Skip to content

Archives: Service News

News content type for use by UW-IT Services on IT Connect

Network Incident -> Groups Incident -> UWWI incident

Some UWWI groups are not currently in complete sync with the Groups Service

 

What and When:

This past weekend there was a significant network incident. That led to a Groups Service incident. The impact of the Groups Service incident was that change notifications for groups changed during that part of the weekend were never sent to UWWI.

 

UWWI also had an incident because of the network incident and had to restart our group agent, but that only delayed the processing of group change notifications. However, most of the group change notifications were missing in action because the Groups Service was had its own incident.

 

9172 groups were changed during that period, but due to our efforts, there are now less than 7100 UWWI groups which are out of sync from the Groups Service. Affected course groups have already been fixed.

 

What You Need to Do:

Be aware that there may be some slight group inconsistencies in UWWI for a little while longer.

 

More Info:

We have a standard way of resyncing groups which are out of sync, and once a month every group is subjected to this examination to ensure that no group falls out of synchronicity. This process is more resource intensive (it examines the state, figures out what is missing, and then fixes it, instead of just applying the changes). We’re selectively applying this to the group changes that went missing during the Groups Service incident, but it’ll take a bit for that to reach completion.

 

There are ~91,000 total groups in UWWI so this affected about 1/10 of all UWWI groups.

 

Brian Arkills

UW Windows Infrastructure Service Manager

 

Nebula News (September 2015)

Welcome to the semi-annual Nebula service newsletter, which brings you valuable updates and information to help you make the most of our services.

New Capabilities and Improvements

  • Nebula file services ala carte: Nebula file services are available separate from Nebula Managed Desktop. Prior to FY16, customers which only wanted shared file services from Nebula needed to follow an awkward path and were charged in an awkward method. There were also some customers paying more than their fair share of file service costs. Nebula now charges for Nebula file services consistently regardless of whether you also use the Nebula Managed Desktop option. All customers pay $0.25/GB/month (unless you use the Windows file service option).
  • Access to Nebula services: Access is now based on eligibility groups managed by each customer.  Prior to FY16, Nebula access was based on a combination of factors and was rarely fully removed, as we were not always aware of when people came and went.  Now, as users are added and removed from eligibility groups, access to Nebula services will be added or removed and customers can directly manage the memberships of the UW Groups that control access to their services.
  • Rate reduction: The Nebula desktop rate was reduced for FY16. The rate fell from $36.50 to $34.50. We separated the Nebula file service cost from this rate, so that accounts for some, but not all of the reduction. Here’s the rate for an 8 year period for historical context:
  • Billing simplification: We added a new mechanism to benefit the majority of Nebula customers. Many of you wish to use the same budget for a given type of Nebula service charge. The default user budget field will associate the budget you provide with any Nebula home directory that doesn’t have one explicitly assigned. The default computer budget field will associate the budget you provide with any Nebula managed desktop that doesn’t have one explicitly assigned. If you use the same budget for all of your desktops or all of your home directories, this means you don’t have assign a budget to each individual desktop or home directory.

Spotlights

  • Customer meeting: A Nebula customer meeting is scheduled for Wednesday, September 16, from noon until 1pm in the UW Tower auditorium. The agenda is to review the material in this newsletter in more detail and take any questions. We look forward to seeing you there.
  • Nebula Account simplification: Nebula now uses department eligibility groups to determine which department a given user belongs to. Customers manage the membership of their eligibility group. This helps to reduce the chance that a user remains associated with a department long after they have moved to another department or left the UW. Nebula removes access if a user is no longer in an eligibility group. In the future, Nebula will create the necessary user accounts for Nebula services based on eligibility group membership. This means that instead of asking us to create an account, you can simply add the user to your eligibility group. This process will not cover an Exchange mailbox, but the MSCA service has future plans to automatically provision a mailbox in a variety of scenarios. In the meantime, if you need a Nebula user account or Exchange mailbox, continue to contact us.
  • NETID user account conversion: Converting from Nebula2 user accounts to NETID user accounts reduces how often you have to log in, reduces our service costs, simplifies the infrastructure needed, and will enable Nebula to leverage investments made in the service providing the NETID user accounts.

