- [Seed service status](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/seed-status?id=scheduled-maintenance) | Published the details for the upcoming scheduled deployment. | -| 10 January 2023 | - [General FAQ](faqs/seed-faq-general)
- [Glossary](additional-resources/glossary) | Updated the General FAQ and Glossary. | -| 18 December 2022 | - [SEED status page](seed-status) | Updated this page an integration issue between Cloudflare and Tanium which impacted our users. | -| 6 December 2022 | - [Onboarding FAQ](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/faqs/common-onboarding-issues)
- [Best practices](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/additional-resources/best-practices)
- [General FAQ](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/faqs/seed-faq-general) | - Updated FAQ related to password.
- Included the link to configure certificate authorities in firefox.
- Updated the onboarding FAQ on what to do if your access to SEED-protected resources are revoked. -| 30 November 2022 | [General FAQ](faqs/seed-faq-general) | Included additional questions. | -| 28 November 2022 | [Announcements](announcements)| Posted a latest advice from SingCERT. | -| 24 November 2022 | [Clone GitLab repository](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/faqs/how-to-clone-a-gitlab-repository-over-ssh-with-cloudflare-access)
[Clone Bitbucket repository](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/faqs/how-to-clone-a-bitbucket-repository-over-ssh-with-cloudflare-access) | Included notes for users cloning via Git client without using Cloudflare WARP. | -| 22 November 2022 | [Device clean-up policy](device-clean-up-policy)
[Device clean-up policy FAQ](faqs/device-clean-up-policy-faqs.md)| Published the context and the impact of the device clean-up policy and the related FAQs. | -| 10 November 2022 | [SEED post onboarding instructions for macOS 13(Ventura)](post-onboarding-instructions/mac-os-13)| Included post onboarding steps for macOS 13 users. | -| 07 November 2022 | [General FAQ](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/faqs/seed-faq-general) | Included a query for Mac users upgrading to macOS 13(Ventura). | -| 31 October 2022 | [Announcements](announcements) | Posted an announcement for GCC 1.0 users yet to onboard their Internet Device to SEED.| -| 29 October 2022 | [Configuration of common Developer CLI tools with Cloudflare WARP](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/faqs/configuration-of-common-developer-cli-tools-with-cloudflare-warp) | Updated the [Docker](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/faqs/configuration-of-common-developer-cli-tools-with-cloudflare-warp?id=docker). | -| 21 October 2022 | [Announcements](announcements) and [SEED status](seed-status) page | Updated announcements and status page for Cloudflare WARP issues. | -| 17 October 2022 | [Split tunnel allowlist](additional-resources/split-tunnel-allowlist) | Included information about split tunnel allowlist | -| 30 September 2022 | [Create support request](raise-an-incident-support-request) | From October 1, 2022, for any SEED issues, except SHIP-HATS users, all others must contact the TechPass and SEED support team. SHIP_HATS users must contact their support channel. | - 27 September 2022 | [SEED General FAQ](faqs/seed-faq-general) | Included the following information:
- Remote wipe is performed only if the device is stolen, lost or security is compromised.
- To perform remote the device, the device needs to be powered on and be connected to the internet so it can receive the communication for it to be wiped. | -| 26 September 2022 | - [Supported operating systems](https://docs.developer.tech.gov.sg/docs/staging-security-suite-for-engineering-endpoint-devices-seed/prerequisites-for-onboarding?id=supported-operating-systems-and-devices-for-seed)
- [SEED General FAQ](faqs/seed-faq-general) | You can now onboard Windows 11 Pro or Enterprise versions to SEED.
Included the steps to reinitiate the SEED onboarding invitation email. | -| 20 September 2022 | [Announcement](announcements) | Included a new announcement for an ongoing Cloudflare issue impacting users connecting to VPN that is not on the allowlist. | -| 16 September 2022 | - [Troubleshoot access issues with Cloudflare WARP](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/faqs/cloudflare-warp-known-issues)
- [Register Microsoft Intune Device ID](https://docs.developer.tech.gov.sg/docs/staging-security-suite-for-engineering-endpoint-devices-seed/onboard-device/mac-os?id=step-2-register-microsoft-intune-device-id)| -| 08 September 2022| [SEED service status](seed-status) | Included information about an incident with Cloudflare that impacted users accessing SGTS services. | -| 07 September 2022 | [General FAQ](faqs/seed-faq-general) | Included the information about the latest audit log retention policy and how to sync with it. | -| 02 September 2022|[Announcements](announcements) | Included information about Cloudflare's announcement on the removal of egress IP trial. | -| 30 August 2022 | [SEED status](seed-status) | SEED status page was updated for a Cloudflare incident. | -| 19 August 2022 | [Announcements](announcements) | Included information about the security updates released by Apple to address two zero-day vulnerabilities that affect its operating systems. | -| 18 August 2022 | [FAQ on onboarding](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/faqs/common-onboarding-issues) | Added information on how to verify if you have successfully onboarded your device to SEED. | -| 17 August 2022 | - [Prerequisites: Remove current antivirus solution on the device](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/prerequisites-for-onboarding?id=remove-existing-software-on-your-device)
- [Ensure Microsoft Defender is configured correctly for your OS](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/verify-microsoft-defender-is-configured-correctly-for-your-os)
- [Offboard macOS device from SEED](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/offboard-device/mac-os?id=step-4-remove-microsoft-defender-for-endpoint)
- [Offboard Windows device from SEED](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/offboard-device/windows?id=step-4-remove-microsoft-defender-for-endpoint) | Earlier, users had to request for the script to remove Microsoft Defender for Endpoint. Users can now download the offboarding script and execute it to remove Microsoft Defender for Endpoint. | -| 10 August 2022 | Included articles on how to clone GitLab and Bitbucket repos with Cloudflare| - [How to clone GitLab repository with Cloudflare](faqs/how-to-clone-a-gitlab-repository-over-ssh-with-cloudflare-access)
- [How to clone Bitbucket repository with Cloudflare](faqs/how-to-clone-a-bitbucket-repository-over-ssh-with-cloudflare-access) -| 20 July 2022 | [SEED status](seed-status) | Included the SEED status page which lists the planned maintenance, ongoing incidents and past incidents.| -| 12 July 2022 | [Announcements](announcements) | Added a new announcement for the Windows password policy to be pushed by Intune for Windows users. | -| 07 July 2022 | [Prerequisites for onboarding device to SEED](prerequisites-for-onboarding) | A new prerequisite is added, and this is applicable only for users whose organisation uses a firewall or other policies restricting the Internet traffic. Provided the link to the Cloudflare resource, which tells about the changes. | -| 24 June 2022 | [Known issues](faqs/known-issues) | Added this topic to list the known issues and the available workarounds for them. | -| 21 June 2022 | [Announcements](announcements) | Added this topic to publish incidents and planned maintenance activities. | diff --git a/faqs/.DS_Store b/faqs/.DS_Store index 6545f155..7336809b 100644 Binary files a/faqs/.DS_Store and b/faqs/.DS_Store differ diff --git a/faqs/_sidebar-old.md b/faqs/_sidebar-old.md deleted file mode 100644 index add587c5..00000000 --- a/faqs/_sidebar-old.md +++ /dev/null @@ -1,15 +0,0 @@ -- **Troubleshoot** - - [Known issues](faqs/known-issues) -- **FAQs** - - [General](faqs/seed-faq-general) - - [Onboarding](faqs/common-onboarding-issues) - - [Cloudflare WARP](faqs/cloudflare-warp-known-issues) - - [Configuration of common Developer CLI tools in Cloudflare WARP](faqs/configuration-of-common-developer-cli-tools-with-cloudflare-warp) - - [Generate and upload Cloudflare diagnostic files](faqs/how-to-generate-and-upload-diagnostic-files-to-incident-support-request) - - [Clone GitLab repository](faqs/how-to-clone-a-gitlab-repository-over-ssh-with-cloudflare-access) - - [Clone Bitbucket repository](faqs/how-to-clone-a-bitbucket-repository-over-ssh-with-cloudflare-access) - - [Device clean-up policy FAQs](faqs/device-clean-up-policy-faqs) - - [Offboarding FAQs](faqs/seed-offboarding-faqs.md) - -- **Additional resources** - - [Back to main](/) diff --git a/faqs/cloudflare-warp-known-issues.md b/faqs/cloudflare-warp-known-issues.md index 45978f70..e5513407 100644 --- a/faqs/cloudflare-warp-known-issues.md +++ b/faqs/cloudflare-warp-known-issues.md @@ -1,257 +1 @@ -# Troubleshoot access issues with Cloudflare WARP - - -
-
-
-
-Unable to browse the internet using Cloudflare WARP
- -Check if you are connected to any VPN. If you are still connected to your VPN, you may not be able to access the internet as it conflicts with your DNS resolver configuration. - -**To resolve this** - -1. Disconnect from your VPN. -2. Make sure only Cloudflare WARP is connected. - -
-
-
-
-Unable to browse the internet when Cloudflare WARP automatically reconnected.
- -If you disconnect Cloudflare WARP on your device, it automatically gets reconnected after three hours. At that time, if you are connected to your VPN, you may not be able to access the internet as it conflicts with your DNS resolver configuration. - -**To resolve this** - -1. Disconnect the device from your WiFi. -2. Reconnect device to your WiFi to reset the DNS resolver settings or restart your device. - -In addition, make sure the VPN configuration does not route all the traffic and DNS queries to the VPN server. Our recommendation is not to turn on WARP and the VPN at the same time. - -
-
- -
-
-
-
-
-Unable to access a particular website. I get an Access restricted error or DNS error while accessing this website.
- -**The following can cause this issue**: - -- Gateway may have blocked these sites as WARP works with Cloudflare Gateway to block websites that are identified as malware sources or a security risk as per our security policy. - -- DNS resolution for the website may fail because of WARP and Gateway. - -**To resolve gateway issues for trusted sites** - -1. Turn off WARP. -2. Ensure Microsoft Defender is running to protect your device against malware. - -?> Note WARP connection will automatically reconnect after three hours. - -**To resolve DNS error for your device** - -macOS
- -1. Go to **Apple** menu > **System Preferences** > **Network**. - - - -2. Select **Wi-Fi** from the left pane and click **Advanced**. - -?> If the lock icon at the lower left appears locked, click it to unlock the preference pane. - - - -3. Go to the **DNS tab** and click the plus icon. - - - -4. Enter 1.1.1.1 and click the plus icon again. - - - -5. Enter 1.0.0.1 and click **OK**. - - - -6. Click **Apply** - - - -7. Restart your browser and verify if you can access the SEED-trusted websites such as GCC 2.0 CMP and any secured public website. -8. If you still cannot access SEED-trusted websites, [create a support request][raise-support-request]. -- -
Windows
- -1. Select **Start** > **Settings** > **Network & Internet**. - - - -2. In the **Status** page, under **Advanced network settings** , select **Change adapter options**. The **Network Connections** page is displayed. -3. Right-click **Wi-Fi** and select **Properties**. - - - -4. Select **Internet Protocol Version 4(TCP/IPv4)** and click **Properties**. - - - -5. In the **General** tab, select **Use the following DNS server addresses**. - - - -?> Note down your existing settings for future reference. - -6. Enter **1.1.1.1** as **Preferred DNS server** and **1.0.0.1** as **Alternate DNS server** addresses. - - - -7. Click **OK** and exit the window. -8. Restart your browser and verify if you can access the SEED-trusted websites such as GCC 2.0 CMP and any secured public website. -9. If you still cannot access SEED-trusted websites, [create a support request][raise-support-request]. - -
-
-
-
-While accessing a website, I get an Access restricted error followed by "Your access to this domain has been blocked as the domain has been identified as a Content Risk by Cloudflare". What can I do?
- -Cloudflare WARP works with Cloudflare Gateway to block websites that may have been classified under security risk categories. - -**To identify Cloudflare category of a domain**: - -1. Go to [Cloudflare Radar](https://radar.cloudflare.com/categorization-feedback/). -2. Enter the domain name of the website and check the categories under which it is classified. For more information on categories and their definitions, refer to [Cloudflare DNS categories](https://developers.cloudflare.com/cloudflare-one/policies/filtering/dns-policies/dns-categories/). -3. If the domain is incorrectly classified, select the relevant categories and click **Submit** to provide your feedback. - -
-
-
-
-While using some tools and applications with Cloudflare WARP Client, why do I get SSL errors?
- -Your tool or application may be using a certificate store that is separate from the trusted root certificate store of your system. - - 1. Download the Cloudflare CA certificate to your root system store(s) from the [Cloudflare documentation page][install-cloudflare-cert-operating-system]. - 2. Refer to your CLI tool documentation and configure it to trust the Cloudflare root certificate. - 3. You can also refer to the following links for instructions to configure your tool or application: - * [GovTech instructions for commonly used CLI tools across Singapore - Government developers][config-cli-tools-with-warp], or - * [Cloudflare instructions for configuring commonly used developer CLI - tools][install-cloudflare-cert-applications]. - -
-
-
-
-Unable to access the GCC 2.0 Cloud Management Portal, or a Singapore Tech Stack service using my GMD.
- -If you are unable to access the GCC 2.0 CMP or any SGTS service using your GMD, do the following: - -1. Confirm the following: - - If you have received the successfully onboarded email from DEEP. - - If you are using only the [supported browsers](additional-resources/best-practices). - - Ensure that Cloudflare WARP client is updated to the latest version and is connected. Go to Cloudflare WARP **Settings**, and ensure that **Gateway with WARP** is selected. - - If Tanium is listed in the **Start** menu for Windows and in **Finder** > **Applications** for macOS. - - If your device operating system is updated to the latest version. - - If Defender is up-to-date and in the running state. - - If your TechPass account has the required permissions to access the GCC 2.0 CMP or a particular SGTS service. - -2. Make sure the VPN configuration does not route all traffic and DNS queries to the VPN server. We recommend not to turn on WARP and the VPN at the same time. - -If you still have issues, [Generate diagnostic report](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/#/faqs/how-to-generate-and-upload-diagnostic-files-to-incident-support-request) and upload it to the [incident support request][raise-support-request]. - -
-
-
-
-I intermittently experience the error message: "That account does not have access" when accessing SGTS services using Cloudflare WARP.
- -This is a known issue with Cloudflare WARP. If you are unable to access any SGTS service, do the following: - -1. Confirm the following: - - If you have received the successfully onboarded email from DEEP. - - If you are using only the [supported browsers](additional-resources/best-practices). - - Ensure that Cloudflare WARP client is updated to the latest version and is connected. Go to the Cloudflare WARP **Settings**, and ensure that **Gateway with WARP** is selected. - - If Tanium is listed in the **Start** menu for Windows and in **Finder** > **Applications** for macOS devices. - - If your device operating system is updated to the latest version. - - If Defender is up-to-date and in the running state. - - If your TechPass account has the required permissions to access the GCC 2.0 CMP or a particular SGTS service. - - If you have restarted your machine. - -2. Make sure the VPN configuration does not route all traffic and DNS queries to the VPN server. We recommend not to turn on WARP and the VPN at the same time. - -If you still have issues, [Generate diagnostic report](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/#/faqs/how-to-generate-and-upload-diagnostic-files-to-incident-support-request) and upload it to the [incident support request][raise-support-request]. - -
-
-
-
-
-
-
- Tanium client returns a 400 Bad Request Error when contacted by the Cloudflare Access landing page via localhost. What should I do?
- -This is due to the time synchronisation issue between Cloudflare and Tanium client. To fix this, resynchronise the local time of your macOS or Windows machine. - -To check and synchronise your device time with the internet time server: - -For macOS device
- - 1. From the **Apple** menu, go to **System Preferences** > **Date & Time**. - 2. Click the lock icon and use your Touch ID or enter your password to unlock. - 3. Select the **Set date and time automatically** checkbox. - 4. To use a custom network time server, enter the domain name of the server in the . -  -For Windows device
- - 1. Open the **Start** menu and click **Settings**. - 1. Choose **Time & Language**. - 1. Turn on **Set time automatically**. - 1. Click **Sync now** to synchronise with the time server. - 1. If you’d like to use a custom network time server, click **Date, time & regional formatting** from **Related Settings** at the upper-right corner. The **Region** settings page is displayed. - 1. Click **Additional date, time & regional settings** from **Related settings** at the upper-right corner. The **Clock and Region settings** page is displayed. - 1. Click **Date and Time**. - 1. Go to the **Internet Time** tab and select **Change settings**. - 1. Enter the domain name of the server. - -
-
-
-
-
- Can I request to include IP addresses or domains in the Cloudflare WARP split tunnel list to exclude them from going through WARP and redirect them to go though other VPN?
- - We strongly encourage agencies to avoid requesting for split tunnel allowlisting to reduce or prevent harmful security attacks. However, if you still intend to allow a VPN IP, [create a support request to request](https://go.gov.sg/seed-techpass-support). Our team may need additional information to evaluate this request. - - For more information, refer to [split tunnel allowlist](additional-resources/split-tunnel-allowlist). - - -
-
-
-
-
-
-
-
-
-
-[raise-support-request]: raise-an-incident-support-request.md
-[install-cloudflare-cert-operating-system]: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/install-cloudflare-cert/#add-the-certificate-to-your-system
-[config-cli-tools-with-warp]: faqs/configuration-of-common-developer-cli-tools-with-cloudflare-warp
-[install-cloudflare-cert-applications]: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/install-cloudflare-cert/#adding-to-applications
-
-[cloudflare-troubleshooting]: https://developers.cloudflare.com/cloudflare-one/faq/teams-troubleshooting/
+!> This documentation is obsolete. Refer to [Cloudflare troubleshooting](https://support.cloudflare.com/hc/en-us/categories/200276217-Troubleshooting) for more details.
\ No newline at end of file
diff --git a/faqs/common-onboarding-issues.md b/faqs/common-onboarding-issues.md
index b0b87a1a..a327ac7a 100644
--- a/faqs/common-onboarding-issues.md
+++ b/faqs/common-onboarding-issues.md
@@ -1,308 +1 @@
-# Onboarding FAQ
-
-What happens when I request for split tunnel allowlisting?
- - We will assess the split tunnel allowlisting requests on a case-by-case basis to ensure that the request does not compromise GCC 2.0 or SGTS applications. - - As part of our security review processes, we will periodically review split tunnel entries to check if they are still necessary. - - For more information, refer to [split tunnel allowlist](additional-resources/split-tunnel-allowlist). - - -
-
-
-
-Can I onboard my GSIB device to SEED?
- - No, you can't onboard your GSIB device to SEED. SEED is an MDM solution only for an Internet Device, which is not a GSIB device. - -
-
-
-
-What should I do if profile installation fails while installing the management profile?
- - - -1. Ensure you received an email from us confirming the licence required for SEED onboarding has been assigned to you. If yes, proceed to step 2. -2. Go to the **Apple** menu > **System Preferences** > **Profiles**. -3. If **Management Profile** is already an existing profile, select it and remove it by clicking the minus icon at the lower-left corner. -4. If you are unable to remove Management Profile, uninstall **Company Portal**. -5. Reinstall [Company Portal](https://go.microsoft.com/fwlink/?linkid=853070). -6. [Onboard your device to SEED](onboard-device/onboard-device-to-seed). - - -
-
-
-
- Microsoft Defender does not get automatically installed after enrolling to Company Portal?
- - This can happen if Defender or any other antivirus solution previously installed on the device was not completely removed before onboarding to SEED. - - To confirm this, [Verify if Microsoft Defender is configured correctly on your device][verify-defender-configuration]. - -
-
-
-
- While onboarding to Microsoft Intune, I get an error Could not download the identity profile from the Encrypted Profile Service. The credentials within the Device Enrolment profile may have expired.
- - One of the possible reasons could be that your device was earlier onboarded to Microsoft Intune by a different user and was not offboarded properly during the pre-onboarding steps. - - To confirm if that is the case, [create a support request][raise-support-request] with your device serial number. - - The SEED team can verify if your device was previously enrolled to Microsoft Intune under a different user. If this is confirmed, choose on the following to offboard it from Microsoft Intune and then retry onboarding your device to SEED. - - - If you are a Windows user, refer to [SEED offboarding steps][seed-offboarding-steps]. - - - If you are a macOS user, go to **System Preferences** and locate the old Management Profile. Refer to [SEED offboarding steps][seed-offboarding-steps]. - -
-
-
-
-What should I do if my device does not get renamed automatically after onboarding to SEED?
- - This can happen if Defender or any other antivirus already installed on the device was not completely removed before onboarding to SEED. To confirm this, [Verify if Microsoft Defender is configured correctly on your device][verify-defender-configuration]. - -
-
-
-
-While enabling Full Disk Access (FDA), I can't find TaniumClient. What should I do?
- - 1. Open the **Terminal** application and run the command: ``sudo chmod 755 /Library/Tanium/TaniumClient``. - 2. Go to the **Apple** menu > **System Preferences** > **Security & Privacy**. - 3. Click the **Privacy** tab. - 4. From the left pane, choose **Full Disk Access**. - 5. Click the lock icon at the lower left and use your Touch ID or enter your password to unlock. - 6. Click the plus icon on the **Full Disk Access** pane. - 7. Go to **Macintosh HD** > **Library** > **TaniumClient** and select the application file **TaniumClient**. - 8. Ensure the checkbox beside **TaniumClient** is selected. - -
-
-
-
-While enabling Full Disk Access (FDA), I can't find Microsoft Intune Agent and Microsoft Defender for Endpoint. What should I do?
- -1. Go to the **Apple** menu > **System Preferences** > **Security & Privacy**. -2. Click the **Privacy** tab. -3. From the left pane, choose **Full Disk Access**. -4. Click the lock icon at the lower left and use your Touch ID or enter your password to unlock. -5. Click the plus icon on the Full Disk Access pane and do the following as required: - - To add **Microsoft Intune Agent**, go to **Macintosh HD** > **Library** > **Intune** and open **Microsoft Intune Agent.app**. - - To add **Microsoft Defender for Endpoint**, go to **Application** > select **Microsoft Defender for Endpoint** and click **Open**. -While enabling Full Disk Access (FDA), I can't find Microsoft Defenders Endpoint Security Extension. Can I proceed with my onboarding?
- -Yes, you may proceed with your SEED onboarding and the Microsoft Defenders Endpoint Security Extension should be available within four hours. If it is still not available after four hours, please create a [Support Request](raise-an-incident-support-request) as it is required to ensure the completeness of your onboarding. - -
-
-
-
-
-When enabling FileVault or Full Disk Access, I am unable to unlock Security & Privacy preferences using my current password.
- -This is because a new password policy has been enforced and you are required to reset your password. - -1. Go to the **Apple** menu and choose **Lock Screen** or press **Command+Control+Q**. -2. Enter your current password and press **Return**. -3. You will be prompted to reset your password. -How do I reset the password for my macOS device?
- -*To reset password while enabling FileVault or FDA* : -1. Go to the **Apple** menu > **Lock Screen** or use keyboard shortcut **Command+Control+Q** . -2. Enter your password and press **return**. You will be prompted to reset password. -3. Reset your password and make sure it meets the following requirements: - - - should contain at least 12 characters - - should not be the same as the previous three passwords - - same character cannot be used consecutively. - - cannot have three sequential characters - - should contain at least one number and one alphabetic character - - -
-
-
-
-After onboarding to SEED, I did not receive the successfully onboarded email. What should I do?
- -Possible reasons could be: - -- Defender or any other antivirus solution previously installed on the device was not completely removed before onboarding to SEED. -- Tanium and Cloudflare did not get installed while onboarding to SEED. - -Before raising a support request, confirm the following: - -- [Verify if Microsoft Defender is configured correctly on your device][verify-defender-configuration]. - -- Check if Tanium and Cloudflare are installed. These applications will be automatically installed while enrolling your device to SEED. If they are not installed, [create a support request][raise-support-request]. - -While enrolling my device to SEED, I get an error Couldn’t add your device. Wait a few minutes, then try again or contact your company support. What should I do? -
- -As suggested wait for few minutes, retry enrolling your device to Microsoft Intune and click **Approve** in the management profile. - -
-
-
-
-While approving the management profiles, I get a message Profiles cannot be approved while using remote or automated input method. What should I do?
- - Upgrade to the [latest macOS version][upgrade-macos] and ensure there is enough disk space available on your Mac device before retrying. - -What should I do when I get an error You can’t use this version of the application Company Portal with this version of OS X.
- - Upgrade to the [latest macOS version][upgrade-macos]. - -
-
-
-How to confirm if I have successfully onboarded my Internet Device to SEED?
- -When you complete onboarding your device to SEED, within the next two hours, you should receive the successfully onboarded email in your inbox (organisational email address). - -If you don't receive this email after two hours, please submit an [incident request](https://go.gov.sg/seed-techpass-support). - -
-
-
-Do I need to change my SEED onboarding password after a year, and what are the password requirements for it?
- - Yes, you are required to change your SEED onboarding password after a year. The password requirements for SEED onboarding are as follows: - -- It should contain at least 12 characters. -- It should not be the same as the previous three passwords. -- The same character cannot be used consecutively. -- It cannot have three sequential characters. -- It should contain at least one number and one alphabetic character. -
-
-
-
-
-
-
-
-
-After resetting my macOS password, I am unable to log in using the new password, why?
- -This may occur if your new password does not meet the following password requirements: - - - should contain at least 12 characters. - - should not be the same as the previous three passwords. - - same character cannot be used consecutively. - - cannot have three sequential characters. - - should contain at least one number and one alphabetic character. - -Following are the three options available to reset your password: - -Reset password using Apple ID
- - Refer to [Reset your Mac login password uisng Apple ID](https://support.apple.com/en-gb/guide/mac-help/mh35902/mac) for step-by-step instructions. - -Reset password using recovery key
- - **To reset password using recovery key** - - 1. Click the question mark next to the password field in the login window. - - ?> If you don't see a question mark, press and hold the power button until your Mac shuts down, then press the power button to restart your Mac. Alternatively, enter any password three times. - - 2. Click **If you forgot your password, you can reset it using your Recovery Key**. - 3. Enter the recovery key. Make sure to use uppercase letters and to enter the hyphens. - 4. Reset your password. - -
-
-Reset password using recovery mode
- - If you have do not have an Apple ID or a recovery key, depending on the chip on your Mac device, start your Mac in recovery mode to reset password. - - - -#### **M1 chip** - 1. Restart or shutdown the device by pressing the power button until the screen is black and any lights (including in the Touch Bar) are off. - 1. Press and hold the power button on your Mac until the **Loading startup options** appears. After a few seconds you’ll see two icons: **Macintosh HD** and **Options**. - 1. Click **Options** and choose the user account for which you know the password and click **Next**. - 1. Enter the password to continue. - 1. Go to **Applications** > **Utilities** > **Terminal**. - 1. Enter `resetpassword` and press `return`. The **Reset Password** assistant will be displayed. - 1. Select **My password doesn’t work when logging in** and click **Next**. - 1. If prompted, select the user account for which you need to change password. - 1. Type the old password and new password in the respective fields. - 1. Type the new password in **Verify password** and specify a **Password hint**. - 1. Click **Next**. - 1. Restart your device and in the login screen, choose your user account and type your new password. - - - > **Notes**: - > - >1. If you are still unable to reset your password, repeat steps 1-6. - >2. Select **My keyboard isn't working when typing my password to log in** and click **Next**. - >3. Disable FileVault on the volume **Macintosh HD**. - >4. Restart your device and in the login screen, choose your user account and type your new password. - -#### **Intel chip** - - 1. Restart the device by pressing the power button while holding down the `Command + R` keys. - 1. Release the keys when you see the load bar. - 1. Go to **Applications** > **Utilities** > **Terminal**. - 1. Enter `resetpassword` and press `return`. The **Reset Password** assistant will be displayed. - 1. Select **My password doesn’t work when logging in** and click **Next**. - 1. If prompted, select the user account for which you need to change password. - 1. Type the old password and new password in the respective fields. - 1. Type the new password in **Verify password** and specify a **Password hint**. - 1. Click **Next**. - 1. Restart your device and in the login screen, choose your user account and type your new password. - - - > **Notes**: - > - >1. If you are still unable to reset your password, repeat steps 1-4. - >2. Select **My keyboard isn't working when typing my password to log in** and click **Next**. - >3. Disable FileVault on the volume **Macintosh HD**. - >4. Restart your device and in the login screen, choose your user account and type your new password. - - - -
-
1. Ensure the device you are onboarding to SEED has a stable internet connectivity until you see the **Onboarded** Status on the TechPass portal.
2. Go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Create a support request](https://go.gov.sg/seed-techpass-support). | -| Software Installation Error | 1. Restart the device you are onboarding to SEED.
2. After 10-15 minutes, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Create a support request](https://go.gov.sg/seed-techpass-support).| -| Internal Error | 1. Restart the device you are onboarding to SEED.
2. After 10-15minutes, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Create a support request](https://go.gov.sg/seed-techpass-support).| -| Device that is trying to onboard is a DWP device. Please onboard with a non-DWP device.| You can't onboard DWP device to SEED. You can onboard only an Internet Device to SEED. | - -
-
-
-
-
-
-
-
-
-
-
-[verify-defender-configuration]: verify-microsoft-defender-is-configured-correctly-for-your-os.md
-[raise-support-request]: raise-an-incident-support-request.md
-[seed-offboarding-steps]: offboard-device/offboard-device-from-seed.md
-[upgrade-macos]: https://support.apple.com/downloads/macos
+!> This documentation has moved to [Onboarding FAQ](/post-onboarding-instructions/onboarding-faq).
\ No newline at end of file
diff --git a/faqs/configuration-of-common-developer-cli-tools-with-cloudflare-warp.md b/faqs/configuration-of-common-developer-cli-tools-with-cloudflare-warp.md
new file mode 100644
index 00000000..ce34403c
--- /dev/null
+++ b/faqs/configuration-of-common-developer-cli-tools-with-cloudflare-warp.md
@@ -0,0 +1 @@
+!> This documentation is obsolete. Refer to [SHIP-HATS documentation](https://docs.developer.tech.gov.sg/docs/ship-hats-docs/) for more details.
\ No newline at end of file
diff --git a/faqs/device-clean-up-policy-faqs.md b/faqs/device-clean-up-policy-faqs.md
index c9782eca..fefaa48d 100644
--- a/faqs/device-clean-up-policy-faqs.md
+++ b/faqs/device-clean-up-policy-faqs.md
@@ -1,57 +1 @@
-# Device clean-up policy FAQs
-
-While I register my Intune Device ID on the TechPass portal, what should I do if my onboarding fails due to one of the following reasons?
- -As a prerequisite, ensure the device you are onboarding to SEED has a stable internet connectivity until you see the **Onboarded** Status on the TechPass portal. - - - -| Reason for failed onboarding | Action required | -| ---|---| -| Unexpected Error| [Create a support request](https://go.gov.sg/seed-techpass-support). | -| Software Misconfiguration Error | [Create a support request](https://go.gov.sg/seed-techpass-support).| -| Endpoint Error |1. Ensure the device you are onboarding to SEED has a stable internet connectivity until you see the **Onboarded** Status on the TechPass portal.
2. Go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Create a support request](https://go.gov.sg/seed-techpass-support). | -| Software Installation Error | 1. Restart the device you are onboarding to SEED.
2. After 10-15 minutes, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Create a support request](https://go.gov.sg/seed-techpass-support).| -| Internal Error | 1. Restart the device you are onboarding to SEED.
