

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM June 14th 2013 REGULAR MEETING


A meeting of the ICC was held on Friday, June 14th, 2013 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Twenty-one members participated.
 
Remote participants: Bill Black, Dennis Brown, Dan Cromer, David DePatie, Kevin Hill, Al Ibanez, Russell Hunter, Wayne Hyde, Taylor Jamrok, Marvin Newman, Joel Parlin, Mike Ryabin, John Wells, and Gary Wilhite.
 
On-site participants: Jimmy Anuszewski, David Blackman, Francis Ferguson, Winnie Lante, Steve Lasley, Matthew Nash, and John Sowers.
 

STREAMING AUDIO: available here


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman


Member news:

John Sowers will be leaving SFRC for a position with Alachua County in the Tax Collector's office. We all wish John the best in his new endeavor.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)


Blue Jeans trial

After the successful test at last month's ICC meeting, we plan to incorporate this for each future meeting for the duration of our contract. This should be facilitated by the new knowledge that Blue Jeans supports direct dialing now via either H.323 or SIP. Steve scheduled the Blue Jeans meeting to begin at the same time as the bridge would connect to the conference room in Bldg 116 (i.e., 9:45am) and all worked well. As soon as the bridge connected to our room we heard an announcement from Blue Jeans that its parallel conference was connected from the bridge. Perfect.

Steve has updated the ICC Meetings page with the Blue Jeans connection instructions. Remember that room systems (codecs) should connect directly to the bridge in order to save on our 25 max Blue Jeans connection allotment.

Regarding this and other web-based collaboration tools such as Adobe Connect and Big Blue Button, Dan Cromer provided the following summary of our current situation for eXtension.org's "extech" mailing list:

Message from Dan Cromer to the extech mailing list:
"RE: [extech] Webinar Platform Recommendations" Fri 5/31/2013 8:32 AM


The max number of Adobe Connect participants depends on the license. Adobe has three licensing models. The “named account” license is licensed to only one user, and is limited to 100 connections, and can’t allow anyone else to set up a session, though others can be presenters as long as the named account person is logged onto the session at the same time. List price is $150/year for this license. UF/IFAS has 60 of these for those doing DE, only a few in Extension. A “seminar room” account is $15/seat, with minimum of 200 seats, but up to 500 now, and I understand that up to 2000 (or more) may be available in the future. Any number of people may be presenters, though only one session can be going at a time, it can’t be broken into several smaller sessions. UF/IFAS has three of these at 200 seats. Their last model is some cost per seat of fully flexible sessions/rooms/seats, so 100 seats could be broken to any number of sessions of any number of seats, as long as the licensed seat count isn’t exceeded. I don’t remember the cost for this one, but it was significantly more expensive than the others.

While I’m on the subject, UF is planning an implementation of Big Blue Button (http://www.bigbluebutton.org/) for the fall, integrated with our Sakai configuration. IFAS also has “all you can meet” for 25 accounts from Blue Jeans (http://bluejeans.com/). Anyone can be participant once the meeting is set up by an account holder, but a maximum of 25 seats per meeting. Blue Jeans is the most convenient for videoconferencing, since it allows connections from Web browser, Skype, Lync, Jabber, or H.323 room system. Our Tandberg bridge can also join a Blue Jeans conference, so more than 25 can attend a meeting if some are connected through the bridge.

Dan later added:

I’m sure others have thought of this, but we have been somewhat successful with a human bridge. Laptop computer user views the Connect or other Webinar session, while being connected to a Polycom and sharing the “content” to an H.323 CODEC.

Regarding Big Blue Button, Steve noted that this is for synchronous access like Elluminate or Adobe Connect, but that the recording feature might allow an instructor to create materials for asynchronous access. It seems to Steve that asynchronous access is what our students want and need, as increasingly they have busy schedules, often including full-time jobs.

Dan wanted to make it clear that Adobe Connect is the product that is being encouraged for formal Distance Education classes. Big Blue Button is envisioned as being used for distributed synchronous access by students for non-distance classes--study/review sessions and the like.

Endpoint security concerns

We have all seen the rash of UFIRTS related to Telnet and SNMP that affect, among other things, our VC endpoints and AV equipment. Dan Cromer had posted the following:

Message from Dan Cromer to the ICC-L:
"[ICC-L] FW: Vulnerability scan results for your subnets" Thu 5/16/2013 5:48 AM


All,

Security scans have revealed Polycoms and other video end-points with Telnet and SNMP vulnerabilities. They should all be configured to have Telnet and SNMP turned off, with Web access password-protected.

The issues with following Dan's instructions are many:

  1. VCS manages most of our endpoints--not local IT staff
  2. Many don't even have the password to get into the configuration on their endpoints should they wish to do so
  3. Telnet is a critical component of the TMS management system that permits centralized management
  4. Some endpoints have no way currently of disabling telnet at all; for example, the AVer HVC310

Of the concerns, only the SNMP community names have been addressed (for the most part).

Last month Joel Parlin was notified that one of his endpoints (an HDX 8000) was compromised. Although the means by which that was accomplished is not known for certain, it seems likely that it was due in part to these units residing on public IP with management ports (Web/Telnet/FTP/SNMP) unencrypted and open to all. It is understandable that VCS might need one or more of the available protocols to manage/support these devices, but this compromise, along with all the vulnerability reports from UF security, suggests that we need to get serious on this matter. One possibility might be to use access lists on the switch ports to which endpoints are attached that limit Telnet, SNMP and FTP access to only "trusted" IP addresses.

Steve has emails in to both Patrick Pettus and James Moore on the matter but has yet to hear back.

Replacing Polycom endpoints with some Lync-based solution (previous discussion)

Updates not available...

Possible end-point refresh in the works (previous discussion)

Steve mentioned that Lance Cozart had received an AVer EVC100 for testing purposes. Lance believes we can get these for around $800 and the unit seemed to work quite well. It is limited by the zoom feature being digital rather than optical but seemed more than adequate for smaller rooms and would be much less complicated than a software-based solution.

Regarding a centrally funded refresh, Dan Cromer said that he had provided the price information to Dr. Joyce but has heard nothing back. Dan wasn't sure if there would be carry-forward monies available after the first of the next fiscal year or not.

Dan Cromer mentioned that there is also an AVer EVC300 model that will be released shortly which may be around $2000 and have an optical zoom camera. He noted that rooms requiring two cameras could be equipped with two of these systems for considerably less than a single two-camera Polycom system. Plus you would get the benefit of being able to have both cameras working all the time showing both the speaker and the audience (via the bridge that is). Of course there are other considerations regarding housing and controlling all that equipment, but Dan feels it worth investigating. Steve pointed out that two years of maintenance on a Polycom alone could pay for one of these AVer units. The AVers have three year warranties at no extra cost as well as one year advanced replacement.

David DePatie mentioned that he was unable to connect to a Blue Jeans meeting via the AVer initially because doing so required an "*" key that wasn't on the AVer remote. He discovered, however, that the AVer displays a "pairing code" when trying to connect; you can then connect to the meeting via a browser, enter that pairing code, and join the AVer endpoint to the meeting, which lets you control the whole thing from within Blue Jeans:

Connecting an AVer endpoint via a browser

Dan Cromer mentioned that he believes there is a way to get to the keyboard on an AVer unit. On a Polycom, for example, you press the "#" key twice. Dan also suspects that a "." will work in place of an "*".

Movi/Jabber Updates (previous discussion)

Patrick Pettus had let us know on May 22nd that there is a new version of Jabber Video available. You should be prompted to install the new version the next time you login. For new installations you can get Jabber Video here: http://video.ufl.edu/Jabber.zip

Other standing VC topics

End-user Scheduling (previous discussion)

Patrick and Steve worked out a scheme for unit distribution groups to which scheduling details could be emailed automatically from the bridge. This involves mail-enabled universal security groups within each OU following the naming convention "IFAS-OUname-VCschedule." These groups must be configured to accept mail from unauthenticated senders so that they can receive messages from outside Exchange (i.e., from video services). OU admins can then control who receives these messages by adding/removing user accounts from their group. This was tested with "IFAS-ENTNEM-VCschedule" and seemed to work very well. Note that individuals need not modify Outlook in order to view/receive these messages, as they would have had to do if service accounts were utilized.
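One way to set up such a group from the Exchange Management Shell, as an added example that is not from the notes or from Patrick's and Steve's actual configuration (the OU path, domain, and the bridge's sender address are placeholders; the mail-contact restriction in step 3 is my suggestion, not part of the scheme described above):

```powershell
# Added example, not IFAS configuration. Creates the per-unit mail-enabled universal
# security group "IFAS-<OU>-VCschedule" and lets the bridge (outside Exchange) mail it.
# Assumed placeholders: the OU path, the domain, and the bridge's sender address.
param(
    [Parameter(Mandatory = $true)] [string] $UnitName,                   # e.g. ENTNEM
    [string] $GroupOU      = "OU=Groups,OU=$UnitName,DC=example,DC=org", # assumed
    [string] $BridgeSender = "videoservices@example.org"                 # assumed
)

$groupName = "IFAS-$UnitName-VCschedule"   # naming convention from the notes

# 1. Mail-enabled *universal security* group (-Type Security does exactly that);
#    skipped if an OU admin already created it.
if (-not (Get-DistributionGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $groupName -Type Security `
        -OrganizationalUnit $GroupOU -SamAccountName $groupName | Out-Null
}

# 2. Accept mail from senders that are not authenticated to Exchange; without this
#    the bridge's notifications are silently rejected.
Set-DistributionGroup -Identity $groupName -RequireSenderAuthenticationEnabled $false

# 3. Hardening the notes do not mention (an assumption on my part): rather than
#    leaving the group open to any Internet sender, register the bridge's address
#    as a mail contact and restrict delivery to it. This matches on the sender
#    address only, so it narrows the exposure but does not authenticate the bridge.
$contact = Get-MailContact -Identity $BridgeSender -ErrorAction SilentlyContinue
if (-not $contact) {
    $contact = New-MailContact -Name "Video Services Bridge" `
        -ExternalEmailAddress $BridgeSender -OrganizationalUnit $GroupOU
}
Set-DistributionGroup -Identity $groupName -AcceptMessagesOnlyFrom $contact.Identity

# 4. Membership (who actually receives the scheduling mail) stays with the OU admin:
#    Add-DistributionGroupMember -Identity $groupName -Member "jdoe@ufl.edu"

Get-DistributionGroup -Identity $groupName |
    Format-List Name, GroupType, RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFrom
```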

There are a host of "events" that can be set to trigger messages related to the endpoints at each unit and the granularity of those can be set per distribution group:

  • Authentication Failure
  • Boot
  • Connected
  • Connection Error
  • Disconnected
  • Downspeeding
  • Encryption Status
  • Flow Control
  • Gatekeeper Registration
  • Got Response
  • IP Conflict
  • Link Down
  • Link Up
  • Lost Response
  • Low Battery on Remote Control
  • Other
  • Preregistered System Activated
  • Scheduling
  • Scheduling Error
  • System Activity
  • System Type Changed
  • Upgrade
  • User Assistance Requested

The scheduling and connection events will be the most useful; the rest really depend on how involved each unit wants to be. The one that is the most interesting, perhaps, is User Assistance Requested; that email gets sent when a user in the room presses the help button on the remote (if it exists). With the Lost Response event enabled, a unit would get an email every 15 minutes should an endpoint be shut off; that is likely the one event with the greatest potential for creating "noise."

Lync updates (previous discussion)

Updates not available...

SIP may replace H.323 as preferred protocol for endpoints

Patrick Pettus had related to Steve that UF's IP phone Call Manager will be moving from H.323 to SIP with an upgrade in September and will be able to implement URI dialing at that time. [Note: URI dialing is the way we currently specify connecting Lync to a bridged VC.] Video Services is working with Telecom to get prepared for an eventual shift in preferred dialing protocol. Most endpoints can use both protocols, and they are trying to configure them to do so. Steve noted that he has figured out how to do this with his AVer HVC310, for example.

WAN (previous discussion)


Updates from James Moore

Updates not available...

Wireless printers

This isn't really just a WAN issue as it affects campus as well. Currently there is no way to connect wireless printers to the UF wireless network. James Moore had said that they are looking at possible ways to address that need.

VoIP at RECs

Updates not available...

Phone bills to be paid for centrally? (previous discussion)

Updates not available...


Policy


DDD list is now Administrative-Memo-L

The long-standing Deans, Directors, and Department Chairs Memoranda (DDD) list and website have been revamped. The new archive location is http://www.administrativememo.ufl.edu/.

Public IP Address Space at the University of Florida

The following was recently announced via Tracy Gale:

IP Address Assignment Policy: http://www.it.ufl.edu/policies/ip-address-policy.html

IP Address Assignment Standard: http://www.it.ufl.edu/policies/ip-address-standard.html

IT Community:

The need for public IPv4 address space remains high and the university’s supply of free space is low. Since it is nearly impossible to acquire additional space from Internet Service Providers, UFIT is now engaging with campus to ask them to renumber and return unused IP addresses.

When evaluating your department or unit’s IP addresses please consider the following:

  1. Only devices that require a public IP address to function should be assigned a public IP (i.e., a mail server)
  2. Workstations should not reside on public IP addresses

A member of the UFIT staff may be contacting you soon to discuss this issue.

Thank you in advance for assisting us in this effort!

Off campus SMTP filtering for Gatorlink remote access VPN clients

Here are the announcement details:

Starting on 6/9/2013 at 6am, SMTP (TCP port 25) traffic leaving campus from Gatorlink VPN clients will be filtered. All VPN clients will need to relay email via authorized on-campus SMTP servers. This follows the same restrictions which are currently in place for all other campus systems. Instructions for setting up your email client to properly relay can be found at http://helpdesk.ufl.edu/self-help/gatorlink-e-mail-setup

If you already use email on campus without the VPN client, your configuration is most likely already correct, requiring no changes on your part.

Note: This only applies to "full tunnels". Campus only tunnels (username@ufl.edu/campus or username@ufl.edu/dept-campus) would not place off campus traffic into the tunnel, thus it will not be affected by this policy change. Using a campus-only tunnel is an appropriate work-around to mitigate the effects of this change.

PrintSmart initiative (previous discussion)

The "PrintSmart initiative to introduce managed print services" was announced to the DDD list the last day of May. Dan Cromer had mentioned this at our last meeting. This appears to be the end result of what started out as the "Electronic Copy - Print Output Cost Reduction program."

The announcement from Matt Fajack, Vice President and Chief Financial Officer, included the following information:

Beginning this summer, in an effort to free up resources for departments, UF Purchasing will introduce a new PrintSmart initiative designed to help departments save money on scanning, faxing, printing and copying. Research at other universities has demonstrated that implementing a campus-wide managed print solution provides significant savings and increased efficiencies.

PrintSmart begins with a departmental assessment to determine the sizes and types of equipment, including multifunctional devices (MFDs) and workgroup printers, that will best meet a unit's needs. MFDs can scan, fax, print and copy, and have the ability to be networked to multiple users.

UF has negotiated a contract with Xerox to partner with UF units to help determine the "best fit" for each area by evaluating the proper blend of services and technology required. As UF copier leases expire, units will replace their current devices with equipment provided and maintained by Xerox.

We are currently piloting this program with offices under the auspices of the Chief Information Officer, the Chief Financial Officer and Human Resource Services. After this initial pilot, we will begin rolling out the program to departments throughout campus. Please watch for further campus communications about the program in the months ahead.

If your area currently has needs or would like to become an early adopter of this program, please contact UF Purchasing at purchasing@ufl.edu. For more information about the PrintSmart initiative, including frequently asked questions, please visit http://www.purchasing.ufl.edu/printsmart or contact UF Purchasing (352) 392-1335 or purchasing@ufl.edu.

It would be nice to hear some of the technical aspects of this deployment relating to network access to and output storage from such devices.

New IT Service Management Initiative

Elias Eldayrie announced a new IT Service Management Initiative on May 30th. Details are available at http://www.it.ufl.edu/itsm/. It is worth noting that both Dan Cromer and Dennis Brown have assigned roles in this initiative.

Drafts of revised Authentication Management policy available

Dan Cromer had shared the following from the last SIAC meeting via e-mail:

IT-Discussion list now available (previous discussion)

This new list is a result of the initial try at changing the ALL_IT distribution into a more general discussion forum. Fedro sent out the following notice on May 21st:

Message from Fedro Zazueta to the IT-Discussion-L:
"IT-Discussion list serv. (To opt out see last bullet)" Tue 5/21/2013 3:27 PM


As previously announced the IT-DISCUSSION list was created for providing a secure communication mode for the exchange of ideas, solutions to problems, questions to the community, feedback to governance, and discussion of policy and initiatives towards improving IT across UF.

Information about this listserv:

If you have a question about the list, please email Anne Allen, alallen@ufl.edu. If you have IT related questions or comments please email the list.

Implementing the Mobile Computing Security policy (previous discussion)

New website available detailing mobile device compliance

The Office of Information Security and Compliance has posted a new website detailing which devices meet UF requirements.

Inviting Rob Adams to our July meeting

Wendy Williams has kindly arranged for Rob Adams (UF's Information Security Officer) and Avi Baumstein (UF's Information Security Policy Manager) to attend our July meeting to discuss various security-related issues.

You are encouraged to develop specific questions and submit them to Steve; our brief time will be much more efficient if we have our questions/concerns well organized ahead of time. Here are the beginnings of a list that was compiled via discussion on the ICC distribution list:

  • How and when will this new policy be enforced?
  • The majority of IFAS laptops are domain-joined Windows machines and BitLocker can be implemented transparently for the user. Can we agree that BitLocker will suffice until such time that there is an implementation in place to permit reporting?
  • In reference to the previous question, how about Apple's FileVault on the Macintosh?
  • Whole device encryption of smartphones drains performance and battery life. If email is the only sensitive data kept on an Android phone then why wouldn't Nitrodesk's Touchdown in-built security via Activesync suffice?
  • How are users expected to handle password management with their hardware encrypted USB devices? The assumption is that cost and inconvenience may lead many to ignore policy.

Kevin Hill mentioned that there seems to be a considerable reluctance on the part of the security team to even mention a Microsoft-based solution. He wondered if there was any reason beyond the reporting capabilities, which could of course be handled via SCCM. Steve responded with his feeling that FileVault on the Mac and BitLocker on the PC are the only two products which most of us would consider worth our time in implementing. Those are essentially transparent to the user, while Steve's experience with PGP would suggest it would try the patience of our users--particularly relating to password changes. Dan Cromer had mentioned that PGP may be able to report on FileVault down the road, and possibly BitLocker. The best answer for the majority of our machines, however, would be SCCM, which would also provide a host of other benefits related to patching and deployment.

Kevin asked if there was any way to report on the encryption status of mobile devices on any platform. No one knew of any. Steve pointed out the irony that Windows Phone 8 will not be allowed -- not because they can't encrypt but because "UF's environment" doesn't support doing so. Steve would like to understand the details behind that a little better; it sounds like we have the means but not the motivation.

Content Management System (CMS) for UF: Entering purchasing phase

Recorded sessions from demos by the three potential vendors for UF's new Web Content Management System (WCMS) are now available. Jimmy noted that the sandbox committee voted for TerminalFour with Adobe running an extremely close second. Oracle apparently drew some vigorous criticism.

Authentication Management policy draft (previous discussion)

Updates not available...

New 'Trouble-Ticket' Entry Page for CNS (previous discussion)

Updates not available...

KACE (previous discussion)

Updates not available...

CNS working to implement NAC for UF wireless (previous discussion)

SafeConnect Policy Update

Steve noted what at first seemed like a "catch 22" with this policy. He fired up a laptop that had been turned off for a couple of weeks and the laptop connected to the UF SSID. However, the antivirus DAT files were obviously out-of-date:

SafeConnect Quarantine message

The link listed for remediation was unhelpful, however:

Apparent dead-end in link for remediation

In this instance the machine must have had access to automatically update the DATs because after a few minutes things began to work. Steve is concerned, however, how this all would seem to an end-user and wonders whether they would successfully connect or not without undue frustration.

UF Exchange updates (previous discussion)

Outsourcing of student e-mail?

Steve heard from a recent "State of UFIT" talk by Elias Eldayrie that this will include SharePoint and Lync as well as Outlook.

More details were mentioned in a recent article in the Independent Florida Alligator and UF has a web site up for this now.

Outlook asking for re-authentication

Updates not available...

Sakai e-Learning System now in production (previous discussion)

As mentioned earlier a UF implementation of Big Blue Button is planned for integration with Sakai in the Fall.

Alternate IFAS domains in e-mail (previous discussion)

Updates not available...

Split DNS solution for UFAD problems (previous discussion)

Updates not available...


Projects


New web cluster (previous discussion)

Updates not available...

Windows 8 Deployment? (previous discussion)

Updates not available...

SCCM for IFAS

Work continues on the central SCCM plans.

Updates not available...

Exit processes, NMB and permission removal (previous discussion)

Updates not available...

Services Documentation: Is a Wiki the way? (previous discussion)

Updates not available...


Operations


Moving from McAfee VirusScan to Microsoft Forefront Endpoint Protection?

The following notice provided some hope that SCCM is still in the running:

Message from Geof Gowan to the IT-DISCUSSION-L:
"Symantec EPP demo Friday 9:30-11:30 in Smathers 1A" Wed 6/12/2013 9:10 PM


Hello,

As you may know, the University has been evaluating End Point Protection (EPP) solutions. This effort is to potentially consolidate and replace various tools such as:

  • McAfee,
  • Kace,
  • Secunia,
  • PGP

We are also investigating the vendor’s ability to provide new tools to the IT community for Mobile Device Management, Data Loss Prevention (DLP), and Macintosh and Linux Management.

One additional goal is to minimize the number of agents being deployed and merge the functionality of as many different management consoles as possible.

After initial evaluations, we have narrowed down the choice to three vendors: Symantec, IBM, and UFAD SCCM2012.

The next phase is for each vendor to present a detailed, real world, demonstration of their EPP solution. This will be our opportunity to put the vendors and their solutions to the test. We encourage you and/or a representative from your team to join us for these presentations and participate in testing the demo environments. Your input will be integral to the decision and the more varied the participation the better.

This is our chance to kick the tires, check out the horse's teeth, and sample the wares.

We invite you to consider the variety of managed, semi-managed, and unmanaged devices in your unit and come see how these vendors' products can help you take care of them.

The first presentation is this week:

Vendor: Symantec
Time: 9:30-11:30, Friday June 14th, 2013
Location: Smathers Library, Room 1A

We will be sending information for the remainder of the presentations soon.

In all cases, we plan to have the demo environments remain running for evaluation and comparisons.

See you Friday,

-Geof

It is unfortunate that the first vendor session is running concurrent with our meeting, but Wendy Williams plans to attend the Symantec session and has offered to let us know her take on that later.

Print server (previous discussion)

Updates not available...

Recording lectures for Distance Education (previous discussion)

Updates not available...

New DHCP reservation site created (previous discussion)

You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.

Restoration of back-ups on the file server

Wayne Hyde intends to document and announce proper usage as time permits.

Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)

Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.

IFAS efforts toward Green IT (previous discussion)

Updates not available...

Creating guest GatorLink accounts: singly or in bulk (previous discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

DirectAccess pilot (previous discussion)

Updates not available...

VDI desktops as admin workstations (previous discussion)

Wayne had delivered the following news:

Message from Wayne Hyde to the ICC-L:
"[ICC-L] ICC Management VM pool updated" Sun 5/19/2013 12:31 PM


I have upgraded the ICC Management VM pool as we have upgraded the VDI environment to VMware Horizon View 5.2 on vSphere 5.1 Update 1.

The pool has been increased to 30 VMs and the “logoff after disconnect” timer has been increased to 25 hours. Depending on usage I may increase or eliminate this timeout so you don’t lose your sessions over a weekend, etc.

Internet Explorer should be working again without long network delays. Other various software was also upgraded (Adobe Flash/Reader, Java, etc). You can now print to printers connected to the local machine.

See the pool notes after you log in for all changes.

A few days later he provided this update:

Message from Wayne Hyde to the ICC-L:
"Re: [ICC-L] ICC Management VM pool updated" Thu 5/23/2013 9:46 AM


I went ahead and changed the “Automatic logoff after disconnect” setting to 5,760 minutes – aka 4 days.

Wayne's Power Tools (previous discussion)

Updates not available...

Computer compliance tool in production (previous discussion)

Updates not available...

Folder permissioning on the IFAS file server (previous discussion)

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Disabling/deleting computer accounts based on computer password age (previous discussion)

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this, which perhaps Alex York can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.

Since BitLocker stores its keys within the computer object in UFAD, Alex York and Chris Leopold are considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.
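Here is an added example that puts the two halves above together in PowerShell; it is not from the notes, Andrew Carey's plan, or Wayne's Power Tools. It finds computer objects disabled for 90 or more days, copies any BitLocker recovery passwords out of the computer object before anything is deleted, and removes the objects only on a second, deliberate run. It assumes the RSAT ActiveDirectory module, and the OU path and export folder are placeholders.

```powershell
# Added example; not from the notes, Andrew Carey's plan, or Wayne's Power Tools.
# Reports computer objects disabled for 90+ days, exports any BitLocker recovery
# passwords stored beneath them, and (only when $Delete is $true) removes them.
# Assumptions: RSAT ActiveDirectory module; the OU path and export folder are
# placeholders; "disabled for 90 days" is approximated by whenChanged, the last time
# the object was modified, which for a disabled object is usually the disabling itself.
Import-Module ActiveDirectory

$SearchBase = "OU=Computers,OU=UNITNAME,DC=example,DC=org"   # assumed placeholder
$ExportDir  = "C:\Secure\BitLockerKeys"                       # assumed; ACL this folder tightly
$Cutoff     = (Get-Date).AddDays(-90)
$Delete     = $false      # run with $false first, review the CSV, then rerun with $true

function Get-StaleDisabledComputer {
    # Disabled objects whose last change is older than the cutoff.
    Get-ADComputer -SearchBase $SearchBase `
        -Filter { Enabled -eq $false -and whenChanged -lt $Cutoff } `
        -Properties whenChanged, PasswordLastSet
}

function Get-BitLockerRecoveryInfo {
    param($Computer)
    # BitLocker stores each recovery password as an msFVE-RecoveryInformation
    # object directly under the computer object; read them before the parent goes.
    # Reading msFVE-RecoveryPassword needs the usual delegated BitLocker rights.
    Get-ADObject -SearchBase $Computer.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter "(objectClass=msFVE-RecoveryInformation)" `
        -Properties 'msFVE-RecoveryPassword', whenCreated |
    ForEach-Object {
        [pscustomobject]@{
            Computer         = $Computer.Name
            ComputerDN       = $Computer.DistinguishedName
            KeyObjectName    = $_.Name      # "<backup time>{<key id GUID>}"
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
            KeyCreated       = $_.whenCreated
        }
    }
}

$stale = @(Get-StaleDisabledComputer)
if ($stale.Count -eq 0) {
    Write-Host "No disabled computer objects older than $($Cutoff.ToShortDateString())."
    return
}

$stale | Select-Object Name, whenChanged, PasswordLastSet | Format-Table -AutoSize

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$csv  = Join-Path $ExportDir ("bitlocker-keys-{0:yyyyMMdd}.csv" -f (Get-Date))
$keys = @($stale | ForEach-Object { Get-BitLockerRecoveryInfo -Computer $_ })
if ($keys.Count -gt 0) {
    # The CSV holds clear-text recovery passwords: treat it like a key escrow file.
    $keys | Export-Csv -Path $csv -NoTypeInformation
}
Write-Host ("{0} stale object(s); {1} recovery password(s) exported to {2}" -f `
    $stale.Count, $keys.Count, $csv)

if ($Delete) {
    foreach ($c in $stale) {
        # Remove-ADComputer refuses an object that still has children (the msFVE
        # entries), so remove the whole subtree instead.
        Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$false
    }
}
```

Because deleting the computer object also deletes the msFVE child objects, the export step is what preserves the fallback the notes describe; keep the CSV where only the people who would perform a recovery can read it.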

Core Services status (previous discussion)

Updates not available...

ePO updates (previous discussion)

Wayne had provided the following update...

Message from Wayne Hyde to the ICC-L:
"[ICC-L] ePO 5 status update" Fri 6/7/2013 11:47 AM


Update: ePO 5.0 testing is going well and I am almost ready to release it to the masses in about two weeks. I am *not* upgrading the ePO 4.6 server to ePO 5 which means admins will need to push the new agent to their clients to migrate to the new version. This can be done either via tagging inside the new ePO 5 console or manually installing the agent which will be put in our security-tools DFS share. The new agent is version 4.8.0.641.

McAfee 8.7i is not a supported managed product on ePO 5, which means many of you have some work to do getting your systems updated to 8.8i. Across IFAS we still have about 1300 machines that are running 8.7i. As I have stated over the years, it is the responsibility of the desktop admin to install/upgrade McAfee*. Same version updates (patches, hotfixes) are handled automatically by ePO but version updates (8.5 to 8.7, 8.7 to 8.8) are not. Systems must be tagged with “PushAV” to be upgraded.

Clients attached to the ePO 5 server will also be upgraded to the new 5600 engine.

* Regarding why IFAS ITSA does not push major updates or McAfee to your clients: Some admins have installed other anti-virus products on their desktops and we at ITSA don’t want to have a situation where we blow machines up due to software products that don’t get along. Please note, non-central managed AV installations (aka: not McAfee for the time being) are only allowed per IMM 6C1-6.150-3 (http://imm.ifas.ufl.edu/6_150/6150-3.htm) after a written request is made to the VP via the IT Director. Many machines are also locked down (Deep Freeze, etc) or refreshed regularly from images which need to be handled by the local IT admin.

Long story short:

  1. Update your desktops to McAfee 8.8i in the ePO 4.6 console via the PushAV tag if they aren’t on 8.8i.
  2. Wait for ePO 5.0 access.
  3. Log in to ePO 5.0 and tag systems with Push_MA/Push_MA_Mac/Push_MA_Linux or manually install new agent on your desktops.

Some light reading:

Supported products on ePO 5: https://kc.mcafee.com/corporate/index?page=content&id=KB76736
Datasheet on 5600 engine: http://www.mcafee.com/us/resources/data-sheets/ds-5600-scan-engine-dats.pdf

Steve demonstrated (or tried to anyway) going into the current ePO console [you must use your if-admn account with a "ufad\" prefix for access -- get with Wayne if you still do not have access] and looking on the "Your Systems (new)" Dashboard to see which systems have which version of VirusScan loaded:

Finding which machines need VSE 8.8

You can then tag these machines that have the older version with the "PushAV" tag (select machines > Actions > Tag > Apply Tag > PushAV) to automate their upgrade to 8.8. After a couple of days most of the machines should get that. You can then investigate the rest of them manually. Some may be having communication troubles. You can always uninstall the agent and VSE and start afresh to fix any trouble machines.
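As an added example (not part of the meeting notes or ITSA's own tooling), the following PowerShell script builds the same "who is still on 8.7i" list from the desktops themselves, for admins who want to cross-check the ePO dashboard or chase the machines that are not communicating. It assumes WinRM is reachable, that a constructed hosts.txt lists the machines, and that VSE 8.x records its version in the szProductVer value under HKLM\SOFTWARE\McAfee\DesktopProtection (Wow6432Node on 64-bit Windows).

```powershell
# Added example: inventory VirusScan Enterprise versions over WinRM and list
# the hosts that still need the "PushAV" tag in the ePO console.
# Assumptions: hosts.txt is a constructed input file (one hostname per line);
# VSE stores its version in szProductVer under the DesktopProtection key.

$targets  = Get-Content .\hosts.txt
$required = [version]'8.8.0'   # ePO 5 requires VSE 8.8 on managed clients

$results = foreach ($pc in $targets) {
    try {
        $ver = Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
            $paths = 'HKLM:\SOFTWARE\McAfee\DesktopProtection',
                     'HKLM:\SOFTWARE\Wow6432Node\McAfee\DesktopProtection'
            foreach ($p in $paths) {
                $v = (Get-ItemProperty -Path $p -Name szProductVer `
                        -ErrorAction SilentlyContinue).szProductVer
                if ($v) { return $v }
            }
            return $null
        }
        if (-not $ver)                        { $status = 'NoVSE' }
        elseif ([version]$ver -lt $required)  { $status = 'NeedsPushAV' }
        else                                  { $status = 'OK' }
    } catch {
        # Host not reachable: the "communication troubles" case, investigate by hand
        $ver = $null; $status = 'Unreachable'
    }
    [pscustomobject]@{ Computer = $pc; VSEVersion = $ver; Status = $status }
}

$results | Sort-Object Status | Format-Table -AutoSize

# Machines to select and tag PushAV (Actions > Tag > Apply Tag > PushAV)
$results | Where-Object { $_.Status -eq 'NeedsPushAV' } |
    Select-Object -ExpandProperty Computer | Set-Content .\needs_pushav.txt
```

Hosts reported as Unreachable or NoVSE are the ones to investigate manually, as the notes suggest, before falling back to an uninstall and fresh install of the agent and VSE.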

When it comes time to migrate you can logon to the new ePO console and migrate machines in by tagging them with the "PushMA" tag. The easiest way is to click on the System Tree link at top and set the "Preset:" field to "This Group and All Subgroups" so you can see all your machines. Then you select one or more and use the Actions dropdown box at bottom to tag them:

Tagging machines to push new agent for migration

Remember: ePO 5 requires that the clients are running VSE 8.8. Wayne doesn't think there will be any huge issues if you put a machine with 8.7i on ePO 5, it just won't be able to apply any policies so the exclusions and antivirus settings may just go to "default" or hopefully will just keep using the last policy pushed by ePO4. Steve's advice is to be "proactive" on this.

Status of SharePoint services (previous discussion)

IFAS migrating to centralized MOSS

Updates not available...

Public folder file deletion policies and procedures status (previous discussion)

Updates not available...

Patching updates... (previous discussion)

Microsoft

The June Microsoft patches included 5 bulletins (1 "Critical", and 4 "Important") covering 23 CVEs in the usual suspects. A risk assessment is available here.

McAfee generally provides podcasts on the highlights of each month's offerings.

Adobe

Reader/Acrobat had a reported minor vulnerability that was fixed in a May 14th release.

Flash didn't want to be left out either; the details are here. Don't forget that updates to Flash mean updates to Air.

Java

Are you ready for more Java updates? Good, because more are due on June 18th. It will be interesting to see if they continue updates for v6 (which is supposedly end-of-life).

It should also be noted that Microsoft recently released a "Fix it" that will block all Java web-attack vectors in Internet Explorer. This can be used to reduce the attack surface in those instances where Java is needed for desktop applications but not inside a browser.

Apple

A new version of QuickTime Player for Windows (7.7.4) was released on May 22nd; this patched numerous vulnerabilities. The last version of QuickTime Player came out way back in November of 2011 (see the Apple security updates page). There was an iTunes security update as well (though there is now an even newer version out).

MS Office News update (previous discussion)

Microsoft Office for iOS is now available. No iPad version (!?) yet but this will run on the iPhone and iPod Touch should one feel the need.

Job Matrix Update status (previous discussion)

Alex and Wei still missing from the board

Other Topics

Preparing for the removal of Windows XP from the network

As you should know, unless Microsoft changes their plan and extends the deadline, we will have to remove Windows XP from our networks after April 8th 2014. Dan Cromer had talked to the VP about this and provided a list of roughly 500 IFAS machines running XP that aren't easily upgradable to run Windows 7. Elias has been talking to our VP about IFAS trying the Citrix-based UF virtual solution. Dan is looking for on-campus volunteers.

It amazes Steve that Dan wouldn't have pushed our own superior VMware-based VDI solution to the VP instead.

Free AMX training to be offered

Please contact Marion Douglas if you are interested in free AMX training which is being planned for July 8-12th. The first day will cover system design and the remainder will cover installation, setup, configuration, and troubleshooting.


The meeting was adjourned well early just after 11:00 am and right when a nice rainstorm blew through.