    Posts

    • RE: windows based FREE imaging app

      @obsolesce said in windows based FREE imaging app:

      @dashrender said in windows based FREE imaging app:

      they generally come with AV and other crap you don't want at purchase

      Oh I see, that sucks. Are the company devices being bought from Walmart or something?

      Seriously?

      I order these from DCW. I haven't had a laptop not come with at least some third party AV in ages...

      posted in IT Discussion
      Dashrender
    • RE: windows based FREE imaging app

      @obsolesce said in windows based FREE imaging app:

      @notverypunny said in windows based FREE imaging app:

      @obsolesce said in windows based FREE imaging app:

      @dashrender said in windows based FREE imaging app:

      @obsolesce said in windows based FREE imaging app:

      @dashrender said in windows based FREE imaging app:

      they generally come with AV and other crap you don't want at purchase

      Oh I see, that sucks. Are the company devices being bought from Walmart or something?

      Seriously?

      I order these from DCW. I haven't had a laptop not come with at least some third party AV in ages...

      I suppose one of the reasons to not order Dell/HP, or at least not the default stuff.

      Can't speak to HP, but with Dell, unless you get set up with their imaging program (you provide them with your desired stock image and it's $$$ from what I recall) they're sending you their stock OEM image with a significant amount of bloat-ware. In a corporate / enterprise setup consistency is king so it's normal that you want to reimage with something that's tested and known to play nice in your environment.

      Business class devices shipping with trial anti-virus software that is well known to be much worse than the default Windows Defender? That alone is reason enough not to go with that manufacturer (still not a showstopper, as automation can fix that in later steps). If you need to touch a device before an end user gets it, you're wasting a ton of time and money. That's decades old procedures... having your IT department receive the device, reimage, configure, maintain images, and all the requirements that go along? That is a huge waste of resources.

      Wouldn't you rather have a device sent directly from CDW to the end-user, without needing a special image, ready to go for the user and the work environment... managed, configured, secured, and compliant as part of the OOBE?

      Who besides maybe MS devices come with zero bloatware? None I've ever seen. And yes I'm talking business class machines, not shit ass consumer junk.

      posted in IT Discussion
      Dashrender
    • RE: Help with renaming PC

      @jaredbusch said in Help with renaming PC:

      Use powershell

      Rename-Computer -NewName somename
      

      It could easily take you longer to find a script than just type this command on each machine.

      posted in IT Discussion
      Dashrender
    • RE: Unifi Controller update for Log4J

      @hobbit666 said in Unifi Controller update for Log4J:

      Does 6.5.55 support the older AP-LR's?
      Sure when I updated to the release I'm on now it said later releases won't

      Then I would guess not - really time to dump those old APs.

      posted in IT Discussion
      Dashrender
    • RE: Unifi Controller update for Log4J

      Are the APs vulnerable to Log4J? I would assume not - but who knows!

      As far as updating - JB - you're saying they are still coming out with new firmware for the old devices that aren't supported by the new controllers - so you use an old controller to update them, then migrate them back to the new controller. Hey, if it works....

      In normal times (i.e. easy to get new hardware) I wouldn't think the hassle of doing that worthwhile.

      posted in IT Discussion
      Dashrender
    • RE: GPO or GPP printer setup in light of all this printing nightmare stuff?

      If you have a real green field situation - I would seriously look at options to get rid of AD if possible.

      I'm not sure I'll ever be able to do that because I have a large number of spots that need any number of 20+ persons be allowed to log into those computers. AD or some similar technology makes that pretty easy. While you can script users over multiple machines - that seems painful, though I've never done it.

      posted in IT Discussion
      Dashrender
    • RE: Best practice MFP scanning to email for M365 shop?

      @gjacobse
      what brand MFPs are those?

      My Canons do fine with 1.2 to MS.

      posted in IT Discussion
      Dashrender
    • RE: kdevtmpfsi malware

      @gjacobse said in kdevtmpfsi malware:

      That is malware I have not encountered. But, in many cases the first most direct and preferred way to deal with any malware is to:

      Nuke it.

      Reloading the OS can be faster and more reliable than trying to remove any malware / virus. All mainly due to time/cost.

      Yup - I never attempt to recover a machine that's been infected - backup the data to an online source if possible - like OneDrive or Box, etc... then pave the machine and start over.

      posted in IT Discussion
      Dashrender
    • RE: Best practice MFP scanning to email for M365 shop?

      @travisdh1 said in Best practice MFP scanning to email for M365 shop?:

      @dashrender said in Best practice MFP scanning to email for M365 shop?:

      @travisdh1 said in Best practice MFP scanning to email for M365 shop?:

      @pete-s said in Best practice MFP scanning to email for M365 shop?:

      @dashrender said in Best practice MFP scanning to email for M365 shop?:

      @gjacobse
      what brand MFPs are those?

      My Canons do fine with 1.2 to MS.

      Do you set up the MFP with credentials from a M365 user?

      Yep, need a licensed account, and the lowest priced one doesn't work. I forget what it's called at the moment, but you need a license that includes the local apps.