2. After 10-15minutes, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Create a support request](https://go.gov.sg/seed-techpass-support).| -| Device that is trying to onboard is a DWP device. Please onboard with a non-DWP device.| You can't onboard DWP device to SEED. You can onboard only an Internet Device to SEED. | - -
-
-
-
-I am regularly using TechPass account on my GSIB device, is my GMD considered to be active?
- -No, GMD is considered to be active only if you regularly log in to it. Your GMD becomes inactive if you have not logged into it for 90 consecutive days. - -What happens if my device become inactive?
- -If your GMD becomes inactive, its records are "soft deleted" from the Intune portal. - -When your device records are "soft deleted", it does not wipe or retire the device. The device record is temporarily deleted from Intune. - -How to restore my device records on Intune?
- - -Log in to your GMD device provided: - -- Your TechPass account is still active. Note to re-enable a disabled TechPass account, see [TechPass Account Management FAQ](https://docs.developer.tech.gov.sg/docs/techpass-user-guide/support/account) -- Your MDM certificate is still active, or is within 180 days after its expiry. For more information, refer to MDM certificate on [MDM certificate and device clean-up policy](device-clean-up-policy). - -I am back to work after taking leave for 3 or more months, do I need to re-onboard my device to SEED?
- - -Refer to MDM certificate on [MDM certificate and device clean-up policy](device-clean-up-policy). - -Will I receive any notification regarding MDM certificate expiration?
- - -No, you won’t receive any notification for this. - -How should I re-onboard to SEED?
- - -1. [Offboard the device from SEED](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/offboard-device/offboard-device-from-seed) -2. [Request for SEED provisioning](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/prerequisites-for-onboarding) -3. [Onboard the device to SEED](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/onboard-device/onboard-device-to-seed). - -What data can I store on a Government Managed Device (GMD)?
+ +GMDs are intended to facilitate development work for accessing GCC 2.0 and SGTS securely. Do not store production or live data on GMDs. + +Can I install unlicensed software or tools on my Government Managed Device (GMD)?
+ +Installing unlicensed software on your GMD is strictly prohibited. GMDs are government-managed, and this policy ensures security and compliance. Unauthorised software compromises security and violates regulations. + +If you need a particular software for your development work, please follow your organisation's processes to obtain the legitimate version. Refer to [Terms of policies](/additional-resources/terms-and-policies.md)for details. + +Can I bring and use my Government Managed Device (GMD) overseas?
+ +Users should assess the risk and seek approval from their Reporting Officer (RO) before doing so. + +I have lost my Government Managed Device (GMD). What should I do?
+ +1. Notify your manager and operations manager to approve data deletion on the lost device. +2. [Raise a service request](https://go.gov.sg/seed-techpass-support) to notify the SEED team about the lost device. +3. Mention any sensitive data in the request to prioritise remote wiping. +4. Attach manager approvals for necessary actions to prevent data breaches. + +What happens when the security of a Government Managed Device (GMD) is compromised?
+ + When SEED detects a compromised device, it contacts the owner for disconnection. After obtaining owner and manager approvals, SEED performs a remote wipe. + +> **Note**: +> The device must be powered on and connected to the internet for remote wiping. + +What happens when a remote wipe is performed on a Government Managed Device (GMD)?
+ + Remote wipe erases all data on the device, performed only for theft, loss, or security compromise. For more information, refer to the [Terms and policies](/additional-resources/terms-and-policies). + +Is remote wipe done only on devices that belong to public sector agencies?
+ + No, remote wipe applies to any lost or compromised GMD to prevent data breaches. For more information, refer to the [Terms and policies](/additional-resources/terms-and-policies). + +What should I do if my device has been inactive for 180 days?
+ +If your device is no longer required to access SEED, please offboard your device. For detailed steps on offboarding your Mac, click [here](/offboard-device/macos-offboarding-guide.md), and for Windows, click [here](/offboard-device/windows-offboarding-guide.md). If you still require access after being inactive for 180 days, please email enquiries_seed@tech.gov.sg for assistance. + +What should I do if I want to check if my device record has been deleted?
+ +Log in to [SEED Dashboard](https://dashboard.seed.tech.gov.sg/) after 26 October 2023 to see whether your device record still exists. If your device record does not exist, or you are unable to log into SEED Dashboard, your device records have been cleaned up. + +What should I do if my device record has been deleted even though it is still active?
+ +Please email enquiries_seed@tech.gov.sg for assistance. + +Why am I prompted to turn on my system integrity protection on my macOS device?
+ + This is a SEED policy requirement. System Integrity Protection enhances macOS security and is designed to help prevent potentially malicious software from modifying protected files and folders on your macOS. System Integrity Protection restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS. + + +Why do I need to turn on File Vault encryption?
+ + FileVault encryption is essential to ensure device security and compliance. + +Why does my device slow down after onboarding to Microsoft Intune?
+ + SEED uses **Microsoft Defender for Endpoint** for security. Other antivirus software may impact performance. Disable or uninstall non-**Microsoft Defender for Endpoint** antivirus software. + +Previously, I have successfully onboarded my Internet Device to SEED, but now I received an email indicating limited access to SEED-protected resources. Why, and what should I do?
+ +This suggests SEED detected device configuration issues. For example, an unhealthy Microsoft Defender. For resolution: + +- Offboard your device if access is no longer needed. + +- [Raise a service request](https://go.gov.sg/seed-techpass-support) to restore access to SEED-protected resources. Specify that your SEED access was revoked due to device misconfiguration, allowing us to process the request accordingly. + +Why did I receive the successfully onboarded email again?
+ +Receiving this email again indicates that services ensuring SEED compliance may have had configuration issues, temporarily affecting SEED access. + +Do I need to re-onboard my device to SEED after returning from a long leave?
+ +If you belong to the TechPass Entra ID and your GMD has not been logged into for 90 consecutive days, the GMD becomes inactive, and its' records are softly removed from the Intune portal. + +It is important to understand that when your device records are softly removed, it does not perform a device wipe or retirement. Instead, the device record is temporarily taken out of Intune. + +Consequently, SEED administrators will no longer have access to details such as the device's health status, and they will not be able to manage it from the SEED Dashboard. + +Will I receive any notification of MDM certificate expiration?
+ +No, you will not receive any notification for this. + +
+
diff --git a/faqs/how-to-clone-a-bitbucket-repository-over-ssh-with-cloudflare-access.md b/faqs/how-to-clone-a-bitbucket-repository-over-ssh-with-cloudflare-access.md
new file mode 100644
index 00000000..ce34403c
--- /dev/null
+++ b/faqs/how-to-clone-a-bitbucket-repository-over-ssh-with-cloudflare-access.md
@@ -0,0 +1 @@
+!> This documentation is obsolete. Refer to [SHIP-HATS documentation](https://docs.developer.tech.gov.sg/docs/ship-hats-docs/) for more details.
\ No newline at end of file
diff --git a/faqs/how-to-clone-a-gitlab-repository-over-ssh-with-cloudflare-access.md b/faqs/how-to-clone-a-gitlab-repository-over-ssh-with-cloudflare-access.md
new file mode 100644
index 00000000..ce34403c
--- /dev/null
+++ b/faqs/how-to-clone-a-gitlab-repository-over-ssh-with-cloudflare-access.md
@@ -0,0 +1 @@
+!> This documentation is obsolete. Refer to [SHIP-HATS documentation](https://docs.developer.tech.gov.sg/docs/ship-hats-docs/) for more details.
\ No newline at end of file
diff --git a/faqs/how-to-generate-and-upload-diagnostic-files-to-incident-support-request.md b/faqs/how-to-generate-and-upload-diagnostic-files-to-incident-support-request.md
index 38568ae8..da5d6f6c 100644
--- a/faqs/how-to-generate-and-upload-diagnostic-files-to-incident-support-request.md
+++ b/faqs/how-to-generate-and-upload-diagnostic-files-to-incident-support-request.md
@@ -1,83 +1 @@
-# How to generate and upload diagnostic files to incident support request
-
-If you have connectivity issues while accessing GCC 2.0 CMP or SGTS services, refer to [create support request](#raise-an-incident-support-request).
-
-- To troubleshoot Cloudflare WARP, Tanium, Defender or Intune issues, attach [diagnostic file for Cloudflare Access](#generate-cloudflare-access-diagnostic-file) and [diagnostic file for Cloudflare WARP](#generate-cloudflare-warp-diagnostic-logs) to the service request.
-
-- To troubleshoot connectivity issues for GCC 2.0 CMP or SGTS services, [Generate HAR file](#generate-har-file) and attach it to the service request.
-
-
-## Generate Cloudflare Access diagnostic file
-
-1. Log in to [Cloudflare Access Application Launcher](https://gccgovsg.cloudflareaccess.com).
-2. Click your profile name in the upper-right corner and choose **Account**.
-3. Go to **Diagnostics** section and click **Click to copy**.
-5. Paste the copied information to a text file and attach it to the support request.
-
-## Generate Cloudflare WARP diagnostic logs
-
-1. Depending on your OS, run the provided command to get the Cloudflare WARP diagnostics.
-
-Do I need to change my SEED onboarding password after a year, and what are the password requirements for it?
+ + Yes, you are required to change your SEED onboarding password after a year. The password requirements for SEED onboarding are as follows: + +- It should contain at least 12 characters. +- It should not be the same as the previous three passwords. +- The same character cannot be used consecutively. +- It cannot have three sequential characters. +- It should contain at least one number and one alphabetic character. +
-
-
- Windows
- - ``` - C:\Program Files\Cloudflare\Cloudflare WARP\warp-diag.exe - - ``` - -
-
-
-Logs and diagnostic information captured by Cloudflare WARP will be saved as a zip file on your Desktop.
-
-2. Attach the zip file to the support request.
-
-
-## Generate HAR file
-
-This section provides the instructions to generate HAR file for the [supported browsers](additional-resources/best-practices) when you experience problems connecting to the GCC 2.0 CMP or SGTS services.
-
-- [Google Chrome](#generate-har-file-for-google-chrome)
-
-- [Mozilla Firefox](#generate-har-file-for-mozilla-firefox)
-
-- [Microsoft Edge](#generate-har-file-for-microsoft-edge)
-
-### Generate HAR file for Google Chrome
-
-1. Open Google Chrome and right-click anywhere and select **Inspect** or press Command+Option+C (Mac) or Control+Shift+C (Windows). The Developer tools panel will be displayed.
-1. Go to **Network** and select **Preserve log**.
-1. Log in to the [GCC 2.0 CMP](https://cmp.gcc.gov.sg/) or access the SGTS service through Cloudflare Access.
-1. Verify if a request was made to 127.0.0.1/zero_trust/auth with a 200 ok response. If not, please specify this in your support request.
-1. Right click on any item within the **Network** tab and click **Save All as HAR with content**.
-1. Save the HAR file.
-
-### Generate HAR file for Mozilla Firefox
-
-?> Note: Make sure your Mozilla Firefox is configured to trust your system's trusted root certificate store.
-
-1. Open Firefox and go to application menu > **More tools** > **Web Developer Tools** or press Ctrl+Shift+I (Windows) or Command+Option+I (macOS) and click **Network**. The Developer Tools will be displayed.
-2. Click **Network Settings** in the upper-right of the Developer Tools panel and enable **Persist Logs**.
-3. Log in to the [GCC 2.0 CMP](https://cmp.gcc.gov.sg/) or access the SGTS service through Cloudflare Access.
-4. Verify that a request was made to 127.0.0.1/zero_trust/auth with a 200 ok response. If not, please specify this in your support request.
-6. Right click the log of network requests and choose **Save All as HAR**.
-7. Save the HAR file.
-
-### Generate HAR file for Microsoft Edge
-
-1. Open Microsoft Edge and go to application menu > **More tools** > **Developer tools** or or Control+Shift+I (Windows) or Command+Option+I (macOS). The Developer tools will be displayed.
-2. Go to **Network** and select **Preserve log**.
-4. Try to login to the [GCC 2.0 CMP](https://cmp.gcc.gov.sg/) or access the SGTS service through Cloudflare Access
-5. Verify that a request was made to 127.0.0.1/zero_trust/auth with a 200 ok response. If not, please specify this in your support request.
-6. Right click the log of network requests and click **Save All as HAR with content**.
-7. Save the HAR file.
+!> This documentation has moved to [Generate diagnostic files](/support/generate-diagnostic-files.md) for more details.
\ No newline at end of file
diff --git a/faqs/known-issues.md b/faqs/known-issues.md
index 2377b6dc..ffdface1 100644
--- a/faqs/known-issues.md
+++ b/faqs/known-issues.md
@@ -1,132 +1 @@
-# Known issues
-
-Following is the list of known issues that may impact SEED users:
-
-**Issues**
-
-- [Issue 1: Intermittently experience the error *Account does not have access*](#issue-1)
-- [Issue 2: Users may experience connectivity issues](#issue-2)
-- [Issue 3: User experience issues while accessing or loading Slack](#issue-3)
-- [Issue 4: Unable to access AWS documentation](#issue-4)
-
-
-## Issue 1
-
-**Intermittently experience the error *Account does not have access*.**
-
-When accessing SGTS services using Cloudflare WARP, user intermittently experience an error message which states *That account does not have access*.
-
-**Workaround**
-
-1. Confirm the following:
-
- - If you have received the successfully onboarded email from DEEP.
- - If you are using only the [supported browsers](additional-resources/best-practices).
- - Is your Cloudflare WARP client connected and is it the latest version.
- - Open Cloudflare WARP **Settings**, and verify if **Gateway with WARP** is selected.
- - If your device is a Windows device, go to the **Start** menu and verify if Tanium is listed.
- - If your device is a macOS device, go to **Finder** > **Applications** and search for Tanium.
- - If your device operating system is updated to the latest version.
- - If Defender is up-to-date and in the running state.
- - If your TechPass account has the required permissions to access the GCC 2.0 CMP or a particular SGTS service.
-
-> **Note**
->- SEED does not support running other VPN clients together with Cloudflare WARP.
->- We recommend not to turn on WARP and the VPN at the same time.
-
-2. Verify if you are running any VPN client concurrently with WARP turned on and complete the following steps as needed:
-
- a. If yes, make sure the VPN configuration does not route all traffic and DNS queries to the VPN server.
-
- b. If no, proceed to step 3.
-
-3. If you still have issues, [Generate diagnostic report](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/#/faqs/how-to-generate-and-upload-diagnostic-files-to-incident-support-request) and upload it to the [incident support request](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/raise-an-incident-support-request).
-
-## Issue 2
-
-**Users experience connectivity issues**
-
-Cloudflare has reported connectivity issues for its users whose macOS WARP client version is earlier than 2022.12.583.0 (20230112.24). These users may experience intermittent connectivity issues while trying to access websites over the internet.
-
-**Workarounds**
-
-**Workaround 1**: Update Cloudflare WARP client to the latest version.
-
-**To update your Cloudflare WARP client**
-
-1. Open Cloudflare WARP on your GMD.
-2. Click **Settings** > **About WARP**.
-3. Click **Check for Updates**. Details of the latest version are displayed.
-
-> **Note**
->- If you experience an error stating that Cloudflare is unable to check for updates, try turning off Cloudflare WARP, ensure that you are able to connect to Internet sites and repeat steps 1-3.
-
-4. Click **Install Updates** to download the latest version.
-5. When prompted, enter your device password and click **OK**.
-6. Click **Install and Relaunch** to install the downloaded latest version of Cloudflare WARP.
-7. Repeat steps 1-2 and confirm if the latest Cloudflare version is installed on your GMD.
-
-- **If you are unable to upgrade or still have issues, uninstall WARP and install the latest version**
-
-
-
-#### **macOS**
-
-1. To uninstall the existing WARP client, open the **Terminal** app and run the following command.
-
- ```
- sudo /bin/sh /Applications/Cloudflare\ WARP.app/Contents/Resources/uninstall.sh
- ```
-2. Enter your macOS password when prompted. You will be prompted to confirm the uninstallation.
-
- ```Do you want to uninstall Cloudflare WARP app? Enter Y to proceed or N to exit.```
-
-3. Enter `Y`. When WARP is successfully uninstalled, the message ```Finished uninstallation!``` is displayed.
-
-4. Install the latest WARP client for macOS.
-
-#### **Windows**
-
- 1. To uninstall the existing WARP client, click the **Start** icon on the taskbar.
- 2. Go to **Settings** > **Apps** and search for **Cloudflare WARP**.
- 3. Choose Cloudflare WARP and then click **Uninstall**.
-
- 4. Install the latest WARP client for Windows.
-
-
-
-
-
-## Issue 3
-
-**Users experience issues while accessing or loading Slack**
-
-Users experience intermittent connectivity issues while trying to accessing Slack application over the internet.
-
-**Workaround**
-
-See [Issue 2](#issue-2) for the possible workaround. If you still experience this issue, create a [support request](https://go.gov.sg/seed-techpass-support).
-
-## Issue 4
-
-**Unable to access AWS documentation**
-
-Users are unable to access AWS documentation if Cloudflare Warp is turned on. Cloudflare has stated that it has resolved this issue.
-
-**Workaround**
-
-If you continue to experience this issue, create a [support request](https://go.gov.sg/seed-techpass-support).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+!> This documentation has moved to [Troubleshooting issues](/support/troubleshooting-issues).
\ No newline at end of file
diff --git a/faqs/offboarding-faq.md b/faqs/offboarding-faq.md
new file mode 100644
index 00000000..5961d2eb
--- /dev/null
+++ b/faqs/offboarding-faq.md
@@ -0,0 +1,148 @@
+# Offboarding FAQ
+
+macOS
- - ``` -/Applications/Cloudflare\ WARP.app/Contents/Resources/warp-diag - -``` - -
+
+
+What should I do if I cannot download the offboarding package?
+ +Raise a [service request](https://go.gov.sg/seed-techpass-support) and request the offboarding package for your Defender organisation. + +
+
+
+What should I do if I am unable to log in to my device?
+ +1. Raise a [service request](https://go.gov.sg/seed-techpass-support). +2. In **Details**, enter the text *I am unable to offboard my device from SEED components but I would like to submit my Intune Device ID to offboard my device from SEED*. +3. Select SEED as **TechPass Tenant**. +4. Select Production as **Environment**. +5. Provide all the required details and submit the form. + +
+
+
+Why do I get the error Unknown Tenant detected while running the offboarding package?
+ +This error indicates that you are not a SEED user or your device was not properly enrolled in SEED. + +If you had properly onboarded your device to SEED earlier but still get this error, please [raise a service request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support. + +
+
+
+What should I do if I receive the error Defender offboarding package has expired! Please download a new offboarding package from the docs portal while running the offboarding package?
+ +This error indicates that your offboarding package is outdated. + +For detailed steps on offboarding your device, please refer to the appropriate guide: +- [Windows offboarding steps](/offboard-device/windows-offboarding-guide.md) +- [macOS offboarding steps](/offboard-device/macos-offboarding-guide.md) + +Download the offboarding package from the provided page and complete the offboarding steps. + +If you continue to experience the same or any other error, [raise a service request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support. + +
+
+
+What should I do if I encounter an error on my macOS device while running the offboarding package to remove SEED components like Cloudflare WARP, Microsoft Defender, or Tanium Client?
+ +Try running the script again. If you still experience any error, [raise a service request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support. + +
+
+
+What should I do if I receive the error Intune ID not found. Please manually input your Intune ID after successfully completing Phase A to offboard my device from SEED components.
+ +You may encounter this error if we are unable to auto-retrieve your Intune Device ID due to incorrect configurations on your device. + +1. To get your Intune Device ID, either: + - Go to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile) and retrieve the Intune Device ID from your account profile. + - If you cannot access the TechPass portal, [raise a service request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support to obtain your Intune Device ID. + +2. Once you have your Intune Device ID, proceed with **Phase B: Submit Intune Device ID** to remove the device record. + +If there is a significant time lapse between Phase B and Phase A, the latest version of the SEED components may be reinstalled on your device. In that case, you need to repeat **Phase A: Offboard device from SEED components**. + +
+
+
+What should I do if I received an email stating that my offboarding was unsuccessful?
+ +This can happen if you submitted an incorrect Intune Device ID. + +1. To get your correct Intune Device ID, either: + - Retrieve the Intune Device ID from your account profile on the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). + - If you cannot access the TechPass portal, [raise a service request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support to obtain the correct Intune Device ID. + +2. Complete the offboarding steps for your device. + +For detailed steps on offboarding your device, please refer to the appropriate guide: +- [Windows offboarding steps](/offboard-device/windows-offboarding-guide.md) +- [macOS offboarding steps](/offboard-device/macos-offboarding-guide.md) + +If your offboarding is still unsuccessful despite submitting the correct Intune Device ID, please [raise a service request](https://go.gov.sg/seed-techpass-support). + +
+
+
+What should I do if I did not receive the successfully offboarded email after submitting my Intune Device ID
+ +It may take up to 30 minutes for the SEED team to send the successfully offboarded email to you. If you still have not received this email, please [raise a service request](https://go.gov.sg/seed-techpass-support). + +If the TechPass and SEED support team completes the offboarding for you, you may not receive this email from the SEED team. However, the TechPass and SEED support team can confirm if you have successfully offboarded your device from SEED. + +How do I offboard from Defender using Hive offboarding package if my Internet Device belongs to Hive organisation?
+ + + +If your Defender organisation is Hive, contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package and follow the below steps for your device: + +macOS
+ +1. Save the offboarding script to the **Downloads** folder. + + > **Note**: + > Check if the script that you received has not yet expired. The expiry date is indicated on the file name. For example, hive_mac_valid_until_2023-04-30.sh + +2. Go to the **Terminal** and run the following commands: + ``` + sudo mdatp config tamper-protection enforcement-level --value audit + + sudo /bin/sh ~/Downloads/Windows
+ +1. Save the offboarding script in your **Downloads** folder. + + > **Note**: + > Check if the script that you received has not yet expired. The expiry date is indicated on the file name. For example, *hive_windows_valid_until_2023-09-07.cmd*. + +2. Go to **Start** and type **cmd**. +3. Right-click on **Command Prompt** and select **Run as administrator**. +4. If prompted, enter your Windows password. +5. Run the following commands: + ``` + cd "%USERPROFILE%\Downloads\" + + .\
+
+
+How can I confirm the successful onboarding of my Internet Device to SEED?
+ +After completing the onboarding process for your device to SEED, you should expect to receive a confirmation email indicating successful onboarding within two hours. This email will be sent to your organizational email address. + +If you have not received the confirmation email after this two-hour period, [raise a service request](https://go.gov.sg/seed-techpass-support) for assistance. +
+
+What should I do if profile installation fails during management profile installation?
+ +1. Ensure you have received an email confirming that the required SEED onboarding license has been assigned to you. If you have received this confirmation, proceed to step 2. +2. Navigate to the **Apple** menu > **System Preferences** > **Profiles**. +3. If you already have an existing **Management Profile**, select it and remove it by clicking the minus icon at the lower-left corner. +4. If you encounter difficulties removing the **Management Profile**, uninstall **Company Portal**. +5. Reinstall [Company Portal](https://go.microsoft.com/fwlink/?linkid=853070). +6. [Onboard your device to SEED](onboard-device/identify-onboarding-persona). + +
+
+How does enrolling my device with Microsoft Intune or other MDM solutions impact my SEED onboarding?
+ + Enrolling your device with Microsoft Intune or other MDM solutions can have an impact on your SEED onboarding process. It's important to remove any existing enrollments with Microsoft Intune or other MDM solutions from your device before proceeding with SEED onboarding. + +
+
+What data is collected by Microsoft Intune?
+ + To learn about the data collected by Microsoft Intune, please refer to [Data collection in Intune](https://docs.microsoft.com/en-us/mem/intune/protect/privacy-data-collect). + +
+
+
+Why is Microsoft Defender not automatically installed after enrolling in Company Portal?
+ + This can happen if Defender or any other antivirus solution previously installed on the device was not completely removed before onboarding to SEED. Please verify that Microsoft Defender is correctly configured on your device. + + For detailed steps on verifying Microsoft Defender on your device, please refer to the appropriate guide: + - [macOS 14 and 13](/post-onboarding-instructions/macos-latest.md) + - [macOS 12](/post-onboarding-instructions/macos.md) + - [Windows](/post-onboarding-instructions/windows.md) + +
+
+
+While onboarding to Microsoft Intune, I receive an error message: "Could not download the identity profile from the Encrypted Profile Service. The credentials within the Device Enrolment profile may have expired." What should I do?
+ + One possible reason for this error is that your device may have been previously onboarded to Microsoft Intune by a different user and was not properly offboarded during the pre-onboarding steps. + + To confirm this, please [raise a service request](https://go.gov.sg/seed-techpass-support) and provide your device's serial number. The SEED team will investigate whether your device was previously enrolled in Microsoft Intune under a different user. + + If this is confirmed, you can choose one of the following options to offboard your device from Microsoft Intune and then retry the SEED onboarding process: + + - For Windows users, refer to the [SEED offboarding steps for Windows](/offboard-device/windows-offboarding-guide.md). + - For macOS users, go to **System Preferences** and locate the old Management Profile. Follow the [SEED offboarding steps for macOS](/offboard-device/macos-offboarding-guide.md). +
+
+
+
+What should I do if my device is not automatically renamed after SEED onboarding?
+ + This can happen if Defender or any other antivirus already installed on the device was not completely removed before onboarding to SEED. To confirm this, verify if Microsoft Defender is configured correctly on your device. + +
+
+
+While enabling Full Disk Access (FDA), I could not find TaniumClient. What should I do?
+ + If **TaniumClient** is not visible while enabling Full Disk Access (FDA), follow these steps: + + + 1. Open the **Terminal** application and run the command: ``sudo chmod 755 /Library/Tanium/TaniumClient``. + 2. Go to the **Apple** menu > **System Preferences** > **Security & Privacy**. + 3. Click the **Privacy** tab. + 4. From the left pane, choose **Full Disk Access**. + 5. Click the lock icon at the lower left and use your Touch ID or enter your password to unlock. + 6. Click the plus icon on the **Full Disk Access** pane. + 7. Go to **Macintosh HD** > **Library** > **TaniumClient** and select the application file **TaniumClient**. + 8. Ensure the checkbox beside **TaniumClient** is selected. + +
+
+
+While enabling Full Disk Access (FDA), I cannot find Microsoft Intune Agent and Microsoft Defender for Endpoint. What should I do?
+ + If **Microsoft Intune Agent** and **Microsoft Defender for Endpoint** are not visible while enabling Full Disk Access (FDA), follow these steps: + +1. Go to the **Apple** menu > **System Preferences** > **Security & Privacy**. +2. Click the **Privacy** tab. +3. In the left pane, select **Full Disk Access**. +4. Click the lock icon at the lower left and use your Touch ID or enter your password to unlock. +5. Click the plus icon on the **Full Disk Access** pane and follow these steps as needed: + - To add "Microsoft Intune Agent," navigate to **Macintosh HD** > **Library** > **Intune** and open **Microsoft Intune Agent.app**. + - To add "Microsoft Defender for Endpoint," go to **Applications**, select **Microsoft Defender for Endpoint**, and click **Open**. + +
+
+
+While enabling Full Disk Access (FDA), I cannot find Microsoft Defender Endpoint Security Extension. Can I proceed with onboarding?
+ + Yes, you can proceed with your SEED onboarding, and **Microsoft Defender Endpoint Security Extension** should become available within four hours. If it does not become available after four hours, please [raise a service request](https://go.gov.sg/seed-techpass-support) as it is necessary to ensure the completeness of your onboarding. + +
+
+
+When enabling FileVault or FDA, I am unable to unlock Security & Privacy preferences using my current password. What should I do?
+ + This issue may arise due to a new password policy that requires you to reset your password. + + Follow these steps: + +1. Go to the **Apple** menu and choose **Lock Screen** or press **Command+Control+Q**. +2. Enter your current password and press **Return**. +3. You will be prompted to reset your password. +
+
+
+
+I did not receive the successfully onboarded email after onboarding to SEED. What should I do?
+ +Possible reasons: + +- Microsoft Defender or any other antivirus solution previously installed on the device was not completely removed before onboarding to SEED. +- Tanium and Cloudflare were not installed while onboarding to SEED. + +Before raising a service request, confirm the following: + +- Verify if Microsoft Defender is configured correctly on your device. + +- Check if Tanium and Cloudflare are installed. These applications should be automatically installed during device enrolment with SEED. If they are not installed, [raise a service request](https://go.gov.sg/seed-techpass-support). + +
+
+
+While approving the management profiles, I get a message Profiles cannot be approved while using remote or automated input method. What should I do?
+ + To resolve this issue, upgrade to the [latest macOS version][upgrade-macos] and ensure your Mac device has sufficient available disk space before attempting to approve the management profiles. + + +
+
+
+
+How can I reset my password on macOS?
+If you encounter password reset issues on macOS, it may be due to new password requirements. Before you proceed to reset your macOS password, please ensure that the new password meets the following requirements: + +- It should contain at least 12 characters. +- It should not be the same as the previous three passwords. +- The same character cannot be used consecutively. +- It cannot have three sequential characters. +- It should contain at least one number and one alphabetic character. + +Now, here are three options for resetting your macOS password: + +
+
+
+Reset password using Apple ID
+ +Refer to [Reset your macOS login password using Apple ID](https://support.apple.com/en-gb/guide/mac-help/mh35902/mac) for step-by-step instructions. +
+
+
+Reset password Using recovery key
+ +**To reset your password using a recovery key**: + +1. Click the question mark next to the password field in the login window. + +?> If you do not see a question mark, press and hold the power button until your Mac shuts down, then press the power button to restart your Mac. Alternatively, enter any password three times. + +2. Click **If you forgot your password, you can reset it using your Recovery Key**. +3. Enter the recovery key, making sure to use uppercase letters and include hyphens. +4. Reset your password. +
+
+Reset password using recovery mode
+ +If you do not have an Apple ID or a recovery key, you can reset your password in recovery mode based on your Mac's chip: + + + +#### **M1 Chip** +1. Restart or shut down your device by pressing the power button until the screen is black and all lights, including the Touch Bar, are off. +2. Press and hold the power button on your Mac until the **Loading startup options** screen appears. After a few seconds, you’ll see two icons: **Macintosh HD** and **Options**. +3. Click **Options** and select your user account, then click **Next**. +4. Enter your password to continue. +5. Go to **Applications** > **Utilities** > **Terminal**. +6. Enter `resetpassword` and press `return`. The **Reset Password** assistant will be displayed. +7. Choose **My password doesn’t work when logging in** and click **Next**. +8. If prompted, select the user account for which you need to change the password. +9. Enter the old password and your new password in the respective fields. +10. Type the new password again to verify and provide a password hint. +11. Click **Next**. +12. Restart your device and, on the login screen, select your user account and enter the new password. + +> **Note**: + +> 1. If you still cannot reset your password, repeat steps 1-6. +> 2. Select **My keyboard isn't working when typing my password to log in** and click **Next**. +> 3. Disable FileVault on the **Macintosh HD** volume. +> 4. Restart your device. On the login screen, select your user account and enter the new password. + +#### **Intel chip** + +1. Restart your device by pressing the power button while holding down the `Command + R` keys. +2. Release the keys when you see the load bar. +3. Go to **Applications** > **Utilities** > **Terminal**. +4. Enter `resetpassword` and press `return`. The **Reset Password** assistant will be displayed. +5. Choose **My password does not work when logging in** and click **Next**. +6. If prompted, select the user account for which you need to change the password. +7. Enter the old password and your new password in the respective fields. +8. Type the new password again to verify and provide a password hint. +9. Click **Next**. +10. Restart your device. On the login screen, select your user account and enter the new password. + +> **Note**: + +> 1. If you still cannot reset your password, repeat steps 1-4. +> 2. Select **My keyboard is not working when typing my password to log in** and click **Next**. +> 3. Disable FileVault on the **Macintosh HD** volume. +> 4. Restart your device and, on the login screen, select your user account and enter the new password. + + + +
+
1. Ensure the device you are onboarding to SEED has a stable internet connectivity until you see the **Onboarded** Status on the TechPass portal.
