

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM May 9th 2014 REGULAR MEETING


A meeting of the ICC was held on Friday, May 9th, 2014 in the NEW UF/IFAS Communications Building. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Twenty-three members participated.
 
Remote participants: Tom Barnash, David Bauldree, Dan Cromer, Kevin Hill, DeWayne Hyatt, Wayne Hyde, Al Ibanez, Chris Leopold, Marvin Newman, Helena Niblack, Scott Owens, Joel Parlin, Jonathan Potts, Javier Real, and John Wells.
 
On-site participants: Jimmy Anuszewski, Dennis Brown, Luis Coll, Winnie Lante, Steve Lasley, Matthew Nash, Karen Porter and Wendy Williams.
 

STREAMING AUDIO: available here


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman

Member news:

Luis Coll is a new IT Specialist at EREC in Belle Glade. Luis comes from Puerto Rico, but was born in Gainesville when his father was a student at UF; he has been in Puerto Rico since he was 4 years old, but is now back in Florida. His IT background is in web publishing and his path to IT led through the arts rather than through computer science. Please join Steve in welcoming him to IFAS.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Security:


The Heartbleed Bug

Updates not available...

Proposed Remote Access Policy

New draft documents for both Account Management and Remote Access are now available for review:

These and other documents are available via https://security.ufl.edu/it-workers/.

Implementing the Mobile Computing Security policy (previous discussion)

Updates not available...

Patching updates... (previous discussion)

Microsoft

A zero-day exploit in IE was reported on April 26th. This was over-hyped in Steve's opinion and resulted in an out-of-band patch that was released on May 1st.

The May Microsoft patches are expected to include 8 bulletins (2 "Critical" and 6 "Important") covering numerous CVEs in the usual suspects. A risk assessment should soon be available here.

Adobe

Adobe released a security bulletin for Flash Player on April 28th. There is some indication that this update "closes the ASLR hole that is needed by the VGX exploit to achieve a reliable ROP chain."

Security updates are coming for Adobe Reader and Acrobat next Tuesday as well.

Java

JREv7u55 was released on April 15th, along with JRE8u5 for those on the bleeding edge. 37 security flaws were addressed apparently.

Apple

Apple released a bunch of security updates for OS X, iOS, Apple TV, and AirPort Base Station on April 22nd. Apple also released iOS 7.1.1 on April 23rd. Steve noted an interesting article criticizing how Apple rolls out updates across their iOS and OS X platforms.

In other Apple news, a security issue was recently disclosed regarding email attachment encryption on iPhones and iPads.

Other

Firefox released version 29.0 on April 29th. This update has numerous interface changes/additions but no security fixes.


Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)


Endpoint security concerns (previous discussion)

Updates not available...

Replacing Polycom endpoints with some Lync-based solution (previous discussion)

Updates not available...

Possible end-point refresh in the works (previous discussion)

Updates not available...

Movi/Jabber Updates (previous discussion)

Updates not available...

End-user Scheduling (previous discussion)

Updates not available...

Lync updates (previous discussion)

Updates not available...

Blue Jeans (previous discussion)

We now have large meeting capacity supporting up to 100 participants in a meeting for select accounts; the IFASICC account is so enabled. If you know that a large conference is needed, you should check with Dan Cromer to make sure that the account being used is enabled for this feature.

Jimmy Anuszewski mentioned that the problem he had experienced with slow connections appears to be continuing.

Dan said that with the anticipated move to Acano we should expect codecs to have to dial-in to VCs in the future rather than be auto-connected from a bridge. It would appear that VC coordination will be much less centralized and more distributed down-the-road.


WAN (previous discussion)


Updates from James Moore

Updates not available...

Wireless printers (previous discussion)

Updates not available...

VoIP at RECs

Updates not available...

Phone bills to be paid for centrally? (previous discussion)

Updates not available...


Policy


Cloud Services For Students Accessible Now – Faculty and Staff Options Available Soon

OneDrive @ UF became available as a "soft" launch on April 28th. Details are available at http://www.it.ufl.edu/gatorcloud/ along with a FAQ page that includes links to some basic documentation.

OneDrive is really TwoDrives (or more)

Steve noted that Microsoft supports simultaneous Windows desktop clients for both OneDrive (consumer) and OneDrive for Business (Enterprise), maintaining separate synchronization folders within a user's profile. Steve also noted that initial synchronization to a desktop client is initiated from the web interface; there is a double credential prompt when accessing OneDrive for Business via the web but no password need be entered in the first prompt. Steve also noted that while there is a OneDrive client for Android, it is for the consumer side; the app one needs for the Enterprise side is Microsoft Office Mobile as there apparently is no separate OneDrive for Business app.

It is worth mentioning that URLs to shared documents can be a security risk in some surprising ways, so one still needs to be careful. For example, if someone clicks on a link within a Dropbox document then the Dropbox Share Link to that document will be included in the referring URLs sent to the third-party site.

The Microsoft Student Advantage Program was announced as going live at 1 pm on April 30th. The notice said "In this new program, students can use an extended collection of Microsoft tools in up to five devices. The new service is available at http://www.it.ufl.edu/gatorcloud/microsoft-office-for-students/. The program for faculty and staff remains unchanged. Faculty and staff may purchase the software through the usual channels."

Spring 2014 Peer2Peer workshop

The Spring 2014 Peer2Peer workshop was held April 16th covering the following agenda items:

Time   Topic                                           Presenter/Group
8:00   Setup                                           Mark / Richard Lowery Intro
8:30   Terminal 4                                      Brandon Vega, Pate Cantrell, Mike Masemore
8:45   Document Management System / OneUF (Mobiquity)  Brandon Vega, Pate Cantrell, Mike Masemore
9:00   PrintSmart                                      Rob Luetjen, Lisa Deal, Xerox Rep, Eric Boomer, David Huelsman
9:45   Break
10:00  UF Online                                       Brian Harfe, Jennifer Smith, TJ Summerford
10:20  SCCM                                            Andrew Carey
10:30  Office 365                                      Josh Davis
10:50  Break
11:00  HPC - Research Computing Matching Program       Matt Gitzendanner
11:15  Security - Phishing Threats and Impact          Derrius Marlin / UFIT Security Team

Recordings are available via the above links for those who missed this or would like to review.

Jimmy Anuszewski made a plea that IFAS IT Support folks get more involved with campus IT events and even ICC meetings. He urged all to get more involved; if we know some IT support folks that don't generally attend, then please make an effort to encourage them to do so.

Regarding Terminal 4, Jimmy has a problem with the way that ICS was communicating the need to move there from WordPress for one of his departmental sites that is undergoing a refresh. The (sole) reason for moving provided by ICS was that Terminal 4 allows users to update information on the site. Of course, WordPress allows that already and there are other reasons for preferring Terminal 4 related to technical support, integration with UFAD, etc. Jimmy believes "selling" Terminal 4 in the way ICS is attempting simply makes IT look bad.

Dan Cromer said that IFAS definitely intends to migrate to Terminal 4, but admitted that this is bound to be a very long and drawn out process.

Wayne Hyde mentioned that he made some changes to the WordPress database backend that he hoped might improve performance. He is looking for feedback if anyone using that has any to give.

Notes from last month's SIAC meeting

Updates not available...

Last month's IT Directors Meeting Notes

Updates not available...

PrintSmart initiative (previous discussion)

Updates not available...

New IT Service Management Initiative

Updates not available...

Content Management System (CMS) for UF: Entering purchasing phase (previous discussion)

A loading spot has been created for TerminalFour related training and instruction.

Authentication Management policy draft (previous discussion)

Updates not available...

New 'Trouble-Ticket' Entry Page for CNS (previous discussion)

Updates not available...

KACE (previous discussion)

Updates not available...

CNS working to implement NAC for UF wireless (previous discussion)

Updates not available...

UF Exchange updates (previous discussion)

Updates not available...

Outsourcing of student e-mail

Student eligibility may be found via the tool at https://helpdesk.ad.ufl.edu/. From Josh Davis's Peer2Peer talk on Office 365, Steve found out about documentation on Office 365 at the University of Florida.

Outlook asking for re-authentication

Updates not available...

Sakai e-Learning System now in production (previous discussion)

Updates not available...

Alternate IFAS domains in e-mail (previous discussion)

Updates not available...

Split DNS solution for UFAD problems (previous discussion)

Updates not available...


Projects


New web cluster (previous discussion)

Updates not available...

Windows 8 Deployment? (previous discussion)

Updates not available...

SCCM for IFAS

DeWayne mentioned that Horticultural Science has finally uninstalled all the old beta clients and the new ones should get applied at the next reboot. He also stated that local support will have access to the SCCM console so they can monitor and manage their own computer objects. DeWayne re-iterated that IFAS chose not to join the UF SCCM primarily because bandwidth considerations would dictate a need for remote distribution sites. At the MPS refresh next year DeWayne intends to look at adding remote distribution sites where needed. The next group that DeWayne will focus on is Wendy Williams's area whose machines are currently part of UF SCCM; he expects to get started on that next week.

Exit processes, NMB and permission removal (previous discussion)

Updates not available...

Services Documentation: Is a Wiki the way? (previous discussion)

Updates not available...


Operations


Moving from McAfee VirusScan to Microsoft Endpoint Protection? (previous discussion)

DeWayne believes we will move away from McAfee to System Center Endpoint Protection once SCCM gets into widespread use.

Print server (previous discussion)

Updates not available...

Recording lectures for Distance Education (previous discussion)

Updates not available...

New DHCP reservation site created (previous discussion)

You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.

Restoration of back-ups on the file server

Wayne Hyde intends to document and announce proper usage as time permits.

Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)

Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.

Creating guest GatorLink accounts: singly or in bulk (previous discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

DirectAccess pilot (previous discussion)

Updates not available...

VDI desktops as admin workstations (previous discussion)

Updates not available...

Wayne's Power Tools (previous discussion)

Updates not available...

Computer compliance tool update (previous discussion)

Updates not available...

Folder permissioning on the IFAS file server (previous discussion)

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Updates not available...

Disabling/deleting computer accounts based on computer password age (previous discussion)

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps DeWayne Hyatt can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.

Since BitLocker stores its keys within the computer object in UFAD, Chris Leopold was considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.

Core Services status (previous discussion)

Updates not available...

ePO updates (previous discussion)

Updates not available...

Status of SharePoint services (previous discussion)

IFAS migrating to centralized MOSS

Updates not available...

Public folder file deletion policies and procedures status (previous discussion)

Updates not available...

MS Office News update (previous discussion)

Updates not available...

Job Matrix Update status (previous discussion)

Updates not available...


Other Topics


Adobe licensing (previous discussion)

James Hardemon sent out the following notice on April 22nd:

Hello Department Liaisons,

We are pleased to announce that the Lab-based and Device-based licenses for the Adobe Enterprise Term Licensing Agreement (ETLA) are now available for ordering on our website for both the Adobe Creative Cloud Suite and Adobe Acrobat Professional product.

As you might already know, in the Adobe ETLA there are three license types for each product. User-based licensing, Device-based licensing and Lab-based licensing. The descriptions of each can be found below:

  • A User-based license allows the use of the Adobe products by a licensed individual (Primary User). The software is installed on the Primary User's Windows or Macintosh computer. In addition, the Primary User can use the software on a secondary computer, such as a department-owned laptop or personally-owned computer.
  • A Device-based license allows the use of the Adobe products on a specific computer. The software can be used by UF faculty, staff, and students for educational work. A secondary installation of software is not allowed.
  • A Lab-based license can be installed on a computer residing in a facility controlled by the university and approved affiliates used by students in support of teaching programs. A secondary installation of software is not allowed.

For more information about the Adobe ETLA and to order the product please visit the website at this link: https://software.ufl.edu/agreements/adobe_ETLA/

Steve's department now has three lease-licenses for the Adobe Creative Cloud Suite; two User-based and one Device-based. He believes he has figured out how to deploy at least the Device-based licenses for Windows and wanted to share his experience so far.

On the UF SLS Adobe ETLA site there is a Downloads, Instructions, and Documentation link; from there is an Adobe Creative Suite Installation Utilities link to which department IT support staff may be provided access. This latter location is where one may view the "Instructions to All Authorized IT Support Personnel" and from there continue to the download site. Basically, this is an Enterprise level install consisting of a packager tool for creating software depots from where the software may actually be installed.

Although the Creative Cloud Packager Deployment Guide begins with a Getting Started section that talks about downloading the packager, SLS has already done that for us—one for Windows and one for Macintosh. So the first real step is to install the Packager on a machine that has no Adobe software currently. Here are some screenshots from running the resultant Creative Cloud Packager on Windows…

This first screen threw Steve at first, but he finally decided that one should pick the lower pane:

[Screenshot: product selection]

In his first test Steve created a depot of the x64 version specifying Serial Number License as the type.

[Screenshot: package details]

Initially Steve kept the default configuration. You can see the following (two screenshots due to the need to scroll) by clicking the “change” link in the above dialog.

[Screenshot: advanced configuration page one]

[Screenshot: advanced configuration page two]

Steve later decided to change the Adobe Update Manager Behavior to "Admin users update via Adobe Update Manager."

There is a Remote Update Manager tool that can be used for updating by IT support; see http://helpx.adobe.com/creative-cloud/packager/using-remote-update-manager.html. This is a cmdline tool that is installed on the client systems and can be run to update at least the core programs of the suite.

The Serial Number is on the SLS download site—you are prompted for that during the depot creation process; I’ve left out the screenshot of that dialog along with the Language choice, but it is as one would expect. Then you are asked what components to add; I selected all.

[Screenshot: applications and updates]

It takes a very long time to download all the stuff from the cloud but eventually one gets the following final dialog. Steve's first full depot ended up being a shade over 17 GB in size.

[Screenshot: summary]

Steve found a few oddities with this system. For example, Acrobat goes into an Exceptions folder and should be installed both separately and first. Other packages such as Lightroom go there as well but must be installed after the main suite. More details are available at http://helpx.adobe.com/creative-cloud/packager/using-exceptions-deployer.html. There is an Exceptions Deployer Application in that folder as well; it is a cmdline program that requires passed parameters per details on the previous link or via an ExceptionInfo.txt file within the exceptions folder itself.

Steve tried making a couple of other depots; for his Device-based license he created one with Acrobat, Photoshop, Illustrator, and Lightroom as the original desire was for Photoshop and these other programs would seem related to the likely use of that. Steve was looking for how User vs Device licensing might be handled, but found no such distinction. He was expecting some way to offer a User-based license only to a specific individual on a machine, but once the software is installed to a machine it appears to be available to anyone who logs on. Steve has asked SLS if he is missing something or if there really is no installation difference between User-based and Device-based licenses other than the legalities of who may use the software.

Here are the commands one would run (from the client machine via a CMD prompt elevated to IF-ADMN credentials) to install the suite, pretty much regardless of what the depot contained:

  1. First one would install Acrobat via:
    \\servername\sharename\DepotName\Exceptions\ExceptionDeployer --workflow=install --mode=pre --installLanguage=en_US
  2. Next is the main suite:
    \\servername\sharename\DepotName\Build\setup.exe
  3. Finally you would install the other programs in the exceptions folder via:
    \\servername\sharename\DepotName\Exceptions\ExceptionDeployer --workflow=install --mode=post

Another oddity is that one gets two entries for Acrobat in the installed programs list:

[Screenshot: double Acrobat install listing]

Steve likes the enterprise-ready aspect of the offered deployment options, but knows that IFAS isn’t quite ready with SCCM. Though that may be an option for deployment down-the-road, it will continue to be problematic for certain remote sites for the foreseeable future due to bandwidth, so Steve is really looking for a universal method closer to the old-fashioned install from discs method. He has asked SLS for feedback on that as well.

In case you are wondering if previous perpetual-licensed Creative Suite editions can coexist with the new Creative Cloud applications the answer is yes according to Adobe. We will have to see how that works out.

Regarding home use for User-based licenses, Steve received the following information from SLS:

If your department allows, the Primary User (registered to the Adobe User-based license) can obtain a home use license (at a nominal cost) through Kivuto's OnTheHub portal. Kivuto will offer a 12-month Adobe Certificate that can be redeemed at the Adobe web site. Once they redeem the certificate with Adobe (according to the information provided by Kivuto), they will have access to all of the Adobe products that we have at UF plus any other services that come with the lease of the license.

Currently, Software Licensing Services is developing a portal to easily authenticate the registered users and allow them to acquire the home-use license. This portal is in a testing phase. So if you experience any issues, please let us know immediately. The web site can be found at this link: https://portal-test.helpdesk.ufl.edu/. You can direct your Primary users to this location to acquire the licenses.

ICC Elections in August (previous discussion)

Updates not available...

Getting rid of Windows XP

"Windows XP Unsupported" UFIRT vulnerability notices have started going out and we got hit with a ton of them on Wednesday afternoon. At least several false positive detections have been noted by Joel Parlin, Winnie Lante, and Steve Lasley. It appears that they are checking the platform token of the browser user-agent string for "Windows NT 5.1"; Winnie and Steve both were flagged when connected to premier.dell and it looks like Joel's detection may have been related to accessing Instagram in some fashion.

Wayne related that ePO still reports 235 computers running Windows XP, so it appears we still have a good deal of cleanup to do. Wayne later sent the list of machines to the ICC.
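
The false positives described above, as an added example (not UFIRT's detection logic and not code from these notes): it compares a token-only match on "Windows NT 5.1" with a triage step that checks whether the same source also presents a newer platform token or appears in an endpoint inventory such as the ePO list. The log format, addresses, host names and inventory set are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

NT_TOKEN = re.compile(r"Windows NT (\d+\.\d+)")
XP_VERSION = "5.1"  # "Windows NT 5.1" is the XP platform token named in the notes

# Constructed sample proxy log: tab-separated source IP, destination, User-Agent.
SAMPLE_LOG = "\n".join([
    "10.0.0.10\tintranet.example\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0",
    "10.0.0.10\tvendor-portal.example\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "10.0.0.10\tnews.example\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0",
    "10.0.0.20\tintranet.example\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "10.0.0.20\tnews.example\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "10.0.0.30\tphotos.example\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "10.0.0.40\tintranet.example\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0",
    "10.0.0.50\tnews.example\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36",
    "truncated line without tabs",
])

# Constructed stand-in for an endpoint-inventory export of known XP machines.
INVENTORY_XP = {"10.0.0.20"}


def parse(log_text):
    """Yield (source, destination, nt_version or None) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than guess at their fields
        src, dest, ua = parts
        match = NT_TOKEN.search(ua)
        yield src, dest, (match.group(1) if match else None)


def naive_flags(log_text):
    """Token match only: one request carrying the XP token flags the source."""
    return {src for src, _, ver in parse(log_text) if ver == XP_VERSION}


def triage(log_text, inventory_xp):
    """Return {source: (verdict, xp_share)} for every naively flagged source.

    confirmed: the inventory also lists the source as XP
    likely:    XP is the only Windows platform token the source presents
    mixed:     the source also presents another NT version, so the XP token
               probably comes from one application or site-specific UA string
    """
    versions = defaultdict(Counter)
    for src, _, ver in parse(log_text):
        if ver is not None:
            versions[src][ver] += 1
    result = {}
    for src in naive_flags(log_text):
        seen = versions[src]
        share = round(seen[XP_VERSION] / sum(seen.values()), 2)
        if src in inventory_xp:
            verdict = "confirmed"
        elif len(seen) == 1:
            verdict = "likely"
        else:
            verdict = "mixed"
        result[src] = (verdict, share)
    return result


if __name__ == "__main__":
    for src, (verdict, share) in sorted(triage(SAMPLE_LOG, INVENTORY_XP).items()):
        print(src, verdict, share)
```

Sources that come back "mixed" are the ones to check against inventory before a notice goes out; the verdict names and the single-token rule are assumptions of this sketch.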

Identity Management

Dan Cromer mentioned that UF has an Identity Management project in progress that will hopefully eventually lead to automated exit notifications so we can remove access for folks who have left.

Joe Joyce is moving on (and needs a printer)

Dan mentioned he was looking for a printer recommendation for Dr. Joyce in his new office as they will not deploy Print Smart printers for a single office. Wendy Williams suggested a model which had been recommended to her from Laser Action Plus and which has performed well; Steve reiterated that LAP is a good place to ask for recommendations.


The meeting was adjourned early at about 11:30 AM.