      Even if you go with option 1, not sure why the lowest account with an email account wouldn't work?

      Because the lowest cost email account is online only. A local device can't login.

      I don't understand - why can't a local device login? Sure it likely can't use modern auth - but normal SMTP logon should work (though I think MS is killing that)

      Also, as I mentioned - I'm using a totally free account (a shared account - shared only with me :P) through option 2 in the link I provided.

      posted in IT Discussion
      Dashrender
    • RE: Where are MSP managed on-prem workloads moving?

      I've recently moved my email to M365, so SAAS for that.
      We're about to start planning our move of file share data to Sharepoint/ODfB - again SAAS.

      That leaves me with two items left on-prem - an old EMR I have to keep alive for at least 2 more years and our accounting software.
      Additionally, we have a laboratory interface for some of our testing equipment that only runs on Windows Server (legally) so that needs to live somewhere as well.

      We'll definitely keep the old EMR on-prem until we retire it.

      It looks like we can buy a hosted solution of BusinessWorks if we really want to go that route - it's slow as molasses over a VPN connection and pulls all kinds of data down locally - very old school solution. So for good performance I'd assume we'd have to remote into a desktop that's more local to the host of BusinessWorks, driving the price up.

      I'd love to move the laboratory software to a tiny 'nix box, lock it down and forget about it - basically only allowing it to talk to a control IP inside my network and the Lab itself, but again, the software is for Windows only. I suppose I can do the same with Windows, but that would require potentially 3 licenses so I don't have to worry about VPNs back to a central server for all three locations.

      posted in IT Discussion
      Dashrender
    • RE: Where are MSP managed on-prem workloads moving?

      @dustinb3403 said in Where are MSP managed on-prem workloads moving?:

      Even colod workloads make little sense to a lot of our customers.

      If you've seen Scott's old posts, that doesn't really seem possible - unless the cost of a big pipe between the colo and you is too expensive.

      posted in IT Discussion
      Dashrender
    • RE: New customer - greenfield setup

      @jaredbusch said in New customer - greenfield setup:

      But even 2 years ago I would have asked why they actually need filtering.

      Can they not just discipline employees? Because this is just stupid talking.

      We've all asked this question over the years. And in general I agree with you. Sadly there are more requirements for companies to keep their workspaces harassment free, etc.

      But really, the best reason for DNS filtering is - defense in depth. If the DNS server can keep a computer from even visiting a known good bad IP, that's just one more helper in the war. Sure there are false positives, assuming there aren't many of those, you just fix it and move on. If there are - then you find a new provider who isn't so bad at it.

      posted in IT Discussion
      Dashrender
    • RE: New customer - greenfield setup

      @gjacobse said in New customer - greenfield setup:

      Not knowing all of the aspects you will run into, something we have here - and is a pain point sometimes is the Wi-Fi and VLANs.

      We have iPads for certain tasks... we have a few RING cameras as well. In some cases - they only need to go to the internet - so they are routed as such.

      The iPads are used as interruptor stations - so only need to hit that web site (iPads are MDM'ed), and the Ring camera only needs access to RING.

      These are my thoughts as well, it's one of the drawbacks to Ubiquiti gear - limited to 4 VLANs on WiFi (at least used to be). For now, I think four will do me.
      Production
      IOT - internet only
      Guest
      medical equipment - future potential

      posted in IT Discussion
      Dashrender
    • RE: Import a QCOW2 Into Proxmox

      @jaredbusch said in Import a QCOW2 Into Proxmox:

      @dashrender said in Import a QCOW2 Into Proxmox:

      @scottalanmiller said in Import a QCOW2 Into Proxmox:

      @jaredbusch good point, Linux doesn't "detect non-local" like Windows does.

      ug.. what a pain that is!

      ummm wut?

      that Windows detects SMB shares as remote.

      posted in IT Discussion
      Dashrender
    • RE: New customer - greenfield setup

      @scottalanmiller said in New customer - greenfield setup:

      @dashrender said in New customer - greenfield setup:

      but SSL inspection on guest - nope, not interested... Hell I'd be more worried about being sued for breach of privacy.

      Well you CAN'T do it without seriously breaking the law (and pulling some magic super computing stuff.) It's federally criminal to attempt without the customer voluntarily handing over their computer to you which absolutely no one will do. And it's a lot of work for someone just sitting in an office trying to watch porn.

      You missed the reality of what I was saying -

      I've been on guest wifi networks that sent you to a captive portal and required you to install their SSL cert so you could surf, and they could intercept all your traffic.

      I was saying I was unwilling to make that a requirement on this client's network (they haven't asked for it, and I as their current IT wouldn't recommend it if they did).

      posted in IT Discussion
      Dashrender
    • RE: New customer - greenfield setup

      @scottalanmiller said in New customer - greenfield setup:

      @jaredbusch said in New customer - greenfield setup:

      @scottalanmiller said in New customer - greenfield setup:

      Well you CAN'T do it without seriously breaking the law (and pulling some magic super computing stuff.) It's federally criminal to attempt without the customer voluntarily handing over their computer to you which absolutely no one will do. And it's a lot of work for someone just sitting in an office trying to watch porn.

