ICC logo IFAS logo

ICC Meeting:



A meeting of the ICC was held on Friday, September 13th, 2013 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Twenty members participated.
Remote participants: Bill Black, Dennis Brown, Wei Cao, Kevin Hill, Al Ibanez, Wayne Hyde, Marvin Newman, Scott Owens, Mike Ryabin, and Wendy Williams.
On-site participants: Jimmy Anuszewski, David Blackman, Dan Cromer, Francis Ferguson, DeWayne Hyatt, Taylor Jamrok, Winnie Lante, Steve Lasley, Matthew Nash, and Karen Porter.
Guests: Avi Baumstein

STREAMING AUDIO: available here


Agendas were distributed and the sign-up sheet was passed around.

Report from the chairman

Member news:

DeWayne Hyatt has been hired as Alex York's replacement. Dewayne comes to us from the Marion County School System and has extensive experience with SCCM. We took the time to go around the room and introduce DeWayne to those participating today; we would all like to welcome him to IFAS and hope he truly enjoys working here.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Last month Avi Baumstein was in attendance. He has graciously offered to continue attending these meetings until we feel more comfortable with our various security issues.

Proposed Remote Access Policy

Dan Cromer made a copy of a new Draft Remote Access Policy available on the ICC SharePoint site. Steve pointed out that the policy has been whittled down to about the bare minimum one would need if one was going to have a policy on the subject at all; basically it says that all system must be approved, documented and controlled for remote access.

Steve asked if there was an associated Standard being developed in parallel. Avi responded that they were still working on the policy draft currently and hoped to have a new version available fairly soon. Steve then asked Avi what he expected the impact of this policy to be on local IT staff and Avi said that he really couldn't say at this time; he wanted things to go through a few more revisions before commenting.

Implementing the Mobile Computing Security policy (previous discussion)

Steve wanted to know if there were any updates at all on some of the issues we had discussed at the last two ICC meetings.

Questions from the ICC

Q from Steve Lasley: Is there any update on documentation requirements for native encryption? Any news on native encryption reporting in an upcoming PGP client?

A: Avi responded that they had posted a Documentation of Non-Standard Device Encryption form on the web site. He pointed out that this really only applies, however, to Unsupported Operating Systems where a fully compliant encryption system is just not available. Avi gave the example of Windows 8 which Symantec Encryption Desktop (note new name!) does not yet support. This is not a way to side-step the reporting requirements for native encryption as suggested by Rob Adams at our July ICC meeting. Avi suggested that a later discussion with the lawyers may have changed things somewhat.

Steve then asked about the status of the PGP client regarding its proposed upcoming ability to report on native encryption status. Avi said that he had no good news to report on that and wasn't currently very hopeful.

Steve asked if Avi was aware on anyone using SCCM for monitoring BitLocker encryption status and AVI responded that he was not but did again mention having heard of Microsoft's BitLocker Administration and Monitoring (MBAM) tool as mentioned at the July meeting. Steve mentioned that tool can integrate with System Center Configuration Manager (SCCM) and might be the best route for IFAS to become complaint with native encryption on Windows--we will have to see.

Q from Steve Lasley: Has the idea of doing regular encryption training gained any traction?

A: Avi said that this has been discussed but nothing has been scheduled yet. Steve pointed out that the demand within IFAS for such a thing is rather high.

Q from Steve Lasley: How does one install PGP simply to access PGP encrypted external drives rather than to encrypt local fixed drive(s)?

A: Steve said that he had installed PGP (well, Symantec Encryption Desktop as it is now called) on his BitLockered laptop with the intention of investigating the use of PGP for external drive encryption, but became quickly confused as it tried to encrypt the local (already BitLocker encrypted) driver. Now the system comes up with this dialog at each boot:

Symantec Encryption Desktop authentication dialog

Avi responded that Steve needed to get a policy group set up for his unit by contacting Bruce Dew at Customer Technology Services (CTS). [Note: after the meeting Avi amended this saying that Bruce has asked that requests instead be directed to their ticketing system via helpdesk@admin.ufl.edu or http://cts.ufl.edu/helpdesk/default.asp.] This policy group would be tied into Steve's UFAD Users OU. At the enrollment step in the installation then Steve can enter his credentials, which are verified with the server, and then a policy package is downloaded from the PGP server. When that is set up with Bruce then Steve can decide which settings to turn on and push to all users. The default policy encrypts the local hard drive; if that is not wanted then Steve will have to get Bruce to turn that portion off.

