20160106: Certificate Services for delegated OUs

A new automated X.509 certificate enrollment and issuance capability is now available to delegated OU customers.

What and When:

Delegated OU customers can use the group service to cause a X.509 certificate to be automatically issued to a Windows computer in their delegated OU. Other than adding the computer to the group, there is no manual effort required, and the certificate will be automatically renewed when it approaches its end date.

The Certificate Authority which issues the certificate is not signed by a publicly trusted root CA but is trusted by all computers joined to the NETID domain. This CA meets the same kinds of use cases as the “UW CA”, but there is no labor involved in certificate deployment and none of the ugly certificate expiration problems, so we believe you’ll find this highly useful as an IT cost-savings measure.

What You Need to Do:

If you’d like to make use of this new capability, we’d recommend you read https://wiki.cac.washington.edu/x/_69NB, especially the ‘How to Use this Service Option’ section.

More Information:

Behind the scenes, the group membership change triggers application of a domain GPO which enables auto-enrollment on that computer, and grants the autoenroll permission to a specific certificate. The client computer does a little dance with AD to find issuing CAs and templates it has permissions for, and requests all certificates for which it is entitled via an RPC connection to the CA. The CA automatically approves/issues the requested cert and the client computer places the cert in its local certificate store.

It’s pretty neat stuff that seems like magic compared to the highly manual certificate process involved with the UW CA and InCommon CA that consumes lots of time.

There’s lots more information at the customer documentation URL above.

As noted previously, if you have another use case you’d like to explore, let us know.

We are exploring a couple use cases for the future, including a custom template paired with auto-enrollment, possibly leveraging this new infrastructure to enable a multi-factor authentication solution like Microsoft Passport, and will also consider adding a web service enrollment agent which would allow non-Windows and non-domain joined computers to get in on the automated goodness. J

Brian Arkills

UW Windows Infrastructure Service Manager

UW-IT

From: Brian Arkills Sent: Friday, December 18, 2015 9:57 AM To: ‘uwwi-announce@uw.edu’ <uwwi-announce@uw.edu> Subject: new domain GPO

A new group policy object at the root of the NETID domain is being created. This GPO will only apply to computers which are opted into applying it.

What and When:

Today UWWI will create a new GPO called ‘AD-CS Auto-enrollment’ at the domain root.

This GPO will enable auto-enrollment for the certificate services client. This GPO will only apply to computers which:

Are members of the group u_windowsinfrastructure_adcs_autoenroll
Do not have GPO inheritance blocking.

What You Need to Do:

Nothing. There is no immediate impact to you.

At this time, none of your computers are affected. You may choose to opt your computers into this as part of the emerging Active Directory Certificate Services (AD-CS) service option. More on this is forthcoming.

More Info:

The specific setting in this GPO is:

Computer/Policies/Windows Settings/Security Settings/Public Key Policies/Certificate Services Client – Auto-Enrollment Settings/

Automatic certificate management=Enabled

Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates=Enabled

Update and manage certificates that use certificate templates from Active Directory=Enabled

Enabling this client computer setting is required to provide the AD-CS service option with auto-enrollment. We’ve purposely scoped this change so you retain management of your computers; you need to take an action for this computer configuration to affect you. Our goal is to respect your autonomy in how you manage your computers. However, it makes a lot of sense to have a single toggle which enables a desired outcome, so we’ve designed this mechanism in such a way that your intention and the desired outcome is directly connected.

Put in a more concrete way, in the future, you may choose to have some of your computers automatically get a certificate by adding them to a group. By adding them to this group, you’ll be allowing this GPO to configure the client-side setting and allow access to a specific certificate template. The end result will be that those computers will automatically end up with a certificate. J

If you have computers in an OU which blocks inheritance, there are workarounds that are in our customer documentation, so no worries.

We’re pretty close to releasing this new service option, and will be sending a little more info to the uwwi-discuss@uw.edu mailing list for eager folks to kick the tires. You can expect further details here soon. For your benefit, below I’ve included the prior change we made to enable this emerging service option.

