Here is the original message:
------------------------------------
The first line of questions seems pretty loaded...so, I'd feel more
comfortable taking it offline, and get our research support director
involved in the discussion.

I would, however, say that the way that you would approach it depend on your
organizational culture, and how your organizational hierarchy is setup.  But
if you have a committee or a central leader figure, then I would recommend
that you get that person's support first before going forward with your
Endeavour.  You definitely need some executive sponsor to push something
like this along.

I believe that SAN and auto backup is not the only selling point (nor, to be
blunt, a good selling point to the users), because really, users don't care
about backend technical fixes, they would care about how this would help
them function better or make their life easier.  Some of the benefits that
they would reap using the authentication would be (this is just off the top
of my head):
Single sign-on/biometrics/card readers:  One thing users complain most about
is having to sign-on multiple times with different password.  If you have
some sort of initiative around the near horizon to implement such systems
mentioned above, you will need to have some sort of directory structure like
AD or LDAP to authenticate.  I believe that the Mac users or any users would
welcome less password(s) or no passwords at all.
Ability to only map your drive once:  You can probably have (not 100% sure)
the Mac authenticate, and have your drives mapped using some sort of script
upon log-on, which makes thing a lot easier for Mac users.
Sign-on will protect their privacy and protect their sensitive research data
from preying eyes.
There are I'm sure more selling point, but these are the only ones that I
can think of....Before you present, you should do your homework on these
topics and present them with facts.  Also, maybe you can ask your Mac users
what they would like to see resolved between Mac and Microsoft systems
(compatibility or usability wise) that would facilitate the authentication
to AD, a survey perhaps.  Well, hopefully, this helps.  Again, I will try to
explain our approach offline.  Maybe some of the other organizations can
provide some insights to what their organizations are doing.

-Peter



----------------------------------------------------------------------------
----
From: NCIDSA list [mailto:[log in to unmask]] On Behalf Of Mineo, Mike
Sent: Tuesday, November 16, 2004 1:23 PM
To: [log in to unmask]
Subject: Re: Requiring Domain Login?


Do you think you will you have to "sell" the mac users on getting into the
domain?  How will you sell it?  Or will it be a directive with a very good
specific reason to do so?



On the directive front it seems a strong hammer is that internet filtering
(at least our system) does a much better job reporting if the user is logged
in.  Otherwise it only shows IP's.



On the sell front we have tried to use the fact that SAN storage and auto
backup is available, but, they often do not care.




----------------------------------------------------------------------------
----

From: NCIDSA list [mailto:[log in to unmask]] On Behalf Of Choi, Peter
Jae
Sent: Tuesday, November 16, 2004 1:02 PM
To: [log in to unmask]
Subject: Re: Requiring Domain Login?



Yes, we are requiring almost all of our machines to have a domain login.  We
are not on AD, but when we do, we are going to work on trying to get Mac
users on AD by upgrading everyone to Mac OS 10.3.  However, we do not
require domain authentication for our nursing wings, because this would
negatively affect patient care (Remember, HIPAA does not want to negatively
affect operations to affect patient care, so if you have a justification,
then I would think that it would be ok...as long as it's documented).  My
understanding is that as long as the patient care application is reasonably
secured (password protected with a strong password, and reasonable time-out
value is set), then you should be fine with regards to the HIPAA standards.
However, you don't want to leave your nursing wings wide open, so what we do
at City of Hope is we use an NT independent (which I will send more
information about later...sorry, drafting it later this week) screen saver,
and use a very simple password to protect it.  Mike, If you'd like, I can
have our Mac expert, who is our resident research support director that may
be able to answer more of your questions regarding Macs and researcher
support.

-Peter

-----Original Message-----
From: NCIDSA list [mailto:[log in to unmask]] On Behalf Of Mineo, Mike
Sent: Tuesday, November 16, 2004 9:40 AM
To: [log in to unmask]
Subject: Requiring Domain Login?

In a mixed environment of patient care, research, and education - do you
REQUIRE domain (active directory) login?  Are you thinking about having Macs
join and are keeping an eye on the product that does this called admit2mac.

Arguing that domain login provides a central point of management for so many
things still doesn't always win over many of the research community.  Are
you feeling that HIPAA slams this issue home as a "must do"?

Any and all comments, success stories, or reasons not to run this road is
appreciated.

Thanks


-----------------------------------------------------------
SECURITY/CONFIDENTIALITY WARNING:  This message and any attachments are intended solely for the individual or entity to which they are addressed. This communication may contain information that is privileged, confidential, or exempt from disclosure under applicable law (e.g., personal health information, research data, financial information). Because this e-mail has been sent without encryption, individuals other than the intended recipient may be able to view the information, forward it to others or tamper with the information without the knowledge or consent of the sender. If you are not the intended recipient, or the employee or person responsible for delivering the message to the intended recipient, any dissemination, distribution or copying of the communication is strictly prohibited. If you received the communication in error, please notify the sender immediately by replying to this message and deleting the message and any accompanying files from your system. If, due to the
security risks, you do not wish to receive further communications via e-mail, please reply to this message and inform the sender that you do not wish to receive further e-mail from the sender.
===========================================================