2. Go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Raise a service request](https://go.gov.sg/seed-techpass-support). | +| Software Installation Error | 1. Restart the device you are onboarding to SEED.
2. After 10-15 minutes, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Raise a service request](https://go.gov.sg/seed-techpass-support).| +| Internal Error | 1. Restart the device you are onboarding to SEED.
2. After 10-15 minutes, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Raise a service request](https://go.gov.sg/seed-techpass-support).| +| Device that is trying to onboard is a DWP device. Please onboard with a non-DWP device.| You cannot onboard a DWP device to SEED. You can onboard only an Internet Device to SEED. | + +
+
+
+
+
+
+
+
+[verify-defender-configuration]: post-onboarding-instructions/verify-microsoft-defender-is-configured-correctly-for-your-os
+[raise-support-request]: https://go.gov.sg/seed-techpass-support
+[upgrade-macos]: https://support.apple.com/downloads/macos
\ No newline at end of file
diff --git a/faqs/seed-faq-general.md b/faqs/seed-faq-general.md
index 842bcef6..a24c403e 100644
--- a/faqs/seed-faq-general.md
+++ b/faqs/seed-faq-general.md
@@ -1,217 +1 @@
-# General FAQ
-
-What should I do if my onboarding fails while registering my Intune Device ID on the TechPass portal?
+ +As a prerequisite, ensure the device you are onboarding to SEED has a stable internet connectivity until you see the **Onboarded** Status on the TechPass portal. + + + +| Reason for failed onboarding | Action required | +| ---|---| +| Unexpected Error| [Raise a service request](https://go.gov.sg/seed-techpass-support). | +| Software Misconfiguration Error | [Raise a service request](https://go.gov.sg/seed-techpass-support).| +| Endpoint Error |1. Ensure the device you are onboarding to SEED has a stable internet connectivity until you see the **Onboarded** Status on the TechPass portal.
2. Go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Raise a service request](https://go.gov.sg/seed-techpass-support). | +| Software Installation Error | 1. Restart the device you are onboarding to SEED.
2. After 10-15 minutes, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Raise a service request](https://go.gov.sg/seed-techpass-support).| +| Internal Error | 1. Restart the device you are onboarding to SEED.
2. After 10-15 minutes, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Raise a service request](https://go.gov.sg/seed-techpass-support).| +| Device that is trying to onboard is a DWP device. Please onboard with a non-DWP device.| You cannot onboard a DWP device to SEED. You can onboard only an Internet Device to SEED. | + +
What is TechPass and why do I need it?
- - TechPass is an Identity & Access Management (IAM) and Single Sign-On (SSO) solution. It provides a seamless login experience while accessing tools across Singapore Government Technology Stack (SGTS) and allows to easily manage access control for the users from a centralised location. It is a prerequisite for onboarding your device(internet) to SEED. For more information, refer to [TechPass Documentation][techpass-documentation]. - -What is SEED and why should I onboard my device to SEED?
- -Security Suite for Engineering Endpoint Devices (SEED) is a Mobile Device Management (MDM) solution. SEED ensures data security to protect the digital information of your organisation from unauthorised access, malicious users, and corruption. When you onboard an Internet Device to SEED, it becomes a GMD. It allows you to remotely manage access to highly sensitive data, provide user authentication, and can wipe off data from the device remotely if it is lost or compromised. - -What devices can be onboarded to SEED?
- -See the [SEED prerequisites](prerequisites-for-onboarding?id=supported-operating-systems-and-devices-for-seed). - -Can I onboard my mobile device to SEED?
- -No. Phones and tablets(iOS and Android) as well as GoMax devices are currently not supported. - -My TechPass account is active but my SEED onboarding email invitation has expired. How do I get another SEED onboarding email invitation?
- -Your SEED onboarding email invitation is valid for 30 days. If you have not onboarded to SEED following your TechPass onboarding within this 30 days, your invitation will no longer be valid. - -If you use a non-SE GSIB device and if your TechPass account is active, to request for SEED: - -1. Go to the [TechPass portal](http://portal.techpass.gov.sg) from your non-SE GSIB device. -2. Log in with TechPass. -3. Hover over your user name and click **My Account**. -4. In the **Profile** page, click **Request for SEED**. -5. You will receive the SEED onboarding invitation email within the next three business days. - -Complete to onboard your internet (which is not a GSIB) device by following the instructions on [SEED documentation](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/prerequisites-for-onboarding). - -If you do not use a non-SE GSIB device and if your TechPass account is active, [create a service request with TechPass](https://go.gov.sg/seed-techpass-support) to receive the SEED onboarding invitation email again. - -What data can I store on a Government Managed Device (GMD)?
- -GMDs are to facilitate development work for developers to access GCC 2.0 and SGTS securely. Production and live data should **not be stored on GMDs**. - -Can I install unlicensed software or tools on my Government Managed Device (GMD)?
- -Installing unlicensed software on your GMD is strictly prohibited. GMDs are government-managed, and this policy ensures security and compliance. Unauthorised software compromises security and violates regulations. - -If you need a particular software for your development work, please follow your organisation's processes to obtain the legitimate version. Refer to [Terms of Use](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/additional-resources/terms-of-use.pdf) for details. - -Can I bring and use my GMD (Government Managed Device) overseas?
- -Users should assess the risk and seek approval from their Reporting Officer (RO) before doing so. - -I have lost my Government Managed Device (GMD). What should I do?
- -1. Inform the manager-in-charge and operations manager and get an approval to delete the data from the lost device. -2. Raise a [service request][service-request] to notify the SEED team about the lost device. -3. In this service request, indicate if the device had any sensitive data to prioritise the remote wipe. - -> **Note**: To wipe the device, the device needs to be powered on and be connected to the internet so it can receive the communication for it to be wiped. - -4. Attach the approvals from your managers so that the SEED Administrator can take the required actions accordingly to prevent any data breach. - -What happens when the security of a GMD is compromised?
- -Once the SEED team detects that a security of the device is compromised, it will contact the device owner to disconnect the affected device from the network. SEED proceeds to do a remote wipe, after getting the required consent and approval from the device owner and the manager-in-charge, respectively. - -> **Note**: To wipe the device, the device needs to be powered on and be connected to the internet so it can receive the communication for it to be wiped. - -What happens when a remote wipe is performed on a GMD?
- -Remote wipe in SEED is the feature where SEED administrator can remotely delete and destroy data on a device or system. Remote wipe is performed only if the device is stolen, lost or its security is compromised. - -When remote wipe is performed on a device, all the data on it will be erased. For more information, refer to the [Terms and Policies][terms-and-policies]. - -> **Note**: To wipe the device, the device needs to be powered on and be connected to the internet so it can receive the communication for it to be wiped. - -Is remote wipe done only on devices that belong to public sector agencies?
- -No, remote wipe will be done on any GMD which is lost or whose security is compromised to prevent data breach. However, remote wipe is performed only if the device is stolen, lost or its security is compromised. For more information, refer to the [Terms and Policies][terms-and-policies]. - -> **Note**: To wipe the device, the device needs to be powered on and be connected to the internet so it can receive the communication for it to be wiped. - -What should I do if my device has been inactive for 180 days?
- -If your device is no longer required to access SEED, please [offboard your device](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/offboard-device/offboard-device-from-seed). If you still require access after being inactive for 180 days, please email enquiries_seed@tech.gov.sg for assistance. - -What should I do if I want to check if my device record has been deleted?
- -Log in to [SEED Dashboard](https://dashboard.seed.tech.gov.sg/) after 23rd October to see whether your device record still exists. If your device record does not exist, or you are unable to log into SEED Dashboard, your device records have been cleaned up. - -What should I do if my device record has been deleted even though it is still active?
- -Please email enquiries_seed@tech.gov.sg for assistance. - -I have already enrolled my device with Microsoft Intune under my organisation or with other MDM solution. Will this impact when I onboard my device to SEED?
- -Yes, this impacts your SEED onboarding. Before onboarding to SEED, remove your existing Microsoft Intune enrolment under your organisation's tenancy or other MDM solution on your device. - -What data is collected by Microsoft Intune?
- -To know about the data collected by Microsoft Intune, refer to [Data collection in Intune](https://docs.microsoft.com/en-us/mem/intune/protect/privacy-data-collect). - -
-
-
-I am unable to connect to AWS VPN client on port 443?
- -This is a known issue with Microsoft Defender version 101.54.16. To resolve this, install Microsoft Defender version 101.56.35 or later. - -Why am I prompted to turn on my system integrity protection on my macOS device?
- - This is a policy requirement of the SEED team. System Integrity Protection is a security technology in OS X El Capitan and later that's designed to help prevent potentially malicious software from modifying protected files and folders on your macOS. System Integrity Protection restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS. - -
-
-
-What is the minimum version of macOS needed for onboarding it into Microsoft Intune?
- - macOS 12 (Monterrey) is the minimum version needed for a successful onboarding. If your macOS is an earlier version, ensure to [upgrade it to a later macOS version](https://support.apple.com/downloads/macos). - - - -
-
-
-Can I upgrade my macOS to macOS 14 (Sonoma)?
- - You can now upgrade your Mac device to macOS 14 (Sonoma) and onboard it to SEED. - - -
-
-
-Why am I prompted to turn on File Vault encryption?
- - File Vault encryption is needed to ensure device security and compliance. -Why does my device slowdown after onboarding to Microsoft Intune?
- -SEED is designed to use **Microsoft Defender for Endpoint** to ensure device is free from malware, prevent and respond to advanced threats. If there is any other antivirus or anti-malware running simultaneously, it could compromise the performance of the operating system. To resolve this, disable or uninstall antivirus other than **Microsoft Defender for Endpoint**. - -When I onboard my Mac device to SEED, why does it take up more than 100 GB of storage space?
- -The current `audit_control` configuration set by SEED could be the reason causing the audit logs to be written excessively to the `/private/var/audit` folder. - -The latest configuration change for audit logs retention is 60 days and 5 GB. - -If your `/private/var/audit` folder size is more than 5 GB, run the following commands to sync with the new audit log retention policy. - -``` -audit -s -audit -e -``` - -Previously I had successfully onboarded my Internet Device to SEED, but now I received an email stating that I may not be able to access SEED-protected resources such as GCC 2.0 and SGTS products. What’s the reason, and what should I do?
- -Most likely, this indicates that we detected some issues with your device configuration for SEED. For example, your Microsoft Defender could be unhealthy. As it could pose a security risk, we revoked your access to SEED-protected resources. - -If the issue could be resolved automatically, your access to SEED-protected resources will be restored and you will be notified via an email. - -If this issue can't be automatically resolved, you will receive an email stating that you can't access SEED-protected resources. This email allows you to do one of the following based on your needs: - -- [Offboard your device](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/offboard-device/offboard-device-from-seed) if you no longer need to access SEED-protected resources. - -- Submit an [incident request][service-request] to restore access to SEED-protected resources. Specify that your SEED access has been revoked due to device misconfiguration. This would allow us to process the ticket accordingly. - - -Why did I receive the successfully onboarded email again?
- -If you've received this email again, some or all the services that make your device SEED-compliant may have had configuration issues, causing you to temporarily lose access to SEED-protected resources . - -When the configurations of the impacted services return to a healthy state, you will receive the successfully onboarded email indicating that you can access the SEED-protected resources again. - -Click the triangle to view more details about each method. - -
-=.+MICROSOFT INTUNE MDM DEVICE CA' | grep alis | cut -d '"' -f 4)"
-if [ -z "$intune_id" ]
-then
- echo "Intune ID not found"
- return
-fi
-
-num_candidates="$(echo "$intune_id" | wc -l | xargs echo -n)"
-if [ "$num_candidates" -eq 1 ]
-then
- echo "$intune_id"
- return
-fi
-
-old_ifs="$IFS"
-IFS='\n'
-actual_id="Intune ID not found"
-curr_latest_end_date_unix=0
-while read id
-do
- end_date="$(security find-certificate -c "$id" -p /Library/Keychains/System.keychain | openssl x509 -noout -enddate | cut -d '=' -f 2)"
- end_date_unix="$(date -j -f "%b %e %H:%M:%S %Y %Z" "$end_date" "+%s")"
- if [ "$end_date_unix" -ge "$curr_latest_end_date_unix" ]
- then
- actual_id="$id"
- curr_latest_end_date_unix="$end_date_unix"
- fi
-done <<< "$intune_id"
-
-IFS="$old_ifs"
-echo "$actual_id"
-```
-2. Take note of the Intune Device ID that is displayed on the **Terminal** window.
-
-
-
-Method 1: Get Intune Device ID from your GMD
- - -1. On your GMD, open your **Terminal** and run the following commands: - -``` -intune_id="$(security find-certificate -a /Library/Keychains/System.keychain | egrep -B 4 '\"issu\"
-
-
-
-Method 2: Get Intune Device ID from TechPass portal
- -1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). -2. On the TechPass portal, at the top right, go to your user name and click **My Account**. Your **Profile** details are displayed. -3. Take note of the **Intune Device ID** from the **Profile** page. - - - -
-
Use this method only if you can't log in to your GMD or TechPass portal. - -- Submit an [incident request](https://go.gov.sg/seed-techpass-support) to get your Intune Device ID. - -
-
-
-!> **Note**Method 3: Submit an incident request to get Intune Device ID.
- -?> **Note**Use this method only if you can't log in to your GMD or TechPass portal. - -- Submit an [incident request](https://go.gov.sg/seed-techpass-support) to get your Intune Device ID. - -
If you have any issues with the offboarding steps, see the [Offboarding FAQs](/faqs/seed-offboarding-faqs) before submitting an [incident request](https://go.gov.sg/seed-techpass-support) with TechPass and SEED support. - - -## Phase A: Offboard device from SEED components - -1. Go to **Terminal** and run `mdatp health`. - - - -2. Take note of the value displayed for **org_id**. - - - -3. Refer to the following table and identify your **Defender organisation** and download the respective offboarding package. - - | org_id | Defender organisation | Offboarding package | - | ------------- |:-------------:|:-------------:| - | faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | [Download offboarding package](https://kaao45f5hebx3i7lsypkr625rq0zuiyt.lambda-url.ap-southeast-1.on.aws/local_wog_mac) | - | 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | [Download offboarding package](https://kaao45f5hebx3i7lsypkr625rq0zuiyt.lambda-url.ap-southeast-1.on.aws/local_tp_mac) | - | 6389e966-e334-461d-86ce-0fed12484620 | Hive | Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package. | - - -!> **Important**
- If your **Defender organisation** is **Hive**, please skip the remaining steps in this document. You need to get the offboarding package from the Hive support and unenrol your device from Defender. See the [offboarding FAQs](offboard-device/seed-offboarding-faqs.md) to know how to unenrol your device from Defender using the Hive offboarding package.
- If your **Defender organisation** is either **WOG** or **TechPass**, you need to use your TechPass to download the offboarding package and proceed with the remaining steps.
- If your **Defender organisation** is **none of the above**, contact the IT support of the organisation that provided you with the device. - -4. Go to the folder where you downloaded the ZIP file and extract the files. You should see the following two files. - - - -?> **Note**: The file names vary with the organisation. - -5. On your **Terminal**, go to the folder where you extracted the files. For example, if they are in the **Downloads** > **Offboarding_local_wog_mac** folder, go to that folder. - - - -6. Copy the below and run it on the same **Terminal**. - - ``` - sudo chmod +x local_mac_offboarding.sh - ``` - -7. When prompted for a **Password**, enter your device password. -8. Copy and run the following command on your **Terminal**. - - ``` - sudo ./local_mac_offboarding.sh - ``` - -When you see the following success message on your **Terminal**, you are automatically directed to the **SEED Offboarding: Device Record Removal** form to submit the Intune Device ID. - - - -!>**Important note**
Make sure you complete the steps in Phase B immediately after Phase A. If not, your device update policy may reinstall the latest version of the deleted SEED components. - - -## Phase B: Submit Intune Device ID to remove device record - -### Prerequisites - -- Successful completion of [Phase A: Offboard device from SEED components](#phase-a-offboard-device-from-seed-components). -- **Intune Device ID**. Generally, when you successfully offboard your device from the SEED components, the Intune Device ID is automatically displayed on the **SEED Offboarding: Device Record Removal** form. If it is not displayed, see [Get Intune Device ID](#get-intune-device-id). -- [Optional]If you had submitted an incident request with the TechPass and SEED support team to offboard your device from the SEED components, please have the reference number ready as we may need this information. - -### To submit Intune Device ID - -1. Ensure your **Intune Device ID** is displayed on the form. If it is not displayed, provide it. -2. Enter your organisational email address in **Organisational Email Address** and click **Verify**. -3. Enter the OTP you receive at this email address. -4. Indicate if you had any issues while completing **Phase A**. -5. [Optional] If you had issues completing **Phase A**, we encourage you to provide the **Support Ticket Number**. -6. Click **Submit**. When this request is processed successfully, we send a notification via email. - - - - -?> **Additional information**
- We require up to 30 minutes to process your server-side offboarding request.
- If you are still waiting to receive an email after 30 minutes, please submit a [TechPass and SEED support request](https://go.gov.sg/seed-techpass-support). - - - - - - - - - +!> This documentation has moved to [macOS offboarding guide](mac-os-offboarding-guide). \ No newline at end of file diff --git a/offboard-device/mac-os.md b/offboard-device/mac-os.md deleted file mode 100644 index 42e5d494..00000000 --- a/offboard-device/mac-os.md +++ /dev/null @@ -1,177 +0,0 @@ -# Offboard macOS device using a script - - This document guides you to offboard your macOS device onboarded to SEED. - -## Audience - -- Users who need to offboard their macOS device from SEED. - -## Prerequisites - -- You must have an active TechPass account. -- Your device must have been onboarded to SEED. -- [Optional] We recommend you to have your Intune Device ID ready. - -### Get Intune Device ID - -Complete one of the following methods to get your Intune Device ID: - -?> **Tip**
Click the triangle to view more details about each method. - -
-=.+MICROSOFT INTUNE MDM DEVICE CA' | grep alis | cut -d '"' -f 4)"
-if [ -z "$intune_id" ]
-then
- echo "Intune ID not found"
- return
-fi
-
-num_candidates="$(echo "$intune_id" | wc -l | xargs echo -n)"
-if [ "$num_candidates" -eq 1 ]
-then
- echo "$intune_id"
- return
-fi
-
-old_ifs="$IFS"
-IFS='\n'
-actual_id="Intune ID not found"
-curr_latest_end_date_unix=0
-while read id
-do
- end_date="$(security find-certificate -c "$id" -p /Library/Keychains/System.keychain | openssl x509 -noout -enddate | cut -d '=' -f 2)"
- end_date_unix="$(date -j -f "%b %e %H:%M:%S %Y %Z" "$end_date" "+%s")"
- if [ "$end_date_unix" -ge "$curr_latest_end_date_unix" ]
- then
- actual_id="$id"
- curr_latest_end_date_unix="$end_date_unix"
- fi
-done <<< "$intune_id"
-
-IFS="$old_ifs"
-echo "$actual_id"
-```
-2. Take note of the Intune Device ID that is displayed on the **Terminal** window.
-
-
-
-Method 1: Get Intune Device ID from your GMD
- - -1. On your GMD, open your **Terminal** and run the following commands: - -``` -intune_id="$(security find-certificate -a /Library/Keychains/System.keychain | egrep -B 4 '\"issu\"
-
-
-
-Method 2: Get Intune Device ID from TechPass portal
- -1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). -2. On the TechPass portal, at the top right, go to your user name and click **My Account**. Your **Profile** details are displayed. -3. Take note of the **Intune Device ID** from the **Profile** page. - - - -
-
Use this method only if you can't log in to your GMD or TechPass portal. - -- Submit an [incident request](https://go.gov.sg/seed-techpass-support) to get your Intune Device ID. - -
-
-
-!> **Note**Method 3: Submit an incident request to get Intune Device ID.
- -?> **Note**Use this method only if you can't log in to your GMD or TechPass portal. - -- Submit an [incident request](https://go.gov.sg/seed-techpass-support) to get your Intune Device ID. - -
If you have any issues with the offboarding steps, see the [Offboarding FAQs](/faqs/seed-offboarding-faqs) before submitting an [incident request](https://go.gov.sg/seed-techpass-support) with TechPass and SEED support. - - -## Phase A: Offboard device from SEED components - -1. Go to **Terminal** and run `mdatp health`. - - - -2. Take note of the value displayed for **org_id**. - - - -3. Refer to the following table and identify your **Defender organisation** and download the respective offboarding package. - - | org_id | Defender organisation | Offboarding package | - | ------------- |:-------------:|:-------------:| - | faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | [Download offboarding package](https://kaao45f5hebx3i7lsypkr625rq0zuiyt.lambda-url.ap-southeast-1.on.aws/local_wog_mac) | - | 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | [Download offboarding package](https://kaao45f5hebx3i7lsypkr625rq0zuiyt.lambda-url.ap-southeast-1.on.aws/local_tp_mac) | - | 6389e966-e334-461d-86ce-0fed12484620 | Hive | Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package. | - - -!> **Important**
- If your **Defender organisation** is **Hive**, please skip the remaining steps in this document. You need to get the offboarding package from the Hive support and unenrol your device from Defender. See the [offboarding FAQs](offboard-device/seed-offboarding-faqs.md) to know how to unenrol your device from Defender using the Hive offboarding package.
- If your **Defender organisation** is either **WOG** or **TechPass**, you need to use your TechPass to download the offboarding package and proceed with the remaining steps.
- If your **Defender organisation** is **none of the above**, contact the IT support of the organisation that provided you with the device. - -4. Go to the folder where you downloaded the ZIP file and extract the files. You should see the following two files. - - - -?> **Note**: The file names vary with the organisation. - -5. On your **Terminal**, go to the folder where you extracted the files. For example, if they are in the **Downloads** > **Offboarding_local_wog_mac** folder, go to that folder. - - - -6. Copy the below and run it on the same **Terminal**. - - ``` - sudo chmod +x local_mac_offboarding.sh - ``` - -7. When prompted for a **Password**, enter your device password. -8. Copy and run the following command on your **Terminal**. - - ``` - sudo ./local_mac_offboarding.sh - ``` - -When you see the following success message on your **Terminal**, you are automatically directed to the **SEED Offboarding: Device Record Removal** form to submit the Intune Device ID. - - - -!>**Important note**
Make sure you complete the steps in Phase B immediately after Phase A. If not, your device update policy may reinstall the latest version of the deleted SEED components. - - -## Phase B: Submit Intune Device ID to remove device record - -### Prerequisites - -- Successful completion of [Phase A: Offboard device from SEED components](#phase-a-offboard-device-from-seed-components). -- **Intune Device ID**. Generally, when you successfully offboard your device from the SEED components, the Intune Device ID is automatically displayed on the **SEED Offboarding: Device Record Removal** form. If it is not displayed, see [Get Intune Device ID](#get-intune-device-id). -- [Optional]If you had submitted an incident request with the TechPass and SEED support team to offboard your device from the SEED components, please have the reference number ready as we may need this information. - -### To submit Intune Device ID - -1. Ensure your **Intune Device ID** is displayed on the form. If it is not displayed, provide it. -2. Enter your organisational email address in **Organisational Email Address** and click **Verify**. -3. Enter the OTP you receive at this email address. -4. Indicate if you had any issues while completing **Phase A**. -5. [Optional] If you had issues completing **Phase A**, we encourage you to provide the **Support Ticket Number**. -6. Click **Submit**. When this request is processed successfully, we send a notification via email. - - - - -?> **Additional information**
- We require up to 30 minutes to process your server-side offboarding request.
- If you are still waiting to receive an email after 30 minutes, please submit a [TechPass and SEED support request](https://go.gov.sg/seed-techpass-support). - - - - - - - - - diff --git a/offboard-device/macos-offboarding-guide.md b/offboard-device/macos-offboarding-guide.md new file mode 100644 index 00000000..1fa6d1c7 --- /dev/null +++ b/offboard-device/macos-offboarding-guide.md @@ -0,0 +1,222 @@ +# macOS offboarding guide + + This guide provides instructions for you to offboard your macOS device onboarded to SEED. + +## Audience + +- Users who need to offboard their macOS device from SEED. + +## Prerequisites + +Before you begin, make sure you have the following: + +- An active TechPass account +- A SEED onboarded device +- [Optional] Your Intune Device ID + +### How to obtain Intune Device ID + +You need your Intune Device ID during the offboarding process. Here is how to find it: + +?> Click the triangle to view more details. + +
+=.+MICROSOFT INTUNE MDM DEVICE CA' | grep alis | cut -d '"' -f 4)"
+if [ -z "$intune_id" ]
+then
+ echo "Intune ID not found"
+ return
+fi
+
+num_candidates="$(echo "$intune_id" | wc -l | xargs echo -n)"
+if [ "$num_candidates" -eq 1 ]
+then
+ echo "$intune_id"
+ return
+fi
+
+old_ifs="$IFS"
+IFS='\n'
+actual_id="Intune ID not found"
+curr_latest_end_date_unix=0
+while read id
+do
+ end_date="$(security find-certificate -c "$id" -p /Library/Keychains/System.keychain | openssl x509 -noout -enddate | cut -d '=' -f 2)"
+ end_date_unix="$(date -j -f "%b %e %H:%M:%S %Y %Z" "$end_date" "+%s")"
+ if [ "$end_date_unix" -ge "$curr_latest_end_date_unix" ]
+ then
+ actual_id="$id"
+ curr_latest_end_date_unix="$end_date_unix"
+ fi
+done <<< "$intune_id"
+
+IFS="$old_ifs"
+echo "$actual_id"
+```
+2. Note down the Intune Device ID that is displayed on the **Terminal** window.
+
+
+
+Method 1: Retrieve Intune Device ID from your macOS device
+ + +1. Open the **Terminal** and execute the following commands: + +``` +intune_id="$(security find-certificate -a /Library/Keychains/System.keychain | egrep -B 4 '\"issu\"
+
+
+
+Method 2: Retrieve Intune Device ID from the TechPass portal
+ +1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). +2. On the TechPass portal, at the top right, go to your user name and click **My Account**. Your **Profile** details are displayed. +3. Take note of the **Intune Device ID** from the **Profile** page. + +  + +
+
+
+
+> **Note**: For more information, refer to [Offboarding FAQ](/faqs/offboarding-faq.md).
+
+## Phase A: Offboard device from SEED components
+
+1. Go to **Terminal** and run `mdatp health`.
+
+
+
+2. Take note of the value displayed for **org_id**.
+
+ 
+
+3. Refer to the following table and identify your **Defender organisation** and download the respective offboarding package.
+
+ | org_id | Defender organisation | Offboarding package |
+ | ------------- |:-------------:|:-------------:|
+ | faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | [Download offboarding package](https://ekgxtc4rxln5a7bxhanhw4d4cm0mmzsf.lambda-url.ap-southeast-1.on.aws/local_wog_mac) |
+ | 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | [Download offboarding package](https://ekgxtc4rxln5a7bxhanhw4d4cm0mmzsf.lambda-url.ap-southeast-1.on.aws/local_tp_mac) |
+ | 6389e966-e334-461d-86ce-0fed12484620 | Hive | Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package. |
+
+
+> **Important**
+>
+> - If your **Defender organisation** is **Hive**, please disregard the remaining steps in this document. Instead, you should obtain the offboarding package from Hive support and unenroll your device from Defender. Refer to [Offboarding FAQ](/faqs/offboarding-faq.md) for guidance on unenrolling your device from Defender using the Hive offboarding package.
+>
+> - If your **Defender organisation** is either **WOG** or **TechPass**, you should use your TechPass account to download the offboarding package and proceed with the remaining steps.
+>
+> - If your **Defender organisation** is **none of the above**, please reach out to the IT support of the organization that provided you with the device for further assistance.
+
+
+4. Go to the folder where you downloaded the ZIP file and extract the files. You should see the following two files.
+ 
+
+> **Note**: The file names vary with the organisation.
+
+
+5. On your **Terminal**, run the following command:
+
+```
+sudo mdatp config tamper-protection enforcement-level --value audit
+```
+6. On your **Terminal**, go to the folder where you extracted the files. For example, if they are in the **Downloads** > **Offboarding_local_wog_mac** folder, go to that folder.
+
+ 
+
+7. Copy the below and run it on the same **Terminal**.
+
+ ```
+ sudo chmod +x local_mac_offboarding.sh
+ ```
+
+8. When prompted for a **Password**, enter your device password.
+9. Copy and run the following command on your **Terminal**.
+
+ ```
+ sudo ./local_mac_offboarding.sh
+ ```
+
+ When you see the following success message on your **Terminal**, you will be automatically directed to the **SEED Offboarding: Device Record Removal** form to submit the Intune Device ID.
+
+ 
+
+ >**Note**: Ensure you complete the steps in Phase B immediately after Phase A. Failure to do so may result in your device update policy reinstalling the latest version of the removed SEED components.
+
+## Phase B: Submit Intune Device ID to remove device record
+
+### Prerequisites
+
+- Successful completion of [Phase A: Offboard device from SEED components](#phase-a-offboard-device-from-seed-components).
+- **Intune Device ID**: Generally, when you successfully offboard your device from the SEED components, the Intune Device ID is automatically displayed on the **SEED Offboarding: Device Record Removal** form. If it is not displayed, see [Get Intune Device ID](#how-to-obtain-intune-device-id).
+- [Optional] If you had raised a support request with the TechPass and SEED support team to offboard your device from the SEED components, please have the reference number ready as we may need this information.
+
+### Submit Intune Device ID
+
+**To submit Intune Device ID**:
+
+1. Ensure your **Intune Device ID** is displayed on the form. If it is not displayed, provide it.
+2. Enter your organizational email address in **Organizational Email Address** and click **Verify**.
+3. Enter the OTP.
+4. Indicate if you had any issues while completing **Phase A**.
+5. [Optional] If you had issues completing **Phase A**, we encourage you to provide the **Support ticket number**.
+6. Click **Submit**. When this request is processed successfully, we send a notification via email.
+
+ 
+
+
+> **Note**:
+> - We require up to 30 minutes to process your server-side offboarding request.
+> - If you are still waiting to receive an email after 30 minutes, please raise a [service request](https://go.gov.sg/seed-techpass-support).
+
+
+
+## Device clean-up policy
+
+The device clean-up policy applies to SEED users with TechPass IDs belonging to the TechPass Entra ID. You can identify a TechPass Entra ID account if your TechPass ID's domain is *techpass.gov.sg*. For example, *james_lee@techpass.gov.sg* is associated with the TechPass Entra ID.
+
+The primary objective of this policy is to remove inactive device records from the Intune portal.
+
+> **Note**:
+> - The device clean-up policy does **not apply** if your TechPass ID belongs to the **WOG Entra ID**.