If you have questions about this change, please send an email to help@uw.edu with “UWWI AD-CS autoenrollment change” in the subject line.

Brian Arkills

UW Windows Infrastructure Service Manager

UW-IT

From: Brian Arkills Sent: Monday, November 2, 2015 1:09 PM To: ‘uwwi-announce@uw.edu’ <uwwi-announce@uw.edu> Subject: Certificate services for delegated OUs

The UW Windows Infrastructure has deployed a public key infrastructure consisting of a 2 tier certificate authority, whose initial purpose is to provide automatic certificate enrollment and certificate deployment for delegated OU computers running Windows.

What and When:

On 10/16/2015, UWWI deployed an Active Directory published root certificate authority named netid-root-CA. Being AD published means that domain-joined computers trust it by default.

On 10/23/2015, UWWI deployed an Active Directory integrated issuing certificate authority named netid-issuing-CA. Being AD integrated means that:

domain-joined computers trust it by default,
domain users and computers can request and retrieve certificates from it, leveraging the secure channel trust already in place
issued certificates can be published to the appropriate AD object (which enables a variety of uses)
certificate revocation lists are published to AD, enabling domain-joined computers to reliably determine whether a given certificate is still valid

Like the UW Services CA, these certificate authorities are not publicly trusted. This limits their usefulness to UW internal purposes—for example, you wouldn’t use this CA to enable HTTPS for a public website.

In the near future, on a per OU basis, we’ll provide a group which OU admins will be member managers for. You can add computers as members to this group to direct them to automatically enroll for a “Computer” certificate, with client authentication and server authentication uses. Unlike most other certs you’ve used, these certs automatically get renewed, and require no further human involvement. More details on the nature of these certs is available below. More details on this coming capability will be shared when this is ready.

What You Need to Do:

At this time nothing. We wanted to let security conscious customers know that we changed the certificate authority trust of domain-joined computers intentionally as part of a planned release. We’ve mentioned this intention several times over the last year, and the deployment of capabilities is now approaching.

We’ll let you know when we have enabled this new capability for your OU. At that time, you can add computers to a group and get automatic certificate enrollment to these computers.

More Info:

This capability was added due to strong customer interest in lowered costs for certificate management. Based on customer need analysis, there were enough internal-only uses and cost-savings to move forward, even though this may make the UW certificate story a little more complicated. Given how handy an AD integrated CA is, we believe there will be more use cases identified and future capabilities–in fact, there is currently customer interest in exploring three other use cases. More information on these use cases and future capabilities will be coming over the next few months.

Do be aware that for UW internal use cases you may need to ask a service to trust the netid-root-CA and netid-issuing-CA in order to leverage the client authentication capability. For example, the Groups Web Service does not currently trust these certificates.

If you need to get a copy of the CA certs, they are available at:

http://thrawn.uw.edu/CertEnroll/cracken.netid.washington.edu_netid-issuing-CA.crt

http://thrawn.uw.edu/CertEnroll/madine.netid.washington.edu_netid-root-CA.crt

Additional details on the “Computer” certificate:

Validity: 1 year

Renewal: 6 weeks

Private key is not exportable

Minimum key size of 2048

Subject name is based on dnsHostname attribute of AD computer object

Additional technical details on the two new certificate authorities:

Both are implemented in a manner such that if we later needed to, we can meet FIPS compliance, although at this time we are not using a HSM module for private key storage. The root CA is designed to be an “offline” CA hosted in Azure, brought online at least once a year to republish the certificate revocation list (CRL). Hosting this CA in Azure allows us to save costs since it is offline most of the time, and their hosting practices are as good or better than ours (e.g. they have rolling audits to meet various regulatory certifications). We are hoping that in the future Microsoft provides a virtual HSM capability for AD-CS integrated with its Azure Key Vault.

Brian Arkills

UW Windows Infrastructure Service Manager

20160422: Rename: UW Windows Infrastructure -> Microsoft Infrastructure

What and When:

Over the next month or so, we’ll be updating our references to UW Windows Infrastructure (and UWWI) to Microsoft Infrastructure. You will see documentation and mailing lists like this one be updated to reflect this name change. We will likely also update our name in more obscure places, e.g. we are considering a change to our Groups Service stem.

