ICC Meeting: IFAS COMPUTER COORDINATORS
Message from Erik Deumens to the IT-DISCUSSION-L:

The question about sharing files with a researcher in China stimulated an active discussion. Unfortunately, some of the posts contain factually incorrect information. This note will try to present the correct facts related to such statements.

UF has been aware and has been working on the problem
The UF administration and UFIT leadership are aware of the problem and its urgency. Work involves faculty and staff and governance bodies including the faculty senate and IT advisory committees as well as representative groups such as the IT directors. Projects are currently defined and published on the UFIT projects page (see http://www.it.ufl.edu/projects/).

Cloud solutions
Solutions provided by cloud providers were considered and continue to be considered. Use of cloud services is not simple for an institution like UF that has a medical center and other institutions in similar situations. Most vendors refuse to sign the business liability agreement required by law that ensures that restricted data is kept private and secure, which places all liability on UF and its employees. This places liability on the institution and its employees over issues that are solely in the control of the vendor. Developing a comprehensive solution that works for all data relevant to UF and all use cases requires careful and cautious execution. UF was aware of the Box offering under NDA before it was made public. This solution has not been overlooked and it may still be part of the final solution.

Other institutions
The partial information about what other institutions are doing and have done may result in working conclusions. UF is fully aware of what all of its peer institutions are doing and how they are struggling with the very same very real issues and problems. None of them have a comprehensive solution either. All are working to get to a safer place both for their data against loss and theft and for the institution and the employees from risk and liability. We cannot gauge the ability for UF to implement a solution solely based on whether another institution of higher learning has implemented the same solution. Rules, regulations, laws, privacy, and a myriad of other issues impact the ability to implement in our particular situation.

Authentication
Universal and standardized authentication such as InCommon is an important tool to improve ease of use. However, it does impose an obstacle that excludes some institutions and their employees that have not implemented the system. Thus, a comprehensive solution must allow and support multiple paths to authenticate, again increasing complexity.

Responsibility and liability
Of paramount importance are security and the legal and financial ramifications resulting from associated privacy issues. Use of unapproved tools and services not only means possibly steep financial consequences for the institution, but also implies legal and financial consequences to the individual such as termination of staff in permanent and tenured positions, as well as personal financial liability. See the acceptable use policy at http://www.it.ufl.edu/policies/acceptable-use/acceptable-use-policy/ (paragraph before the title Security, Privacy, and Public Records). Note that if an institutionally prohibited tool or service is used in a work capacity, the individual can be held personally liable. The security measures UF has in place are designed to protect everyone from any criminality, malfeasance and misuse. They are also to ensure that no one will ever be placed in a situation where he or she is required to write a check or sign over their house or car in a settlement. And while the overwhelming rebuttal is that the data any employee handles is harmless, it may not be or it may be used in an unintended or unexpected way. A list of cloud services and software products in stages of risk assessment and approval can be found at http://www.it.ufl.edu/community/guidelines/etools/etools-assessment/

Moving forward
UFIT has been exploring solutions and seeking input from campus through various means such as focus groups, campus meetings, subcommittees, emails and this listserv. We want to keep this an open discussion working towards an implementable solution or solutions. Your input can be directed to your unit IT Director or to me.
This was a very appreciated response and is mostly good news, but it begs the question of why IT support isn't kept better informed--improving that would certainly help keep a good number of folks from chasing multiple alternatives.
Winnie Lante mentioned that one of her researchers had this need for file collaboration with some government grants and had purchased a license for Serv-U, not knowing that this required local hardware in order to implement. Dan Cromer supported getting ITSA to work on this via Santos Soler.
Notes from the November SIAC meeting
These notes are available on SharePoint thanks to Dan Cromer. Topics discussed included the IAM Strategy Project (including Timelines by Warren Curry), Common SIP Domain Name (John Pankow - n/a), Office 365/SkyDrive (Iain Moffat and James Oulman), and GatorLink Credential Authentication in Labs (Dan Cromer).
Proposal to move "former students" to the Disabled Accounts OU
Dan Cromer broached the subject at the November SIAC meeting (see item 6) and wanted to get a consensus from the ICC on the matter. Steve noted that he has had retired professors who ended up in the Disabled Accounts OU due to whatever automated processes are currently in place; such action can be reversed under unit control via assigning the "departmental associate" role. Apparently, however, the automated processes do not handle "former students" similarly. Dan is proposing that processes be implemented to move those with the "former student" role to the Disabled Accounts OU if they have no other role which would justify that their account remain active within UFAD.
Steve supports Dan's notion and in fact wonders why such processes are not already in place. Steve suggests that the ICC support Dan in proposing that such a mechanism be instituted. Further Steve would like Dan to propose that the details of such processes (mechanism and timeframe) be documented where all might have access; as far as Steve knows, this is not the case with our current processes that do this same thing for certain other accounts.
Steve feels the same way about how email is handled at exit; there is no clear description of when email goes away as far as Steve can determine. There is an "I Am An Alumni Why Can't I Check My Email Anymore" topic in the Help Desk Wiki FAQs, but it uses vague statements such as "certain period of time" and "after a certain time past graduation" that are pretty useless in planning.
After discussion it would appear that ICC is of like mind with Steve on the matter: Dan should suggest that 1) these exit processes be automated in UFAD and that 2) the details of when and how the process works be published.
November's IT Directors Meeting Notes
Dan Cromer kindly made these notes available here on SharePoint.
For those of you not able to attend this session which took place on Tuesday, November 5th, there is a recording available.
Topics covered included: DCE & Conferences, Web Content Management/Doc Imaging/MyUF Workspace, Eduroam, Print Smart, UF Online, eLearning, BigBlueButton, TurnItIn, Qualtrics, Systems Center Configuration Manager (SCCM), Office 365, Mediasite/Camtasia Desktop, UFApps, ITSM Project, and Software Evaluation Updates. Whew!
PrintSmart initiative (previous discussion)
Dan Cromer had shared a UF Xerox Policy and Procedure for Deployment document with us back on October 18th. That document includes information that all interested parties should know.
Other than that, Steve believes that the latest information available on this topic was a presentation at the Fall 2013 Peer-to-Peer (see above discussion).
New IT Service Management Initiative
Updates as available...
Content Management System (CMS) for UF: Entering purchasing phase (previous discussion)
Updates as available...
Authentication Management policy draft (previous discussion)
Updates as available...
New 'Trouble-Ticket' Entry Page for CNS (previous discussion)
Updates as available...
KACE (previous discussion)
Updates as available...
CNS working to implement NAC for UF wireless (previous discussion)
Jimmy mentioned having issues with roaming wireless on Mac laptops. Essentially the thing just stopped working. Things to try include forgetting the various SSIDs, redoing the connection, and (yes) even rebooting. Matt Nash and Al Ibanez noted having seen similar issues. Matt said that he has seen preference for connection to UFinfo even when it had been "forgotten". Steve mentioned thinking this is all a plot of central services to make local IT support folks look stupid.
UF Exchange updates (previous discussion)
UF has quotes back from Dell on the Exchange 2013 upgrade hardware and plans to move ahead with purchasing. A pilot of the new platform is hoped to be available in late January. Note that Outlook 2003 will no longer be supported with Exchange 2013.
In the meantime, issues may remain for Win 8.1 users trying to access OWA. As James Oulman had reported on the ACTIVEDIR-L list back on October 21st:
Message from James Oulman: With Windows 8.1 generally available please be aware of issues with IE 11 and Exchange Outlook Web App outlined in the following KB. Because of a change in the User-Agent string in IE 11, clients connecting to Outlook Web App will get the OWA Light experience. Microsoft has not yet released a fix for Exchange 2010. http://support.microsoft.com/kb/2866064 Users can work around this issue by using Compatibility Mode or InPrivate browsing in IE 11. Please see the KB above for more information. Please contact us via Remedy at http://request.it.ufl.edu or e-mail at support@ad.ufl.edu with any questions or concerns regarding this issue.
Steve notes that there is a fix now for Exchange 2010 in Update Rollup 3 for Exchange Server 2010 Service Pack 3 (mentioned in the since-updated KB article); Steve does not know if or when UF plans on installing that however.
There are other issues with OWA and Exchange 2013, however.
Outsourcing of student e-mail
The move to Office 365 for student e-mail has begun and a web site is now available. There seems to be information for students on the migration page and in SharePoint but little in the way of procedural recommendations/training for level one IT support folks.
Wendy Williams mentioned hearing that students are not jumping on this because they wouldn't be able to forward.
Steve mentioned awaiting instructions on creating role-based services accounts for students who are employed. There are both technical and non-technical questions on how best to handle that and Steve would prefer that a "proper" way be established and documented rather than having each IT support person try to figure this out for themselves. Unfortunately, central documentation already points users to us for support on this; that is putting the cart before the horse.
Outlook asking for re-authentication
Steve has been telling his users that he did not have a cure for this issue. Finally, one of his professors got very irate about it and Steve asked Scott Owens about it again. Scott suggested a Credentials Manager fix that Steve had somehow missed hearing about. Steve tried this fix for one of his users to no avail; he then made a new Outlook profile for them and is waiting to hear how that works out.
Francis Ferguson said that every time he has seen this it has been due to a person having changed their password but not having logged off/on. This may have been the problem for Steve's user all along because Steve found that his password had expired just prior and had to get that changed before he could even set up a new profile.
Sakai e-Learning System now in production (previous discussion)
Steve mentioned that Sakai had big problems during finals week along with a rumor that Sakai will be replaced with Canvas. Others mentioned having heard the same thing and Jimmy said that he believed the move to Canvas is pretty definite. Matt Nash said a couple of his users are using Canvas for some things currently and like it.
Alternate IFAS domains in e-mail (previous discussion)
Updates as available...
Split DNS solution for UFAD problems (previous discussion)
Updates as available...
New web cluster (previous discussion)
Updates as available...
Windows 8 Deployment? (previous discussion)
Updates as available...
SCCM for IFAS
Andrew Carey announced at the Fall 2013 Peer-to-peer that SCCM is now officially in production. There is a SharePoint site available that documents "Getting started with UF SCCM".
DeWayne Hyatt said that they are working on OS deployment via the UF-hosted site. They have images for Windows 7 and Windows 8.1 (both 32 and 64-bit). They have imported drivers for all Dell OptiPlex models from 760 and up and for Latitude E2110 and up. There are a few basic apps included; currently it is Adobe Reader and Office 2013. DeWayne is interested in hearing if there are any core apps that we consider universal across all machines; those could be wrapped into the image. Other apps can be deployed shortly after by the OU Admin whenever this is all rolled out.
Steve asked about plans for moving Dennis's department which is currently using a beta version of SCCM 2101 SP1. DeWayne said that he is going to have to get with Dennis and Kamin to work out the details. The beta version client agent they are using currently is not upgradeable, so one challenge will be to uninstall that prior to migration.
Steve mentioned his hope that we can get some training on SCCM down-the-road and DeWayne agreed that training would be needed--both in order to learn how to use the tools and perhaps more importantly what to avoid--as SCCM is perfectly capable of handling an inadvertent "click once, destroy all" mission.
DeWayne hopes to develop scripts that name and place machines into the proper OU and will be getting with the ICC later to discuss further details.
Kevin Hill asked whether these deployments were initiated via PXE boot or USB stick. When DeWayne replied that it is PXE currently Kevin asked if this will be usable by remote sites. DeWayne responded that Alex York is testing Adaptiva which will hopefully make that possible; there will be challenges getting the image bits out to remote locations in some instances, however. DeWayne thinks on-campus will be the initial rollout; remote distribution points or possibly the Adaptiva solution will then follow for remote sites--at least that is the plan. DeWayne wants to get OS deployment everywhere if at all possible; he had experience with that in his last job and it worked well.
Exit processes, NMB and permission removal (previous discussion)
Updates as available...
Services Documentation: Is a Wiki the way? (previous discussion)
Updates as available...
Moving from McAfee VirusScan to Microsoft Endpoint Protection?
A slideshow by Geof Gowan on UF's investigation into End Point Protection was made available at the November Campus IT Directors meeting. This presentation presented IBM Endpoint Manager (IEM) as the committee's recommendation for a UF-wide solution.
Print server (previous discussion)
Updates as available...
Recording lectures for Distance Education (previous discussion)
Updates as available...
New DHCP reservation site created (previous discussion)
You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.
Restoration of back-ups on the file server
Wayne Hyde intends to document and announce proper usage as time permits.
Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)
Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.
Creating guest GatorLink accounts: singly or in bulk (previous discussion)
Steve had left this on the agenda in case further discussion was deemed warranted.
DirectAccess pilot (previous discussion)
Updates as available...
VDI desktops as admin workstations (previous discussion)
Updates as available...
Wayne's Power Tools (previous discussion)
Updates as available...
Computer compliance tool update (previous discussion)
ITSA wanted to know if it would help IT Support find their Windows XP machines if Chris added a check for that into his program prior to April 2014. Steve feels every IT support person should be able to locate their managed Windows XP machines easily by searching within ADUC:
It is Steve's opinion that adding a check into the IPCC app now would simply cause noise to sort through. In Steve's case, for example, one can’t judge overall preparedness by the numbers on this; he has 29 WinXP boxes in his list currently and one might assume that they represent a crisis brewing for him that he is somehow ignoring. That is not the case, however. Steve knows exactly why each of these machines is listed, where they are located, and what he is going to do with them to make sure they are gone from the network by April. [for the record, they will be unplugged and for the most part surveyed as obsolete]
Steve has been planning this for years and is confident that he has it well in hand. Steve always appreciates ITSA's support but he doesn't see this as being a problem that central IT need solve (other than perhaps to block via DHCP filters once the deadline passes and machines continue to show up—a service I would applaud).
Most ICCers, at least on campus, appeared to agree with Steve that we have the situation covered regardless of what the numbers may look like. Steve doesn't know if the campus units supported solely by the Help Desk are in as good a situation, however.
Also, Kevin Hill said that the CEOs may be a different story because of the lack of funds--and Francis agreed. Kevin suggested that Dan Cromer might want to get with Nick Place and the District Support folks to see if some money might be freed up for computer upgrades. Steve said that he suspects Dan has had some plans along those lines already but it would be good to start a discussion detailing the needs as soon as possible. Kevin added that if we could get those systems imaged on campus and be ready to rollout that would be even better.
It was discussed that we might want to record the MAC addresses of machines expected to remain on WinXP (but off network) after April. Those could then be blocked via DHCP filters to avoid problems from someone plugging them back into the network unawares.
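The two steps discussed in this item, listing a unit's Windows XP computer objects and recording their MAC addresses for a later DHCP deny filter, can be scripted as follows. This is an added example, not part of the meeting notes or any ITSA tool; it assumes the RSAT ActiveDirectory and DhcpServer PowerShell modules and a Windows DHCP server, and the OU path and server name are placeholders.

```powershell
# Added example, not from the meeting notes. Assumes the RSAT ActiveDirectory
# and DhcpServer modules and a Windows DHCP server; all names are placeholders.
Import-Module ActiveDirectory, DhcpServer

$SearchBase = 'OU=ExampleUnit,DC=example,DC=edu'   # hypothetical unit OU
$DhcpServer = 'dhcp01.example.edu'                 # hypothetical DHCP server

# 1. The same list an ADUC query on the operatingSystem attribute returns.
$xp = Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree `
    -Filter 'OperatingSystem -like "Windows XP*"' `
    -Properties OperatingSystem, LastLogonDate, Description

# 2. AD does not hold MAC addresses, so take them from current DHCP leases,
#    keyed by short host name (a lease HostName may be an FQDN or empty).
$macByHost = @{}
Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
    Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $_.ScopeId
} | Where-Object { $_.HostName } | ForEach-Object {
    $macByHost[($_.HostName -split '\.')[0].ToUpper()] = $_.ClientId
}

# 3. One record per XP machine: what it is, when it last logged on, its MAC.
$report = foreach ($c in $xp) {
    [pscustomobject]@{
        Name        = $c.Name
        Enabled     = $c.Enabled
        LastLogon   = $c.LastLogonDate
        Description = $c.Description
        Mac         = $macByHost[$c.Name.ToUpper()]   # $null if no lease was found
    }
}
$report | Sort-Object Name | Export-Csv -NoTypeInformation -Path .\winxp-machines.csv

# Machines without a lease need their MAC recorded by hand before they go off network.
$report | Where-Object { -not $_.Mac } | Select-Object Name, LastLogon

# 4. After the deadline: stage deny-list entries. -WhatIf only prints the action;
#    remove it to apply. The deny list must also be enabled on the server
#    (check with Get-DhcpServerv4FilterList).
$report | Where-Object { $_.Mac } | ForEach-Object {
    Add-DhcpServerv4Filter -ComputerName $DhcpServer -List Deny `
        -MacAddress $_.Mac -Description "WinXP off-network: $($_.Name)" -WhatIf
}
```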
Folder permissioning on the IFAS file server (previous discussion)
You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.
Updates as available...
Disabling/deleting computer accounts based on computer password age (previous discussion)
This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps DeWayne Hyatt can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.
Since BitLocker stores its keys within the computer object in UFAD, Chris Leopold was considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.
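A sketch of the manual clean-up with the BitLocker fallback described above, as an added example that is not Andrew Carey's plan, Wayne's Power Tools, or any UF script. It assumes the RSAT ActiveDirectory module, read access to the BitLocker recovery attributes, and that the last change to userAccountControl was the disable action; the OU, domain controller and escrow path are placeholders.

```powershell
# Added example, not from the meeting notes. OU, DC and file path are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=ExampleUnit,DC=example,DC=edu'   # hypothetical unit OU
$Server     = 'dc01.example.edu'                   # hypothetical domain controller
$Cutoff     = (Get-Date).AddDays(-90)
$EscrowFile = 'C:\Secure\bitlocker-escrow.csv'     # hypothetical; keep on encrypted,
                                                   # access-restricted storage

# 1. Disabled computer objects. AD has no "disabled on" attribute, so use the
#    last originating change of userAccountControl from replication metadata
#    (assumption: nothing else touched that attribute since the disable).
$stale = Get-ADComputer -Server $Server -SearchBase $SearchBase `
        -Filter 'Enabled -eq $false' | ForEach-Object {
    $meta = Get-ADReplicationAttributeMetadata -Object $_ -Server $Server `
                -Properties userAccountControl
    if ($meta.LastOriginatingChangeTime -le $Cutoff) {
        $_ | Add-Member -NotePropertyName DisabledSince `
                 -NotePropertyValue $meta.LastOriginatingChangeTime -PassThru
    }
}

# 2. BitLocker recovery data lives in msFVE-RecoveryInformation child objects
#    of the computer object; copy it out before the parent is deleted.
$keys = foreach ($c in $stale) {
    Get-ADObject -Server $Server -SearchBase $c.DistinguishedName `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', whenCreated | ForEach-Object {
            [pscustomobject]@{
                Computer         = $c.Name
                DisabledSince    = $c.DisabledSince
                KeyObject        = $_.Name
                KeyCreated       = $_.whenCreated
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}
if ($keys) { $keys | Export-Csv -NoTypeInformation -Path $EscrowFile }

# 3. Delete. A computer object with recovery-information children is not a
#    leaf object, so Remove-ADObject -Recursive is used. -WhatIf only prints
#    the action; remove it after checking the list and the escrow file.
foreach ($c in $stale) {
    Remove-ADObject -Server $Server -Identity $c.DistinguishedName -Recursive -WhatIf
}
```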
Core Services status (previous discussion)
Updates as available...
ePO updates (previous discussion)
Updates as available...
Status of SharePoint services (previous discussion)
IFAS migrating to centralized MOSS
Updates as available...
Public folder file deletion policies and procedures status (previous discussion)
Updates as available...
MS Office News update (previous discussion)
Updates as available...
Job Matrix Update status (previous discussion)
Chris Leopold has updated both the ITSA Staff page and the Current Job Matrix!
Updated guidelines for licensing Windows for use on Apple Macs
Andrew Carey had reported the following via the ACTIVEDIR-L list:
Message from Andrew Carey: Updates to activation scripts now available Microsoft has recently updated their guidelines for licensing Windows for use with Macs. As a result, Mac users are now licensed to install Windows as a second full operating system as a guest operating system in a virtual machine on third party virtualization software, such as Parallels Desktop or VMWare Fusion. Previously this benefit of the Microsoft campus agreement was only extended to Windows Guests running under Apple Boot Camp. For more information on this change, see http://www.microsoft.com/licensing/about-licensing/briefs/apple-mac.aspx Please let me know if you have any questions.
Steve mentioned having to take Andrew's word on this as he finds Microsoft licensing documentation to be beyond esoteric.
Updates to activation scripts now available (previous discussion)
Santos updated his "MicrosoftActivation.bat" file (available at \\ad.ufl.edu\ifas\SOFTWARE\MicrosoftActivateBatchFile\New) to handle Windows 8.1 and Office 2013.
Adobe licensing
Wendy said they have moved to Foxit from Acrobat. Jimmy noted that Preview works well on the Mac with one workaround; instead of saving after filling out the form, go to print and use the "save as PDF" option from there to save the file.
The meeting was adjourned nearly an hour early at about 11:30 AM.