Avi added that CTS is working on documentation for configuring and using Symantec Desktop Encryption within the UF environment.

Q from Dennis Brown: Are there any issues with using PGP for encrypting machines not joined to UFAD?

A: Avi responded that the only connection with UFAD is at the point of enrollment where it asked for your credentials. All it is doing is validating those credentials in order to figure out which policy group in which to place the computer. Avi explained that the client utilizes an https (port 443) connection with the PGP server at the time of initial set up and again daily for reporting; thus this should report from most anywhere the computer has a network connection.

Q from Jimmy Anuszewski (and Kevin Hill): When some using Windows Defender (say a Windows 8 personal laptop) has out-of-date definitions and logons on to UF wireless they are given a link to Microsoft.com. Most don't know what to do with that. Could links be provided rather to the 32-bit and 64-bit versions of the definitions as described on the "How to manually download the latest definition updates for Windows Defender" page?

A: Avi said that Network Services maintains that page but he would pass this along to them. They have been looking into the Java quarantine messages and trying to respond to that need.

Note: Avi shared the following after the meeting. There was a concern that the UF Wireless NAC quarantine page that informs a user about out-of-date definitions for Windows Defender/Security Essentials providing a link only to Microsoft's homepage. I passed this along to Matt Grover, who noted that the current quarantine page did not include any links, but he has added one to a Microsoft page that includes instructions for both automatic and manual updates as well as links to download definitions. This may mean there is still a page out there that needs cleanup, so please have folks let or Matt Grover know if they run across it.

Q from Jimmy Anuszewski: The Microsoft Windows Instructions page on the new security site provides links to the PGP support page but the corresponding Apple Mac OS X page does not. Could that link possibly be added?

A: Avi said he should be able to fix that himself.

Q from Jimmy Anuszewski: Apple devices seem, on occasion, to fail to authenticate to wireless. This issue often corresponds with getting these:

Subject: Login Attempt
Date: Tue, 10 Sep 2013 09:42:02 -0400 (EDT)
From: noreply@nslog.cns.ufl.edu
To: unluckygator@ufl.edu

The system has detected at least 20 failed attempts to connect to the UF Wireless Network from a wireless device, such as a laptop, phone, or tablet. This may be a result of a recent change to your GatorLink password.

If a password change has occurred, you will need to update your GatorLink credentials on this wireless device.

If you do not update these credentials on your wireless device, it is possible your GatorLink account will become temporarily locked.

The last failed attempt happened at Sep 10 09:41:03. The device has a manufacturer ID of Apple Co. For diagnostic purposes, the device has a wireless hardware address of 0019e3e1e100.

If you are unsure on how to update your password please take the following steps:

  1. Visit the Help Desk website (helpdesk.ufl.edu)
  2. Select the Self Help Menu
  3. Select Connectivity Instructions
  4. Follow the instructions for UF Wireless Password Help and/or Exchange Email Passwords.

If you still need further assistance, please contact your local IT support group or the UF Computing Help Desk at (352) 392-HELP (4357).

Please do not reply to this automated message.

The solution seems to be to "forget" the UF connection, reaccept the certificate, and then it works--at least until the next time. What is up with that?

A: Avi responded that the three different networks on campus (CNS, DHNet, and HealthNet) each use different certificates and there are areas of bleed-over. If you are driving down Mowry road and go by the Cancer/Genetics Research Institute you might get some bleed-over from the Health Center provided wireless there. Avi said that if you don't configure manually but rather use the Auto Configuration button, then with Windows or the Macintosh this will download the XpressConnect client and on iOS devices it will download a configuration profile. Both of those will include all certificates for the wireless networks and this certificate issue should be avoided. Wayne Hyde thinks having separate SSIDs for each of the three networks might have been a simpler solution.

Jimmy said that there must be more to this issue than what Avi was saying because Jimmy has seen this with iPads that never leave McCarty Hall. Avi recommending using the device profile which installs a root certificate whereas the access points offer child certificates. Avi also recommended calling CNS if the problem persists.