What You Need to Do:

Nothing. This is an advisory note to keep you informed so you aren’t taken by surprise by planned service offering name change activities.

More Info:

This mailing list is replaced with mi-announce@uw.edu. This is the last email you’ll see to uwwi-announce@uw.edu.

Uwwi-discuss@uw.edu is replaced by mi-discuss@uw.edu. I’ll send a separate note to that list.

Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT

Nebula VPN Service Change for Mac Users

The Nebula VPN service for Mac users is being retired. All Mac Users will be required to switch to the new campus VPN service “Husky OnNet” before Tuesday, May 31, 2016.

There is no charge for the “Husky OnNet” service. This service is provided as part of the Technology Recharge Fee. The new service is available to UW Staff, Faculty, and Students.

When:

Wednesday, June 1st the vpn.nebula.washington.edu and the associated VPN server will no longer be available. The legacy Nebula VPN server is being replaced by vpn.netid.washington.edu.

What You Need to Do:

If you are a Nebula VPN customer using a Mac, you need to switch and begin using the new campus VPN service “Husky OnNet” before May 31, 2016.

Instructions for downloading “Husky OnNet” for MacOS users are available at:

https://it.uw.edu/connect/uw-networks/about-husky-onnet/use-husky-onnet/

Note: Make sure your Mac only users, are removed from your VPN only eligible users group. If you are unsure of what your VPN eligibility group is, send an e-mail to help@uw.edu.

If you are a Nebula VPN customer not using a Mac, it is unlikely you will be impacted by this change. However, if after this change you encounter a problem with your Nebula VPN services, it is likely the VPN configuration on your computer is misconfigured to use the legacy Nebula VPN server. In that case, you should follow the instructions using the link below and reinstall your Nebula VPN client configuration.

https://it.uw.edu/wares/nebula/using-computer/connecting-remotely/nebula-vpn-service/

More Info:

We are evaluating the new “Husky OnNet” VPN service for our Windows based clients to see if it makes sense to continue to offer the Nebula VPN service. If you would like to provide feedback

Microsoft Infrastructure documentation migration/consolidation

We’re combining our documentation into IT Connect. A few exceptions that don’t work well on that platform will remain in the UW-IT Wiki.

What and When:

Over the next several weeks, we will be migrating the Microsoft Infrastructure documentation into IT Connect (https://it.uw.edu). Our documentation will live under https://it.uw.edu/wares/msinf/.

Our content has been splattered across multiple locations, including a web hosting platform we run for ourselves. It doesn’t make sense for us to run something separate, and consolidating on IT Connect should improve discoverability of that content.

Related to the service rename previously announced, we’ve already moved most of the content that was previously in the UW-IT wiki space named UW Windows Infrastructure to the IT Connect location noted above.

What You Need to Do:

This notice is partly advisory so you know to expect some changes, but you may also have an action to take.

If you host links to our content or have bookmarked pages, you may want to update them. Where we can, we’ll put in page redirects to the new location and maintain those old pages for 3 months to facilitate this. Because this documentation migration is not complete and will span a couple week period, we’ll send another note when we’re done so you know when to do that activity.

More Information:

Unfortunately, not all of our content can move to IT Connect. A few things will need to be on the UW-IT Wiki platform. We’ll clearly link to those pages, have navigation aids from those pages back to IT Connect, and clearly note that this wiki space is an ancillary location. That ancillary UW-IT Wiki space is https://wiki.cac.washington.edu/display/MSINF/Microsoft+Infrastructure, and it’ll have things like request forms, the public proposals with analysis we’ve previously shared, and other documents with flexible editing needs.

The web location www.netid.washington.edu will retire in about 3 months. It served us nicely for 10 years. J

Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT

Nebula2 domain end of life: April 3, 2017

The Managed Workstation Service plans to move the Nebula2 domain to end of life on April 3, 2017.

What and When

On April 3, 2017, the Managed Workstation Service plans to shut down the Nebula2 domain.

