
[Sysadmin] Improper Wireshark use has restarted the editor wars.


  • Cog What'd you expect? Registered User regular
    Side note, if your first issues are Certs and DNS, you just need to have a big printer kerfuffle and you've basically won "The Shittiest Issues" Bingo

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    Cog wrote: »
    SniperGuy wrote: »
    Cog wrote: »
    SniperGuy wrote: »
    it appears I need to manually add that security certificate to chrome or people's phones in order to let them use it to bypass the block. Is there an easy way to do that for all users on the network? Am I being too vague in this post?

    Short answer: Fuck 'em.

    Long answer: You would probably need an MDM to push out certificates to phones.

    Best answer: Fuck 'em.

    That's fair for phones, but for the laptops that are owned by our organization (and yet not managed, that's a longer term project at the moment) I'll have to go around and hand 'em out. We have jamf for managing all the ipads but haven't paid for laptop management.

    If they're domain joined you can push the cert out through AD.

    He specified unmanaged.

    Here's the problem. His company is trying to do BYOB stuff without a BYOB strategy.

    No, you cannot push SSL certs to laptops without some kind of laptop management. The management could be an MDM solution, or it could be Active Directory.

    In lieu of that, you can put the certs somewhere your users can find them and download them, and provide them instructions for how to import them in their own machines.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
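Added example, not part of any post in this thread: when a root CA for a content filter is handed out by self-service download as described above, users need a way to confirm the file they fetched is the one IT issued before they trust it. The sketch below checks a downloaded PEM file against a SHA-256 fingerprint published out of band (the same value `openssl x509 -noout -fingerprint -sha256` prints). The function names and the sample data are assumptions made for this example; the sample bytes are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_blocks(pem_text):
    """Decode every CERTIFICATE block in a PEM file to raw DER bytes."""
    return [
        base64.b64decode("".join(body.split()), validate=True)
        for body in PEM_RE.findall(pem_text)
    ]


def normalize_fingerprint(text):
    """Accept 'AA:BB:...', 'aa bb ...' or plain hex; return lowercase hex."""
    hexed = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexed


def check_download(pem_text, published_fingerprint):
    """Return (ok, reason) for a downloaded CA certificate file."""
    expected = normalize_fingerprint(published_fingerprint)
    try:
        blocks = der_blocks(pem_text)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "corrupt base64 in PEM body"
    # A root CA download should be one certificate, not a bundle with extras.
    if len(blocks) != 1:
        return False, f"expected exactly 1 certificate, found {len(blocks)}"
    actual = hashlib.sha256(blocks[0]).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "fingerprint mismatch: do not import"
    return True, "fingerprint matches the published value"


# Constructed sample: stand-in bytes, not a real certificate.
SAMPLE_DER = b"constructed stand-in for the filter's root CA certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
# The value IT would publish out of band, e.g. on a printed handout.
digest = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
SAMPLE_FP = ":".join(digest[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    print(check_download(SAMPLE_PEM, SAMPLE_FP))
    print(check_download(SAMPLE_PEM + SAMPLE_PEM, SAMPLE_FP))
```
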
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    Unless I'm misunderstanding what SniperGuy means by "unmanaged"

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Radiation Registered User regular
    PSA: cert tests are hard if you don't study for them.
    I had 2 tests this week because I hate my future self (and past self) and put all the things off until the last possible moment. I took Net+ Wednesday and passed that so whoo! But my effort was so focused on that and the paper that I sort of put off Linux+ prep way longer than I should have and totally bombed it. I'm not very comfortable in Linux, I mean, I can do stuff but not much, and this test very much highlighted that I don't know shit about shit.

    PSN: jfrofl
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    I'm running into a similar organizational problem myself.

    My boss: can we give $user a laptop?
    Me: will it be for internal mobility within our offices, or is it intended for remote work?
    Boss: internal mobility

    Three weeks later, $user is calling the helpdesk

    "I'm at (some other company) and I can't log in to the VPN..."

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    Me: we need some kind of cloud or public-access laptop management solution, like DirectAccess or InTune

    Boss: I agree, but $user needs the laptop tomorrow

    Me: then I don't want to touch it. Either let me do it right or give it to somebody else.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    Being asked to do jack shit on a device I don't formally manage is a huge pet peeve for me

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Cog What'd you expect? Registered User regular
    I pretty much assume everyone who has a laptop is going to VPN.

  • wunderbar What Have I Done? Registered User regular
    by the way Cog; another excellent TOTP.

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
  • SniperGuy SniperGuyGaming Registered User regular
    Feral wrote: »
    Unless I'm misunderstanding what SniperGuy means by "unmanaged"

    Nope it sounds like you got it. I need to convince someone to get us something to manage the laptops. Does active directory work for a primarily MacBook environment? Need to do some research into options I think. And also explain to my bosses why that would be a good thing to have.

  • LD50 Registered User regular
    The first step for a primarily macbook environment:
    Throw all the macbooks in the garbage.

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    SniperGuy wrote: »
    Feral wrote: »
    Unless I'm misunderstanding what SniperGuy means by "unmanaged"

    Nope it sounds like you got it. I need to convince someone to get us something to manage the laptops. Does active directory work for a primarily MacBook environment? Need to do some research into options I think. And also explain to my bosses why that would be a good thing to have.

    You can connect macOS to Active Directory for the purposes of, for example, file share access. But you don't get the same management tools as you get with Windows workstations.

    You'd need a mac-compatible management solution, like JAMF, Centrify, or Apple's first-party management tools.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Cog What'd you expect? Registered User regular
    Yeah I keep forgetting it's a K-12 environment. Fuggin Macs.

  • FF Once Upon a Time In Oakland Registered User regular
    SniperGuy wrote: »
    Feral wrote: »
    Unless I'm misunderstanding what SniperGuy means by "unmanaged"

    Nope it sounds like you got it. I need to convince someone to get us something to manage the laptops. Does active directory work for a primarily MacBook environment? Need to do some research into options I think. And also explain to my bosses why that would be a good thing to have.

    Jamf is $$$ for non-edu. If you're edu it'll be worth your while to look into it as they offer a pretty good discount. Having used Jamf for a while now, and previously used Apple's own management solutions: use Jamf.

    Huh...
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    There's also Ivanti

    I do not recommend Ivanti

    At all

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • SiliconStew Registered User regular
    Feral wrote: »
    Cog wrote: »
    SniperGuy wrote: »
    Cog wrote: »
    SniperGuy wrote: »
    it appears I need to manually add that security certificate to chrome or people's phones in order to let them use it to bypass the block. Is there an easy way to do that for all users on the network? Am I being too vague in this post?

    Short answer: Fuck 'em.

    Long answer: You would probably need an MDM to push out certificates to phones.

    Best answer: Fuck 'em.

    That's fair for phones, but for the laptops that are owned by our organization (and yet not managed, that's a longer term project at the moment) I'll have to go around and hand 'em out. We have jamf for managing all the ipads but haven't paid for laptop management.

    If they're domain joined you can push the cert out through AD.

    He specified unmanaged.

    Here's the problem. His company is trying to do BYOB stuff without a BYOB strategy.

    No, you cannot push SSL certs to laptops without some kind of laptop management. The management could be an MDM solution, or it could be Active Directory.

    In lieu of that, you can put the certs somewhere your users can find them and download them, and provide them instructions for how to import them in their own machines.

    Yes, a BYOB strategy is key. Mine is to grab a sixpack of random singles to sample and fill the rest of the cooler with Miller Lite.

    Just remember that half the people you meet are below average intelligence.
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    Feral wrote: »
    Cog wrote: »
    SniperGuy wrote: »
    Cog wrote: »
    SniperGuy wrote: »
    it appears I need to manually add that security certificate to chrome or people's phones in order to let them use it to bypass the block. Is there an easy way to do that for all users on the network? Am I being too vague in this post?

    Short answer: Fuck 'em.

    Long answer: You would probably need an MDM to push out certificates to phones.

    Best answer: Fuck 'em.

    That's fair for phones, but for the laptops that are owned by our organization (and yet not managed, that's a longer term project at the moment) I'll have to go around and hand 'em out. We have jamf for managing all the ipads but haven't paid for laptop management.

    If they're domain joined you can push the cert out through AD.

    He specified unmanaged.

    Here's the problem. His company is trying to do BYOB stuff without a BYOB strategy.

    No, you cannot push SSL certs to laptops without some kind of laptop management. The management could be an MDM solution, or it could be Active Directory.

    In lieu of that, you can put the certs somewhere your users can find them and download them, and provide them instructions for how to import them in their own machines.

    Yes, a BYOB strategy is key. Mine is to grab a sixpack of random singles to sample and fill the rest of the cooler with Miller Lite.

    I noticed that after I posted and decided to leave it

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Bowen Sup? Registered User regular
    I wiped my PC a few weeks ago and I forgot to back up ipoffice and now I can't seem to find the original install the phone company gave me.

    And Avaya won't let me download it.

    What a fucking nightmare.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • LD50 Registered User regular
    IMO... BYOD is hella bad, except for phones, and phones shouldn't have jack shit on them other than what can be installed in the app store.

  • mojojoeo A block off the park, living the dream. Registered User regular
    o365 is down. https://status.office365.com/

    IT says- "Occasional downtime does occur... give it time."
    Otherwise everyone else says - "EVERYONE PANIC"

    Chief Wiggum: "Ladies, please. All our founding fathers, astronauts, and World Series heroes have been either drunk or on cocaine."
  • LD50 Registered User regular
    One of the Azure data centers in the Midwest is on fire.

  • mojojoeo A block off the park, living the dream. Registered User regular
    LD50 wrote: »
    One of the Azure data centers in the Midwest is on fire.

    this_is_fine.jpg

    Chief Wiggum: "Ladies, please. All our founding fathers, astronauts, and World Series heroes have been either drunk or on cocaine."
  • wunderbar What Have I Done? Registered User regular
    So yesterday I got a text from a cohort. "Hey, which account is the one for the tape backup restore again?"

    So at least I knew I wasn't having the worst day.

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
  • Seidkona Had an upgrade Registered User regular
    So much for the promise of the distributed cloud.

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • wunderbar What Have I Done? Registered User regular
    Entaru wrote: »
    So much for the promise of the distributed cloud.

    I mean, technically it's more "cloud" now than it was before it was on fire.......

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
  • Cirira Iowa Registered User regular
    I was wondering if any of you were seeing Azure problems also. It's a giant house fire at work due to everything we have going through Azure for SSO. Most of our products just aren't working so the users are all panicked. I get to sit here going "sorry can't do anything, all Microsoft"

  • mojojoeo A block off the park, living the dream. Registered User regular
    edited September 2018
    Cirira wrote: »
    I was wondering if any of you were seeing Azure problems also. It's a giant house fire at work due to everything we have going through Azure for SSO. Most of our products just aren't working so the users are all panicked. I get to sit here going "sorry can't do anything, all Microsoft"



    The o365 problems are because the south/central Azure region is down. It appears to be causing odd issues in other regions too, just not as all the way down as the main region.

    Nothing you can do but wait. I like to meditate in times like this. Contemplate clouds. Fluffy ones. Tall ones. Black ones emanating from server farms.

    Chief Wiggum: "Ladies, please. All our founding fathers, astronauts, and World Series heroes have been either drunk or on cocaine."
  • twmjr Registered User regular
    Cirira wrote: »
    I was wondering if any of you were seeing Azure problems also. It's a giant house fire at work due to everything we have going through Azure for SSO. Most of our products just aren't working so the users are all panicked. I get to sit here going "sorry can't do anything, all Microsoft"

    Yes, but did you escalate our ticket? We need status updates every 15 minutes, because that will absolutely fix the problem.

  • Cirira Iowa Registered User regular
    Indeed. I had seen someone post about it as well Mojojoeo. I just thought it was funny that I was thinking it and there were several posts about it.

  • Seidkona Had an upgrade Registered User regular
    edited September 2018
    We're going to need you to get on a call and sit with us doing nothing until MS resolves this.

    Thanks.

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • mojojoeo A block off the park, living the dream. Registered User regular
    Entaru wrote: »
    We're going to need you to get on a call and sit with us doing nothing until MS resolves this.

    Thanks.

    HEY. I'm a network guy. Sitting on the phone while nothing is happening to somehow speed along a fix is mandatory.

    Chief Wiggum: "Ladies, please. All our founding fathers, astronauts, and World Series heroes have been either drunk or on cocaine."
  • LD50 Registered User regular
    edited September 2018
    Engineers have isolated an issue with cooling in one part of the data center, which caused a localized spike in temperature, as the preliminary root-cause, which has now been mitigated. Automated data center procedures to ensure data and hardware integrity went into effect when temperatures hit a specified threshold and critical hardware entered a structured power down process. Engineers are now in the process of restoring power to affected devices as part of the ongoing mitigation process.

    I wasn't lying when I said it was on fire.

  • twmjr Registered User regular
    I feel like my company is having a competition to see which employee can be the stupidest today, and no one told me about it.

  • Cog What'd you expect? Registered User regular
    This is heavily affecting us.

    On the positive side, meandering through the twitter threads did give me this.

    tenor.gif

  • wunderbar What Have I Done? Registered User regular
    I really like how they say that the "root cause of the temperature spike has been mitigated"

    So... you mean you put a fire out?

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
  • Cog What'd you expect? Registered User regular
    twmjr wrote: »
    I feel like my company is having a competition to see which employee can be the stupidest today, and no one told me about it.

    Well are you accidentally winning or losing?

  • twmjr Registered User regular
    Cog wrote: »
    twmjr wrote: »
    I feel like my company is having a competition to see which employee can be the stupidest today, and no one told me about it.

    Well are you accidentally winning or losing?

    I think I may have been selected as the blind-to-the-study judge, and I am therefore losing very badly.

  • Cog What'd you expect? Registered User regular
    Is losing at being the stupidest good or bad? I'm not sure.

  • SniperGuy SniperGuyGaming Registered User regular
    My bosses would like me to change our guest network into one that has no password for people to use after school and on weekends for sporting events and such.

    Having a publicly posted password that I can give out to everyone seems safer than just having no password, but is there really a difference? We're using Ruckus ZoneDirector to manage the WLAN stuff. It has a guest access service I can activate for that, though I'm not entirely sure what that would do.

    I imagine a lot of my job is going to be convincing people that ease of access is not necessarily worth the security holes.

  • Cog What'd you expect? Registered User regular
    edited September 2018
    SniperGuy wrote: »
    My bosses would like me to change our guest network into one that has no password for people to use after school and on weekends for sporting events and such.

    Having a publicly posted password that I can give out to everyone seems safer than just having no password, but is there really a difference? We're using Ruckus ZoneDirector to manage the WLAN stuff. It has a guest access service I can activate for that, though I'm not entirely sure what that would do.

    I imagine a lot of my job is going to be convincing people that ease of access is not necessarily worth the security holes.

    You want some sort of way to expire sessions and force people to re-authorize occasionally. Ideally a login page where people have to accept an acceptable use agreement or something. No password required, just a button to accept the agreement.

This discussion has been closed.