Nexus: News

Nexus365 currently includes a user-customisable setting that allows users to personalise what page they land on when they log into the Nexus365 portal. However Microsoft have chosen to remove this functionality. They have begun rolling out a new (mandatory) home page for users logging in via the web. This will soon replace any customised landing page.

The thinking behind this change is that Microsoft’s Office.com page has evolved. Now it shows users’ most relevant applications, documents, and places where they are working. Since this useful information is all collected in one place Microsoft believe that it makes for a more useful, more consistent (and thus easier to support) default page when someone signs into Nexus365 at Office.com.
Users who miss the customised starting page can continue to use browser bookmarks and direct URL navigation to get to specific Nexus365 components, applications, or pages.

When will this happen?
The change should first become visible in March 2019, when users who have set a start page other than Office.com will be directed to Office.com when they log-in.

What should I do to prepare?
Informing your users of the upcoming change would be sensible, and encouraging them to bookmark any custom page they’ve set as their start page.

How can I stay informed?
The Nexus Team make information available via this blog, and via the IT Services Service Desk.
You can also review upcoming changes yourself via Microsoft’s roadmap page. This specific change can be found on that roadmap here.

A number of Nexus users have recently logged support tickets with the Service Desk regarding a repeating cycle of logon authentication requests in Outlook. Similarly affected users may receive an error stating ‘You need the internet for this’ even when they are self-evidently connected and online.

Investigation has shown that – generally but not exclusively – this seems to affect users running versions of Office downloaded from the Nexus365 portal, and who are running Windows 10 as their operating system.

ITSS advice and things to try:

1. Under Settings>Accounts>Access Work or School, remove any reference to an OnTheHub or personal Microsoft account.
2. Ensure that your local firewall, antivirus software, and/or Windows Defender are not blocking processes that engage in authentication token acquisition.
3. Removing stored accounts from Credentials Manager, and rebuilding Outlook’s profile may also help.
4. There is a registry fix which can resolve this issue. However as the issue is due to be patched early in 2019 if you use this solution we strongly recommend you schedule to reverse it once the fix is released. With that borne in mind:
   Starting from build 16.0.7967, Office switches from Azure Active Directory Authentication Library authentication (ADAL) to Web Account Manager (WAM) for sign-in workflows on Windows builds later than 15000 (Windows Version 1703, build 15063.138). The workaround is to disable WAM by modifying the following key:[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\
   “DisableADALatopWAMOverride”=dword:00000001

It has been brought to our attention that a recent update to Thunderbird – bringing the version number up to v60 – has the unfortunate side-effect of breaking Nexus365 calendars. Experimentation within the Nexus team has shown that the only calendar functionality that remains intact during testing is the use of one’s own calendar and, bizarrely, a single meeting room.

Calendar issues aside, this upgrade to the application is worthwhile. Testers within the Nexus team described it as  “…definitely snappier and more responsive.”

Mozilla have made a big jump with the plug-in architecture for Thunderbird (as happened for Firefox about a year ago), so to continue to use Nexus365 calendars within Thunderbird we will have to wait for the developers of the exchangecalendar plug-in to get their heads around the new design. In the meantime Outlook Web App (http://outlook.office.com) gives calendar functionality via almost any modern browser.

Mozilla have provided the following guidance regarding calendar issues post upgrade:

https://support.mozilla.org/en-US/kb/calendar-updates-issues-thunderbird

This may also be useful:

https://www.thunderbird.net/en-US/thunderbird/60.3.1/releasenotes/

EDIT: Version ‘v5.0.0-alpha2’ of the exchangecalendar add-on was released in the last 24 hours. Testing within the Nexus team has shown that with this version delegate calendars re-appear. https://github.com/ExchangeCalendar/exchangecalendar/releases

The fifth most-requested feature for Teams is a client for Linux. This simple request has garnered over five thousand votes since it was first posted two years ago.

Since Microsoft are slowly moving away from Skype clients, pushing communications functions into the Teams application, this will clearly become more of an issue as time goes on. In the current documentation Microsoft state that Meetings work on Chrome 59 (and later). Firefox users are effectively being told that they should replace their browser.

There is a convoluted work-around to permit video calls and presentations to work but it’s very much a fudge: it effectively persuades the server that you’re running the Edge browser.

However, as of yesterday, it seems that there may be a hint of progress. Some engineering time may even be being allocated to resolving these issues. In a tweet yesterday Microsoft’s Suphatra Rufo gave a hint that there may be progress.

If you are a Linux user and need a proper Teams client please add your voice here:
https://microsoftteams.uservoice.com/forums/555103/suggestions/16911565

Apple have never been as clear as Microsoft regarding the timeline over which their software will be officially supported. However as a general rule the current version of the operating system, and the one immediately preceding it, can be considered officially supported. When dealing with Microsoft Office apps on iOS Microsoft are now following that premise.