The Managed Workstation Service has planned to migrate to the NETID domain for many years. Moving the Nebula2 domain to end of life by April 2017 will allow us to remove that cost from the Managed Workstation Service core rate for FY18, greatly simplify the infrastructure, and allow the Managed Workstation service to leverage additional capabilities provided at no additional cost via that service.

Over the course of the next year, you will see a series of changes to transition the design of the Managed Workstation service from the Nebula2 domain to the NETID domain. We will communicate about those changes separately, but from a big picture, these will include:

-Automatically disable any unused Nebula2 user account (~May 2016)

-Move Mac VPN services to end of life; replaced by Husky OnNet VPN (~May 2016)

-By department, disable still active Nebula2 user accounts; will allow self-service re-enable to mitigate impact (~May-July 2016)

-Work with customers who have included Nebula2 in their server/application designs outside the scope of the Managed Workstation service (~May 2016-March 2017)

[Note: Standard Managed Servers customers leveraging Nebula2 will receive assistance via that service]

-Begin workstation migrations of departments with no active Nebula2 user accounts (~August 2016)

-Complete workstation migrations (~December 2016)

What you need to do

If you have a server in the Nebula2 domain, it is time to migrate it.

If you have an application or other IT infrastructure which depends on the Nebula2 domain, it is time to begin planning how to change it to the NETID domain.

If you are still using a Nebula2 user account, it is time to stop using it, and instead use a NETID user account. The only remaining part of the Managed Workstation service design which requires a Nebula2 user account is the Mac VPN, which will move to end of life very soon. You can follow our self-service instructions here: https://it.uw.edu/wares/nebula/adding-users/changing-to-netid-logins/

More Info

Customers still using the Nebula2 domain beyond April 3, 2017 will likely need to bear the full cost of that infrastructure, as it is not fair for all customers to bear that cost beyond this timeframe.

If you have questions about this planned change a year from now, please send an email to help@uw.edu with “Nebula2 domain shutdown” in the subject.

If you have a server or application you need help with, please send an email to help@uw.edu with “Nebula2 server/application domain migration” in the subject.

Brian Arkills

Managed Workstation Service Owner

Backup retention period adjustment for deleted files

The Managed Workstation Service plans to align its retention practices for deleted files with a newly approved UW reference architecture practice; deleted files will not persist in backups beyond 90 days.

What and When

In concert with the supplier which provides the infrastructure for Nebula File services, we plan to implement changes to our backup retention. We will implement this change over the coming weeks.

We will retain deleted files in Nebula File services no longer than 90 days. Files which still exist may have prior versions available for a longer period. To be available for restore, a file must have been backed up previously.

What you need to do

Nothing. This announcement is purely advisory so you are aware of a change in our practice. If you do regularly delete files stored in Nebula File Services, but have previously counted on the fact that we retain those files for a longer period, you may want to implement a practice of reviewing for accidentally deleted content on a recurring schedule shorter than 90 days.

More Info

Information about using Nebula File Services is available at https://it.uw.edu/wares/nebula/nebula-file-services/

This specific practice is documented at https://it.uw.edu/wares/nebula/nebula-file-services/recovering-files/, along with details about the self-service way to recover files in Nebula File Services and our backup practices.

If you have questions about this planned change, please send an email to help@uw.edu with “MWS backup retention for deleted files” in the subject.

Brian Arkills

Managed Workstation Service Owner

Nebula2 user account disable activity

Unused Nebula2 user accounts will be automatically disabled when they meet a variety of conditions, including after 37 days of no logon activity.

What and When:

On April 11th, 2016, the Managed Workstation service will put into place a new automated practice where Nebula2 user accounts without logons for 37 days will be disabled. When a Nebula2 user account hasn’t been used for 30 days, an email notification will be sent to the associated user, notifying them of the impending action.

We also plan to initiate a disable of all Nebula2 user accounts on a per department basis. For each department, we will contact the department to let them know when we plan to take action.

What you need to do:

Users which receive a notification can logon to their Nebula2 user account if they don’t want it to be disabled. Users can ignore the notification if they have no further need of their Nebula2 user account.

