BCTC News and Information blog

Updates to CUNY Zoom Security

Please see the following message from CIS:

As previously communicated, we have implemented Zoom security settings on December 27th that enforced meeting passcodes and waiting rooms for all Zoom meetings. This email provides additional information regarding Zoom meeting passcodes and waiting rooms.
Passcodes
Any meetings that were scheduled prior to December 27th that did not require a passcode have been updated to require a passcode.
For these meetings, meeting organizers should send an invitation update that includes the passcode to ensure that attendees can access the meeting.
Regarding Waiting Rooms
The CUNY-wide Zoom waiting room setting means that meeting attendees either:
  • Wait in the waiting room until admitted by the person in charge of the meeting or a meeting co-host.
OR
  • Bypass the waiting room and be directly admitted to the meeting if they logged into the meeting using their CUNY Zoom account.
Zoom users can change their meeting security settings at https://cuny.zoom.us to require all attendees to be held in the waiting room OR allow some attendees to bypass the waiting room and immediately access the meeting.
For information on changing Zoom waiting room options, users can visit How do I change my Zoom meeting’s waiting room options? in CUNY IT Help or register to attend a Zoom Security Training Webinar on January 18, 23 or 24.
After CUNY made the security changes previously announced for December 27th it was determined that the changes reduced flexibility in a way that was unacceptable.  Not being able to change the waiting room behavior was not sufficient in the case of wanting to ensure that participants stayed in the waiting room before the meeting started.  CUNY thus reenabled the option to change the waiting room behavior for users.
This is a good time to continue to remind users that Zoom security is of paramount importance–CUNY is still besieged by Zoombombing incidents that are disruptive and disturbing to the community.  Ensuring that meetings are secured to the maximum extent possible greatly reduces the possibility of disruption and may allow us to determine the responsible parties and refer for appropriate disciplinary action.
We also strongly recommend attending one of the Zoom Security Training Webinars referred to above.

Security Changes to Zoom (update)

At 6pm on December 27th CUNY CIS will enforce the following Zoom security settings to ensure meeting security:

  • A passcode will be required when setting up all Zoom meetings (scheduled, instant and personal) and webinars 
  • All Zoom meeting and webinar attendees will be required to enter the passcode to access the meeting
  • The use of the Zoom waiting room to validate attendees will be enforced  

These changes will be for all CUNY users and can not be overridden individually or by campus.

Please note that CUNY has set the waiting room options to have anyone in the CUNY Zoom instance to bypass the waiting room by default, and this option also can’t be overridden:

Screenshot of Waiting Room security options showing the the waiting room is bypassed for authenticated users on the same account.

We do anticipate this may necessitate a change in open meetings for support; the potential solution is to require registration and publicly post the registration link instead of the open meeting link.  This will also allow offices holding Zoom office hours to get emails of their customers for followup.

This change is a full enforcement of the current CUNY policy on securing Zoom meetings and is a response to continued meeting disruptions (“zoombombing”) across CUNY.

  • You can learn more about these changes, as well as best practices when setting up and running Zoom meetings, by attending one of the following training sessions:  Wednesday, December 28, 2-3pm Wednesday, January 11, 2-3pm Tuesday, January 24, 11am-12pm  To register for one of these training sessions, please visit https://us02web.zoom.us/meeting/register/tZcrfuqorT4vE9G5hGqvUyJM3bbXQMohEm8E  If you are unable to attend the training, you can either review: 
  • A training recording to be available with other Zoom training recordings in the CIS Training Zoom channel in Microsoft 365 Stream.
  • The Zoom Security Protocol document on the CUNY website and in CUNY IT Help [KB0011713] outlines required and recommended Zoom settings, as well as best practices, to ensure safe and secure Zoom meetings and webinars.

eduroam now available at Baruch

The “eduroam” wireless network is now available at Baruch!  Thank you to the networking team at Baruch and CUNY CIS for getting this done.

What this means is that any user from another eduroam organization can log into the Wi-Fi at Baruch by using the “eduroam” SSID and the login credentials from their home institution.  Baruch users can also use their CUNY Login username and password to connect to eduroam both on campus and at any other eduroam institution.  Users from other CUNY schools who come to Baruch can also use eduroam and their CUNY Login to access wireless while on campus.

