
FAQ for RM Unify Network Provisioning
Published Date : 22 Aug 2017   Last Updated : 01 Nov 2019   Content Ref: TEC5832777  





Symptoms

RM Cloud Service Delivery can assist you with your Network Provisioning installation.
For non-CC4 networks, Network Provisioning must be installed and configured by RM.
For CC4 networks, customers can self-install Network Provisioning or purchase an installation service.
For further information, please speak to your Sales representative on 0800 046 9798 or email networks@rm.com, quoting this article.



More Information

General information and troubleshooting

Note: Today, support is limited to networks provisioned from a single RM Unify establishment. Support for networks provisioned from multiple RM Unify establishments is coming soon.

Note:
For CC4 customers, this is supported on CC4.5 (i.e., where your CC4 First server is 2012R2) and above networks.

What user types are pushed to the AD?
All Students, Teachers and Non-Teaching Staff, regardless of where those users came from - MIS, CSV or manual web form.

Are disabled RM Unify users provisioned to AD?
Yes, when the Network Agent receives a message from a disabled RM Unify user the AD account is created or updated as usual. Additionally, the AD account will be disabled.

How quickly are changes in RM Unify reflected in my AD?
Changes will be synchronised in less than five minutes under normal conditions.

How quickly are password changes in AD reflected in RM Unify?
The new password will be synchronised in less than five minutes under normal conditions, as long as the password meets the RM Unify password policy.

See FAQ below for information about the RM Unify password policy.

Does device single sign-on (SSO) work with Network Provisioning?
Yes. See TEC4668878 (in the Other Useful Articles section below) for information about device SSO.

What AD attributes are written to?
The following table defines how the user attributes are written in AD.
RM Unify attribute | AD attribute                 | CC4 user property
IdentityGuid       | rmCom-ImmutableIdentityGuid  | Learner Number
OrganisationGuid   | rmCom-OrganisationGuid       | n/a
n/a                | rmCom-ManagementInfo         | n/a
Role               | defines location in AD       | defines user type
UserName           | sAMAccountName               | Username
FirstName          | givenName                    | First Name
LastName           | sn                           | Last Name
DisplayName        | displayName                  | Display Name
YearOfEntry        | optional                     | Year of Entry (Student only)
UniquePupilNumber  | optional                     | UPN (Student only)
TeacherId          | optional                     | Staff ID (Teaching Staff only)
MISId              | rmCom-MisId                  | n/a

Will the Network Agent move AD user accounts to a different location in the AD? 
No. The Network Agent can link an RM Unify user to an AD user account, but it is not configured to move the AD user account to a different location. For example, if the Network Agent links an RM Unify user to an AD user account in OU="Entry2018" and you later move the user to OU="Entry 2017", the AD user account will remain in OU="Entry 2017"; the Agent will not move the account back.

How are communications between the Network Agent and RM Unify cloud secured?
Every Network Agent MSI that is generated contains a complex, secret API key, which is unique for every deployment of Network Agent. Whenever the Network Agent communicates with RM Unify it provides the API key to identify itself. As all of this communication takes place over a TLS encrypted channel, this provides a secure basis for data transfer between the two parties.

How are passwords secured?
Passwords flow in two directions - cloud to network and network to cloud. In both cases we use public key cryptography; the same approach used to secure HTTPS Internet traffic.

  • Cloud to network: On the first run, the Network Agent generates a new C2N public-private key pair and securely transmits the public key to RM Unify cloud. The private key stays secure on your server, which makes it the only place that passwords can be decrypted, which is essential if they are to be written into AD. From this point on, all password changes that occur in RM Unify cloud, either new users or password changes, are immediately encrypted using the specific Network Agent public key. These are stored in RM Unify and forwarded to the appropriate Network Agent.
  • Network to cloud: On the first run, the Network Agent retrieves an N2C password encryption public key from the RM Unify cloud. This public key is then distributed to the Password Filter component(s). When a password change occurs in AD, it is encrypted using the N2C password encryption public key and the resultant encrypted password is sent up to RM Unify.
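As an added illustration of the two key pairs described above (this is not RM's code or the Network Agent's real implementation; the article does not state RM Unify's key sizes, padding or key formats, so those are assumptions), the following PowerShell models both directions with .NET RSA and OAEP. The labels C2N and N2C follow the article; the sample passwords are constructed. It needs PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2 or later.

```powershell
# Added model of the two password directions (assumed 2048-bit RSA with OAEP-SHA256; not RM's code).
function New-KeyPair {
    # The object that creates the pair is the only holder of the private half.
    [System.Security.Cryptography.RSA]::Create(2048)
}

function Export-PublicKey([System.Security.Cryptography.RSA]$Rsa) {
    # ExportParameters($false) returns modulus and exponent only, no private material.
    $Rsa.ExportParameters($false)
}

function Protect-Secret([System.Security.Cryptography.RSAParameters]$PublicKey, [string]$Plaintext) {
    # Encrypt with someone else's public key; whoever holds the private key can read it.
    $pub = [System.Security.Cryptography.RSA]::Create()
    $pub.ImportParameters($PublicKey)
    $bytes  = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    $cipher = $pub.Encrypt($bytes, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $pub.Dispose()
    [Convert]::ToBase64String($cipher)
}

function Unprotect-Secret([System.Security.Cryptography.RSA]$PrivateKey, [string]$CipherB64) {
    $bytes = $PrivateKey.Decrypt([Convert]::FromBase64String($CipherB64),
                                 [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# --- Cloud to network (C2N): the Agent owns the pair; the cloud only ever sees the public half.
$agentC2N    = New-KeyPair
$agentC2Npub = Export-PublicKey $agentC2N                 # what the Agent uploads on first run
$fromCloud   = Protect-Secret $agentC2Npub 'NewPassw0rd!' # cloud encrypts, stores and forwards this
$onServer    = Unprotect-Secret $agentC2N $fromCloud      # only the server can recover it for AD

# --- Network to cloud (N2C): the cloud owns the pair; the Password Filter gets the public half.
$cloudN2C    = New-KeyPair
$cloudN2Cpub = Export-PublicKey $cloudN2C                 # retrieved by the Agent, handed to the filter
$fromFilter  = Protect-Secret $cloudN2Cpub 'Changed1nAD!' # encrypted on the DC before it leaves
$inCloud     = Unprotect-Secret $cloudN2C $fromFilter

"C2N round trip ok: $($onServer -eq 'NewPassw0rd!')"
"N2C round trip ok: $($inCloud -eq 'Changed1nAD!')"
"Stored C2N value is ciphertext, not the password: $($fromCloud -ne 'NewPassw0rd!')"
```

The point the model makes is about where decryption is possible: a C2N ciphertext stored in RM Unify is useless without the private key on your server, and an N2C ciphertext leaving a domain controller is useless without the cloud's private key. That is why the article's advice that the C2N private key "stays secure on your server" matters; protecting that key material on the Network Agent server is part of protecting every password that flows down.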

Once I have my AD synchronised from RM Unify, do all users have to exist in both systems? 
Once Network Agent is installed, you can control which users you wish to be present only in AD, or only in RM Unify.

Most schools will be using MIS Sync, which automatically creates users in RM Unify once they are added to the MIS.
Person in MIS? | RM Unify user required? | AD user required? | Steps to achieve this

Yes | Yes | Yes
  This is the normal case. A user added to the MIS gets a corresponding RM Unify account, and this is synced to AD.
  Direction: Add the user to the MIS.
  Example: All student and staff users.

Yes | Yes | No
  Direction: Disable the AD user or add the username to the blacklist.
  If the AD account is disabled, it will only be automatically re-enabled if the RM Unify account is Disabled and then Enabled.
  See TEC6933539 for information on blacklisting.
  Example: Student or staff user who should not have any access to local resources.

Yes | No | Yes
  Direction: Disable the RM Unify account, then manually enable the AD account.
  The AD/CC4 account will be automatically disabled if any change is made to the (disabled) RM Unify account.
  Example: Student or staff user who should not have any access to cloud services.

Yes | No | No
  Direction: Mark the student/staff record as a leaver in the MIS if appropriate, or disable the RM Unify account, which will disable the corresponding AD account.
  Example: Erroneous, test, or temporary records in the MIS.

No | Yes | Yes
  Direction: Create the account in RM Unify.
  Example: Staff user who will not be added to the MIS, or a school governor.

No | Yes | No
  Direction: (1) Create an account in RM Unify with a role of Other or Governor, as these do not get provisioned to AD, or (2) create the account in RM Unify, then disable the AD account.
  Note: The AD account will be automatically re-enabled only if the RM Unify account is Disabled and then Enabled.
  Example: Visitor requires access to cloud services only.

No | No | Yes
  Direction: Create the account locally in AD.
  Example: Local users, service accounts.

Now that users are automatically created in AD, where do I get the initial password from? 
There are three options, depending on the current status of the RM Unify user:

Login status of RM Unify user | Action

New users joining your school who have never signed into RM Unify
  We recommend you use the RM Unify Management Console. Your new users will appear on the Download Passwords page and from there you can download the initial credentials for all users newly created from the MIS sync.
  https://www.rmunify.com/ManagementConsole/DownloadPasswords
  These initial passwords will follow the format: <capital letter><3x lower case letters><4x numbers>.

New and existing RM Unify users who have never signed into RM Unify
  Monitor the New Students (etc.) folder/OU in AD to identify any new accounts as they arrive. From there you can reset passwords and communicate them to the users. This new password will sync and apply to the RM Unify account and, for new users, they will be removed from the aforementioned Download Passwords page.

Existing RM Unify users who have signed into RM Unify before
  Ask the users to sign into RM Unify. After signing in, a (hashed) password will be synced from RM Unify to the network and applied to their AD account.

What if the password set for a user in RM Unify is not complex enough to meet my AD password policy?
It will fail to be written into AD and the password will be out of sync between the school network and the cloud.

If this occurs when a new password is set for an existing RM Unify user, then the failure will be clearly visible from the User Audit page in the RM Unify Management Console.

If a weak password is specified when creating a new RM Unify user (in the RM Unify Management Console or via CSV import), then there will be no indication of the failure.

We will be adding a feature that allows you to set school specific password complexity thresholds in RM Unify. This will reduce the likelihood of any passwords being accepted into RM Unify that will be rejected by your AD policy. The current RM Unify password policy is detailed in TEC5943089 (in the Other Useful Articles section below).

What if the password set for a user in AD is not complex enough to meet the RM Unify password policy?
It will fail to be synced to RM Unify and so passwords will be out of sync between the network and the cloud. This issue will be listed in the User Audit page in the RM Unify Management Console. We suggest that you periodically check the User Audit page for password sync failures and educate users as appropriate.

The current RM Unify password policy is detailed in TEC5943089 (in the Other Useful Articles section below) and uses heuristics rather than composition rules to determine how strong a user's password is. Therefore, the RM Unify password policy cannot be represented with AD password policy rules, but we do suggest that you set password policies in your AD for students and staff, to increase the chance of passwords being accepted by the RM Unify policy, e.g. a minimum of four characters for students and a minimum of six characters for staff. You can get a feel for the RM Unify password policy by visiting the Change Password page (https://sts.platform.rmunify.com/Account/ChangePassword) and typing in a 'New password'. We accept Weak passwords for students but require Acceptable passwords for other roles.

You may also wish to encourage users to change their passwords in RM Unify rather than on the local school network.

We will be adding a feature that allows you to set school specific password complexity thresholds in RM Unify.
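The per-role minimum lengths suggested above (four characters for students, six for staff) map naturally onto AD fine-grained password policies. The following is an added example of that configuration, not RM's own guidance or scripts; the group names RMU-Students and RMU-Staff and the sample username are assumptions, to be replaced with the global security groups that hold your provisioned users.

```powershell
# Added example: fine-grained password policies matching the article's suggested minimum lengths.
# Group and policy names are assumptions; substitute your own.
Import-Module ActiveDirectory

$policies = @(
    @{ Name = 'RMU-Students-MinLen4'; Group = 'RMU-Students'; MinLength = 4; Precedence = 20 },
    @{ Name = 'RMU-Staff-MinLen6';    Group = 'RMU-Staff';    MinLength = 6; Precedence = 10 }
)

foreach ($p in $policies) {
    # A user in both groups gets the policy with the LOWER precedence number, so staff (10) wins.
    $existing = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'"
    if (-not $existing) {
        New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
            -MinPasswordLength $p.MinLength
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Group
}

# Confirm which policy actually applies to a sample account (assumed username).
(Get-ADUserResultantPasswordPolicy -Identity 'homersimpson').Name
```

Two caveats. Fine-grained policies apply to users and global security groups, not to OUs, so the New Students / New Teaching Staff folders the Agent populates do not pick the policy up by themselves; group membership has to be maintained. And an AD policy only governs the AD side: a password set in RM Unify that fails your AD policy is still accepted by RM Unify and simply fails to sync, exactly as the previous question describes, so the User Audit page check remains necessary.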

How are disabled accounts treated?
For users received by the Network Agent which are disabled in RM Unify, the AD user will be created/updated as well as disabled.

If the RM Unify user is enabled and the AD user is then disabled locally, it will only be automatically re-enabled if the RM Unify user is disabled and then enabled.

If the RM Unify account is disabled and the AD user is then enabled locally, it will be automatically disabled if any changes are made to the RM Unify user.
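Because a locally disabled AD account is only re-enabled when its RM Unify user goes through a Disable/Enable cycle, it is useful to know which linked accounts are currently disabled in AD. This added audit (not RM's tooling) lists disabled accounts under an OU that carry rmCom-ImmutableIdentityGuid, i.e. accounts the Agent has linked; the OU path is an assumption. RM Unify's own enabled/disabled state is not visible from AD, so the list tells you where to look, not which side is authoritative.

```powershell
# Added audit: linked (rmCom-ImmutableIdentityGuid present) AD accounts that are disabled in AD.
# The search base is an assumption; point it at the OU tree the Network Agent provisions into.
Import-Module ActiveDirectory
$searchBase = 'OU=Students,DC=myschool,DC=local'   # assumed

Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $searchBase |
    Get-ADUser -Properties 'rmCom-ImmutableIdentityGuid', whenChanged |
    Where-Object { $_.'rmCom-ImmutableIdentityGuid' } |          # ignore accounts the Agent never linked
    Select-Object SamAccountName, whenChanged,
                  @{ n = 'RMUnifyGuid'; e = { $_.'rmCom-ImmutableIdentityGuid' } },
                  DistinguishedName |
    Sort-Object whenChanged -Descending |
    Format-Table -AutoSize
```

whenChanged gives a rough idea of when the account was last touched, which helps separate accounts the Agent disabled on receipt of a disabled RM Unify user from ones an administrator disabled by hand.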


First run

What new attributes are added to the AD schema?
On its first run, the Network Agent will add the following attributes to the User object schema:

  • rmCom-ManagementInfo
  • rmCom-ImmutableIdentityGuid
  • rmCom-OrganisationGuid
  • rmCom-MisId
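The following is an added verification script (not RM's) for two things the article describes: that the four rmCom- attributes listed above now exist in the schema after the first run, and that they are populated on a provisioned user according to the attribute mapping table earlier in this article. The sample username is an assumption.

```powershell
# Added post-first-run check: schema attributes present, and one user's mapped attributes.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$expected = 'rmCom-ManagementInfo', 'rmCom-ImmutableIdentityGuid', 'rmCom-OrganisationGuid', 'rmCom-MisId'

foreach ($attr in $expected) {
    # Schema entries are looked up by lDAPDisplayName in the schema naming context.
    $def = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$attr'" `
                        -Properties attributeSyntax, isSingleValued
    if ($def) { "{0,-30} present  syntax={1} single-valued={2}" -f $attr, $def.attributeSyntax, $def.isSingleValued }
    else      { "{0,-30} MISSING  (first run has not extended the schema yet)" -f $attr }
}

# Mapping check for one user (assumed username): RM Unify attribute -> AD attribute.
$u = Get-ADUser -Identity 'homersimpson' -Properties (@('givenName', 'sn', 'displayName') + $expected)
[pscustomobject]@{
    UserName     = $u.SamAccountName                   # UserName     -> sAMAccountName
    FirstName    = $u.givenName                        # FirstName    -> givenName
    LastName     = $u.sn                               # LastName     -> sn
    DisplayName  = $u.displayName                      # DisplayName  -> displayName
    IdentityGuid = $u.'rmCom-ImmutableIdentityGuid'    # IdentityGuid -> rmCom-ImmutableIdentityGuid
    OrgGuid      = $u.'rmCom-OrganisationGuid'         # OrganisationGuid -> rmCom-OrganisationGuid
    MISId        = $u.'rmCom-MisId'                    # MISId        -> rmCom-MisId
    Linked       = [bool]$u.'rmCom-ImmutableIdentityGuid'
    Location     = $u.DistinguishedName                # Role "defines location in AD"
}
```

If the schema check reports MISSING, the RM Unify Network Agent Service has not completed its first run, or the account it runs under lacks the rights needed to extend the schema; the Agent has nothing to write into until the attributes exist.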

When will users and their passwords start syncing?
RM Unify users will start syncing to your school network around five minutes after the RM Unify Network Agent Service Windows service starts.

Note: Passwords of existing users will not be synced immediately. A user's password will be synced between RM Unify and the school network only when their password is changed or when the user next signs in to RM Unify after installation of the Network Agent.

When I install Network Agent and it performs initial sync, will it create all new users?
No. Network Agent will attempt to identify users from RM Unify that are already in AD, based on username and role. If it finds an existing user in AD with a matching username and role (student or staff), it will link to that AD user instead of creating a new one.

Therefore, in preparation for installing Network Agent, you should ensure that the usernames match between the AD and RM Unify for those users you wish to join. This is explained in detail in TEC5797912 (in the Other Useful Articles section below), which covers prerequisites and preparation.

How do I recover if the Network Agent incorrectly creates duplicate users on initial sync?
If a duplicate user is created in error, this can be corrected. The root cause is that the local username and RM Unify username are different. This example shows how it can be rectified:

RM Unify user = homersimpson@myschool, AD username = homer.s

On initial sync, a new AD account will be incorrectly created for homersimpson.

  1. Delete the newly created homersimpson account (from CC4 or from AD).
  2. If the desired username is homersimpson:
    • Rename the local homer.s account to homersimpson
    • Perform resync of this/all users (see FAQs above)
  3. If the desired username is homer.s:
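Two added helper functions (not RM's tooling) for the two situations above: checking username alignment before the Network Agent's initial sync, and repairing a duplicate created on that sync. RM Unify usernames are taken here as '<username>@<establishment>', the form of the article's homersimpson@myschool example, and the part before '@' is compared with sAMAccountName; that reading, the CSV rows and the usernames are assumptions or constructed sample data. Repair runs as a preview (-WhatIf) unless -Commit is given.

```powershell
# Added helpers for pre-install username checking and duplicate recovery (not RM's procedure code).
Import-Module ActiveDirectory

function ConvertTo-AdFilterLiteral([string]$Value) { $Value.Replace("'", "''") }  # keep quotes out of -Filter

function Test-ProvisioningUsernames {
    # One row per RM Unify user: which AD account (if any) the Agent would link to on first sync.
    param([Parameter(Mandatory)][object[]]$RmUnifyUsers)
    foreach ($row in $RmUnifyUsers) {
        $local = ($row.UserName -split '@')[0]     # assumption: local part == expected sAMAccountName
        $ad = Get-ADUser -Filter "sAMAccountName -eq '$(ConvertTo-AdFilterLiteral $local)'" `
                         -Properties 'rmCom-ImmutableIdentityGuid'
        $match = if ($ad) { $ad.SamAccountName } else { '(none: Agent would create a new account)' }
        $path  = if ($ad) { $ad.DistinguishedName } else { '' }
        [pscustomobject]@{
            RMUnifyUser = $row.UserName
            Role        = $row.Role
            ADMatch     = $match
            ADPath      = $path      # check it sits under the OU tree for that role
            Linked      = [bool]($ad -and $ad.'rmCom-ImmutableIdentityGuid')
        }
    }
}

function Repair-DuplicateProvisionedUser {
    # Steps 1 and 2 of the recovery above (desired username = the RM Unify one).
    param(
        [Parameter(Mandatory)][string]$DuplicateSam,   # created in error, e.g. homersimpson
        [Parameter(Mandatory)][string]$OriginalSam,    # the real local account, e.g. homer.s
        [switch]$Commit
    )
    $preview = -not $Commit
    $dup  = Get-ADUser -Filter "sAMAccountName -eq '$(ConvertTo-AdFilterLiteral $DuplicateSam)'" -Properties 'rmCom-ImmutableIdentityGuid'
    $orig = Get-ADUser -Filter "sAMAccountName -eq '$(ConvertTo-AdFilterLiteral $OriginalSam)'"  -Properties 'rmCom-ImmutableIdentityGuid'
    if (-not $dup -or -not $orig) { throw 'Both accounts must exist before repairing.' }
    if (-not $dup.'rmCom-ImmutableIdentityGuid') { throw "$DuplicateSam carries no RM Unify link; it does not look Agent-created." }
    if ($orig.'rmCom-ImmutableIdentityGuid')     { throw "$OriginalSam is already linked to an RM Unify user; stop and investigate." }

    Remove-ADUser -Identity $dup.DistinguishedName -Confirm:$false -WhatIf:$preview                 # step 1
    Set-ADUser    -Identity $orig.DistinguishedName -SamAccountName $DuplicateSam -WhatIf:$preview  # step 2
}

# Constructed sample export; in practice take the list from the RM Unify Management Console.
$rmUnifyUsers = @'
UserName,Role
homersimpson@myschool,Student
lisasimpson@myschool,Student
ednakrabappel@myschool,Teacher
'@ | ConvertFrom-Csv

Test-ProvisioningUsernames -RmUnifyUsers $rmUnifyUsers | Format-Table -AutoSize
Repair-DuplicateProvisionedUser -DuplicateSam 'homersimpson' -OriginalSam 'homer.s'   # preview only
```

The two guard checks matter: deleting an account that does not carry rmCom-ImmutableIdentityGuid would remove a real local user rather than the Agent's duplicate, and renaming an account that is already linked would break an existing link. On CC4 networks, consider performing the delete and rename through the CC4 RM Management Console rather than raw AD cmdlets so that CC4's own records stay consistent.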

CC4 specific

CC4: Where are new users created?
Users will be set up in the same way as CC4 does for you today, using your current CC4 User Templates. New users will be created in the New Students, New Teaching Staff and New Non-teaching Staff user folders (OUs), on the server where the Network Agent is installed (CC4 First server), ready for you to move them to the appropriate server and folder. 

CC4: Do new users have to change their password at first login to Windows?
The CC4 user template is used to control this and this will be honoured when Network Agent creates a new user.

CC4: What happens when a CC4 user is forced to change their password at next logon?
If a CC4 user's password must be changed at next logon, and a password is synced down from RM Unify for the user, the user will still be forced to change their password at next logon. This is equivalent to changing a user's password via the CC4 RM Management Console.

CC4: Does the Network Agent sync with specific OUs at setup and what happens if we create new OUs later?
The Network Agent works with any new user folder (OU) that is created using the CC4 Management Console under Students, Teaching Staff or Non-Teaching Staff, whether created before or after the Network Agent installation. Once the account has been provisioned to the CC4 network, the CC4 administrator can choose to move it to the desired OU.


Non-CC4 specific

Non-CC4: Where are new users created?
AD users are created in the OU path you specify for the user's role during the Network Agent configuration. Home folders and/or profile folders can optionally be created for new users in the locations that you specify.

Non-CC4: Do new users have to change their password at first login to Windows?
No. When new AD users are created, the Account option 'User must change password at next logon' is not set.

Non-CC4: What happens when a user is forced to change their password at next logon?
If a user's password must be changed at next logon and a password is synced down from RM Unify for the user, the user will not be forced to change their password at next logon.



Other Useful Articles

RM Unify Network Provisioning: prerequisites and preparation (TEC5797912)
RM Unify password policy (TEC5943089)
Preparing your network for device single sign-on (SSO) with RM Unify (TEC4668878)
Installation services for RM Unify Network Provisioning (TEC6284446)
RM Unify Network Provisioning error "cryptographic error occurred while encrypting the password" (TEC6482267)