+> - A TechPass ID in the WOG Entra ID typically aligns with your organizational email address, which is in the format *\Method 3: Raise a service request to retrieve Intune Device ID.
+ +> **Note**: Use this method if you cannot log in to your GMD or TechPass portal. + +- [Raise a service request](https://go.gov.sg/seed-techpass-support) to retrieve your Intune Device ID. + +Make sure you complete **Phase B** immediately after **Phase A**. If not, your device update policy may reinstall the latest version of the deleted SEED components. - -To know the steps in each phase see: - -- [Offboard macOS device](offboard-device/mac-os-using-script) -- [Offboard Windows device](offboard-device/windows-using-script) - - - diff --git a/offboard-device/seed-offboarding-faqs.md b/offboard-device/seed-offboarding-faqs.md deleted file mode 100644 index cffc8e13..00000000 --- a/offboard-device/seed-offboarding-faqs.md +++ /dev/null @@ -1,3 +0,0 @@ -[FAQs](../snippets/snippets-seed-offboarding-faq.md ':include') - - diff --git a/offboard-device/windows-offboarding-guide.md b/offboard-device/windows-offboarding-guide.md new file mode 100644 index 00000000..ce40dd30 --- /dev/null +++ b/offboard-device/windows-offboarding-guide.md @@ -0,0 +1,215 @@ +# Windows offboarding guide + + This guide provides instructions for you to offboard your Windows device onboarded to SEED. + +## Audience + +- Users who need to offboard their Windows device from SEED. + +## Prerequisites + +Before you begin, make sure you have the following: + +- An active TechPass account +- A SEED onboarded device +- [Optional] Your Intune Device ID + +### Get Intune Device ID + +You need your Intune Device ID during the offboarding process. Here is how to find it: + +?> **Tip**
Click the triangle to view more details about each method. + +
+
+
+Method 1: Retrieve Intune Device ID from your Windows device
+ +1. Open **PowerShell** and run the following commands: + +``` +$rootKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey( + [Microsoft.Win32.RegistryHive]::LocalMachine, + [Microsoft.Win32.RegistryView]::Registry64 +) +$enrollmentsKey = $rootKey.OpenSubKey("Software\Microsoft\Enrollments") +$intune_id = "Intune ID not found" +foreach ($name in $enrollmentsKey.GetSubKeyNames()) { + $enrollmentIdKey = $enrollmentsKey.OpenSubKey($name) + if ($enrollmentIdKey.GetValue("ProviderID") -ieq "MS DM Server") { + $intune_id = $enrollmentIdKey.OpenSubKey("DMClient\MS DM Server").GetValue("EntDMID", "Intune ID not found") + break + } +} +Write-Output $intune_id + +``` +2. Take note of the Intune Device ID that is displayed on the **Powershell** window. + +
+
+
+
+Method 2: Retrieve Intune Device ID from TechPass portal
+ +1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). +2. On the TechPass portal, at the top right, go to your user name and click **My Account**. Your **Profile** details are displayed. +3. Take note of the **Intune Device ID** from the **Profile** page. + +  + +
+
+
+> **Note**:mFor more information, refer to [Offboarding FAQ](/faqs/offboarding-faq.md).
+
+
+## Phase A: Offboard device from SEED components
+
+1. Go to the **Start** menu and enter **Powershell**.
+2. Right-click on the search result for **PowerShell** and select **Run as Administrator**
+
+ 
+
+3. On **Powershell**, run the following command.
+
+```
+$reg64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
+$OrgID = $reg64.OpenSubKey("SOFTWARE\MICROSOFT\Windows Advanced Threat Protection\Status").GetValue("OrgID")
+echo $OrgID
+```
+
+
+4. Take note of the value displayed for **OrgID**.
+
+ 
+
+5. Refer to the following table and identify your **Defender organisation** and download the offboarding package.
+
+ | OrgID | Defender organisation | Offboarding package |
+ | ------------- |:-------------:|:-------------:|
+ | faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | [Download offboarding script](https://ekgxtc4rxln5a7bxhanhw4d4cm0mmzsf.lambda-url.ap-southeast-1.on.aws/local_wog_windows) |
+ | 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | [Download offboarding script](https://ekgxtc4rxln5a7bxhanhw4d4cm0mmzsf.lambda-url.ap-southeast-1.on.aws/local_tp_windows) |
+ | 6389e966-e334-461d-86ce-0fed12484620 | Hive | Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package. |
+
+?> **Important**
+>
+> - If your **Defender organisation** is **Hive**, please disregard the remaining steps in this document. Instead, you should obtain the offboarding package from Hive support and unenroll your device from Defender. Refer to [Offboarding FAQ](/faqs/offboarding-faq.md) for guidance on unenrolling your device from Defender using the Hive offboarding package.
+>
+> - If your **Defender organisation** is either **WOG** or **TechPass**, you should use your TechPass account to download the offboarding package and proceed with the remaining steps.
+>
+> - If your **Defender organisation** is **none of the above**, please reach out to the IT support of the organization that provided you with the device for further assistance.
+
+
+
+6. Go to the folder where you downloaded the ZIP file and extract the files. You should see the following two files.
+
+ 
+
+> **Note**: The file names vary with the organisation.
+
+7. Right-click the unzipped folder to select **Show more options** > **Copy as path**. The folder path is now saved to your clipboard.
+
+8. On **Powershell**, run the following command to go to the folder which has the extracted files:
+
+ ```
+ cd {Path from clipboard}
+ ```
+
+ For example:
+
+ ```
+ cd "C:\Users\testUser\Downloads\Offboarding_local_tp_windows"
+
+ ```
+
+ 
+
+10. To run the script, enter the following command:
+
+ ```
+ powershell.exe -ExecutionPolicy Bypass .\local_windows_offboarding.ps1
+
+ ```
+
+ When you see the following success message on your **Powershell**, you are automatically directed to the **SEED offboarding: Request to remove device record** form to submit the Intune Device ID.
+
+ 
+
+>**Note**: Ensure you complete the steps in Phase B immediately after Phase A. If not, your device update policy may reinstall the latest version of the deleted SEED components.
+
+## Phase B: Submit Intune Device ID to remove device record
+
+### Prerequisites
+
+- Successful completion of [Phase A: Offboard device from SEED components](#phase-a-offboard-device-from-seed-components).
+- **Intune Device ID**: Generally, when you successfully offboard your device from the SEED components, the Intune Device ID is automatically displayed on the **SEED Offboarding: Device Record Removal** form. If it is not displayed, see [Get Intune Device ID](#get-intune-device-id).
+- [Optional] If you had submitted an incident request with the TechPass and SEED support team to offboard your device from the SEED components, please have the reference number ready as we may need this information.
+
+### Submit Intune Device ID
+
+**To submit Intune Device ID**:
+
+1. Ensure your **Intune Device ID** is displayed on the form. If it is not displayed, provide it.
+2. Enter your organisational email address in **Organisational Email Address** and click **Verify**.
+3. Enter the OTP you receive at this email address.
+4. Indicate if you had any issues while completing **Phase A**.
+5. [Optional] If you had issues completing **Phase A**, we encourage you to provide the **Support Ticket Number**.
+6. Click **Submit**. When this request is processed successfully, we send a notification via email.
+
+ 
+
+
+> **Note**:
+> - We require up to 30 minutes to process your server-side offboarding request.
+>- If you are still waiting to receive an email after 30 minutes, please [raise a service request](https://go.gov.sg/seed-techpass-support).
+
+## Device clean-up policy
+
+The device clean-up policy applies to SEED users with TechPass IDs belonging to the TechPass Entra ID. You can identify a TechPass Entra ID account if your TechPass ID's domain is *techpass.gov.sg*. For example, *james_lee@techpass.gov.sg* is associated with the TechPass Entra ID.
+
+The primary objective of this policy is to remove inactive device records from the Intune portal.
+
+> **Note**:
+>
+> - The device clean-up policy does **not apply** if your TechPass ID belongs to the **WOG Entra ID**.
+> - A TechPass ID in the WOG Entra ID typically aligns with your organizational email address, which is in the format *\Method 3: Raise a service request to retrieve Intune Device ID.
+ +> **Note**: Use this method if you cannot log in to your GMD or TechPass portal. + +- [Raise a service request](https://go.gov.sg/seed-techpass-support) to retrieve your Intune Device ID. + +Click the triangle to view more details about each method. - -
-
-
-Method 1: Get Intune Device ID from your GMD
- -1. Open **PowerShell** and run the following commands: - -``` -$rootKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey( - [Microsoft.Win32.RegistryHive]::LocalMachine, - [Microsoft.Win32.RegistryView]::Registry64 -) -$enrollmentsKey = $rootKey.OpenSubKey("Software\Microsoft\Enrollments") -$intune_id = "Intune ID not found" -foreach ($name in $enrollmentsKey.GetSubKeyNames()) { - $enrollmentIdKey = $enrollmentsKey.OpenSubKey($name) - if ($enrollmentIdKey.GetValue("ProviderID") -ieq "MS DM Server") { - $intune_id = $enrollmentIdKey.OpenSubKey("DMClient\MS DM Server").GetValue("EntDMID", "Intune ID not found") - break - } -} -Write-Output $intune_id - -``` -2. Take note of the Intune Device ID that is displayed on the **Powershell** window. - -
-
-
-
-Method 2: Get Intune Device ID from TechPass portal
- -1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). -2. On the TechPass portal, at the top right, go to your user name and click **My Account**. Your **Profile** details are displayed. -3. Take note of the **Intune Device ID** from the **Profile** page. - - - -
-
Use this method only if you can't log in to your GMD or TechPass portal. - -- Submit an [incident request](https://go.gov.sg/seed-techpass-support) to get your Intune Device ID. - -
-
-
-
-!> **Note**Method 3: Submit an incident request to get Intune Device ID.
- -?> **Note**Use this method only if you can't log in to your GMD or TechPass portal. - -- Submit an [incident request](https://go.gov.sg/seed-techpass-support) to get your Intune Device ID. - -
If you have any issues with the offboarding steps, see the [Offboarding FAQs](/faqs/seed-offboarding-faqs) before submitting an [incident request](https://go.gov.sg/seed-techpass-support) with TechPass and SEED support. - - -## Phase A: Offboard device from SEED components - -1. Go to the **Start** menu and enter **Powershell**. -2. Right-click on the search result for **PowerShell** and select **Run as Administrator** - - - -3. On **Powershell**, run the following command. - -``` -$reg64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64) -$OrgID = $reg64.OpenSubKey("SOFTWARE\MICROSOFT\Windows Advanced Threat Protection\Status").GetValue("OrgID") -echo $OrgID -``` - - -4. Take note of the value displayed for **OrgID**. - - - -5. Refer to the following table and identify your **Defender organisation** and download the offboarding package. - - | OrgID | Defender organisation | Offboarding package | - | ------------- |:-------------:|:-------------:| - | faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | [Download offboarding script](https://kaao45f5hebx3i7lsypkr625rq0zuiyt.lambda-url.ap-southeast-1.on.aws/local_wog_windows) | - | 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | [Download offboarding script](https://kaao45f5hebx3i7lsypkr625rq0zuiyt.lambda-url.ap-southeast-1.on.aws/local_tp_windows) | - | 6389e966-e334-461d-86ce-0fed12484620 | Hive | Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package. | - - !> **Important**
- If your **Defender organisation** is **Hive**, please skip the remaining steps in this document. You need to get the offboarding package from the Hive support and unenrol your device from Defender. See the [offboarding FAQs](offboard-device/seed-offboarding-faqs.md) to know how to unenrol your device from Defender using the Hive offboarding package.
- If your **Defender organisation** is either **WOG** or **TechPass**, you need to use your TechPass to download the offboarding package and proceed with the remaining steps.
- If your **Defender organisation** is **none of the above**, contact the IT support of the organisation that provided you with the device. - -6. Go to the folder where you downloaded the ZIP file and extract the files. You should see the following two files. - - - -?> **Note**: The file names vary with the organisation. - -7. Right-click the unzipped folder to select **Show more options** > **Copy as path**. The folder path is now saved to your clipboard. - -8. On **Powershell**, run the following command to go to the folder which has the extracted files: - - ``` - cd {Path from clipboard} - ``` - - For example: - - ``` - cd "C:\Users\testUser\Downloads\Offboarding_local_tp_windows" - - ``` - -  - -10. To run the script, enter the following command: - - ``` - powershell.exe -ExecutionPolicy Bypass .\local_windows_offboarding.ps1 - - ``` - -When you see the following success message on your **Powershell**, you are automatically directed to the **SEED offboarding: Request to remove device record** form to submit the Intune Device ID. - - - -!>**Important note**
Make sure you complete the steps in Phase B immediately after Phase A. If not, your device update policy may reinstall the latest version of the deleted SEED components. - -## Phase B: Submit Intune Device ID to remove device record - -### Prerequisites - -- Successful completion of [Phase A: Offboard device from SEED components](#phase-a-offboard-device-from-seed-components). -- **Intune Device ID**. Generally, when you successfully offboard your device from the SEED components, the Intune Device ID is automatically displayed on the **SEED Offboarding: Device Record Removal** form. If it is not displayed, see [Get Intune Device ID](#get-intune-device-id). -- [Optional]If you have submitted an incident request with the TechPass and SEED support team to offboard your device from the SEED components, please have the reference number ready as we may need this information. - -### To submit Intune Device ID - -1. Ensure your **Intune Device ID** is displayed on the form. If it is not displayed, provide it. -2. Enter your organisational email address in **Organisational Email Address** and click **Verify**. -3. Enter the OTP you receive at this email address. -4. Indicate if you had any issues while completing **Phase A**. -5. [Optional] If you had issues completing **Phase A**, we encourage you to provide the **Support Ticket Number**. -6. Click **Submit**. When this request is processed successfully, we send a notification via email. - - - - -?> **Additional information**
- We require up to 30 minutes to process your server-side offboarding request.
- If you are still waiting to receive an email after 30 minutes, please submit a [TechPass and SEED support request](https://go.gov.sg/seed-techpass-support). - +!> This documentation has moved to [Windows offboarding guide](windows-offboarding-guide). \ No newline at end of file diff --git a/offboard-device/windows.md b/offboard-device/windows.md deleted file mode 100644 index caa9b2e7..00000000 --- a/offboard-device/windows.md +++ /dev/null @@ -1,160 +0,0 @@ -# Offboard Windows device using a script - -This document guides you to offboard your Windows device onboarded to SEED. - -## Audience - -- Users who need to offboard their Windows device from SEED. - -## Prerequisites - -- You must have an active TechPass account. -- Your device must have been onboarded to SEED. -- [Optional] We recommend you to have your Intune Device ID ready. - -### Get Intune Device ID - -Complete one of the following methods to get your Intune Device ID: - -?> **Tip**
Click the triangle to view more details about each method. - -
-
-
-Method 1: Get Intune Device ID from your GMD
- -1. Open **PowerShell** and run the following commands: - -``` -$rootKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey( - [Microsoft.Win32.RegistryHive]::LocalMachine, - [Microsoft.Win32.RegistryView]::Registry64 -) -$enrollmentsKey = $rootKey.OpenSubKey("Software\Microsoft\Enrollments") -$intune_id = "Intune ID not found" -foreach ($name in $enrollmentsKey.GetSubKeyNames()) { - $enrollmentIdKey = $enrollmentsKey.OpenSubKey($name) - if ($enrollmentIdKey.GetValue("ProviderID") -ieq "MS DM Server") { - $intune_id = $enrollmentIdKey.OpenSubKey("DMClient\MS DM Server").GetValue("EntDMID", "Intune ID not found") - break - } -} -Write-Output $intune_id - -``` -2. Take note of the Intune Device ID that is displayed on the **Powershell** window. - -
-
-
-
-Method 2: Get Intune Device ID from TechPass portal
- -1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). -2. On the TechPass portal, at the top right, go to your user name and click **My Account**. Your **Profile** details are displayed. -3. Take note of the **Intune Device ID** from the **Profile** page. - - - -
-
Use this method only if you can't log in to your GMD or TechPass portal. - -- Submit an [incident request](https://go.gov.sg/seed-techpass-support) to get your Intune Device ID. - -
-
-
-
-!> **Note**Method 3: Submit an incident request to get Intune Device ID.
- -?> **Note**Use this method only if you can't log in to your GMD or TechPass portal. - -- Submit an [incident request](https://go.gov.sg/seed-techpass-support) to get your Intune Device ID. - -
If you have any issues with the offboarding steps, see the [Offboarding FAQs](/faqs/seed-offboarding-faqs) before submitting an [incident request](https://go.gov.sg/seed-techpass-support) with TechPass and SEED support. - - -## Phase A: Offboard device from SEED components - -1. Go to the **Start** menu and enter **Powershell**. -2. Right-click on the search result for **PowerShell** and select **Run as Administrator** - - - -3. On **Powershell**, run the following command. - -``` -$reg64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64) -$OrgID = $reg64.OpenSubKey("SOFTWARE\MICROSOFT\Windows Advanced Threat Protection\Status").GetValue("OrgID") -echo $OrgID -``` - - -4. Take note of the value displayed for **OrgID**. - - - -5. Refer to the following table and identify your **Defender organisation** and download the offboarding package. - - | OrgID | Defender organisation | Offboarding package | - | ------------- |:-------------:|:-------------:| - | faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | [Download offboarding script](https://kaao45f5hebx3i7lsypkr625rq0zuiyt.lambda-url.ap-southeast-1.on.aws/local_wog_windows) | - | 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | [Download offboarding script](https://kaao45f5hebx3i7lsypkr625rq0zuiyt.lambda-url.ap-southeast-1.on.aws/local_tp_windows) | - | 6389e966-e334-461d-86ce-0fed12484620 | Hive | Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package. | - - !> **Important**
- If your **Defender organisation** is **Hive**, please skip the remaining steps in this document. You need to get the offboarding package from the Hive support and unenrol your device from Defender. See the [offboarding FAQs](offboard-device/seed-offboarding-faqs.md) to know how to unenrol your device from Defender using the Hive offboarding package.
- If your **Defender organisation** is either **WOG** or **TechPass**, you need to use your TechPass to download the offboarding package and proceed with the remaining steps.
- If your **Defender organisation** is **none of the above**, contact the IT support of the organisation that provided you with the device. - -6. Go to the folder where you downloaded the ZIP file and extract the files. You should see the following two files. - - - -?> **Note**: The file names vary with the organisation. - -7. Right-click the unzipped folder to select **Show more options** > **Copy as path**. The folder path is now saved to your clipboard. - -8. On **Powershell**, run the following command to go to the folder which has the extracted files: - - ``` - cd {Path from clipboard} - ``` - - For example: - - ``` - cd "C:\Users\testUser\Downloads\Offboarding_local_tp_windows" - - ``` - -  - -10. To run the script, enter the following command: - - ``` - powershell.exe -ExecutionPolicy Bypass .\local_windows_offboarding.ps1 - - ``` - -When you see the following success message on your **Powershell**, you are automatically directed to the **SEED offboarding: Request to remove device record** form to submit the Intune Device ID. - - - -!>**Important note**
Make sure you complete the steps in Phase B immediately after Phase A. If not, your device update policy may reinstall the latest version of the deleted SEED components. - -## Phase B: Submit Intune Device ID to remove device record - -### Prerequisites - -- Successful completion of [Phase A: Offboard device from SEED components](#phase-a-offboard-device-from-seed-components). -- **Intune Device ID**. Generally, when you successfully offboard your device from the SEED components, the Intune Device ID is automatically displayed on the **SEED Offboarding: Device Record Removal** form. If it is not displayed, see [Get Intune Device ID](#get-intune-device-id). -- [Optional]If you have submitted an incident request with the TechPass and SEED support team to offboard your device from the SEED components, please have the reference number ready as we may need this information. - -### To submit Intune Device ID - -1. Ensure your **Intune Device ID** is displayed on the form. If it is not displayed, provide it. -2. Enter your organisational email address in **Organisational Email Address** and click **Verify**. -3. Enter the OTP you receive at this email address. -4. Indicate if you had any issues while completing **Phase A**. -5. [Optional] If you had issues completing **Phase A**, we encourage you to provide the **Support Ticket Number**. -6. Click **Submit**. When this request is processed successfully, we send a notification via email. - - - - -?> **Additional information**
- We require up to 30 minutes to process your server-side offboarding request.
- If you are still waiting to receive an email after 30 minutes, please submit a [TechPass and SEED support request](https://go.gov.sg/seed-techpass-support). - diff --git a/onboard-device/_sidebar-old.md b/onboard-device/_sidebar-old.md deleted file mode 100644 index 77091f9d..00000000 --- a/onboard-device/_sidebar-old.md +++ /dev/null @@ -1,16 +0,0 @@ -- **Onboarding** -[Onboard to SEED](onboard-device/onboard-device-to-seed.md) -- **Public officers** -- [Onboard macOS device](onboard-device/mac-os) -- [Onboard Windows device](onboard-device/windows) -- **Vendors** -- [Onboard macOS device](onboard-device/macos-vendor-onboarding) -- [Onboard Windows device](onboard-device/windows-vendor-onboarding) -- **Additional resources** - - [Onboarding FAQs](faqs/common-onboarding-issues.md) - - [Post onboarding steps](post-onboarding-instructions/post-onboarding-steps-and-verification) - - [Back to main](/) - - - \ No newline at end of file diff --git a/onboard-device/identify-onboarding-persona.md b/onboard-device/identify-onboarding-persona.md new file mode 100644 index 00000000..01731a67 --- /dev/null +++ b/onboard-device/identify-onboarding-persona.md @@ -0,0 +1,35 @@ +## Identify onboarding persona + +Before setting up your device for SEED, you need to identify your onboarding role: **public officer** or **vendor**. Your TechPass login ID determines whether you should onboard your Internet Device to SEED as a public officer or a vendor. + + +## Audience + +TechPass users onboarding their Internet Device to SEED. + +## Prerequisites + +- Ensure you have your TechPass login details. + + +### Public officer onboarding + +If your TechPass login ID matches your work email (WOG account), opt for the public officer onboarding. + +For example: john_doe@moe.gov.sg, john_doe_from.cognizant@tech.gov.sg. + +Follow the instructions below: + +- [Onboard as a public officer](/onboard-device/public-officer) + + +### Vendor onboarding + +If your TechPass login ID ends with **techpass.gov.sg**, opt for the vendor onboarding route. + + +For example: john_doe@techpass.gov.sg. + +Follow the instructions below: + +- [Onboard as a vendor](/onboard-device/vendor) \ No newline at end of file diff --git a/onboard-device/mac-os.md b/onboard-device/mac-os.md index 6a770798..c258af1d 100644 --- a/onboard-device/mac-os.md +++ b/onboard-device/mac-os.md @@ -1,159 +1 @@ -# Onboard macOS device to SEED as public officers - - - - -?>
- Based on your device settings, while onboarding, you may be prompted to restart your device a couple of times and reset your device password.
- Keep your recovery keys ready if you face issues resetting your password or logging in to your device. - - - - -## Step 1: Set up Microsoft Intune - -
-
-
-## Step 2: Register Microsoft Intune Device ID
-
-Set up Microsoft Intune to get the required applications and device configurations.
- - - Go to [Microsoft Intune documentation](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp) and follow the instructions on this page to complete the following: - - a. Download and install Company Portal. - - b. Enroll your Mac device. - - -
-
- -1. Open **Terminal** and run the following commands: - -``` -intune_id="$(security find-certificate -a /Library/Keychains/System.keychain | egrep -B 4 '\"issu\"=.+MICROSOFT INTUNE MDM DEVICE CA' | grep alis | cut -d '"' -f 4)"
-if [ -z "$intune_id" ]
-then
- echo "Intune ID not found"
- return
-fi
-
-num_candidates="$(echo "$intune_id" | wc -l | xargs echo -n)"
-if [ "$num_candidates" -eq 1 ]
-then
- echo "$intune_id"
- return
-fi
-
-old_ifs="$IFS"
-IFS='\n'
-actual_id="Intune ID not found"
-curr_latest_end_date_unix=0
-while read id
-do
- end_date="$(security find-certificate -c "$id" -p /Library/Keychains/System.keychain | openssl x509 -noout -enddate | cut -d '=' -f 2)"
- end_date_unix="$(date -j -f "%b %e %H:%M:%S %Y %Z" "$end_date" "+%s")"
- if [ "$end_date_unix" -ge "$curr_latest_end_date_unix" ]
- then
- actual_id="$id"
- curr_latest_end_date_unix="$end_date_unix"
- fi
-done <<< "$intune_id"
-
-IFS="$old_ifs"
-echo "$actual_id"
-```
-2. Take note of the Intune Device ID that is displayed on the Terminal window.
-
-3. Choose the appropriate method to register your Intune Device ID:
-
- a. If you only have a **SE GSIB** device, submit a [support request](https://go.gov.sg/seed-techpass-support) to register your Intune Device ID and skip rest of the steps. Within two hours, you should receive the successfully onboarded email.
-
- b. If you have a **non-SE GSIB** device, log in to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile).
-
-4. On the TechPass portal, at the top right, go to your user name and click **My Account**. Your **Profile** details are displayed.
-5. Click **Onboard device to SEED** and follow the on-screen instructions to submit this Intune Device ID.
-
- 
-
- You will receive the following confirmation message.
-
- 
-
- Your Internet Device record is listed under the **SEED Devices** with the following details:
-
- - Device name
- - Operating system of the device
- - Serial number
- - Intune Device ID
- - Date and time when the onboarding was trigerred or when the device was successfully onboarded
- - Onboarding status
-
- 
-
-6. Ensure the device you are onboarding is connected to the Internet so that Intune is able to install the required software and configurations.
-
-7. After 30-60 minutes, check your inbox (organisational email address) to see if you have received any email regarding your onboarding status.
-
-8. Choose the appropriate step:
-
- a. If you have received a successfully onboarded email, skip rest of the steps in this section and proceed to [Step 3: Verify installation](#step-3-verify-installation).
-
- b. If you have **not yet received** the **successfully onboarded email** or if you **have received** a **failed onboarding email**, complete the following step on [TechPass portal](https://portal.techpass.gov.sg/).
-
-9. Refer to the following table to know about the possible onboarding status and the action required by you.
-
-| Status | Description | Action required |
-|---| ---| ---|
-| **triggered, waiting for software installation (step 1 of 2)**| Your SEED onboarding has been triggered on the device and is waiting for the software installation to be completed. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
2. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
3. Go to the **SEED Devices** section and click the refresh icon. If the software installation is successful, the status changes to **software installed, waiting for backend onboarding (step 2 of 2)**.| -| **software installed, waiting for backend onboarding (step 2 of 2)**| Required software has been installed on the device and waiting for backend onboarding. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
2. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
3. Go to the **SEED Devices** section and click the refresh icon. If the backend onboarding is successful, the status changes to **onboarded**. | -| **onboarded** | Your SEED onboarding is successful. | Go to step 10 in this section. | -| **failed(*Reason for failure*)** | Your SEED onboarding failed due to the error mentioned within the parentheses. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
2. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
3. Go to the **SEED Devices** section. Action required to resolve this failure is generally mentioned in the parentheses.
4. Complete the suggested action. | - -10. Check your inbox (organisational email address) to see if you have received the successfully onboarded email. - -?> If you don't receive this email after two hours, submit an [incident request](https://go.gov.sg/seed-techpass-support). - - - -
-
-## Step 3: Verify installation
-
-Register the Microsoft Intune Device ID for your macOS device.
- -1. Open **Terminal** and run the following commands: - -``` -intune_id="$(security find-certificate -a /Library/Keychains/System.keychain | egrep -B 4 '\"issu\"
-
- You will receive the following confirmation message.
-
-
-
- Your Internet Device record is listed under the **SEED Devices** with the following details:
-
- - Device name
- - Operating system of the device
- - Serial number
- - Intune Device ID
- - Date and time when the onboarding was trigerred or when the device was successfully onboarded
- - Onboarding status
-
- 
-
-6. Ensure the device you are onboarding is connected to the Internet so that Intune is able to install the required software and configurations.
-
-7. After 30-60 minutes, check your inbox (organisational email address) to see if you have received any email regarding your onboarding status.
-
-8. Choose the appropriate step:
-
- a. If you have received a successfully onboarded email, skip rest of the steps in this section and proceed to [Step 3: Verify installation](#step-3-verify-installation).
-
- b. If you have **not yet received** the **successfully onboarded email** or if you **have received** a **failed onboarding email**, complete the following step on [TechPass portal](https://portal.techpass.gov.sg/).
-
-9. Refer to the following table to know about the possible onboarding status and the action required by you.
-
-| Status | Description | Action required |
-|---| ---| ---|
-| **triggered, waiting for software installation (step 1 of 2)**| Your SEED onboarding has been triggered on the device and is waiting for the software installation to be completed. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).2. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
3. Go to the **SEED Devices** section and click the refresh icon. If the software installation is successful, the status changes to **software installed, waiting for backend onboarding (step 2 of 2)**.| -| **software installed, waiting for backend onboarding (step 2 of 2)**| Required software has been installed on the device and waiting for backend onboarding. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
2. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
3. Go to the **SEED Devices** section and click the refresh icon. If the backend onboarding is successful, the status changes to **onboarded**. | -| **onboarded** | Your SEED onboarding is successful. | Go to step 10 in this section. | -| **failed(*Reason for failure*)** | Your SEED onboarding failed due to the error mentioned within the parentheses. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
2. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
3. Go to the **SEED Devices** section. Action required to resolve this failure is generally mentioned in the parentheses.
4. Complete the suggested action. | - -10. Check your inbox (organisational email address) to see if you have received the successfully onboarded email. - -?> If you don't receive this email after two hours, submit an [incident request](https://go.gov.sg/seed-techpass-support). - - - -
-
- -1. Go to the **Apple menu** > **System Settings** > **Privacy and Security**. -2. Select **Profiles** on the right pane. You should be able to see the following profiles. -
-
-
-
-
+!> This documentation has moved to [Identify onboarding persona](/onboard-device/identify-onboarding-persona).
\ No newline at end of file
diff --git a/onboard-device/macos-vendor-onboarding.md b/onboard-device/macos-vendor-onboarding.md
index 2403b6e3..3871f27b 100644
--- a/onboard-device/macos-vendor-onboarding.md
+++ b/onboard-device/macos-vendor-onboarding.md
@@ -1,104 +1 @@
-# Onboard macOS device to SEED as vendors
-
-
-
-?> Verify the installation of the required profiles.
- -1. Go to the **Apple menu** > **System Settings** > **Privacy and Security**. -2. Select **Profiles** on the right pane. You should be able to see the following profiles. -
-
-
- Credential Profile -
- Custom Preferences Profile - com.cloudflare.warp -
- Custom Preferences Profile - com.microsoft.wdav -
- GCC2 ATP Full Disk Access -
- GCC2 ATP Kernel Extensions - Custom -
- GCC2 ATP Network Filter -
- GCC2 ATP Notifications -
- GCC2 ATP Onboarding -
- Intune MDM Agent SCEP Profile -
- Management Profile -
- Passcode Profile -
- Privacy Preferences Policy Profile -
- System Extension Profile -
- Based on your device settings, while onboarding, you may be prompted to restart your device a couple of times and reset your device password.