      Most common people will simply get the portal, tap anything it says and thus agree to it all. So yeah, you are wrong that no one does it.

      Is that all that it takes to get the phone or computer to install the certs and hand over man in the middle access? I've not done it, because... only a crazy person would.... but I thought it took several steps and a lot of warnings from most mobile devices.

      Yeah - there are a few warnings... but most people will simply accept it and start surfing - it's crazy... they have no clue what they are giving up. and even worse a surprising number wouldn't care even if you got them to actually understand it.

      posted in IT Discussion
      Dashrender
    • RE: New customer - greenfield setup

      @scottalanmiller said in New customer - greenfield setup:

      @dashrender said in New customer - greenfield setup:

      @scottalanmiller said in New customer - greenfield setup:

      @dashrender said in New customer - greenfield setup:

      but SSL inspection on guest - nope, not interested... Hell I'd be more worried about being sued for breach of privacy.

      Well you CAN'T do it without seriously breaking the law (and pulling some magic super computing stuff.) It's federally criminal to attempt without the customer voluntarily handing over their computer to you which absolutely no one will do. And it's a lot of work for someone just sitting in an office trying to watch porn.

      You missed the reality of what I was saying -

      I've been on guest wifi networks that sent you to a captive portal and required you to install their SSL cert so you could surf, and they could intercept all your traffic.

      I was saying I was unwilling to make that a requirement on this client's network (they haven't asked for it, and I as their current IT wouldn't recommend it if they did).

      I thought that that WAS what they were asking for as it is the only means of doing the thing that they requested. Requesting web monitoring and filtering, and demanding the end users (guests) install a cert are one and the same in this case.

      no - web filtering simply based on DNS query was MY thinking on the guests.

      SSL interception would only be for employee devices.

      posted in IT Discussion
      Dashrender
    • RE: New customer - greenfield setup

      @notverypunny said in New customer - greenfield setup:

      @dashrender said in New customer - greenfield setup:

      @notverypunny said in New customer - greenfield setup:

      For the filtering piece, I don't know that anything relying on DNS filtering alone would be adequate in a business environment. I'd come back to your firewall option from Sophos or an equivalent FortiNet product (just because that's what I'm used to) with a web-filtering subscription. That way even if you've got devices that are getting around your DNS (especially mobile devices) to look up the undesirable sites and services, the FW would still block traffic to and from the destination based on its web-filtering. This should be possible without any MiTM type inspection as well.

      Yeah - this is where I'm leaning. I care less about the virus filtering on the guest network - where all the phones and guest devices should be.

      Depending on how petty and litigious the guest network users might be, that could be a dangerous stance with regards to the guest network.

      I personally do refuse to use any guest WiFi that requires the installation of a third party cert to use. That said - I can only recall this happening one time.

      I'm not against DNS filtering - all the things Pete.S mentioned, but SSL inspection on guest - nope, not interested... Hell I'd be more worried about being sued for breach of privacy.

      posted in IT Discussion
      Dashrender
    • RE: What do you think about .app domain names?

      @pete-s said in What do you think about .app domain names?:

      @dashrender said in What do you think about .app domain names?:

      here's a question - does it even matter?

      There was a time when .net was only for ISPs (or at least that's what I recall reading), but is that the case now? Heck no.

      TLDs rarely if ever stay within their "specified" purposes.

      Heck, just look at this site - mangolassi.it - .it - as in an Italian website, but we definitely aren't that.

      Long run - normal people have no idea what the purpose of a TLD is other than it's part of the name of the website they are visiting.

      Among IT pros there might not be much difference. But I think it depends on what it was. If it was mangolassi.ru would you be as likely to visit?

      But I don't know about business users. If they think it's odd and suspicious it might have some negative effect.

      I might be willing to visit the site with a .ru TLD. The reality is that any TLD can be bad, any can be good.

      Really the only one I'm really worried about is .cn 🙂

      posted in IT Discussion
      Dashrender
    • RE: What do you think about .app domain names?

      @phlipelder said in What do you think about .app domain names?:

      @scottalanmiller said in What do you think about .app domain names?:

      @pete-s said in What do you think about .app domain names?:

      @scottalanmiller said in What do you think about .app domain names?:

      If it is under the hood, why bother. If it isn't under the hood, I think customers get confused.

      So you mean if it's customer facing it's better to stick to .com and there will be no confusion?

      Right, asking customers to type in .app typically comes with problems.

      So that's myprog.app.com then?

      We've been doing a fair amount of DOMAIN.Social lately (Mastodon on Ubuntu 20.04) with folks not having much of an issue with either typing the site's URL in or clicking the link for it.

      No surprise there - people don't care - they will simply click anything and everything they see. Hell, you could send an email with - this will infect your computer and I'm guessing half will still click on it.

      posted in IT Discussion
      Dashrender