Here is the original message:
------------------------------------

The first line of questions seems pretty loaded...so, I'd feel more comfortable taking it offline, and get our research support director involved in the discussion. I would, however, say that the way that you would approach it depends on your organizational culture, and how your organizational hierarchy is set up. But if you have a committee or a central leader figure, then I would recommend that you get that person's support first before going forward with your endeavour. You definitely need some executive sponsor to push something like this along.

I believe that SAN and auto backup is not the only selling point (nor, to be blunt, a good selling point to the users), because really, users don't care about backend technical fixes, they would care about how this would help them function better or make their life easier. Some of the benefits that they would reap using the authentication would be (this is just off the top of my head):

Single sign-on/biometrics/card readers: One thing users complain most about is having to sign on multiple times with different passwords. If you have some sort of initiative around the near horizon to implement such systems mentioned above, you will need to have some sort of directory structure like AD or LDAP to authenticate. I believe that the Mac users or any users would welcome less password(s) or no passwords at all.

Ability to only map your drive once: You can probably have (not 100% sure) the Mac authenticate, and have your drives mapped using some sort of script upon log-on, which makes things a lot easier for Mac users.

Sign-on will protect their privacy and protect their sensitive research data from prying eyes.

There are I'm sure more selling points, but these are the only ones that I can think of.... Before you present, you should do your homework on these topics and present them with facts.
Also, maybe you can ask your Mac users what they would like to see resolved between Mac and Microsoft systems (compatibility or usability wise) that would facilitate the authentication to AD, a survey perhaps.

Well, hopefully, this helps. Again, I will try to explain our approach offline. Maybe some of the other organizations can provide some insights to what their organizations are doing.

-Peter

--------------------------------------------------------------------------------
From: NCIDSA list [mailto:[log in to unmask]] On Behalf Of Mineo, Mike
Sent: Tuesday, November 16, 2004 1:23 PM
To: [log in to unmask]
Subject: Re: Requiring Domain Login?

Do you think you will have to "sell" the Mac users on getting into the domain? How will you sell it? Or will it be a directive with a very good specific reason to do so?

On the directive front it seems a strong hammer is that internet filtering (at least our system) does a much better job reporting if the user is logged in. Otherwise it only shows IPs.

On the sell front we have tried to use the fact that SAN storage and auto backup is available, but they often do not care.

--------------------------------------------------------------------------------
From: NCIDSA list [mailto:[log in to unmask]] On Behalf Of Choi, Peter Jae
Sent: Tuesday, November 16, 2004 1:02 PM
To: [log in to unmask]
Subject: Re: Requiring Domain Login?

Yes, we are requiring almost all of our machines to have a domain login. We are not on AD, but when we do, we are going to work on trying to get Mac users on AD by upgrading everyone to Mac OS 10.3. However, we do not require domain authentication for our nursing wings, because this would negatively affect patient care (Remember, HIPAA does not want to negatively affect operations to affect patient care, so if you have a justification, then I would think that it would be ok...as long as it's documented).
My understanding is that as long as the patient care application is reasonably secured (password protected with a strong password, and reasonable time-out value is set), then you should be fine with regards to the HIPAA standards. However, you don't want to leave your nursing wings wide open, so what we do at City of Hope is we use an NT independent (which I will send more information about later...sorry, drafting it later this week) screen saver, and use a very simple password to protect it.

Mike, if you'd like, I can have our Mac expert, who is our resident research support director that may be able to answer more of your questions regarding Macs and researcher support.

-Peter

-----Original Message-----
From: NCIDSA list [mailto:[log in to unmask]] On Behalf Of Mineo, Mike
Sent: Tuesday, November 16, 2004 9:40 AM
To: [log in to unmask]
Subject: Requiring Domain Login?

In a mixed environment of patient care, research, and education - do you REQUIRE domain (active directory) login?

Are you thinking about having Macs join and are keeping an eye on the product that does this called admit2mac.

Arguing that domain login provides a central point of management for so many things still doesn't always win over many of the research community. Are you feeling that HIPAA slams this issue home as a "must do"?

Any and all comments, success stories, or reasons not to run this road are appreciated.

Thanks