- Keep your recovery keys ready if you face issues resetting your password or logging in to your device. - - - - - -## Step 1: Set up Microsoft Intune - -
-
- - 1. Go to [Microsoft Intune documentation](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp) and follow the instructions on this page to complete the following: - - a. Download and install Company Portal. - - b. Enroll your Mac device. - - - 2. Ensure that your device is connected to the Internet so that Intune is able to install the required SEED components and configurations. - 3. Within the next two hours, check your inbox (organisational email address) to see if you have received the successfully onboarded email. - 4. If you don't receive this email after two hours, submit an [incident request](https://go.gov.sg/seed-techpass-support). - -
-
-## Step 2: Verify installation
-
-Set up Microsoft Intune to get the required applications and device configurations.
- - 1. Go to [Microsoft Intune documentation](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp) and follow the instructions on this page to complete the following: - - a. Download and install Company Portal. - - b. Enroll your Mac device. - - - 2. Ensure that your device is connected to the Internet so that Intune is able to install the required SEED components and configurations. - 3. Within the next two hours, check your inbox (organisational email address) to see if you have received the successfully onboarded email. - 4. If you don't receive this email after two hours, submit an [incident request](https://go.gov.sg/seed-techpass-support). - -
-
- -1. Go to the **Apple menu** > **System Settings** > **Privacy and Security**. -2. Select **Profiles** on the right pane. You should be able to see the following profiles. - -
-
-
-
-
-
-
-
+!> This documentation has moved to [Identify onboarding persona](identify-onboarding-persona).
\ No newline at end of file
diff --git a/onboard-device/onboard-device-to-seed.md b/onboard-device/onboard-device-to-seed.md
index 094e5fa9..3871f27b 100644
--- a/onboard-device/onboard-device-to-seed.md
+++ b/onboard-device/onboard-device-to-seed.md
@@ -1,37 +1 @@
-# Step 2: Onboard your device to SEED
-
-
-
-This article explains how to onboard your Internet Device to SEED.
-
-## Audience
-
-Users onboarding their Internet Device to SEED.
-
-## Prerequisites
-
-Ensure that you complete the following:
-
- - [Step 0: Prerequisites for onboarding to SEED](prerequisites-for-onboarding)
- - [Step 1: Identify your SEED onboarding persona](identify-seed-onboarding-persona)
-
-If you are using a silicon-based chip Mac, such as M1 or M2, run the following command in Terminal before beginning the onboarding process.
-```
-sudo softwareupdate --install-rosetta
-```
-This command is necessary to ensure that certain applications can be installed on your device without encountering any software installation errors.
-
-## Onboard device to SEED
-
-Based on your onboarding persona and operating system of your Internet Device, choose the required onboarding flow:
-
-**Public officers**
-
-- [Onboard macOS device](onboard-device/mac-os)
-- [Onboard Windows device](onboard-device/windows)
-
-**Vendors**
-
-- [Onboard macOS device](onboard-device/macos-vendor-onboarding)
-- [Onboard Windows device](onboard-device/windows-vendor-onboarding)
-
+!> This documentation has moved to [Identify onboarding persona](identify-onboarding-persona).
\ No newline at end of file
diff --git a/onboard-device/public-officer.md b/onboard-device/public-officer.md
new file mode 100644
index 00000000..7b3c0e51
--- /dev/null
+++ b/onboard-device/public-officer.md
@@ -0,0 +1,291 @@
+# Onboard to SEED as a public officer
+
+This document provides a step-by-step guide to help public officers through the onboarding process for the Secure Engineering Environment for Developers (SEED). Before proceeding, make sure you meet the prerequisites outlined below.
+
+## Prerequisites
+
+Before proceeding with the SEED (Secure Engineering Environment for Developers) onboarding process as a public officer, ensure you meet the following prerequisites:
+
+- Your TechPass login ID must match your work email, typically associated with a WOG (Whole-of-Government) account. For example, john_doe@moe.gov.sg or john_doe_from.cognizant@tech.gov.sg.
+
+
+## macOS
+
+During the process, you may encounter prompts to restart your device and reset your device's password. It is important to have your recovery keys ready in case you encounter any issues during the password reset or device login.
+
+
+
+
+### Step 1: Configure Microsoft Intune
+
+Verify the installation of the required profiles.
- -1. Go to the **Apple menu** > **System Settings** > **Privacy and Security**. -2. Select **Profiles** on the right pane. You should be able to see the following profiles. - -
-
-
- Credential Profile -
- Custom Preferences Profile - com.cloudflaare.warp -
- Custom Preferences Profile - com.microsoft.wdav -
- GCC2 ATP Full Disk Access -
- GCC2 ATP Kernel Extensions - Custom -
- GCC2 ATP Network Filter -
- GCC2 ATP Notifications -
- GCC2 ATP Onboarding -
- Intune MDM Agent SCEP Profile -
- Management Profile -
- Passcode Profile -
- Privacy Preferences Policy Profile -
- System Extension Profile -
+
+
+### Step 2: Register Microsoft Intune Device ID
+
+Configure Microsoft Intune to obtain applications and device settingss.
+ + - Go to [Microsoft Intune documentation](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp) and follow the instructions provided on the page to complete the following: + + a. Download and install Company Portal. + + b. Enrol your Mac device. + + +
+
+ +1. Open **Terminal** and run the following commands: + +``` +intune_id="$(security find-certificate -a /Library/Keychains/System.keychain | egrep -B 4 '\"issu\"=.+MICROSOFT INTUNE MDM DEVICE CA' | grep alis | cut -d '"' -f 4)"
+if [ -z "$intune_id" ]
+then
+ echo "Intune ID not found"
+ return
+fi
+
+num_candidates="$(echo "$intune_id" | wc -l | xargs echo -n)"
+if [ "$num_candidates" -eq 1 ]
+then
+ echo "$intune_id"
+ return
+fi
+
+old_ifs="$IFS"
+IFS='\n'
+actual_id="Intune ID not found"
+curr_latest_end_date_unix=0
+while read id
+do
+ end_date="$(security find-certificate -c "$id" -p /Library/Keychains/System.keychain | openssl x509 -noout -enddate | cut -d '=' -f 2)"
+ end_date_unix="$(date -j -f "%b %e %H:%M:%S %Y %Z" "$end_date" "+%s")"
+ if [ "$end_date_unix" -ge "$curr_latest_end_date_unix" ]
+ then
+ actual_id="$id"
+ curr_latest_end_date_unix="$end_date_unix"
+ fi
+done <<< "$intune_id"
+
+IFS="$old_ifs"
+echo "$actual_id"
+```
+2. Record the Intune Device ID displayed in the Terminal window.
+
+> **Note**: The following steps (3 and 4) are for users with **non-SE GSIB** devices. If you have an **SE GSIB** device, proceed to step 5.
+
+
+3. Log in to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile).
+
+4. On the TechPass portal, go to your user name at the top right and select **My Account**. Your **Profile** details will be displayed.
+
+5. If you have an **SE GSIB** device, [raise a service request](https://go.gov.sg/seed-techpass-support) to register your Intune Device ID and skip the remaining steps. An email confirming successful onboarding will be sent to you within two hours.
+
+6. Click **Onboard device to SEED** and follow the on-screen instructions to submit your Intune Device ID.
+
+ 
+
+ You will receive the following confirmation message:
+
+ 
+
+ Your Internet Device record is listed under **SEED Devices** and includes the following details:
+
+ - Device name
+ - Operating system of the device
+ - Serial number
+ - Intune Device ID
+ - Date and time when the onboarding was trigerred or when the device was successfully onboarded
+ - Onboarding status
+
+ 
+
+6. Ensure the device you are onboarding is connected to the Internet for Intune to install the required software and configurations.
+
+7. After 30-60 minutes, check your inbox (organisational email address) for any emails regarding your onboarding status.
+
+
+8. Choose the appropriate step:
+
+ a. If you have received a email confirming successful onboarding, skip the rest of the steps in this section and proceed to [Step 3: Verify installation](#step-3-verify-installation).
+
+ b. If you did not receive the email or if you **have received** a **failed onboarding email**, complete the following step on [TechPass portal](https://portal.techpass.gov.sg/).
+
+9. Refer to the following table to know about the possible onboarding status and the action required by you.
+
+| Status | Description | Action required |
+|---| ---| ---|
+| **Triggered, waiting for software installation (step 1 of 2)**| Your SEED onboarding has been triggered on the device and is waiting for the software installation to be completed. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
2. At the top right, select your user name and click **My Account**. Your profile details are displayed.
3. Navigate to the **SEED Devices** section and click the refresh icon. If the software installation is successful, the status changes to **Software installed, waiting for backend onboarding (step 2 of 2)**.| +| **Software installed, waiting for backend onboarding (step 2 of 2)**| Required software has been installed on the device and waiting for backend onboarding. | 1. On your non-SE GSIB device,access the [TechPass portal](https://portal.techpass.gov.sg/).
2. At the top right, select your user name and click **My Account**. Your profile details are displayed.
3. Navigate to the **SEED Devices** section and click the refresh icon. If the backend onboarding is successful, the status will change to **Onboarded**. | +| **Onboarded** | Your SEED onboarding is successful. | Proceed to step 10 in this section. | +| **Failed** **(*Reason for failure*)** | Your SEED onboarding has failed due to the error displayed. | 1. On your non-SE GSIB device, access the [TechPass portal](https://portal.techpass.gov.sg/).
2. At the top right, select your user name and click **My Account**. Your profile details are displayed.
3. Navigate to the **SEED Devices** section. The action required to resolve this failure is mentioned in the parentheses.
4. Complete the suggested action. | + +10. Check your inbox (organisational email address) to see if you have received the successfully onboarded email. + +?> If you do not receive this email after two hours, [raise a service request](https://go.gov.sg/seed-techpass-support). + + + +
+
+### Step 3: Verify installation
+
+Register Microsoft Intune Device ID for your macOS device.
+ +1. Open **Terminal** and run the following commands: + +``` +intune_id="$(security find-certificate -a /Library/Keychains/System.keychain | egrep -B 4 '\"issu\"
2. At the top right, select your user name and click **My Account**. Your profile details are displayed.
3. Navigate to the **SEED Devices** section and click the refresh icon. If the software installation is successful, the status changes to **Software installed, waiting for backend onboarding (step 2 of 2)**.| +| **Software installed, waiting for backend onboarding (step 2 of 2)**| Required software has been installed on the device and waiting for backend onboarding. | 1. On your non-SE GSIB device,access the [TechPass portal](https://portal.techpass.gov.sg/).
2. At the top right, select your user name and click **My Account**. Your profile details are displayed.
3. Navigate to the **SEED Devices** section and click the refresh icon. If the backend onboarding is successful, the status will change to **Onboarded**. | +| **Onboarded** | Your SEED onboarding is successful. | Proceed to step 10 in this section. | +| **Failed** **(*Reason for failure*)** | Your SEED onboarding has failed due to the error displayed. | 1. On your non-SE GSIB device, access the [TechPass portal](https://portal.techpass.gov.sg/).
2. At the top right, select your user name and click **My Account**. Your profile details are displayed.
3. Navigate to the **SEED Devices** section. The action required to resolve this failure is mentioned in the parentheses.
4. Complete the suggested action. | + +10. Check your inbox (organisational email address) to see if you have received the successfully onboarded email. + +?> If you do not receive this email after two hours, [raise a service request](https://go.gov.sg/seed-techpass-support). + + + +
+
+ +1. Go to the **Apple menu** > **System Settings** > **Privacy and Security**. +2. Select **Profiles** on the right pane. You should be able to see the following profiles. +
+
+ ## Windows
+
+
+Based on your Windows settings, you may be prompted to restart or reset your password while onboarding.
+
+
+
+### Step 1: Set up Microsoft Intune
+
+Verify the installation of the required profiles.
+ +1. Go to the **Apple menu** > **System Settings** > **Privacy and Security**. +2. Select **Profiles** on the right pane. You should be able to see the following profiles. +
-
+
- Credential Profile +
- Custom Preferences Profile - com.cloudflare.warp +
- Custom Preferences Profile - com.microsoft.wdav +
- GCC2 ATP Full Disk Access +
- GCC2 ATP Kernel Extensions - Custom +
- GCC2 ATP Network Filter +
- GCC2 ATP Notifications +
- GCC2 ATP Onboarding +
- Intune MDM Agent SCEP Profile +
- Management Profile +
- Passcode Profile +
- Privacy Preferences Policy Profile +
- System Extension Profile +
+
+ +1. Click **Start** icon on the taskbar. + +2. Go to **Settings** > **Accounts** > **Access work or school** and click **Connect** to add your WOG account. + +  + +3. Authorise your WOG account by entering the verification code displayed for your SG Govt M365 profile on the authenticator app before approving your TechPass login. + +  + + Your account is added and listed as a connection. This account has **Info** and **Disconnect** options as shown below. + +  + +4. Select the **Info** option and verify that a similar result to the following is displayed. + +  + + +
+
+### Step 2: Register Microsoft Intune Device ID
+
+
+Set up Microsoft Intune to get the required applications and device configurations.
+ +1. Click **Start** icon on the taskbar. + +2. Go to **Settings** > **Accounts** > **Access work or school** and click **Connect** to add your WOG account. + +  + +3. Authorise your WOG account by entering the verification code displayed for your SG Govt M365 profile on the authenticator app before approving your TechPass login. + +  + + Your account is added and listed as a connection. This account has **Info** and **Disconnect** options as shown below. + +  + +4. Select the **Info** option and verify that a similar result to the following is displayed. + +  + + +
+
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click the refresh icon. If the software installation is successful, the status changes to **software installed, waiting for backend onboarding (step 2 of 2)**.| +| **software installed, waiting for backend onboarding (step 2 of 2)**| Required software has been installed on the device and waiting for backend onboarding. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click the refresh icon. If the backend onboarding is successful, the status changes to **onboarded**. | +| **onboarded** | Your SEED onboarding is successful. | Go to step 10 in this section. | +| **failed(*Reason for failure*)** | Your SEED onboarding failed due to the error mentioned within the parentheses. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section. Action required to resolve this failure is generally mentioned in the parentheses.
5. Complete the suggested action. | + + +10. Check your inbox (organisational email address) to see if you have received the successfully onboarded email. + +?> If you do not receive this email after two hours, [raise a service request](https://go.gov.sg/seed-techpass-support). + + +
+
+
+### Step 3: Verify installation
+
+Register the Microsoft Intune Device ID for your Windows device.
+ +1. Open **PowerShell** and run the following commands: +``` +$rootKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey( + [Microsoft.Win32.RegistryHive]::LocalMachine, + [Microsoft.Win32.RegistryView]::Registry64 +) +$enrollmentsKey = $rootKey.OpenSubKey("Software\Microsoft\Enrollments") +$intune_id = "Intune ID not found" +foreach ($name in $enrollmentsKey.GetSubKeyNames()) { + $enrollmentIdKey = $enrollmentsKey.OpenSubKey($name) + if ($enrollmentIdKey.GetValue("ProviderID") -ieq "MS DM Server") { + $intune_id = $enrollmentIdKey.OpenSubKey("DMClient\MS DM Server").GetValue("EntDMID", "Intune ID not found") + break + } +} +Write-Output $intune_id +``` +2. Take note of the Intune Device ID that is displayed on the Powershell window. + +3. Choose the appropriate method to register your Intune Device ID: + + a. If you only have a **SE GSIB** device, [raise a service request](https://go.gov.sg/seed-techpass-support) to register your Intune Device ID and skip rest of the steps. Within two hours, you should receive the successfully onboarded email. + + b. If you have a **non-SE GSIB** device, log in to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). + +4. On the TechPass portal, at the top right, go to your user name and click **My Account**. Your **Profile** details are displayed. +5. Click **Onboard device to SEED** and follow the on-screen instructions to submit this Intune Device ID. + +  + + You will receive the following confirmation message. + +  + + Your Internet Device record is listed under the **SEED Devices** with the following details: + + - Device name + - Operating system of the device + - Serial number + - Intune Device ID + - Date and time when the onboarding was trigerred or when the device was successfully onboarded + - Onboarding status + +  + +6. Ensure the device you are onboarding is connected to the Internet so that Intune is able to install the required software and configurations. + +7. After 30-60 minutes, check your inbox (organisational email address) to see if you have received any email regarding your onboarding status. + +8. Choose the appropriate step: + + a. If you have received a successfully onboarded email, skip rest of the steps in this section and proceed to [Step 3: Verify installation](#step-3-verify-installation). + + b. If you have **not yet received** the **successfully onboarded email** or if you **have received** a **failed onboarding email**, complete the following step on [TechPass portal](https://portal.techpass.gov.sg/). + +9. Refer to the following table to know about the possible onboarding status and the action required by you. + +| Status | Description | Action required | +|---| ---| ---| +| **triggered, waiting for software installation (step 1 of 2)**| Your SEED onboarding has been triggered on the device and is waiting for the software installation to be completed. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click the refresh icon. If the software installation is successful, the status changes to **software installed, waiting for backend onboarding (step 2 of 2)**.| +| **software installed, waiting for backend onboarding (step 2 of 2)**| Required software has been installed on the device and waiting for backend onboarding. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click the refresh icon. If the backend onboarding is successful, the status changes to **onboarded**. | +| **onboarded** | Your SEED onboarding is successful. | Go to step 10 in this section. | +| **failed(*Reason for failure*)** | Your SEED onboarding failed due to the error mentioned within the parentheses. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section. Action required to resolve this failure is generally mentioned in the parentheses.
5. Complete the suggested action. | + + +10. Check your inbox (organisational email address) to see if you have received the successfully onboarded email. + +?> If you do not receive this email after two hours, [raise a service request](https://go.gov.sg/seed-techpass-support). + + +
+
+ +1. Go to the Internet Device onboarded to SEED, open **Settings** > **Apps** > **Apps & features**. +2. Ensure that Cloudflare WARP and Tanium are listed. + +  + +  + + You may receive a desktop notification that your device has been renamed according to convention, and that a timed restart will occur in 5 minutes. This is completely expected, and you should save any existing work to prevent data loss. Alternatively, you can also opt to manually restart your device, after receiving the desktop notification, to speed up the process. As the naming convention is required for administrative purposes, please refrain from renaming your device thereafter. + +
+
diff --git a/onboard-device/seed-prerequisites.md b/onboard-device/seed-prerequisites.md
new file mode 100644
index 00000000..b308dd60
--- /dev/null
+++ b/onboard-device/seed-prerequisites.md
@@ -0,0 +1,407 @@
+# SEED prerequisites
+
+Before you begin the process of onboarding your Internet Device to SEED, you need meet the necessary prerequisites. These prerequisites are vital for a successful onboarding experience.
+
+## Supported browsers and OS
+
+Supported browsers:
+
+ - Google Chrome
+ - Microsoft Edge
+ - Mozilla Firefox. If you are using Mozilla Firefox, you need to [configure Firefox to trust the root certificate store of your system](https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox).
+
+Supported OS:
+
+- macOS 12 or higher
+- Windows 10 and 11
+
+## Request SEED provisioning
+
+You can request SEED provisioning through one of the following methods:
+
+- Contact your reporting officer or project manager to request TechPass and SEED provisioning via the [TechBiz portal](http://portal.techbiz.suite.gov.sg/).
+- If you have access to the [TechPass portal](https://portal.techpass.gov.sg/), you can sign up for TechPass and SEED provisioning simultaneously. For detailed information, refer to [TechPass documentation](https://docs.developer.tech.gov.sg/docs/techpass-user-guide/onboard-to-techpass).
+- If you already have an active TechPass account and can access the TechPass portal, you can initiate the [SEED provisioning request](https://docs.developer.tech.gov.sg/docs/techpass-user-guide/request-for-seed-provisioning) from your TechPass account profile.
+- If you are a SE GSIB user with an active TechPass account, you can raise a [service request](https://go.gov.sg/seed-techpass-support) for SEED provisioning.
+
+> **Note**: You need to use a non-SE GSIB device to access [TechBiz portal](http://portal.techbiz.suite.gov.sg/) and [TechPass portal](https://portal.techpass.gov.sg/).
+
+## Successful completion of SEED provisioning
+
+Once SEED provisioning is successfully completed, the following steps are as follows:
+
+- You will receive the SEED onboarding email within the next three business days.
+- Keep in mind that this email remains valid for 30 days.
+- Prior to proceeding with onboarding your internet device to SEED, ensure that you have successfully activated your TechPass account.
+- If your SEED onboarding email has expired, consider the following options:
+ - If you originally requested SEED provisioning via your reporting officer or project manager, reach out to them again to receive a new SEED onboarding invitation email.
+ - If you signed up for SEED via the TechPass portal, you can log in to the TechPass portal to [request a new SEED onboarding invitation email](https://docs.developer.tech.gov.sg/docs/techpass-user-guide/request-for-seed-provisioning).
+
+
+## Uninstall existing software
+
+Before proceeding with SEED onboarding, it is required to uninstall any relevant software solutions from your device:
+
+- Any existing MDM (Mobile Device Management) software
+- Tanium client or any other unified endpoint management and security platform
+- Cloudflare WARP or any other software used for privacy and secured connections
+- Defender or any other antivirus solution
+
+Follow the steps below to check for and remove any existing software on your device, depending on your operating system:
+
+### macOS
+
+Verify the installation.
+ +1. Go to the Internet Device onboarded to SEED, open **Settings** > **Apps** > **Apps & features**. +2. Ensure that Cloudflare WARP and Tanium are listed. + +  + +  + + You may receive a desktop notification that your device has been renamed according to convention, and that a timed restart will occur in 5 minutes. This is completely expected, and you should save any existing work to prevent data loss. Alternatively, you can also opt to manually restart your device, after receiving the desktop notification, to speed up the process. As the naming convention is required for administrative purposes, please refrain from renaming your device thereafter. + +
+
- If you see Microsoft Intune in the settings, it indicates that your MDM is **Microsoft Intune**. Proceed to **step b. Unenrol from Microsoft Intune**
- For devices managed by other MDM software, please contact your organization's IT administrator to unenrol your device. + +
+a. Verify if your device is already managed by any MDM software
+ + Complete the following steps to find if your device is already managed by an MDM solution. + + 1. Choose the appropriate step based on your macOS version: + + a. If your macOS version is macOS 12, navigate to the **Apple** menu > **System Preferences** > **Profiles**. + + b. If your macOS version is macOS 13 or 14, navigate to the **Apple** menu > **System Settings** > **Privacy and Security** > **Profiles** on the right. You may need to scroll down. + + 2. Click **Management Profile**. + + a. If your macOS version is macOS 12, and you see a page similar to the following, it indicates that you already have an MDM software installed. + +  + + b. If your macOS version is macOS 13 or 14 and you see a similar page, it indicates that you already have MDM software installed. + +  + + 3. Choose the appropriate step: + + - If you have verified that your Internet Device is not currently managed by any MDM, proceed to step **c.Remove Tanium Client** to check for and remove Tanium Client if it is installed. + + - If your Internet Device is managed by an MDM software, go to **Settings** on the **Management Profile** to identify the current MDM software. + +  + +?>- If you see Microsoft Intune in the settings, it indicates that your MDM is **Microsoft Intune**. Proceed to **step b. Unenrol from Microsoft Intune**
- For devices managed by other MDM software, please contact your organization's IT administrator to unenrol your device. + +
+
+
+b. Unenrol from Microsoft Intune
+ +Complete the following steps to remove your device from Intune. + +?> To find if your device is enrolled with Intune, refer to step **a. Verify if your device is already managed by any MDM software**. + + 1. Sign in to the **Company Portal** app. +  + 2. Go to **Devices** and click the three dots beside the device you want to unenrol. + 3. Choose **Remove**. +  + 4. When prompted to confirm the removal, select **Remove**. + 5. Click your profile icon and **Sign out** of the **Company Portal**. + +
+
+c. Remove Tanium Client
+ +Complete the following steps to find if Tanium Client is available on your device and remove it. + + 1. Open **Terminal** and run the following command: + + ``` + sudo ls /Library/Tanium/TaniumClient + ``` + 2. Enter your macOS password when prompted. + + 3. If you see confirmation, as shown in the image below, that Tanium Client is installed on your device, proceed to step 4. If not, continue to **step d. Remove the Cloudflare WARP client**. +  + + 4. Run the following commands in **Terminal**: + + ``` + sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist + + sudo launchctl remove com.tanium.taniumclient > /dev/null 2 >&1 + + sudo rm /Library/LaunchDaemons/com.tanium.taniumclient.plist + + sudo rm /Library/LaunchDaemons/com.tanium.trace.recorder.plist + + sudo rm -rf /Library/Tanium/ + + sudo rm /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.bom + + sudo rm /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.plist + + sudo rm /var/db/receipts/com.tanium.tanium.client.bom + + sudo rm /var/db/receipts/com.tanium.tanium.client.plist + + ``` + 5. Enter your macOS password when prompted. Once the commands are successfully executed, Tanium Client is removed from your device. + +
+
+d. Remove Cloudflare WARP Client
+ +Complete the following steps to find if Cloudflare WARP client is available on your device and remove it. + + 1. Click the **Finder** icon in the **Dock**. + 2. Choose **Applications**. + 3. Search for **Cloudflare WARP.app**. + 4. If available, open **Terminal** and run the following command: + ``` + sudo /bin/sh /Applications/Cloudflare\ WARP.app/Contents/Resources/uninstall.sh + ``` + + 5. When prompted, enter your macOS password. + +e. Remove Defender or the current antivirus solution
+ +If your device is already enroled with Defender or any other antivirus solution, it has to be completely unenroled from it before you proceed to onboard the device to SEED. + +Complete the following steps to determine if Defender is your current antivirus solution and remove it from your device. + +?> **Note**: If you have another antivirus solution, please contact your administrator to remove it. + + +1. Open **Terminal** and run `mdatp health. +2. Choose the appropriate step: + + a. If you get a `mdatp: command not found` error, it means you do not have Defender installed on your device. You can skip the remaining steps in this section. + + b. Take note of the value displayed for **org_id**. + +3. Identify the organisation corresponding to this **org_id** from the following table. This is the organisation that is linked to your Defender or antivirus solution on your device. + + | org_id | Defender organisation | Offboarding package | + | ------------- |:-------------:|:-------------:| + | faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | [Download offboarding package](https://k3uwa66lu3tj6uxft46666ynhe0uvzor.lambda-url.ap-southeast-1.on.aws/local_wog_mac) | + | 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | [Download offboarding package](https://k3uwa66lu3tj6uxft46666ynhe0uvzor.lambda-url.ap-southeast-1.on.aws/local_tp_mac) | + | 6389e966-e334-461d-86ce-0fed12484620 | Hive | Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package. | + + +?> **Important** +> - If your **Defender organization** is **Hive**, skip the remaining steps in this document. Obtain the offboarding package from Hive support and unenrol your device from Defender. Refer to [Offboarding FAQ](/faqs/onboarding-faq.md) for instructions on how to unenrol your device from Defender using the Hive offboarding package. +> - If your **Defender organization** is either **WOG** or **TechPass**, it suggests that this device may have already been onboarded to SEED under a different TechPass profile. Therefore, you need to offboard this device before proceeding further. +> - If your **Defender organization** is **none of the above**, please contact the IT support of the organization that provided you with the device. + +4. Log in with your TechPass to download the offboarding package. +5. Go to the folder where you downloaded the ZIP file and extract the files. You should see the following two files. + +  + +> **Note**: The file names vary with the organisation. + +6. On your **Terminal**, run the following command: + +``` +sudo mdatp config tamper-protection enforcement-level --value audit +``` + +7. On **Terminal**, go to the folder where you extracted the files. For example, if they are in the **Downloads** > **Offboarding_local_wog_mac** folder, go to that folder. + +  + +8. Copy the below and run it in the same **Terminal**. + + ``` + sudo chmod +x local_mac_offboarding.sh + ``` + +9. When prompted for a **password**, enter your device password. +10. Copy and run the following command in your **Terminal**. + + ``` + sudo ./local_mac_offboarding.sh + ``` + + When the following success message appears in **Terminal**, ou will be automatically redirected to a form to submit the Intune Device ID. + +  + +11. Ensure your **Intune Device ID** is displayed on the form. If it is not displayed, provide it. Refer to [Get Intune Device ID](/offboard-device/mac-os) for assistance. +12. Enter your organisational email address in the **Organisational Email Address** field and click **Verify**. +13. Enter the OTP you receive at this email address. +14. Click **Submit**. Once this request is processed successfully, we will send a notification via email. + +  + +
+
+
+a. Remove existing MDM software
+ +Complete the following steps to find if your device is managed by an MDM solution and remove it. + + 1. Click the **Start** icon on the taskbar. + 2. Go to **Settings** > **Accounts**. + 3. From the left menu, choose **Access work or school**. + +?> If your device is managed by an MDM software, your username in your organisation's domain will be displayed under **Work or school account**. + + 4. Click **Work or school account** and then select **Disconnect**. + + +
+
+
+b. Remove Tanium Client
+ +Complete the following steps to find if Tanium client is available on your device and remove it. + + 1. Click **Start** icon on the taskbar. + 2. Go to **Settings** > **Apps** and search for **Tanium Client**. + 3. If available, choose it and then click **Uninstall**. + +
+
+
+c. Remove Cloudflare WARP Client
+ +Complete the following steps to find if Cloudflare WARP client is available on your device and remove it. + + 1. Click the **Start** icon on the taskbar. + 2. Go to **Settings** > **Apps** and search for **Cloudflare WARP**. + 3. If available, select it and then click **Uninstall**. + +d. Remove current antivirus solution on the device
+ +If your device is already enrolled with Defender or any other antivirus solution, it has to be completely unenrolled from it before you proceed to onboard the device to SEED. + +Complete the following steps to find if Defender is your current antivirus solution and remove it from your device. + +1. Go to the **Start** menu and search for **Powershell**. +2. Right-click on the search result for **PowerShell** and select **Run as Administrator**. + +  + +3. On **Powershell**, run the following command: + +``` +$reg64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64) +$OrgID = $reg64.OpenSubKey("SOFTWARE\MICROSOFT\Windows Advanced Threat Protection\Status").GetValue("OrgID") +echo $OrgID +``` + +4. Take note of the value displayed for **OrgID**. + +  + +?> Note: If you do not receive any response, it means you do not have Defender installed on your device. You can skip the steps in this section. + +5. Refer to the following table and identify your **Defender organisation** and download the offboarding package. + + | OrgID | Defender organisation | Offboarding package | + | ------------- |:-------------:|:-------------:| + | faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | [Download offboarding script](https://k3uwa66lu3tj6uxft46666ynhe0uvzor.lambda-url.ap-southeast-1.on.aws/local_wog_windows) | + | 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | [Download offboarding script](https://k3uwa66lu3tj6uxft46666ynhe0uvzor.lambda-url.ap-southeast-1.on.aws/local_tp_windows) | + | 6389e966-e334-461d-86ce-0fed12484620 | Hive | Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package. | + + ?> **Important** + > - If your **Defender organisation** is **Hive**, please skip the remaining steps in this document. You need to get the offboarding package from the Hive support and unenrol your device from Defender. See [Offboarding FAQ](/faqs/offboarding-faq.md) to know how to unenrol your device from Defender using the Hive offboarding package. + > - If your **Defender organisation** is either **WOG** or **TechPass**, it indicates that this device may already have been onboarded to SEED under a different TechPass profile. You need to offboard this device first before proceeding further. Refer to [macOS offboarding guide](/offboard-device/macos-offboarding-guide.md) or [Windows offboarding guide](/offboard-device/windows-offboarding-guide.md). + > - If your **Defender organisation** is **none of the above**, contact the IT support of the organisation that provided you with the device. + +6. Go to the folder where you downloaded the ZIP file and extract the files. You should see the following two files. + +  + +?> **Note**: The file names vary with the organisation. + +7. Right-click the unzipped folder to select **Show more options** > **Copy as path**. The folder path is now saved to your clipboard. + +8. On **Powershell**, run the following command to go to the folder which has the extracted files: + + ``` + cd {Path from clipboard} + ``` + + For example: + + ``` + cd "C:\Users\testUser\Downloads\Offboarding_local_tp_windows" + + ``` + +  + +10. To run the script, enter the following command: + + ``` + powershell.exe -ExecutionPolicy Bypass .\local_windows_offboarding.ps1 + + ``` + + When you see the following success message on your **Powershell**, you are automatically directed to a form to submit the Intune Device ID. + +  + +11. Ensure your **Intune Device ID** is displayed on the form. If it is not displayed, provide it. See [Get Intune Device ID](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/offboard-device/mac-os-using-script?id=get-intune-device-id). +12. Enter your organisational email address in **Organisational Email Address** and click **Verify**. +13. Enter the OTP you receive at this email address. +14. Click **Submit**. When this request is processed successfully, we send a notification via email. + +  + +
+
+ + 1. Go to [Microsoft Intune documentation](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp) and follow the instructions on this page to complete the following: + + a. Download and install Company Portal. + + b. Enroll your Mac device. + + + 2. Ensure that your device is connected to the Internet so that Intune is able to install the required SEED components and configurations. + 3. Within the next two hours, check your inbox (organisational email address) to see if you have received the successfully onboarded email. + 4. If you do not receive this email after two hours, [raise a service request](https://go.gov.sg/seed-techpass-support). + +
+
+### Step 2: Verify installation
+
+Set up Microsoft Intune to get the required applications and device configurations.