For those whose account has been disabled, if there is a significant need to regain the Nebula2 user account, each user can re-enable their Nebula2 user account themselves (using their UW NetID). Users should make note of what their need is so that we can later assist the user with resolving that issue.

More info:

Nebula2 user accounts are in containment (we don’t create them any more without a compelling justification). The Managed Workstation service expects to retire all Nebula2 user accounts during fiscal year 2017, and this will help everyone by making it clear which Nebula2 user accounts are still in use. The Managed Workstation service design does not require a Nebula2 user account–a NETID user account is recommended.

Your department may have designed your own services so that they are dependent on a Nebula2 user account. If so, you should prioritize design changes to the NETID user account.

If you need assistance transitioning to a NETID user account, please refer to http://www.washington.edu/itconnect/wares/nebula/changing-to-netid-logins-in-nebula/ or send a request for assistance to help@uw.edu.

This activity does not relate to eligibility groups, nor will it result in loss of an Nebula home directory—it is only about whether a given Nebula2 user account is enabled or disabled. J

Run Advertised Programs -> Software Center

The Managed Workstation Service is upgrading the software we use to deploy applications to managed workstations.

What and When

Beginning April 5^th through April 19^th, we will be migrating all managed workstations to a new management infrastructure which provides improved capabilities.

Most of the improvements won’t be visible, however, this will change how you install additional applications on your computer. A new “Software Center” will replace ‘Run Advertised Programs’. While Software Center is functionally similar to ‘Run Advertised Programs’, the Software Center provides a better user experience and is more fully integrated into Windows 10. The link in the More Info section describes the Software Center user experience.

The migrations of managed workstations to this new management infrastructure will start on April 5^th and will take up to two weeks to complete. During this time, there is no change in behavior or service for those computers that haven’t yet migrated—they will continue to use the ‘Run Advertised Programs’ mechanism until migrated.

What you need to do

No immediate action is required. Prior to your computer migrating, software will remain available via “Run Advertised Programs”. Once your computer has migrated, the new “Software Center” will become available.

More Info

See https://it.uw.edu/wares/nebula/software/ for more info on Software Center. If you need to reference the old instructions for Run Advertised Programs, that will remain available at https://it.uw.edu/wares/nebula/news/software-old/#RunAdvertisedPrograms until the end of April.

This change represents a lot of work we’ve been doing behind the scenes to keep the infrastructure we provide current and relevant. The user experience change noted here is accompanied by a number of new capabilities which we’ll look to leverage in the coming year. We’ve also started work to deploy a duplicate of this management infrastructure in the NETID domain so we are ready to begin computer migrations later this year. We’ll let you know more about new capabilities when they are relevant, but this is a good opportunity to let you know that we continue to invest in improving what we provide to you.

Managed Workstation Newsletter (March 2016)

Welcome to the semi-annual Managed Workstation service newsletter, which brings you valuable updates and information to help you make the most of our services.

New Capabilities and Improvements

Windows 10 Self-service Upgrade: In January, we released a self-service mechanism that allows users to upgrade their Windows 7 or Windows 8.1 computer to Windows 10. More info here. This has been an overwhelming success, with over 20% of Managed Workstations having already made the switch to Windows 10. Customers running Windows 8 or 8.1 should strongly consider upgrading to Windows 10 as we have reduced the support capabilities provided to those operating systems.

‘What Does the Managed Workstation Rate Include?’ Documentation: A common source of confusion surrounding the Managed Workstation Service is understanding our business model and when something is included in the Managed Workstation rate versus something for which we charge an hourly consulting rate. We’ve tackled this question directly in some new documentation which conceptually explains where the line is, and then dives into concrete examples to help you understand the difference.

Capability Map: We developed a capability map for the Managed Workstation Service. Capability maps are a mechanism to facilitate discussion about what capabilities a given service, organization, or technology provides. The purpose for a capability map is that the audience is better able to engage–whether that is to ask for more details, identify and raise unmet needs, or understand the business better including what is planned for the future. Please do ask any questions this inspires–your question may help us to refine the map or prioritize our investments more appropriately.

