ICC logo IFAS logo

ICC Meeting:



A meeting of the ICC was held on Friday, April 11th, 2014 in the NEW UF/IFAS Communications Building. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Twenty-two members participated.
Remote participants: David Bauldree, Bill Black, Dan Christophy, Dan Cromer, Russell Hunter, DeWayne Hyatt, Al Ibanez, Taylor Jamrok, Chris Leopold, Kamin Miller, Marvin Newman, Joel Parlin, Jonathan Potts, John Wells, and Gary Wilhite.
On-site participants: Jimmy Anuszewski, Dennis Brown, Winnie Lante, Steve Lasley, Matthew Nash, Karen Porter and Wendy Williams.

STREAMING AUDIO: available here


Agendas were distributed and the sign-up sheet was passed around.

Report from the chairman

Member news:

Updates not available...

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


The Heartbleed Bug

A bug was discovered in OpenSSL that has been around for two years and potentially may have led to the leakage of encrypted SSL transactions via capture of a server's local certificates. Somewhere around one third of the HTTPS servers out there run some version of OpenSSL and some portion of those had the bug. There is no way to determine whether or not certs have been compromised; only honeypots can gauge how actively this might be being exploited currently.

There have been many articles telling folks to change all their password; that is only a good idea if and when the service in questions has been patched and new certs issued. Changing passwords prior to that might exacerbate the problem because we can assume that exploits will rise sharply now that the news is out. In any case, a list of sites that have been fixed and for which a password change might now be recommended may be found at Mashable. If you have been using LastPass to manage your passwords then you have an easy way of knowing which passwords should be changed and when. UFIT has a post about Heartbleed on its Facebook page.

There are a number of sites for testing SSL (including https://www.ssllabs.com/ssltest/) for this vulnerability and UF has been sending out IRTs for vulnerable systems. More details on the bug itself are available at http://heartbleed.com/ but XKCD has a comic that covers the basics of how it works.

Proposed Remote Access Policy

Updates not available...

Implementing the Mobile Computing Security policy (previous discussion)

Updates not available...

Patching updates... (previous discussion)


The April Microsoft patches included 4 bulletins (2 "Critical", and "2 Important") covering 11 CVEs in Windows, Office, and IE. A risk assessment is available here. There were a number of oddities, including the fact that the new update for Windows 8.1 doesn't work with WSUS.

There was a zero-day attack on Outlook users (actually Word) via a malicious RTF document for which Microsoft provided a workaround pending a true fix. The EMET apparently blocked related attacks as well, but this was all fixed in the April second-Tuesday patches in any case.


There was an Adobe Security Bulletin on Tuesday that included updates to Flash Player and Air. The latest versions of these are now: Flash and Air; note that Air was renumbered (jumped from version 4 to version 13) to keep it in-step with new Flash releases. Initially there was a problem where Adobe Flash Updates would not work with SCCM, but that has since been fixed.


Another scheduled update for version 7 is due on April 15th, but in the meantime, JREv8 has now been posted. Oh joy. At least it would appear that JRE7 updates will be continued through April 2015.


Apple patched 27 vulnerabilities in Safari on April 2nd. Another iOS patch is coming soon according to Jimmy Anuszewski.


Firefox 28 was released March 19th addressing 20 vulnerabilities. Version 29 is due on April 29th.

Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)

Endpoint security concerns (previous discussion)

Dennis Brown said that he had received an SSL vulnerability notice (Heartbleed) for a couple of his codecs (Cisco and Tandberg). He called Patrick Pettus about this and Patrick said he intends to patch these as soon as the new code is available.

Replacing Polycom endpoints with some Lync-based solution (previous discussion)

Updates not available...

Possible end-point refresh in the works (previous discussion)

Updates not available...

Movi/Jabber Updates (previous discussion)

Updates not available...

End-user Scheduling (previous discussion)

Steve wanted to know if anyone had requested at least read-access to TMS from Patrick Pettus. Dan Cromer responded that Patrick is wanting to hold off on that because of the anticipated move to Acano coSpace. That system interfaces directly with Lync so you can drag-and-drop a contact from Lync into this system. You can also drag a videoconferencing endpoint into a videoconference. Patrick is apparently hopeful that this new system, with on-site hardware, can actually replace TMS as well as our aging Codian bridges. This is awaiting approval from Fedro Zazueta and Elias Eldayrie.