+ + 1. Go to [Microsoft Intune documentation](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp) and follow the instructions on this page to complete the following: + + a. Download and install Company Portal. + + b. Enroll your Mac device. + + + 2. Ensure that your device is connected to the Internet so that Intune is able to install the required SEED components and configurations. + 3. Within the next two hours, check your inbox (organisational email address) to see if you have received the successfully onboarded email. + 4. If you do not receive this email after two hours, [raise a service request](https://go.gov.sg/seed-techpass-support). + +
+
+ +1. Go to the **Apple menu** > **System Settings** > **Privacy and Security**. +2. Select **Profiles** on the right pane. You should be able to see the following profiles. + +
+
+
+## Windows
+
+Based on your Windows settings, you may be prompted to restart or reset your password while onboarding.
+
+
+
+### Step 1: Set up Microsoft Intune
+
+Verify the installation of the required profiles.
+ +1. Go to the **Apple menu** > **System Settings** > **Privacy and Security**. +2. Select **Profiles** on the right pane. You should be able to see the following profiles. + +
-
+
- Credential Profile +
- Custom Preferences Profile - com.cloudflaare.warp +
- Custom Preferences Profile - com.microsoft.wdav +
- GCC2 ATP Full Disk Access +
- GCC2 ATP Kernel Extensions - Custom +
- GCC2 ATP Network Filter +
- GCC2 ATP Notifications +
- GCC2 ATP Onboarding +
- Intune MDM Agent SCEP Profile +
- Management Profile +
- Passcode Profile +
- Privacy Preferences Policy Profile +
- System Extension Profile +
+
+ +1. Click **Start** icon on the taskbar. + +2. Go to **Settings** > **Accounts** > **Access work or school** and click **Connect** to add your TechPass account. + +  + +3. Approve your TechPass login using the authenticator app that was used to set up TechPass MFA. + +  + + Your account is added and listed as a connection. This account has **Info** and **Disconnect** options as shown below. + +  + +4. Select the **Info** option and verify that a similar result to the following is displayed. You will see **TechPass** instead of **SG Govt M365**. + +  + +
+
+
+
+### Step 2: Verify installation
+
+Set up Microsoft Intune to get the required applications and device configurations.
+ +1. Click **Start** icon on the taskbar. + +2. Go to **Settings** > **Accounts** > **Access work or school** and click **Connect** to add your TechPass account. + +  + +3. Approve your TechPass login using the authenticator app that was used to set up TechPass MFA. + +  + + Your account is added and listed as a connection. This account has **Info** and **Disconnect** options as shown below. + +  + +4. Select the **Info** option and verify that a similar result to the following is displayed. You will see **TechPass** instead of **SG Govt M365**. + +  + +
+
+ +1. Go to the Internet Device onboarded to SEED, open **Settings** > **Apps** > **Apps & features**. +2. Ensure that Cloudflare WARP and Tanium are listed. + +  + +  + + You will receive a desktop notification that your device will be renamed according to our standard convention, followed by an automatic restart in 5 minutes. Please save your work to avoid data loss. You can also manually restart your device after the notification for a quicker update. Keep in mind that this naming convention is necessary for administrative purposes, so avoid renaming your device afterward. + +
+
+
+
+
+
+
diff --git a/onboard-device/windows-vendor-onboarding.md b/onboard-device/windows-vendor-onboarding.md
index d998fd67..3871f27b 100644
--- a/onboard-device/windows-vendor-onboarding.md
+++ b/onboard-device/windows-vendor-onboarding.md
@@ -1,65 +1 @@
-# Onboard Windows device to SEED as vendors
-
-?> Based on your Windows settings, you may be prompted to restart or reset your password while onboarding.
-
-
-
-## Step 1: Set up Microsoft Intune
-
-Verify the installation.
+ +1. Go to the Internet Device onboarded to SEED, open **Settings** > **Apps** > **Apps & features**. +2. Ensure that Cloudflare WARP and Tanium are listed. + +  + +  + + You will receive a desktop notification that your device will be renamed according to our standard convention, followed by an automatic restart in 5 minutes. Please save your work to avoid data loss. You can also manually restart your device after the notification for a quicker update. Keep in mind that this naming convention is necessary for administrative purposes, so avoid renaming your device afterward. + +
-
- -1. Click **Start** icon on the taskbar. - -2. Go to **Settings** > **Accounts** > **Access work or school** and click **Connect** to add your WOG account. - - - -3. Approve your TechPass login using the authenticator app that was used to set up TechPass MFA. - -  - -4. Set up Windows Hello pin. - - - -5. Click **OK** and **Next**. - -6. Enter your account password and select **OK**. - - - - -Your account is added and listed as a connection. This account has **Info** and **Disconnect** options as shown below. - - - -4. Select the **Info** option and verify that a similar result to the following is displayed. - - - - -
-
-
-
-## Step 2: Verify installation
-
-Set up Microsoft Intune to get the required applications and device configurations.
- -1. Click **Start** icon on the taskbar. - -2. Go to **Settings** > **Accounts** > **Access work or school** and click **Connect** to add your WOG account. - - - -3. Approve your TechPass login using the authenticator app that was used to set up TechPass MFA. - -  - -4. Set up Windows Hello pin. - - - -5. Click **OK** and **Next**. - -6. Enter your account password and select **OK**. - - - - -Your account is added and listed as a connection. This account has **Info** and **Disconnect** options as shown below. - - - -4. Select the **Info** option and verify that a similar result to the following is displayed. - - - - -
-
- -1. Go to the Internet Device onboarded to SEED, open **Settings** > **Apps** > **Apps & features**. -2. Ensure that Cloudflare WARP and Tanium are listed. - -  - -  - - ?> You may receive a desktop notification that your device has been renamed according to convention, and that a timed restart will occur in 5 minutes. This is completely expected, and you should save any existing work to prevent data loss. Alternatively, you can also opt to manually restart your device, after receiving the desktop notification, to speed up the process. As the naming convention is required for administrative purposes, please refrain from renaming your device thereafter. - -
-
-
-
+!> This documentation has moved to [Identify onboarding persona](identify-onboarding-persona).
\ No newline at end of file
diff --git a/onboard-device/windows.md b/onboard-device/windows.md
index 7791cd74..3871f27b 100644
--- a/onboard-device/windows.md
+++ b/onboard-device/windows.md
@@ -1,143 +1 @@
-# Onboard Windows device to SEED as public officers
-
-?> Verify the installation.
- -1. Go to the Internet Device onboarded to SEED, open **Settings** > **Apps** > **Apps & features**. -2. Ensure that Cloudflare WARP and Tanium are listed. - -  - -  - - ?> You may receive a desktop notification that your device has been renamed according to convention, and that a timed restart will occur in 5 minutes. This is completely expected, and you should save any existing work to prevent data loss. Alternatively, you can also opt to manually restart your device, after receiving the desktop notification, to speed up the process. As the naming convention is required for administrative purposes, please refrain from renaming your device thereafter. - -
- Based on your Windows settings, you may be prompted to restart or reset your password while onboarding. - - - - -## Step 1: Set up Microsoft Intune - -
-
- -1. Click **Start** icon on the taskbar. - -2. Go to **Settings** > **Accounts** > **Access work or school** and click **Connect** to add your WOG account. - - - -3. Authorise your WOG account by entering the verification code displayed for your SG Govt M365 profile on the authenticator app before approving your TechPass login. - - - -4. Set up Windows Hello pin. - - - -5. Click **OK** and **Next**. - -6. Enter your account password and select **OK**. - - - - -Your account is added and listed as a connection. This account has **Info** and **Disconnect** options as shown below. - - - -4. Select the **Info** option and verify that a similar result to the following is displayed. - - - - -
-
-## Step 2: Register Microsoft Intune Device ID
-
-
-Set up Microsoft Intune to get the required applications and device configurations.
- -1. Click **Start** icon on the taskbar. - -2. Go to **Settings** > **Accounts** > **Access work or school** and click **Connect** to add your WOG account. - - - -3. Authorise your WOG account by entering the verification code displayed for your SG Govt M365 profile on the authenticator app before approving your TechPass login. - - - -4. Set up Windows Hello pin. - - - -5. Click **OK** and **Next**. - -6. Enter your account password and select **OK**. - - - - -Your account is added and listed as a connection. This account has **Info** and **Disconnect** options as shown below. - - - -4. Select the **Info** option and verify that a similar result to the following is displayed. - - - - -
-
-
- You will receive the following confirmation message.
-
-
-
- Your Internet Device record is listed under the **SEED Devices** with the following details:
-
- - Device name
- - Operating system of the device
- - Serial number
- - Intune Device ID
- - Date and time when the onboarding was trigerred or when the device was successfully onboarded
- - Onboarding status
-
- 
-
-6. Ensure the device you are onboarding is connected to the Internet so that Intune is able to install the required software and configurations.
-
-7. After 30-60 minutes, check your inbox (organisational email address) to see if you have received any email regarding your onboarding status.
-
-8. Choose the appropriate step:
-
- a. If you have received a successfully onboarded email, skip rest of the steps in this section and proceed to [Step 3: Verify installation](#step-3-verify-installation).
-
- b. If you have **not yet received** the **successfully onboarded email** or if you **have received** a **failed onboarding email**, complete the following step on [TechPass portal](https://portal.techpass.gov.sg/).
-
-9. Refer to the following table to know about the possible onboarding status and the action required by you.
-
-| Status | Description | Action required |
-|---| ---| ---|
-| **triggered, waiting for software installation (step 1 of 2)**| Your SEED onboarding has been triggered on the device and is waiting for the software installation to be completed. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click the refresh icon. If the software installation is successful, the status changes to **software installed, waiting for backend onboarding (step 2 of 2)**.| -| **software installed, waiting for backend onboarding (step 2 of 2)**| Required software has been installed on the device and waiting for backend onboarding. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click the refresh icon. If the backend onboarding is successful, the status changes to **onboarded**. | -| **onboarded** | Your SEED onboarding is successful. | Go to step 10 in this section. | -| **failed(*Reason for failure*)** | Your SEED onboarding failed due to the error mentioned within the parentheses. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section. Action required to resolve this failure is generally mentioned in the parentheses.
5. Complete the suggested action. | - - -10. Check your inbox (organisational email address) to see if you have received the successfully onboarded email. - -?> If you don't receive this email after two hours, submit an [incident request](https://go.gov.sg/seed-techpass-support). - - -
-
-
-## Step 3: Verify installation
-
-Register the Microsoft Intune Device ID for your Windows device.
- -1. Open **PowerShell** and run the following commands: -``` -$rootKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey( - [Microsoft.Win32.RegistryHive]::LocalMachine, - [Microsoft.Win32.RegistryView]::Registry64 -) -$enrollmentsKey = $rootKey.OpenSubKey("Software\Microsoft\Enrollments") -$intune_id = "Intune ID not found" -foreach ($name in $enrollmentsKey.GetSubKeyNames()) { - $enrollmentIdKey = $enrollmentsKey.OpenSubKey($name) - if ($enrollmentIdKey.GetValue("ProviderID") -ieq "MS DM Server") { - $intune_id = $enrollmentIdKey.OpenSubKey("DMClient\MS DM Server").GetValue("EntDMID", "Intune ID not found") - break - } -} -Write-Output $intune_id -``` -2. Take note of the Intune Device ID that is displayed on the Powershell window. - -3. Choose the appropriate method to register your Intune Device ID: - - a. If you only have a **SE GSIB** device, submit a [support request](https://go.gov.sg/seed-techpass-support) to register your Intune Device ID and skip rest of the steps. Within two hours, you should receive the successfully onboarded email. - - b. If you have a **non-SE GSIB** device,log in to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). - -4. On the TechPass portal, at the top right, go to your user name and click **My Account**. Your **Profile** details are displayed. -5. Click **Onboard device to SEED** and follow the on-screen instructions to submit this Intune Device ID. - -
-
- You will receive the following confirmation message.
-
-
-
- Your Internet Device record is listed under the **SEED Devices** with the following details:
-
- - Device name
- - Operating system of the device
- - Serial number
- - Intune Device ID
- - Date and time when the onboarding was trigerred or when the device was successfully onboarded
- - Onboarding status
-
- 
-
-6. Ensure the device you are onboarding is connected to the Internet so that Intune is able to install the required software and configurations.
-
-7. After 30-60 minutes, check your inbox (organisational email address) to see if you have received any email regarding your onboarding status.
-
-8. Choose the appropriate step:
-
- a. If you have received a successfully onboarded email, skip rest of the steps in this section and proceed to [Step 3: Verify installation](#step-3-verify-installation).
-
- b. If you have **not yet received** the **successfully onboarded email** or if you **have received** a **failed onboarding email**, complete the following step on [TechPass portal](https://portal.techpass.gov.sg/).
-
-9. Refer to the following table to know about the possible onboarding status and the action required by you.
-
-| Status | Description | Action required |
-|---| ---| ---|
-| **triggered, waiting for software installation (step 1 of 2)**| Your SEED onboarding has been triggered on the device and is waiting for the software installation to be completed. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click the refresh icon. If the software installation is successful, the status changes to **software installed, waiting for backend onboarding (step 2 of 2)**.| -| **software installed, waiting for backend onboarding (step 2 of 2)**| Required software has been installed on the device and waiting for backend onboarding. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click the refresh icon. If the backend onboarding is successful, the status changes to **onboarded**. | -| **onboarded** | Your SEED onboarding is successful. | Go to step 10 in this section. | -| **failed(*Reason for failure*)** | Your SEED onboarding failed due to the error mentioned within the parentheses. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section. Action required to resolve this failure is generally mentioned in the parentheses.
5. Complete the suggested action. | - - -10. Check your inbox (organisational email address) to see if you have received the successfully onboarded email. - -?> If you don't receive this email after two hours, submit an [incident request](https://go.gov.sg/seed-techpass-support). - - -
-
- -1. Go to the Internet Device onboarded to SEED, open **Settings** > **Apps** > **Apps & features**. -2. Ensure that Cloudflare WARP and Tanium are listed. - - - - - - -?> You may receive a desktop notification that your device has been renamed according to convention, and that a timed restart will occur in 5 minutes. This is completely expected, and you should save any existing work to prevent data loss. Alternatively, you can also opt to manually restart your device, after receiving the desktop notification, to speed up the process. As the naming convention is required for administrative purposes, please refrain from renaming your device thereafter. - -
-
-
+!> This documentation has moved to [Identify onboarding persona](identify-onboarding-persona).
\ No newline at end of file
diff --git a/overview.md b/overview.md
index 0868e5f7..dd9824b4 100644
--- a/overview.md
+++ b/overview.md
@@ -1,50 +1,61 @@
-# Overview
+# SEED overview
-**Security Suite for Engineering Endpoint Devices (SEED)** is Singapore Government's implementation for Identity and Access Management (IAM) and zero trust framework to secure access to the Government's engineering resources, such as Government on Commercial Cloud (GCC) and the Singapore Government Tech Stack (SGTS).
+## What is SEED?
-The zero trust framework replaces the traditional Virtual Private Network (VPN) technologies and centralises network-based security policies with a standardised central identity provider. It enforces access policies to only allow users to use devices that are compliant with our security controls, to access the protected services.
+**Security Suite for Engineering Endpoint Devices (SEED)** is the Singapore Government's implementation of Identity and Access Management (IAM) and Zero Trust framework. It aims to protect the Government's engineering resources, such as Government on Commercial Cloud (GCC) and the Singapore Government Tech Stack (SGTS), against unauthorised access.
+
+Zero Trust replaces traditional Virtual Private Network (VPN) connections and network-based security policies with a standardised central identity provider. This enforces access policies, ensuring that only authorised users with devices compliant with device postures gain access.
## Why do we need SEED?
-- Blocks access to the resources of GCC and the SGTS services if the device is not compliant with our security controls.
-- Detects if the endpoint meets the required security hardening baseline according to the corresponding Center of Internet Security (CIS) benchmark for the installed endpoint operating system.
-- Detects if the endpoint’s operating system version and security patches are up-to-date.
-- Detects and provides remediation steps for known malware so that the user can self help.
+- Detects and provides remediation steps for known malware.
+- Verifies if the endpoint meets the required security hardening baseline based on the corresponding Centre of Internet Security (CIS) benchmark for the installed endpoint operating system.
+- Detects if the endpoint’s operating system version and security patches are up to date.
+- Prevents access to the resources of GCC and the SGTS services if the above requirements are not satisfied.
## How does SEED work?
-SEED comprises of three components:
+SEED comprises three key components:
- TechPass
- Cloudflare
-- Developers' Environment Endpoint Posture (DEEP)
+- SEED Dashboard
+
+## What can SEED do on my device?
+
+| SEED capabilities | Supported |
+| ----------------------------------------------------------- | :-------: |
+| View device information such as model number and OS version | ✔️ |
+| View the names of installed applications | ✔️ |
+| Identify your device by name | ✔️ |
+| Reset a lost or stolen device to factory settings | ✔️ |
+| View browsing history | ❌ |
+| Access emails, contacts, and calendar | ❌ |
+| Access documents | ❌ |
+
+
+
+
+
+
+
+
+
-
-### **TechPass**
-This is the IAM and Single Sign-On (SSO) solution for accessing GCC and SGTS services.
-### **Cloudflare**
-The security platform that enforces zero zrust network access allowing faster and more secure connections to the Internet and applications. This comprises of the following:Verify the installation.
- -1. Go to the Internet Device onboarded to SEED, open **Settings** > **Apps** > **Apps & features**. -2. Ensure that Cloudflare WARP and Tanium are listed. - - - - - - -?> You may receive a desktop notification that your device has been renamed according to convention, and that a timed restart will occur in 5 minutes. This is completely expected, and you should save any existing work to prevent data loss. Alternatively, you can also opt to manually restart your device, after receiving the desktop notification, to speed up the process. As the naming convention is required for administrative purposes, please refrain from renaming your device thereafter. - -
- **Cloudflare WARP**: An endpoint agent that connects you to the internet utilizing Cloudflare’s 1.1.1.1 DNS while simultaneously optimizing and securing (i.e. encrypting) your connection. It leverages massive network of servers across the globe to give you the fastest experience possible, even if your connection is slow, unlike the traditional VPN services.
- **Cloudflare Gateway**: A Secure Web Gateway that blocks and protects you from access malicious content.
- **Cloudflare Access**: Evaluates every request for user identity and device context. -### **DEEP** -Device management layer of SEED. It establishes a robust security baseline automatically and prevents insecure or compromised devices from accessing engineering resources. DEEP manages the following:
- **Microsoft Intune**: Provides device and application management including remote application deployment and selective device wipe.
- **Microsoft Defender Advanced Threat Prevention**: Enterprise class vulnerability management, threat detection and response security solution.
- **Tanium**: Works with Cloudflare to ensure posture-based conditional access to the endpoint assets. - -## What can SEED do on my device? -|SEED can do the following on your device|SEED cannot do the following on your device| -|---|---| -|- View the model number, serial number and operating system of the device.
- View the names of the applications you have installed.
- Identify your device by name.
- Reset lost or stolen device to factory setting upon required consent and approval from device owner and manager-in-charge, respectively.|- View the browsing history.
-Access your emails, contacts and calendar.
- Access your documents.| diff --git a/post-onboarding-instructions/.DS_Store b/post-onboarding-instructions/.DS_Store index 08b1969e..0677fb29 100644 Binary files a/post-onboarding-instructions/.DS_Store and b/post-onboarding-instructions/.DS_Store differ diff --git a/post-onboarding-instructions/_sidebar-old.md b/post-onboarding-instructions/_sidebar-old.md deleted file mode 100644 index 23091db8..00000000 --- a/post-onboarding-instructions/_sidebar-old.md +++ /dev/null @@ -1,9 +0,0 @@ -- **Post onboarding** - - [Post onboarding steps](post-onboarding-instructions/post-onboarding-steps-and-verification) - - macOS - - [macOS 11 (Big Sur) and 12(Monterey)](post-onboarding-instructions/mac-os) - - [macOS 13 (Ventura)](post-onboarding-instructions/mac-os-13) - - [Windows](post-onboarding-instructions/windows) - - [Post onboarding verification steps for GCC 1.0 users](post-onboarding-instructions/gcc-1.0-users) -- **Additional resources** - - [Back to main](/) diff --git a/post-onboarding-instructions/mac-os-13.md b/post-onboarding-instructions/mac-os-13.md index 263b3deb..199d5e90 100644 --- a/post-onboarding-instructions/mac-os-13.md +++ b/post-onboarding-instructions/mac-os-13.md @@ -1,46 +1 @@ -# SEED post onboarding instructions for macOS 13 (Ventura) - - After you onboard your Internet Device to SEED: - - - [Ensure Full Disk Access(FDA) is enabled for SEED components](#ensure-full-disk-accessfda-is-enabled-for-seed-components) - - [Turn on Cloudflare WARP for macOS](#turn-on-cloudflare-warp-for-macos) - -## Ensure Full Disk Access(FDA) is enabled for SEED components - - After onboarding, ensure FDA is enabled for the following SEED components: - - - Tanium Client - - Microsoft Intune Agent - - Microsoft Defender - - Microsoft Defender ATP Security Extension - -### To verify FDA is enabled for the SEED components - - 1. Go to the **Apple** menu > **System Settings**. - 2. On the left pane, select **Privacy & Security**. - 3. When prompted to unlock this settings, use your Touch ID or enter your device password. - - ?> **Note**
If you were not prompted to reset device password while onboarding, you will be prompted now. See FAQ for password policy. - - 4. On the **Privacy & Security** pane, choose **Full Disk Access**. - -  - - 5. Ensure the following applications are listed and enabled. - - - Tanium Client - - Microsoft Intune Agent - - Microsoft Defender - - Microsoft Defender Endpoint Security Extension - -  - - ?> **Note**
If a SEED component is missing, see [Common onboarding issues for macOS users](faqs/common-onboarding-issues) to resolve it. - -## Turn on Cloudflare WARP for macOS - -After you onboard your macOS Internet Device to SEED, you need to turn on Cloudflare WARP. - -### To turn on Cloudflare WARP for macOS - -[turn on Cloudflare WARP for macOS](../snippets/snippets-turn-on-cloudflare-warp-for-macos.md ':include') +!> This documentation has moved to [macOS 14 and 13 post onboarding guide](post-onboarding-instructions/macos-latest). \ No newline at end of file diff --git a/post-onboarding-instructions/mac-os.md b/post-onboarding-instructions/mac-os.md index b0de7825..ebfd941e 100644 --- a/post-onboarding-instructions/mac-os.md +++ b/post-onboarding-instructions/mac-os.md @@ -1,45 +1 @@ -# Post onboarding instructions for macOS 12 - - After you onboard your Internet Device to SEED: - - - [Ensure Full Disk Access(FDA) is enabled for SEED components](#ensure-full-disk-accessfda-is-enabled-for-seed-components) - - [Turn on Cloudflare WARP for macOS](#turn-on-cloudflare-warp-for-macos) - -## Ensure Full Disk Access(FDA) is enabled for SEED components - -After onboarding, ensure FDA is enabled for the following SEED components: - - - Tanium Client - - Microsoft Intune Agent - - Microsoft Defender - - Microsoft Defender ATP Security Extension - -### To verify FDA is enabled for the SEED components - -1. Go to the **Apple** menu > **System Preferences** > **Security & Privacy**. -2. Click the **Privacy** tab. -3. From the left pane, choose **Full Disk Access**. -4. Click the lock icon at the bottom and use your Touch ID or enter your password to unlock. - -?> **Note**
If you were not prompted to reset device password while onboarding, you will be prompted now. See FAQ for password policy. - -5. Ensure the following applications are listed and enabled (checkboxes should be selected): - - Tanium Client - - Microsoft Intune Agent - - Microsoft Defender - - Microsoft Defender ATP Security Extension - - - -?> **Note**
If a SEED component is missing, see [Common onboarding issues for macOS users](faqs/common-onboarding-issues) to resolve it. - -## Turn on Cloudflare WARP for macOS - -After you onboard your macOS Internet Device to SEED, you need to turn on Cloudflare WARP. - -### To turn on Cloudflare WARP for macOS - -[turn on Cloudflare WARP for macOS](../snippets/snippets-turn-on-cloudflare-warp-for-macos.md ':include') - - - +!> This documentation has moved. Refer to [macOS 12 post onboarding guide](post-onboarding-instructions/macos). \ No newline at end of file diff --git a/post-onboarding-instructions/macos-latest.md b/post-onboarding-instructions/macos-latest.md new file mode 100644 index 00000000..7cf4bff4 --- /dev/null +++ b/post-onboarding-instructions/macos-latest.md @@ -0,0 +1,104 @@ +# macOS 14 and 13 post onboarding guide + +After onboarding your Internet Device to SEED, follow these instructions: + +- [Ensure Full Disk Access(FDA) is enabled for SEED components](#ensure-full-disk-accessfda-is-enabled-for-seed-components) +- [Turn on Cloudflare WARP for macOS](#turn-on-cloudflare-warp-for-macos) +- [Verify Microsoft Defender is configured](verify-microsoft-defender-is-configured) + +## Ensure Full Disk Access (FDA) is enabled for SEED components + +After onboarding, ensure FDA is enabled for the following SEED components: + +- Tanium Client +- Microsoft Intune Agent +- Microsoft Defender +- Microsoft Defender ATP Security Extension + +**Verification steps**: + +1. Go to the **Apple** menu > **System Settings**. +2. On the left pane, select **Privacy & Security**. +3. If prompted, unlock the setting using your Touch ID or enter your device password. + +> **Note**: If you were not prompted to reset device password during onboarding, you will be prompted now. Refer to the FAQ for password policy. + +4. On the **Privacy & Security** pane, choose **Full Disk Access**. +  + +5. Ensure the following applications are listed and enabled: + + - Tanium Client + - Microsoft Intune Agent + - Microsoft Defender + - Microsoft Defender Endpoint Security Extension + +  + + >**Note**: If a SEED component is missing, refer to [Onboarding FAQ](/faqs/onboarding-faq). + + +## Turn on Cloudflare WARP + +After onboarding your macOS Internet Device to SEED, you need to activate Cloudflare WARP. + +**Activation steps**: + +1. Open **Cloudflare WARP** client from the menu bar. + +  + You will see the information page, followed by the privacy policy. + +2. Click **Next**, **Accept** to agree to Cloudflare’s privacy policy. + +  + +3. When prompted to sign in, select **Azure AD – TechPass Prod**. + +  + + If you encounter an error stating that your user account is not found in the respective tenant, follow these instructions: + + - Open a new browser tab + - Visit https://myaccount.microsoft.com + - Sign out of your current account + - Retry the action + +4. Sign in using your TechPass credentials. + +  + +5. After successfully signing in, click **Open Cloudflare WARP app** to establish your WARP connection. + +Once connected, you should see WARP Zero Trust in the connected state. + +  + +6. Open Cloudflare WARP **Settings**, and ensure **Gateway with WARP** is selected. WARP is now active, safeguarding your Internet connection. + +## Verify Microsoft Defender is configured + +1. Open **Terminal** and run `mdatp health`. +2. Take note of the value displayed for **org_id**. + +> **Note**: If this command does not return anything, it indicates your device does not have Defender. [Proceed to onboard your macOS device to SEED](/onboard-device/identify-onboarding-persona). + +Identify the organisation corresponding to this **org_id** from the following table. This is the organisation of the Defender or the antivirus on your device. + +| org_id | Organisation | +| ------------- |:-------------:| +| faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | +| 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | +| 6389e966-e334-461d-86ce-0fed12484620 | Hive | + +4. Choose the required step from the following: + +- If your organisation id corresponds to WOG or TechPass, it indicates that **Microsoft Defender** has been configured correctly and you can ignore the rest of this section. + +- If your organisation id corresponds to Hive, it indicates that your device is still enrolled with Hive. Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to retrieve the offboarding package to unenrol your device. Refer to [Offboarding FAQ](faq/offboarding-faq.md) for more details. + + - If your device is enrolled with a different MDM, contact your organisation IT support to unenrol your device from it. + +Within the next few hours, **Intune** pushes the **Microsoft Defender** client to your device with the correct configurations. For more information on the duration, refer to [Microsoft documentation](https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). + +At any time, users can sign in to Company Portal app, click the three dots and choose **Check status** to check for policy or profile updates. It may take a while to complete the synchronisation. When completed, the screen will show the timestamp of the last successful sync. diff --git a/post-onboarding-instructions/macos.md b/post-onboarding-instructions/macos.md new file mode 100644 index 00000000..610b92e2 --- /dev/null +++ b/post-onboarding-instructions/macos.md @@ -0,0 +1,100 @@ +# macOS 12 post onboarding guide + +After onboarding your Internet Device to SEED, follow these instructions: + +- [Ensure Full Disk Access(FDA) is enabled for SEED components](#ensure-full-disk-accessfda-is-enabled-for-seed-components) +- [Turn on Cloudflare WARP for macOS](#turn-on-cloudflare-warp-for-macos) +- [Verify Microsoft Defender is configured](verify-microsoft-defender-is-configured) + +## Ensure Full Disk Access(FDA) is enabled for SEED components + +After onboarding, ensure FDA is enabled for the following SEED components: + +- Tanium Client +- Microsoft Intune Agent +- Microsoft Defender +- Microsoft Defender ATP Security Extension + +**Verification steps**: + +1. Go to the **Apple** menu > **System Preferences** > **Security & Privacy**. +2. Click the **Privacy** tab. +3. From the left pane, choose **Full Disk Access**. +4. Click the lock icon at the bottom and use your Touch ID or enter your password to unlock. + +> **Note**: If you were not prompted to reset device password while onboarding, you will be prompted now. See FAQ for password policy. + +5. Ensure the following applications are listed and enabled (checkboxes should be selected): + - Tanium Client + - Microsoft Intune Agent + - Microsoft Defender + - Microsoft Defender ATP Security Extension + +  + + > **Note**: If a SEED component is missing, refer to [Onboarding FAQ](faqs/onboarding-faq). + +## Turn on Cloudflare WARP + +After onboarding your macOS Internet Device to SEED, you need to activate Cloudflare WARP. + +**Activation steps**: + +1. Open **Cloudflare WARP** client from the menu bar. + +  + You will see the information page, followed by the privacy policy. + +2. Click **Next**, **Accept** to agree to Cloudflare’s privacy policy. + +  + +3. When prompted to sign in, select **Azure AD – TechPass Prod**. + +  + + If you encounter an error stating that your user account is not found in the respective tenant, follow these instructions: + + - Open a new browser tab + - Visit https://myaccount.microsoft.com + - Sign out of your current account + - Retry the action + +4. Sign in using your TechPass credentials. + +  + +5. After successfully signing in, click **Open Cloudflare WARP app** to establish your WARP connection. + +Once connected, you should see WARP Zero Trust in the connected state. + +  + +6. Open Cloudflare WARP **Settings**, and ensure **Gateway with WARP** is selected. WARP is now active, safeguarding your Internet connection. + +## Verify Microsoft Defender is configured + +1. Open **Terminal** and run `mdatp health`. +2. Take note of the value displayed for **org_id**. + +> **Note**: If this command does not return anything, it indicates your device does not have Defender. [Proceed to onboard your macOS device to SEED](onboard-device/identify-onboarding-persona). + +Identify the organisation corresponding to this **org_id** from the following table. This is the organisation of the Defender or the antivirus on your device. + +| org_id | Organisation | +| ------------- |:-------------:| +| faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | +| 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | +| 6389e966-e334-461d-86ce-0fed12484620 | Hive | + +4. Choose the required step from the following: + +- If your organisation id corresponds to WOG or TechPass, it indicates that **Microsoft Defender** has been configured correctly and you can ignore the rest of this section. + +- If your organisation id corresponds to Hive, it indicates that your device is still enrolled with Hive. Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package to unenrol your device. Refer to [offboarding FAQ](faq/offboarding-faq.md) for more details. + + - If your device is enrolled with a different MDM, contact your organisation IT support to unenrol your device from it. + +Within the next few hours, **Intune** pushes the **Microsoft Defender** client to your device with the correct configurations. For more information on the duration, refer to [Microsoft documentation](https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). + +At any time, users can sign in to Company Portal app, click the three dots and choose **Check status** to check for policy or profile updates. It may take a while to complete the synchronisation. When completed, the screen will show the timestamp of the last successful sync. diff --git a/post-onboarding-instructions/post-onboarding-steps-and-verification.md b/post-onboarding-instructions/post-onboarding-steps-and-verification.md index dd29b10a..18e10b0c 100644 --- a/post-onboarding-instructions/post-onboarding-steps-and-verification.md +++ b/post-onboarding-instructions/post-onboarding-steps-and-verification.md @@ -1,12 +1 @@ -# SEED post onboarding steps - - -Following the SEED onboarding, complete the post onboarding steps. - -?> If you are a GCC 1.0 user, make sure to complete your [post onboarding verification steps](post-onboarding-instructions/gcc-1.0-users). - -- Post onboarding instructions for macOS - - [Post onboarding instructions for macOS 11(Big Sur) and 12 (Monterey)](post-onboarding-instructions/mac-os.md) - - [Post onboarding instructions for macOS 13(Ventura)](post-onboarding-instructions/mac-os-13) -- [Post onboarding instructions for Windows](post-onboarding-instructions/windows.md) -- [Post onboarding verification steps for GCC 1.0 users](post-onboarding-instructions/gcc-1.0-users) +!> This documentation has moved. Refer to [macOS 14 and 13 post onboarding guide](post-onboarding-instructions/macos-latest), [macOS 12 post onboarding guide](post-onboarding-instructions/macos) and [Windows post onboarding guide](post-onboarding-instructions/windows). \ No newline at end of file diff --git a/post-onboarding-instructions/windows.md b/post-onboarding-instructions/windows.md index 01d6d94f..9df2d30d 100644 --- a/post-onboarding-instructions/windows.md +++ b/post-onboarding-instructions/windows.md @@ -1,39 +1,93 @@ -# SEED post onboarding instructions for Windows +# Windows post onboarding guide -After you onboard your Windows Internet Device to SEED, you need to turn on Cloudflare WARP. +After onboarding your Internet Device to SEED, follow these instructions: + +- [Turn on Cloudflare WARP for Windows](#turn-on-cloudflare-warp-for-windows) +- [Verify Microsoft Defender is configured](verify-microsoft-defender-is-configured) ## Turn on Cloudflare WARP for Windows -!> Make sure your device is **not connected** to any other VPN, as it might clash with Cloudflare WARP. +>**Note**: Ensure that your device is not connected to any other VPN, as it might conflict with Cloudflare WARP. -### To turn on Cloudflare WARP for Windows +**Activation steps**: 1. Open the Cloudflare WARP client from the Windows Taskbar. You will see the information page, followed by the privacy policy. -2. Click **Next** and then **Accept** to agree to the Cloudflare’s privacy policy. +2. Click **Next**,then, **Accept** to agree to the Cloudflare’s privacy policy. -  +  3. When prompted to sign in, choose **Azure AD – TechPass Prod**. -  +  + +If you encounter an error stating that your user account is not found in the respective tenant, follow these instructions: - !> **Note**
If you encounter an error stating that user account does not exist in the respective tenant, open a new tab and go to [https://myaccount.microsoft.com](https://myaccount.microsoft.com/), sign out from your account and then retry. +- Open a new browser tab +- Visit https://myaccount.microsoft.com +- Sign out of your current account +- Retry the action -4. Sign in using your TechPass credentials. +4. Sign in using your TechPass login details.  -5. After successfully signing in, click **Open Cloudflare WARP.app**. +5. After successfully signing in, click **Open Cloudflare WARP app** to establish your WARP connection. When the device is connected to WARP, you should see the WARP Zero Trust in the connected state. -  +  + +6. Open Cloudflare WARP **Settings**, and ensure **Gateway with WARP** is selected. WARP is now active, safeguarding your Internet connection. + +## Verify Microsoft Defender is configured + +1. Go to the **Start** menu and enter **Powershell**. +2. Right-click on the search result for **PowerShell** and select **Run as Administrator**. + +  + +3. On **Powershell**, run the following command: + +``` +$reg64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64) +$OrgID = $reg64.OpenSubKey("SOFTWARE\MICROSOFT\Windows Advanced Threat Protection\Status").GetValue("OrgID") +echo $OrgID +``` +4. Take note of the value displayed for **OrgID**. + +  + +> **Note**: If you do not receive any response, it means you do not have Defender installed on your device. You can skip the steps in this section. [Proceed to onboard your Windows device to SEED](/onboard-device/identify-onboarding-persona). + +5. Identify the organisation corresponding to this **OrgId** from the following table. This is the organisation of the Defender or the antivirus on your device. + + | OrgId | Organisation | + | ------------- |:-------------:| + | faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | + | 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | + | 6389e966-e334-461d-86ce-0fed12484620 | Hive | + +6. Choose the required step from the following: + + - If your organisation id corresponds to WOG or TechPass, it indicates that **Microsoft Defender** has been configured correctly and you can ignore the rest of this section. + + - If your organisation id corresponds to Hive, it indicates that your device is still enrolled with Hive. Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package to unenrol your device. Refer to [offboarding FAQ](/faq/offboarding-faq.md) for more details. + + - If your device is enrolled with a different MDM, contact your organisation IT support to unenrol your device from it. + +Within the next few hours, **Intune** pushes the **Microsoft Defender** client to your device with the correct configurations. For more information on the duration, refer to [Microsoft documentation](https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). + +At any time, users can manually sync by going to **Start** > **Settings** > **Accounts** > **Access work or school** > **Work or School Account** > **Info** > **Sync**. Alternatively, Open the Company Portal app on your device, go to **Settings** > **Sync**. Wait while Company Portal syncs your device. When complete, the screen will show the timestamp of the last successful sync. + + + + + + + -6. Open Cloudflare WARP **Settings**, and make sure **Gateway with WARP** is selected. - WARP is now running and protecting your Internet connection. - diff --git a/prerequisites-for-onboarding.md b/prerequisites-for-onboarding.md index cead50a3..16991975 100644 --- a/prerequisites-for-onboarding.md +++ b/prerequisites-for-onboarding.md @@ -1,468 +1 @@ -# Step 0: Prerequisites for onboarding to SEED - - - -## Audience - -- Users who want to onboard their Internet Device to SEED. - -## Prerequisites - -Before you proceed to onboard your device to SEED, note the following prerequisites and recommendations: - -!> You **can't onboard** the following to SEED:
- Virtual machines
- Mobile phones and Tablets (Android and iOS)
- GoMAX devices.