While you will now see the eduroam SSID everywhere on campus, you should continue to use the Baruch SSID for your normal network access if you’re a Baruch student, faculty or staff member, since it will provide access to additional on-campus resources that eduroam will not.

Connecting to eduroam

In most cases, you will just need to find the “eduroam” wireless network, and when it asks for a username and password provide your CUNY Login username (firstname.lastnamexx@login.cuny.edu) and password.  If you need to configure settings, the following ones will work:

Security:  WPA2 Enterprise
EAP method: PEAP
CA Certificate:  don’t validate
Phase 2 Authentication: GTC

Attached is a screenshot from a Samsung phone showing the setup with the above options (in most cases you shouldn’t need to enter anything but the “CA Certificate” option)

Android phone connecting to eduroam SSID, with Security set to WPA/WPA2 Enterprise, CA certificate set to "don't validate" and Phase 2 authentication set to "GTC"

This is what it looks like on an iPhone:

Connectign to "eduroam" Username is CUNY Login, password is CUNY Login password.

 

Windows and macOS are similar as well.  Once you configure eduroam at Baruch it will work anyplace eduroam is available.

For additional information about eduroam you can go to https://eduroam.org/ .

We look forward to being able to provide this service to the Baruch community as well as both CUNY and external visitors to Baruch.

 

WiFi Troubleshooting

New and returning students frequently have challenges connecting to WiFi at the start of the semester. BCTC identified a timing issue that was affecting the ability of students to connect with their Baruch username and password; we have adjusted the parameters on the WiFi network and we believe we have improved that situation.

If you do not know your Baruch username and password, you can reset it at https://mypassword.baruch.cuny.edu/ if you have previously set your password recovery items there; you can also contact the BCTC Helpdesk who can assist in resetting the password.

It is impossible for BCTC to test for connectivity for every device and every combination of operating system, network drivers, etc. If you know you have the correct password and still are not connecting reliably you should make sure you’re running the most recent version of whatever operating system you have, and if there are separate network drivers available for your device you can upbrade those as well. BCTC can assist if necessary as well.

M365 Basic Authentication Disabled for all CUNY accounts

Effective August 1st, 2022, CUNY CIS has disabled M365 Basic Authentication for all CUNY accounts.

What this means is that older clients and methods of access to the CUNY M365 environment (this includes faculty/staff email through the “CUNY tenant” and all student access to M365 including baruchmail.cuny.edu) no longer work. This change is necessary both to improve security of the M365 environment and allow for the enforcement of multifactor authentication (which was previously enabled for student accounts and will be enabled for faculty and staff accounts shortly.)

Among other things this affects it affects people who are using the Gmail POP3 importer. Gmail has not updated this interface to use modern authentication, and if they do not before October 1st 2022 when Microsoft will completely disable basic authentication for all Microsoft accounts it will stop working for everyone. Users who are affected can read their CUNY email via the web client, the native M365 support in iOS and Android (both of which support modern authentication), the Outlook client (for Mac, Windows, iOS or Android), or any other application that supports modern authentication (also known as OAuth) for POP or IMAP. POP and IMAP access is still enabled when modern authentication is used.

This change is necessary because of the high number of compromised accounts we have seen. If you have received messages from a CUNY address that are scams (these are often employment scams) you know the impact of having accounts that are easily compromised. Enabling modern authentication both reduces the likelihood of this occurring and allows us to fully enforce multifactor authentication which further reduces the chance of account compromise.

Please note that basic authentication was already disabled for faculty and staff M365 accounts in June.