Lync updates (previous discussion)

Updates not available...

Blue Jeans (previous discussion)

Dan Cromer has renewed our license for another year through March 31st, 2015. The price went up considerably, but it will provide us some advanced features such as up to 100 participants in any given conference.

WAN (previous discussion)

Updates from James Moore

Updates not available...

Wireless printers (previous discussion)

Updates not available...

VoIP at RECs

Updates not available...

Phone bills to be paid for centrally? (previous discussion)

Updates not available...


Notes from IAAC

Dan Cromer had shared the following notes from the Infrastructure Applications Advisory Committee via the ICC-L list:

In case you were wondering (Steve had to ask) IAAC is a standing sub-committee of the SIAC, with purpose of detailed review of Infrastructure Applications, such as e-mail, AD, etc. It actually preceded the SIAC, beginning as something Mike Conlon set up to discuss implementation of UF-wide AD and Exchange. Elias saw it as still helpful, so set it up under SIAC. Tim Fitzpatrick (former SIAC chair, now retired) saw "Infrastructure" and "Applications" as oxymoron; in his view infrastructure doesn't include applications, but Elias wanted the shared common software tools under Tim rather than move them under Dave Gruber and Enterprise Systems. Dan is of the opinion they should be Enterprise Systems.

Attending: Bill Paine, Kris Kirmse, Dan Cromer, Shawn Lander, Elwood Aust, Mark Robinson, Eric Olson, David Huelsman, Chris Easley, Iain Moffat

Agenda items:

* IAAC meeting frequency

Decision: keep current time booked (second Tuesday, 3pm) since that's easier than trying to schedule ad-hoc. Chair will request agenda items prior to meeting, cancel day before if nothing to discuss.

* OneDrive deployment.

Iain - very close, working with webadmin to enhance user friendliness. Will start with soft launch, then publicized release. Optimistic that it'll be in April.

* Anticipated EOL date for current Gatorlink webmail

Iain - no sunset dates have been set yet.
Discussion of attrition, attempts to encourage more rapid student migration, whether or not new employees should be forced to be provisioned in UFX instead of GatorLink webmail.

* Official business email address and email forwarding policy

Discussion of the need for technical means to enforce policy if it's to be effective.

* Kace vs. IBM Endpoint Management (IEM ) system.

Elwood believes intent is to get IEM fully operational, then consider whether Kace, PGP, SCCM, McAfee, Secunia can be eliminated.

Steve asked about getting some experience with this before our users are notified of availability. Dan responded that he will let us know when the soft launch occurs. He also mentioned that we can use a personal MS account to gain experience with this. You can access OneDrive either via the web or via an app (Windows, Macintosh, Android, and iOS). It sounds like you can only access a single account (e.g., personal vs. work) at a time; that is, it won't aggregate across accounts. Steve also wonders how OneDrive might handle offline usage and if this might be able to replace our personal files shares on the IFAS server, for example. Dan said that one nice feature is collaboration--including with outside individuals.

Cloud Services For Students Accessible Now – Faculty and Staff Options Available Soon

UFIT has published a UF Cloud Services web page that provides some information announcing that Faculty, Students, and Staff will be able to get a number of Microsoft cloud services soon.

Spring 2014 Peer2Peer workshop

The Spring 2014 Peer2Peer workshop will be held at the Law School, in 180 Holland Hall on April 16th. The agenda is available, but Wendy was able to add information on who would be speaking:

8:00SetupMark / Richard Lowery Intro
8:30Terminal 4Brandon Vega, Pate Cantrell, Mike Masemore
8:45Document Management System / OneUF (Mobiquity)Brandon Vega, Pate Cantrell, Mike Masemore
9:00PrintSmartRob Luetjen, Lisa Deal, Xerox Rep, Eric Boomer, David Huelsman
10:00UF OnlineBrian Harfe, Jennifer Smith, TJ Summerford
10:20SCCMAndrew Carey/td>
10:30Office 365Josh Davis
11:00HPC - Research Computing Matching ProgramMatt Gitzendanner
11:15Security - Phishing Threats and ImpactDerrius Marlin / UFIT Security Team

Notes from last month's SIAC meeting

Updates not available...

Last month's IT Directors Meeting Notes

Updates not available...

PrintSmart initiative (previous discussion)

Updates not available...

