Oct 23 2018 FACCUS meeting minutes


Location: PAS 2030

Present: Ryan G, Andrew M, Mary B, Steve B, Allan F, Scott P, Chris R, Lisa T, Steve C, Stephen M, Bill E, Will L, Jennifer K, Jason T


  1. Approval of minutes from last meeting
    1. Approved.
  2. Anything to add to today's agenda?
    1. No items added
  3. Various projects/initiatives/updates - Information Systems & Technology (IST)
    1. Also see https://uwaterloo.ca/information-systems-technology/about/projects
    2. 2FA update and web page (Andrew W, Jason T)
      1. Service was in pilot for a few years and was then acquired in early 2018 in response to an increase in phishing attacks
      2. A proposed timeline went out in the summer for implementing and making 2FA mandatory; however, these dates are no longer applicable
      3. Recommendation is to use a personal device as the token, although there have been arguments against using a personal cell phone. Statement that IST will provide a token if there is no other option.
      4. A decision needs to be made on what systems will require the use of 2FA, and which systems will require 2FA only for off-campus access
      5. A project has been established; now planning the rollout and selling it to the leadership forum (heads of departments)
      6. 2FA is now available for opt-in, about 300 people have signed up
      7. 2FA will be enabled for SailPoint (WatIAM) and WorkDay. Preference would be that those who can change passwords should need to use 2FA, opt-in for everyone else. Self-serve changes of bank information in WorkDay are a concern and will likely require 2FA.
      8. Concern about targeted attacks (fin-phishing)
      9. There is no Windows app
      10. Question: Will re-enabling after compromise require 2FA?
        Answer: Maybe if compromised twice
      11. Discussion of password security policies
      12. Support by IST Service Desk to start, looking at ways to allow other service desks to have access to support tools
    3. iss-app and the compromised search tool (Ryan G)
      1. Account lockouts are mostly automatic but some are manual
      2. Examples of automatic lockouts:
        1. For edu email accounts, Microsoft detects suspicious patterns and locks out automatically
        2. Multiple logins from different geographic areas
      3. Information goes into RTIR
      4. In RTIR, can’t restrict access to certain types of tickets, e.g. allow service desks to see all compromised tickets. Can only choose to see all tickets, which includes lots of additional information around machines, etc. In RTIR, people could see one ticket but not the other (Incident/Investigation)
      5. Made interface to search for tickets
        1. https://iss-app.private.uwaterloo.ca
          1. Permissions based on NEXUS groups
          2. Requires DUO
          3. Shows open tickets that are locked accounts, investigation and incident
          4. Click resolve, has default text
          5. Auditing through RT
          6. Keeps track of previous lockouts
          7. Updates once an hour
          8. Features to come:
            1. Add ability to unblock connect/edu accounts
            2. Show current status of account
    4. Overleaf update (LaTeX collaborative writing and publishing tool) (tentative) (Steve C)
      1. Portal to sign up for account with an @uwaterloo.ca email address
      2. Report on usage, breakdown of users by department, status, and activity
      3. Thesis template is available in Overleaf
      4. December Grad Studies workshop on LaTeX
      5. PDAG seminar upcoming
    5. Windows 7 end of life, and updates (Stephen M)
      1. Recommend that all areas ensure patches are up to date on Windows 7 machines. Windows 7 has a Jan 14, 2020 end of life.
      2. In Science, Windows 7 machines are now going directly to Microsoft for updates
      3. Work is underway to reconfigure IST-managed (Academic Support) machines to get updated from Microsoft
      4. Science is forcing reboots on Windows 7 machines to ensure updates are completed.
      5. IST Security noted that machines are still getting infected if missing MS1710 patches, and this spreads to other affected machines
      6. Discussion of embedded systems, and how to detect OS of un-managed machines
    6. DeliverPoint (Stephen M)
      1. Now available in SharePoint, there was a PDAG seminar, and there are notes on the https://sharepoint.uwaterloo.ca/help/sharepoint site
      2. Need admin/full control to see permissions on a structure
      3. Large sites overwhelm back-end service, so don’t generate a report at the faculty level
      4. Advantage is in seeing all the permissions that people have
    7. MS Teams update (Lisa T)
      1. Now available, teams can be created
      2. Single-page site with documentation and training
      3. Will replace Mattermost for most cases
      4. Teams will be the eventual replacement for Skype for Business
      5. Teams have their own file storage space
      6. AD Groups are not available
      7. Generic accounts can’t be added to Teams sites
      8. Can add external accounts such as Gmail
    8. personal.uwaterloo.ca update (Lisa T)
      1. Service is being phased out
      2. Existing sites will be left as is
      3. Researchers could move to a Waterloo Scholar site
      4. Future of staff personal sites under discussion
      5. Additional development will be done on Waterloo Scholar to improve service, and integrate with data sources
    9. RT updates (Lisa T)
      1. Version update to RT, only minor changes
      2. Update fixes issue with people being squelched (not receiving emails)