Word, Excel, PowerPoint and OneNote are no longer supported for Office app updates on devices running iOS 10 (or earlier versions of iOS). In November support for Outlook will also cease for those versions of iOS.

These Office apps will continue to work, albeit officially unsupported and without further updates. Once the device is updated to iOS 11 (or later), Office apps will then resume receiving updates and patches. Users should be made aware that, if no action is taken to keep their operating system current, Outlook for iOS will eventually stop synchronising email and calendar data. Furthermore all Office apps will stop receiving feature and security upgrades.

Best advice is always to ensure your operating system is current to minimise exposure to security vulnerabilities. This will also ensure your Office programs continue to work securely too.

Microsoft are planning to discontinue support for the older 1.0 and 1.1 versions of Transport Layer Security (TLS) in Microsoft Office 365 from the end of October 2018.

TLS is the successor to the (now deprecated) Secure Sockets Layer  protocol which was designed to provide secure communications over a network. The protocol’s job is to provide reliable privacy and data integrity between client and server- so it is important that Nexus365 only implements current fully-supported versions.

The TLS protocol builds on Netscape’s original SSL specifications from the mid 1990s, which added HTTPS support to Netscape Navigator. TLS was first defined in 1999 with the specification updated in 2008 (RFC5246) and again in 2011 to ensure TLS was used in preference to SSL (RFC6176).

TLS 1.0 originally  included an option to downgrade to SSL3, weakening security and potentially allowing known attack vectors to be exploited. The revised TLS 1.1 dates from early 2006, and was again revised in the summer of 2008 with TLS 1.2 becoming a standard. Dropping support for versions of TLS older than v1.2 will thefore be mandating use of a protocol that has been around for a decade. Only the oldest, least regularly updated client software, should be unable to connect using TLS 1.2. In fact some browsers already support TLS 1.3, currently a draft standard, dating from March 2018.

The October 2018 deadline for dropping TLS 1.0 and 1.1 support already represents a postponement of Microsoft’s original planned date, so is unlikely to be extended further.

To ensure you can still use secure connections to Nexus365 after the end of October 2018 all client and browser software used to access Nexus365 must therefore be using TLS 1.2 or later. This may mean you need to update, or replace, your software in order to connect securely. Any TLS-related connectivity issues logged in support tickets relating to Nexus365 will require an update to TLS 1.2 as part of the resolution.

Examples of software known to use old versions of TLS:

• Android 4.3 (and earlier)
• Firefox version 5.0 (and earlier – and any related forks of it)
• Internet Explorer 8-10 on Windows 7 (and earlier)
• Internet Explorer 10 on Windows Phone 8.0
• Safari 6.0.4/OS X10.8.4 (and earlier)

Analysis shows that, as a proportion of all traffic, very little of it is TLS 1.0 and 1.1 usage. Please note that we are not mandating that you cease using older versions of TLS for other functions. If you are still using TLS for other purposes you can leave it enabled for those functions – however TLS 1.2 should be enabled for secure connections to Nexus365 in addition to those.  This should ensure that you avoid future TLS connectivity issues when accessing Nexus365.

We’ve had reports from some Nexus users that Outlook 2016 can appear to hang while trying to make a connection to our Exchange servers. The reported delay is between thirty and forty seconds, after which the connection is established and normal service resumes.

People who have stayed on Outlook 2013 don’t generally encounter this issue, but if they do they can easily resolve it by tweaking settings.

Here is what’s going on: the Exchange 2010 Autodiscover service tells the client to try a regular RPC/TCP connection before resorting to a RPC/HTTP connection. 

In Outlook 2013 there is an option in the program’s settings: ‘On fast networks, connect using HTTP first, then connect using TCP/IP’. This setting resolves the issue (and these days ‘fast network’ means any connection that’s faster than dial-up).

But if you’ve updated to Outlook 2016 that option has disappeared. Essentially you’re looking at a mismatch of versions – Microsoft are assuming that Outlook 2016 will be connecting to Exchange 2016. Once we’ve migrated to Nexus365 we will be but, currently, we’re still on Exchange 2010 on-premises. In other words, even with our best-practice server configuration, newer versions of client software are creating ‘gotchas’ for us…

What can the Nexus Team do about this?

There is an option of mandating all Nexus client connections to use HTTP first. This is a server-side setting we can apply. However this has an adverse effect for everyone who doesn’t use Outlook. For us, that’s a lot of people. We have had to rule out that solution.

The longer-term solution is to migrate our users to Nexus365, since that will effectively bring the servers you are connecting to bang up to date. Pilot migrations begin next month.

What can I do about this?

The recommendation for University IT Support Staff is to use Group Policy to resolve this wherever possible – the policy settings that are equivalent to Outlook 2013’s tickboxes still exist. Microsoft may have removed the interface to see them in Outlook 2016 but the configuration can still be made, albeit via a circuitous route.