New IT Service Management Initiative

Dan Cromer had been contacted by Casey Whaley about scheduling a "IT Service Management Initiative" meeting with interested parties within IFAS during the coming week. Casey wanted to discuss the initiative and ask additional questions such as: who our customers are, what services we provide them, what we currently recognize as an incident, service, and a service request, estimated volume of how many requests we receive per month, methods of contact from customers, and what ticketing system we you currently using to track our IT support work?

Content Management System (CMS) for UF: Entering purchasing phase (previous discussion)

Updates not available...

Authentication Management policy draft (previous discussion)

Updates not available...

New 'Trouble-Ticket' Entry Page for CNS (previous discussion)

Updates not available...

KACE (previous discussion)

Updates not available...

CNS working to implement NAC for UF wireless (previous discussion)

Updates not available...

UF Exchange updates (previous discussion)

Updates not available...

Outsourcing of student e-mail

Updates not available...

Outlook asking for re-authentication

Updates not available...

Sakai e-Learning System now in production (previous discussion)

Updates not available...

Alternate IFAS domains in e-mail (previous discussion)

Updates not available...

Split DNS solution for UFAD problems (previous discussion)

Updates not available...


New web cluster (previous discussion)

Updates not available...

Windows 8 Deployment? (previous discussion)

Updates not available...


Steve mentioned having deployed Windows 8.1 to a machine via PXE boot from the SCCM configuration that DeWayne Hyatt has developed. There is a wizard that suggests a computer name (IF-OU-SERVICETAG) but allows you to modify that as desired; the machine ends up in your Workstation sub-OU. This seemed to work well and can be used to deploy either Windows 7 or 8.1 The process checks for RAM installed and puts on a 64-bit image if memory is greater or equal to 4GB; otherwise it deploys a 32-bit image.

DeWayne said he is working on getting Horticultural Sciences upgraded to the new agent in order to bring them onto the new SCCM system. DeWayne also mentioned that IFAS will host its own SCCM rather than join the UF SCCM organization; that should provide us more flexibility. One main consideration was to be able to add remote distribution points. DeWayne expects this to coincide with our next MPS hardware rollout. Currently they are upgrading the MPS host OS to 2012 R2 Core along with the virtual servers. Later, when they get the new hardware, it should be fairly simple to migrate the VMs to a host on the new hardware platform.

Steve asked about getting other OUs migrated to SCCM once Horticultural Sciences is done and any bugs worked out. DeWayne said that this would definitely be the next step for any departments wishing to volunteer. DeWayne is still working on security scopes along with various settings and collection creations so that OU admins can have access to their machines within the console and administer them.

DeWayne thinks that Configman's antivirus solution will be used in the interim until we get more clarification about what is coming with the IBM product. IBM's solution may prove more robust, we will just have to see how manageable that solution will be. In the meantime, DeWayne will be looking at how ePO is configured currently and try to match that configuration as much as possible within SCCM. This would include scheduled on-demand scans, but the exact details are still being worked out.

Exit processes, NMB and permission removal (previous discussion)

Updates not available...

Services Documentation: Is a Wiki the way? (previous discussion)

Updates not available...


Moving from McAfee VirusScan to Microsoft Endpoint Protection? (previous discussion)

See later SCCM discussion.

Print server (previous discussion)

Updates not available...

Recording lectures for Distance Education (previous discussion)

Updates not available...

New DHCP reservation site created (previous discussion)

You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.

Restoration of back-ups on the file server

Wayne Hyde intends to document and announce proper usage as time permits.

Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)

Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.

Creating guest GatorLink accounts: singly or in bulk (previous discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

DirectAccess pilot (previous discussion)

Updates not available...

VDI desktops as admin workstations (previous discussion)

Updates not available...

Wayne's Power Tools (previous discussion)

Updates not available...

Computer compliance tool update (previous discussion)

Chris Leopold reported to the ICC-L last week that the http://itsa.ifas.ufl.edu/compliance/ IPCC web site is now functioning again.

Steve asked if Chris had ever considered a means to grandfather out orphaned objects, as some long gone machines are "stuck" in the out-of-compliance folder currently. He responded that he has considered options but thinks that a manual process makes the most sense. If anyone needs some items cleaned out, just shoot Chris an email.