      3. New tickets can be assigned to different people on a rotating basis (round-robin) that can be enabled for particular queues if desired
      4. Please provide feedback on desired features
    10. IST Networks group update (Lisa T)
      1. New ONA is being developed by portal team (Pavel)
      2. Net ID update – new solution for guest WiFi
        1. CTSC working group reviewed how guest WiFi is provided
        2. Current solution for events provides a key to use
      3. Campus switch refresh progressing
      4. New VPN is going live November 6
    11. New Help & Support page (Lisa T)
      1. Matt Harford asked to share new page
      2. Forms for the most common request types
      3. Submit an RT by email
    12. Email accounts when people leave UW (Lisa T)
      1. Undergrads
        1. Keep their O365 email accounts but lose features (details at https://uwaterloo.ca/information-systems-technology/services/microsoft-office-365-education/access-by-audience )
        2. If they don’t graduate they don’t keep their @edu
      2. Current Alumni are on one of three different mail platforms:
        1. Undergrads who graduated since we’ve moved to Office 365 will have an Office 365 email account (@edu).
        2. Undergrads who graduated prior to this will have mailservices (if they had that during school).
        3. Undergrads who graduated prior to mailservices may have no email account, but they can still use a mail forward to have “@uwaterloo.ca” mail delivery address, if they wish.
        4. Grad student alumni may have connect accounts, depending on when they graduated. Lisa is looking into more details for grad student accounts
      3. Graduate students
        1. Grad students have connect accounts. Lisa is looking into more details about graduate student accounts.
      4. Staff/faculty:
        1. https://uwaterloo.ca/information-systems-technology/services/faculty-and-staff-email/about-faculty-and-staff-email/status-changes-affecting-accounts
        2. If they leave before retirement they cannot keep their UW email (this is technically at the discretion of the department).
      5. Post docs 
        1. Currently created through manual sponsorships in WatIAM. This may change in the future. Currently their email would stop working properly once they leave unless another assertion is made.
      6. Discussion of email being discontinued immediately upon a status change, e.g. post doc appointment ends
    13. Exchange/connect email limits and alternatives (Lisa T)
      1. Max number of messages a connect account can send within a 24-hour period is 1000. There are also other limits (see URLs below)
      2. We recommend using a mailman mail list instead, using software such as GroupMail, or registering with our bulkmail server. Details are at:
        1. https://uwaterloo.ca/information-systems-technology/about/policies-standards-and-guidelines/email/sending-email-many-recipients-mass-email
        2. https://uwaterloo.ca/information-systems-technology/services/bulk-mailing
    14. Reminder of change in Graduate Students status, as of Jan 1, 2019
      1. Graduate students not paid by Human Resources will no longer be included in the employee security group. All graduate students are in the IdM-SA-Graduate Studies security group.
      2. If you control access to a system(s) that includes graduate students, you may need to allow access to all grad students via this security group, instead of using the employee status.
  4. Should part-time employees who are also full-time ugrad students have their N: drive on fileu or on files? (Jennifer K)
    1. WatIAM automatically moves N drive for employees from student server to employee server and removes profile path
    2. User experience: Lose all files and profile
    3. Full-time undergrads are TAs or markers
    4. Action Item: Lisa and Jennifer to discuss and recommend change in process
  5. Follow up from May brainstorming (Lisa T)
    1. See https://uwaterloo.ca/faculty-computing-user-support-group/may-31-2018-faccus-meeting-minutes
    2. Discuss action planning for
      1. Opportunities to collaborate and work together on things that impact multiple areas.
      2. Report on new projects
      3. Mattermost channel (MS Teams instead...)
      4. Informal communications for emerging issues
      5. Planning new initiatives
  6. Faculty/area updates (all)
    1. Introductions for any new members
    2. Jennifer/ENV
    3. Will/Arts
      1. ACO using Teams
    4. Bill/Psych
      1. Qualtrics license merge Dec
      2. Sharing with others
      3. Video on demand solution for Psychology clinic
    5. Science (Stephen/Allan)
      1. Labs upgraded to Windows 10
      2. Domain-join account was leaked in a script uploaded to GitHub
      3. Labs rebuilt
    6. Steve/ENG
    7. Lisa/CRS
      1. Mac management project to use Parallels in AcSup (Cassandra Bechard)
      2. Desktop rollover project
      3. Bomgar investigation (Will)
      4. DTRI (inventory) project
    8. Chris/Math
      1. Survived August power shut down
    9. Scott/Arts
      1. OFAS getting a rewrite
      2. Collaborating with Science on Scinage documentation
      3. Podium machine stolen
      4. Improve information on services offered in Arts
    10. Steve/Pharm
      1. 10 year anniversary
    11. Mary/ENV
      1. Survived two-week power shut down
      2. Meeting rooms using Crestron AirMedia wireless stopped working with Macs, ITMS has updated firmware
      3. Reviewing job descriptions to introduce career paths
      4. Problems getting phones onto eduroam, login user id changed
    12. Ryan/IST Security
      1. For iss-app, submit an RT to request access via IST-ISSgeneral
  7. Who to host next FACCUS meeting? (AHS?)