The setting you want to change is:

User Configuration\Administrative Templates\Microsoft Outlook 2016\Account Settings\Exchange

Enabling ‘flag 4’ is equivalent to ticking the checkbox in Outlook 2013 for using HTTP first.

Self-managing Outlook 2016 users can edit their registry to achieve the same effect. You need to create (or modify) this key:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\RPC

Add a DWORD value of ‘ProxyServerFlags’ with a decimal value of 47.

Note that because this is a current-user setting you will also need to apply it for other users of the same PC.

If the problems persist, for multiple users, please verify that your DNS settings are correct for autodiscover to successfully resolve your unit’s subdomain. Even after all these years since Nexus went into service we still find occasional pockets of users putting up with slower-than-needed lookups and configuration challenges which are avoidable with autodiscover set correctly.

When the University first signed up for the OnTheHub service plenty of University members went there to obtain free or discounted software. When asked to register, they used their official email address – after all, why wouldn’t you?

Some time later, as Nexus’ migration to Office 365 project kicked off, it became apparent that this couldn’t continue: we needed to reserve all of the University’s email domains/suffixes for use in our official Office 365 tenancy. Users who were using their University email addresses for any other interaction with Microsoft were creating a ‘viral tenancy’ with no administrative control, while simultaneously preventing us from adding that domain name to the official tenancy. And without the ability to add that domain name to ‘Nexus365’ that college or department would be stuck for all eternity on a tiny in-house Nexus mailbox.

It was around a year ago we identified this problem and asked Kivutu, who administer OnTheHub, to stop accepting registrations from University email addresses. Now users of OnTheHub are asked to register with an email address in the format first.last@oxforduni.onmicrosoft.com. Our help text was also updated to reflect that change.

A year on from that we now have a new problem. OnTheHub users are asked to periodically renew their licence, to prove that they are still members of the University and thus entitled to continue using that software.  It’s been a year, so University OnTheHub users are starting to relicence their software, as requested.

To verify entitlement, users are asked to log in…
The problem is that after all this time many users have forgotten about that oxforduni.onmicrosoft.com address – many of them have been trying to log in with their official University email address. Because we’ve been adding all of those email domains to the official Nexus365 tenancy, and we’ve federated it via Shibboleth to use single-sign-on addresses, Microsoft’s logon page sees an address that belongs to us and ‘helpfully’ sends the request in our direction.

Your end user sees a standard SSO logon, knows what to do with that, so logs in. However what they get is not OnTheHub. What they’re seeing is, in effect, a sneak preview of Nexus365. But it’s not usable in any meaningful sense as what they’re seeing is a not-yet-migrated and not-yet-licensed example of Nexus365. All of the new exciting toys are visible but none of them are usable until we are able to start migrating folk across.

It would therefore be a great help to us, and a useful reduction of the support burden on the helpdesk, if you could advise your OnTheHub users to look up their oxforduni.onmicrosoft.com alias and use that to re-licence their Microsoft software downloads. It will have been sent to their official University email address so should be searchable within their mailbox. Finding and using that address will  ensure that a greater number of people can continue using their software without delay or (additional) confusion by re-licensing at their first attempt.

The Nexus team are trying things out. My mailbox is now just a tad larger than it was yesterday.

Isn’t this number a lovely sight?

The Nexus Blackberry Enterprise server is licensed for 378 BlackBerry devices. And, back in 2010, we needed every last one of those licences. Today things are very different. After a lengthy process contacting users and removing those who had given up their BlackBerries, there are now only 27 people still registered on the server. Of those, only 25 have made contact during the last month. This means that active usage has more than halved just since July 2016, when we counted sixty active users.

Nexus’ BlackBerry server software does not support the current range of BlackBerry handsets. In order to support these newer devices our server software would have to be upgraded. More importantly the version change requires users’ devices to be re-licensed (at cost). The expense and effort required to do this does not make good financial sense for a system hosting so few users. The service requires two BlackBerry Enterprise Servers, for redundancy, and a back-end SQL database. All of these need monitoring, updating, backup, and general fettling. For 25 people this routine upkeep doesn’t represent a good return on the effort required. The department would struggle to justify provision of any new service from which fewer than thirty University members would benefit and which only supports obsolete devices.

The intention is that Nexus’ BES service will be retired ahead of the migration to Office 365. All current BlackBerry server users (i.e. anyone who bought a licence and has gone through the server activation process) should plan to replace those devices as soon as possible. New Blackberry handsets can still be used to connect to Nexus but should be configured to connect only via the ActiveSync protocol. If you are a BlackBerry user who use BIS, or ActiveSync, to connect to Nexus you will be unaffected regardless of whether we maintain a Nexus BlackBerry Enterprise Service.

• 81% are using a device that’s over five years old.
• The other 19% have 9720 devices (which were first introduced in the summer of 2013).
• The oldest devices in use – an 8310 and an 8800 model – date from 2007.