Patching updates... (previous discussion)

If you aren't serious about patching yet, consider the latest in ransomware that encrypts your data. See also here, here, and here. Thorough patching, a careful backup strategy, and least privilege access to files all play an important role in surviving such assaults. Avi pointed out that this category of malware is not new and Kevin Hill mentioned having a friend who got hit with this and it is extremely nasty.


The September Microsoft patches included 13 bulletins (4 "Critical", and 10 "Important") covering 47 CVEs in the usual suspects. A risk assessment is available here.

McAfee generally provides podcasts on the highlights of each month's offerings.

This month's updates for Office were extensive, including a whole bunch of non-security updates. One such Update caused a problem with Outlook 2013 in some instances; the symptom is a missing/blank Folder Pane. Also, there is a detection problem with some Office 2007 updates whereby they get continually reoffered (KB2760411, KB2760588, and KB2760583) and there was another issue with an Access 2013 security update not installing. All told this was a very messed up batch of updates that raises concerns about Microsoft's quality control processes. Microsoft has posted a September 2013 Security Bulletin Webcast Q&A that discussing many of the issues seen.

Jimmy said that there were also two Microsoft updates for the Mac: one for Office (which Jimmy believed had a number of things for Outlook) and another for Lync that fixes the problem with trying to join an online meeting. Steve asked if Microsoft updates could be scheduled on the Mac and Jimmy responded that they can be scheduled on a weekly basis. This particular Lync update, however, has problems with the auto update for some reason and must be downloaded from the link provided and installed manually.


Adobe had updates for Flash Player, Reader and Acrobat as well as Shockwave Player this patch Tuesday. Don't forget to update Adobe Air if you have that as well; the current version is


In case you have been wondering whether or not you can keep JRE version 6 around, consider that an exploit targeting an unpatched vulnerability in Java 6 has been found in the wild. It is time to move on and deal with the consequences. Don't forget that JMP, Hoboware, and other applications still install version 6 by default--not good.

In other news, running a Java applet now pops up a security dialog box that presents users with information about the application (to warn people apparently); but it turns out that the information displayed can be changed by malware; basically, Oracle is allowing unsigned information into their security dialogs.

Just for fun, Oracle released JRE version 7 update 40 on Tuesday. This is not a security update, but UFIRT vulnerability notices are acting as if it was via this added statement:

*** NOTE ***
As of 09/12/2013, all versions of Java 1.7 prior to 1.7.0_40 exploitable 
by the by at least one critical vulnerability.  You are receiving this 
notice because you are running a version of Java that puts your system 
and University resources at serious risk to compromise.

Java 1.6 is has reached its end-of-life. We do not recommend you 
continue to use 1.6 . 
*** NOTE ***

There would seem to be no real security advantage in upgrading from update 25 to update 40 other than to avoid these vulnerability notices.

Among other things, this latest update puts the following on the Start Menu:

JREv7u40 start menu items

A new Deployment Rule Set feature was also introduced; time will tell how useful this feature might be. If you are curious about the update numbering scheme (jumped from 25 to 40, really?) check here.

Winnie Lante was under the mistaken impression that SAS 9.3 required JREv6 but Steve said that nearly everything works with JREv7 and that the switch can be made by editing a configuration file as documented previously.

Francis Ferguson mentioned the CEU reporting site that still only works with JREv6. Steve has his people email those to their contact at the Florida Department of Agriculture and Consumer Services and lets them deal with it. Maybe that way DACS will have some incentive to update their server-side application.

Steve asked if anyone was aware of other web apps that required Java. Steve mentioned that the monitoring portion of TMS requires Java and Dan Cromer said that portions of BigBlueButton require the Java plugin be installed as well. This is somewhat surprising as this is a new service just starting up at UF. Dan said that he believes that the company is working on moving away from Java to HTML5.


Apple released an update for OSX.8 (Mountain Lion) which included some security updates and also released security updates for both OSX.7 (Lion) and OSX.6 (Snow Leopard).


There is an extremely critical remote code execution vulnerability in WordPress versions earlier than 3.6.1 that should be addressed immediately. Dan said that Santos Soler had patched the IFAS WordPress installation last night to address this.

