

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM October 11th 2013 REGULAR MEETING


A meeting of the ICC was held on Friday, October 11th, 2013 in Entomology room 2218. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Fifteen members participated.
 
Remote participants: David Bauldree, Bill Black, Dennis Brown, Dan Cromer, Kevin Hill, Al Ibanez, Wayne Hyde, Chris Leopold, Marvin Newman, Scott Owens, Joel Parlin, John Wells, and Wendy Williams.
 
On-site participants: David Blackman, and Steve Lasley.
 

STREAMING AUDIO: available here


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman

Member news:

Updates not available...

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Security:


Avi Baumstein was unable to make the meeting today, so any questions we might have for him will have to wait or be handled via e-mail.

Proposed Remote Access Policy

Updates not available...

Implementing the Mobile Computing Security policy (previous discussion)

There was some discussion about the problems district support were having regarding meeting this policy for their Extension Agents who are using county managed laptops; this is the case in some counties apparently. Obviously any solution there is out of our hands. Steve would recommend that individuals be apprised of what exactly constitutes restricted data. It may be the case that Extension Agents rarely deal with such things, in which case they should be fairly immune from any consequences currently though they are still technically responsible for compliance with policy. Beyond that, they would have to work with their county support staff to address any encryption needs.

Steve had mentioned that MBAM is the piece which Avi had referred to which could be used to make BitLocker compliant. DeWayne Hyatt has begun looking into the issue and he has discovered that ConfigMan can tell by default (via its hardware inventory feature) whether or not a volume is encrypted. DeWayne said that the interval is configurable, but he generally sets hardware inventory to run every 24 hours. This means that MBAM itself should not be necessary in our case.

Patching updates... (previous discussion)

Microsoft

The October Microsoft patches included 8 bulletins (4 "Critical", and 4 "Important") covering 26 CVEs in the usual suspects. A risk assessment is available here.

ISC has a nice Microsoft October 2013 Patch Tuesday assessment that shows at a glance which patches are most critical and where.

Updates not available...

Adobe

Adobe suffered a source code and customer data breach so we can likely expect more security vulnerabilities and updates before long. This month, Adobe released new Security updates for Adobe Reader and Acrobat; this affects version 11 only.

Java

No updates this month (so far...knock wood).


Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)


Endpoint security concerns (previous discussion)

Patrick Pettus met with folks from Network Services and the UF Security Team earlier this week in order to work out how to best handle TMS communications given its current reliance on Telnet. According to an e-mail from Avi, Network Services is working on a template for ACLing endpoints to restrict port 23 access to TMS.

Patrick let Steve know that they are implementing a firewall traversal solution that will allow endpoints to be called by sites on other networks via SIP URI instead of IP#. Nothing would change from our standpoint for outgoing calls from UF sites to outside endpoints. Once that is in place we won't lose functionality by moving to private IP. Moving to private IP will be recommended though not required. Endpoints will be able to start using the SIP URI without changing the IP, and once things seem to be working then look at pulling the IP back. Patrick said that Video Services will be doing the same with the MCU's and internal Gatekeeper.

Patrick added that VCS is including closer integration with the UF Health VC infrastructure in this process. UF Health's VC infrastructure is nearly identical to UF's and both are working to be able to share resources.

Replacing Polycom endpoints with some Lync-based solution (previous discussion)

Dan Cromer said that Dr. Nick Place, Dean & Director of Florida Cooperative Extension Service, is asking all the IFAS Extension Offices to participate in a monthly extension outreach via Adobe Connect. He is expecting those people to use their computers or go to a conference room with a suitable setup with a projector in order to participate. This means configuring conference rooms with something akin to the Logitech BCC950 ConferenceCam.

Steve isn't clear on how conference rooms at CEOs are generally laid out, but he did note that all the rooms in Entomology that currently support videoconferencing (save one that is appropriate for only 2-3 participants) have computers that are well away from where such a camera/speaker/mic device would need to be located. Readily available USB extenders generally support HID devices (mice, keyboards) but Steve is not aware of any extenders that can support the more rigorous needs of this particular situation. Research needs to be done to find suitable solutions before moving wholesale to this model. Codecs (Polycom, AVer, etc.) would continue to provide better results for quite some time in Steve's opinion, but Dr. Place has already made this decision so we will need to do our best to find solutions to support that.

Dan Cromer mentioned his preference for moving our ICC meetings to Lync only so that each of us might participate from our desks or from a conference room with a Lync camera. Steve remains skeptical at this time.

Possible end-point refresh in the works (previous discussion)

Updates not available...

Movi/Jabber Updates (previous discussion)

Updates not available...

End-user Scheduling (previous discussion)

Updates not available...

Lync updates (previous discussion)

Updates not available...

SIP may replace H.323 as preferred protocol for endpoints (previous discussion)

See above discussion...

Blue Jeans (previous discussion)

Dan Cromer had mentioned via the ICC-L back on September 26th that the UF Bluejeans landing page has been branded with the UF logo.


WAN (previous discussion)


Updates from James Moore

Updates not available...

Wireless printers (previous discussion)

Dan Cromer said that network services is continuing to work on a solution for connecting wireless printers to UF wireless but Dan wasn't sure of where things were with that.

VoIP at RECs

Updates not available...

Phone bills to be paid for centrally? (previous discussion)

Updates not available...


Policy


Notes from September SIAC meeting

These notes were not available, at least at the time of our meeting.

September's IT Directors Meeting Notes

These notes were not available, at least at the time of our meeting.

PrintSmart initiative (previous discussion)

Dennis Brown asked about the mention in today's NET-MANAGERS-L notice about new VLANs being configured to support the new Xerox printing infrastructure. Steve believes those relate to the need to supply remote page count monitoring capabilities for the vendor of that service.

Wendy Williams said that they had an existing Xerox machine that was accepted into this program after-the-fact, but it is her understanding that departments looking to get new Xerox machines are in waiting mode (up to six weeks) currently.

New IT Service Management Initiative

Updates not available...

Content Management System (CMS) for UF: Entering purchasing phase (previous discussion)

Updates not available...

Authentication Management policy draft (previous discussion)

Updates not available...

New 'Trouble-Ticket' Entry Page for CNS (previous discussion)

Updates not available...

KACE (previous discussion)

Updates not available...

CNS working to implement NAC for UF wireless (previous discussion)

Updates not available...

UF Exchange updates (previous discussion)

Updates not available...

Outsourcing of student e-mail

Dan Cromer explained that the rollout of Office 365 had been complicated by the need for separate e-mail addresses for a student who is also an employee. That can be implemented by having role-based mail-enabled service accounts with access to those being permissioned via a security group. That would make the accounts more easily manageable via simply moving user accounts in and out of the associated group.

Dan is not aware of a current solution for employees with an Exchange account who then become students, but the requirement for separating e-mail between student and employee roles for an individual has been made policy.

Dan mentioned there were also some issues with students having access to HIPAA data; such users would need to be barred from using the SkyDrive cloud-based storage component.

Supposedly this will be open for optional migration by November, but not all details are yet firm apparently. Steve asked Dan if there was any chance of getting information on this new system that would help us in our support roles, but he didn't know of any.

Outlook asking for re-authentication

Updates not available...

Sakai e-Learning System now in production (previous discussion)

Updates not available...

Alternate IFAS domains in e-mail (previous discussion)

Updates not available...

Split DNS solution for UFAD problems (previous discussion)

Updates not available...


Projects


New web cluster (previous discussion)

Updates not available...

Windows 8 Deployment? (previous discussion)

Steve asked if anyone was deploying Windows 8 machines as a matter of course. Responses indicated that while there are a few Windows 8 machines here and there, few profess to be rolling out Windows 8 in general. The one exception was David Bauldree who shared via e-mail after the meeting that he has installed almost twenty Windows 8 desktops with very few problems (mostly slight incompatibility with old video cards on computers over 4 years old). He noted that all have Classic Desktop installed so they boot directly to the desktop. He has no touch screens on the desktops and most have 2 monitors. David has also just installed 3 Win 8 tablets with touch screens. Wayne noted to Steve after the meeting that there are currently 53 Windows 8 machines in ePO (compared to 47 for Vista).

Steve also mentioned having some interest in trying out touch pads with Windows 8 such as the Logitech Wireless Rechargeable Touchpad T650. Apparently no one in the ICC has used one yet, however.

According to KACE reports, Dan has found roughly 600 machines running Windows XP within IFAS and about half of those have 2GB or greater RAM and could conceivably be migrated to either Windows 7 or Windows 8. Dan Cromer is wondering if Windows 8.1 that is due in a week or so might actually run better than Windows 7 on these older machines. In either case, Dan has tasked DeWayne with some SCCM-based OS deployment solution which DeWayne is investigating.

There was a lot of discussion that indicated most IT support folks would be quite hesitant to move to Windows 8.1 for these machines even if it ran somewhat better. While startup times are obviously better, most feel the user interface would cause too many problems for their users.

Steve asked if there was anyone out there that did not have a plan for getting Windows XP boxes off the network by April 2014 and received no responses.

SCCM for IFAS

Kevin Hill asked what the holdup has been in getting UF's centralized SCCM infrastructure up and running. Kevin is trying to decide whether to put more effort into his own deployment solution or to hold off longer in the hope that the proposed SCCM might prove more desirable. His main concern is to have a local repository so the WAN is not saturated by any deployment processes.

Dan Cromer suggested that Office 365 was keeping Alex York and the AD team quite busy and that might be one cause of delays. DeWayne responded that Dennis Brown has Kamin Miller using a beta version of ConfigMan with his unit and this would be the first thing to move as a pilot towards production. Kevin's need for a remote repository is something that is problematic, however. DeWayne cannot supply that piece himself and we would have to rely on CNS for another SCCM site server. CNS may be looking toward the proposed UF EPP solution rather than SCCM per se for such functionality. Kevin expressed to DeWayne his interest in being part of that discussion should it be ongoing.

Exit processes, NMB and permission removal (previous discussion)

Updates not available...

Services Documentation: Is a Wiki the way? (previous discussion)

Updates not available...


Operations


Moving from McAfee VirusScan to Microsoft Endpoint Protection?

Updates not available...

Print server (previous discussion)

Updates not available...

Recording lectures for Distance Education (previous discussion)

Updates not available...

New DHCP reservation site created (previous discussion)

You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.

Restoration of back-ups on the file server

Wayne Hyde intends to document and announce proper usage as time permits.

Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)

Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.

Creating guest GatorLink accounts: singly or in bulk (previous discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

DirectAccess pilot (previous discussion)

Chris Leopold said that they would like to go ahead with deploying this to IFAS. A number of folks then asked how we could begin to get test machines into this. Wayne Hyde suggested that the DirectAccess GPO should be tied to a security group so we could include machines by adding their computer accounts to that. Steve suggests contacting Wayne should you wish to get going on this.

VDI desktops as admin workstations (previous discussion)

Updates not available...

Wayne's Power Tools (previous discussion)

Updates not available...

Computer compliance tool update (previous discussion)

Updates not available...

Folder permissioning on the IFAS file server (previous discussion)

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Updates not available...

Disabling/deleting computer accounts based on computer password age (previous discussion)

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps Alex York's replacement can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.

Since BitLocker stores its keys within the computer object in UFAD, Chris Leopold was considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.
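
One way to combine the two points above, the 90-day cleanup and a BitLocker key fallback, is sketched below as an added example; it is not code from the ICC, Andrew Carey's plan or Wayne's Power Tools. The OU, file paths, CSV layout (Name,DisabledOn) and escrow certificate subject are all placeholders, and the account running it is assumed to have been delegated read access to BitLocker recovery data.

```powershell
#Requires -Modules ActiveDirectory
# Added example: OU, paths, CSV layout and certificate subject are placeholders.
param(
    [string]$SearchBase = 'OU=ExampleUnit,DC=example,DC=edu',  # placeholder OU
    [string]$RecordsCsv = '.\disabled-computers.csv',          # own records, columns: Name,DisabledOn
    [string]$EscrowDir  = '.\bitlocker-escrow',                # placeholder output folder
    [string]$EscrowCert = 'CN=BitLocker Escrow (placeholder)', # document-encryption certificate
    [int]$MinDaysDisabled = 90,
    [switch]$Delete                                            # without this switch, report only
)

$ErrorActionPreference = 'Stop'   # a failed escrow must never be followed by a delete

$cutoff  = (Get-Date).AddDays(-$MinDaysDisabled)
$records = @{}
Import-Csv -Path $RecordsCsv | ForEach-Object { $records[$_.Name] = [datetime]$_.DisabledOn }
New-Item -ItemType Directory -Path $EscrowDir -Force | Out-Null

$computers = Get-ADComputer -Filter 'Enabled -eq $false' -SearchBase $SearchBase

foreach ($c in $computers) {
    # AD does not store the date an account was disabled, so rely on our own records.
    if (-not $records.ContainsKey($c.Name)) {
        Write-Warning "$($c.Name): disabled but not in records; skipped"
        continue
    }
    if ($records[$c.Name] -gt $cutoff) { continue }   # disabled for less than the threshold

    # BitLocker recovery data is stored as child objects of the computer object.
    $keys = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', whenCreated)

    if ($keys.Count -gt 0) {
        # An empty password means this account cannot read the attribute; do not delete.
        if ($keys | Where-Object { -not $_.'msFVE-RecoveryPassword' }) {
            Write-Warning "$($c.Name): recovery password not readable; skipped"
            continue
        }
        $rows = $keys | Select-Object @{n='Computer';e={$c.Name}}, Name, whenCreated,
            @{n='RecoveryPassword';e={$_.'msFVE-RecoveryPassword'}}
        $text = ($rows | ConvertTo-Csv -NoTypeInformation) -join "`r`n"
        # Encrypt to the escrow certificate so the passwords never land on disk in clear text.
        Protect-CmsMessage -To $EscrowCert -Content $text `
            -OutFile (Join-Path $EscrowDir "$($c.Name).cms")
    }

    if ($Delete) {
        # Remove-ADComputer refuses objects that have children; recovery objects are children.
        Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$false
        Write-Output "$($c.Name): deleted ($($keys.Count) recovery key(s) escrowed)"
    } else {
        Write-Output "$($c.Name): eligible for deletion ($($keys.Count) recovery key(s) escrowed)"
    }
}
```

Run it without -Delete first to review the list, and confirm the .cms files decrypt with Unprotect-CmsMessage on the machine holding the escrow certificate's private key before deleting anything.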

Core Services status (previous discussion)

Updates not available...

ePO updates (previous discussion)

Updates not available...

Status of SharePoint services (previous discussion)

IFAS migrating to centralized MOSS

Updates not available...

Public folder file deletion policies and procedures status (previous discussion)

Updates not available...

MS Office News update (previous discussion)

Steve asked if anyone had understood Mari Jayne Frederick's recent post:

Message from Mari Jayne Frederick:
"[ICC-L] Grayed areas in Ofc 2010 & 2013" Thu 10/10/2013 2:36 PM


I know I have asked this some time ago, but notice even with Ofc 2013 there are grayed areas just like in 2010. Why are we not able to use both programs to the full extent? The products are activated. I looked online for a fix and it mentions activation is the key. Then there seems to be much going on with 2013 and that 365 is the way to go. When will that be available in volume licensing?

From the lack of response, Steve assumes that he wasn't alone in not understanding. Perhaps Mari Jayne will clarify her concern in the future.

Job Matrix Update status (previous discussion)

Updates not available...


Other Topics


Updates to activation scripts now available

Recently, Nick Smith followed by Santos Soler updated the scripts that activate via KMS any Microsoft Windows and Office products that are not on the UF domain. This helps cut down on the use of MAKs and also allows for a faster activation solution in some cases. Nick added support for Office 2013 and Santos made the script interactive.

Currently the new scripts are available at \\ad.ufl.edu\ifas\SOFTWARE\MicrosoftActivateBatchFile\New. They are as follows:

  1. MicrosoftActivation.bat = No user interaction. Activates Windows itself along with whatever version of Office is installed.
  2. MicrosoftActivationMenu.bat = User interaction. Asks which package to activate before proceeding.
  3. MicrosoftActivationNoMenu.bat = Expects a parameter to be passed in specifying the package to be updated. Acceptable parameters are: "o201364", "o201332", "o201064", "o201032", or "windows"

Extension to Disk Cleanup Wizard for Windows SP1 removes "outdated" updates to save space

This is being offered as a "recommended update" via Windows Update and details are available in a blog post by Charity Shelbourne. You are cautioned to read thoroughly and understand the consequences before proceeding with such cleanup, however.

SAS 9.4 installation point now available

James Hardemon supplied Steve a "depot" which he has uploaded to \\ad.ufl.edu\ifas\SOFTWARE\SAS\SAS9.4. You can install from there via an "if-admn-" elevated setup.exe. Remember that this version is x64 only and supports Windows 8. Here are the dialogs and the choices Steve made during install on a Win8x64 test system. The selections are just his best guess, but seemed to work:

SAS install wizard

Not knowing what to install exactly, Steve took the defaults:

SAS install wizard

You have to get the license key elsewhere, either off the installation media or directly from SLS. Then you point to it during the install:

SAS install wizard

Steve cleared the extra languages in order to save time:

SAS install wizard

Steve really has no idea of the difference at this time, but selected "SAS Foundation":

SAS install wizard

This next step bothered Steve a bit as he really doesn't want to install listening services on client computers; this can be un-installed later via the Control Panel, or the service could be set to manual start, and this likely can be unchecked for install at an earlier step as well. Steve isn't sure if this component is really used by anyone in his department but the following description was found on-line: "The SAS Document Conversion Server is a helper service that extracts plain text from file formats, so that the text can be analyzed by SAS Text Miner. File formats include PDF, Microsoft Office (DOC, DOCX, PPT, PPTX, XLS, XLSX), OpenOffice.org (ODT, ODP, ODS), and RTF."

SAS install wizard

Steve received a pending reboot notice after the Stage 1 portion and had to run through the whole set of wizard dialogs again after the reboot to continue. Gotta love SAS. After that the installation took approximately 30 minutes and added 10GB of files to the system. The test program available at http://icc.ifas.ufl.edu/ICCminutes/sastest.txt worked anyway, so Steve assumes all is good.

SAS seems to install its own private version of Java runtime components beneath %programfiles%\SASHome\SASPrivateJavaRuntimeEnvironment (version 7.0.150.3) and does not include any browser plugin component. This all would seem to Steve to indicate that we need not worry about installing or updating JRE--to support SAS 9.4 in any case. That would be a welcome relief. Note that SPSS follows a similar model of using a private JRE which it installs beneath its own program directory.

James is working on depots for a new release of 9.3 (both x86 and x64 Steve assumes) that supposedly "officially" supports JREv7. Steve will replace the current install points at \\ad.ufl.edu\ifas\SOFTWARE\SAS\ with those if and when they become available.

Adobe licensing

Updates not available...


The meeting was adjourned nearly an hour early at about 11:02 AM.