans.
Updates not available...
Exit processes, NMB and permission removal (previous discussion)
Updates not available...
Services Documentation: Is a Wiki the way? (previous discussion)
Updates not available...
Moving from McAfee VirusScan to Microsoft Forefront Endpoint Protection?
Updates not available...
Print server (previous discussion)
Updates not available...
Recording lectures for Distance Education (previous discussion)
Updates not available...
New DHCP reservation site created (previous discussion)
You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.
Restoration of back-ups on the file server
Wayne Hyde intends to document and announce proper usage as time permits.
Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)
Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.
IFAS efforts toward Green IT (previous discussion)
Updates not available...
Creating guest GatorLink accounts: singly or in bulk (previous discussion)
Steve had left this on the agenda in case further discussion was deemed warranted.
DirectAccess pilot (previous discussion)
Updates not available...
VDI desktops as admin workstations (previous discussion)
Updates not available...
Wayne's Power Tools (previous discussion)
Updates not available...
Computer compliance tool in production (previous discussion)
Updates not available...
Folder permissioning on the IFAS file server (previous discussion)
You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.
Disabling/deleting computer accounts based on computer password age (previous discussion)
This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps Alex York can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer object which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.
Since BitLocker stores its keys within the computer object in UFAD, Alex York and Chris Leopold are considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.
Core Services status (previous discussion)
Wayne reported having ordered new VDI servers to add new VDI 3D graphics capabilities. This will support Autocad, SolidWorks, Google Earth, etc. The ABE, CALS, Fac/Staff, and SWS GIS pools will be 3D-enabled on the new cluster. The other pools will remain on the old server.
Dennis Brown asked about what information is retained for a user between VDI sessions. Wayne Hyde responded that the VDI session is refreshed by to its original state at each logon and users should utilize the file server for document storage to retain those. However, the desktop, document area, and application profile are redirected/saved across sessions. This means things like desktop shortcuts and pinned applications remain set between sessions.
Dennis then asked if folks could install applications that might be unique to themselves. Wayne responded that they don't do dedicated desktops for individuals currently as it is cost prohibitive.
ePO updates (previous discussion)
Wayne plans to upgrade the current ePO console to version 4.6.6 to address multiple vulnerabilities--depending on how long it takes to move to ePO 5, which is currently in limited test mode. There is a new McAfee Anti-Malware Engine 5600 available which Wayne intends to deploy as well; we are currently using 5400.
Status of SharePoint services (previous discussion)
IFAS migrating to centralized MOSS
Updates not available...
Public folder file deletion policies and procedures status (previous discussion)
Updates not available...
Patching updates... (previous discussion)
Microsoft
Microsoft had released KB2823324 last month and it caused a number of problems. It has since been replaced by KB2840149 and those with the previous patch are advised to remove that.
There is a vulnerability in IE8 that may not get patched this month; in a remediation attempt, Microsoft has released a "Fit-it" that addresses the issue.
The May Microsoft patches are expected to include 10 bulletins (2 "Critical", and 8 "Important") covering 33 CVEs in the usual suspects. A risk assessment will be available here.
McAfee provides podcasts on the highlights of each month's offerings.
Adobe
Reader/Acrobat has a reported minor vulnerability that is likely to be fixed in a May 14th release.
Java
Oracle brought out more patches for Java--both version 7 and version 6 (which is supposedly end-of-life). Yes, there are reports of new vulnerabilities now.
MS Office News update (previous discussion)
Updates not available...
Job Matrix Update status (previous discussion)
Updates not available...
UF apps
Updates not available...
Spreadsheet plugin to be required for new budget application
Dan Cromer noted that an Oracle Hyperion plugin will need to be installed to support a new budget application and that this installation requires temporarily disabling UAC due to the poor manner in which the installation program was written. This can be managed via a local admin account.
New UF printer contract (previous discussion)
Dan Cromer shared an e-mail from Rob Luetjen about the new UF printing contract:
|
As you know, UF recently awarded our MFD and Managed Print Solutions contract to Xerox. We recently held a kick off meeting with Xerox to formulate a game plan to roll out the program. The initial plan is to pilot three areas including HR, CIO and CFO offices. A significant part of the overall program comprises of the Managed Print Solutions (MPS) component. The MPS includes a comprehensive assessment of each department on campus to produce a recommendation based on current inventory of print devices, past print production, voice of the customer needs and the physical layout/floor plan of the department. Each device installed under this program will be networked in order for end user to print to either a networked printer or MFD device. Attached is a list of buildings on campus. In order to proceed with our process, we need your assistance in completing the attached form. The information needed for your area includes the following;
Once you’ve reviewed the attached form, feel free to contact me if you have any questions. I have a conference call Tuesday morning with Xerox. If possible, I need to receive this information by COB on Monday 5/13. Thanks again for your willingness to assist in this very important initiative. |
The latest word is that Dan Cromer plans to handle answering this information gathering request from Rob.
Steve noted from a previous posting to the CCC list that information on the contract is available here and that this involves a straight usage (click) charge, with no lease or purchase cost. Scans are free and everything but paper is included. The only charge is per/page: $.0137 for B/W, $.049 for color.
Dan Cromer said he wasn't sure that this contract would be available outside of main campus but Mike Ryabin said his Director and had looked into it and was told that this would apply to RECs. Mike questioned how the vendor would monitor page counts remotely (which apparently they intend to do) and whether or not any details of the networking issues had been worked out yet. Dan Cromer was not aware of the answers at this time. Wendy believed the intention was for the vendor to have access to a computer on our network which could access and read this information from each device.
Security Group rename
In case you hadn't noticed, Alex York has removed the initial ". " from all the IFAS security groups. Please follow that convention in the future when creating new groups as the period causes troubles syncing UFAD up to Office 365 in preparation to out-sourcing student e-mail.
The change had the temporary unintended consequence of breaking Remote Assistance. Apparently the GPO that controls the settings specifies the group by name and has to be edited to remove the old prefix. In Steve's case, this was a setting with the "IF-ENTNEM-Computer" GPO under Computer Configuration > Policies > Administrative Templates > System > Remote Assistance > Configure Offer Remote Assistance > "Show..." button.
Free AMX training to be offered
Please contact Marion Douglas if you are interested in free AMX training. AMX will do on-site training if we can locate ten people who wish to attend. Training is expected to be two days in August or September and the prerequisites are a couple of online classes.
The meeting was adjourned a bit early at about 11:40 am.