Videoconferencing and WAN discussion

[In order to make meeting participation more efficient for Patrick Pettus and James Moore, these two topics have been moved to reside at the top of our agendas.]

Videoconferencing topics (previous discussion)

Endpoint security concerns (previous discussion)

Steve had heard indirectly that Patrick Pettus is concerned that our endpoint management system will be crippled if Telnet access is blocked. Steve wasn't clear on exactly what features would be lost but Dan Cromer suggested this would be limited to non-necessary things such as directory updates which currently don't work anyway for our oldest and newest units. Steve really suspects that other features would be eliminated as well and would like to know exactly what we might have to look forward to as videoconferences via managed endpoints have become very much a daily activity within his unit and any disruption to that could be quite critical.

Patrick Pettus responded to Steve the following Monday describing what the removal of Telnet would mean:

Essentially it removes all of the management capabilities from TMS and turns it into a simple scheduling system. Telnet is used by TMS to make configuration changes to the endpoints. Things like software management, phonebooks, configuration templates, configuration enforcement, automated ticketing, and scheduling support for mobile hardware codecs will go away. We would no longer be able to deal with configuration changes in bulk. For example, the recent DNS changes were made by updating a couple of templates in TMS. Without TMS we would have had to log into 200 + endpoints to configure them. What took about 15 minutes to change, would have taken over 2 days (200 endpoints X 5 minutes = 16.6 hours).

To some extent this is happening already. The Aver and Lifesize codecs are not supported by TMS for management and so are already treated this way. This is my primary complaint about purchasing them. While the codecs themselves are inexpensive and perform well, they don't fit into the current centralized support model. Taking a service that is already starved for support and removing the management tools is certainly not going to improve it. If something must be done about the unsecure telnet connections then I suggest adding an ACL to each endpoint and limiting telnet access to TMS only.

The major stumbling point currently is that TMS doesn't work with SSH and Patrick is discussing that need with Cisco. While we clearly need non-Telnet solutions moving ahead we also have a huge investment in equipment that we really need to keep running well in the short-term. The impression from the ICC was that the vast majority of our videoconferences are being hosted on the bridge with point-to-point connections making up somewhere around only 10% or the total. Using the bridge has various advantages such as speed and protocol matching.

Replacing Polycom endpoints with some Lync-based solution (previous discussion)

There was some discussion about software-based videoconferencing solutions via the ICC-L since our last meeting. Dan Cromer gave his take at the time:

Message from Dan Cromer:
"Re: [ICC-L] Student online courses, video access" Wed 8/21/2013 10:13 AM

...The “best” video connection to a bridged conference is with Jabber. I’ve set that up for several students at Immokalee. Try it, you’ll like it. Disadvantage of Jabber is that you need to request the GatorLink username be added to the Movi security group, but that’s a two-minute job that I usually handle immediately upon request; Chris, Scott, Dan Christophy, Marion, and Lance can all do it, plus requiring the additional client install on the local computer. Jabber has the advantage of being able to clearly display the content, while showing the active speaker in a small picture-in-picture, or swapping the content with the camera. Lync displays content using NTSC conversion, so is lower resolution. Lync 2013 doesn’t currently work with the bridge.

Blue Jeans is next best to Jabber, it can use the browser rather than other client (though it can also work with Lync, Skype, or Jabber client), and offers viewing of more than one camera at a time, up to 16 (same as the bridge and Jabber). Blue Jeans can work without having a microphone on the client; Lync won’t start unless there is a microphone. It also has the ability to resize the content and camera windows. Lync, until coming upgrade, only shows the active speaker unless it’s a Lync conference and the CX5000 camera is used to add the panorama view.

John Wells responded that he is very pro-Jabber and shared a setup/troubleshooting guide that he gives out to users in his district.

Possible end-point refresh in the works (previous discussion)

Updates not available...

Movi/Jabber Updates (previous discussion)

See above discussion.