Six months ago, we asked customers to self-elect to change to NETID user accounts by this time. We said that at the end of that time frame, we’d be phasing out Nebula2 user accounts. In the coming months, you can expect communication from us about this. We have many future planned steps:

  1. In September, we’ll start by automatically disabling any Nebula2 user account which isn’t being logged into regularly. We’ll provide a mechanism to temporarily re-enable your Nebula2 user account if it is still needed (Mac VPN is a known reason).
  2. For departments which let us know that they are done, we’ll disable all of their Nebula2 user accounts. Several departments have already prioritized their user migration, and this completes their journey by closing the door behind them.
  3. We’ll contact departments which still have active Nebula2 user accounts, and give them a target date on which we plan to disable their Nebula2 user accounts. This will include an offer to provide migration assistance before that date.
  4. When we have contacted every department, we’ll initiate moving the managed computers for each department into the NETID domain. We will accomplish this move via an automatic mechanism which will require a reboot. We’ll move each department based on a schedule we’ll coordinate with you. Temporary exceptions to the migration may be granted, given a compelling business need. This is likely 6 months away, and more details about this will develop in that time period, but if lengthy migration exceptions are needed, Nebula will need to recover the costs of managing the Nebula2 domain and computer management infrastructure (that is no longer core to the service), so there may be an additional charge.

If you’d like to get an early jump on your department (or just a single user) for conversion, please send us an email with “Nebula2 to Netid user conversion” in the subject line. There are self-service or assisted options (and we won’t charge extra for basic assistance). The self-service directions are at https://www.washington.edu/itconnect/wares/nebula/changing-to-netid-logins-in-nebula/

  • Windows 10: If you are eager to move to Windows 10, you can do that now, but you will lose some Nebula capabilities. In a month, we hope to provide the full set of Nebula capabilities to Windows 10. In a couple months, we hope to provide an automated upgrade mechanism that’ll allow you to initiate an upgrade to Windows 10. More details about our Windows 10 plans are here:  http://www.washington.edu/itconnect/wares/nebula/news/nebula-windows-10-readiness/ . Windows 7 will continue to enjoy the full set of Nebula support capabilities. More details about Nebula’s OS and browser support are available at https://www.washington.edu/itconnect/wares/nebula/operating-system-and-browser-support/
  • Customer routing improvements. We’ve heard from several customers that when you have an urgent issue which interrupts your ability to do UW work, it can be hard to get help in a timely way. We are planning on making some changes to improve this issue. More details will be forthcoming.

Trends

Below are metrics across the Nebula service. The takeaway statement following each graph compares metrics in the last 6 months to the prior 6 month period. For information specific to you or your department, the MyIT portal has more data: https://support.nebula.washington.edu/myIT/Default.aspx.

  • Overall usage

Takeaways: +0 computers (~3400 total today), +200 users (~5100 total today), +50 groups (~3050 total today)

  • IE Versions

Takeaways: +50 IE11 (~2800 total today), +0 IE10 (~300 total today), +0 IE9 (~200 total today), +0 IE8 (~50 total today).

NOTE: These 550 customers with down-level versions of IE will be upgraded in January 2016. Please see http://www.washington.edu/itconnect/wares/nebula/operating-system-and-browser-support/#browserLifecycle.

  • Operating System Versions

Takeaways: +50 Windows 10 (~50 total today), +150 Windows 8.1 (~500 total today), -150 Windows 7 (~2750 total today), +0 MacOS (~22 total today)

  • VPN Use

Takeaways: +15 sessions on average (~35 sessions average with a peak of 54)

  • Support Requests

Takeaways: Support requests have grown by 72.5%; 4203 Nebula support tickets resolved since 2/20/2015 vs. 2451 in prior 6 month period.

NOTE: We believe this increase is due to a couple factors:

      • We don’t take direct phone calls any longer, so prior to this many requests had no corresponding request record to track it.
      • We retired a parallel ticketing system (RT) which was only used for consulting requests. Some number of requests in that system were only represented in that system so weren’t included in our prior 6 month total.
      • There was an unusually high amount of service design change over the last 6 months, which resulted in a higher number of questions and interaction. This included completely revamping our customer relationship data, several billing changes, multiple organizations changing their departments to reflect past re-organizations or budgets, and other requests which would not have otherwise occurred.
  • Incidents

Takeaways: Incidents have fallen by 69%; 18 Nebula incidents resolved since 2/20/2015 vs. 58 in prior 6 month period.