Infrastructure Upgrades: There have been a series of replacements and improvements related to infrastructure mechanisms behind the Managed Workstation service. Most of these activities are hidden from you as a customer, and it’s great when we can keep these things from impacting the work you do. These include:

replacing an aging Sophos AntiVirus server,
replacing our aging System Center Configuration Manager servers (SCCM) – which provide software packages,
retiring the Internet Explorer Exempt mechanism

Self-service User Eligibility and Accounts: Since the last newsletter, we’ve completed the work to align the user eligibility group mechanism to automatically provision and deprovision the user-oriented capabilities provided by the Managed Workstation service. This puts you in the driver seat of adding and removing users from the Managed Workstation service. If you don’t understand the user eligibility group mechanism, either read the documentation at the link or ask us to explain–this is really important to understand.

This means you no longer request a “Nebula account” when a new employee or person joins your department. Instead, you simply add them to your eligibility group. If you need an Exchange mailbox, you can still ask us to help facilitate that. If you need the new user to have access to a Nebula file service location, in the future, you will also have a self-service mechanism to do that–see the Group Management item below. NOTE: The Managed Workstation service does not provide the Exchange mailbox, we are simply helping you ask the service which does provide that.

A corollary of not requesting a Nebula account is that the Nebula2 user account is no longer required for Managed Workstation services. Metrics suggest only 660 users are still using a Nebula2 user account. By default, we no longer create Nebula2 user accounts for customers because the Managed Workstation service design does not require them. Existing use of Nebula2 user accounts should stop, with customers encouraged to instead use NETID user accounts. We still provide assistance in making this change on your Managed Workstation at no additional cost.

Group Management Services Removed: We will no longer make group membership changes on your behalf. In the far past, the service design for Nebula file services required that the Managed Workstation service manage the groups which owned a given file directory. Several years ago, we changed that design to allow customers to manage the groups which owned a given file directory. We are now requiring customers to take over management of their groups, so if you request a change to one of the groups which currently only we can manage, we will transfer management of that group to you. More information about why we made this change and especially why we think you’ll agree this is a step in the right direction is available here.

Spotlights

Mac VPN – End of Life: We plan to move Nebula VPN services for Mac clients to end of life in the near future. At this time, we do not have a specific date to communicate as we are waiting for the general purpose campus VPN solution to be released. Existing customers of the Mac VPN will have a month after the campus VPN is released to transition to that general offering. We’ll send a separate announcement about this change.

Windows 10 and Office 2016 available: We made an Office 2016 software package available in early January. You can install it via the mechanism described here. Office 2016 is also standard in the Windows 10 image, and in a new Windows 7 image that should be available shortly. In December we made a Windows 10 image available via Lite Touch and full service. In early January we moved Windows 10 to baseline support status, released the self-service upgrade capability mentioned previously, and provided the Windows 10 image via CDW.

NOTE: We also updated our Windows 7 image. Both are available via CDW or Lite Touch.

Home Directory Purge: In mid-February, we deleted undesired home directories. This constituted almost 5200 home directories using 6 TB of space. Under current practices, there is still a copy of that deleted data for a year but a change is pending to only retain deleted data 90 days. More info here.

FY17 Rates: We are in the period of the year where rates for cost-recovery services are under review and being submitted for central review. We can’t say anything definitive about what rates will be, but at this time, we don’t expect any of the rates to increase. Budgeting for approximately the same costs for Managed Workstation Services should be relatively safe. We’ll share more information about rates when they are finalized.

Staffing changes: In January we were sad to see service team member Kay Lutz retire. Kay had served on this team for many years, and we will miss her. Her position is still unfilled, but we hope to return to full strength soon. In September 2015, we welcomed Brian W Smith to the service team. Brian came to us from a customer department, and has shored up our depleted engineering ranks. Brian brings a positive, customer results focused attitude that the entire team has appreciated. Brian replaced the ancient server providing Sophos Antivirus services to Managed Workstations with a minimum of impact on customers, and helped put together the Windows 10 upgrade capability.