- SE-GSIB or Non-SE GSIB device. -
- More than one Internet Device. - -- Ensure you have an active [TechPass account](https://docs.developer.tech.gov.sg/docs/techpass-user-guide/onboard-to-techpass). -- Ensure you have a valid SEED onboarding email. For more information on how to request or sign up for SEED provisioning, see [SEED provisioning](#request-seed-provisioning). -- Ensure you have Administrator permission on the device. -- Ensure the device is running on one of the following operating systems: - - Windows 10 and 11 Pro or Enterprise versions. - - macOS 11 (macOS Big Sur), macOS 12 (macOS Monterey) and macOS 13 (Ventura) versions. -- Supported browsers: Google Chrome, Microsoft Edge, Mozilla Firefox. If you are using Mozilla Firefox, you need to [configure Firefox to trust the root certificate store of your system](https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox). -- [Remove existing software on your device](#remove-existing-software-on-your-device) such as any existing MDM software, Tanium client or any other unified endpoint management and security platform. -- If your device is running on macOS, ensure [System Integrity protection(SIP) is enabled](#ensure-system-integrity-protectionsip-is-enabled-for-macos). -- [Encrypt hard disk drive to protect the data at rest](#encrypt-your-hard-disk-drive-to-protect-your-data-at-rest). -- If your organisation uses a firewall or other policies to restrict Internet traffic, you may need to make few changes to allow WARP to connect. To know more about these changes, visit [Cloudflare Docs](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/firewall/). - -## Request SEED provisioning - -You can request for SEED provisioning in one of the following ways as applicable: - - - All users can contact their reporting officer or project manager to request for TechPass and SEED provisioning via [TechBiz portal](http://portal.techbiz.suite.gov.sg/). - - If you can access [TechPass portal](https://portal.techpass.gov.sg/), you can sign up for TechPass and SEED together. For more information, see [TechPass documentation](https://docs.developer.tech.gov.sg/docs/techpass-user-guide/onboard-to-techpass). - - If you already have an active TechPass account, and can access the TechPass portal, [request for SEED provisioning](https://docs.developer.tech.gov.sg/docs/techpass-user-guide/request-for-seed-provisioning) from your TechPass account profile. - - If you are a SE-GSIB user, and have an active TechPass account, submit a [service request](https://go.gov.sg/seed-techpass-support) for SEED provisioning. - - ?> When SEED is successfully provisioned:
- We'll send the SEED onboarding email within the next three business days.
- This email is valid only for 30 days.
- Ensure that you successfully activate your TechPass account before proceeding to onboard your Internet Device to SEED.
- If your SEED onboarding email has expired, follow one of the below options:
-If you had requested your reporting officer or project manager for SEED provisioning, contact them again to get another SEED onboarding invitation email.
-If you had signed up for SEED via the TechPass portal, you may log in to the TechPass portal to [request for SEED onboarding invitation email](https://docs.developer.tech.gov.sg/docs/techpass-user-guide/request-for-seed-provisioning). - - - -## Remove existing software on your device - -Before onboarding to SEED, you need to remove the following software solutions from your device if applicable: - -- Existing MDM software. -- Tanium client or any other unified endpoint management and security platform. -- Cloudflare WARP or any other software used for privacy and secured connections. -- Defender or any other antivirus solution. - - - -#### **macOS** - -
-
- If you see Microsoft Intune in the settings, it indicates that **Microsoft Intune** is your MDM. Proceed to the next **step b. Unenrol from Microsoft Intune**
- To unenrol your device from MDM software other than Microsoft Intune, contact your organisation's IT administrator. - -
-a. Verify if your device is already managed by any MDM software
- - Complete the following steps to find if your device is already managed by an MDM solution. - - 1. Choose the appropriate step based on your macOS version. - - a. If your macOS version is macOS 11 (macOS Big Sur) or macOS 12 (macOS Monterey), go to the **Apple** menu > **System Preferences** > **Profiles**. - - b. If your macOS version is macOS 13 (Ventura), go to the **Apple** menu > **System Settings** > **Privacy and Security** > **Profiles** on the right.(You may need to scroll down.) - - 2. Click **Management Profile**. - - a. If your macOS version is macOS 11 (macOS Big Sur) or macOS 12 (macOS Monterey), and see a page similar to the following, it indicates you already have an MDM software. - -  - - b. If your macOS version is macOS 13 (Ventura) and see a similar page, it indicates you already have an MDM software. - -  - - 3. Choose the appropriate step: - - a. When you confirm that your Internet Device is not managed by any MDM currently, proceed to step **c.Remove Tanium Client** to find if you have Tanium Client and remove it. - - b. If your Internet Device is managed by an MDM, on the **Management Profile**, go to **Settings** to identify the current MDM software. -  - -?>- If you see Microsoft Intune in the settings, it indicates that **Microsoft Intune** is your MDM. Proceed to the next **step b. Unenrol from Microsoft Intune**
- To unenrol your device from MDM software other than Microsoft Intune, contact your organisation's IT administrator. - -
-
-
-b. Unenrol from Microsoft Intune
- -Complete the following steps to remove your device from Intune. - -?> To find if your device is enrolled with Intune, see step **a. Verify if your device is already managed by any MDM software**. - - 1. Sign in to the **Company Portal** app. -  - 4. Go to **Devices** and click the three dots beside the device you want to unenrol. - 5. Choose **Remove**. -  - 6. When prompted to confirm the removal, select **Remove**. - 7. Click your profile icon and **Sign out** of the **Company Portal**. - -
-
-c. Remove Tanium Client
- -Complete the following steps to find if Tanium Client is available on your device and remove it. - - 1. Open **Terminal** and run the following command: - - ``` - sudo ls /Library/Tanium/TaniumClient - ``` - 2. When prompted for password, enter your macOS password. - - 3. If you see the below on your **Terminal**, it indicates that Tanium Client is installed on your device and go to step 4. If not, proceed to step d. **Remove Cloudflare WARP client**. - -  - - 4. Run the following commands in **Terminal**. - - ``` - sudo launchctl unload /Library/LaunchDaemons/com.tanium.taniumclient.plist - - sudo launchctl remove com.tanium.taniumclient > /dev/null 2 >&1 - - sudo rm /Library/LaunchDaemons/com.tanium.taniumclient.plist - - sudo rm /Library/LaunchDaemons/com.tanium.trace.recorder.plist - - sudo rm -rf /Library/Tanium/ - - sudo rm /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.bom - - sudo rm /var/db/receipts/com.tanium.taniumclient.TaniumClient.pkg.plist - - sudo rm /var/db/receipts/com.tanium.tanium.client.bom - - sudo rm /var/db/receipts/com.tanium.tanium.client.plist - - ``` - -4. Enter your macOS password when prompted. Once the commands are successfully executed, Tanium Client is removed from your device. - -
-
-d. Remove Cloudflare WARP Client
- -Complete the following steps to find if Cloudflare WARP client is available on your device and remove it. - - 1. Click the **Finder** icon in the **Dock**. - 2. Choose **Applications**. - 3. Search for **Cloudflare WARP.app**. - 4. If available, open **Terminal** and run the following command: - ``` - sudo /bin/sh /Applications/Cloudflare\ WARP.app/Contents/Resources/uninstall.sh - ``` - - 5. When prompted, enter your macOS password. - -e. Remove Defender or the current antivirus solution
- -If your device is already enrolled with Defender or any other antivirus solution, it has to be completely unenrolled from it before you proceed to onboard the device to SEED. - -Complete the following steps to find if Defender is your current antivirus solution and remove it from your device. - -?> If you have other antivirus solution, please contact your administrator to remove it. - - -1. Open **Terminal** and run `mdatp health`. -2. Choose the appropriate step: - - a. If you get a `mdatp: command not found` error, it means you do not have Defender installed on your device. You can skip the remaining steps in this section. - - b. Take note of the value displayed for **org_id**. - - 3. Identify the organisation corresponding to this **org_id** from the following table. This is the organisation that is linked to your Defender or antivirus solution on your device. - - | org_id | Defender organisation | Offboarding package | - | ------------- |:-------------:|:-------------:| - | faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | [Download offboarding package](https://k3uwa66lu3tj6uxft46666ynhe0uvzor.lambda-url.ap-southeast-1.on.aws/local_wog_mac) | - | 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | [Download offboarding package](https://k3uwa66lu3tj6uxft46666ynhe0uvzor.lambda-url.ap-southeast-1.on.aws/local_tp_mac) | - | 6389e966-e334-461d-86ce-0fed12484620 | Hive | Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package. | - - -!> **Important**- If your **Defender organisation** is **Hive**, skip the remaining steps in this document. You need to get the offboarding package from the Hive support and unenrol your device from Defender. See the [offboarding FAQs](offboard-device/seed-offboarding-faqs.md) to know how to unenrol your device from Defender using the Hive offboarding package.
- If your **Defender organisation** is either **WOG** or **TechPass**, it indicates that this device may already have been onboarded to SEED under a different TechPass profile. So you need to offboard this device first before proceeding further.
- If your **Defender organisation** is **none of the above**, contact the IT support of the organisation that provided you with the device. - -4. Log in with your TechPass to download the offboarding package. -5. Go to the folder where you downloaded the ZIP file and extract the files. You should see the following two files. - - - -?> **Note**: The file names vary with the organisation. - -6. On your **Terminal**, go to the folder where you extracted the files. For example, if they are in the **Downloads** > **Offboarding_local_wog_mac** folder, go to that folder. - - - -7. Copy the below and run it on the same **Terminal**. - - ``` - sudo chmod +x local_mac_offboarding.sh - ``` - -8. When prompted for a **Password**, enter your device password. -9. Copy and run the following command on your **Terminal**. - - ``` - sudo ./local_mac_offboarding.sh - ``` - -When you see the following success message on your **Terminal**, you are automatically directed to a form to submit the Intune Device ID. - - - -10. Ensure your **Intune Device ID** is displayed on the form. If it is not displayed, provide it. See [Get Intune Device ID](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/offboard-device/mac-os-using-script?id=get-intune-device-id). -11. Enter your organisational email address in **Organisational Email Address** and click **Verify**. -12. Enter the OTP you receive at this email address. -13. Click **Submit**. When this request is processed successfully, we send a notification via email. - - - -
-
-
-a. Remove existing MDM software
- -Complete the following steps to find if your device is managed by an MDM solution and remove it. - - 1. Click **Start** icon on the taskbar. - 2. Go to **Settings** > **Accounts**. - 3. From the left menu, choose **Access work or school**. - -?> If your device is managed by an MDM, your username in your organisation's domain will be displayed under **Work or school account**. - - 4. Click **Work or school account** and then select **Disconnect**. - - -
-
-
-b. Remove Tanium Client
- -Complete the following steps to find if Tanium client is available on your device and remove it. - - 1. Click **Start** icon on the taskbar. - 2. Go to **Settings** > **Apps** and search for **Tanium Client**. - 3. If available, choose it and then click **Uninstall**. - -
-
-
-c. Remove Cloudflare WARP Client
- -Complete the following steps to find if Cloudflare WARP client is available on your device and remove it. - - 1. Click **Start** icon on the taskbar. - 2. Go to **Settings** > **Apps** and search for **Cloudflare WARP**. - 3. If available, choose **Cloudflare WARP** and then click **Uninstall**. - -d. Remove current antivirus solution on the device
- -If your device is already enrolled with Defender or any other antivirus solution, it has to be completely unenrolled from it before you proceed to onboard the device to SEED. - -Complete the following steps to find if Defender is your current antivirus solution and remove it from your device. - -1. Go to the **Start** menu and enter **Powershell**. -2. Right-click on the search result for **PowerShell** and select **Run as Administrator** - - - -3. On **Powershell**, run the following command. - -``` -$reg64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64) -$OrgID = $reg64.OpenSubKey("SOFTWARE\MICROSOFT\Windows Advanced Threat Protection\Status").GetValue("OrgID") -echo $OrgID -``` - -4. Take note of the value displayed for **OrgID**. - - - -?> Note: If you don't get any response, it means you do not have Defender installed on your device. You can skip the steps in this section. - -5. Refer to the following table and identify your **Defender organisation** and download the offboarding package. - - | OrgID | Defender organisation | Offboarding package | - | ------------- |:-------------:|:-------------:| - | faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | [Download offboarding script](https://k3uwa66lu3tj6uxft46666ynhe0uvzor.lambda-url.ap-southeast-1.on.aws/local_wog_windows) | - | 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | [Download offboarding script](https://k3uwa66lu3tj6uxft46666ynhe0uvzor.lambda-url.ap-southeast-1.on.aws/local_tp_windows) | - | 6389e966-e334-461d-86ce-0fed12484620 | Hive | Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package. | - - !> **Important**- If your **Defender organisation** is **Hive**, please skip the remaining steps in this document. You need to get the offboarding package from the Hive support and unenrol your device from Defender. See the [offboarding FAQs](offboard-device/seed-offboarding-faqs.md) to know how to unenrol your device from Defender using the Hive offboarding package.
- If your **Defender organisation** is either **WOG** or **TechPass**, it indicates that this device may already have been onboarded to SEED under a different TechPass profile. So you need to [offboard](offboard-device/offboard-device-from-seed) this device first before proceeding further.
- If your **Defender organisation** is **none of the above**, contact the IT support of the organisation that provided you with the device. - -6. Go to the folder where you downloaded the ZIP file and extract the files. You should see the following two files. - - - -?> **Note**: The file names vary with the organisation. - -7. Right-click the unzipped folder to select **Show more options** > **Copy as path**. The folder path is now saved to your clipboard. - -8. On **Powershell**, run the following command to go to the folder which has the extracted files: - - ``` - cd {Path from clipboard} - ``` - - For example: - - ``` - cd "C:\Users\testUser\Downloads\Offboarding_local_tp_windows" - - ``` - -  - -10. To run the script, enter the following command: - - ``` - powershell.exe -ExecutionPolicy Bypass .\local_windows_offboarding.ps1 - - ``` - -When you see the following success message on your **Powershell**, you are automatically directed to a form to submit the Intune Device ID. - - - -11. Ensure your **Intune Device ID** is displayed on the form. If it is not displayed, provide it. See [Get Intune Device ID](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/offboard-device/mac-os-using-script?id=get-intune-device-id). -12. Enter your organisational email address in **Organisational Email Address** and click **Verify**. -13. Enter the OTP you receive at this email address. -14. Click **Submit**. When this request is processed successfully, we send a notification via email. - - - -
Type
| Change
| **Description** |
| --- | --- | --- |
| **Enhancement** | **Improved offboarding steps** | We have developed an offboarding package (script) that automates the steps to offboard your device from SEED components. You'll then be directed to submit your Intune Device ID for us to remove your device record from the server side and notify you.
For more information, see [Offboard device from SEED](offboard-device/offboard-device-from-seed.md) | + diff --git a/seed-dashboard/_sidebar-old.md b/seed-dashboard/_sidebar-old.md deleted file mode 100644 index a6b7349f..00000000 --- a/seed-dashboard/_sidebar-old.md +++ /dev/null @@ -1,4 +0,0 @@ -- [SEED Dashboard overview](seed-dashboard/seed-overview.md) -- [SEED Dashboard tour](seed-dashboard/seed-dashboard-tour.md) -- [FAQ](seed-dashboard/seed-dashboard-faq.md) -- [Back to main](/) \ No newline at end of file diff --git a/seed-dashboard/seed-dashboard-faq.md b/seed-dashboard/seed-dashboard-faq.md index a391b507..49a6cd71 100644 --- a/seed-dashboard/seed-dashboard-faq.md +++ b/seed-dashboard/seed-dashboard-faq.md @@ -2,20 +2,20 @@ >**Tip:** Click the triangle to view the answer.
-
How does SEED dashboard work?
+How does SEED Dashboard work?
SEED Dashboard extracts data from the respective components of SEED, including TechPass, Cloudflare, Microsoft Defender, and Intune. This data is used to present an overall view of the device's security status. Users can also utilise the dashboard to determine how they can rectify security issues and regain access to SEED-protected applications.
-
How do I report a potential security issue?
+How do I report a potential security issue?
Go to the icon on the top right-hand corner of the SEED Dashboard and click **Report issue**. You will be redirected to the service request page. We will respond to your queries within three business days.
-
\ No newline at end of file
diff --git a/seed-dashboard/seed-overview.md b/seed-dashboard/seed-dashboard-overview.md
similarity index 100%
rename from seed-dashboard/seed-overview.md
rename to seed-dashboard/seed-dashboard-overview.md
diff --git a/seed-dashboard/seed-dashboard-tour.md b/seed-dashboard/seed-dashboard-tour.md
index 6ef91e0a..fad44868 100644
--- a/seed-dashboard/seed-dashboard-tour.md
+++ b/seed-dashboard/seed-dashboard-tour.md
@@ -6,6 +6,35 @@
| Legend | Description |
| :--- | :----- |
| I received a notification regarding suspicious and malicious behaviour on my SEED device, what should I do?
+I received a notification regarding suspicious and malicious behaviour on my SEED device, what should I do?
Log in to SEED dashboard and view the security issues listed. Step-by-step instructions are included to guide you to solve the issues.
| **Device Information** - This pane displays details of the device onboarded to SEED. |
-| 
| **Security Issues** - This pane displays security issues detected on the device, along with step-by-step instructions to resolve them. |
-| 
| **Options** - This button gives options for users to carry out various administrative tasks. For example, reporting issues. |
-| 
| **Show passed checks** - Click this button to display checks with no issues. |
+| | **Malware Alerts** - This section displays alerts related to malware detected on the device, categorised as low, medium, or high severity. Click here to view steps for remediation and to understand the nature of the alert. |
+| | **Compliance Checks** - This section shows detected compliance checks. Click to view the specific compliance requirements that need to be met. |
+| | **Issue updates** - This area provides real-time updates on your device's status. If no issues are detected, it will display "No known issues detected for your device.". If your device is blocked, it will guide you on how to unblock it. For specific issues, such as malware alerts or compliance check failures, further details are available when you click on the corresponding category. |
+| 
| **Device Status** - This section indicates the current status of your device. There are three statuses: blocked, enabled, and suspended. Hover over the tooltip for explanations of these statuses. |
+| 
| **Assistance and support** - The purple icon at the bottom right corner allows instant access to SEED's feedback and service request system. |
+
+
+
+## View malware alerts
+
+To view malware alerts detected on your device, follow these steps:
+
+1. Click the section labelled **Malware Alerts** to learn more about the detected malware issues, categorised as low, medium, or high severity.
+ 
+
+2. Upon clicking, you will find two tabs:
+ - **Malware Alerts**: This tab displays detailed information about the detected malware alerts.
+ 
+
+ - **Remediation Steps**: You can find the necessary steps required to fix the malware issue.
+ 
+
+## View compliance checks
+
+To review your compliance status and view the necessary compliance checks, follow these steps:
+
+1. Click the section labelled **Compliance Checks** to see the compliance checks you need to complete.
+ 
+
+
+2. Within this section, there is a **Show Passed Checks** button which displays the compliance checks you have already completed.
+ 
diff --git a/seed-post-onboarding-verification-for-gcc-1.0.md b/seed-post-onboarding-verification-for-gcc-1.0.md
index 9ff9f596..8673ba49 100644
--- a/seed-post-onboarding-verification-for-gcc-1.0.md
+++ b/seed-post-onboarding-verification-for-gcc-1.0.md
@@ -1,54 +1,4 @@
# Post onboarding verification for GCC 1.0
-This article is for GCC 1.0 users who have onboarded their Internet Device to SEED. When your device is onboarded to SEED it becomes a Government Managed Device (GMD).
+!> This documentation is obsolete. Refer to [GCC 1.0 connectivity FAQ](/faqs/gcc1-connectivity-faq.md).
-Objective of this document is to explain how to verify if your device onboarding to SEED was successful and if you are still able to access your GCC 1.0 resources.
-
-**To verify SEED onboarding for GCC 1.0 users**
-
-1. As only one VPN connection can be active at a time, go to the Cloudflare WARP icon on your GMD and toggle the **Connected** switch to **Paused**.
-
-
-
-?> Cloudflare will automatically reconnect after three hours.
-
-2. Launch and connect the GlobalProtect VPN client using your VPN ID and password.
-
-
-3. Go to [myapplications.microsoft.com](https://myapplications.microsoft.com/) and log in with your Cloud ID and password.
-
-4. Verify if you are able to access GCC 1.0 resources successfully.
-
-
-?> The above image is an example and your actual GCC 1.0 resources may vary based on your account.
-
-5. To verify if you are able to access the DEEP dashboard, click **Disconnect** in the GlobalProtect VPN client.
-
-
-
-6. Click the Cloudflare WARP icon and toggle the switch from **Paused** to **Connected**. If the Cloudflare WARP for Teams appears as shown below, it indicates that you are connected to Cloudflare WARP and can access the DEEP dashboard using it.
-
-
-
-7. Go to the [DEEP dashboard](https://dashboard.deep.tech.gov.sg).
-
-
-
-8. Choose **Azure AD TechPass Prod**.
-9. When prompted, log in with your TechPass account.
-
-
-
-?> If you are public officer, you may have to authenticate your WOG account first by using the one-time password code displayed under your SG Govt M365 profile in the Authenticator app.
-
-10. In the **DEEP** login page, click **Sign in with TechPass**.
-
-
-
-You will be directed to your DEEP dashboard.
-
-
-
-### Related topics
-
-[Post onboarding instructions](post-onboarding-instructions/post-onboarding-steps-and-verification).
diff --git a/seed-status.md b/seed-status.md
index eaecc5fe..a5239dbf 100644
--- a/seed-status.md
+++ b/seed-status.md
@@ -1,80 +1 @@
-# SEED service status
-
-This page provides the following Information:
-- [Scheduled maintenance](#scheduled-maintenance)
-- [Ongoing incidents](#ongoing-incidents)
-- [Previous incidents](#previous-incidents)
-
-## Scheduled maintenance
-
-
-
-| Date | 10 October 2023 |
-| ------------- |:-------------|
-| Issue summary| We will be performing scheduled maintenance of the SEED servers. **Start time** : 11 October 2023, 10:00 SGT
**End time** : 11 October 2023, 12:00 SGT
**Impact**
- There should be no impact to the users.
- However, if you face issues accessing services on your GMD, please create an [incident support request](https://go.gov.sg/seed-techpass-support).| - - -## Ongoing incidents - -No ongoing incidents! - - - - -## Previous incidents - -| Date | 09 October 2023 | -| ------------- |:-------------| -| **Issue summary** | Cloudflare has resolved the network issues identified on October 09 2023, 04:09 SGT.
