NHSmail LOA webinar
Tuesday 23 August
Hayley Miller – Engagement Lead, NHS Digital
Chris Gibbons – Communications Lead, Accenture
Welcome to the NHSmail LOA webinar
• The webinar will begin at 2pm.
• Please synchronise your web and phone presence by inputting your Attendee ID into the phone (find it in the Meeting Info tab at the top of the screen).
• Participant lines will be muted during the presentation.
• The webinar will be recorded.
• You can use the chat messaging feature on the right of the screen to ask questions.
• You can click ‘raise hand’ above the chat feature on the right of the screen – this will signal us to unmute your line.
Agenda
• NHSmail account transition status.
• Update on NHSmail 2 Portal.
• Instant Messaging and Presence update.
• Automation of the data retention process.
• Data Loss Prevention – we’d like your views!
• Further updates and reminders.
• Questions.
NHSmail account transition status
• Most accounts left to transition are:
– True shared (generic) mailboxes.
– Those with shared folder permissions.
– Newly created user accounts.
• All transition related known issues are on the NHSmail 2 service status pages.
• Focus over coming weeks is on the NHSmail 2 Portal and the pilot of instant messaging and presence.
NHSmail 2 Portal update
Update on NHSmail 2 Portal development and impacts
NHSmail 2 Portal update
Go Live
• New Portal available from 7am on Monday 29 August – continue to consult Service Status Page.
• Periods of unavailability from 7pm on 26 August to 7am on 29 August.
• Email available throughout (Outlook Web App, Outlook and mobile).
Communications & Training
• Portal communications for LOAs have been published, including impacts relating to TANSync, distribution lists and times of unavailability.
• Communication to end users has been issued.
• Recording of Portal LOA Webinar available on Support Site.
• Recording of Portal LOA Training Webinar available on Support Site.
NHSmail 2 Portal – schedule of change
There will be a number of steps in the cutover for the NHSmail Portal as outlined below:
• Portal Unavailability: 26/08/2016 (7pm) - 29/08/2016 (7am)
• Distribution List Change Freeze: 26/08/2016 – w/c 05/09/2016
• TANSync Switchover: 31/08/2016 - Onwards
• ADFS (Exchange & Portal): 10/09/2016 - 11/09/2016
• ADFS (Portal Only): 27/08/2016 - 09/09/2016
• Pull Connector Retired: 25/08/2016
• Transition Mop-up: ~ 05/09/2016
* Subject to change, please continue to reference http://support.nhs.net/servicestatus for the latest dates
Volunteers Required – Portal Data Validation
• The NHSmail 2 Portal has undergone a series of testing activities ahead of the release.
• An exercise will be run immediately after the Go Live to complete additional validation of the live migrated data and identify any issues with the Portal.
• Looking for approx. 20 LOAs to support these activities on Monday 29 August.
• It will take about one hour to complete and feedback will be collected via a survey.
Contact [email protected] by Thursday 25 August if you are able to support these activities.
NHSmail 2 Portal - impacts
Date | Impact | What does this mean?
25 Aug | Pull Connectors Retired | LAs will need to manually create accounts and complete Directory updates until TANSync deployed.
26 Aug (7pm) – 29 Aug (7am) | Portal Unavailable | Portal may be unavailable during this time. The admin functions will not be available during this time.
26 Aug – w/c 05 Sep | Distribution List Freeze | Dynamic Distribution Lists will be available to use (i.e. send email to), but will not be able to be created or amended.
29 Aug | NHSmail 2 Portal Live | The NHSmail 2 Portal will Go Live and the new tools will be available. See key changes for more information.
29 Aug – 09 Sep | ADFS Implemented to Portal Only | The new sign-in screen will be implemented, however users will need to sign-in twice; once for Portal (new login) and once to access email (old login).
31 Aug (Pilot), 05 Sep (All) | TANSync Available | TANSync will replace Pull Connectors. Organisations will be able to deploy this from 05 September. A deployment guide is available on the Support Site.
10 - 11 Sep | ADFS Implemented to Exchange & Portal | The new sign-in screen will be implemented for both the Portal and email. This means the user will only need to sign-in once.
ADFS for local Authentication added later in the year
ADFS implementation impact
Signing In
When the NHSmail 2 Portal goes live, Active Directory Federation Services (ADFS) will be implemented for the Portal. This will be implemented for Exchange on 29 August to 9 September. This means that users will need to sign in twice as shown below:
1. Portal Sign-in
2. Outlook Web App Sign-In
LOA roles on NHSmail 2
• The NHSmail 2 Portal admin guide outlines:
– What permissions each admin role has on NHSmail 2.
– What tasks each role can and cannot carry out.
• In line with NHS Directory changes (practices become an independent organisation unit), there are some important changes to the Practice Admin role.
• Important roles to familiarise yourself with from Day 1 are Primary Local Admin, Local Admin and Helpdesk Admin.
• Process for audit and authorising admins yet to be confirmed.
Admin Roles – Primary & Local Admin
Purpose: Service Owner for NHSmail within a local organisation
Admin Rights:
• Create User
• Read User
• Update User
• Create Contact
• Read Contact
• Update Contact
• Delete Contact
• Create Shared Mailbox
• Read Shared Mailbox
• Update Shared Mailbox
• Delete Shared Mailbox
• Create Distribution List
• Read Distribution List
• Update Distribution List
• Delete Distribution List
• Create Organisation Unit
• Read Organisation Unit
• Update Organisation Unit
• Delete Organisation Unit
• Read Audit
Delegation Rights: Primary Local Admin, Local Admin, Helpdesk Admin and Connector Admin
* Additional Primary Local Admin access rights shown in red
Admin Roles – Helpdesk Admin
Purpose: Basic NHSmail administration functions for local helpdesks to support users
Admin Rights:
• Read User
• Update User
• Read Contact
• Update Contact
• Read Shared Mailbox
• Update Shared Mailbox
• Read Distribution List
• Update Distribution List
• Read Organisation Unit
Delegation Rights: None
Admin Roles – Other
Role: Audit – Added by NHS Digital/National Services Scotland
Purpose: Provide read-only access across an organisation of the forensic email archive and ability to complete audits of Portal activity
Admin Rights:
• Read User
• Read Contact
• Read Shared Mailbox
• Read Distribution List
• Read Audit
• Read Email Forensic Archive
Role: Connector
Purpose: Provides dedicated admin role for connector accounts synchronising with the NHSmail service
Admin Rights:
• Create User
• Read User
• Update User
• Create Contact
• Read Contact
• Update Contact
• Create Distribution List
• Read Distribution List
• Update Distribution List
Local Forensic Archive Access will be made available later in the year through a tightly managed process
Admin Roles – Other
Role: Authorisations - Added by Accenture
Purpose: Provides a dedicated role for users who are authorised to provision top-up services from NHSmail – e.g. larger mailboxes.
Admin Rights:
• Top-up updates
NHSmail to NHSmail 2 Role Mapping
Local Organisation Administrators will be renamed Local Administrators. The current roles will be mapped as outlined below for England and Scotland:
NHSmail | NHSmail 2
Primary LOA | Primary Local Admin
Secondary LOA | Local Admin
Practice LOA | Local Admin
Department LOA | Helpdesk Admin
Role Mapping Scenario: Practice LOAs
[Diagram: organisation hierarchy showing Organisation, Dept., Practice and Organisation (Practice), with the roles Primary Admin, Secondary / Local Admin, Department / Helpdesk Admin and Practice / Local Admin.]
• From Day 1 following Portal Go Live, Practice Admin becomes a Local Administrator within own organisation unit.
• Primary LOA and Secondary LOAs retain administration rights over the practice.
• Primary LOA can choose to retain the Primary Local Administrator role or delegate it to the Practice Admin that has become a Local Administrator.
Changes for Practice LOAs
• Changes for Practice LOAs include:
– Becoming Local Admins for their organisation unit (GP practice, dental practice etc.).
– Ability to create user accounts within their unit.
– Ability to create and delete shared mailboxes within their unit.
– Managing distributions within their unit.
• If the Primary Local Admin of the ‘parent’ CCG/Health Board chooses to devolve responsibility, the practice organisation unit can have its own Primary Local Admin.
• Will communicate out to Practice LOAs to let them know of upcoming changes and links to training materials.
Self-service password resets on NHSmail 2
• Users are able to complete a self-service password reset on the new NHSmail 2 Portal.
• It requires users to enter a mobile phone number in the NHS Directory, to which a temporary password is sent when resetting the password.
• Feedback from LOAs is that lots of users do not have a work mobile number and may not want to have a personal mobile number visible in the NHS Directory.
• The ability to hide a mobile number will be added to the NHSmail 2 Portal after the first release goes live.
Instant Messaging & Presence
Update on pilot and rollout schedule
Instant Messaging & Presence
• Available for all NHSmail users through Outlook Web App providing basic instant messaging and presence functionality.
• Accessible using a mobile or desktop application (Skype for Business) if an organisation chooses to deploy it.
• Please note: Skype for Business is different from Skype (consumer). The two applications are not integrated and Skype (consumer) cannot be used with NHSmail.
• Training and guidance available on:
– Using Outlook Web App instant messaging and presence
– Using Skype for Business (desktop) instant messaging and presence
– Installing Skype for Business on a mobile device
– Microsoft guidance on Skype for Business Server 2015 compatibility
Instant Messaging & Presence
The rollout approach is outlined below:
1. Initial pre-pilot checks: In Progress
2. Pilot group 1: No earlier than 05 September
3. Pilot group 2: After group 1
4. Mass enablement: TBC based on pilot – approx. October
Updates and reminders
Updates and reminders on NHSmail 2 transition actions
Data retention process
• Scope of NHSmail data held is covered in the Information Management Policy and recovery of data in the Data Retention Policy.
• Deletion of data outlined in these policies will be automated and followed vigorously. This includes user accounts and shared mailboxes.
• Users should be changing their password at least every 90 days to ensure that their account is kept active.
Data retention process
Account Inactivity Monitor (Automated Deletion)
1. Disabled after 90 days of inactivity
2. Deleted after 180 days of inactivity
3. Permanently purged following 30 days in deleted state
Local Administrator Disablement (Suspension)
1. Account disabled by administrator (suspended)
2. Deleted after 18 months of inactivity
3. Permanently purged following 30 days in deleted state
Data Loss Prevention (DLP)
What is DLP?
• Capability designed to detect potential data breaches / data exfiltration and prevent them.
• It does this by monitoring, detecting and blocking or protecting sensitive data.
• NHSmail 2 has the ability to look for emails that contain specific content going to specific places and either block it with a warning message or automatically encrypt it.
NHSmail Progress
• Investigated whether any of the default pattern-matching templates identified any areas that could benefit from this protection.
• Found that a number of emails each day are sent from NHSmail to the Internet unencrypted with an NHS Number in them.
• Welcome your views on whether we should employ any protection for emails going to the Internet unencrypted with an NHS Number in them.
Data Loss Prevention (DLP)
How should the NHSmail DLP tools treat emails containing NHS numbers?
1. Take no action.
2. Do not deliver and inform the sender why and how they can manually encrypt it if they wish.
3. Automatically encrypt the message and deliver.
Feedback will be presented to the NHSmail Operations Board for consideration in the coming weeks.
Please submit feedback by 02 September via Survey Monkey on: https://www.surveymonkey.co.uk/r/DLPNHSmail
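An added example (not NHSmail's own DLP implementation) of the rule under consultation: find ten-digit candidates, keep only those that pass the NHS Number Modulus 11 check digit, and apply option 1, 2 or 3 to unencrypted mail with an external recipient. The `nhs.net` internal domain, the action names and the sample message are assumptions made for this illustration.

```python
import re

# Ten digits, optionally written 3-3-4 with spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")

# The three options put to LOAs, mapped to hypothetical action names.
ACTIONS = {1: "deliver", 2: "block_and_notify", 3: "encrypt_and_deliver"}


def is_valid_nhs_number(digits):
    """Modulus 11 check: weights 10..2 on the first nine digits."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    # A computed check digit of 10 means the number can never be valid.
    return check != 10 and check == int(digits[9])


def find_nhs_numbers(text):
    """Return checksum-valid candidates, normalised to ten bare digits."""
    found = ("".join(m.groups()) for m in CANDIDATE.finditer(text))
    return [n for n in found if is_valid_nhs_number(n)]


def dlp_decision(body, recipients, encrypted, option, internal="nhs.net"):
    """Apply option 1, 2 or 3 to one outbound message."""
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() != internal]
    hits = find_nhs_numbers(body)
    # The rule only fires for unencrypted mail leaving for the Internet.
    if not hits or not external or encrypted:
        return "deliver", len(hits)
    # Return a count, not the matched values, so logs stay free of them.
    return ACTIONS[option], len(hits)


if __name__ == "__main__":
    # Constructed sample message: 943 476 5919 passes the checksum,
    # 1234567890 has the same shape but fails it.
    body = "Patient 943 476 5919 discharged. Ticket ref 1234567890."
    for option in (1, 2, 3):
        print(option, dlp_decision(body, ["gp@example.com"], False, option))
```

The check-digit step is what keeps ticket references and other ten-digit strings from triggering the rule, which matters most under option 2 where a false positive stops delivery.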
Reminders
Activity | Impact if not completed | Deadline
Complete Relay IP addressing activities. | Unable to use the NHS Relay service. | Overdue
Web browser upgrades | LOAs – not able to use the Portal tools. Users – use OWA Light (which does not include IM&P). | Overdue
TANSync set-up for current active pull connector organisations | Organisations will have to manage people data manually using the Portal. | 29 August
Reminders: Locked Accounts
• The NHSmail Helpdesk has seen a large number of contacts from users with locked accounts.
• This issue is typically caused by:
– Old cached or auto-filled passwords when accessing via a browser
– Old stored credentials in Windows Credential Manager or Apple Keychain
– Mobile devices polling to NHSmail with the old password
• To help reduce the likelihood of this issue, or to resolve it, users should:
– Clear browser cache and auto-fill from the browser before trying to re-access via a browser
– Remove stored credentials from Windows Credential Manager or Apple Keychain. Users would then be prompted to re-enter the password by the desktop application
– Update the password on all mobile devices connecting to NHSmail following a password change. If the issue continues, remove NHSmail from all devices and re-add one at a time to identify the device causing the issue. Users can view the devices connecting to NHSmail in the Outlook Web App Settings (Options – Phone).
Questions?