End-user Scheduling (previous discussion)

Steve asked how people were liking the new Smart Scheduler. Jimmy said that he likes it personally but that it has been confusing his end users who have tried it. Steve said that he encourages his users to get with him for scheduling in any case, but he hoped that this new system would be helpful to those in each unit that would have previously used the old event request form. Multiple comments suggested that this was indeed the case in many instances. Many noted that it is difficult to find and add endpoints via this new system as most requests come to us in IP# form. Steve pointed out that there is a search form on the video site that might help somewhat. The problem is, however, that the Smart Scheduler only seems to work with endpoints that TMS can manage; our older endpoints are mostly out-of maintenance and cannot be updated with the latest firmware to allow the necessary inter-communication. That's why Steve is hoping Video Services can come through on the proposed training that would permit individuals direct access to TMS.

See also above discussion.

Lync updates (previous discussion)

Dan Cromer mentioned having recently tried to record a Lync conference for the first time. He discovered that this feature was available only within a Live Meeting session and not a regular Lync call. Recording of a Live Meeting session seemed to be easy to perform and worked well. After you stop the recording it asks where you want to save the recording. It can create an mp4 version for distribution as well.

SIP may replace H.323 as preferred protocol for endpoints (previous discussion)

Updates not available...

Blue Jeans (previous discussion)

Dan Cromer had shared with us some of the details concerning Blue Jeans Release 2.1 which became available on August 17th.

Steve noted that Bluejeans supposedly is adding a chat feature that should be available by the end of September. Dan explained that IFAS has a $12k/year "All You Can Meet" license that allows 250 accounts (for creating conferences) and up to 25 simultaneous connections per conference. Bluejeans is working on being able to manage more than 25 simultaneous connections, but currently that is a technical limitation to their service.

WAN (previous discussion)

Updates from James Moore

Updates not available...

Wireless printers (previous discussion)

Updates not available...

VoIP at RECs

Dan Cromer said that Jay and Milton are now using UF VoIP and that we have similar plans for Marianna, Homestead, and Vero Beach. Indian River is waiting on the proposed centralized payment of the current $11/month/phone charges. Belle Glade is apparently investigating VoIP as well.

Phone bills to be paid for centrally? (previous discussion)

This is planned to be added into RCM for the next fiscal year.


Notes from August SIAC meeting

Late Tuesday Dan Cromer made the notes from the August SIAC meeting available on the ICC SharePoint site along with the June 2013 SIAC Annual Report. Those were not posted on the Shared Infrastructure site as of Wednesday so Dan is providing us a "scoop" of sorts. Thanks Dan!

August's IT Directors Meeting Notes

Dan Cromer kindly made the August Campus IT Directors Meeting notes available on the ICC SharePoint site.

PrintSmart initiative (previous discussion)

Information about this program was discussed at the August SIAC meeting. Steve asked if anyone had gone this route with Xerox yet. Dan Cromer mentioned that he wants to do this for IFAS IT as soon as he can get around to it and Matt Nash said he believe FRE might go that route as well.

Wendy Williams shared later via e-mail that she had one Xerox machine that had been accepted for Print Smart, had received decals for it and has been ordering via the new method. She also noted that during the E&G IT Managers meeting others who had to get new units were waiting up to 6 weeks, which seemed a bit long. She said folks that have Degree Audits printing to one of the Print Smart printers would be wise to make sure it works because there is some VLAN issue that must be addressed.

Avi wanted to reiterate the need to wipe the hard drives of any machines that were being replaced prior to disposal. Such a procedure is going to be worked into the new program but we still have a large number of machines that are owned or leased separately.

New IT Service Management Initiative

Tricia Cook is the Remedy remediation project manager. This project is concurrent but separate from the ITSM project and seeks to improve Remedy systems stability, performance and reporting capabilities. An online meeting was scheduled for Tuesday, September 10, from 2:00p.m. to 2:30 p.m. to provide more information about the Remedy remediation effort.

Dan Cromer said that he was awaiting progress on finding a Remedy replacement prior to re-considering offering training on Remedy regardless of what interim changes might be made. Dan reiterated his desire to have data on what IT does so he can make the case to Dr. Payne that we provide a valuable service; having IT support staff utilize a ticketing system could permit Dan to "justify our existence" to administration. Winnie Lante pointed out, however, that our local departmental faculty, staff, and students all already aware that we are doing our job and providing a valuable service. She pointed out that adding metrics would cost us valuable time and hence worsen our already stretched support capabilities. Dan said he is aware of the paradox, but in an increasingly centralized management model such metrics are likely to be demanded whether or not they serve to actually improve local service or not.

