NHSmail LOA webinarTuesday 23 August

Hayley Miller – Engagement Lead, NHS Digital

Chris Gibbons – Communications Lead, Accenture

Welcome to the NHSmail LOA webinar

• The webinar will begin at 2pm.

• Please synchronise your web and phone presence by inputting your Attendee ID into the phone (find it in the Meeting Info tab at the top of the screen).

• Participant lines will be muted during the presentation.

• The webinar will be recorded.

• You can use the chat messaging feature on the right of the screen to ask questions.

• You can click ‘raise hand’ above the chat feature on the right of the screen – this will signal us to unmute your line.

2

Agenda

• NHSmail account transition status.

• Update on NHSmail 2 Portal.

• Instant Messaging and Presence update.

• Automation of the data retention process.

• Data Loss Prevention – we’d like your views!

• Further updates and reminders.

• Questions.

3

NHSmail account transition status

• Most accounts left to transition are:

– True shared (generic) mailboxes.

– Those with shared folder permissions.

– Newly created user accounts.

• All transition related known issues are on the NHSmail

2 service status pages.

• Focus over coming weeks is on the NHSmail 2 Portal

and the pilot of instant messaging and presence.

4

NHSmail 2 Portal update

Update on NHSmail 2 Portal development and impacts5

NHSmail 2 Portal update

Go Live

• New Portal available from 7am on

Monday 29 August – continue to

consult Service Status Page.

• Periods of unavailability from 7pm on

26 August to 7am on 29 August.

• Email available throughout (Outlook

Web App, Outlook and mobile).

6

Communications & Training

• Portal communications for LOAs have

been published, including impacts relating

to TANSync, distribution lists and times of

unavailability.

• Communication to end users has been

issued.

• Recording of Portal LOA Webinar

available on Support Site.

• Recording of Portal LOA Training Webinar

available on Support Site.

NHSmail 2 Portal – schedule of change

7

There will be a number of steps in the cutover for the NHSmail Portal as outlined below:

* Subject to change, please continue to reference http://support.nhs.net/servicestatus for the latest dates

Aug Sep

15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 1 2 3 4 5 6 7 8 9 10 11

Portal Unavailability

Distribution List Change Freeze 26/08/2016 – w/c 05/09/2016

27/08/2016 - 09/09/2016

26/08/2016 (7pm) - 29/08/2016 (7am)

TANSync Switchover 31/08/2016 - Onwards

ADFS (Exchange & Portal)

Activity

ADFS (Portal Only)

25/08/2016

10/09/2016 - 11/09/2016

Pull Connector Retired

~ 05/09/2016Transition Mop-up

Volunteers Required – Portal Data Validation

• The NHSmail 2 Portal has undergone a series of testing activities ahead of the

release.

• An exercise will be run immediately after the Go Live to complete additional

validation of the live migrated data and identify any issues with the Portal.

• Looking for approx. 20 LOAs to support these activities on Monday 29 August.

• It will take about one hour to complete and feedback will be collected via a

survey.

Contact feedback@nhs.net by Thursday 25 August if you are able to

support these activities.

8

NHSmail 2 Portal - impacts

Date Impact What does this mean?

25 AugPull Connectors

Retired

LAs will need to manually create accounts and complete Directory updates until

TANSync deployed.

26 Aug (7pm)

– 29 Aug

(7am)

Portal UnavailablePortal may be unavailable during this time. The admin functions will not be

available during this time.

26 Aug – w/c

05 Sep

Distribution List

Freeze

Dynamic Distribution Lists will be available to use (i.e. send email to), but will not

be able to be created or amended.

29 AugNHSmail 2 Portal

Live

The NHSmail 2 Portal will Go Live and the new tools will be available. See key

changes for more information.

29 Aug – 09

Sep

ADFS Implemented

to Portal Only

The new sign-in screen will be implemented, however users will need to sign-in

twice; once for Portal (new login) and once to access email (old login).

31 Aug (Pilot)

05 Sep (All)TANSync Available

TANSync will replace Pull Connectors. Organisations will be able to deploy this

from 05 September. A deployment guide is available on the Support Site.

10 - 11 SepADFS Implemented

to Exchange & Portal

The new sign-in screen will be implemented for both the Portal and email. This

means the user will only need to sign-in once.

