
Managed Workstation Newsletter (March 2016)

Welcome to the semi-annual Managed Workstation service newsletter, which brings you valuable updates and information to help you make the most of our services.

New Capabilities and Improvements

Windows 10 Self-service Upgrade: In January, we released a self-service mechanism that allows users to upgrade their Windows 7 or Windows 8.1 computer to Windows 10. More info here. This has been an overwhelming success, with over 20% of Managed Workstations having already made the switch to Windows 10. Customers running Windows 8 or 8.1 should strongly consider upgrading to Windows 10 as we have reduced the support capabilities provided to those operating systems.

‘What Does the Managed Workstation Rate Include?’ Documentation: A common source of confusion surrounding the Managed Workstation Service is understanding our business model and when something is included in the Managed Workstation rate versus something for which we charge an hourly consulting rate. We’ve tackled this question directly in some new documentation which conceptually explains where the line is, and then dives into concrete examples to help you understand the difference.

Capability Map: We developed a capability map for the Managed Workstation Service. Capability maps are a mechanism to facilitate discussion about what capabilities a given service, organization, or technology provides. The purpose of a capability map is to help the audience engage, whether that is to ask for more details, identify and raise unmet needs, or better understand the business, including what is planned for the future. Please do ask any questions this inspires–your question may help us to refine the map or prioritize our investments more appropriately.

Infrastructure Upgrades: There have been a series of replacements and improvements related to infrastructure mechanisms behind the Managed Workstation service. Most of these activities are hidden from you as a customer, and it’s great when we can keep these things from impacting the work you do. These include:

  • replacing an aging Sophos AntiVirus server,
  • replacing our aging System Center Configuration Manager servers (SCCM) – which provide software packages,
  • retiring the Internet Explorer Exempt mechanism

Self-service User Eligibility and Accounts: Since the last newsletter, we’ve completed the work to align the user eligibility group mechanism to automatically provision and deprovision the user-oriented capabilities provided by the Managed Workstation service. This puts you in the driver’s seat for adding and removing users from the Managed Workstation service. If you don’t understand the user eligibility group mechanism, either read the documentation at the link or ask us to explain–this is really important to understand.

This means you no longer request a “Nebula account” when a new employee or person joins your department. Instead, you simply add them to your eligibility group. If you need an Exchange mailbox, you can still ask us to help facilitate that. If you need the new user to have access to a Nebula file service location, in the future, you will also have a self-service mechanism to do that–see the Group Management item below. NOTE: The Managed Workstation service does not provide the Exchange mailbox; we are simply helping you ask the service which does provide that.

A corollary of not requesting a Nebula account is that the Nebula2 user account is no longer required for Managed Workstation services. Metrics suggest only 660 users are still using a Nebula2 user account. By default, we no longer create Nebula2 user accounts for customers because the Managed Workstation service design does not require them. Existing use of Nebula2 user accounts should stop, with customers encouraged to instead use NETID user accounts. We still provide assistance in making this change on your Managed Workstation at no additional cost.

Group Management Services Removed: We will no longer make group membership changes on your behalf. In the far past, the service design for Nebula file services required that the Managed Workstation service manage the groups which owned a given file directory. Several years ago, we changed that design to allow customers to manage the groups which owned a given file directory. We are now requiring customers to take over management of their groups, so if you request a change to one of the groups which currently only we can manage, we will transfer management of that group to you. More information about why we made this change and especially why we think you’ll agree this is a step in the right direction is available here.

Spotlights

Mac VPN – End of Life: We plan to move Nebula VPN services for Mac clients to end of life in the near future. At this time, we do not have a specific date to communicate as we are waiting for the general purpose campus VPN solution to be released. Existing customers of the Mac VPN will have a month after the campus VPN is released to transition to that general offering. We’ll send a separate announcement about this change.

Windows 10 and Office 2016 available: We made an Office 2016 software package available in early January. You can install it via the mechanism described here. Office 2016 is also standard in the Windows 10 image, and in a new Windows 7 image that should be available shortly. In December we made a Windows 10 image available via Lite Touch and full service. In early January we moved Windows 10 to baseline support status, released the self-service upgrade capability mentioned previously, and provided the Windows 10 image via CDW.

NOTE: We also updated our Windows 7 image. Both are available via CDW or Lite Touch.

Home Directory Purge: In mid-February, we deleted undesired home directories. This constituted almost 5200 home directories using 6 TB of space. Under current practices, there is still a copy of that deleted data for a year but a change is pending to only retain deleted data 90 days. More info here.

FY17 Rates: We are in the period of the year where rates for cost-recovery services are under review and being submitted for central review. We can’t say anything definitive about what rates will be, but at this time, we don’t expect any of the rates to increase. Budgeting for approximately the same costs for Managed Workstation Services should be relatively safe. We’ll share more information about rates when they are finalized.

Staffing changes: In January we were sad to see service team member Kay Lutz retire. Kay had served on this team for many years, and we will miss her. Her position is still unfilled, but we hope to return to full strength soon. In September 2015, we welcomed Brian W Smith to the service team. Brian came to us from a customer department, and has shored up our depleted engineering ranks. Brian brings a positive, customer results focused attitude that the entire team has appreciated. Brian replaced the ancient server providing Sophos Antivirus services to Managed Workstations with a minimum of impact on customers, and helped put together the Windows 10 upgrade capability.

Additional Security Offerings: If you have confidential data needs and/or regulatory compliance issues that aren’t currently being addressed, please let us know. We’re designing a solution in this area with a customer. Knowing you would like such a solution will help us to secure central funding to build a capability that addresses this gap. We are currently exploring the following options (which would have some additional ongoing cost):

  • File service with encryption by default, with additional protections available based on metadata classification or manual intervention,
  • Audit log collection and analysis to detect undesired/anomalous activity,
  • More administrative controls on a per computer basis on who has access to desktops,
  • Managed Workstation encrypted drives (via Bitlocker) with the option to have this on by default,
  • Password manager (this helps users manage passwords by suggesting strong ones, storing them securely, and provides the option to supply them).

Send an email to help@uw.edu with “Managed Workstation high security” in the subject line if you have interest.

Trends

Below are metrics across the Nebula service. The takeaway statement following each graph compares metrics in the last 6 months to the prior 6 month period. For information specific to you or your department, the MyIT portal has more data: https://support.nebula.washington.edu/myIT/Default.aspx.

Operating System Versions

[Graph: Operating System Versions, March 2016]

Takeaways: +0 Total Windows (~3300 today), +550 Windows 10 (~600 total today), -80 Windows 8.1 (~420 total today), -500 Windows 7 (~2250 total today), -10 MacOS (~10 total today)

IE Versions

[Graph: IE Versions, March 2016]

Takeaways: +400 IE11 (~3200 total today), -215 IE10 (~85 total today), -165 IE9 (~35 total today), -35 IE8 (~15 total today).

VPN Use

[Graph: VPN Use, March 2016]

Takeaways: +15 sessions on average (~55 sessions average with a peak of 80)

Network

[Graph: Network, March 2016]

Takeaways: +0 Public network (~2500 total today), +0 Private network (~550 total today)

NOTE: This is a new metric we are tracking so net change is not yet available

Nebula2 User Account Status

[Graph: Nebula2 User Account Status, March 2016]

Takeaways: +100 Enabled (~5300 total today), +100 Disabled (~4600 total today)

NOTE: This is a new metric we are tracking so net change is based on less than 6 month period

Managed Workstation User Logons

[Graph: Managed Workstation User Logons, March 2016]

Takeaways: +0 Active User (~2150 total today), -220 Nebula2 (~660 total today), +200 NETID (~2040 total today)

NOTE: This is a new metric we are reporting

Support Requests

[Graph: Support Requests, March 2016]

Takeaways: Support requests have decreased by 0.8%; 4166 Nebula support records resolved vs. 4203 in prior 6 month period.

Incidents

[Graph: Incidents, March 2016]

Takeaways: Incidents have increased by 406%; 73 Nebula incidents resolved vs. 18 in prior 6 month period.

NOTE: We believe this significant change reflects a couple factors:

  1. Our guidance to customers to ask for incidents when they are experiencing a work stoppage due to a non-functional Managed Workstation
  2. Increased maturity within the service team in tracking incidents
  3. An increase in unexplained anomalies with Nebula File Services. We have put in place some mechanisms to help us determine the cause for future instances of this, but there is some technical debt here which is part of the reason we do not consider this solution as viable long-term.

What’s Next

Our objectives for the next six months include:

  • Bring Mac VPN to end of life, assist Mac based customers in transitioning to new Husky OnNet VPN service, evaluate whether Windows VPN should also move to end of life
  • Infrastructure replacement, including:
    • Complete the replacement of the servers behind our aging software deployment infrastructure (System Center Configuration Manager). There will be some customer noticeable changes which we’ll share before we make this transition.
    • Replace the servers providing the database powering much of the Managed Workstation capabilities. This should not be customer noticeable.
    • Replace the server providing the Windows File Services, transitioning that into an offering that can handle confidential data with the ability to encrypt data at-rest by default
  • Activities related to the Nebula2 user transitions.
  • Begin planning for computer migrations to NETID domain.
  • In concert with above computer migration planning, transition Nebula’s software deployment capabilities to the UW Windows Infrastructure service so a broader set of the UW can leverage this capability and contribute packages Managed Workstation customers might use.
  • Reorganize customer documentation and address any gaps
  • Continue explorations in our partnership with the UW-IT Service Desk to improve the quality of customer handling & routing, and reduce the Managed Workstation rate by identifying activities which they can provide

Of the objectives we listed 6 months ago, here is a summary of our progress:

  • 4 complete: Office 2016, Windows 10 support, customer routing improvements, OS deployment
  • 3 significant progress, work continues: Mac VPN, software deployment infrastructure replacement
  • 3 some progress, work continues: Nebula2 user transitions, planning for computer migrations to NETID, confidential data/high security need explorations

Your Feedback

Supporting your needs for Managed Workstation capabilities is our priority, so we welcome feedback on how we can make the Managed Workstation service more valuable to you. The nebula-announce and nebula-discuss mailing lists are good sources of information. We recommend that each customer have at least one individual join the nebula-announce mailing list. See https://www.washington.edu/itconnect/wares/nebula/contact-us/ for more on how to join.

You can voice your support for future objectives to help us rank priorities, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

 

Brian Arkills

UW-IT, Managed Workstation Service Manager and Service Owner

Managed Workstation Group Management Changes

The Managed Workstation service will no longer make group membership changes on your behalf.

 

What and When:

On Friday, March 11th, we changed our position on whether we’ll manage your group memberships. We no longer provide that assistance.

 

What you need to do:

No immediate action is required on your part. This notice is advisory so you know that if you request a change to one of the groups which currently only we can manage, we will transfer management of that group to you.

 

More info:

In the far past, the service design for Nebula file services required that the Managed Workstation service manage the groups which owned a given file directory. These are sometimes called “Nebula groups.” Several years ago, we changed that design to allow customers to manage the groups which owned a given file directory. A year ago, we moved group management to be an additional cost outside the core Managed Workstation rate. This is the next step in a progression based on a careful review of our practices in light of your needs.

 

We do not have adequate processes to provide group management services; in many cases you believe we are providing some process to ensure requests we receive are authorized or that we somehow know when to remove users who should no longer have access. This has led to many faulty assumptions, and we do not think your needs are being met. You are in the best position to manage your groups, so we believe from the perspective of needing good access control, this is the right step.

 

We do not provide any added value by making group membership changes for you. By having us make the changes you request, a delay is introduced while you wait for us to make your change. There is nothing special about the group membership changes we make—anyone can make that change. So from the perspective of timely changes made by those who decide who should have access, we believe this is the right step.

 

We do not think providing group membership management is a capability that is within the primary goal of the Managed Workstation Service. The core capability we provide is managing workstations. If you have a need for someone else to provide a group membership management offering, we believe the Groups Service would have the core competencies to provide that. The Groups Service provides customer assistance at no cost, so you can work with them if there is analysis or orientation needed. We’ll be happy to make sure you get connected with that service team.

 

The transition of your group will require three things:

  1. The existing group name or the Nebula file service path (e.g. “pottery” or i:\groups\pottery or u_nebula_pottery)
  2. A desired group name (e.g. we’d like to rename u_nebula_pottery to uw_pottery_filedir_pottery)
  3. A desired group of administrators for the group (e.g. the admins should be uw_pottery_roles_groupadmins)

 

We’ll walk you through this when you have a group change request, so there isn’t need to worry too much about these, but being prepared will make the transition smoother.

 

We will continue to provide assistance with:

  • Setting permissions on Nebula file services (i:\groups included)–part of Managed Workstation core rate
  • Helping you get the right eligibility group(s) set for your department–part of Managed Workstation core rate
  • Getting a workaround for a Nebula file service failure–part of Managed Workstation core rate
  • Analysis of your IT problems, like how to model permissions within Nebula file services to achieve your goal—billable at hourly consulting rates
  • Analysis of your existing access management controls, like ‘what group memberships does Sally have so I can apply those same group memberships to Joe?’—billable at hourly consulting rates. Note1: we’ll help with this, but will not make the group membership changes on your behalf. Note2: The Groups Service would be a better choice to provide this kind of analysis.

Note: all of these examples are included in the recently published ‘What does the Managed Workstation rate include?’ document.

In summary:

  • we will happily transition management of your existing groups to you at no cost,
  • there is no expected loss in functionality, and
  • we suspect that this will mean lowered costs for the service (which could translate into a lower future rate you’d pay).

 

If you have concerns or questions about this update, please send email to help@uw.edu with “Managed Workstation Services group management change” in the subject line.

Managed Workstation service catalog update

A change to our service catalog entry occurred.

 What and When:

On Friday, March 11th an updated service catalog entry was published at https://it.uw.edu/service/managed-workstation-services/

 

What you need to do:

Nothing. This is purely an advisory to you that we’ve updated the catalog entry that describes the service, so you aren’t caught off-guard.

 

More info:

This update consisted of a couple minor updates:

  • We updated the name used for the service to be more consistent: Managed Workstation Services
  • We removed one of the optional service options at additional cost: group management

This last item needs more explanation, and we’ll cover that in a separate email.

 There will be some additional changes to the service catalog entry in the near future to add links to customer documentation that didn’t exist a year ago when we last updated the service catalog entry, and also to add links to a couple new customer documents we’re writing now. A highly relevant document that will be linked in the near future is one which covers in much greater detail what services are included in the Managed Workstation Services rate and what is billable separately as consulting. We will send a separate note when that document is available, because we believe it’ll be of high interest to most if not all of our customers.

 If you have concerns or questions about this update, please send email to help@uw.edu with “Managed Workstation Services service catalog update” in the subject line.

 

Windows 10 Upgrade

The Managed Desktop service has a self-service capability to upgrade your Windows 7 or Windows 8.1 computer to Windows 10.

 

What and When:

We’ve released documentation and will shortly release a desktop shortcut which enables customers to perform an upgrade to Windows 10.

 

This allows users to upgrade their computer to Windows 10 at a time of their choice without intervention by someone else, similar to how users can choose to install software packages on their computers.

 

We will be sending a notice to all Managed Desktop users about this new capability because their desktop will noticeably change with an icon which enables the upgrade and because we believe all customers should get the information about the ability to upgrade.

 

What you Need to Do:

If you have additional questions, feel free to ask them via help@uw.edu or nebula-discuss@uw.edu.

 

If you run into an upgrade problem, send an email to help@uw.edu for assistance. If the upgrade problem causes an interruption in your ability to use your desktop, call 221-5000, and let the UW-IT Service Center know that you are experiencing an incident with your Managed Desktop. This will result in a more urgent notification to our service team, and a quicker response.

 

More Info:

Documentation:

Should I upgrade my computer to Windows 10?

https://it.uw.edu/wares/mws/design/operating-system-support/should-i-upgrade-my-computer-to-windows-10/

Upgrading to Windows 10

https://it.uw.edu/wares/mws/design/operating-system-support/upgrading-to-windows-10/

 

As noted at the 2nd link above, customers double-click an icon we’ve placed on their desktop to initiate the upgrade. We advise customers to leave plenty of time for the upgrade to happen—the computer won’t be available during the upgrade. Consider starting the upgrade before you leave for the day. You should reboot your computer before starting the upgrade to clear any pending updates, as pending updates could interfere with the upgrade. After the upgrade to Windows 10, the upgrade icon on your desktop will go away—it is only provided to Windows 7 and Windows 8.1 computers.

 

You may have tried upgrading a computer to a prior version of Windows in the past and had a bad experience. That might have left you reluctant to try an upgrade to Windows 10. However, Microsoft completely re-engineered its upgrade process for Windows 10 to make it extremely reliable. If a problem is encountered which prevents the upgrade from cleanly completing, the upgrade can cleanly back out to the original Windows OS without losing anything or introducing any new problems. The reported number of cases where Windows 10 can’t cleanly upgrade is extremely low, to the point that you’ll be hard-pressed to find someone who has experienced it. We haven’t heard of any cases where a Windows 10 upgrade was backed out and wasn’t returned to the same state it was in prior to the upgrade.

Please note: Some icons on your desktop or in the task bar may stop working and will need to be recreated after the upgrade.

Setting Up a Managed Workstation & Lite Touch

The Managed Workstation service has revised and added documentation for the commonly recurring task of setting up a managed workstation, including new documentation for a capability we provide that you may not be familiar with.

 

What and When:

There are two events in this notification:

  1. Notification of new documentation for a capability we believe should have been documented previously.
  2. Notification that there are a few things changing about that capability.

 

New documentation:

We’ve renamed the ‘Hardware and Repair’ document at https://it.uw.edu/wares/nebula/hardware-2/ to be ‘Setting Up a Managed Workstation’ to make it more clear that this documentation is where you go to find out how to do that task. There are three options listed: full service, self-service via CDW, and self-service via Lite Touch.

 

Linked from the ‘Setting Up a Managed Workstation’ document, we’ve also added documentation for a self-service option that provides Windows OS image deployment over the UW Network: https://it.uw.edu/wares/nebula/hardware-2/lite-touch/. Some customers have previously been told about this capability, and may be using it, while others have never been advised it exists.

 

Note: I expect we’ll have future additions to the ‘Setting Up a Managed Workstation’ document, as we are exploring other possible capabilities.

 

Changes to the Lite Touch capability:

We are retiring the legacy server providing the OS images for the Lite Touch capability, and already have in place a new server that provides up to date OS images. The customer interface provided by the legacy server advises customers to use the new server. Existing customers leveraging the Lite Touch capability should update their existing flash drive to use the new server that provides this capability. The legacy server will be unavailable for customer use after Friday, March 11.

 

What You Need to Do:

No action is required, unless you are currently leveraging the Lite Touch network-based OS deployment option. If you are, you need to update your existing flash drives before using it. See the Lite Touch documentation noted above for how to get a fresh flash drive.

 

More Info:

I want to express my apologies to customers who were not previously aware of this capability. Obviously, in the past we failed to document this capability and how you could leverage it. Some customers found out about it by asking, but we really should have represented this capability in our customer documentation before now. The good news is that this is now a capability all Managed Workstation customers can leverage.

 

Many customers use the self-service via CDW option to get their Managed Workstations set up. If that describes your usual approach, you may want to review your options afresh. The CDW option is excellent if you have little or no IT expertise within your department. If you have more than 5 computers to set up at once, we believe it is more cost effective for you to use the full service option (the CDW supplied image option does cost an incremental amount per computer). Finally, if you do have some IT expertise available within your department, you probably want to consider the self-service via Lite Touch option as that does not require any additional payment.

 

If you need to rebuild an existing Managed Workstation, the CDW option isn’t possible, so you may find the Lite Touch option is a good fit if you don’t want to pay for the full service option we provide. One scenario where you may need to rebuild an existing Managed Workstation is if it is compromised. Making sure that everyone has a way to rebuild an existing Managed Workstation that does not require the full service option is one of several reasons this gap in documentation came to light. :)

2016 January

Here’s our semi-annual newsletter update on recent happenings with the UW Windows Infrastructure.

 

==== New Capabilities and Improvements ====

 

* Self-service certificates for Delegated OUs. An AD-integrated certificate authority (AD Certificate Services) has been deployed. This allows Windows domain joined computers to automatically get a certificate which is automatically renewed. See https://wiki.cac.washington.edu/x/_69NB for more details.

 

* Azure Active Directory (AD) External User Invitations. Invitations to users outside the UW can be initiated by anyone with a UW NetID. This allows sharing of data, applications, and services where the method of authentication is Entra ID based. The most commonly used resource leveraging Entra ID that you might want to invite external users to share is likely SharePoint Online, which supports this for sites but not yet for OneDrive for Business. However, external users are useful beyond just SharePoint Online—think of them as federated users on steroids—where not only do you have to provide a user account, but you have a meaningful way to control their access to your resources which works just the same way as it does for a UW user. We have more orientation material on this capability planned.

 

* Entra ID device registration. There are many different ways to get a device registered with Entra ID, across varying operating system platforms. For example, there are three ways to get a Windows 10 device Entra ID registered. Registering your device with Entra ID enables certain data protection and security capabilities. If you take it one step further and join your device to Entra ID (only possible with Windows 10), you get interactive logon using your Entra ID user account. Many of the various ways to do this are not enabled today, but a few are. We have more orientation material on this capability planned, to help everyone wade through all the details.

 

* Microsoft Advanced Threat Analytics. This product provides machine learning capabilities to evaluate activity on domain controllers to identify anomalous events. This tool is capable of identifying attacks and persistent “hidden” compromises of highly privileged accounts.

 

 

==== Spotlights ====

 

* UWWI service staffing availability has been down over the past 12 months—this is because other UW-IT services have had higher priority work and staffing shortages. You may notice a smaller number of new capabilities again in this 6 month period, which is attributable to this smaller investment. We’re waiting for a new employee to start who will help backfill this staffing gap.

 

* An Entra ID governance team spent an intensive amount of time this summer working through the many emerging capabilities Microsoft is providing that are tied to this technology, including identity, access management, device management, and application support. We should have an Entra ID Application Request process soon, thanks to efforts here. And again, we have more orientation material planned. :)

 

* The Enterprise Architecture program has encouraged the use of capability maps to facilitate communication about what’s provided and what’s needed. UWWI has created two capability maps, one for the overall service and one for Entra ID. You can view them at:

UWWI Capability Map: https://wiki.cac.washington.edu/x/sx5JB

Entra ID Capability Map: https://wiki.cac.washington.edu/x/sh1JB

Other services are developing capability maps, and over time you will likely be able to see connections. For example, you may also be interested in the Managed Desktop Capability Map: https://wiki.cac.washington.edu/x/LCBJB.

 

A brief description of the format used may help orient you. The use of color highlights specific capabilities and future planned initiatives in a broad capability area. The left side denotes some desired customer needs and outcomes. What’s within the rectangle with rounded corners is what is provided, although in some cases we haven’t yet provided an item or are planning to retire or divest (see the key to find those cases). The right side is a high level “roadmap” of imagined investment in initiatives. Between the key and rectangle with rounded corners is a laundry list of possible capabilities that we can imagine. Unfortunately, space constrains our imagination, so there are definitely things we’ve imagined but don’t list—we had to make a judgment call.

 

And that’s a really good note to end the description on—within a single page, it is hard to represent something like this, but the goal is not to create a perfect representation, but to encourage good conversations. Please do ask questions about this, either via the uwwi-discuss mailing list or help@uw.edu.

 

* UWWI plans to implement a design to address inactive user accounts. Of the ~770K NETID user accounts, only ~110K have been logged into over the last two year period. Reducing the risk and costs associated with the large set of unused user accounts is the primary goal of this design change. We are still refining the design after gathering some initial feedback within UW-IT, and when we have something we’re happy with, we’ll share it more broadly.

 

* We know that our customer documentation is currently split between two locations and this is not a good situation. We are exploring some options which should greatly improve this, which hopefully will come just in time for all the orientation material mentioned above. :)

 

==== Trends ====

 

* Since July, UWWI has sustained growth: +9 delegated OUs (112 total), +2 trusts (55 total), +~1750 computers (12389 total), +18k users (772k total), -12k groups (96k total).

* UWWI support requests are steady. 224 UWWI support records resolved since the last newsletter (vs. 241 in prior period).

 

You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

 

==== What’s Next ====

 

Our objectives for the 6 months ahead include:

* Explore possible expanded uses of AD-integrated Certificate Authority, as identified by customer business needs

* Explore LAPS-E, a local administrator password management solution. See current discussion on uwwi-discuss about possibilities here.

* Explore Azure MFA and Microsoft Passport as possible Microsoft MFA solutions for the UW, so we are ready for a broader discussion about MFA at the UW later in the year.

* Enable Entra ID Applications, via releasing a request and approval process, working with Microsoft to extend its user consent framework, and providing integration guidance for developers

* Entra ID Application Proxy deployment. This enables on-premises applications to use Entra ID based authentication without making any changes to their existing Windows Integrated configuration. They gain a hardened, cloud-based endpoint, the possibility of leveraging conditional access capabilities such as Azure MFA, and can leverage the logging and security anomaly analysis investments Microsoft is building.

* Deploy Azure Rights Management infrastructure to support RMS pilot exploration for customers with confidential data

* Partner with Nebula to build a high security Windows file service offering in connection with a high security managed desktop offering

* Partner with Nebula to support new Software Deployment Service via SCCM deployment in NETID

* Support growing Nebula migration efforts into the NETID domain

* Explore possibility of offering basic managed desktop offering for a nominal cost (or possibly no cost), re-using the infrastructure Nebula brings to the NETID domain.

* Implement ‘inactive user design’

* UW firewall GPO template to provide customers with a simple way to leverage Windows Firewall

* Deploy Microsoft Identity Manager’s Privileged Account Management capability to provide ‘just in time’ domain admin privileges instead of ‘always on’. This will reduce enterprise risk.

* Preferred Name (assuming this work has investment from the Directory Services service)

* Support emerging Monitoring Service by sharing Windows expertise

 

Of the 14 forecasted objectives we listed in the last UWWI News, here’s a review of how they turned out:

  • 3 were successfully completed: AD-CS, ATA, AAD gov
  • 4 were started and continue: RMS, Software Deployment (SCCM), Nebula Migration, AuthN restrictions
  • 3 were started by a dependent service, but haven’t yet reached the point where we can start: Preferred Name, MFA project, Monitoring service
  • 4 were not started: ADMT, Firewall GPO, PAM, LDAP signing

 

==== Your Feedback ====

 

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

 

The UWWI service has a capability map publicly visible at https://wiki.cac.washington.edu/x/sx5JB. This capability map includes a high-level summary of our roadmap. We can also provide more detailed information about our backlog if you have questions.

 

You can voice your support for future objectives to help us rank priorities by voting in customer surveys when we have them, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

 

Brian Arkills

UW-IT, UWWI Service Manager

IE Browser Support

Browser support changes will be coming on 1/12/2016. Microsoft will drop support for older versions of Internet Explorer, leaving IE11 as the only supported version of Internet Explorer.  Go to the OS and Browser Support page for information.

Undesired H: Drive Purge

H: drive deletions coming for those without departmental eligibility groups

Current staff members who are not in your department’s eligibility group will have their home directory (H: drive) deleted on 1/15/2015. Please verify that all of your staff members have been added to the correct eligibility group before that date.

More info:

Last summer we revealed that there were a significant number of Nebula home directories which we believed were undesired, primarily associated with individuals who had long since stopped having an association with the university. That was primarily because the Managed Workstation service didn’t have an active mechanism to capture when individuals should lose their eligibility for our service. We implemented the user eligibility mechanism, which puts you as a customer in the driver’s seat of provisioning and deprovisioning home directories and some other user-related access. As detailed above, we didn’t complete connecting those eligibility groups with the home directory provisioning and deprovisioning until the end of February.

In December we notified those users with an “undesired” home directory who were still accessing that home directory to let them know that, unless a customer marked them as eligible and paid for that home directory, the home directory would be deleted.

In late January we removed access to undesired home directories.

In mid-February, we deleted undesired home directories. This constituted almost 5200 home directories using 6 TB of space. Under current practices, there is still a copy of that deleted data for a year.

Nebula to disable SSLv3

Nebula will disable SSLv3 on Nebula workstations and servers which still have it enabled.

 

What and When:

On Tuesday, January 5th, 2016, Nebula will configure managed desktops and its servers to no longer permit SSLv3.

 

SSLv3 is broadly used to encrypt sessions, but it is also very old and now considered insecure. Disabling SSLv3 should have little to no impact because there is broad support for TLS and no obvious impact on the user experience from using TLS instead of SSLv3. While the most secure option should be chosen when a client connects to a server, there are situations where that doesn’t happen, so this change will ensure that Nebula does not permit a less secure scenario.

 

What You Need to Do:

Nothing, unless you are responsible for a web server or other service that uses this protocol, in which case you should update to a stronger encryption protocol as soon as possible.

 

This is primarily an advisory to let you know that we’re making a design change to make Nebula more secure.

 

More Info:

There is a vulnerability in the cryptographic protocol Secure Sockets Layer version 3, or SSLv3 (see https://technet.microsoft.com/en-us/library/security/3009008.aspx). In order to prevent malicious actors from intercepting your data, Nebula is disabling the weakened protocol SSLv3 for all Nebula managed desktops and all Nebula servers.

 

This change could affect anyone still using a service protected with SSLv3, and anyone using a version of Internet Explorer prior to 11. Since this protocol is being dropped across the industry, it is unlikely that you will be affected unless you use a site or service still only using SSLv3. If you anticipate or experience any difficulties that you believe are related to this change, please email help@uw.edu with the subject line “Nebula SSLv3 Change”.
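For anyone responsible for a web server or other service, as covered under "What You Need to Do" above, one way to confirm that your own service no longer accepts SSLv3 is to offer it an SSLv3-only ClientHello and read how it answers. This is an added example, not Nebula's tooling or part of the original notice; the function names, the cipher-suite offer and the result strings are assumptions chosen for illustration.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# Constructed offer: AES128-SHA, AES256-SHA, 3DES-EDE-CBC-SHA, RC4-128-SHA (RSA key exchange)
SUITES = [0x002F, 0x0035, 0x000A, 0x0005]

def build_client_hello(random_bytes=None):
    """Return one SSLv3 record holding a ClientHello that offers only SSLv3."""
    random_bytes = random_bytes or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (SSL3 + random_bytes
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Interpret the first record bytes the server sent back."""
    if len(data) >= 7 and data[0] == 0x15:              # alert record: level, description
        return "refused (alert %d)" % data[6]
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        # ServerHello: the chosen version follows the 4-byte handshake header
        return "ACCEPTED SSLv3" if data[9:11] == SSL3 else "refused (other version)"
    return "refused (no handshake reply)"

def read_exact(sock, count):
    # Read up to count bytes, stopping early if the peer closes the connection.
    data = b""
    while len(data) < count:
        chunk = sock.recv(count - len(data))
        if not chunk:
            break
        data += chunk
    return data

def probe(host, port=443, timeout=5.0):
    """Offer SSLv3 only to host:port and report how the service reacts."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            header = read_exact(sock, 5)                # record type, version, length
            length = struct.unpack("!H", header[3:5])[0] if len(header) == 5 else 0
            return classify_reply(header + read_exact(sock, min(length, 6)))
    except OSError:
        return "no answer (connection failed, reset or timed out)"
```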