Content Management System (CMS) for UF: Entering purchasing phase (previous discussion)

Jimmy Anuszewski had shared the following to the Web-Managers-L list from the August IT Directors Meeting:

UFIT will start implementing TerminalFour, the new web content management system (WCM) for campus. A project manager will be assigned soon and work will be underway to provide support and training for the new system. Eric Olson was recognized for his leadership on the WCM Task Force.

In parallel with the WCM system, a document management system will also be deployed by UFIT. A survey has been sent to identify the use cases for this system. The Transition will begin the summer of 2014 and will focus on the colleges first, research second and Enterprise Systems last. For more information, please contact Brandon Vega at (352) 273-1392 or brandonvega@ufl.edu.

Dan Cromer said that there are hopes that this may be available as early as Spring 2014.

Authentication Management policy draft (previous discussion)

Updates not available...

New 'Trouble-Ticket' Entry Page for CNS (previous discussion)

Updates not available...

KACE (previous discussion)

Updates not available...

CNS working to implement NAC for UF wireless (previous discussion)

David Huelsman posted the following message regarding current posture assessment practices on the wireless network:

Message from David Huelsman to the ". All-IT" list:
"UF Wireless Update" Tue 9/3/2013 8:58 AM

UF Community,

The Unified Wireless Committee set a schedule to begin blocking network access at the end of every semester's drop/add period. On August 28th at 7:00AM UF began blocking machines that do not meet minimum security policies. The required minimum requirements are:

  • Have current anti-virus installed and up-to-date virus definitions (Macintosh & Windows only)
  • Have Windows Automatic Update turned on (Windows only)
  • Not have peer-to-peer file-sharing applications running on the host (Macintosh & Windows only)
  • If Adobe Flash is installed have the latest version (Macintosh & Windows only)

At the moment, UF is only notifying users who are running out dated versions of Java every 6 hours. On September 8th 7:00AM, UF will also begin blocking network access based on out of date Java browser plugin versions. If installed, Java should be running the current distribution version, Java plugins that are older than 15 days will be blocked. As we get closer to the 8th UF will be decrementing the notification window to encourage users to self update or disable. Note that this check is only for installed Java browser plugins and not all Java on the machine. UF Housing network began blocking on this at the start of the blocking period.

If you have any applications that require specific versions of Java, please contact us via email at: security@ufl.edu

Steve mentioned that the simplest way to get around an out-of-date Java preventing wireless access would be to uninstall it, but Avi added that he has run into cases where it wouldn't uninstall properly. Avi mentioned that disabling the browser plug-in within the browser would solve this but was unaware of the Java Control Panel app for doing that which became available back with JREv7r10 in December of last year. Steve believes this is a "per machine" setting and not a "per user" setting; it requires admin access to change that setting.

UF Exchange updates (previous discussion)

A UF Exchange system upgrade, specifically the "Update Rollup 2 for Exchange 2010 SP3" is planned for this weekend. This should be transparent to Users but folks like Scott Owens will need to update their management tools.

Outsourcing of student e-mail

In a response to Mari Jayne Frederick about "cloud storage" options, Dan Cromer wrote the following:

“Real soon now” UF will provide 25 GB Skydrive storage accounts for all UF faculty, staff, and students, except for those who deal with private health information (PHI). Pilot accounts are being set up immediately, for students who also are OPS workers at the UF Help Desk. I hope this will be available to all sometime in the next six months. Dropbox use is prohibited by UF security rules, due to lack of institutional control. UF requires a business agreement with cloud storage providers to protect ownership of content and access for legal discovery requirements. I’m well aware that our users are using Dropbox and other such options, but have remained inactive on this topic since we don’t yet have a good alternative. Remember that for internal use we have our shared folder system at \\ad.ufl.edu\IFAS, and for transient sharing we have http://file-express.ufl.edu.

In response to a question from Kamin Miller about whether or not the 25 GB could be increased, Dan said:

I don’t know about optional expansion, but I’ll ask. The first plan was just 5GB, so I was happy with the 25GB. I’ll let everyone know whenever I learn more. This is part of the movement of students to Office365 off of the old Gatormail. At some point, the plan is for all faculty and staff to be in Exchange (which means some who still use Gatormail will have to move), and students to be in Office365. Strategic direction is for everyone to be in Office365, as soon as security and management can be arranged, but I see this as several years away, since my personal guess is that Gatormail system will be retired at the end of fall term 2014.