Dennis Brown asked if Chris would add a check for MS AV. Chris responded that we can certainly do that down-the-road, but he is also thinking that SCCM might just make IPCC obsolete before too very long.

Folder permissioning on the IFAS file server (previous discussion)

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Updates not available...

Disabling/deleting computer accounts based on computer password age (previous discussion)

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps DeWayne Hyatt can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer object which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.

Since BitLocker stores its keys within the computer object in UFAD, Chris Leopold was considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.

Core Services status (previous discussion)

Updates not available...

ePO updates (previous discussion)

Updates not available...

Status of SharePoint services (previous discussion)

IFAS migrating to centralized MOSS

Updates not available...

Public folder file deletion policies and procedures status (previous discussion)

Updates not available...

MS Office News update (previous discussion)

Updates not available...

Job Matrix Update status (previous discussion)

Updates not available...

Other Topics

PeopleSoft IE Blues

Marvin Newman has run into an issue where one of his users cannot get PeopleSoft to work with IE. He has tried everything he can think of to no avail. Marvin was under the impression that this is a server-side issue, but Steve suspects that it has more to do with the individual client machine. After some discussion the consensus was that Marvin should have them use Firefox. Steve mentioned having had issues with IE on some machines--not just with PeopleSoft but with all sorts of sites. The symptom is generally that IE crashes frequently. Steve has never been particularly successful in fixing this when it occurs. A complete wipe and rebuild might do the trick, but Steve (and others) suggested that simply changing browsers is likely the easiest cure by far.

Windows XP networking kludges?

David Depatie asked via the ICC-L if some workaround might allow Windows XP boxes to retain some network access. He proposed a sort of XP DMZ but was not clear on the details for doing such a thing. Mike Ryabin was also interested in exploring the matter.

Chris Leopold made it obvious that he is strongly against leaving any Windows XP boxes on the network at all. He did offer to address situations on a case-by-case basis but would not be easily convinced.

Russell Hunter has one WinXP machine that gathers data which is then made available via the network. It would be very difficult to ferry things manually via USB. Upgrading often comes down to spending a lot of money which is not available. Others may have similar situations.

Steve also raised the issue of the Accordent Capture Stations. If some IPSEC configuration could allow these to talk to the Web and Media servers only (and perhaps one or two management machines as well) then this could potentially save $15K per appliance. This seems to Steve to be a reasonable thing to pursue but Chris didn't seem convinced that the unit savings would be worth the trouble it would cause him; Steve isn't clear on how difficult IPSec is to configure and maintain, but it does seem promising for this particular situation. Steve does know that he would not like unqualified individuals attempting this without some oversight from Chris. There is some question, of course, whether or not this would violate any UF policies, but the bang for the buck is undeniable.

Dennis Brown has a situation where USB shuttling of data is a concern. They have a Windows XP based imaging machine that uses Ethidium Bromide (http://en.wikipedia.org/wiki/Ethidium_bromide) which is a substance of potential danger to our DNA. If it were to get on the outside of the flash drive it would be dangerous to people not wearing protective gloves which is the norm in an office environment.

After the meeting, Chris sent a couple of spreadsheets with computer object information. One listed 2821 disabled computer objects and a second listed 362 non-expired XP computer objects. Chris made a plea for all OU admins to delete orphaned computer objects from UFAD.

Adobe licensing

Apparently a contract for a new Adobe Enterprise Term Licensing Agreement has been negotiated. From the Instructions to All Authorized IT Support Personnel it is not particularly clear how user licenses are tied to a user other than the installer (assuming that is done by IT support). Lab-based (per computer?) licensing is mentioned as another deployment option but is currently not available apparently.

ICC Elections in August (previous discussion)

Updates not available...

Getting rid of Windows XP

You all no doubt saw the following from Elias Eldayrie that Dan Cromer forwarded on to the IFAS-All-L:

On Tuesday, April 8, 2014, support and updates for Windows XP will end. It is extremely important to keep your computer and its contents protected—if you continue using Windows XP after support ends, your computer will become more vulnerable to security risks and viruses. Also as of April 8, any compromised device running Windows XP will be filtered from UF’s network. At the close of the Spring semester, all XP devices will be filtered from UF’s network. Faculty and staff with machines running Windows XP should consult their local desktop support team to identify a solution.

The meeting was adjourned early at about 11:30 AM.