Configuring macOS Mail for Baruch M365 Email

  1. Open the “Mail” app:
    macOS Mail app
  2. If this is the first account you’re entering, you’ll be prompted to add the account, otherwise you’ll need to manually add a new account. Select “Microsoft Exchange”:

  3. Enter your name and your CUNY Login ID in the box and click “Sign In”:
  4. At the next screen, click “Sign In” again:

  5. You will be presented with the CUNY Web Applications Login, log in with your CUNY Login ID and password:



  6. Click the apps you want synced to your “Mac” and then click “Done”:


  7. The last step is to ensure that your Baruch email address is used for outgoing messages. In Mail, go to the “Mail” menu and select “Preferences”:


  8. In the Preferences window, you’ll see the new account you added. Click on the email address and select “Edit Email Addresses”:





  9. In the list of email addresses, simply click on the @login.cuny.edu address and change it to your @baruch.cuny.edu email address (note: you will not be able to use an email address for which you are not authorized):



  10. Once that is completed you should be able to use the Mail app to send and receive email from your Mac.

Configuring the Android Mail app for access to your Baruch M365 Email account

Most Android devices have a “Mail” or “Email” application that can be used to read your Microsoft 365 email. These screenshots were taken on a Galaxy S21 Ultra but the instructions should be similar on any Android device running a current version of Android.

  1. Open the “Email” app on your device.
  2. You should get an option to “Set up Email”. Pick the “Office 365” option:
    Set Up Email, select "Office 365"

At the “Sign In” screen, enter your CUNY Login ID (firstname.lastnameXX@login.cuny.edu):
Sign in with your CUNY Login

You will be taken to the CUNY Web Applications Login page, where you will login with your CUNY Login ID and password:
CUNY Web Applications Login

Once you log in you may get a permissions dialog from Microsoft asking you to authorize the Email app to have access to your Microsoft 365 account. Click “Accept”:
Microsoft permissions dialog, click "accept"

The Android Email app will then ask you to authorize M365 to be able to configure your device. You should click “activate” here:

You’ll then get a screen asking how much mail you want downloaded to the device, and whether or not calendars, contacts, and tasks should sync to your device. Selectd your desired settings and click “Done”:

Your email app is now configured for use with your Baruch M365 account.

Configuring Outlook for Windows for your Baruch M365 Email Account

As of May 3rd, 2022 all faculty and staff users are using Microsoft 365 for their Baruch email address (@baruch.cuny.edu).

To configure Outlook to use M365, first download and install Office from http://www.office.com after logging in with your CUNY Login. Then start Outlook on your computer. You will get a screen where you should enter your baruch.cuny.edu email address:

Outlook screen where you should enter your baruch.cuny.edu address

When you enter your email address you may be prompted with a CUNY Web Applications Login dialog; if so, enter your CUNY Login ID and password:

Once complete you will get a dialog showing your the email address. Select “Done”:

You can then restart Outlook normally, and your email should appear within Outlook.

Deploying Email Fixes

BCTC has developed and tested the strategy for resolving the remaining email and calendar transition issues and will be deploying it to administrative offices over the coming days.

The steps include building a new Outlook profile that only talks to Microsoft 365 and making the baruch.cuny.edu address primary there. We are also simplifying access to shared mailboxes.

We are working to deploy this solution as quickly as possible to all administrative offices; we will be coordinating with divisional vice presidents to schedule on a per-office basis (as defined by the VPs and relevant managers). We need all staff in an office to be available in person or remotely accessing their office computer when the transition is made. Even though most of the changes will be deployed automatically, we will be available via Zoom during an office’s cutover to ensure that users can log in and access email, as well as configure access to any shared mailboxes.

If you have not been able to migrate your email to the new system, you will be instructed to access it through webmail at https://mymail.baruch.cuny.edu/ for the time being. We are nearing the ability to complete migrating maliboxes in an automated fashion in the background, a process that may take several weeks but will happen with no additional user intervention.

Email System Status May 20th

Summary: Emails sent through May 2nd are safe and always available through the Mymail web interface at https://mymail.baruch.cuny.edu/.  New mail is always available at https://outlook.office.com/. We will be changing the primary address for all accounts to baruch.cuny.edu soon, which should remedy most of  the issues described below. In the meantime, the Outlook web interface is a consistently reliable way to access old and new email if the Outlook clients are causing issues.