Updates on this topic were discussed at the August SIAC meeting. Dan noted that IFAS didn't have a chance for involvement in the pilot program but intends to ask if that can be expanding to include us.

Steve noted that Windows 8.1 and Windows Server 2012 R2 will support a new "Work Folders" feature that would let folks keep files on their local device which would then be automatically synced to the server--in other words, a local enterprise-level "Dropbox-like" feature. It will obviously take us a long time to get there, but Steve thinks this is an encouraging trend that will really help eliminate a considerable number of support issues down-the-road.

Outlook asking for re-authentication

Updates not available...

Sakai e-Learning System now in production (previous discussion)

It turns out that Firefox version 23 enables mixed content blocking by default. This has caused some support issues with Sakai (see Blank Pages in Firefox under Announcements). Ironically, one suggestion is to use a web browser that is less security conscientious in this regard.

Also, multiple file uploads via WebDAV to Sakai hasn't been working recently, even with the CyberDuck client; there is no word on why or when a fix might be coming.

Alternate IFAS domains in e-mail (previous discussion)

Updates not available...

Split DNS solution for UFAD problems (previous discussion)

Updates not available...


New web cluster (previous discussion)

When Steve noted that his department was still on the old web server and wondered if it would stay that way until the hardware died, Wayne Hyde noted that the old web server had been virtualized...something that had escaped Steve's notice for some reason.

Windows 8 Deployment? (previous discussion)

Updates not available...


Work continues on the central SCCM plans and Steve is very excited about the potential now that we have DeWayne Hyatt and his extensive experience on-board. This platform could do so much for IFAS if we could find the time and energy to devote towards setting it up and distributing out its use to local IT admins (with training).

Exit processes, NMB and permission removal (previous discussion)

Updates not available...

Services Documentation: Is a Wiki the way? (previous discussion)

Updates not available...


Moving from McAfee VirusScan to Microsoft Forefront Endpoint Protection?

DeWayne Hyatt mentioned having experience with System Center 2012 Endpoint Protection at his previous job; this is good news should IFAS go that route eventually. Dan Cromer said that DeWayne has replaced Alex as the IFAS representative on the EPP project. Wayne Hyde shared with Steve his understanding that EPP may go with the IBM/bigfix solution which includes Trend Micro AV.

Print server (previous discussion)

Updates not available...

Recording lectures for Distance Education (previous discussion)

Steve noted that the bridge failed to connect to the media server today for some reason so that this meeting will not be recorded (other than the audio recording that Steve always does). Steve will email video services to ask that someone please investigate the cause. Since IFAS has 16 expensive local Accordent Lecture Capture appliances that are nearing end of life (April 2014--as they are Windows XP based) and Steve has been told that recording via the bridge should be an acceptable substitute for our critical need for recording lectures at Entomology and elsewhere, he would greatly appreciate anything that might make recording via the bridge more robust and that would provide acknowledgement and feedback when the inevitable problems do occur.

Here is the response that Steve received from Patrick Pettus on Monday:

During the duration of the ICC meeting 5 other meetings were successfully recorded. The content server was scheduled correctly for the meeting, but just refused to connect. At no time was it over booked so I can't see any reason for it to reject the call. I'll have to dig deeper to figure out what was going on. I'll let you know what I find.

The Content Server is the last piece of the VC infrastructure that is not fully redundant. It is in our plans to beef up that service, but that likely won't happen until the next FY.

While it is extremely useful to be able to record presentations from any videoconference facility with the Content Server, I would not consider it a replacement for Mediasite or Accordent where high end recordings are needed. Those platforms offer have several features like content searches, slide indexing, and higher resolution that produce a much higher quality end product. The 16 Accordent rooms should be looked at individually to determine their recording needs. For rooms like McCarty G001, a Mediasite recorder is a must. For the others, the Content Server may or may not meet those needs. Just something to keep in mind.