9ADFS for local Authentication added later in the year

ADFS implementation impact

Signing In

When the NHSmail 2 Portal goes live, Active Directory Federation Services (ADFS) will be implemented for the Portal. This will be

implemented for Exchange on 29 August to 9 September. This means that users will need to sign-in twice as shown below:

1. Portal Sign-in

10

2. Outlook Web App Sign-In

LOA roles on NHSmail 2

• The NHSmail 2 Portal admin guide outlines:

– What permissions each admin role has on NHSmail 2.

– What tasks each role can and cannot carry out.

• In line with NHS Directory changes (practices become an independent

organisation unit), there are some important changes to the Practice

Admin role.

• Important roles to familiarise yourself with from Day 1 are Primary

Local Admin, Local Admin and Helpdesk Admin.

• Process for audit and authorising admins yet to be confirmed.

11

Admin Roles – Primary & Local Admin

Purpose Service Owner for NHSmail within a local organisation

Admin Rights • Create User

• Read User

• Update User

• Create Contact

• Read Contact

• Update Contact

• Delete Contact

• Create Shared Mailbox

• Read Shared Mailbox

• Update Shared Mailbox

• Delete Shared Mailbox

• Create Distribution List

• Read Distribution List

• Update Distribution List

• Delete Distribution List

• Create Organisation Unit

• Read Organisation Unit

• Update Organisation Unit

• Delete Organisation Unit

• Read Audit

Delegation

Rights

Primary Local Admin, Local Admin, Helpdesk Admin and

Connector Admin

12* Additional Primary Local Admin access rights shown in red

Admin Roles – Helpdesk Admin

Purpose Basic NHSmail administration functions for local helpdesks to

support users

Admin Rights Read User

Update User

Read Contact

Update Contact

Read Shared Mailbox

Update Shared Mailbox

Read Distribution List

Update Distribution List

Read Organisation Unit

Delegation

Rights

None

13

Admin Roles – Other

Role Audit – Added by NHS Digital/National Services Scotland

Purpose Provide read-only access across an organisation of the forensic email

archive and ability to complete audits of Portal activity

Admin Rights • Read User

• Read Contact

• Read Shared Mailbox

• Read Distribution List

• Read Audit

• Read Email Forensic Archive

14

Role Connector

Purpose Provides dedicated admin role for connector accounts synchronising with

the NHSmail service

Admin Rights • Create User

• Read User

• Update User

• Create Contact

• Read Contact

• Update Contact

• Create Distribution List

• Read Distribution List

• Update Distribution List

Local Forensic Archive Access will be made available later in the year through a tightly managed process

Admin Roles – Other

Role Authorisations - Added by Accenture

Purpose Provides a dedicated role for users who are authorised to provision top-up

services from NHSmail – e.g. larger mailboxes.

Admin Rights • Top-up updates

15

NHSmail to NHSmail 2 Role Mapping

NHSmail NHSmail 2

Primary LOA Primary Local Admin

Secondary LOA Local Admin

Practice LOA Local Admin

Department LOA Helpdesk Admin

16

Local Organisation Administrators will be renamed Local Administrators. The

current roles will be mapped as outlined below for England and Scotland:

Role Mapping Scenario: Practice LOAs

17

Organisation

Dept. Practice

Organisation

(Practice)

Primary

Admin

Secondary /

Local Admin

Department /

Helpdesk Admin

Practice /

Local Admin

• From Day 1 following

Portal Go Live, Practice

Admin becomes a Local

Administrator within own

organisation unit.

• Primary LOA and

Secondary LOAs retain

administration rights over

the practice.

• Primary LOA can choose to

retain the Primary Local

Administrator role or

delegate it to the Practice

Admin that has become a

Local Administrator.

Changes for Practice LOAs

• Changes for Practice LOAs include:

– Becoming Local Admins for their organisation unit (GP practice, dental

practice etc.).

– Ability to create user accounts within their unit.

– Ability to create and delete shared mailboxes within their unit.

– Managing distributions within their unit.

• If the Primary Local Admin of the ‘parent’ CCG/Health Board chooses to devolve

responsibility, the practice organisation unit can have its own Primary Local

Admin.

• Will communicate out to Practice LOAs to let them know of upcoming changes

and links to training materials.

18

Self-service password resets on NHSmail 2

• Users are able to complete a self-password reset on the new NHSmail 2

Portal.

• It requires users to enter a mobile phone number in the NHS Directory,

to which a temporary password is sent when resetting the password.