What’s Next

Our objectives for the next six months include:

  • Customer routing improvements, as noted above.
  • Activities related to the Nebula2 user transitions, as noted above.
  • Make design changes related to the Mac VPN so it isn’t a blocker for letting go of the Nebula2 user account.
  • Begin planning for computer migrations to NETID domain, as noted above.
  • Replace the servers behind our aging software deployment infrastructure (System Center Configuration Manager or SCCM). We also will explore moving Nebula’s software deployment capabilities to the UW Windows Infrastructure service so a broader set of the UW can leverage this capability and contribute packages Nebula customers might use.
  • Activities related to Windows 10 support, as noted above.
  • Adding an OS deployment capability, including a self-service automated upgrade in place option
  • Provide a package for Office 2016, after it is released
  • Via a pilot with some higher risk departments, explore a solution that provides data encryption capabilities regardless of where the data is stored, has broad cross-platform support and advanced tracking capabilities (Azure RMS). We suspect this is a strategically important technology for risk mitigation, but we need to verify.

Your Feedback

Supporting your needs for Managed Workstation capabilities offered via the Nebula service is our priority, so we welcome feedback on how we can make the Nebula service more valuable to you. The nebula-announce and nebula-discuss mailing lists are good sources of information. We recommend that each customer have at least one individual join the nebula-announce mailing list. See https://www.washington.edu/itconnect/wares/nebula/contact-us/ for more on how to join.

You can voice your support for future objectives to help us rank priorities, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

Brian Arkills

UW-IT, Nebula Service Manager

Nebula IE version support changing in January 2016

Nebula will no longer support older versions of Internet Explorer.

 

What and When:

On January 12, 2016 Microsoft will drop support for older versions of Internet Explorer, leaving IE11 as the only supported version of Internet Explorer.

 

Following UW security guidelines, Nebula will also remove its support, because web browsers without vendor support no longer get patches for security vulnerabilities.

 

To implement Nebula’s change in support, Nebula will retire the mechanism it has provided to defer automatic IE version upgrades. The mechanism to defer allowed individual computers to avoid the automatic upgrade of IE version, but was available only upon request. Nebula will continue to provide the automatic update mechanism.

 

What you need to do:

Nebula computer has a version of IE older that version 11, then your computer will be affected, otherwise you are unaffected.

 

If you are affected, we encourage you to explore your alternatives. Options to pursue may include:

-try to use the latest IE version. If you’d like to remove your IE version upgrade exception before 1/11/2016, please let us know.

-try another browser. Most applications do support browsers other than IE.

-talk with the application vendor about their browser support plan given that Microsoft will no longer support older IE versions

 

If there’s anything else Nebula can do to assist, please feel free to contact us at help@uw.edu. We’d be happy to provide assistance on a consulting basis.

 

More info:

Microsoft’s announcement of this change came via the IEBlog over a year ago.

 

Nebula’s browser support is documented at http://www.washington.edu/itconnect/wares/nebula/operating-system-and-browser-support/.

 

Entra ID External User invitations enabled

The UW Windows Infrastructure has enabled External User invitations in our enterprise Entra ID.

 

What and When:

Entra ID External User invitations can now be initiated by any user in our enterprise Entra ID, i.e. anyone with a UW NetID. This enables the possibility of collaborative sharing with non-UW identities for those applications which rely on Entra ID for identity.

 

What You Need to Do:

No action is required, but if you run an application that relies on Entra ID you can now evaluate whether you want to enable External User sharing in your application. If you do enable External User sharing in your application, we advise the following:

  1. Regularly review access to your application and where no longer necessary, remove any External Users access. We suggest you do this at least once a year.
  2. If there is a setting to distinguish between UW users and External Users, we suggest you enable that setting to help avoid granting access to mistaken identities.