Priority = Faculty Email Support: We know the next two weeks are critical for faculty to send and receive email to and from students; to that end we want to recommend that Microsoft 365 mail accounts are always available on the web at https://outlook.office.com.  The web version is not only a fallback option for sending and receiving email, in many instances it can be your primary method for sending and receiving email on- or off-campus.  The Microsoft 365 Outlook web interface is much more fully-featured than our old Mymail system.  Also keep in mind that the old Outlook Web Access is still fully available for referring to any old email, calendars and contacts you might need to access at https://mymail.baruch.cuny.edu/. The links to the old and new accounts are posted on the Quick Links menu on the College’s web site. 

Changing primary email address in Microsoft 365 to Baruch.cuny.edu: Currently, may email addresses are displaying in the CUNY login format: firstname.lastname## @ login.cuny.baruch.edu. Please be assured that this only temporary and your email address has not changed. Your email address is still firstname.lastname @ Baruch.cuny.edu. The temporary setting of the Microsoft 365 email address away from Baruch.cuny.edu was done to allow both accounts to be visible in a single instance of Outlook for Windows.  However, it is causing other issues with sending and receiving email.  We will be setting all accounts email addresses in M365 to @baruch.cuny.edu shortly after the end of the semester.  You can also ask to have your address changed to @baruch.cuny.edu sooner if you have no need to access the old and new servers in Outlook for Windows in the same profile.  Changing the default mail address to @baruch.cuny.edu will necessitate making the Outlook for Windows profiles only use the Microsoft 365 account.  We are working on a process to do that for users automatically and will support users directly as necessary.

Old emails, calendars and contacts: Changing the default email address in the cloud to baruch.cuny.edu will change how you can access old email on the old server. We will be working with users and offices who may still need to have old email (and calendars and contacts) available in Microsoft 365 and will be providing guidance on migration of email later this summer. Access to old email that has not yet been migrated will be through https://mymail.baruch.cuny.edu/ for the time being. We are encouraging users to only connect their devices with the Outlook client and mobile apps only to the Microsoft 365 environment and if they have not migrated their email to use Mymail to search mail when needed at this time.

Resource Mailboxes:  Resource mailboxes, which are shared mailboxes used by administrative offices of the College, cannot receive mail from senders outside of the CUNY M365 environment when the @login.cuny.edu address is used. We must change the addresses associated with all resource accounts to the baruch.cuny.edu address as soon as possible. We will be providing guidance to users regarding this change in the next few days.

Resource mailbox users have noticed that the message folders show up automatically in their M365 profiles on Outlook for Windows, but they cannot send messages the same way as before—notably the messages do not show up in the “Sent” folder of the resource accounts.  Adding the resource account as a separate email address in the profile does work, but will cause duplicate folders to appear in your folder list.  We are investigating removing the auto-mapping of resource accounts and relying on adding the email addresses manually moving forward.  There are also complications if you have not moved the resource accounts and users of them to having their Baruch address as primary in M365.  Again, in all cases opening the mailbox in Outlook 365 Web allows you to use the boxes until the client configuration is finalized.

Calendar Migration: We are aware that meetings (calendar items with multiple attendees) migrated to M365 are not properly updating for all participants when the meeting organizer makes a change to the meeting. We are investigating the cause with CUNY and Microsoft, but it is likely that these issues will be resolved when we set the primary email address in M365 to baruch.cuny.edu. In some instances, a user may need to create a new calendar item in the M365 calendar for a meeting that needs to be changed and instruct the other invited participant(s) to remove the old event from the calendar manually.  We expect to understand more about this in the coming days.

Additional technical background:  The bulk of the challenges we are seeing with email at this point are around the Windows Outlook configuration.  The challenge is that the baruch.cuny.edu address exists both on our local server and on the Microsoft 365 CUNY tenant.  Different versions of Outlook try to find things first on Microsoft 365 (including Outlook 2019 and later) and make it challenging to access the old server and new system at the same time, or even to access the old server at all with the Windows Outlook Client.  

We are having other issues with some @login.cuny.edu user mailboxes not being able to receive messages from outside of the CUNY tenant, which are basically off-campus addresses.  This is the documented behavior for resource mailboxes (which is why we’re changing them back very soon) but for users is because of a configuration error that CUNY will fix for us.

We are still seeing other miscellaneous issues around delegation and rights assignments, especially to distribution lists and shared mailboxes.  We are working with CUNY to devise the best methods for moving forward.

css.php