Warning

Irrelevant, see /wiki/spaces/SI/pages/2439577614

This document details what needs to be done to help new starters get up and running.

...

Before the new starter arrives they need their NBT account set up. This is done through https://servicedesk.nbt.nhs.uk/app/itdesk/HomePage.do. All new accounts need to be signed off by an authorised user. Currently this is Tim Whitlock (Deactivated) (this is being changed to include Joel Collins and Jennifer Barwell), so requests are best made by them to avoid complications and delays. In the default signees' absence Retha is able to authorise a new account. NBT now quotes >8 days to set up an account. As part of the setup, the appropriate group memberships need to be added to the account and access to shared mailboxes set up. This is most readily done by naming another user from the same team whose memberships should be copied. New accounts require a DOB, which is used to authenticate the user for their initial password when they first log in. After the account is set up, the new starter will need to call NBT IT Support on ext 2020 (0117 414 2020 if not in the office), quoting the ticket number of the request, to get their initial password, which they will be required to change when they first log on. First logon needs to be done in the office. Any new laptop needs to have been logged in to in the office before it can be used remotely.

...

Staff members with an @renal.org email (there is a request in to update this to ukkidney.org) are slightly more complicated because they are configured with both an @renalregistry.nhs.uk email and an @renal.org email, with sending set to default to @renal.org. They will also need a redirect set up on renal.org and ukkidney.org that forwards mail arriving for them at these domains to their @renalregistry.nhs.uk address. Since the switch to O365 there are often difficulties with this setup: the email is set up, but the login details expect the @renalregistry account and not the @renal.org account.

Shared Mailboxes

The form for getting a new account created (Access Request) is the same one used for adding shared mailbox access. When creating new users it is better to add any shared mailboxes there. Just telling them they need the same access as a.n.other user is no longer sufficient due to the move to O365. Shared mailboxes are (awaiting a confirmed list from NBT):

  • UK Renal Registry Systems

  • UK Kidney Association

  • UK Renal Registry

  • UK renal Registry Admin

  • ukrr-research

  • KQUIP

  • Think Kidneys

  • British Association for Paediatric Nephrology

  • Events-Renal Association

  • Nephwork

User Security Groups

We have a number of security groups set up in the AD to help manage rights for different teams. They are:

  • RR Systems

  • RR Statistics

  • RR SMT

  • RR Informatics

  • RR Data Managers

  • RR Business Support

  • RR Validation Test

  • RR Renal Association

  • UK RR Renal Registry

We still have some local versions on rr-storage-live (which were used to define ACLs before the AD versions and are still in use to some degree). These probably should be moved to the AD:

  • RR Research - in use

  • RR Programmes

  • RR PersonnelAccess - in use

Missing - RR Information Governance ?

MFA Authentication

All users should set up their MFA account settings (add a phone number to their Microsoft profile). This should then allow proper authentication when trying to use things like virtual desktop. Users should go to https://myprofile.microsoft.com (if on the NBT network you should get logged in; if not you will be asked for your password). Once there, select security settings and add a phone number to your profile. This number will be texted or called as part of the two-factor authentication process.

NBT documentation is here: Remote working - IT information - LINK (nbt.nhs.uk), and here: Multifactor authentication security requirement - (Work in Progress) - LINK (nbt.nhs.uk)

Atlassian Logins

All new starters will need adding to Atlassian with access to Confluence and the appropriate Jira groups. This can be done via https://www.okta.com/uk/login/ and using renalregistry, or just using the URL https://renalregistry.okta.com. Once they have the Okta account configured with the appropriate group memberships, their account can be activated and they will get an email to configure their password etc. This can only be done once their account is configured and active, otherwise the email will never arrive. It is usually useful to point new starters to the URLs for Jira and Confluence.

...

Old Method

Setting up a new user on the laptop involves configuring their McAfee Encryption password and logging in to Windows on it for the first time. This is best done whilst physically connected to the NBT network. This is possible either in the meeting room or at Tim Whitlock (Deactivated)'s desk.

When the laptop is first switched on it asks for the McAfee login. This consists of the NBT login id of the user and a unique password. If the user account is not recognised by the McAfee software then NBT IT will be required to do some reconfiguring of the laptop. The usual UKRR setup is to allow any member of the UKRR to use McAfee. If a user hasn't been configured on McAfee yet, they will need to use the default password the first time, which will then require them to set their chosen password and answer some security questions (which allow the user to reset their password should they need to). The default password is held in the system team password vault. Once configured, this password should work on all UKRR laptops, though it may be necessary to be connected to the NBT network when first used on a different laptop if that laptop has not recently been connected to the NBT server and picked up the updated password files.

Having negotiated the encryption, a new remote worker needs to log in to Windows on the laptop. This creates the initial user profile locally on the laptop and allows the user to log in to Windows without connecting to the NBT network. This must be done with the laptop connected to the NBT network. After successfully logging in, the laptop should be ready for remote working.

VPN

In order to connect back to the NBT network, remote users will need a VPN connection. This requires an app on a smartphone, Android RSA SecurID or iOS RSA SecurID Token depending on the phone OS. NBT IT will send an email to the user with a link to the certificate that needs to be clicked on the phone; this will then load the certificate into the phone app. During this process it will ask for a password, which is the NBT user login account, and then it can provide the token ids for logging in.

To configure the VPN for the first time, a user PIN needs to be configured. By default the account will be in "New Pin Mode", which should force the user to configure a new PIN. The VPN can only be used when the laptop is not connected to the NBT network, so to configure it whilst in the office a mobile phone must be used to provide the internet connection. Log in to the laptop and then follow the instructions below.

  1. Click on the Aventail Icon on the desktop.

  2. Input your username in the top box and in the bottom box the VPN token code from the app. The box will then appear empty.

  3. Create a new password. The requirements should appear on the box. Again the box will then appear empty.

  4. Input the password you have just created and then wait for the VPN token to change, then input the token number directly after the password with no spaces.

  5. The account should then connect.

Warning

IF THE TOKEN HAS NOT BEEN USED IN 3 MONTHS IT MAY BE REMOVED AND REDISTRIBUTED.


Personal Devices

As part of a security update NBT have removed access to any NBT services from a non-NBT device unless it is registered using the Intune software (What is Intune? - LINK (nbt.nhs.uk)). So if you want to access NBT emails from your personal phone or laptop you need to register your device with NBT IT. Non-NBT laptops are not supported; their documentation states: "In Tune is not supported on these devices and will not work. Please use Windows Virtual Desktop". The access provided is only via the web and not via email clients unless the device is a registered NBT device. This change is particularly annoying for phones.

Phone

Some remote workers have a separate work phone. These should be set up in the normal way, but if emails are required on the phone they will need to be registered in the same way as personal devices.

Workshare (This is now no longer used)

...

Old Workshare Details

This software needs to be installed on any new remote worker laptop. Accounts for Workshare are managed by the programme teams themselves, but the Systems Team can configure a user if required, and the information is held in the password vault. If the software needs to be installed, the installer is best obtained by logging in to the Workshare Connect web interface https://my.workshare.com/m#signin and then selecting the menu in the top right, which gives access to the download center.


Warning

Workshare Compatibility

As of 2020 Workshare dropped support for Office 2010 integration, so until our Office installations are updated to a newer version only older versions of Workshare will work on our machines.

This will then offer the appropriate download for the desktop application. There is a known issue with the latest Dell laptops where the interface doesn't display properly unless the graphics properties for the app are set not to use OpenGL rendering. http://workshare.force.com/knowledgebase/articles/Troubleshooting_Article/Graphics-drivers-not-compatible


...