• Feedback from LOAs is that lots of users do not have a work mobile

number and may not want to have a personal mobile number visible in

the NHS Directory.

• The ability to hide a mobile number will be added to the NHSmail 2

Portal after the first release goes live.

19

Instant Messaging & Presence

Update on pilot and rollout schedule20

Instant Messaging & Presence

• Available for all NHSmail users through Outlook Web App providing basic instant messaging and presence functionality.

• Accessible using a mobile or desktop application (Skype for Business) if an organisation chooses to deploy it.

• Please note: Skype for Business is different from Skype (consumer). The two applications are not integrated and Skype (consumer) cannot be used with NHSmail.

• Training and guidance available on:– Using Outlook Web App instant messaging and presence

– Using Skype for Business (desktop) instant messaging and presence

– Installing Skype for Business on a mobile device

– Microsoft guidance on Skype for Business Server 2015 compatibility

21

Instant Messaging & Presence

The rollout approach is outlined below:

22

Initial pre-pilot checks

Pilot group 1

Pilot group 2

Mass enablement

In Progress No earlier than

05 September

After group 1 TBC based on

pilot – approx.

October

Updates and reminders

Updates and reminders on NHSmail 2 transition actions23

Data retention process

• Scope of NHSmail data held is covered in the Information Management

Policy and recovery of data in the Data Retention Policy.

• Deletion of data outlined in these policies will be automated and

followed vigorously. This includes user accounts and shared

mailboxes.

• Users should be changing their password at least every 90 days to

ensure that their account is kept active.

24

Data retention process

25

Disabled after 90

days of inactivity

Deleted after 180

days of inactivity

Permanently

purged following

30 days in

deleted state

Account Inactivity Monitor (Automated Deletion)

Account disabled

by administrator

(suspended)

Deleted after 18

months of

inactivity

Permanently

purged following

30 days in

deleted state

Local Administrator Disablement (Suspension)

Data Loss Prevention (DLP)

What is DLP?

• Capability designed to detect potential

data breaches / data ex-filtration and

prevent them.

• Does it by monitoring, detecting and

blocking or protecting sensitive data.

• NHSmail 2 has the ability to look for

emails that contain specific content

going to specific places and either

block it with a warning message or

automatically encrypt it.

26

NHSmail Progress

• Investigated to see if any of the default

pattern matching templates identified

any areas that could benefit from this

protection.

• Found that a number of emails each

day are sent from NHSmail to the

Internet unencrypted with a NHS

Number in them.

• Welcome your views on whether we

should employ any protection for

emails going to the Internet

unencrypted with a NHS Number in

them.

Data Loss Prevention (DLP)

How should the NHSmail DLP tools treat emails containing NHS numbers?

1. Take no action.

2. Do not deliver and inform the sender why and how they can manually encrypt it if they wish.

3. Automatically encrypt the message and deliver.

Feedback will be presented to the NHSmail Operations Board for consideration in the coming weeks.

Please submit feedback by 02 September via Survey Monkey on: https://www.surveymonkey.co.uk/r/DLPNHSmail

27

Reminders

Activity Impact if not completed Deadline

Complete Relay IP

addressing activities.

Unable to use the NHS Relay service. Overdue

Web browser upgrades LOAs – not able to use the Portal tools.

Users – use OWA Light (which does not

include IM&P).

Overdue

TANSync set-up for

current active pull

connector organisations

Organisations will have to manage

people data manually using the Portal.

29 August

28

Reminders: Locked Accounts

• The NHSmail Helpdesk has seen a large number of contacts from users with locked accounts.

• This issue is typically caused by:– Old cached or auto-filled passwords when accessing via a browser

– Old stored credentials in Windows Credential Manager or Apple Keychain

– Mobile devices polling to NHSmail with the old password

• To help reduce the likelihood or resolve this issue, users should:– Clear browser cache and auto-fill from the browser before trying to re-access via a

browser

– Remove stored credentials from Windows Credential Manager or Apple Keychains. Users would then be prompted to re-enter the password by the desktop application

– Update the password on all mobile devices connecting to NHSmail following a password change. If the issue continued, remove NHSmail from all devices and re-add one at a time to identify the device causing the issue. Users can view the devices connecting to NHSmail in the Outlook Web App Settings (Options – Phone).

29

Questions?

30

www.digital.nhs.uk

@nhsdigital

enquiries@nhsdigital.nhs.uk

0300 303 5678