

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM December 13th 2013 REGULAR MEETING


A meeting of the ICC was held on Friday, December 13th, 2013 in the NEW UF/IFAS Communications Building. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Eighteen members participated.
 
Remote participants: David Bauldree, Bill Black, Kevin Hill, Al Ibanez, Wayne Hyde, Marvin Newman, Joel Parlin, Mike Ryabin, and John Wells.
 
On-site participants: Jimmy Anuszewski, David Blackman, Dennis Brown, Francis Ferguson, Winnie Lante, Steve Lasley, Matthew Nash, Karen Porter, and Wendy Williams.
 

STREAMING AUDIO: available here


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman

Member news:

Updates as available...

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Security:


Steve decided that having Avi Baumstein attend each month was no longer necessary. Avi is still willing to be called in to one of our meetings in the future with sufficient notice, however, should the need arise.

Proposed Remote Access Policy

Updates as available...

Implementing the Mobile Computing Security policy (previous discussion)

Patching updates... (previous discussion)

Microsoft

Since we didn't meet in November, there are two months' worth of updates to discuss...

The November Microsoft patches included 8 bulletins (3 "Critical", and 5 "Important") covering 19 CVEs in the usual suspects. A risk assessment is available here.

The December Microsoft patches included 11 bulletins (5 "Critical", and 6 "Important") covering 24 CVEs in the usual suspects. A risk assessment is available here.

ISC has a nice Microsoft November 2013 Patch Tuesday summary (the December equivalent was not available by meeting time) that shows at a glance which patches are most critical and where.

Updates as available...

Adobe

You may have heard how negligent Adobe was with a recent user account data breach. You can check if your account was hacked at https://lastpass.com/adobe/. A site that does a similar check but across multiple naughty vendors is http://haveibeenpwned.com/.

Back on the November Patch Tuesday, Adobe released security updates for Flash Player and Air and then did it yet again this month.

Java

Java v7u45 was released on the third Tuesday of October. It addressed at least 51 security vulnerabilities, 50 of which were remotely exploitable w/o any authentication. Note that these vulnerabilities exist in JRE6 and will never be patched.


Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)


Endpoint security concerns (previous discussion)

Since the plan is to move to URI dialing with NATing at the UF boundary so our endpoints can all eventually be on private IP, Steve took the time a while back to configure SIP on Entomology's AVer HVC 310 endpoint. SIP registered correctly as far as Steve could tell and he had tested connecting to that endpoint from a PC via Lync, which worked. Consequently he had thought all was well. He recently discovered, however, that the unit had lost its ability to send content for some reason. After some investigation it was discovered that:

  1. Having SIP enabled (using UDP as the transport protocol, BTW), even with H.323 listed as the preferred protocol as shown here, causes the SIP protocol to be used when connecting to the bridge (according to the AVer’s own connection details page). Sending content from the AVer fails under these circumstances.
  2. When the Enable SIP checkbox is unchecked then connections occur via H.323 (again according to the AVer’s own connection details page) and content can then be sent through the bridge.

Steve has mentioned the problem to Patrick and an AVer Field Support Engineer; hopefully they will be able to figure out what is going on so we can enable SIP but still send content through the bridge at UF Video Services.

Replacing Polycom endpoints with some Lync-based solution (previous discussion)

Francis Ferguson asked if there had been any more discussion about replacing videoconferencing endpoints; he has a number of CEOs with failing units--one for example will no longer focus. Steve said that he had heard that some on-campus locations had some systems refreshed via central funds but did not know the details. Dan Cromer has been pushing for replacement via computer based solutions and Nick Place is using Adobe Connect for regular "Extension Connections" meetings. CEOs may want to look in that direction instead.

Steve mentioned that many don't realize that it takes serious (like equivalent to high-end Polycom) dollars to implement computer-based web conferencing solutions (Lync, Jabber, Bluejeans, Adobe Connect, you name it) properly in medium to large room settings. Instead of using a Polycom for the camera and microphones you need to buy expensive PTZ cameras, microphones, DSP equipment and the like in order to route and control the audio and video. Steve sees great promise in using the bridge to extend traditional videoconferencing setups via Bluejeans, however. Jimmy mentioned having had very good results tying Bluejeans into the bridge in that way.

Possible end-point refresh in the works (previous discussion)

Updates as available...

Movi/Jabber Updates (previous discussion)

Updates as available...

End-user Scheduling (previous discussion)

Dennis Brown asked if Steve had heard anything about the proposed TMS training that might lead to more having direct access to the full TMS system. Steve was sorry to say that he had not.

Lync updates (previous discussion)

UF is planning to move to the 2013 platform, perhaps in conjunction with the move to Exchange 2013.

Blue Jeans (previous discussion)

As Dan Cromer reported back in mid-November, the Blue Jeans for Android app is now available in the Google Play Store, joining the previously available Blue Jeans app for iPhone/iPad.


WAN (previous discussion)


Updates from James Moore

James was not available again, but Francis Ferguson noted that FMEL at Vero Beach has had a new connection installed now. This should provide them a bit more bandwidth, and maybe permit VoIP implementation there eventually.

Wireless printers (previous discussion)

Updates as available...

VoIP at RECs

Updates as available...

Phone bills to be paid for centrally? (previous discussion)

Updates as available...


Policy


Options for file sharing by faculty with others outside UF

There was considerable discussion at the UF level recently on the need for a means to easily share files, particularly for collaboration with outside individuals and groups. Erik Deumens, the Director of UF Research Computing gave what would appear to be the definitive response:

Message from Erik Deumens to the IT-DISCUSSION-L:
"Option for FILE SHARING by Faculty with Others Outside UF" Thu 12/5/2013 4:53 PM


The question about sharing files with a researcher in China stimulated an active discussion. Unfortunately some of the posts contain factually incorrect information. This note will try to present the correct facts related to such statements.

UF has been aware and has been working on the problem

The UF administration and UFIT leadership are aware of the problem and its urgency. Work involves faculty and staff and governance bodies including the faculty senate and IT advisory committees as well as representative groups such as the IT directors. Projects are currently defined and published on the UFIT projects page (see http://www.it.ufl.edu/projects/):

  1. Collaborative big-data storage, to be called GatorBox, estimated production start April 2014
  2. Collaborative research cloud storage, aka Office 365 for faculty and staff is in pilot for students now
  3. PHI compliant HPC system, estimated production start May 2014
The first project listed is particularly relevant to this thread. It has developed a solution together with 6 other universities in the state that are part of SSERCA, enabling research collaborations across the state that will scale to 100 TB and more as well as providing easy, dropbox-like sharing across the world. See the recent press release by DDN, the vendor that will supply part of the infrastructure, at http://www.storagenewsletter.com/rubriques/customer-wins/sunshine-state-education-research-computing-alliance-customer-of-ddn/, with a link from the UFIT news page at http://www.it.ufl.edu/vp-cio-office/ufit-in-the-news/

Cloud solutions

Solutions provided by cloud providers were considered and continue to be considered. Use of cloud services is not simple for an institution like UF that has a medical center and other institutions in similar situations. Most vendors refuse to sign the business liability agreement required by law that ensures that restricted data remain private and secure, which places all liability on UF and its employees. This places liability on the institution and its employees over issues that are solely in the control of the vendor. Developing a comprehensive solution that works for all data relevant to UF and all use cases requires careful and cautious execution.

UF was aware of the Box offering under NDA before it was made public. This solution has not been overlooked and it may still be part of the final solution.

Other institutions

The partial information about what other institutions are doing and have done may result in working conclusions. UF is fully aware of what all of its peer institutions are doing and how they are struggling with the very same very real issues and problems. None of them have a comprehensive solution either. All are working to get to a safer place both for their data against loss and theft and for the institution and the employees from risk and liability.

We cannot gauge the ability for UF to implement a solution solely based on whether another institution of higher learning has implemented the same solution. Rules, regulations, laws, privacy, and a myriad of other issues impact the ability to implement in our particular situation.

Authentication

Universal and standardized authentication such as InCommon is an important tool to improve ease of use. However, it does impose an obstacle that excludes some institutions and their employees that have not implemented the system. Thus, a comprehensive solution must allow and support multiple paths to authenticate, again increasing complexity.

Responsibility and liability

Of paramount importance are security and the legal and financial ramifications resulting from associated privacy issues. Use of unapproved tools and services not only means possibly steep financial consequences for the institution, but also implies legal and financial consequences to the individual such as termination of staff in permanent and tenured positions, as well as personal financial liability. See the acceptable use policy at http://www.it.ufl.edu/policies/acceptable-use/acceptable-use-policy/ (paragraph before the title Security, Privacy, and Public Records). Note that if an institutionally prohibited tool or service is used in a work capacity, the individual can be held personally liable.

The security measures UF has in place are designed to protect everyone from any criminality, malfeasance and misuse. They are also there to ensure that no one will ever be placed in a situation where he or she is required to write a check or sign over their house or car in a settlement. And while the overwhelming rebuttal is that the data any employee handles is harmless, it may not be, or it may be used in an unintended or unexpected way. A list of cloud services and software products in stages of risk assessment and approval can be found at http://www.it.ufl.edu/community/guidelines/etools/etools-assessment/

Moving forward

UFIT has been exploring solutions and seeking input from campus through various means such as focus groups, campus meetings, subcommittees, emails and this listserv. We want to keep this an open discussion working towards an implementable solution or solutions. Your input can be directed to your unit IT Director or to me.

This was a very appreciated response and is mostly good news, but it raises the question of why IT support isn't kept better informed; improving that would certainly help keep a good number of folks from chasing multiple alternatives.

Winnie Lante mentioned that one of her researchers had this need for file collaboration with some government grants and had purchased a license for Serv-U, not knowing that this required local hardware in order to implement. Dan Cromer supported getting ITSA to work on this via Santos Soler.

Notes from the November SIAC meeting

These notes are available on SharePoint thanks to Dan Cromer. Topics discussed included the IAM Strategy Project (including Timelines by Warren Curry), Common SIP Domain Name (John Pankow - n/a), Office 365/SkyDrive (Iain Moffat and James Oulman), and GatorLink Credential Authentication in Labs (Dan Cromer).

Proposal to move "former students" to the Disabled Accounts OU

Dan Cromer broached the subject at the November SIAC meeting (see item 6) and wanted to get a consensus from the ICC on the matter. Steve noted that he has had retired professors who ended up in the Disabled Accounts OU due to whatever automated processes are currently in place; such action can be reversed under unit control by assigning the "departmental associate" role. Apparently, however, the automated processes do not handle "former students" similarly. Dan is proposing that processes be implemented to move those with the "former student" role to the Disabled Accounts OU if they have no other role which would justify their account remaining active within UFAD.

Steve supports Dan's notion and in fact wonders why such processes are not already in place. Steve suggests that the ICC support Dan in proposing that such a mechanism be instituted. Further Steve would like Dan to propose that the details of such processes (mechanism and timeframe) be documented where all might have access; as far as Steve knows, this is not the case with our current processes that do this same thing for certain other accounts.

Steve feels the same way about how email is handled at exit; there is no clear description of when email goes away as far as Steve can determine. There is an "I Am An Alumni Why Can't I Check My Email Anymore" topic in the Help Desk Wiki FAQs, but it uses vague statements such as "certain period of time" and "after a certain time past graduation" that are pretty useless in planning.

After discussion it would appear that ICC is of like mind with Steve on the matter: Dan should suggest that 1) these exit processes be automated in UFAD and that 2) the details of when and how the process works be published.

November's IT Directors Meeting Notes

Dan Cromer kindly made these notes available here on SharePoint.

Fall 2013 Peer-to-peer

For those of you not able to attend this session which took place on Tuesday, November 5th, there is a recording available.

Topics covered included: DCE & Conferences, Web Content Management/Doc Imaging/MyUF Workspace, Eduroam, Print Smart, UF Online, eLearning, BigBlueButton, TurnItIn, Qualtrics, Systems Center Configuration Manager (SCCM), Office 365, Mediasite/Camtasia Desktop, UFApps, ITSM Project, and Software Evaluation Updates. Whew!

PrintSmart initiative (previous discussion)

Dan Cromer had shared a UF Xerox Policy and Procedure for Deployment document with us back on October 18th. That document includes information that all interested parties should know.

Other than that, Steve believes that the latest information available on this topic was a presentation at the Fall 2013 Peer-to-Peer (see above discussion).

New IT Service Management Initiative

Updates as available...

Content Management System (CMS) for UF: Entering purchasing phase (previous discussion)

Updates as available...

Authentication Management policy draft (previous discussion)

Updates as available...

New 'Trouble-Ticket' Entry Page for CNS (previous discussion)

Updates as available...

KACE (previous discussion)

Updates as available...

CNS working to implement NAC for UF wireless (previous discussion)

Jimmy mentioned having issues with roaming wireless on Mac laptops. Essentially the thing just stopped working. Things to try include forgetting the various SSIDs, redoing the connection, and (yes) even rebooting. Matt Nash and Al Ibanez noted having seen similar issues. Matt said that he has seen preference for connection to UFinfo even when it had been "forgotten". Steve mentioned thinking this is all a plot of central services to make local IT support folks look stupid.

UF Exchange updates (previous discussion)

UF has quotes back from Dell on the Exchange 2013 upgrade hardware and plan to move ahead with purchasing. A pilot of the new platform is hoped to be available in late January. Note that Outlook 2003 will no longer be supported with Exchange 2013.

In the meantime, issues may remain for Win 8.1 users trying to access OWA. As James Oulman had reported on the ACTIVEDIR-L list back on October 21st:

Message from James Oulman:
"[ACTIVEDIR-L] IE 11 issues with Exchange OWA." Mon 10/21/2013 1:48 PM


With Windows 8.1 generally available please be aware of issues with IE 11 and Exchange Outlook Web App outlined in the following KB. Because of a change in the User-Agent string in IE 11, clients connecting to Outlook Web App will get the OWA Light experience. Microsoft has not yet released a fix for Exchange 2010.

http://support.microsoft.com/kb/2866064

Users can work around this issue by using Compatibility Mode or InPrivate browsing in IE 11. Please see the KB above for more information.

Please contact us via Remedy at http://request.it.ufl.edu or e-mail at support@ad.ufl.edu with any questions or concerns regarding this issue.

Steve notes that there is a fix now for Exchange 2010 in Update Rollup 3 for Exchange Server 2010 Service Pack 3 (mentioned in the since-updated KB article); Steve does not know if or when UF plans on installing that however.

There are other issues with OWA and Exchange 2013, however.

Outsourcing of student e-mail

The move to Office 365 for student e-mail has begun and a web site is now available. There seems to be information for students on the migration page and in SharePoint but little in the way of procedural recommendations/training for level one IT support folks.

Wendy Williams mentioned hearing that students are not jumping on this because they wouldn't be able to forward.

Steve mentioned awaiting instructions on creating role-based services accounts for students who are employed. There are both technical and non-technical questions on how best to handle that and Steve would prefer that a "proper" way be established and documented rather than having each IT support person try to figure this out for themselves. Unfortunately, central documentation already points users to use for support on this; that is putting the cart before the horse.

Outlook asking for re-authentication

Steve has been telling his users that he did not have a cure for this issue. Finally, one of his professors got very irate about it and Steve asked Scott Owens about it again. Scott suggested a Credentials Manager fix that Steve had somehow missed hearing about. Steve tried this fix for one of his users to no avail; he then made a new Outlook profile for them and is waiting to hear how that works out.

Francis Ferguson said that every time he has seen this it has been due to a person having changed their password but not having logged off/on. This may have been the problem for Steve's user all along because Steve found that his password had expired just prior and had to get that changed before he could even set up a new profile.

Sakai e-Learning System now in production (previous discussion)

Steve mentioned that Sakai had big problems during finals week along with a rumor that Sakai will be replaced with Canvas. Others mentioned having heard the same thing and Jimmy said that he believed the move to Canvas is pretty definite. Matt Nash said a couple of his users are using Canvas for some things currently and like it.

Alternate IFAS domains in e-mail (previous discussion)

Updates as available...

Split DNS solution for UFAD problems (previous discussion)

Updates as available...


Projects


New web cluster (previous discussion)

Updates as available...

Windows 8 Deployment? (previous discussion)

Updates as available...

SCCM for IFAS

Andrew Carey announced at the Fall 2013 Peer-to-peer that SCCM is now officially in production. There is a SharePoint site available that documents "Getting started with UF SCCM".

DeWayne Hyatt said that they are working on OS deployment via the UF-hosted site. They have images for Windows 7 and Windows 8.1 (both 32 and 64-bit). They have imported drivers for all Dell OptiPlex models from 760 and up and for Latitude E2110 and up. There are a few basic apps included; currently it is Adobe Reader and Office 2013. DeWayne is interested in hearing if there are any core apps that we consider universal across all machines; those could be wrapped into the image. Other apps can be deployed shortly after by the OU Admin whenever this is all rolled out.

Steve asked about plans for moving Dennis's department which is currently using a beta version of SCCM 2101 SP1. DeWayne said that he is going to have to get with Dennis and Kamin to work out the details. The beta version client agent they are using currently is not upgradeable, so one challenge will be to uninstall that prior to migration.

Steve mentioned his hope that we can get some training on SCCM down-the-road and DeWayne agreed that training would be needed--both in order to learn how to use the tools and perhaps more importantly what to avoid--as SCCM is perfectly capable of handling an inadvertent click once destroy all mission.

DeWayne hopes to develop scripts that name and place machines into the proper OU and will be getting with the ICC later to discuss further details.

Kevin Hill asked whether these deployments were initiated via PXE boot or USB stick. When DeWayne replied that it is PXE currently Kevin asked if this will be usable by remote sites. DeWayne responded that Alex York is testing Adaptiva which will hopefully make that possible; there will be challenges getting the image bits out to remote locations in some instances, however. DeWayne thinks on-campus will be the initial rollout; remote distribution points or possibly the Adaptiva solution will then follow for remote sites--at least that is the plan. DeWayne wants to get OS deployment everywhere if at all possible; he had experience with that in his last job and it worked well.

Exit processes, NMB and permission removal (previous discussion)

Updates as available...

Services Documentation: Is a Wiki the way? (previous discussion)

Updates as available...


Operations


Moving from McAfee VirusScan to Microsoft Endpoint Protection?

A slideshow by Geof Gowan on UF's investigation into End Point Protection was made available at the November Campus IT Directors meeting. This presentation presented IBM Endpoint Manager (IEM) as the committee's recommendation for a UF-wide solution.

Print server (previous discussion)

Updates as available...

Recording lectures for Distance Education (previous discussion)

Updates as available...

New DHCP reservation site created (previous discussion)

You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.

Restoration of back-ups on the file server

Wayne Hyde intends to document and announce proper usage as time permits.

Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)

Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.

Creating guest GatorLink accounts: singly or in bulk (previous discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

DirectAccess pilot (previous discussion)

Updates as available...

VDI desktops as admin workstations (previous discussion)

Updates as available...

Wayne's Power Tools (previous discussion)

Updates as available...

Computer compliance tool update (previous discussion)

ITSA wanted to know if it would help IT Support find their Windows XP machines if Chris added a check for that into his program prior to April 2014. Steve feels every IT support person should be able to locate their managed Windows XP machines easily by searching within ADUC:

ADUC search for Windows XP boxes

It is Steve's opinion that adding a check into the IPCC app now would simply cause noise to sort through. In Steve's case, for example, one can’t judge overall preparedness by the numbers on this; he has 29 WinXP boxes in his list currently and one might assume that they represent a crisis brewing for him that he is somehow ignoring. That is not the case, however. Steve knows exactly why each of these machines is listed, where they are located, and what he is going to do with them to make sure they are gone from the network by April. [for the record, they will be unplugged and for the most part surveyed as obsolete]

Steve has been planning this for years and is confident that he has it well in hand. Steve always appreciates ITSA's support but he doesn't see this as being a problem that central IT needs to solve (other than perhaps to block via DHCP filters once the deadline passes and machines continue to show up, a service I would applaud).

Most ICCers, at least on campus, appeared to agree with Steve that we have the situation covered regardless of what the numbers may look like. Steve doesn't know if the campus units supported solely by the Help Desk are in as good a situation, however.

Also, Kevin Hill said that the CEOs may be a different story because of the lack of funds--and Francis agreed. Kevin suggested that Dan Cromer might want to get with Nick Place and the District Support folks to see if some money might be freed up for computer upgrades. Steve said that he suspects Dan has had some plans along those lines already but it would be good to start a discussion detailing the needs as soon as possible. Kevin added that if we could get those systems imaged on campus and be ready to rollout that would be even better.

It was discussed that we might want to record the MAC addresses of machines expected to remain on WinXP (but off network) after April. Those could then be blocked via DHCP filters to avoid problems from someone plugging them back into the network unawares.

Folder permissioning on the IFAS file server (previous discussion)

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Updates as available...

Disabling/deleting computer accounts based on computer password age (previous discussion)

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps DeWayne Hyatt can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.
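One way to script both the ADUC search for Windows XP boxes mentioned under the compliance tool item and the manual stale-computer cleanup Steve describes here, as an added example that is not code from the ICC notes, ITSA, or Wayne's Power Tools. The OU distinguished name is a placeholder and the 90-day machine-password threshold is an assumption; the 90-day disabled grace period is the one from the notes.

```powershell
# Added example, not code from the ICC notes, ITSA, or Wayne's Power Tools.
# Assumes the ActiveDirectory module (RSAT) and read rights on the unit's OU.
# The OU below is a placeholder; $StalePasswordDays is an assumed threshold.
Import-Module ActiveDirectory

$SearchBase        = "OU=PLACEHOLDER-UNIT,OU=IFAS,DC=ad,DC=ufl,DC=edu"  # placeholder
$StalePasswordDays = 90   # assumption: machine password untouched this long = stale
$DisabledGraceDays = 90   # from the notes: candidates are objects disabled 90+ days

$now       = Get-Date
$computers = Get-ADComputer -SearchBase $SearchBase -Filter * `
    -Properties OperatingSystem, PasswordLastSet, whenChanged

# 1. The ADUC search, scripted: every object still reporting a Windows XP OS.
$xpBoxes = $computers | Where-Object { $_.OperatingSystem -like "Windows XP*" }

# 2. Enabled machines whose password has not rotated in $StalePasswordDays.
#    A domain member normally rotates it every 30 days, so a long gap means
#    the box has not talked to UFAD and is a candidate for disabling.
$stale = $computers | Where-Object {
    $_.Enabled -and $_.PasswordLastSet -and
    $_.PasswordLastSet -lt $now.AddDays(-$StalePasswordDays)
}

# 3. Disabled objects untouched for $DisabledGraceDays. whenChanged is the last
#    modification, which for an object that was disabled and then left alone
#    approximates the disable date (keep your own record if you need exactness).
$deletable = $computers | Where-Object {
    -not $_.Enabled -and $_.whenChanged -lt $now.AddDays(-$DisabledGraceDays)
}

"Windows XP objects: $(@($xpBoxes).Count)"
$xpBoxes | Select-Object Name, OperatingSystem, Enabled, PasswordLastSet | Format-Table -AutoSize

"Stale enabled computers (candidates to disable): $(@($stale).Count)"
$stale | Select-Object Name, PasswordLastSet | Format-Table -AutoSize

"Disabled $DisabledGraceDays+ days (candidates to delete): $(@($deletable).Count)"
$deletable | Select-Object Name, whenChanged | Format-Table -AutoSize

# Review before acting. -WhatIf prints what would happen and changes nothing;
# drop it only after checking the lists against your own records.
$stale     | Disable-ADAccount -WhatIf
$deletable | Remove-ADComputer -WhatIf
```

Run it from an OU Admin session; a Windows XP object that is also in the stale list is exactly the case the April deadline discussion is about, since it has left the network without its account being cleaned up.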

Since BitLocker stores its keys within the computer object in UFAD, Chris Leopold was considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.

Core Services status (previous discussion)

Updates as available...

ePO updates (previous discussion)

Updates as available...

Status of SharePoint services (previous discussion)

IFAS migrating to centralized MOSS

Updates as available...

Public folder file deletion policies and procedures status (previous discussion)

Updates as available...

MS Office News update (previous discussion)

Updates as available...

Job Matrix Update status (previous discussion)

hot news!

Chris Leopold has updated both the ITSA Staff page and the Current Job Matrix!


Other Topics


Updated guidelines for licensing Windows for use on Apple Macs

Andrew Carey had reported the following via the ACTIVEDIR-L list:

Message from Andrew Carey:
"[ACTIVEDIR-L] Updated guidelines for licensing Windows for use on Apple Macs" Mon 11/18/2013 11:33 AM


Updates to activation scripts now available

Microsoft has recently updated their guidelines for licensing Windows for use with Macs.

As a result, Mac users are now licensed to install Windows as a second full operating system as a guest operating system in a virtual machine on third party virtualization software, such as Parallels Desktop or VMWare Fusion. Previously this benefit of the Microsoft campus agreement was only extended to Windows Guests running under Apple Boot Camp.

For more information on this change, see the http://www.microsoft.com/licensing/about-licensing/briefs/apple-mac.aspx

Please let me know if you have any questions.

Steve mentioned having to take Andrew's word on this as he finds Microsoft licensing documentation to be beyond esoteric.

Updates to activation scripts now available (previous discussion)

Santos updated his "MicrosoftActivation.bat" file (available at \\ad.ufl.edu\ifas\SOFTWARE\MicrosoftActivateBatchFile\New) to handle Windows 8.1 and Office 2013.

Adobe licensing

Wendy said they have moved to Foxit from Acrobat. Jimmy noted that Preview works well on the Mac with one workaround; instead of saving after filling out the form, go to print and use the "save as PDF" option from there to save the file.


The meeting was adjourned nearly an hour early at about 11:30 AM.