Additional Security Offerings: If you have confidential data needs and/or regulatory compliance issues that aren’t currently being addressed, please let us know. We’re designing a solution in this area with a customer. Knowing you would like such a solution will help us to secure central funding to build a capability that addresses this gap. We are currently exploring the following options (which would have some additional ongoing cost):

File service with encryption by default, with additional protections available based on metadata classification or manually intervention,
Audit log collection and analysis to detect undesired/anomalous activity,
More administrative controls on a per computer basis on who has access to desktops,
Managed Workstation encrypted drives (via Bitlocker) with the option to have this on by default,
Password manager (this helps users manage passwords by suggesting strong ones, storing them securely, and provides the option to supply them).

Send an email to help@uw.edu with “Managed Workstation high security” in the subject line if you have interest.

Trends

Below are metrics across the Nebula service. The takeaway statement following each graph compares metrics in the last 6 months to the prior 6 month period. For information specific to you or your department, the MyIT portal has more data: https://support.nebula.washington.edu/myIT/Default.aspx.

Operating System Versions

Takeaways: +0 Total Windows (~3300 today), +550 Windows 10 (~600 total today), -80 Windows 8.1 (~420 total today), -500 Windows 7 (~2250 total today), -10 MacOS (~10 total today)

IE Versions

Takeaways: +400 IE11 (~3200 total today), -215 IE10 (~85 total today), -165 IE9 (~35 total today), -35 IE8 (~15 total today).

VPN Use

Takeaways: +15 sessions on average (~55 sessions average with a peak of 80)

Network

Takeaways: +0 Public network (~2500 total today), +0 Private network (~550 total today)

_{NOTE: This is a new metric we are tracking so net change is not yet available}

Nebula2 User Account Status

Takeaways: +100 Enabled (~5300 total today), +100 Disabled (~4600 total today)

_{NOTE: This is a new metric we are tracking so net change is based on less than 6 month period}

Managed Workstation User Logons

Takeaways: +0 Active User (~2150 total today), -220 Nebula2 (~660 total today), +200 NETID (~2040 total today)

_{NOTE: This is a new metric we are reporting}

Support Requests

Takeaways: Support requests have decreased by 0.8%; 4166 Nebula support records resolved vs. 4203 in prior 6 month period.

Incidents

Takeaways: Incidents have increased by 406%; 73 Nebula incidents resolved vs. 18 in prior 6 month period.
_{NOTE: We believe this significant change reflects a couple factors:}

_{Our guidance to customers to ask for incidents when they are experiencing a work stoppage due to a non-functional Managed Workstation}
_{Increased maturity within the service team in tracking incidents}
_{An increase in unexplained anomalies with Nebula File Services. We have put in place some mechanisms to help us determine the cause for future instances of this, but there is some technical debt here which is part of the reason we do not consider this solution as viable long-term.}

What’s Next

Our objectives for the next six months include:

Bring Mac VPN to end of life, assist Mac based customers in transitioning to new Husky OnNet VPN service, evaluate whether Windows VPN should also move to end of life
Infrastructure replacement, including:
- Complete the replacement of the servers behind our aging software deployment infrastructure (System Center Configuration Manager). There will be some customer noticeable changes which we’ll share before we make this transition.
- Replace the servers providing the database powering much of the Managed Workstation capabilities. This should not be customer noticeable.
- Replace the server providing the Windows File Services, transitioning that into an offering that can handle confidential data with the ability to encrypt data at-rest by default
Activities related to the Nebula2 user transitions.
Begin planning for computer migrations to NETID domain.
In concert with above computer migration planning, transition Nebula’s software deployment capabilities to the UW Windows Infrastructure service so a broader set of the UW can leverage this capability and contribute packages Managed Workstation customers might use.
Reorganize customer documentation and address any gaps
Continue explorations in our partnership with the UW-IT Service Desk to improve the quality of customer handling & routing, and reduce the Managed Workstation rate by identifying activities which they can provide

Of the objectives we listed 6 months ago, here is a summary of our progress:

4 complete: Office 2016, Windows 10 support, customer routing improvements, OS deployment
3 significant progress, work continues: Mac VPN, software deployment infrastructure replacement
3 some progress, work continues: Nebula2 user transitions, planning for computer migrations to NETID, confidential data/high security need explorations

Your Feedback

Supporting your needs for Managed Workstation capabilities is our priority, so we welcome feedback on how we can make the Managed Workstation service more valuable to you. The nebula-announce and nebula-discuss mailing lists are good sources of information. We recommend that each customer have at least one individual join the nebula-announce mailing list. See https://www.washington.edu/itconnect/wares/nebula/contact-us/ for more on how to join.

You can voice your support for future objectives to help us rank priorities, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

Brian Arkills

UW-IT, Managed Workstation Service Manager and Service Owner

Managed Workstation Group Management Changes

The Managed Workstation service will no longer make group membership changes on your behalf.

What and When:

On Friday, March 11^th, we changed our position on whether we’ll manage your group memberships. We no longer provide that assistance.

What you need to do:

No immediate action is required on your part. This notice is advisory so you know that if you request a change to one of the groups which currently only we can manage, we will transfer management of that group to you.

More info:

In the far past, the service design for Nebula file services required that the Managed Workstation service manage the groups which owned a given file directory. These are sometimes called “Nebula groups.” Several years ago, we changed that design to allow customers to manage the groups which owned a given file directory. A year ago, we moved group management to be an additional cost outside the core Managed Workstation rate. This is the next step in a progression based on a careful review of our practices in light of your needs.

We do not have adequate processes to provide group management services; in many cases you believe we are providing some process to ensure requests we receive are authorized or that we somehow know when to remove users who should no longer have access. This has led to many faulty assumptions, and we do not think your needs are being met. You are in the best position to manage your groups, so we believe from the perspective of needing good access control, this is the right step.

We do not provide any added value by making group membership changes for you. By having us make the changes you request, a delay is introduced while you wait for us to make your change. There is nothing special about the group membership changes we make—anyone can make that change. So from the perspective of timely changes made by those who decide who should have access, we believe this is the right step.

We do not think providing group membership management is a capability that is within the primary goal of the Managed Workstation Service. The core capability we provide is managing workstations. If you have a need for someone else to provide a group membership management offering, we believe the Groups Service would have the core competencies to provide that. The Groups Service provides customer assistance at no cost, so you can work with them if there is analysis or orientation needed. We’ll be happy to make sure you get connected with that service team.

The transition of your group will require three things:

The existing group name or the Nebula file service path (e.g. “pottery” or i:\groups\pottery or u_nebula_pottery)
A desired group name (e.g. we’d like to rename u_nebula_pottery to uw_pottery_filedir_pottery)
A desired group of administrators for the group (e.g. the admins should be uw_pottery_roles_groupadmins)

We’ll walk you through this when you have a group change request, so there isn’t need to worry too much about these, but being prepared will make the transition smoother.

We will continue to provide assistance with:

Setting permissions on Nebula file services (i:\groups included) –part of Managed Workstation core rate
Helping you get the right eligibility group(s) set for your department–part of Managed Workstation core rate
Getting a workaround for a Nebula file service failure–part of Managed Workstation core rate
Analysis of your IT problems, like how to model permissions within Nebula file services to achieve your goal—billable at hourly consulting rates
Analysis of your existing access management controls, like ‘what group memberships does Sally have so I can apply those same group memberships to Joe?’—billable at hourly consulting rates. Note1: we’ll help with this, but will not make the group membership changes on your behalf. Note2: The Groups Service would be a better choice to provide this kind of analysis.

Note: all of these examples are included in the recently published ‘What does the Managed Workstation rate include?’ document.

In summary:

we will happily transition management of your existing groups to you at no cost,
there is no expected loss in functionality, and
we suspect that this will mean lowered costs for the service (which could translate into a lower future rate you’d pay).

If you have concerns or questions about this update, please send email to help@uw.edu with “Managed Workstation Services group management change” in the subject line.