New DHCP reservation site created (previous discussion)

You are reminded that Santos Soler has created a new DHCP reservation site which you may use to request reservations.

Restoration of back-ups on the file server

Wayne Hyde intends to document and announce proper usage as time permits.

Membership of ". IFAS-ICC" e-mail distribution group to be narrowed to ICC members only (previous discussion)

Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.

Creating guest GatorLink accounts: singly or in bulk (previous discussion)

Steve had left this on the agenda in case further discussion was deemed warranted.

DirectAccess pilot (previous discussion)

Dan Cromer wants to get individuals into a pilot program and plans to stage some of the Help Desk laptop into that.

VDI desktops as admin workstations (previous discussion)

Wayne recently updated this pool:

Message from Wayne Hyde to the "ICC-L" list:
"Re: [ICC-L] ICC Management VM pool updated" Thu 8/29/2013 9:45 AM

The ICC Management VM pool has been updated. The changes include:

  • Windows updates
  • Java update
  • Flash update
  • Google Chrome installed
  • Configuration Manager 2012 console installed

Java and other annoying “update is available” popups should (finally) be disabled. If not, I’ll use a bigger hammer.

You will need to log off and back in to get an updated VM image.

Wayne had previously changed the "Automatic logoff after disconnect" setting to 4 days. The only other update Wayne has planned for this is the Exchange Management Console which will be important mainly to Scott Owens.

Wayne's Power Tools (previous discussion)

Updates not available...

Computer compliance tool update (previous discussion)

Updates not available...

Folder permissioning on the IFAS file server (previous discussion)

You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.

Steve mentioned that Santos Soler has developed a Powershell script to help OU Admins who do not understand how to do this and other management tasks properly. Steve may dedicate a portion of an upcoming meeting to this topic but wants to give Santos time to fully hone the script prior. Most of the functions this script can do will provide little time advantage but should certainly make obtaining a correct result possible without fully understanding the underlying processes. There is one aspect that is a real time saver, however, and that involves removing an individual user account from all the security groups to which it belongs. Steve finds that a great time saver when decommissioning user accounts over running WPT to find the groups and then deleting them individually by hand.

Disabling/deleting computer accounts based on computer password age (previous discussion)

This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey had a good plan for dealing with this which perhaps Alex York's replacement can find the time to address eventually. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer object which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.

Since BitLocker stores its keys within the computer object in UFAD, Chris Leopold was considering scavenging those keys for secure storage elsewhere. That would provide a fallback for decrypting a drive should the associated computer object be deleted.

Core Services status (previous discussion)

Updates not available...

ePO updates (previous discussion)

Updates not available...

Status of SharePoint services (previous discussion)

IFAS migrating to centralized MOSS

Updates not available...

Public folder file deletion policies and procedures status (previous discussion)

Updates not available...

MS Office News update (previous discussion)

Updates not available...

Job Matrix Update status (previous discussion)

Updates not available...

Other Topics

Password expiration times (previous discussion)

Francis Ferguson noted that he has already received positive feedback from people who are very happy not to have to change their password as often as before. The new policy requires a change every six months for account with the P4 and P5 (high and rigorous) role and yearly for others.

Steve noted that he wanted to utilize the new passphrase capability but found out that a space was not an allowable character; Steve finds it very difficult to type a passphrase without hitting the spacebar between words so he had stayed with his previous algorithm for devising his new passwords. Avi said that the long-term plan is to replace the current password component (presumably with something that would permit spaces) but how long that may take is anybody's guess.

Local MPS backup storage

ITSA is starting to use Synology NAS boxes as iSCSI targets for multipurpose server backups.

Adobe licensing

The Adobe licensing situation remains unresolved. We commiserated on this topic for a while and all hope the issue is resolved before too much longer.

Steve mentioned having continuing issues with activation of CS6. This began originally with Acrobat installed as part of CS6. That aspect seemed to be resolved via the afore-linked solution, but now Steve is finding that the other parts of the Suite are asking users to logon to Adobe and enter the license key in order to get out of trial mode. This is on system which Steve already activated (sometimes multiple times) under his own profile. The solutions provided by Adobe do not seem to work. See here for many examples of people having issues; my "favorite" horror story is this one.

The meeting was adjourned just a trifle early at about 11:55 AM.