 

More Info:

The External User capability allows a user account in another Entra ID tenant or a Microsoft account to be represented as a guest in our Entra ID tenant. As a guest, they can be granted access to applications and data, but they do not have the same default level of permissions as a UW user. At this time, guests can not invite other External Users. External users authenticate to their Entra ID tenant or the Microsoft Account identity provider.

 

If you’d like to read more about the Entra ID External User capability, we recommend the following:

-See https://msdn.microsoft.com/en-us/library/azure/hh967632.aspx, review the section entitled “Create and use external users”

-See https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environment-C8A462EB-0723-4B0B-8D0A-70FEAFE4BE85, for the Office 365 application settings related to External Users.

 

NOTE: Just as other applications may need to do something to take advantage of this change, this change does not enable External User capability for any Office 365 application. The MSCA service will need to separately enable that capability for each Office 365 application, as it deems appropriate.

 

Our enterprise Entra ID is uwnetid.onmicrosoft.com, but has domains such as uw.edu, u.washington.edu, and washington.edu associated with it.

 

The UWWI service is following the guidance of the Entra ID governance team, put into place by the UW Enterprise Architecture program. Many thanks to the sage advice of that team.

 

Brian Arkills

UW Windows Infrastructure Service Manager

Nebula Windows 10 Readiness

Nebula has been hard at work getting ready for Windows 10 for many months. Since this is a popular topic of interest, here’s a status update.

Basic Readiness

If you want to deploy a computer with Windows 10 enterprise, you can do that now. Contact us if you need help with that. The most basic of our processes are ready for that, but at this time, there are significant limitations to our support capabilities (see Full Support below), so we’d suggest you hold off a month.

If you wait a month, the story will improve significantly, and if you wait a couple months, we hope to manage the upgrade for you (see Special New Capabilities below).

Looking further out, we’ll be adjusting the specific operating systems we support (see Consequences of a New Windows OS below).

We plan to have more detailed messaging about Windows 10 support in the future, covering expectations and actions to take if you are ready to upgrade.

Full Support

There are several missing support capabilities which might lead you to delay a little longer:

  1. We do not yet have a Windows 10 image. We plan to have one ready within the next couple of months.
  2. There is not yet a Sophos version (the anti-virus software supported by Nebula ) released in Nebula that is compatible with Windows 10. The vendor has released a compatible version, but Nebula has a policy of not deploying the latest version to avoid “broken” versions (which have happened often enough in the past to justify this). If a newer Sophos version doesn’t come out by 8/30/2015, we’ll manually override our policy to address this.
  3. We have not yet had a chance to evaluate and implement the configuration settings needed to support Windows 10 in a managed environment like ours.
  4. We do not yet support basic computer inventory or software distribution to Windows 10. This capability is blocked by a project to update our software delivery and management system. With the Nebula file service design change complete and more engineering resources available in September, we plan to complete this in September.

With respect to #3, we expect that some of these settings will represent major changes to the status quo. For some of these settings, we are still waiting on information from Microsoft while for others, we simply need time to figure out what’s new and plan our desired design. For example, with Windows 10 Microsoft plans to change how updates work. We know this means our existing mechanism that allows customers to defer IE upgrades has reached its end (Microsoft’s stated end of life for IE8-10 on 1/12/2016 is another reason that mechanism has reached end of life) . But Microsoft hasn’t fully shared the details of the update options it imagines for enterprise customers, so we still need time to evaluate what our approach will be.

If you do choose to deploy Windows 10 in Nebula at this time, you should expect that we will implement settings that will affect you later.

Special New Capabilities

Nebula plans to build a new operating system deployment mechanism. We’re hoping to provide an automated upgrade in place experience as part of this new mechanism, which would save you time and money, cut down on our overall costs, and improve our future agility to new operating system releases. We do not have an estimate for when this capability will be ready–it partially depends on the project to update our software deliver and management system, but also will require additional work. We’re hoping to have this ready in the Fall timeframe.

Consequences of a New Windows OS

Nebula has long had a policy of supporting the most recent OS, plus one prior OS, with a grace period for previous OSes, but hasn’t been especially clear which OSes were specifically supported. That’s been addressed in a new document: https://it.uw.edu/wares/nebula/operating-system-and-browser-support/

The short version with respect to Windows 10 is that it’s supported, but with limited capabilities (see above). We’ll continue to consider Windows 7 supported as the prior OS we will continue to support. After we’ve addressed #1-4 noted above, we’ll consider Windows 8.1 to be in a grace status for a year–in other words, we’d like anyone running Windows 8.1 to upgrade to Windows 10. We’re choosing to drop support for Windows 8.1 instead of Windows 7, following Microsoft’s lead in terms of the support it is providing.