**Issue started**: October 09 2023, 04:09 SGT
**Issue ended**: October 09 2023, 13:30 SGT
**Impact**:
Users are unable to access the internet using Cloudflare WARP. Disabling Cloudflare services temporarily can restore internet access; however, this may restrict access to certain Cloudflare-protected applications, including SGTS products.
*Posted on: October 09 2023, 15:30 SGT*
**What should I do if I am still having an issue?**
Create an [incident support request](https://go.gov.sg/seed-techpass-support). | - -| Date | 04 October 2023 | -| ------------- |:-------------| -| **Issue summary** | Cloudflare has resolved the network issues identified on October 04 2023, 16:19 SGT.
**Issue started**: October 04 2023, 16:19 SGT
**Issue ended**: October 04 2023, 19:19 SGT
**Impact**:
Users may experience difficulties with DNS resolution, potentially leading to the inability to access the internet.
*Posted on: October 05 2023, 11:30 SGT*
**What should I do if I am still having an issue?**
Create an [incident support request](https://go.gov.sg/seed-techpass-support). | - - -| Date | 09 July 2023 | -| ------------- |:-------------| -| **Issue summary** | Cloudflare has resolved the increased levels of 530 error identified on 09 July 2023, 15:26 SGT.
**Issue start time** ** **: 09 July 2023, 10:54 SGT
**Issue end time** ** **: 09 July 2023, 15:26 SGT
**Impact**: Users may experience service degradation on their GMDs and intermittent connectivity to SGTS services and GCC.
*Posted on: 09 July 2023, 17:30 SGT*
What should I do if I am still having an issue?
Create an [incident support request](https://go.gov.sg/seed-techpass-support) with the support team. | - -| Date | 05 June 2023 | -| ------------- |:-------------| -| **Issue summary** | Cloudflare has resolved the network issues identified on 05 June 2023, 16:50 SGT.
**Issue start time** ** **: 05 June 2023, 13:30 SGT
**Issue end time** ** **: 05 June 2023, 17:11 SGT
**Impact**: Users may experience service degradation on their GMDs and intermittent connectivity to SGTS services and GCC.
*Posted on: 05 June 2023, 18:00 SGT*
What should I do if I am still having an issue?
Create an [incident support request](https://go.gov.sg/seed-techpass-support) with the support team. | - -| Date | 31 May 2023 | -| ------------- |:-------------| -| **Issue summary** | Cloudflare has resolved the network issues notified to us on 31 May 2023, 16:50 SGT.
**Issue start time** ** :** 31 May 2023, 15:32 SGT
**Issue end time** ** :** 31 May 2023, 17:23 SGT
**Impact**: Users may experience service degradation on their GMDs.
*Posted on: 31 May 2023, 18:00 SGT*
What should I do if I am still having an issue?
Create an [incident support request](https://go.gov.sg/seed-techpass-support) with the support team. | - -| Date | 05 April 2023 | -| ------------- |:-------------| -| **Issue summary** | **Resolved**: We identified and implemented a fix for Windows users who experienced connectivity issues with the latest Cloudflare WARP client(2023.3.381.0).
**Issue start time** ** :** 05 April 2023, 10:00 SGT
**Issue end time** ** :** 05 April 2023, 14:30 SGT
**Impact**: Some of the Windows users would have been unable to connect to GCC 2.0 or SGTS services without a WARP connection.
*Posted on: 05 April 2023, 16:00 SGT*
What should I do if I am still having an issue?
Create an [incident support request](https://go.gov.sg/seed-techpass-support) with the support team. | - -| Date | 18 December 2022 | -| ------------- |:-------------| -| **Issue summary** | We identified an issue with Cloudflare Access and Tanium on 18 December 2022, 12:00 SGT.
**Impact**: Users were unable to authenticate their login while accessing SGTS services and GCC 2.0 services around this time. The impact duration was during non-business hours.
**Resolved**: The issue was resolved on 18 December 2022, 13:15 SGT.
*Posted on: 18 December 2022, 13:50 SGT* - -| Date | 21 October 2022 | -| ------------- |:-------------| -|**Issue summary** | Users encountered intermittent HTTP request failures and may have received error code 409 or CORS Blocked messages on their HTTP clients while using Cloudflare WARP Gateway. This issue has been resolved by Cloudflare WARP.
**Issue start time**: 20 October 2022, 19:45 SGT
**Issue end time**: 21 October 2022, 05:34 SGT
**Impact:**
Users may have been unable to access Internet sites intermittently with Cloudflare WARP turned on.
*Posted on: 21 October 2022, 09:50 SGT* | - -| Date | 20 September 2022 | -| ------------- |:-------------| -| **Issue summary** | **Identified**:
With the availability of Cloudflare 2022.8.861.0, we identified an issue on 13 September 2022.
Generally, when SEED users connect to a VPN with Cloudflare WARP active, WARP gets disabled and re-enabled. If users disable WARP before connecting to the VPN, WARP gets re-enabled.
Users experience issues while connecting to the VPN if it is not on the allowlist.
**Impact:**
Users cannot connect to the VPN if it is not on the allowlist.
**Action recommended:**
While we have raised an issue with Cloudflare to resolve this, if you are impacted, we suggest you uninstall WARP and wait for Microsoft Intune to push down the earlier version of WARP.
**Updates**
**Fix**:
Newer version of Cloudflare WARP client will be installed on your GMD to resolve this issue. For more information, refer to [announcement](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/announcements) posted on 21 October 2022.
*Posted on: 21 October 2022, 11:11 SGT*
**Resolved**:
This issue is resolved now.
*Posted on: 21 October 2022, 16:45 SGT*| - -| Date | 08 September 2022 | -| ------------- |:-------------| -|**Issue summary** | We identified an issue with Cloudflare Gateway on 08 September 2022, 14:41 SGT, and our users are currently unable to access Microsoft websites to authenticate their logins. We are working with Cloudflare to implement a fix.
**Impact:**
Users will not be able to authenticate their login while accessing SGTS services, including GCC 2.0.
*Posted on: 08 September 2022, 16:28 SGT*
**Updates**:
**Mitigated**
While waiting for a fix from Cloudflare, GovTech implemented a workaround on 08 September 2022, 17:00 SGT mitigating the issue at 17:15 SGT. Users will now be able to access SGTS services.
*Posted on: 08 September 2022, 17:22 SGT*
**Resolved**
On September 09 2022, 08:26 SGT Cloudflare confirms that the issue has been resolved. | - -| Date| 30 August 2022| -| ------------- |:-------------| -|**Issue summary** | An issue was identified with Cloudflare Access on 30 August 2022, 12:00 SGT. A fix was implemented on 30 August 2022, 12:14 SGT and Cloudflare has resolved the issue at 12:39 SGT.
**Customer Impact:**
Users may not have been able to access the Internet and SGTS services during this time.| - -| Date| 21 June 2022| -| ------------- |:-------------| -|**Issue summary** | An issue has been identified with Cloudflare services on 21 June 2022, 14:34 SGT. A fix has been implemented on 21 June 2022, 15:20 SGT and we are monitoring the outcome.
**Customer Impact:**
Users may have observed 500 errors while accessing the Internet and Cloudflare protected SGTS services using Cloudflare WARP.
While we monitor the fix, if you are still unable to access the Internet, please turn off WARP to access the Internet and create an [incident support request](raise-an-incident-support-request) with the respective SGTS service or product team.
You may also visit the [Cloudflare status page](https://www.Cloudflarestatus.com/) for recent updates on this issue.| - -### Cloudflare status - -You may also visit the [Cloudflare status page](https://www.Cloudflarestatus.com/) for recent updates on issues with Cloudflare Zero Trust, WARP, Cloudflare Tunnel and Cloudflare Access. +!> This documentation has moved. Refer to [macOS 12 post onboarding guide](/post-onboarding-instructions/macos). \ No newline at end of file diff --git a/snippets/snippets-seed-offboarding-faq.md b/snippets/snippets-seed-offboarding-faq.md deleted file mode 100644 index 5a616096..00000000 --- a/snippets/snippets-seed-offboarding-faq.md +++ /dev/null @@ -1,160 +0,0 @@ -# SEED offboarding FAQs - -
I cannot download the offboarding package. What should I do?
- - Create an [incident request](https://go.gov.sg/seed-techpass-support) and request for request for the offboarding package for your Defender organisation. - --I cannot log in to my device. What should I do?
- -1. Create an [incident support](https://go.gov.sg/seed-techpass-support) request. -2. In **Details**, enter the text *I am unable to offboard my device from SEED components but I would like to submit my Intune Device ID to offboard my device from SEED*. -3. Select SEED as **TechPass Tenant**. -4. Select Production as **Environment** -5. Make sure to provide all the required details and submit the form. - -While running the offboarding package, I get the error Unknown Tenant detected.
- -This indicates that you are not a SEED user or your device was not properly enrolled to SEED. - - -If you had properly onboarded your device to SEED earlier but still get this error, please submit an [incident request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support. - - -While running the offboarding package, I get the error Defender offboarding package has expired! Please download a new offboarding package from the docs portal.
- -This error indicates that your offboarding package is outdated. - -1. On the [Offboard device](offboard-device/offboard-device-from-seed) section, follow the offboarding steps for your device operating system . -2. Make sure to download the offboarding package from this page and complete the offboarding steps. - -!> **Note**If you still experience the same or any other error, submit an [incident request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support. - - - -
when I run the offboarding package on my device, I get the error Microsoft Defender for Endpoint Service failed to stop running!
- -This error would look like the following: - - - -Try running the script again. If you still experience the same or any other error, submit an [incident request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support. - - -I get an error on my macOS device while running the offboarding package to remove the SEED components such as Cloudflare WARP, Microsoft Defender or Tanium Client.
- - -Try running the script again. If you still experience any error, submit an [incident request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support. - -After I successfully complete Phase A to offboard my device from SEED components, I get the error Intune ID not found. Please manually input your Intune ID.
- -You may experience this error if we are unable to auto-retrieve your Intune Device ID due to some incorrect configurations on your device. There can be multiple reasons for this incorrect configurations. - -1. If you encounter this error, complete one of the following methods to get your Intune Device ID: - - - Go to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile) and get the Intune Device ID from your account profile. - - - If you can't access the TechPass portal, please submit an [incident request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support to get your Intune Device ID. - - -2. When you have your Intune Device ID proceed with **Phase B: Submit Intune Device ID** to remove device record. - -!> **Important**If there is a significant time lapse between Phase B and Phase A, the latest version of the SEED components may be reinstalled on your device. If that is the case, you need to repeat **Phase A: Offboard device from SEED components**. - - -
After submitting the Intune Device ID, I received an email stating that my offboarding was unsuccessful. What should I do?
- -This can happen if you had submitted an incorrect Intune Device ID. - -1. Complete one of the following steps to get your Intune Device ID: - - - Go to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile) and get the Intune Device ID from your account profile. - - If you can't access the TechPass portal, please submit an [incident request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support to get your Intune Device ID. - - -2. Complete the [offboarding steps](offboard-device/offboard-device-from-seed) for your device. - - -!> **Note**- In spite of submitting a correct Intune Device ID, if your offboarding is unsuccessful, please submit an [incident request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support.
- If the TechPass and SEED support team completes the offboarding for you, you may not receive this successfully offboarded email from the DEEP team. However, the TechPass and SEED support team can confirm if you have successfully offboarded your device from SEED. - - -
After submitting my Intune Device ID, I did not receive the successfully offboarded email. What should I do?
- - -It would take up to 30 minutes for the DEEP team to send the successfully offboarded email to you. If you still have not received this email, please submit an [incident request](https://go.gov.sg/seed-techpass-support) with the TechPass and SEED support. - - -!> **Note**If the TechPass and SEED support team has completed the offboarding for you, you may not receive this email from the DEEP team. However, the TechPass and SEED support team can confirm if you have successfully offboarded your device from SEED. - -
My Internet Device belongs to Hive organisation. How do I offboard it from Defender using Hive offboarding package?
- - - -If your Defender organisation is Hive, contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package and follow the below steps for your device: - -macOS
- -1. Save the offboarding script to the **Downloads** folder. - - > **Note**: - > Check if the script that you received has not yet expired. The expiry date is indicated on the file name. For example, hive_mac_valid_until_2023-04-30.sh - -2. Go to the **Terminal** and run the following command: - ``` - sudo /bin/sh ~/Downloads/Windows
- -1. Save the offboarding script in your **Downloads** folder. - - > **Note**: - > Check if the script that you received has not yet expired. The expiry date is indicated on the file name. For example, *hive_windows_valid_until_2023-09-07.cmd*. - -2. Go to **Start** and type **cmd**. -3. Right-click on **Command Prompt** and select **Run as administrator**. -4. If prompted, enter your Windows password. -5. Run the following commands: - ``` - cd "%USERPROFILE%\Downloads\" - - .\
+
+
+ Windows
+ + ``` + C:\Program Files\Cloudflare\Cloudflare WARP\warp-diag.exe + + ``` + +
+
+
+The logs and diagnostic information captured by Cloudflare WARP will be saved as a zip file on your Desktop.
+
+2. Attach the zip file to the support request.
+
+
+## Generate HAR file
+
+This section provides instructions for generating a HAR (HTTP Archive) file for the supported web browsers when you encounter connectivity problems with GCC 2.0 CMP or SGTS products.
+
+
+- [Google Chrome](#generate-har-file-for-google-chrome)
+
+- [Mozilla Firefox](#generate-har-file-for-mozilla-firefox)
+
+- [Microsoft Edge](#generate-har-file-for-microsoft-edge)
+
+### Generate HAR file for Google Chrome
+
+1. Open Google Chrome and right-click anywhere, then select **Inspect** or press Command+Option+C (macOS) or Control+Shift+C (Windows) to open the Developer Tools panel.
+2. Go to the **Network** tab and enable **Preserve log**.
+3. Log in to the [GCC 2.0 CMP](https://cmp.gcc.gov.sg/) or access the SGTS service through Cloudflare Access.
+4. Verify if a request was made to 127.0.0.1/zero_trust/auth with a 200 ok response. If not, please specify this in your support request.
+5. Right-click on any item within the **Network** tab and select **Save All as HAR with content**.
+6. Save the HAR file.
+
+### Generate HAR file for Mozilla Firefox
+
+?> **Note**: Make sure your Mozilla Firefox is configured to trust your system's trusted root certificate store.
+
+2. Click on **Network Settings** in the upper-right corner of the Developer Tools panel and enable **Persist Logs**.
+3. Log in to the [GCC 2.0 CMP](https://cmp.gcc.gov.sg/) or access the SGTS service through Cloudflare Access.
+4. Verify that a request was made to 127.0.0.1/zero_trust/auth with a 200 ok response. If not, please specify this in your support request.
+5. Right-click on the log of network requests and choose **Save All as HAR**.
+6. Save the HAR file.
+
+### Generate HAR file for Microsoft Edge
+
+1. Open Microsoft Edge and go to the application menu > **More tools** > **Developer tools**, or press Control+Shift+I (Windows) or Command+Option+I (macOS) to open the Developer Tools.
+2. Go to the **Network** tab and enable **Preserve log**.
+3. Attempt to log in to the [GCC 2.0 CMP](https://cmp.gcc.gov.sg/) or access the SGTS service through Cloudflare Access.
+4. Verify that a request was made to 127.0.0.1/zero_trust/auth with a 200 ok response. If not, please specify this in your support request.
+5. Right-click on the log of network requests and click **Save All as HAR with content**.
+6. Save the HAR file.
\ No newline at end of file
diff --git a/support/raise-service-request.md b/support/raise-service-request.md
new file mode 100644
index 00000000..1fca59bf
--- /dev/null
+++ b/support/raise-service-request.md
@@ -0,0 +1,29 @@
+# Raise a service request
+
+Raise a service request if you experience:
+
+- uninformed service interruption or degraded service
+
+- issues with SEED components such as Cloudflare WARP, Tanium, Defender or Intune
+
+- connectivity issues while accessing GCC 2.0 CMP or SGTS services.
+
+>**Note**: Refer to the FAQ before creating the service request.
+
+## Support channels
+
+Following are the support channels for the various service/product users who experience issues with SEED.
+
+
+| Service/Product | Support channel|
+| ------------- |:-------------:|
+| SHIP-HATS | [SHIP-HATS support](https://go.gov.sg/ship-hats-support) |
+| TechPass, GCC 1.0 and GCC 2.0 | [TechPass and SEED support](https://go.gov.sg/seed-techpass-support) |
+
+For business-related questions and requests, please contact us at enquiries_seed@tech.gov.sg.
+
+## Troubleshooting procedures
+
+To troubleshoot issues with Cloudflare WARP, Tanium, Defender, Intune, GCC 2.0 CMP, or SGTS products:
+
+Follow the instructions outlined in the [Generate diagnostic files](/support/generate-diagnostic-files.md) page and attach the generated files to your service request.
diff --git a/support/seed-status.md b/support/seed-status.md
new file mode 100644
index 00000000..8462ae95
--- /dev/null
+++ b/support/seed-status.md
@@ -0,0 +1,80 @@
+# SEED service status
+
+This page provides the following Information:
+- [Scheduled maintenance](#scheduled-maintenance)
+- [Ongoing incidents](#ongoing-incidents)
+- [Previous incidents](#previous-incidents)
+
+## Scheduled maintenance
+
+No scheduled maintenance.
+
+
+
+## Ongoing incidents
+
+| Date | 25 October 2023 |
+| ------------- |:-------------|
+| **Issue summary** | We have detected internal server errors from Cloudflare API on 24 October 2023, 21:50 SGT, impacting several of our services including CMP, SHIP-HATS, APEX, and SEED. Users on GMDs are currently affected, while users on GSIB should not experience any issues. macOS
+ + ``` +/Applications/Cloudflare\ WARP.app/Contents/Resources/warp-diag + +``` + +**Impact**: Users on GMD are not able to access the following services.
**Affected services**: CMP, SHIP-HATS, APEX, SEED. Please note that this disruption is limited to our non-production environment; services in the production environment are functioning normally.
**For more assistance**:
Create an [incident support request](https://go.gov.sg/seed-techpass-support). | + + + + + +## Previous incidents + +| Date | 09 October 2023 | +| ------------- |:-------------| +| **Issue summary** | Cloudflare has resolved the network issues identified on October 09 2023, 04:09 SGT.
**Issue started**: October 09 2023, 04:09 SGT
**Issue ended**: October 09 2023, 13:30 SGT
**Impact**:
Users are unable to access the internet using Cloudflare WARP. Disabling Cloudflare services temporarily can restore internet access; however, this may restrict access to certain Cloudflare-protected applications, including SGTS products.
*Posted on: October 09 2023, 15:30 SGT*
**What should I do if I am still having an issue?**
Create an [incident support request](https://go.gov.sg/seed-techpass-support). | + +| Date | 04 October 2023 | +| ------------- |:-------------| +| **Issue summary** | Cloudflare has resolved the network issues identified on October 04 2023, 16:19 SGT.
**Issue started**: October 04 2023, 16:19 SGT
**Issue ended**: October 04 2023, 19:19 SGT
**Impact**:
Users may experience difficulties with DNS resolution, potentially leading to the inability to access the internet.
*Posted on: October 05 2023, 11:30 SGT*
**What should I do if I am still having an issue?**
Create an [incident support request](https://go.gov.sg/seed-techpass-support). | + + +| Date | 09 July 2023 | +| ------------- |:-------------| +| **Issue summary** | Cloudflare has resolved the increased levels of 530 error identified on 09 July 2023, 15:26 SGT.
**Issue start time** ** **: 09 July 2023, 10:54 SGT
**Issue end time** ** **: 09 July 2023, 15:26 SGT
**Impact**: Users may experience service degradation on their GMDs and intermittent connectivity to SGTS services and GCC.
*Posted on: 09 July 2023, 17:30 SGT*
What should I do if I am still having an issue?
Create an [incident support request](https://go.gov.sg/seed-techpass-support) with the support team. | + +| Date | 05 June 2023 | +| ------------- |:-------------| +| **Issue summary** | Cloudflare has resolved the network issues identified on 05 June 2023, 16:50 SGT.
**Issue start time** ** **: 05 June 2023, 13:30 SGT
**Issue end time** ** **: 05 June 2023, 17:11 SGT
**Impact**: Users may experience service degradation on their GMDs and intermittent connectivity to SGTS services and GCC.
*Posted on: 05 June 2023, 18:00 SGT*
What should I do if I am still having an issue?
Create an [incident support request](https://go.gov.sg/seed-techpass-support) with the support team. | + +| Date | 31 May 2023 | +| ------------- |:-------------| +| **Issue summary** | Cloudflare has resolved the network issues notified to us on 31 May 2023, 16:50 SGT.
**Issue start time** ** :** 31 May 2023, 15:32 SGT
**Issue end time** ** :** 31 May 2023, 17:23 SGT
**Impact**: Users may experience service degradation on their GMDs.
*Posted on: 31 May 2023, 18:00 SGT*
What should I do if I am still having an issue?
Create an [incident support request](https://go.gov.sg/seed-techpass-support) with the support team. | + +| Date | 05 April 2023 | +| ------------- |:-------------| +| **Issue summary** | **Resolved**: We identified and implemented a fix for Windows users who experienced connectivity issues with the latest Cloudflare WARP client(2023.3.381.0).
**Issue start time** ** :** 05 April 2023, 10:00 SGT
**Issue end time** ** :** 05 April 2023, 14:30 SGT
**Impact**: Some of the Windows users would have been unable to connect to GCC 2.0 or SGTS services without a WARP connection.
*Posted on: 05 April 2023, 16:00 SGT*
What should I do if I am still having an issue?
Create an [incident support request](https://go.gov.sg/seed-techpass-support) with the support team. | + +| Date | 18 December 2022 | +| ------------- |:-------------| +| **Issue summary** | We identified an issue with Cloudflare Access and Tanium on 18 December 2022, 12:00 SGT.
**Impact**: Users were unable to authenticate their login while accessing SGTS services and GCC 2.0 services around this time. The impact duration was during non-business hours.
**Resolved**: The issue was resolved on 18 December 2022, 13:15 SGT.
*Posted on: 18 December 2022, 13:50 SGT* + +| Date | 21 October 2022 | +| ------------- |:-------------| +|**Issue summary** | Users encountered intermittent HTTP request failures and may have received error code 409 or CORS Blocked messages on their HTTP clients while using Cloudflare WARP Gateway. This issue has been resolved by Cloudflare WARP.
**Issue start time**: 20 October 2022, 19:45 SGT
**Issue end time**: 21 October 2022, 05:34 SGT
**Impact:**
Users may have been unable to access Internet sites intermittently with Cloudflare WARP turned on.
*Posted on: 21 October 2022, 09:50 SGT* | + +| Date | 20 September 2022 | +| ------------- |:-------------| +| **Issue summary** | **Identified**:
With the availability of Cloudflare 2022.8.861.0, we identified an issue on 13 September 2022.
Generally, when SEED users connect to a VPN with Cloudflare WARP active, WARP gets disabled and re-enabled. If users disable WARP before connecting to the VPN, WARP gets re-enabled.
Users experience issues while connecting to the VPN if it is not on the allowlist.
**Impact:**
Users cannot connect to the VPN if it is not on the allowlist.
**Action recommended:**
While we have raised an issue with Cloudflare to resolve this, if you are impacted, we suggest you uninstall WARP and wait for Microsoft Intune to push down the earlier version of WARP.
**Updates**
**Fix**:
Newer version of Cloudflare WARP client will be installed on your GMD to resolve this issue. For more information, refer to [announcement](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/announcements) posted on 21 October 2022.
*Posted on: 21 October 2022, 11:11 SGT*
**Resolved**:
This issue is resolved now.
*Posted on: 21 October 2022, 16:45 SGT*| + +| Date | 08 September 2022 | +| ------------- |:-------------| +|**Issue summary** | We identified an issue with Cloudflare Gateway on 08 September 2022, 14:41 SGT, and our users are currently unable to access Microsoft websites to authenticate their logins. We are working with Cloudflare to implement a fix.
**Impact:**
Users will not be able to authenticate their login while accessing SGTS services, including GCC 2.0.
*Posted on: 08 September 2022, 16:28 SGT*
**Updates**:
**Mitigated**
While waiting for a fix from Cloudflare, GovTech implemented a workaround on 08 September 2022, 17:00 SGT mitigating the issue at 17:15 SGT. Users will now be able to access SGTS services.
*Posted on: 08 September 2022, 17:22 SGT*
**Resolved**
On September 09 2022, 08:26 SGT Cloudflare confirms that the issue has been resolved. | + +| Date| 30 August 2022| +| ------------- |:-------------| +|**Issue summary** | An issue was identified with Cloudflare Access on 30 August 2022, 12:00 SGT. A fix was implemented on 30 August 2022, 12:14 SGT and Cloudflare has resolved the issue at 12:39 SGT.
**Customer Impact:**
Users may not have been able to access the Internet and SGTS services during this time.| + +| Date| 21 June 2022| +| ------------- |:-------------| +|**Issue summary** | An issue has been identified with Cloudflare services on 21 June 2022, 14:34 SGT. A fix has been implemented on 21 June 2022, 15:20 SGT and we are monitoring the outcome.
**Customer Impact:**
Users may have observed 500 errors while accessing the Internet and Cloudflare protected SGTS services using Cloudflare WARP.
While we monitor the fix, if you are still unable to access the Internet, please turn off WARP to access the Internet and create an [incident support request](raise-an-incident-support-request) with the respective SGTS service or product team.
You may also visit the [Cloudflare status page](https://www.Cloudflarestatus.com/) for recent updates on this issue.| + +### Cloudflare status + +You may also visit the [Cloudflare status page](https://www.Cloudflarestatus.com/) for recent updates on issues with Cloudflare Zero Trust, WARP, Cloudflare Tunnel and Cloudflare Access. diff --git a/support/troubleshooting-issues.md b/support/troubleshooting-issues.md new file mode 100644 index 00000000..ae608521 --- /dev/null +++ b/support/troubleshooting-issues.md @@ -0,0 +1,84 @@ +# Troubleshooting issues + +This guide provides solutions to common problems for SEED. Follow the steps below to troubleshoot and resolve the problems you're experiencing. + +## Experiencing the *Account does not have access* error + +When using SGTS products with Cloudflare WARP, you might encounter an error message saying, *That account does not have access*. + +## Solution + +1. First, check the following: + + - Have you received the *successfully onboarded* email from SEED? + - Are you using one of the supported browsers? + - Is your Cloudflare WARP client connected and up to date? + - Open Cloudflare WARP **Settings** and ensure "Gateway with WARP" is selected. + - For Windows users, check if Tanium is listed in the **Start** menu. + - For macOS users, look for Tanium in **Finder** > **Applications**. + - Ensure your device's operating system is up to date. + - Make sure Defender is updated and running. + - Check if your TechPass account has the necessary permissions for GCC 2.0 CMP or a specific SGTS service. + +> **Note** +>- SEED does not support running other VPN clients alongside Cloudflare WARP. +>- It is recommended not to use WARP and a VPN simultaneously. + +2. If you are running a VPN client along with WARP, ensure that the VPN configuration doesn't route all traffic and DNS queries to the VPN server. + +3. If the issues persist, [generate a diagnostic report](configure-cli-tools/how-to-generate-and-upload-diagnostic-files-tp-incident-support-reqest) and upload it to the [service request](https://go.gov.sg/seed-techpass-support). + + +## Connectivity issues for macOS WARP users + +Cloudflare has reported connectivity problems for users with macOS WARP client versions earlier than 2022.12.583.0 (20230112.24). These users may experience intermittent connectivity issues while trying to access websites. + + +## Solutions + +### Workaround 1: Update Cloudflare WARP client to the latest version + +**To update your Cloudflare WARP client**: + +1. Open Cloudflare WARP on your GMD. +2. Click **Settings** > **About WARP**. +3. Click **Check for Updates** to see details of the latest version. + +>- If you encounter an error when checking for updates, turn off Cloudflare WARP, ensure you can connect to the internet, and then repeat steps 1-3. + +4. Click **Install Updates** to download the latest version. +5. Enter your device password when prompted and click **OK**. +6. Click **Install and Relaunch** to install the downloaded latest version of Cloudflare WARP. +7. Repeat steps 1-2 and confirm if the latest Cloudflare version is installed on your GMD. +> **Note**: +> If you still face issues, uninstall WARP and install the latest version**. + + + +#### **macOS** + +1. To uninstall the existing WARP client, open the **Terminal** app and run the following command. + + ``` + sudo /bin/sh /Applications/Cloudflare\ WARP.app/Contents/Resources/uninstall.sh + ``` +2. Enter your macOS password when prompted. You will be prompted to confirm the uninstallation. + + ```Do you want to uninstall Cloudflare WARP app? Enter Y to proceed or N to exit.``` + +3. Enter `Y`. When WARP is successfully uninstalled, the message ```Finished uninstallation!``` is displayed. + +4. Install the latest WARP client for macOS. + +#### **Windows** + + 1. To uninstall the existing WARP client, click the **Start** icon on the taskbar. + 2. Go to **Settings** > **Apps** and search for **Cloudflare WARP**. + 3. Choose Cloudflare WARP and click **Uninstall**. + + 4. Install the latest WARP client for Windows. + + + + + diff --git a/verify-microsoft-defender-is-configured-correctly-for-your-os.md b/verify-microsoft-defender-is-configured-correctly-for-your-os.md index 866367d0..aa1841b9 100644 --- a/verify-microsoft-defender-is-configured-correctly-for-your-os.md +++ b/verify-microsoft-defender-is-configured-correctly-for-your-os.md @@ -1,116 +1 @@ -### Ensure Microsoft Defender is configured correctly for your OS - -
-
-
-
-macOS
- - 1. Open **Terminal** and run `mdatp health`. - 2. Take note of the value displayed for **org_id**. - - > **Note**: - > If this command does not return anything, it indicates your device does not have Defender. Hence, [proceed to onboard your macOS device to SEED](onboard-device/mac-os). - - 3. Identify the organisation corresponding to this **org_id** from the following table. This is the organisation of the Defender or the antivirus on your device. - - | org_id | Organisation | - | ------------- |:-------------:| - | faa36a5e-2da6-4225-8e27-226177c801a0 | WOG | - | 49237d71-42ac-425a-a803-881b92cc18ce | TechPass | - | 6389e966-e334-461d-86ce-0fed12484620 | Hive | - - 4. Choose the required step from the following: - - - If your organisation id corresponds to WOG or TechPass, it indicates that **Microsoft Defender** has been configured correctly and you can ignore the rest of this section. - - - If your organisation id corresponds to Hive, it indicates that your device is still enrolled with Hive. Contact [Hive support](mailto:GDS_DEN@hive.gov.sg) to get the offboarding package to unenrol your device. See the [offboarding FAQs](offboard-device/seed-offboarding-faqs.md) to know how to unenrol your device from Defender using the Hive offboarding package. - - - If your device is enrolled with a different MDM, contact your organisation IT support to unenrol your device from it. - -Within the next few hours, **Intune** pushes the **Microsoft Defender** client to your device with the correct configurations. For more information on the duration, refer to [Microsoft Documentation](https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). - -At any time, users can Sign in to Company Portal app, click the three dots and choose **Check status** to check for policy or profile updates. It may take a while to complete the synchronisation. When completed, the screen will show the timestamp of the last successful sync. - - -
-