The intention here is not to inconvenience anyone, but to encourage everyone to move to a well-supported operating system, so we’ll tweak our plans as needed to follow that intention. So if for some reason, we don’t provide the automated upgrade capability for quite a long time, we’ll extend the grace period for Windows 8.1.

Changing from Nebula2 to UW NetID login

Changing from Nebula2 to UW NetID login 

The Nebula service has set a goal for its UW-IT customers to stop using their Nebula2 user accounts and switch to using their NETID user accounts before April 2015. This is part of a larger initiative consolidating Windows domains, supports the IM Infrastructure Refresh project, and is a blocker for several other Nebula goals such as splitting off a separate Software Distribution Service.

Any customer can make the switch themselves. Hundreds of other Nebula customers have made the switch to only using a NETID user account, and there is no risk to trying the switch because you can revert back to using the Nebula2 user account. There is helpful documentation to assist customers that want to do this self-service at https://it.uw.edu/wares/nebula/contact-us/news/netid-logins/.

Alternatively, Nebula will provide 30 minutes of assistance (at no additional cost beyond the Nebula core fee) to help customers make the switch. We will have dedicated staff available during a specific period for your UW-IT division, but you can also send a request for help at any time to help@uw.edu. If you believe you are no longer using your Nebula2 user account, you can send a request to disable the account, which will help you ensure you don’t have any hidden lingering dependencies on it.

Entra ID device join

The UW Windows Infrastructure has limited who can join devices to our enterprise Entra ID . This capability is more broadly possible with the release of Windows 10.

 

What and When:

The UWWI service is following the decision/guidance of the Entra ID governance team, put into place by the UW Enterprise Architecture program. Many thanks to the sage advice of that team.

 

Entra ID device join has been put into a limited, exploratory stage. It changed from the default setting where anyone with a user account in our enterprise Entra ID (currently anyone with a UW NetID) could join any capable device, to a very small group.

 

What You Need to Do:

No action is required. If you Entra ID joined one of the 50 devices already Entra ID joined, we’ll be contacting you to ensure you know the implications, our guidance, and that you have the option of disconnecting from Entra ID. See https://cloudpuzzles.net/2015/03/disconnecting-a-windows-10-device-from-azure-ad/ for a walkthrough of disconnecting.

 

More Info:

This notice will be sent to techsupport@uw.edu on the existing Windows 10 thread.

 

Our enterprise Entra ID is uwnetid.onmicrosoft.com, but has domains such as uw.edu, u.washington.edu, and washington.edu associated with it. So when a user enters a username of <uwnetid>@uw.edu in the Entra ID device join experience, they end up in our enterprise Entra ID.

 

The Entra ID device join capability has:

-no delegated administration

-requires InTune licensing or another MDM product to realize the same device management value as AD join

-the ability to centrally do a partial device wipe

-the ability to join mobile devices which are incapable of AD join

 

While there are some new and exciting capabilities here, we believe this represents an immature offering for our environment, so are limiting its availability at this time. We will continue to explore this capability, reviewing it for positive steps in maturity and utility for the UW.

 

NOTE: This capability is different from Workplace Join (which we don’t currently support), and also separate from the Entra ID Conditional Access capability which can use AD joined devices as part of access control decisions.

 

If you’d like to read more about the Entra ID Device Join capability, we recommend the following:

-http://blogs.technet.com/b/in_the_cloud/archive/2015/05/28/managing-azure-active-directory-joined-devices-with-microsoft-intune.aspx

-http://blogs.technet.com/b/ad/archive/2015/05/28/azure-ad-join-on-windows-10-devices.aspx

 

If you have reason to partner with us to explore this capability, please contact UWWI via help@uw.edu.

 

Brian Arkills

UW Windows Infrastructure Service Manager

 

 

1st Nebula billing cycle for FY16

We are approaching the 1st FY16 monthly billing cycle for Nebula. This is an informational update so you have a chance to update information feeding that billing cycle. We are also providing an update on our plans related to removing Nebula resources that are not claimed (paid for).

 

What and When:

Earlier today, Nebula processed all the eligibility groups for departments for the first time, re-assigning users based on the membership of your eligibility group.

 

This was the bulk user “purge” we asked everyone to patiently wait for—thanks for waiting, it saved us a lot of time and kept our costs down. For many reasons, we didn’t actually purge any users—we simply just marked users who no one claimed for their department for later action (more about that below). If you review your users in MyIT, you will see that it reflects your eligibility groups.

 

Nebula will submit billing charges for July 2015 at the end of the month.

 

You can review your expected charges for Nebula file services and Nebula desktops via MyIT. What is represented in MyIT is based on 3 things:

  1. Which desktops are assigned to your department
  2. Which users are in your department’s eligibility group, which by extension determines which Nebula home directories are associated with your department
  3. Which shared file service paths or Windows file service paths are assigned to your department

 

You can expect that what you see in MyIT is what we’ll submit billing charges for.

 

With respect to our plans for Nebula resources who have no one willing to pay for them, here are our intentions:

  • We will remove access to the home directories of users who are no longer in an eligibility group. All Nebula home directories have a snapshot with a 1 year retention beyond deletion, so even if something is undesired now but you later need access, this is a fallback. We plan to delay deletion of undesired home directories for a month to provide a grace period for mistakes.
  • We will remove access to shared file service paths which have no department assigned. Prior to doing so, we plan to contact all users who have access to the file service path to let them know of the impending action, so there is an opportunity for a department to step forward and pay to continue. Again, we plan to delay deletion for a month to provide a grace period.

 

There are other Nebula configuration we will take action on in the future. Future actions we’ll take include removing “unclaimed” user accounts (and by extension access) on the shared file services, removing access to Nebula VPN services, and removing the “Nebula supported” flag which the UW-IT service desk uses in routing requests.

 

What you need to do:

The mechanisms we’ve created over the last 4 months and may not be as accurate as everyone would like. Since there will be billing charges based on these soon as well as the additional actions I mentioned, it would be best to fix up any inaccuracies now.

 

If you are a contact for a Nebula department, here are the specific things you should do to review:

  • Go to MyIT and review the ‘Users in My Department’ report: https://support.nebula.washington.edu/myIT/myNebulaUsers.aspx. This should only include the users in your eligibility group. If there are missing or additional users, you need to update your eligibility group. NOTE: if you visited MyIT this morning, you are very likely to see a different set of users listed now because we processed the eligibility groups for the first time today. We plan to process eligibility groups once daily, so if you do make changes, you should expect MyIT to reflect those changes the following day.
  • Go to MyIT and review the ‘File Services’ report: https://support.nebula.washington.edu/myIT/fileServices.aspx. This should only include those group directories and home directories for your department (i.e. that you will pay for). If there are missing or additional paths, then send a request to help@uw.edu to resolve the file service assignments. If the amount of usage for a given file service path is unexpectedly large, you may want to take action to reduce the use to reduce your cost. If there are home directories you do not want, you can adjust your eligibility group membership. If you do not want to remove a user from your eligibility group, but also don’t want that user to have a Nebula home directory, we have a solution for that, but at this time you’ll need to send a request to help@uw.edu for that solution.

 

We are aware of a number of eligibility groups which have no members, and have separately already contacted departments where this is the case. You may need to take action if you were contacted about that.

 

We are aware of several shared file service paths which have no department assigned to them because our initial assignment was requested to be removed. As noted above, we plan to contact the users with access to these locations. You may need to take action if you are contacted about that in the future.

 

More info:

If you are wondering what a Nebula eligibility group is—see http://www.washington.edu/itconnect/wares/nebula/tools/view-and-manage-nebula-resources/#What.

 

If you are having problems getting your eligibility group to have the right set of users, we can provide a list of which users were associated with your department prior to today.

 

That document includes a variety of assistance for departmental contacts who use MyIT to review their Nebula use. We are happy to help you if you need further assistance or explanation—just send us a request at help@uw.edu.