About This Document

This is the complete IT knowledge transfer reference for Brightwater Senior Living. Use the sidebar to navigate between sections. Everything a successor needs to own the IT function is here: portals, credentials context, recurring duties, active projects, scripts, and vendor contacts.

Credentials are not stored here. All credentials are managed in IT Glue (brightwater-senior-living.itglue.com). This document provides context, purpose, and procedure — not passwords.
Transition context — June 2026
Mark Harper's last day is June 19, 2026. Several properties are mid-transition (Mt. Bachelor offboarding July 1, Capital Crossing ownership transfer in progress, Vacaville onboarding TBD). See the Properties section and Active Projects for details.
IT Request & Approval Process
Anyone at Brightwater can email it@bwliving.com for support; this creates a ticket in Autotask automatically. Before any significant spending or major system change, approval from the property's OAD (Operations and Administration Director) is required. Each community has its own OAD, who is the primary approval authority for IT decisions at that site; the successor will interact with OADs regularly. Do not commit to purchases or changes that affect a community without that property's OAD sign-off. OAD contacts for every community are in the Master Contact List (SharePoint → Brightwater → Collaboration → All Communities → Master Contact List).

Environment Summary

  • M365 Tenant: bwliving.com
  • Azure Subscription: bwautomationcsp
  • Subscription ID: starts with 720fdf80
  • Automation Account: bwautomate
  • Resource Group: bwautomationcsp
  • SharePoint root: bwliving.sharepoint.com
  • Local automation machine: I7TEST01 — desktop in Central Office IDF
  • Local scripts path: C:\Scripts\ on I7TEST01
  • SFTP server: bwlivingftp.com (IP-allowlisted; reachable only from the local network, not from Azure Automation. Anything that must read it has to run on I7TEST01; see the SFTP section.)
  • IT documentation: SharePoint → root site → /IT
  • 21 total communities (10 Canada, 9 US active + 2 in transition)
No On-Call IT Support After June 19, 2026
After Mark Harper’s departure on June 19, 2026, there is no on-call IT support commitment. The incoming IT Manager is not obligated to provide after-hours coverage unless they choose to. The IT helpdesk phone (541-728-0477) transfers with the role, but after-hours support is not a defined expectation.

Properties & Communities

Brightwater Senior Living operates 21 communities across Canada and the United States. Several are currently in transition — see the Status column and Notes.

Active transitions as of June 2026: Mt. Bachelor management transfers July 1, 2026 (Cascade Living Group). Capital Crossing ownership and management transfer in progress (this year). Vacaville onboarding pending — no confirmed start date.
Code | Name | Location | Country | Status | Notes
103-HLD | Highland | Highland, CA | USA | Active |
107-TUX | Tuxedo | Winnipeg, MB | Canada | Active | Sara/eMessenger on-site
108-CAP | Capital Crossing | | | Offboarding | Ownership + management transfer ~September 2026 (date not hard-set). Sara/eMessenger on-site will NOT be decommissioned by BW; the new owners/management will decide what to do with the equipment (owned by Capital Crossing). Ensure IT Glue documentation is exported and delivered. No hard deadline pressure on the IT side beyond documentation.
109-CAR | Carnegie Heights | Henderson, NV | USA | Active | Status Solutions Sara/eMessenger server is installed but not powered on. The BWNV-SARA WiFi SSID exists but is not actively used; the box is dormant. ISP: Lumen (primary, 100Mbps from 08/01/2025).
110-LDR | Linden Pointe | Winnipeg, MB | Canada | Active | Sara/eMessenger on-site
111-RLP | The Residences at Linden Pointe | Winnipeg, MB | Canada | Under Construction | Building not yet complete. Low-voltage contractor will install a unified system on-site and give the IT department access once set up. Not standard HPE Instant On; follow up with the contractor to ensure the handover happens and the system is documented. This is a deviation from BW's standard equipment.
201 | Central Office (BRIGHTWATER LLC) | Bend, OR | USA | HQ | Headquarters. The I7TEST01 automation machine is located in the IDF here.
322-RAV | Ravines Senior Suites | | | Partial | Under KSV conservatorship. Brightwater manages the Senior Suites side only, not the full building. Uses Connexall Care (resident monitoring; not Sentrics/Stratos). Uses Barracuda VPN to reach an RDP server managed by Ashcroft Homes; the IT contact at Ashcroft is Angelo.
351-VSH | The Vista at Sage Hill | Calgary, AB | Canada | Under Construction | Building under construction. BW currently supports a remote sales office only (staff doing sales from that location). The IT\Projects\351 New Network folder is the equipment pitch to the property owners (HPE Instant On standard). Joel Sauter was in communication with the stakeholders; the HP Instant On gateway has since been purchased and is racked on-site as of June 2026. Cutover pending VLAN segmentation work. See the Firewall Swaps project for current status.
361-MLV | Mirror Lake Village | Federal Way, WA | USA | Active | Transition complete; no more weekly meetings. Current open issue: the firewall cutover failed because the existing network is a flat single VLAN whose subnet is wider than HP Instant On gateways support (max /21 per VLAN). The firewall has been purchased and is on-site. Next steps: VLAN segmentation on the existing equipment first, then static IP/gateway changes on 3–4 servers (requires on-site or KVM-over-IP access). See Active Projects for full detail.
401-BDY | The Bradley | Kanata, ON | Canada | Active | Network expansion in progress; firewall EOL. Equipment via CDW Canada. SIP ALG issue: HP Instant On gateways cannot disable SIP ALG, which causes Ansatel phone calls to fail on the new firewalls. A workaround was applied at Heritage Meadows (404-HMS) by Ren (Ansatel's main technician); HMS is the only HP Instant On site with the workaround currently active. It must be applied at each remaining HP Instant On site before the firewall swap, or HP must ship a firmware fix. See the Firewall Swaps project for current per-site status.
402-CDV | Cedarview | Woodstock, ON | Canada | Active | Network expansion in progress.
403-GLC | Guelph Lake Commons | Guelph, ON | Canada | Active | Network expansion in progress.
404-HMS | Heritage Meadows | Cambridge, ON | Canada | Active | Network expansion in progress.
405-RWE | Rosewood Estates | Cobourg, ON | Canada | Active | Network expansion in progress.
406-VCP | Victoria Park | Regina, SK | Canada | Active | Advanced Telecom & Security is the phone system vendor; contact is Curtis Hextall (chextall@advancedtelecom.ca, 306-586-2835). Curtis is the go-to for all Victoria Park phone issues.
451-MB1 | Mt. Bachelor AL/MC | Bend, OR | USA | Offboarding | Management transfer to Cascade Living Group on July 1, 2026. IT inventory in Box (see Files section).
501-ARB | Pine Ridge Terrace | Santa Rosa, CA | USA | Active | BW manages the Assisted Living side only; the Skilled Nursing Facility (SNF) side of the building is not BW-managed. The networks are nominally separated, but legacy connections or shared gear may exist. A site survey is recommended to document where the boundary actually is.
502-SRH | Santa Rosa Hills | Santa Rosa, CA | USA | Active | Not yet open for residents. Staff are working across SRH and Healdsburg (a nearby Brightwater community) during the pre-open phase. Transition meetings may still be active; confirm with leadership (Brooke Hausman was organizing but is leaving).
503-HLB | The Ridge at Healdsburg | Healdsburg, CA | USA | Active | Julie is working with local maintenance to factory reset all APs and re-adopt them to the UniFi cloud key she set up and shipped. WiFi currently works, but IT has no management access (cannot change SSIDs, view stats, or troubleshoot) until adoption is complete.
504-VMC | Vacaville | Vacaville, CA | USA | Upcoming | New property; onboarding pending. No confirmed start date as of June 2026.

Network Expansion — Ontario Properties

A major IDF, WiFi, and switching upgrade is underway at the five Ontario communities (The Bradley, Cedarview, Guelph Lake Commons, Heritage Meadows, Rosewood Estates). Equipment is ordered through CDW Canada. See Active Projects for timeline and next steps.

Key Contacts

Key Vendor Contacts

Vendor | Contact | Phone / Email | Used For
Connection.com | Michael Mara (Presidential Account Manager); Jazlyn Gonzalez (backup); CSP/Azure support: Ofelia Arriaza Velado | michael.mara@connection.com, mobile 360-543-3264; TeamMara@connection.com; jazlyn.gonzalez@connection.com; Azure/CSP support: cloud.support@csp.connection.com | Primary US hardware & software procurement. Azure/CSP quota requests go to cloud support.
CDW Canada | Dominic Smoluch (Executive Account Manager) | Dominic.Smoluch@cdw.ca; Acct #13441984; RMA returns: crreturnsca@cdw.com | Canada hardware: network expansion equipment, Ontario property orders
Relias | Helpdesk (chat on website) | reliaslearning.com | Use the chat box on the Relias website for support. Do not contact individual technicians directly.
Yardi | Sheena Caldow (Account Manager) | sheena.caldow@yardi.com | Primary account manager for all Yardi escalations. For day-to-day support tickets, use the Yardi support portal directly.
Kaseya / IT Glue | Thomas Calcutt (Account Manager) | thomas.calcutt@kaseya.com; 786-228-8027; Renewals: renewals@kaseya.com | Kaseya suite renewals (IT Glue, RMM, etc.)
ScalePad | Edgard Diaz (Billing Coordinator); Poonam Verma (Renewals Manager) | edgard.diaz@scalepad.com; poonam.verma@scalepad.com; 646-413-7746 | Hardware asset lifecycle: warranty, EOL alerts. Annual renewal (~October).
SIB (Procurement Partner) | Jennifer Bettke | jennifer.bettke@aboutsib.com; aboutsib.com | Procurement partner for internet and telecom solutions (including Fusion Connect services). SIB sources the right provider for the region; use them for any new ISP or telecom procurement rather than going to Fusion Connect directly. T&A transfers for existing Fusion accounts: T&A@fusionconnect.com
SafeHarbor Solutions (MSP) | SHS SharePoint | | Managed service provider for the Canada properties
Ansatel | Ren Mann (Lead Technician) | ren@ansatel.ca | Ansatel PBX phone system support for the Ontario properties (401–405: The Bradley, Cedarview, Guelph Lake Commons, Heritage Meadows, Rosewood Estates). Victoria Park (406-VCP, Regina SK) is NOT an Ansatel site; its phone vendor is Advanced Telecom & Security (Curtis Hextall). Ren is the primary technical contact and applied the SIP ALG workaround at Heritage Meadows (404-HMS). Engage Ren before each HP Instant On gateway swap to apply the workaround at that site, or when the HP firmware fix ships. Call him for any Ontario phone system issue.
Advanced Telecom & Security | Curtis Hextall | chextall@advancedtelecom.ca; 306-586-2835 | Victoria Park (406-VCP) phone system vendor. Curtis Hextall is the go-to for all VCP phone issues.
Cascade Living Group | Bill Levine (managing consultant); Tyler Weygandt (principal engineer); John Calhoun (community migrations); Mary Sanders (marketing/domains) | | Incoming management company for Mt. Bachelor (July 1, 2026). Coordinate all IT handover actions through these contacts.

Healdsburg 503-HLB Key Staff

725 Grove Street, Healdsburg, CA 95448 · Main: 707-433-4877

Name | Role | Email
Tristan Amari | Sales & Marketing Director | Tristan.Amari@bwliving.com
Tiffany Leos Escobar | Health Services Director | Tiffany.Leos@bwliving.com
Jennifer Sanchez Flores | Resident Care Coordinator | Jennifer.Flores@bwliving.com
Mitchell Moore | Business Office Manager | Mitchell.Moore@bwliving.com
Ruby Sanchez | Culinary Manager | Ruby.Sanchez@bwliving.com
Anthony Smith | Maintenance Manager | Anthony.Smith@bwliving.com

Recurring Responsibilities

Fully Automated — Monitor for Failures

Task | Frequency | Platform | What It Does / Watch For
User-Cleanup Runbook | Every 4 hrs | Azure Automation (bwautomate) | Finds disabled Entra accounts → disables them in Relias → strips M365 licenses. Logs to the ProcessedDisabledUsers variable. Watch for runbook failures in the Azure portal.
Sync-ReliasGUIDsFromEntra Runbook | Every 4 hrs | Azure Automation (bwautomate) | Syncs Entra ObjectIDs into the Relias globalUniqueId field. Watch for accounts with missing O365 or Entra records; they show as skipped in the logs.
weekly_training_gaps.py | Daily | Local machine I7TEST01 (C:\Scripts\) | Pulls UKG SFTP + Relias API + Aspire SFTP + Aspire LP API and emails an HTML report to it@bwliving.com. If the email stops arriving, check: (1) the script is still scheduled on I7TEST01, (2) its environment variables are set, (3) the SFTP server is reachable.
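As an added example (not the bwautomate runbook's own code, which lives in Azure Automation), the decision logic behind the User-Cleanup runbook, written over constructed records so it runs offline: disabled Entra accounts not already listed in ProcessedDisabledUsers are selected, their licence SKUs are collected for removal, and the processed set is written back so the 4-hourly rerun is idempotent. The Graph field names (id, userPrincipalName, accountEnabled, assignedLicenses) and the assignLicense request shape are real; the object ids, SKU ids, sample users, the protected-account list and the callback names are assumptions.

```python
"""Decision logic of a disabled-user cleanup pass (added example, not the bwautomate runbook).

Assumptions not taken from the handover document: user records have the shape Microsoft Graph
returns for GET /users?$select=id,userPrincipalName,accountEnabled,assignedLicenses; the
Automation variable ProcessedDisabledUsers holds a JSON list of Entra object ids; and the four
admin/service accounts from the Entra accounts table are treated as protected (the document
does not say the real runbook has such a list). The Relias and Graph calls are injected as
callbacks so the module runs offline.
"""
import json
from dataclasses import dataclass, field

# Accounts the pass must never touch even if someone disables them by mistake (assumption).
PROTECTED_UPNS = (
    "365admin@bwliving.onmicrosoft.com",
    "bwadmin@bwliving.com",
    "itg@bwliving.com",
    "mastercontactsvc@bwliving.com",
)

# Constructed sample data; ids, UPNs and SKU ids are placeholders.
SAMPLE_USERS = [
    {"id": "0001", "userPrincipalName": "active.user@bwliving.com", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "sku-business-premium", "disabledPlans": []}]},
    {"id": "0002", "userPrincipalName": "left.employee@bwliving.com", "accountEnabled": False,
     "assignedLicenses": [{"skuId": "sku-business-premium", "disabledPlans": []},
                          {"skuId": "sku-teams-phone", "disabledPlans": []}]},
    {"id": "0003", "userPrincipalName": "already.done@bwliving.com", "accountEnabled": False,
     "assignedLicenses": []},
    {"id": "0004", "userPrincipalName": "ITG@bwliving.com", "accountEnabled": False,
     "assignedLicenses": [{"skuId": "sku-business-premium", "disabledPlans": []}]},
]
SAMPLE_PROCESSED = json.dumps(["0003"])  # what ProcessedDisabledUsers would hold before the pass


@dataclass
class CleanupPlan:
    relias_disable: list = field(default_factory=list)    # UPNs to disable in Relias
    license_removals: dict = field(default_factory=dict)  # UPN -> SKU ids to remove
    skipped: list = field(default_factory=list)           # (UPN, reason) for the log
    processed: set = field(default_factory=set)           # new content of ProcessedDisabledUsers


def plan_cleanup(users, processed_json, protected_upns=PROTECTED_UPNS):
    """Work out what one pass should do without changing anything (safe to dry-run)."""
    already = set(json.loads(processed_json or "[]"))
    protected = {p.lower() for p in protected_upns}
    plan = CleanupPlan(processed=set(already))
    for user in users:
        upn = user["userPrincipalName"].lower()
        if user["accountEnabled"]:
            continue  # only disabled Entra accounts are in scope
        if user["id"] in already:
            plan.skipped.append((upn, "already processed"))
            continue  # idempotent: a 4-hourly rerun must not hit Relias again
        if upn in protected:
            plan.skipped.append((upn, "protected account"))
            continue  # stays in the log every run until a human looks at it
        plan.relias_disable.append(upn)
        skus = [lic["skuId"] for lic in user.get("assignedLicenses", [])]
        if skus:
            plan.license_removals[upn] = skus
        plan.processed.add(user["id"])
    return plan


def license_removal_body(sku_ids):
    """Request body for POST /users/{id}/assignLicense that strips the given SKUs."""
    return {"addLicenses": [], "removeLicenses": list(sku_ids)}


def serialize_processed(plan):
    """Value to write back to the ProcessedDisabledUsers Automation variable."""
    return json.dumps(sorted(plan.processed))


def apply_cleanup(plan, relias_disable, remove_licenses):
    """Execute a plan through callbacks relias_disable(upn) and remove_licenses(upn, body)."""
    for upn in plan.relias_disable:
        relias_disable(upn)
        if upn in plan.license_removals:
            remove_licenses(upn, license_removal_body(plan.license_removals[upn]))
    return serialize_processed(plan)


if __name__ == "__main__":
    p = plan_cleanup(SAMPLE_USERS, SAMPLE_PROCESSED)
    new_var = apply_cleanup(p, lambda u: print("relias disable", u),
                            lambda u, b: print("assignLicense", u, b))
    print("skipped:", p.skipped)
    print("ProcessedDisabledUsers ->", new_var)
```

The two properties worth preserving in whatever the real runbook does are visible here: the pass is planned before anything is executed, so a failure log can be compared against the plan, and the processed list is the only thing that stops a 4-hourly schedule from re-disabling the same Relias login forever.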

Manual Regular Tasks

Task | Frequency | Priority | Notes
Refresh Master Contact List on I7TEST01 | Weekly | High | Open the Master Contact List file on I7TEST01 and click Refresh to sync it with current active employees from SharePoint. The auto365.ps1 account creation script reads this local copy to determine notification recipients; if it goes stale, new account notifications go to the wrong people. Local path: C:\Users\MasterContactlistSer\Brightwater\Brightwater - Brightwater\Collaboration\All Communities\Master Contact List\MASTER-contact list -BW + Ventas + Griffin.xlsx
Approve Yardi Invoices | Weekly | High | Review and approve invoices in YardiOne.
Follow-up on Blocked/Waiting Tasks | Weekly | Medium | Review the Motion task list for items blocked on external dependencies; chase outstanding items. ~30 min.
Email Quarantine | As needed | Low | Users can release their own quarantined email. An ongoing project aims to disable the quarantine layer entirely, pending Coro confirming full blocking; the change is a GoDaddy SMTP setting (send through vs. quarantine). Not yet complete; see Active Projects.
M365 Service Health Check | Weekly | Medium | Review the Service Health dashboard for active incidents affecting users.
Credit Card Receipt Collection | As requested | Medium | Sierra (AP/Finance) sends requests for vendor receipts. Log into each vendor's billing portal, download the receipt, and forward it to her. Triggered on demand, not on a fixed schedule.
Bill Audits / Contract Review | Annual | Medium | Not a monthly task: do a full audit once, then maintain annually to confirm good pricing and eliminate service overlap. Process: pull vendor invoices from Yardi, then work directly with each vendor to cross-reference the invoice against what is actually in use. No template; this is a vendor-by-vendor conversation. Part of the audit is documenting the CMAC: the MAC address (or serial number if the MAC isn't visible) from the label on the ISP-provided router/modem at each property. This ties the physical hardware to the billing record so you can confirm the right circuit is being invoiced. Walk the label at each site or pull it remotely if the device is manageable. Billout spreadsheets in IT\Monthly Billouts\.
Report KPIs to Joel Sauter | Monthly | High | Prepare and deliver the IT KPI report to Joel Sauter. ~2 hours. Covers helpdesk metrics, project status, uptime.
Rogers Mobile Billing Review | Monthly | Medium | Review Canadian mobile billing at Rogers Business. Check for overages or deactivated lines still billing. Breakdown spreadsheet: IT\Monthly Billouts\Rogers Breakdown.xlsx.
Apple / Intune Token Renewal | Annual | High | Renew the ABM DEP token and VPP token in Intune before expiry. Links: ABM Sync, VPP Sync. Expiry is shown in the Intune portal; set a calendar reminder 30 days ahead.

Recurring Meetings

Meeting | Cadence | Time (PT) | Location | Organizer | Purpose
BW Department Head Monthly Meeting | Monthly | 1st Tuesday of the month, 2–3 PM | Teams + Bend Conference Room | TBD (Brooke Hausman is leaving) | Cross-department communication, BW-wide issues and growth. Communicate relevant items to your team afterward; not meant for community-specific issues.
Santa Rosa Hills Transition Meeting | Weekly | Wednesday, 12–12:30 PM | Bend Conference Room | TBD (Brooke Hausman is leaving) | Transition status for Santa Rosa Hills. Come prepared with an IT status update and open items. Agenda finalized one day prior. Confirm with leadership whether it is still active and who has taken over organizing.
BW University / Relias / UKG Sync | Ad hoc | | Teams | Cynthia Sinclair | Discuss Relias integration with BW University and how often systems sync with UKG for reporting. Attendees: Cynthia Sinclair, McKenzie Sauer, IT.

Active Projects — Needs Handoff

All projects below are in progress as of June 2026. Each needs an assigned owner before June 19. Contact details and next steps are included per project. Full project files are in IT\Projects\ on OneDrive.
Project | Status | Current Stage | Next Steps & Owner
Ontario Network Expansion (401-BDY · 402-CDV · 403-GLC · 404-HMS · 405-RWE) | In Progress | Site Survey |
  • Electrician completing site surveys at each Ontario location (Heritage Meadows first — cabling June 12–13)
  • Key constraint: cat5e cable runs must not exceed 300 ft
  • Scope approval deadline: Aug 25, 2026 | Equipment order deadline: Oct 21, 2026
  • Equipment vendor: CDW Canada. Project files: DBL Q spreadsheets per site in IT\Projects\
  • All Ontario firewalls are EOL and out of support — security keys expired. Being replaced with HP Instant On gateways. New firewalls are purchased and sitting at each site, uninstalled.
  • SIP ALG issue (critical, open case): HP Instant On gateways cannot disable SIP ALG, which breaks Ansatel phone calls on the new firewalls. Two paths to resolution: (a) Ren (Ansatel main technician) applies the workaround he used at Heritage Meadows to each remaining site before its firewall swap, or (b) HP ships a firmware fix. HPE Support Case 5401727045 is open with HPE Aruba ERT; Engineering Ticket SMB-37530 has been filed with HP's development team. HPE contact: Mohd Saif Khan (mohammad-saif.khan@hpe.com). Joel Sauter owns this case after June 19 (see Firewall Swaps); it must be tracked until HP resolves it.
Payroll Automation | In Progress | Validation & Trust Building |
  • Power Automate flow — full documentation in IT Glue
  • Accounting team reviewing automated CSV against manually created one
  • Document discrepancies → adjust automation → get sign-off
  • Final stage: transition payroll from manual CSV to automated process
  • Target completion: Aug 21, 2026
  • Contact: Lauren Buccola (lauren.buccola@bwliving.com)
Offboard Mt. Bachelor (451-MB1) | In Progress | Active (Cascade intro meeting held June 4) |
  • Management transfers to Cascade Living Group on July 1, 2026
  • Cascade contacts: Bill Levine (managing consultant), Tyler Weygandt (principal engineer), John Calhoun (community migrations)
  • Mark's open action items: Chromebook inventory → Cascade; IT Glue export → Cascade; Aruba Instant On cloud site transfer; Autopilot device export; floor plans with AP locations; Fusion VoIP cloud controller access; local admin accounts + Cascade RMM agent push; phone number porting plan; Coro security uninstall docs; domain/website details → Mary Sanders
  • Environment: 25 managed Windows workstations, 6 EHR + 3 training Chromebooks, HP Instant On 1930 switches (PoE), Aruba WAPs, Syscore eCall, Fusion VoIP, AT&T iPhones (ABM), Coro endpoint security
  • IT inventory in Box — see Files section
Capital Crossing Offboard (108-CAP) | In Progress | Ownership transfer | Ownership and management transfer in progress, expected around September 2026 (date not hard-set). The on-site Sara/eMessenger system is owned by Capital Crossing and will NOT be decommissioned by BW; the new owners/management decide what happens to it. IT's deliverable is an exported copy of the site's IT Glue documentation, handed over before the transfer. Monitor for timeline confirmation from leadership.
Santa Rosa Hills Transition (IT) | In Progress | Weekly meetings active | Ongoing. Weekly Wednesday meeting at 12–12:30 PM PT; come with an IT update and open items. Brooke Hausman (meeting organizer) is leaving; confirm with leadership who is taking over and whether the meeting cadence continues.
Vacaville Onboarding (504-VMC) | Upcoming | Pending start date | New property; no confirmed start date as of June 2026. Watch for a leadership announcement. When it kicks off, start with the New Community Transition Questionnaire in IT Glue: the standard 33-item intake checklist covering network, servers, printers, PCs, MDM, telecom, ISP, software licensing, mobile devices, and external accounts. Complete it before making any changes so you understand what is already in place.
New Microsoft SharePoint Page Launch | In Progress | | New SharePoint intranet page being stood up. Brooke Hausman (previous coordinator) is leaving; confirm with leadership who is taking ownership of content and structure. Project folder: IT\Projects\Sharepoint Consolidation\.
Windows 10 Replacement | In Progress | Majority replaced | The majority of Windows 10 devices have been replaced. Remaining units either were not in the original inventory or were repurposed as training computers. Recommendation for the remaining devices: convert them to Chrome OS Flex; the IT team already knows the process and it is the cleanest path for training-only machines. Project files: IT\Projects\Windows 10 Replacement\.
Firewall Swaps | In Progress | Multiple sites | Firewall replacements across multiple sites. Per-site status as of June 2026:
  • 361-MLV Mirror Lake Village — HP Instant On purchased and racked on-site. Cutover not yet complete — blocked by VLAN segmentation work required first. See MLV VLAN Segmentation & Firewall Cutover project.
  • 503-HLB Healdsburg — HP Instant On installed and in production. Complete
  • 451-MB1 Mt. Bachelor ALMC — HP Instant On installed and in production. Complete
  • 451-MB2 Mt. Bachelor MC — HP Instant On installed and in production. Complete
  • 501-ARB Pine Ridge Terrace — HP Instant On installed and in production. Complete
  • 404-HMS Heritage Meadows — HP Instant On installed and in production. Ren (Ansatel) has applied the SIP ALG workaround here — only HP Instant On site with the workaround currently applied. Complete
  • 401-BDY The Bradley — New WatchGuard firewall on-site in a box, not yet installed.
  • 402-CDV Cedarview — New WatchGuard firewall on-site in a box, not yet installed.
  • 403-GLC Guelph Lake Commons — New WatchGuard firewall on-site in a box, not yet installed.
  • 405-RWE Rosewood Estates — New WatchGuard firewall on-site in a box, not yet installed.
  Note: these four entries say WatchGuard, but the Ontario Network Expansion entry above says the Ontario firewalls are being replaced with HP Instant On gateways, and the MLV entry was itself corrected from WatchGuard to HP Instant On on June 10. Confirm the model of the boxed unit at each site before scheduling its cutover; the SIP ALG workaround and the open HPE case only apply if the replacement is HP Instant On.
SIP ALG: Must contact Ren (Ansatel) before each remaining HP Instant On cutover — call quality fails post-swap without the workaround. Open HPE Support Case 5401727045 / Engineering Ticket SMB-37530. Joel Sauter owns this case after June 19; HPE contact: Mohd Saif Khan.
Ventas contractor (BDY/CDV/GLC/HMS/RWE): Physical installation is handled by a low-voltage/wiring contractor — not Brightwater IT. Chad and Kyle have the contractor name and contact; Joel Sauter overseeing. Must be documented in IT Glue before cutover begins at any of these sites.
Site-specific configs and order records in IT\Projects\Firewall Swaps\.
Factory Reset & Cloud Controller — Healdsburg (503-HLB) | In Progress | Nearly complete | Owner: Julie. Julie is running this project end-to-end, coordinating with local Healdsburg maintenance to factory reset each AP and re-adopt it to the UniFi cloud key she configured and shipped to the site. One task remains: confirm cloud key delivery. Julie shipped the cloud key but did not record a tracking number and does not know whether it arrived. Next step: have Anthony Smith (Maintenance Manager, Anthony.Smith@bwliving.com) physically check for the package on-site. Until the cloud key is confirmed on-site and the APs are adopted, Brightwater IT has no remote management access to the Healdsburg network.
Manager Field Cleanup & Automation (O365) | In Progress | Low priority |
  • Immediate (bulk fix): Update the Manager field for all existing Entra/O365 users based on the current org chart. The hierarchy stops at the RCMS level — anyone above RCMS should not have a manager populated. Deadline: Jul 31, 2026.
  • Future (automate at account creation): The manager field should be set automatically when a new account is created in O365/Entra. This could be built into the CreateO365User PowerShell script in IT\Scripts\, or handled via a Power Automate flow triggered on Entra account creation. Whoever picks up account creation scripts should scope this improvement.
Yardi Security Group Cleanup | In Progress | Voyager 8 migration | Cleaning up Yardi security groups as part of the Voyager 8 upgrade. Files: IT\Projects\Yardi Security Group Cleanup\.
Voyager 8 Senior EHR Go-Live | In Progress | Go-live June 15, 2026 |
  • Yardi Voyager 8 EHR go-live is June 15 — 4 days before Mark's last day
  • Permissions review meeting held May 26; Health Services requested changes — Mark and Brighton working through these together so Brighton can take ownership
  • Brighton must own this project after June 19
UKG → Yardi Python ETL Integration | In Progress | Design / kickoff |
  • Purpose: Eliminates ~30 min/community of manual Excel work currently performed by Lael (Accounting) — pulling employee records from UKG and transforming them into a Yardi-compatible import format
  • Architecture: Python-based SFTP pull + ETL transformation + Yardi upload. Intended to run in Azure Automation (bwautomate). Note: if it needs to reach the bwlivingftp.com SFTP server, it must run on I7TEST01 instead (Azure cannot reach that server — see SFTP section). Confirm data source with Lael before finalizing the hosting decision.
  • Requirements: Document the full data mapping (UKG field → Yardi field), transformation logic, and schedule. Store the runbook in IT Glue when complete — this is a critical accounting dependency.
  • Kickoff meeting: Recorded with Lael, May 26, 2026 — recording in Teams. Review before resuming development.
  • Expected completion: 60–90 days from May 2026
  • Handoff contact: Lael (Accounting) — she owns the process requirements side
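The requirements bullet above asks for a documented UKG-field-to-Yardi-field mapping and transformation logic. Added here as an example of what that deliverable can look like in code (this is not the project's code, which has not been written yet): a mapping table, the validation a payroll-feeding job needs (required fields, date normalisation, duplicate and unknown-property rejection), and a serialiser in the target column order. Every column name, the MM/DD/YYYY and ISO date formats, the A/T status codes and the sample CSV are assumptions; substitute the mapping agreed with Lael and store it in IT Glue.

```python
"""UKG -> Yardi employee ETL skeleton (added example; not the project's code).

Every column name below is hypothetical: the document says the UKG->Yardi field mapping is
still to be written, so this shows the shape of a mapping plus the validation a payroll-feeding
job needs (required fields, date normalisation, duplicate and unknown-property rejection).
The sample CSV is constructed and its bad rows are deliberate.
"""
import csv
import io
from datetime import datetime

# Hypothetical mapping UKG column -> Yardi column. Replace with the agreed mapping in IT Glue.
FIELD_MAP = {
    "EmployeeID": "EmpCode",
    "FirstName": "FirstName",
    "LastName": "LastName",
    "HireDate": "StartDate",
    "Location": "PropertyCode",
    "JobTitle": "Title",
    "Status": "Active",
}
REQUIRED_UKG = ("EmployeeID", "FirstName", "LastName", "HireDate", "Location")
KNOWN_PROPERTIES = {"404-HMS", "503-HLB", "361-MLV"}  # would be fed from the property list

# Constructed sample export.
SAMPLE_UKG_CSV = """EmployeeID,FirstName,LastName,HireDate,Location,JobTitle,Status
1001,Ana,Lopez,03/04/2024,404-HMS,Care Aide,A
1002,Ben,Okafor,11/20/2023,503-HLB,Maintenance Manager,T
1003,,Smith,01/15/2025,361-MLV,Cook,A
1004,Dee,Park,05/01/2025,999-XXX,Nurse,A
1001,Ana,Lopez,03/04/2024,404-HMS,Care Aide,A
"""


def normalise_date(ukg_value):
    """UKG exports MM/DD/YYYY (assumed); the Yardi import wants ISO YYYY-MM-DD (assumed)."""
    return datetime.strptime(ukg_value.strip(), "%m/%d/%Y").strftime("%Y-%m-%d")


def transform_row(row):
    """Map one UKG record to a Yardi record, or return (None, reason) when it must be rejected."""
    missing = [f for f in REQUIRED_UKG if not row.get(f, "").strip()]
    if missing:
        return None, f"missing {', '.join(missing)}"
    if row["Location"].strip() not in KNOWN_PROPERTIES:
        return None, f"unknown property {row['Location']}"
    try:
        start = normalise_date(row["HireDate"])
    except ValueError:
        return None, f"bad HireDate {row['HireDate']!r}"
    out = {yardi: row.get(ukg, "").strip() for ukg, yardi in FIELD_MAP.items()}
    out["StartDate"] = start
    out["Active"] = "Y" if row["Status"].strip().upper() == "A" else "N"  # assumed code set
    return out, None


def run_etl(ukg_csv_text):
    """Transform a whole export. Returns (yardi_rows, rejects); rejects are (line_no, reason).

    Rejected rows are reported, never silently dropped: a missing employee in the Yardi
    import is exactly the discrepancy the accounting team has to chase by hand today.
    """
    rows, rejects, seen = [], [], set()
    reader = csv.DictReader(io.StringIO(ukg_csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        out, reason = transform_row(row)
        if out is None:
            rejects.append((line_no, reason))
            continue
        if out["EmpCode"] in seen:
            rejects.append((line_no, f"duplicate EmpCode {out['EmpCode']}"))
            continue
        seen.add(out["EmpCode"])
        rows.append(out)
    return rows, rejects


def to_yardi_csv(rows):
    """Serialise in the column order Yardi expects (order assumed)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(FIELD_MAP.values()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    good, bad = run_etl(SAMPLE_UKG_CSV)
    print(to_yardi_csv(good))
    for line_no, reason in bad:
        print(f"rejected line {line_no}: {reason}")
```

Wherever this ends up hosted (bwautomate or I7TEST01, per the SFTP note above), the reject list should go into the same email or log the accounting team already watches, so the automated run fails loudly in the same place the manual process used to.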
AI / Copilot Rollout Policy | In Progress | Policy drafted, pending rollout |
  • All AI blacklisted at community level except Copilot — chrome.exe also needs blacklisting due to embedded Gemini
  • Advanced AI (Claude) available to approved individuals by exception
  • Quintin/Tactical Area Directors must be briefed before community blacklist goes live
Teams Phone Extensions | In Progress | Brighton (in progress) | Adding phone extensions to Teams calling across properties. Brighton Griffin is the owner. Target: complete within weeks of May 26.
Heritage Meadows Network Expansion | In Progress | Imminent (cabling June 12–13) | Heritage Meadows is the first of the 5 Ontario properties in the network expansion. Wi-Fi equipment ordered, cabling scheduled June 12–13. All other Ontario properties begin after Heritage Meadows completes.
MLV — VLAN Segmentation & Firewall Cutover | In Progress | Blocked (VLAN work required first) |
  • MLV transition is complete but the firewall cutover failed: the existing flat single-VLAN network uses a subnet wider than an HP Instant On gateway supports (max /21 per VLAN)
  • Firewall has been purchased and is on-site
  • Step 1: Implement VLAN segmentation on existing equipment to break up the wide subnet
  • Step 2: Update static IPs and gateways on 3–4 servers that have static configs — must be done on-site or via KVM-over-IP (recommended: plug a KVM-over-IP into the server so you can manage it remotely even when the NIC changes VLANs)
  • Step 3: Swap firewall once VLANs and statics are resolved
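A worked version of Steps 1 and 2, added here as an example rather than any Brightwater tooling: split a flat subnet into VLAN-sized pieces no wider than /21 and report, for each statically addressed server, which VLAN it lands in and which settings change. The flat subnet 10.50.0.0/19, the server list, the VLAN numbering and the convention that each VLAN's gateway is its first usable address are constructed assumptions; MLV's real addressing is not in this document. Only the /21 ceiling comes from the page.

```python
"""VLAN segmentation planner (added example; not Brightwater's tooling).

Assumptions: the flat network, the server addresses, the VLAN ids and the
"gateway = first usable address of each VLAN" convention are constructed for illustration.
The /21 ceiling is the HP Instant On limit quoted in the handover document.
"""
import ipaddress

MAX_VLAN_PREFIX = 21  # an HP Instant On gateway accepts at most a /21 per VLAN (per the doc)

# Constructed sample: a flat /19 with every static host pointed at one gateway.
FLAT_SUBNET = "10.50.0.0/19"
OLD_GATEWAY = "10.50.0.1"
STATIC_HOSTS = {
    "dc01": "10.50.1.10",
    "fs01": "10.50.9.20",
    "ehr-app": "10.50.20.5",
    "print-srv": "10.50.1.40",
}


def split_flat_subnet(flat_cidr, max_prefix=MAX_VLAN_PREFIX):
    """Cut a subnet into equal pieces no wider than /max_prefix; unchanged if it already fits."""
    net = ipaddress.ip_network(flat_cidr, strict=True)
    if net.prefixlen >= max_prefix:
        return [net]
    return list(net.subnets(new_prefix=max_prefix))


def plan_static_hosts(flat_cidr, static_hosts, old_gateway, max_prefix=MAX_VLAN_PREFIX):
    """For each static host, the VLAN it falls into after the split and the settings to change.

    Returns {name: {...}} ordered by VLAN. A host keeps its IP; what changes is the mask
    (always, because every piece is narrower than the flat subnet) and usually the gateway.
    A host outside the flat subnet is a data error and raises rather than being dropped.
    """
    flat = ipaddress.ip_network(flat_cidr, strict=True)
    vlans = split_flat_subnet(flat_cidr, max_prefix)
    old_gw = ipaddress.ip_address(old_gateway)
    result = {}
    for name, ip_str in static_hosts.items():
        ip = ipaddress.ip_address(ip_str)
        if ip not in flat:
            raise ValueError(f"{name} ({ip}) is not inside {flat}")
        idx = next(i for i, v in enumerate(vlans) if ip in v)
        vlan = vlans[idx]
        new_gw = vlan.network_address + 1  # convention assumed here, not from the document
        result[name] = {
            "ip": str(ip),
            "vlan_id": 10 * (idx + 1),  # hypothetical numbering scheme
            "subnet": str(vlan),
            "old_mask": str(flat.netmask),
            "new_mask": str(vlan.netmask),
            "old_gateway": str(old_gw),
            "new_gateway": str(new_gw),
            "gateway_changes": new_gw != old_gw,
            # Changing mask or gateway on the box you are logged into drops that session,
            # so every static host is flagged for console or KVM-over-IP access.
            "needs_out_of_band": True,
        }
    return dict(sorted(result.items(), key=lambda kv: (kv[1]["vlan_id"], kv[0])))


def summarize(plan):
    """Group hosts by target VLAN so the change window can be ordered VLAN by VLAN."""
    by_vlan = {}
    for name, info in plan.items():
        by_vlan.setdefault(info["subnet"], []).append(name)
    return by_vlan


if __name__ == "__main__":
    for vlan in split_flat_subnet(FLAT_SUBNET):
        print("VLAN candidate:", vlan, "mask", vlan.netmask)
    for name, info in plan_static_hosts(FLAT_SUBNET, STATIC_HOSTS, OLD_GATEWAY).items():
        print(name, info["ip"], "->", info["subnet"], "gw", info["new_gateway"],
              "(gateway changes)" if info["gateway_changes"] else "(mask only)")
```

The point the planner makes visible is that even the servers that stay in the first /21 still need a mask change, so none of the 3–4 static hosts can be reconfigured purely over the network; the DHCP scopes on the existing equipment also have to be recreated per VLAN before the gateway swap in Step 3.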
Email Quarantine Disable | In Progress | Waiting on Coro confirmation | Plan to eliminate the M365 quarantine layer; users can already release their own email, so the quarantine is redundant. Change: update the GoDaddy SMTP setting to pass email through rather than quarantine. Waiting on Coro to confirm it will block all threats before pulling the trigger. Not yet complete.
Mt. Bachelor — Security Camera Retrieval | In Progress | Must complete before July 1 |
  • The security camera system on-site (local NVR + WiFi camera) is Brightwater property — not Mt. Bachelor's or Cascade's
  • Equipment must be retrieved before the July 1 transfer
  • Secondary project: moving the camera from the small building to the bigger building to capture kitchen activity — low priority, but retrieval is non-negotiable regardless
  • Camera system serves as a BW R&D demo (unified local NVR + wireless camera proof-of-concept)
After-Hours Escalation Path | In Progress | Owner: Julie | Julie is working with the Executive Directors at each community to establish preferred after-hours communication and escalation paths, including collecting cell phone numbers. When complete, this defines what the IT team does when something critical goes down outside business hours (internet outage, phone system failure, Yardi down, etc.). The successor should follow up with Julie to confirm where this information will live and make sure they have access to it before day one.
111-RLP Residences at Linden Pointe — Contractor Follow-Up | Pending | Building under construction | The low-voltage contractor has agreed to install a unified system and hand the IT department access once complete. The system is non-standard (not HPE Instant On). Follow up to ensure the handover actually happens, obtain credentials and documentation (credentials go into IT Glue), and assess whether the equipment meets BW standards or needs to be replaced.
Zebra Devices — Mobile Workstation Pilot | Pending | No property selected yet | Evaluating Zebra mobile workstations as a replacement for property phones, intended for frontline care staff. The quote from Michael Mara (Connection.com) is in Mark's email. High upfront cost means this is better suited to a capital plan (CAPEX) than OPEX. Original idea: roll out to the next community needing a phone system replacement. No property has been selected yet. See IT\Projects\Zebra Devices\ for comparison spreadsheets and CDW quotes.
Ventas Communities — Phone System Replacement | Pending | Replacement plan not yet actioned | A phone system was deployed to the 5 Ventas-owned Ontario communities approximately 2 years ago. Communities are unhappy with both the phones and the vendor's support. Affected properties: The Bradley (401-BDY), Cedarview (402-CDV), Guelph Lake Commons (403-GLC), Heritage Meadows (404-HMS), Rosewood Estates (405-RWE). Replacement plan: migrate to a Fusion Connect hosted VoIP solution, consistent with the setup at Mt. Bachelor ALMC (451-MB1), noting that Mt. Bachelor's Fusion Connect controller transfers to Cascade Living Group on July 1, 2026. CAPEX quote on file: IT\Projects\CAPEX\2024\Ventas Phone System Replacement.pdf. Project files: IT\Projects\Ventas Phones\. Not yet actioned; the successor should follow up with the Ventas community EDs and assess the timeline.
401-BDY (The Bradley) — WiFi Expansion | Pending | Planned | WiFi expansion project planned for The Bradley (401-BDY). Quote on file: IT\Projects\CIP\2026\PCC Quote 13882807_01.pdf. Check with leadership for approval status and timeline before departure.
Entra Security Group Cleanup | In Progress | Ongoing | Audit and clean up Entra ID (Azure AD) security groups: remove stale groups, consolidate where possible, and ensure group membership reflects current roles. Files: IT\Projects\Entra Security Group Cleanup\ (includes Allgroups.xlsx and the Comprehensive Permissions 2025-12-11 export). Plan.docx in the folder outlines the approach.
Shared Mailbox Cleanup | In Progress | Ongoing | Audit shared mailboxes in M365: remove unused ones, confirm access is correctly scoped, and ensure no shared mailbox is consuming a paid license unnecessarily. Project files: IT\Projects\Shared Mailbox Cleanup\.
SharePoint Consolidation | In Progress | Ongoing | Consolidate and clean up the SharePoint structure across all communities. Goal: a single consistent folder hierarchy across all properties. Files: IT\Projects\Sharepoint Consolidation\.
Aspire Department Rollout | In Progress | All properties have access; HR & Health Services active | Aspire is live at all properties, but only HR and Health Services are actively using it. Remaining departments need to migrate their training materials and documentation to Aspire; IT facilitates the upload once each department has reorganized its content. Next department: Dining, pending their internal document cleanup before upload. The successor should follow up with department heads (Dining first) to keep momentum. Project files: IT\Projects\Aspire Rollout\.
New Security Suite Evaluation | Complete | Decision made: Coro selected | Evaluated replacing OpenVPN, Office E3 bundles, and Defender for O365 with a consolidated security approach. The comparison included Coro Complete, Microsoft Sentinel, and various M365 license tier combinations. Decision: Coro for endpoint security; Business Premium as the primary license tier. Evaluation spreadsheet: IT\Projects\New Security Suite\New Security Suite.xlsx.
MLV Firewall — HP Instant On confirmed (not WatchGuard)
Confirmed June 10 2026: Mirror Lake Village is receiving an HP Instant On gateway, not a WatchGuard. The Firewall Swaps project entry has been corrected to reflect this.
Added 2026-06-10

Microsoft 365 & Azure Systems

Admin & Service Accounts in Entra All credentials are in IT Glue; this table documents purpose only.

Account | Role(s) | Purpose / Notes
365admin@BWLiving.onmicrosoft.com | Global Administrator, Purview Content Admin | Break-glass / emergency admin account. Uses the tenant's native onmicrosoft.com domain, so it still works if the bwliving.com domain has DNS or federation issues. Keep this account active and its credentials current in IT Glue at all times. Check whether it is excluded from the Conditional Access MFA policy and whether its sign-ins raise an alert: Microsoft's guidance for break-glass accounts is to exclude them from Conditional Access and alert on any use, because a policy that requires the same Authenticator app as everyone else locks the break-glass account out during exactly the outages it exists for.
bwadmin@bwliving.com | Global Administrator | Autopilot enrollment account. Must always have an E3 license assigned (see device provisioning section). Also pushed as a local admin to all enrolled devices via Datto RMM Initial Audit job #12. Note the exposure: one credential that is both a Global Administrator and a local administrator on every workstation. Review whether Global Administrator is actually required for the enrollment role, and treat any sign of this password outside IT Glue as a tenant-wide incident.
ITG@bwliving.com | Global Administrator | IT Glue service account. Used by IT Glue to sync with M365. Do not delete or disable; the IT Glue integration will break.
mastercontactsvc@bwliving.com | User Administrator | Syncs the Master Contact List from SharePoint down to I7TEST01 locally. The auto365.ps1 account creation script reads this local copy to determine who to notify when a new account is created. Sync is manual: a user must open the Master Contact List file on I7TEST01 and click Refresh weekly so it stays current with active employees. If this is not done regularly, account creation notifications may go to stale contacts. If this account is disabled, the sync fails entirely. Local file path on I7TEST01: C:\Users\MasterContactlistSer\Brightwater\Brightwater - Brightwater\Collaboration\All Communities\Master Contact List\MASTER-contact list -BW + Ventas + Griffin.xlsx. Credentials in IT Glue.
brighton.admin.griffin@bwliving.com | Global Administrator | Brighton Griffin's dedicated admin account (separate from his standard user account). Used for IT admin tasks.
julie.admin.stanfield@bwliving.com | Global Administrator, Purview Content Writer, Device Local Admin | Julie Stanfield's dedicated admin account.
mark.admin.harper@bwliving.com | Global Administrator, Purview Content Admin, Attribute Admin | Mark Harper's admin account. Disable and remove roles on or before June 19, 2026.
sierra.watson@bwliving.com | Billing Administrator | Sierra Watson, Billing Admin for M365 subscription management.
steve@bwliving.com | SharePoint Administrator | Steve Yates, SharePoint Admin.
bwautomate (service principal) | License Administrator, Exchange Administrator | Azure Automation service principal, used by the bwautomate runbooks to manage licenses and Exchange settings. Do not remove these role assignments.
ManageEngine SPMP Client - 497726 and ManageEngine SPMP Client - 720850 (service principals) | Exchange Administrator | Stale: ManageEngine is no longer used. Remove the role assignments and delete both service principals from Entra to reduce the attack surface. Safe to delete.
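An added example (not from the handover document) of how to produce the role inventory the table above is meant to match, so that stale principals like the ManageEngine clients and any admin not listed here stand out. It uses the Microsoft.Graph PowerShell SDK with real cmdlets; the role list and the cleanup cmdlets at the end are the parts to adapt.

```powershell
# Added example, not part of the original handover doc.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
# signInActivity needs AuditLog.Read.All and an Entra ID P1 license in the tenant
# (Business Premium includes P1).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","AuditLog.Read.All" -NoWelcome

# Roles that appear in the admin account table above; extend as needed
$rolesToCheck = @("Global Administrator", "Exchange Administrator", "User Administrator",
                  "License Administrator", "SharePoint Administrator", "Billing Administrator")

$report = foreach ($roleName in $rolesToCheck) {
    # Get-MgDirectoryRole lists only roles that have been activated in this tenant
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $member.AdditionalProperties['@odata.type']
        switch ($type) {
            '#microsoft.graph.user' {
                $u = Get-MgUser -UserId $member.Id -Property "userPrincipalName,accountEnabled,signInActivity"
                [pscustomobject]@{ Role = $roleName; Type = 'User'; Name = $u.UserPrincipalName
                                   Enabled = $u.AccountEnabled
                                   LastSignIn = $u.SignInActivity.LastSignInDateTime }
            }
            '#microsoft.graph.servicePrincipal' {
                # Service principals (bwautomate, ManageEngine SPMP clients, ...) have no sign-in activity here
                $sp = Get-MgServicePrincipal -ServicePrincipalId $member.Id
                [pscustomobject]@{ Role = $roleName; Type = 'ServicePrincipal'; Name = $sp.DisplayName
                                   Enabled = $sp.AccountEnabled; LastSignIn = $null }
            }
            default {
                [pscustomobject]@{ Role = $roleName; Type = $type; Name = $member.Id
                                   Enabled = $null; LastSignIn = $null }
            }
        }
    }
}

$report | Sort-Object Role, Type, Name | Format-Table -AutoSize

# Anything listed that is not in the admin account table needs an owner or removal.
# To remove a stale service principal's role assignment and then the principal itself
# (object IDs are placeholders; take them from the report):
#   Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId '<spObjectId>'
#   Remove-MgServicePrincipal -ServicePrincipalId '<spObjectId>'
```

Get-MgDirectoryRoleMember shows only active (permanent) assignments; if PIM eligible assignments are ever introduced, they have to be reviewed separately under Entra → Identity Governance → Privileged Identity Management.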
Multi-Factor Authentication (MFA) MFA is enforced for all M365 users with no exceptions via Entra Conditional Access policies. The policy itself lives under Entra ID → Protection → Conditional Access → Policies; the on-site networks it treats as trusted are defined under Conditional Access → Named Locations.

Trusted locations: Property on-site networks are added as trusted locations. MFA is not triggered when a user signs in from a trusted network, except on first-time account setup (MFA registration is always required on creation regardless of location). Users signing in from outside a trusted location (home, mobile, etc.) are challenged for MFA as normal. Treat the trusted IP list as security-critical: from any IP on it, a password alone signs a user in. In particular, verify at each property that the open guest Wi-Fi does not NAT out through the same public IP as the staff network, otherwise anyone in the parking lot is inside a "trusted location".

IP management: Most properties have static public IPs — these are set once and don't change. Known dynamic IP sites: Victoria Park (406-VCP), Vista at Sage Hill (351-VSH), and The Residences at Linden Pointe (111-RLP) — the latter two are pre-construction properties currently operating from temporary offices (temporary office ISPs typically assign dynamic IPs). When a dynamic site's IP changes, the Named Locations entry must be updated manually in Entra, otherwise on-site users will start getting MFA-challenged unexpectedly. If staff at a property suddenly report MFA prompts they didn't used to get, check whether that site's public IP has changed and update Named Locations accordingly.

Do not disable, exempt, or create account exclusions to resolve MFA issues — troubleshoot the authenticator method instead. If a new property's IP needs to be added to trusted locations, do so in Entra → Named Locations.
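The troubleshooting step described above (a dynamic-IP site starts getting MFA prompts, so find the site's new public IP and update its Named Location), as an added example that is not part of the original document. It uses the Microsoft.Graph SDK against the sign-in log and the Conditional Access named-location API; the named-location display name and the reporting user's UPN are placeholders.

```powershell
# Added example, not part of the original handover doc.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","AuditLog.Read.All" -NoWelcome

$siteLocationName = "Victoria Park (406-VCP)"    # placeholder: the real Named Location display name
$reportingUser    = "someone@bwliving.com"        # placeholder: a user at the site who reported prompts

# 1. Which public IP are that user's recent sign-ins really coming from, and were they
#    evaluated as trusted? NetworkType shows 'trustedNamedLocation' when the IP matched.
$recent = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$reportingUser'" -Top 20
$recent | Select-Object CreatedDateTime, IPAddress,
            @{n = 'MFA';     e = { $_.AuthenticationRequirement }},
            @{n = 'Network'; e = { $_.NetworkLocationDetails.NetworkType -join ',' }} |
    Format-Table -AutoSize

# 2. What does the site's Named Location currently contain?
#    ipNamedLocation-specific fields come back in AdditionalProperties.
$loc = Get-MgIdentityConditionalAccessNamedLocation -All |
       Where-Object { $_.DisplayName -eq $siteLocationName }
if (-not $loc) { throw "Named location '$siteLocationName' not found" }
"Current ranges for $($loc.DisplayName):"
$loc.AdditionalProperties['ipRanges'] | ForEach-Object { "  " + $_['cidrAddress'] }

# 3. Replace the range with the site's new public IP as a single /32.
#    Confirm with the property (OAD or local vendor) that this really is the WAN address
#    before trusting it: every IP added here is a place where MFA is switched off.
$newIp = ($recent | Select-Object -First 1).IPAddress     # review step 1 output before using this
$body = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = $loc.DisplayName
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "$newIp/32" })
}
Update-MgIdentityConditionalAccessNamedLocation -NamedLocationId $loc.Id -BodyParameter $body
"Updated $($loc.DisplayName) to $newIp/32"
```

The update replaces the whole ipRanges list, so if a site legitimately has more than one public IP (Tuxedo has a static and a dynamic address on the same circuit), include every range in the body rather than just the new one.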

Admin Portals

System | URL | Purpose
Azure Portal | portal.azure.com | Azure resources, automation accounts, subscriptions, runbooks
M365 Admin Center | admin.microsoft.com (portal.office.com/adminportal redirects here) | User & license management, M365 service settings
Entra (Azure AD) Admin | entra.microsoft.com (the retired aad.portal.azure.com URL redirects here) | Identity, Conditional Access, groups, enterprise apps, device registration
Microsoft Intune | intune.microsoft.com (endpoint.microsoft.com redirects here) | MDM: Windows and Apple device enrollment, app policies, compliance
Intune → ABM Sync | Intune ABM token | Apple Business Manager enrollment (DEP) token; renew annually before expiry. Backup cert/key files are stored in IT\backups\Apple MDM\; the archived certificate dates from May 2023 and expired May 2024. ⚠ Verify the current status in Intune and update the backup file after renewal. Note that the Apple MDM push (APNs) certificate and the ABM enrollment token are two separate annual renewals: an expired enrollment token only blocks new automated enrollments, but an expired push certificate stops every enrolled Apple device from receiving management commands.
Intune → VPP Connector | Intune VPP token | Apple VPP app licensing token; renew annually before expiry. VPP token backup: IT\backups\Apple MDM\sToken_for_Brightwater_Senior_Living_Group__LLC.vpptoken. Apple device CSV export: IT\backups\Apple MDM\appledevices.csv.
Security / Defender 365 | security.microsoft.com | Email security, quarantine management, threat protection
Email Quarantine | security.microsoft.com/quarantine | Review quarantined email; check weekly for false positives
Compliance / Purview | purview.microsoft.com (compliance.microsoft.com redirects here) | Data governance, eDiscovery, retention policies
Exchange Admin / Message Trace | admin.exchange.microsoft.com | Message trace, transport rules (including the domain transport rule)
SharePoint Admin | bwliving-admin.sharepoint.com | SharePoint site collections, storage, permissions
Teams Admin | admin.teams.microsoft.com | Teams policies, meeting settings, extension deployment
M365 Service Health | admin.microsoft.com → Service Health | Microsoft outage and incident tracking
Azure Cloud Shell | portal.azure.com/#cloudshell | Browser-based PowerShell/CLI for Azure management

Connected Third-Party Admin Portals (M365-linked)

System | URL | Purpose
Apple Business Manager | business.apple.com | DEP device enrollment, VPP app volume licensing
Google Zero Touch | partner.android.com/zerotouch | Android zero-touch enrollment for corporate devices
Adobe Admin Console | adminconsole.adobe.com | Adobe Creative Cloud license management
Microsoft Bookings | outlook.office.com/bookings | IT helpdesk appointment booking page (linked to BWITHelpdesk@bwliving.com). The IT Manager has admin access only: manage availability, staff assignments, and the booking page. Sessions are handled by IT staff (Brighton Griffin). The IT Manager does not take helpdesk sessions directly.

SharePoint / Intranet

Resource | URL
BW Intranet Home | bwliving.sharepoint.com/Brightwater
Signature Images Library | bwliving.sharepoint.com/Signature Images
SharePoint Access Requests | bwliving.sharepoint.com/Access Requests
Transition Meeting Notes | Brooke Hausman's OneDrive → Documents → Meeting Notes & Agendas → Transition Meeting Notes & Agendas

SharePoint Collaboration Folders (IT Glue documented)

All folders live under bwliving.sharepoint.com/Brightwater/Collaboration/. Access is managed via M365 groups; grant/revoke in SharePoint or M365 Admin. Full list in IT Glue (File Sharing assets).

Folder | Who Has Access | Notes
All Communities | All community managers | Files shared org-wide across all communities. Contains the Master Contact List.
BW HR | Quintin King + Cynthia (confidential) | Confidential HR folder. Do not grant access without explicit authorization from Quintin.
Infrastructure | Joel Sauter + Chad Henry | Infrastructure team collaboration space.
Schedules | HR + Ventas Managers | Schedule sharing between HR and Ventas-managed community managers.
Spenddown | Community managers (per-community child folder) | Parent folder is read-only for all. Managers access only their community's subfolder.
Ventas Communities | BW Home Office group | Ventas transitional documentation.
108-Capital Crossing | Capital Crossing managers | Community-specific collaboration folder.
109-Carnegie Heights | Carnegie Heights managers | Community-specific collaboration folder.
Tuxedo Reception | Tuxedo Receptions + Tuxedo Managers |

M365 License Inventory

Sourced from the IT Glue Microsoft Licenses sync. Full details in M365 Admin Center → Billing → Licenses. Review unused licenses during the annual bill audit.

License | Active | Consumed | Unused
Microsoft 365 Business Premium | 267 | 259 | 8
Exchange Online (Plan 1) | 370 | 338 | 32
Microsoft 365 F3 | 174 | 162 | 12
Microsoft Defender for Office 365 (Plan 1) | 174 | 162 | 12
Microsoft 365 Business Basic | 44 | 39 | 5
Visio Online Plan 2 | 3 | 3 | 0
Visio Online Plan 1 | 2 | 0 | (not recorded) — Assigned to Quintin King; shows 0 consumed in the IT Glue sync, verify in M365 Admin
Azure AD Premium P2 | 2 | 2 | 0
Microsoft Defender for Office 365 (Plan 2) | 1 | 1 | 0

License Assignment by Role

From IT\Office Licenses\License Plan.xlsx. Guides which license to assign when creating new accounts. When in doubt: if the user has a dedicated PC and needs Office apps, Business Premium; if they just need email/Teams on a shared device, F3 or Exchange Plan 1.

License | Roles / Use Case | Includes
Microsoft 365 Business Premium | Office staff with dedicated PCs: Executive Director, Business Office Manager, Sales & Marketing Manager/Director, Health Services Director, Community Engagement Manager, Chef, Sous Chef, Receptionist, Scheduler, Dining Services Manager, Maintenance Manager, Operations & Administration Director. Also: Charge Nurses and Medication Technicians. | Full Office desktop apps, Exchange, Teams, Intune MDM, Defender for Business, Azure AD P1
Microsoft 365 F3 + Defender for O365 Plan 1 | Frontline / shared-device staff who need email and Teams but no desktop Office apps: Resident Assistants, Housekeepers, Care Aides, Bus Drivers, Kitchen Assistants, Support Workers. F3 and Defender for O365 Plan 1 are assigned together as a bundle. | Office web apps only, Exchange, Teams, SharePoint (web), Frontline Worker features
Exchange Online Plan 1 | Users who need a mailbox only: no Teams, no Office apps. Typically shared mailboxes converted to user accounts, or staff with very limited IT needs. | Exchange mailbox only
Microsoft 365 Business Basic | Limited use: web-based apps and Teams only, with a mailbox. Occasionally used for specific roles where Business Premium is not justified. | Office web apps, Exchange, Teams, SharePoint (web)
Windows Device Provisioning — Autopilot New Windows PCs are provisioned via Windows Autopilot using the enrollment account bwadmin@bwliving.com. This account must always have a Microsoft 365 E3 license assigned; if the license lapses, Autopilot enrollment will fail. Check the license assignment in M365 Admin Center before deploying any new devices. Note that the license inventory above lists no Microsoft 365 E3 SKU at all, so confirm which SKU is actually assigned to bwadmin (any SKU that includes Intune, such as Business Premium, is what enrollment needs) and correct this entry accordingly. Autopilot profiles are managed in Intune (intune.microsoft.com).
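An added example (not from the handover document) that turns the License Assignment by Role table into a repeatable assignment, with the two pre-checks that most often break it (no usageLocation on the user, no free seats), and ends with the Autopilot pre-deployment check on the bwadmin enrollment account. The SkuPartNumber strings are Microsoft's standard identifiers as I know them, not values taken from this tenant; confirm each one against Get-MgSubscribedSku before relying on it.

```powershell
# Added example, not part of the original handover doc.
Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All" -NoWelcome

# Role -> SKU part numbers, following the License Plan table above.
# Part numbers are assumptions to verify with Get-MgSubscribedSku in this tenant.
$licensePlan = @{
    'OfficeStaff' = @('SPB')                          # Microsoft 365 Business Premium
    'Frontline'   = @('SPE_F1', 'ATP_ENTERPRISE')     # M365 F3 + Defender for Office 365 P1 (always together)
    'MailboxOnly' = @('EXCHANGESTANDARD')             # Exchange Online Plan 1
    'WebOnly'     = @('O365_BUSINESS_ESSENTIALS')     # Microsoft 365 Business Basic
}

$skus = Get-MgSubscribedSku -All

function Resolve-SkuId([string]$PartNumber) {
    $sku = $skus | Where-Object SkuPartNumber -eq $PartNumber
    if (-not $sku) { throw "SKU $PartNumber is not in this tenant; check Get-MgSubscribedSku" }
    $free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    if ($free -lt 1) {
        throw "No unused $PartNumber licenses ($($sku.ConsumedUnits)/$($sku.PrepaidUnits.Enabled) used)"
    }
    $sku.SkuId
}

function Set-BwRoleLicense([string]$Upn, [string]$Role) {
    if (-not $licensePlan.ContainsKey($Role)) { throw "Unknown role '$Role'" }
    # Graph refuses to license a user whose usageLocation is unset
    $user = Get-MgUser -UserId $Upn -Property "id,usageLocation"
    if (-not $user.UsageLocation) { throw "$Upn has no usageLocation; set US or CA before licensing" }
    $add = foreach ($part in $licensePlan[$Role]) { @{ SkuId = (Resolve-SkuId $part) } }
    # -RemoveLicenses must be supplied (empty here); the bundle is applied in one call
    Set-MgUserLicense -UserId $Upn -AddLicenses $add -RemoveLicenses @() | Out-Null
    "Assigned $($licensePlan[$Role] -join ' + ') to $Upn"
}

# Example call (placeholder UPN):
# Set-BwRoleLicense -Upn 'new.hire@bwliving.com' -Role 'Frontline'

# Autopilot pre-deployment check: what is actually assigned to the enrollment account?
Get-MgUserLicenseDetail -UserId 'bwadmin@bwliving.com' | Select-Object SkuPartNumber
```

If the bwadmin check returns nothing with "Intune" in its service plans (Business Premium and E3 both include it), fix the license before shipping a device; that is the failure mode the paragraph above warns about.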

Policy structure: Single Intune tenant. Most policies apply to all enrolled computers by default — there is no complex group targeting to manage. The only standing exception is Quintin King's dedicated group (see below).

Full build sequence:
  1. Autopilot enrollment triggers Intune
  2. Intune installs the Datto RMM agent, applies desktop shortcuts, and enforces security policies
  3. Once the Datto agent is live, Initial Audit jobs run automatically and deploy the standard app set
Do not manually install apps before the Initial Audit job has completed.

Active Initial Audit Jobs (17 total):
# | Job Name | Component(s) | Target
1 | Install Print Management | Add Print Management | All Devices
2 | Install Coro Installer 3.7.1 | Coro Installer 3.7.1 | OK To Reboot (Not Servers or Omnia PCs)
3 | Remove Quick Assist | Quick Assist Remove | All Devices
4 | Dell Dock Management Agent | Install Dell Dock Management Agent | Dell Laptops
5 | Add .exe rewriter | Push exe rewriter | OK To Reboot (Not Servers or Omnia PCs)
6 | Remove Shutdown option | Hide/Remove Shutdown Button | All Windows Desktops (Not Laptops)
7 | Remove Initial User from Admin Group | detectAdminAccounts | OK To Reboot (Not Servers or Omnia PCs)
8 | Configure and Install Office | M365 Apps Configuration Tool [WIN]; Microsoft 365 Apps (Office) - Current [WIN] | OK To Reboot (Not Servers or Omnia PCs)
9 | Install WatchGuard Cert Central Office | Install WatchGuard Cert | Central Office
10 | Enable OneDrive Sync Reporting | Enable OneDrive Sync Reporting | OK To Reboot (Not Servers or Omnia PCs)
11 | Allow Long Paths | Enable Long Paths [WIN] | OK To Reboot (Not Servers or Omnia PCs)
12 | Add bwadmin user to all computers | Add bwadmin | All Devices
13 | Install New Teams | Microsoft Teams (New/Classic) [WIN] | OK To Reboot (Not Servers or Omnia PCs)
14 | Laptop Power Settings | Power Settings [WIN] | All Laptops
15 | Desktop Power Settings | Power Settings [WIN] | All Windows Desktops (Not Laptops)
16 | Windows 11 Readiness Check | Windows 11 Readiness Check [WIN] | MS Win 7, MS Win 8, MS Win 10
17 | Initial Audit / UDF — Additional Windows device data | BitLocker & TPM Audit [WIN]; Write Disk Type to UDF [WIN]; Detect Windows and Office keys [WIN] | All Windows Desktops + All Windows Servers

Note: "Omnia PCs" is a Datto device group; these are excluded from most standard job targets. Jobs labeled "OK To Reboot" only run against devices in a rebootable state/group.
New PC Setup — Installation Checklist The standard PC setup process is documented in IT\Default PC Standards\Installation Checklist.docx on SharePoint. Key steps: ensure user is licensed for Microsoft 365 Business Premium (required for Intune), set up local admin account, install TeamViewer Full Client using the static corporate URL (pulls latest installer + corporate settings — link in the document), then allow Autopilot/Intune to complete the build. Do not manually install standard apps before the Initial Audit job completes — Datto RMM handles the standard app set automatically.

Hardware standard: Dell All-in-Ones (AIOs) for workstations, Dell laptops for mobile roles. US procurement via Connection.com (Michael Mara). Canada via CDW Canada. See Printers & Copiers section for copier standards.
BYOD (Personal Devices) Brightwater does not enroll personal devices into Intune. However, when an employee signs into Outlook on a personal phone or tablet, Intune applies an app protection (MAM) policy to the Outlook app, requiring an app PIN/password and encrypting Outlook's data, without enrolling the device. No MDM control is applied; only the Outlook app is managed. Employees cannot opt out of this if they want company email on a personal device. Two things to verify when reviewing this: app protection policies only apply to the groups they are assigned to, so confirm the assignment covers all users; and MAM on its own does not stop a different mail client from connecting, so a Conditional Access policy requiring an approved app / app protection policy for Exchange Online is what actually keeps unmanaged clients out.
Intune Policy Exception — Quintin King Quintin King has been granted two standing exceptions via Intune policy:
1. Local administrator access on his devices — he can install software without IT involvement.
2. Personal OneDrive connection — a dedicated Intune group was created containing only his user account and his devices, with a policy that permits personal OneDrive. All other users are blocked from connecting personal OneDrive. Do not remove him from this group.
Device Decommissioning & Lost/Stolen Procedure
  • Standard wipe: Devices are wiped remotely via Intune (Devices → select device → Wipe). All data is erased and the device is unenrolled.
  • Lost or stolen: Put the device into Intune Lost Mode (Devices → select device → Lost mode); this locks the screen, displays a contact message, and enables location tracking via the Intune portal. Lost mode is an iOS/iPadOS action for supervised (ABM-enrolled) devices. For a lost Windows laptop, issue the Wipe instead, confirm from the Initial Audit BitLocker & TPM data (job #17) that the disk was encrypted, and revoke the user's sign-in sessions in Entra in case cached credentials are on the device.
  • E-waste log: All retired, wiped, or destroyed devices must be recorded in the E-waste tracker:
    SharePoint → IT → Destruction → E waste computers.xlsx
Azure Automation — bwautomate Resource Group: bwautomationcsp | Subscription ID starts: 720fdf80. Runbooks: User-Cleanup and Sync-ReliasGUIDsFromEntra. Both scheduled every 4 hours. Monitor via Azure Portal → Automation Accounts → bwautomate → Jobs.
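An added example (not from the handover document) of checking the two bwautomate runbooks from PowerShell instead of clicking through the Jobs blade: on a 4-hour schedule each runbook should show about six runs per day, and any failed run's error stream is pulled inline. It uses the Az.Automation module and the resource group and account names from the Environment Summary.

```powershell
# Added example, not part of the original handover doc. Requires the Az module
# (Install-Module Az -Scope CurrentUser) and Reader access on subscription 720fdf80...
Connect-AzAccount | Out-Null

$rg    = 'bwautomationcsp'
$acct  = 'bwautomate'
$since = (Get-Date).AddHours(-24)

$jobs = Get-AzAutomationJob -ResourceGroupName $rg -AutomationAccountName $acct -StartTime $since

# Expected: ~6 runs each for User-Cleanup and Sync-ReliasGUIDsFromEntra in 24 hours.
# A runbook missing from this list means its schedule is disabled or unlinked.
$jobs | Group-Object RunbookName | ForEach-Object {
    [pscustomobject]@{
        Runbook = $_.Name
        Runs    = $_.Count
        Failed  = ($_.Group | Where-Object { $_.Status -in 'Failed', 'Suspended', 'Stopped' }).Count
        LastRun = ($_.Group | Sort-Object StartTime -Descending | Select-Object -First 1).StartTime
    }
} | Format-Table -AutoSize

# Error stream of every failed job, so the cause is visible without opening the portal
foreach ($job in $jobs | Where-Object { $_.Status -eq 'Failed' }) {
    "--- $($job.RunbookName) started $($job.StartTime) ---"
    Get-AzAutomationJobOutput -ResourceGroupName $rg -AutomationAccountName $acct -Id $job.JobId -Stream Error |
        Select-Object -ExpandProperty Summary
}
```

A sudden run of failures in Sync-ReliasGUIDsFromEntra or User-Cleanup is usually a credential or role problem on the bwautomate service principal (License Administrator and Exchange Administrator, per the admin account table), so check that principal before touching the runbook code.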

IT Helpdesk Phone & Shared Mailboxes

IT Helpdesk Phone: 541-728-0477 This number is the public-facing IT helpdesk line. After hours, it rings the IT Manager's work cell phone. Mark Harper is leaving this cell phone behind for the incoming IT Manager — the number stays the same and the device transfers with the role. Ensure the new IT Manager has the phone on day one and knows they are on call via this number.
Mailbox | Purpose | Access
it@bwliving.com | Primary IT shared mailbox and the employee-facing IT support address. Emails sent here by staff automatically create tickets in Autotask; employees have no direct portal access. Also receives automated reports (training gap emails from weekly_training_gaps.py), vendor correspondence, and system notifications. Used as the account owner for services like Cloudflare. | Shared mailbox accessible by the IT team. May be licensed (check M365 Admin Center; if licensed, it counts against your license allocation). Ensure the incoming IT Manager has full access and send-as rights; grant in M365 Admin Center → Active mailboxes. Because third-party accounts are registered to this address, anyone with full access to it can reset those services' passwords, so keep its membership to the IT team and make sure Cloudflare and similar services have their own MFA enabled.
BWITHelpdesk@bwliving.com | Microsoft Bookings helpdesk scheduling mailbox. End users book IT appointments through this address. IT staff manage availability via the Bookings page. | Shared mailbox linked to the Bookings page. Manage staff and availability at outlook.office.com/bookings.

Network & Security

System | URL / Address | Purpose / Notes
Meraki Dashboard | n506.meraki.com | Cisco Meraki: switching, wireless, and security appliance management
UniFi Network Portal | network.unifi.ui.com | Ubiquiti UniFi cloud controller, used at Healdsburg (503-HLB). Setup nearly complete.
WatchGuard Cloud | usa.cloud.watchguard.com | WatchGuard firewall cloud management: reporting and remote config
WatchGuard Products | myproducts.watchguard.com | License management, RMA requests, tech support
WatchGuard M200 — Local | https://10.140.193.2:8080 | Fireware Web UI, on-prem management of the local M200 (internal network only)
Central Office Firewall | https://192.168.1.1:8080 | On-site firewall admin, Bend Central Office (internal network only)
CIS Remote Filter | filter.cis-remote.com | Custom Integration Solutions web content filtering
Alarm.com | alarm.com/web/system | Physical security alarm system management across communities
Cloudflare | dash.cloudflare.com | Used to host and proxy beo.brightwaterseniorliving.com, the internal Banquet Event Order (BEO) web application. Community staff use the BEO form to plan and document events across all Brightwater properties (food service, room setup, A/V, décor, budget codes, organizer approval, etc.). Cloudflare handles DNS, proxying, CDN, and SSL for that subdomain. Account owner: it@bwliving.com; password in IT Glue. If the BEO site goes down or SSL errors appear, check the Cloudflare dashboard first.
Suspicious Sign-Ins Tracker | IT\Security\suss sign ins.xlsx | Local spreadsheet tracking flagged or suspicious Entra/M365 sign-ins (e.g. foreign IPs, unusual locations). Review periodically and cross-reference with Coro and the Entra sign-in logs. If a compromised account is suspected: disable the account in Entra immediately, revoke all active sessions, reset the password, then look for what the attacker left behind: inbox rules and mailbox forwarding in Exchange, newly registered MFA methods on the account, OAuth app consents, and recent email/SharePoint activity. Record the case in the tracker.
Coro | dashboard.coro.net | Primary full-stack security platform for Brightwater. Coro is a unified security suite, a single platform rather than stitched-together tools, covering Endpoint Security / EDR, Email Security (inbound threat filtering), Cloud App Security, Data Governance, Network Protection, and Security Awareness Training. Deployed to managed workstations and laptops via Datto RMM (Coro Installer 3.7.1, job #2 in the Initial Audit sequence); not deployed to servers (servers use Microsoft Defender for Cloud). Tier: Coro Complete (all modules active), excluding MDR (Managed Detection & Response). Without MDR there is no Coro SOC monitoring alerts on BW's behalf; alerts must be reviewed manually in the dashboard. No dedicated account rep; support via dashboard.coro.net or coro.net/support. Credentials in IT Glue.

Active context: Coro's email filtering layer is currently active. The Email Quarantine Disable project is waiting on Coro confirmation before switching GoDaddy SMTP to passthrough mode. Do not change GoDaddy SMTP routing until Coro confirms it will block all inbound threats independently. Review Coro alerts at dashboard.coro.net regularly.
Microsoft Defender for Servers | portal.azure.com | Server-level threat protection via Microsoft Defender for Cloud. Covers BW servers; endpoints are handled by Coro, not Defender. Managed through the Azure Portal. Credentials in IT Glue.
Spanning Backup | o365.spanningbackup.com | Microsoft 365 backup solution. Covers user mailboxes and Brightwater SharePoint. Used for backup and restore, not for retention enforcement. Credentials in IT Glue.
Microsoft Purview | purview.microsoft.com | Manages M365 data retention policies. 7-year retention is configured in Purview for OneDrive, SharePoint, and email. Do not remove or modify retention policies without understanding the compliance implications; these may be required for regulatory or legal reasons.
Microsoft Remote Connectivity Analyzer | testconnectivity.microsoft.com | Test inbound SMTP and Exchange connectivity
MLV SonicWall TZ270 (CMS Communications) | Managed by CMS Communications | Mirror Lake Village (106-MLV) SonicWall TZ 270 is fully managed by CMS Communications: Mark Nicholson (mark@cmscomm.com, 425-732-6100). Brightwater IT has no management responsibility for this device. Serial number, management IP, and ISP circuit details still need to be documented on the next site visit.
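The compromised-account response from the Suspicious Sign-Ins Tracker entry above, as an added example that is not part of the original document: the containment steps in the order the entry gives them, followed by the persistence checks that a quick disable-and-reset misses. It uses the Microsoft.Graph and ExchangeOnlineManagement modules; the UPN is a placeholder, and the caller needs the User Administrator (or higher) role for the password reset.

```powershell
# Added example, not part of the original handover doc.
# Requires: Install-Module Microsoft.Graph, ExchangeOnlineManagement -Scope CurrentUser
Connect-MgGraph -Scopes "User.ReadWrite.All","User-PasswordProfile.ReadWrite.All",
                        "UserAuthenticationMethod.Read.All","AuditLog.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$upn = 'suspect.user@bwliving.com'    # placeholder: the account flagged in the tracker

# 1. Block sign-in, then invalidate every refresh token and session so existing
#    logged-in clients (including the attacker's) are cut off within the token lifetime.
Update-MgUser -UserId $upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $upn | Out-Null

# 2. Reset the password to a random 24-character value; the user receives a new one
#    through the normal process (e.g. the bwliving.ai SSPR portal) once re-enabled.
$chars  = (48..57) + (65..90) + (97..122)
$newPwd = -join ($chars | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $upn -PasswordProfile @{ Password = $newPwd; ForceChangePasswordNextSignIn = $true }

# 3. Persistence an attacker typically leaves behind.
"== Inbox rules (watch for forward, redirect, delete, or move-to-obscure-folder rules) =="
Get-InboxRule -Mailbox $upn |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder

"== Mailbox-level forwarding =="
Get-Mailbox -Identity $upn | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

"== Registered MFA methods (a phone or authenticator the user does not recognise = attacker-enrolled) =="
Get-MgUserAuthenticationMethod -UserId $upn |
    Select-Object Id, @{n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] }}

"== Sign-ins, last 7 days (compare IPs against the property static IPs in the WAN table) =="
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All |
    Select-Object CreatedDateTime, IPAddress,
        @{n = 'Country'; e = { $_.Location.CountryOrRegion }},
        AppDisplayName,
        @{n = 'ErrorCode'; e = { $_.Status.ErrorCode }} |
    Sort-Object CreatedDateTime | Format-Table -AutoSize
```

Remove any rule or forwarding entry the user did not create (Remove-InboxRule, Set-Mailbox -ForwardingSmtpAddress $null) and any unrecognised authentication method before re-enabling the account; re-enabling first hands the attacker back whatever they registered.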

Guest Wi-Fi

Guest SSIDs exist at most properties. Passwords in IT Glue per property. SSID names pulled from IT Glue below; general notes:

Property | Staff SSID | Guest SSID | Special SSIDs
Central Office (Bend) | Brightwater Senior Living | Guest Brightwater (open) |
Highland (103-HLD) | Brightwater of Highland | Brightwater Highland Guest |
Tuxedo (107-TUX) | Tuxedo | | Tuxedo-Sara (Sara life safety)
Capital Crossing (108-CAP) | BWCC-Main | BWCC-Guest | BMCC-SARA (Sara); AV-ipad
Carnegie Heights (109-CAR) | BWNV-Main | BWNV-Guest | BWNV-SARA (Sara)
Linden Pointe (110-LDR) | Linden Pointe - Main | Linden Pointe - Guest | Linden Pointe - SARA; AV-iPAD
The Bradley (401-BDY) | xlwifi1 | The Bradley Guest (open) |
Cedarview (402-CDV) | xlwifi1 | Guest (open) |
Guelph Lake Commons (403-GLC) | xlwifi1 | Guelph Guest (open) |
Heritage Meadows (404-HMS) | xlwifi1 | Guest (open) |
Rosewood Estates (405-RWE) | xlwifi1 | Rosewood Guest (open) |
Victoria Park (406-VCP) | xlwifi1 | Guest218 (open) |
Mt. Bachelor ALMC (451-MB1) | MemoryCare | AL/MC Guest | ECall MTB (OneSource)
Mt. Bachelor MC (451-MB2) | MBMC | MBMCGUEST |
Pine Ridge Terrace (501-ARB) | office-1 / ArbolStaff | Guest |
Santa Rosa Hills (502-SRH) | Airway Staff | Airway Guest |
Healdsburg (503-HLB) | | | RL4_Resident; RL4 Resident Apple; TV
Mirror Lake Village (106-MLV) | Mirror Lake Staff | Mirror Lake Village |
Ravines (322-RAV) | Ravines | |
Vista at Sage Hill (351-VSH) | TELUS Business WIFI - Private | | Temp office only

Note: "open" guest networks have no WPA passphrase; connection requires no password. All passwords for WPA2 networks are in IT Glue per property org. The Sara, AV-iPad and ECall SSIDs carry life-safety or access-control traffic and sit on their own VLANs (see LAN / VLAN Topology); when checking a site, verify that the open guest SSID is on the guest VLAN with client isolation and cannot reach the Sara, Omnia, or management subnets, and that it does not share the trusted public IP used for the MFA Named Location.

Internet / WAN by Property

All ISP details sourced from IT Glue. Account numbers and full IP blocks in IT Glue per property. Static IPs listed here for quick reference — these are the IPs used in Entra Named Locations for MFA trusted sites.

Property | Primary ISP | Acct # | Static IP | Secondary ISP | Notes
Central Office — Main (Bend, OR) | Lumen Static Fiber | Billing: 5-6B3QB6RS | See IT Glue (image) | LS Networks (acct 00914, 206.188.211.42, 1777 Chandler Ave tenants); TDS Cable (accts on file) | Lumen is primary. LS Networks at Chandler Ave. TDS backup circuits also documented in IT Glue.
Highland (103-HLD) | Spectrum Enterprise | 8448400520745295 | | | 500↑/500↓. No static IP in IT Glue; verify.
Tuxedo (107-TUX) | Rogers Business / Shaw | 038-0533-4682 | 184.67.165.114 (static); 50.71.64.151 (dynamic) | | Has both a static and a dynamic IP on the same circuit.
Capital Crossing (108-CAP) | Access Communications | 5761911 | | | $1,265/mo, 250↑/250↓. Offboarding; confirm ISP cancellation with ownership transfer. Support: 844-891-6803 opt 1.
Carnegie Heights (109-CAR) | Lumen (100 Mbps) | 5-6b3qb6rs | 4.35.38.82–.86/29 (WAN: 4.35.38.80/29) | Cox Business (acct 001861-0138347301, static 184.186.104.178); CenturyLink/Lumen legacy (acct 90332720, static 65.140.157.123) | Three ISP entries; Lumen 100 Mbps is newest/primary. Old CenturyLink/Lumen may be decommissioned; verify.
The Bradley (401-BDY) | Bell | 541706519 | 76.65.215.150 | Patsy's Internet | $156/mo, 940↑/940↓. Patsy's Internet has no account/IP details in IT Glue.
Cedarview (402-CDV) | Rogers Cable | 232-397964307 (svc) / 957937592 (billing) | 24.137.56.178 | Execulink Telecom (acct 616665), phone service only, not internet | $194/mo. Execulink is not a data ISP.
Guelph Lake Commons (403-GLC) | Rogers | 231-305214900 | 208.124.248.242 (GW: 208.124.248.241) | | $202/mo.
Heritage Meadows (404-HMS) | Rogers | 9-5740-6036 | | | $235/mo. No static IP in IT Glue; verify.
Rosewood Estates (405-RWE) | Cogeco | 50003291585 | | | $167/mo, 50↑/120↓. No static IP in IT Glue; verify.
Victoria Park (406-VCP) | Access Communications | 4796181 | Dynamic | | $210/mo, 350↓. No static IP; update Entra Named Locations when the IP changes. Advanced Telecom & Security local vendor: 306-586-2835.
Mt. Bachelor ALMC (451-MB1) | TDS Cable | 8224 60 001 0529295 | 184.60.221.120 | | Offboarding July 1; confirm ISP transfer to Cascade Living Group.
Mt. Bachelor MC (451-MB2) | TDS Cable | 822 460 001 050 0635 | 208.100.184.247 (updated Jul 2024) | | Offboarding July 1. Old IP was 184.60.32.2. Account PIN: 4041. Support: 1-866-448-0071.
Santa Rosa Hills (502-SRH) | Comcast Business | 8155 30 034 3323903 | 50.189.106.69 | | 35↑/1250↓.
The Vista at Sage Hill (351-VSH) | TELUS Business | See IT Glue | Dynamic (temp office) | | Pre-construction temp office, dynamic IP. Update Named Locations when the IP changes.
Residences at Linden Pointe (111-RLP) | See IT Glue | | Dynamic (temp office) | | Pre-construction temp office, dynamic IP. Update Named Locations when the IP changes. Note: IT Glue has two org entries for this property ("The Residences at Linden Pointe" and "The Residences"); they are the same community.
Linden Pointe (110-LDR), Mirror Lake Village (106-MLV), Pine Ridge Terrace (501-ARB), Healdsburg (503-HLB) | See IT Glue | | | | ISP data not in the IT Glue WAN export; check IT Glue per property org.
Internal IP addresses — require on-site access 10.140.193.2 (WatchGuard M200 Fireware), 10.140.194.27 (Sara/eMessenger — Tuxedo), 192.168.1.1 (Central Office firewall). These are not accessible from the public internet — require physical on-site access or a management tunnel.

LAN / VLAN Topology

Sourced from IT Glue LAN flexible assets. Full VLAN detail (firewall configs, switch ports, DHCP server links) is in IT Glue per property org. Not all properties have LAN records in IT Glue — see checklist for gaps.

Property | VLAN Name | Subnet | VLAN ID | DHCP Scope
Capital Crossing (108-CAP) | MGMT | 10.0.100.1/23 | 1 | 1–254
Capital Crossing (108-CAP) | BWCC-LAN | 10.140.196.1/23 | 10 | 1–254
Capital Crossing (108-CAP) | BWCC-Guest | 192.168.2.1/23 | 30 | 1–254
Capital Crossing (108-CAP) | AV iPad Network | 10.100.80.1/24 | 40 | 1–254
Carnegie Heights (109-CAR) | MGMT | 10.75.0.1/22 | 1 | 10.75.0.1–3.254
Carnegie Heights (109-CAR) | BWNV-LAN | 10.140.195.1/22 | 10 | 10.75.195.1–198.254 (as recorded in IT Glue; the scope prefix does not match the subnet, verify on site)
Carnegie Heights (109-CAR) | Sara eMessenger | 10.140.197.1/24 | 20 | .1–.254
Carnegie Heights (109-CAR) | BWNV-Guest | 192.168.2.1/24 | 30 | .1–.254
Rosewood Estates (recorded as 403-RSD in IT Glue; Rosewood is 405-RWE elsewhere in this document, verify) | Staff LAN | 192.168.146.0/24 | |
Pine Ridge Terrace (501-ARB) | Management | 10.150.84.0/23 | 1 | .100–.250
Pine Ridge Terrace (501-ARB) | Admin | 172.16.57.0/24 | 192 | .100–.250
Pine Ridge Terrace (501-ARB) | FullCount | 172.30.100.0/27 | 88 | .15–.30
Pine Ridge Terrace (501-ARB) | Guest | 10.4.0.0/22 | 998 | 0.2–3.254
Mt. Bachelor ALMC (451-MB1) | OneSource | 10.0.101.0/24 | 101 | .20–.254
Santa Rosa Hills (502-SRH) | LAN | 192.168.168.168/24 | | .001–.167
Central Office (Bend, OR) | Staff LAN | 192.168.1.0/24 | 1 | 1–254

Properties with no LAN records in IT Glue: Highland, Tuxedo, Linden Pointe, The Bradley, Cedarview, Guelph Lake Commons, Heritage Meadows, Victoria Park, Healdsburg, Mirror Lake Village, and all pre-build properties. See checklist — document before departure.

On-Premises Servers

All servers below are managed via Datto RMM (site: NO RESTARTS — do not send automatic reboot jobs to this group). Credentials in IT Glue per device.

Hostname | Property | OS | Purpose | Notes
2M200409PM | Capital Crossing (108-CAP) | Windows Server 2016 | Sara Server | Sara = life safety / nurse call system. Do not wipe or decommission without coordinating with the property.
2M291902DK | Linden Pointe (110-LDR) | Windows Server 2016 | Sara Server | Same as above.
2M2D0Q03V5 | Tuxedo (107-TUX) | Windows Server 2022 | Sara Server | Sara/eMessenger, internal IP 10.140.194.27. Same caution applies.
WIN-34T9SGTETQR | Mirror Lake Village (106-MLV) | Windows Server 2016 | Camera / Fire Panel Server | Supports on-site camera and fire panel integration. Do not reboot without coordinating with property staff.
DESKTOP-0E36N3P | Carnegie (recorded as 105-CAR in IT Glue; Carnegie Heights is 109-CAR elsewhere in this document, verify) | Windows 10 Enterprise LTSC | Omnia Server 2024 | Omnia = door access control system. "Omnia PCs" in Datto are excluded from standard Initial Audit jobs.
DESKTOP-9ENITIA | Capital Crossing (108-CAP) | Windows 10 Pro | Omnia Server | Same as above.
OMNIALINDENPOINT | Linden Pointe (110-LDR) | Windows 11 Pro | Omnia Server | Same as above.
BWWebv2 | Azure, Resource Group: AIChatWebServices (Subscription: ConnectionBilled, Central US) | Windows Server | Employee Self-Service Password Reset Portal | Hosts bwliving.ai, a publicly accessible password reset portal available to all communities. Workflow: employee enters their Employee ID + phone number on file in UKG → system validates against UKG → if the phone number isn't yet registered in Entra for SSPR, it pushes it automatically → employee is redirected to the Microsoft Self-Service Password Reset portal to complete the reset. No IT involvement required for standard resets. Security note: because the portal registers whatever phone number UKG holds as the SSPR method, the phone-on-file in UKG is effectively an authentication root for every account; whoever can edit phone numbers in UKG can redirect password resets, so that HR permission deserves the same scrutiny as an Entra role.

Stack: Python / Flask. Traffic path: Internet → Appliationgateway (Azure App Gateway, WAF policy: WebWAF) → BWWebv2 VM (Flask app). Flask is kept running via Task Scheduler on the VM. Gateway logs go to the GatewayLogs Log Analytics workspace.

To RDP into BWWebv2: use Azure Bastion (vnet-centralus-bastion). There is no direct RDP; access is Bastion-only.

⚠ Document before departure: Python version and venv path, UKG API key, Microsoft Graph API credentials (used to push the phone number to Entra, so check which Graph permissions that app registration holds and that it has nothing broader than it needs), Task Scheduler task name and trigger, SSL certificate renewal process. All credentials in IT Glue under BWWebv2.
PHONEMANAGER | Mirror Lake Village (106-MLV) | Windows 11 Pro | Phone Manager (Mitel) | Local management host for the CMS Communications Hosted Mitel phone system. Do not wipe; phone system dependency. Contact CMS (Mark Nicholson, mark@cmscomm.com) before any changes.
i7test01 | Central Office IDF | Windows 11 Enterprise | IT Automation Machine | DO NOT WIPE. Runs all local automation scripts (C:\Scripts\): account creation, Yardi integration, SFTP jobs. This is the backbone of IT operations; see the Automation & Scripts section.
Sara Servers — Life Safety Systems Sara (and its companion eMessenger) is a nurse call / life safety platform running on on-prem Windows Servers at Capital Crossing, Linden Pointe, and Tuxedo. These servers must never be wiped or decommissioned without explicit coordination with the property's Director of Care and the vendor. A failure in Sara directly impacts resident safety alerts.

Mobile Devices

IT manages the mobile device program centrally. US properties: AT&T — managed via AT&T Business Console (DEP enrollment, billing). Canadian properties: Rogers — managed via Rogers Business Online. Billing split spreadsheets in IT\Monthly Billouts\.
Carrier | Region | Account | Portal | Account Rep | Notes
AT&T | USA | See IT Glue | dmp.wireless.att.com | Cody Fitzgerald, Business Solutions Exec, Greater Oregon Mobile (primary): cody.fitzgerald@att.com, 541-965-2520. Chuck Underwood, Senior Sales Rep (backup): cu098w@att.com | DEP enrollment for US iPhones. Device procurement: new iPhones; AT&T provides strong promotional deals, so CPO is not needed here. Billing split: IT\Monthly Billouts\AT&T billing split.xlsx. Business support: att.com/businesshelp.
Rogers (via Airsource) | Canada | 888902566 | bss.rogers.com | Arlo Rico, Sr. Corporate Account Exec, Airsource (primary): arlo.rico@airsource.net, 204-294-9500, 20–2579 Pembina Hwy, Winnipeg, MB. Kiesh Nanthan, Rogers Account Rep (account changes): Kiesh.Nanthan@rci.rogers.com. Wesley Yip, Rogers Billing: Wesley.Yip@rci.rogers.com | Canadian mobile fleet (MB, ON, SK properties). Device procurement: Certified Pre-Owned (CPO) iPhones from Rogers keeps costs low. Billing breakdown: IT\Monthly Billouts\Rogers Breakdown.xlsx. Cancellations / support: 1-877-742-9249.

Phone & Communications

System | URL / Address | Purpose
Sara / eMessenger — Tuxedo (107-TUX) | https://10.140.194.27:8083/emessenger/Appln_Admin_Jsp/Login.do and http://10.140.194.27/admin/adminscr.php | Resident call system — Tuxedo (Winnipeg, MB). Internal access only. Sara server on-site.
Sara / eMessenger — Linden Pointe (110-LDR) | Internal — IP in IT Glue | Resident call system — Linden Pointe (Winnipeg, MB). Internal access only. Sara server on-site.
Sara / eMessenger — Capital Crossing (108-CAP) | Internal — IP in IT Glue | Resident call system — Capital Crossing. Offboarding in 2026 — decommission Sara as part of ownership transfer. Coordinate timing with leadership.
Rogers Business | bss.rogers.com | Canadian mobile billing & account management — review monthly. Covers MB, ON, AB, SK properties.
AT&T Business Console | dmp.wireless.att.com | US mobile device management, DEP enrollment, billing. Billing split: IT\Monthly Billouts\AT&T billing split.xlsx
eFax Corporate | efaxcorporate.com/mgmt | Fax account management and number management. Billed monthly — Consensus eFax.
Xerox (Printers) | accounts.xerox.com | Xerox printer fleet account management and support portal

Phone Systems by Property

Property / Group | System | Type | Notes
Central Office (Bend, OR) | Microsoft Teams Phone | Cloud / UCaaS | bHosted (BendTel FreePBX) is no longer used. Admin via Teams Admin Center.
Santa Rosa Hills (502-SRH) | Microsoft Teams Phone via PhoneAll Inc | Cloud / UCaaS | Teams Phone delivered through PhoneAll Inc. Support: support@phoneall.net / 619-294-7220.
Highland (103-HLD) | Vonage | Hosted VoIP | Account: 43471. Support: businesssupport.vonage.com
Pine Ridge Terrace (501-ARB) | PhoneAll Inc | Hosted | Support: support@phoneall.net / 619-294-7220. Details in IT Glue.
Ontario properties (401–405) | Ansatel PBX | On-premise PBX | The Bradley, Cedarview, Guelph Lake Commons, Heritage Meadows, Rosewood Estates. How-to access docs in IT Glue per property. Contact: Ren Mann — ren@ansatel.ca. Note: Victoria Park (406-VCP) is NOT on Ansatel — see Advanced Telecom & Security below. ⚠ Replacement planned: communities are unhappy with the system and support — Fusion Connect hosted VoIP is the proposed replacement. See Active Projects → Ventas Communities Phone System Replacement.
Victoria Park (406-VCP) | Advanced Telecom & Security | Hosted VoIP | Regina, SK. Not on the Ansatel/Ontario PBX setup. Hosted VoIP — no on-prem PBX controller. Contact: Curtis Hextall (chextall@advancedtelecom.ca, 306-586-2835). Details in IT Glue.
Capital Crossing (108-CAP) | Panasonic Phone Server | Local | On-site server. Decommission as part of ownership transfer.
Healdsburg (503-HLB) | Groove Technology Solutions | Local | On-site phone system. Support: Groove Technology Solutions, 1-801-994-3642. Details in IT Glue.
Mt. Bachelor MC (451-MB1) | Fusion Connect | Hosted Cloud | Transfer cloud controller access to Cascade Living Group July 1
Tuxedo (107-TUX) | On-site PBX | On-premise | Unity Connected manages on-site phone (Panasonic) and Status Solutions (life safety) servers at Tuxedo, Capital Crossing, and Linden Pointe. Equipment runs on local hardware — Unity is boots-on-the-ground support only. Website: unityconnected.com. Credentials in IT Glue.
Linden Pointe (110-LDR) | On-site PBX | On-premise | Unity Connected — same as Tuxedo. Manages on-site phone and Status Solutions servers. Credentials in IT Glue.
Mirror Lake Village (106-MLV) | CMS Communications — Hosted Mitel | Hosted Cloud | Managed by CMS Communications (cmscomm.com). Contact: Mark Nicholson, mark@cmscomm.com. Hosted Mitel system — no on-prem PBX controller; cloud-hosted. The PHONEMANAGER device is the local management host. Firewall note: SIP ALG must be disabled or cordless phones will not register. Contract on file — see Joel Sauter's forwarded email (Jan 2026). ⚠ Document full details in IT Glue before departure.

Business & Resident Applications

Third-Party Application Approval Policy: All third-party applications that access Brightwater data or systems must be reviewed and approved by an IT administrator before use. The review must cover:
  • Access scope: What data or systems does this app access? Does it touch PHI (Protected Health Information), employee records, or financial data?
  • HIPAA compliance: If the app processes or stores PHI, a Business Associate Agreement (BAA) is required before the app can be approved. No BAA = no approval for PHI-touching apps.
  • OAuth permissions review: Check what Microsoft 365 / Entra permissions the app requests (e.g., read all mail, access all files). Limit to least-privilege.
  • Vendor vetting: Review the vendor's security posture, data residency, and breach notification policies.
IT administrators can review and revoke third-party app consents in Entra Admin → Enterprise Applications.
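The review steps above can be applied mechanically to the consent records an administrator sees under Enterprise Applications. The following is an added example, not Brightwater tooling: it models each consent as the scopes requested plus whether it was admin-consented and whether a BAA is on file, then returns a decision with the findings a reviewer would record. The scope groupings (which scopes count as broad, which can reach PHI) and the sample app names are this example's assumptions, not an official risk rating.

```python
"""Triage of a third-party app consent against the approval policy above.
Added example, not Brightwater tooling. The consent records are constructed
to resemble Entra OAuth2 permission grants; the scope groupings and the
decision rules are this example's assumptions, not an official risk rating."""
from dataclasses import dataclass, field

# Assumption: tenant-wide mail/file/directory read scopes exceed least privilege.
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
                "Sites.Read.All", "Directory.Read.All", "User.Read.All"}
# Assumption: any mail/file/SharePoint access can reach PHI, so it needs a BAA.
PHI_CAPABLE_SCOPES = BROAD_SCOPES | {"Files.Read", "Mail.ReadBasic"}
MINIMAL_OK = {"User.Read", "openid", "profile", "email", "offline_access"}

@dataclass
class AppConsent:
    display_name: str
    scopes: list
    consent_type: str            # "AllPrincipals" = admin consent, "Principal" = one user
    baa_on_file: bool = False    # tracked by IT from the vendor-vetting step

@dataclass
class Review:
    app: str
    decision: str                # "approve" | "needs-review" | "reject"
    findings: list = field(default_factory=list)

def review_consent(app: AppConsent) -> Review:
    requested = set(app.scopes)
    findings = []
    broad = sorted(requested & BROAD_SCOPES)
    if broad:
        findings.append("broad scopes exceed least privilege: " + ", ".join(broad))
    touches_phi = bool(requested & PHI_CAPABLE_SCOPES)
    if touches_phi and not app.baa_on_file:
        findings.append("PHI-capable access with no BAA on file")
    if app.consent_type == "AllPrincipals":
        findings.append("admin consent: every user's data is in scope")
    extra = sorted(requested - MINIMAL_OK - BROAD_SCOPES)
    if extra:
        findings.append("non-standard scopes need manual review: " + ", ".join(extra))
    if touches_phi and not app.baa_on_file:
        decision = "reject"                    # No BAA = no approval
    elif findings:
        decision = "needs-review"
    else:
        decision = "approve"
    return Review(app.display_name, decision, findings)

# Constructed sample consents (names are made up).
SAMPLE_CONSENTS = [
    AppConsent("Signature Tool", ["User.Read", "openid", "profile"], "Principal"),
    AppConsent("Mail Analytics Bot", ["Mail.Read", "User.Read.All"], "AllPrincipals"),
    AppConsent("Care Notes Sync", ["Files.Read.All", "User.Read"], "AllPrincipals", baa_on_file=True),
]

def triage(consents=SAMPLE_CONSENTS) -> dict:
    return {r.app: r.decision for r in map(review_consent, consents)}

if __name__ == "__main__":
    for c in SAMPLE_CONSENTS:
        r = review_consent(c)
        print(r.app, "->", r.decision, r.findings)
```

The "reject" branch is deliberately checked before anything else: an app that can reach PHI without a BAA is not a judgement call under the policy, while broad scopes or admin consent on their own only push the app to manual review.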
System | URL | Purpose & Notes
YardiOne (Main ERP) | 43220bright.yardione.com | Primary property management ERP — all communities run through Yardi. Also hosts BW University eLearning.
Brightwater Senior Living University | brightwaterseniorliving.yardielearning.com | Yardi eLearning / BW University LMS admin dashboard
UKG (Time & Attendance) | secure6.entertimeonline.com | UKG workforce management. Source of DailyActiveEmployees.csv delivered via SFTP for training gap automation.
Relias (Training / Compliance LMS) | Via API — see Automation section | Compliance training platform. Accounts synced to Entra via runbook. Entra Department field = Relias EmployeeID. Relias has its own admin portal — credentials in IT Glue.
Aspire (LMS — Learning & Document Management) | Via SFTP + API — see Automation section | Training and document management platform. Live across all properties, but active use is limited: HR and Health Services are the only departments currently utilizing it. All other departments need to work with IT to migrate their training materials and department documents to Aspire. Next in line: Dining — waiting on Dining's internal document reorganization before upload can begin. Auth via aspire_auth.py; LP section requires ASPIRE_TOKEN env var. Project files: IT\Projects\Aspire Rollout\.
Stratos / Sentrics / Silversphere | stratos.silversphere.com | Resident monitoring, safety call systems, and activity technology.
CloudApper | web.cloudapper.com | Workforce / HR app platform.
First Access (Door Locks) | Local software — on-site | Door access control system at Rosewood Estates (405-RWE) and The Bradley (401-BDY). Backup file: IT\backups\First Access backup\FirstAccess.bak. How-to docs in IT Glue per property.
Connexall Care | On-site | Resident monitoring/nurse call system at Ravines Senior Suites (322-RAV) only. Different from Sentrics/Stratos used at other properties — Ravines is a partial/KSV engagement.
Status Solutions / Sara (eMessenger) | Local servers on-site | Resident emergency call system. On-site at Tuxedo (107-TUX), Linden Pointe (110-LDR), Capital Crossing (108-CAP — decommissioning). Carnegie Heights has a dedicated SARA WiFi SSID — verify full scope. Each site has its own server and admin interface (IPs in IT Glue).
ScreenCloud OS | Cloud | Digital signage platform. KB in IT Glue.
GoIcon / Community Kiosk | On-site kiosks | Resident/visitor kiosk system. Setup doc in IT Glue.
Yardi CRM | 43220bright.yardione.com | CRM module within YardiOne. Used by sales — if down, sales process cannot proceed.
Yardi Check Scan | Local (installed) | CRITICAL — required to process incoming checks. If unavailable, check processing is blocked. Credentials in IT Glue.
Yardi yCheck (Check Printing) | Local (installed) | CRITICAL — required to print checks. If unavailable, outgoing payments are blocked. Credentials in IT Glue.
Crestron Go | App-based | Digital signage and cable box control in common areas. Low business impact — in use at Linden Pointe and Capital Crossing. Server: Linden Pointe – 10.100.90.132. Config doc in IT Glue.
NVMS AI | On-site | Security camera system at Linden Pointe (110-LDR). Stored and live footage access. Details in IT Glue.
Consensus E-Fax | Cloud | Electronic fax platform. If unavailable, e-faxing is blocked. Credentials in IT Glue.
Adobe (All Products) | adminconsole.adobe.com | VIP #: E40A7BF85E5264E2161A. Renews approximately November. 78 users, 2 admins (mark.harper + it@bwliving.com), 20 user groups. Current license inventory:
  • Acrobat Pro — 5/5 (fully utilized): Anna Harsh, Cynthia Sincuir, Evelyn Hernandez, Amber Kelsey, Lisa Delgado
  • Acrobat Standard DC — 65/68 (3 available): Distributed across all properties and Corp (201)
  • Creative Cloud Pro — 4/4 (fully utilized): Hayley Purvis (Marketing), Mackenzie Dunham (Marketing), Casey Sherrell (Media Manager, Central Office), and Cassandra Grisar (Director of Marketing, Central Office — ⚠ Adobe account display name is incorrectly set to "Carnegie Heights" from when she worked at that property; should be corrected to her actual name in Admin Console)
  • InDesign — 4/5 (1 available): Shelby Johnstone (401-BDY), Dorothy Guerra (403-GLC), Makenna Simmons (109-CAR), Sara Kovis (109-CAR)
3 users have no user group assigned (Tarren Black, Cheyenne Flores, Jennifer Sanchez Flores) — verify they are still active employees before renewal.
Managed in Adobe Admin Console. Monthly billout tracked in IT\Monthly Billouts\Adobe Billout.xlsx. Credentials in IT Glue.
Vonage | businesssupport.vonage.com | Hosted phone system at Highland (103-HLD). Account: 43471. Support portal: businesssupport.vonage.com.
LifeSmart (Pharmacy EHR) | Local (Citrix-based) | Pharmacy EHR system used at Linden Pointe (110-LDR) and Tuxedo (107-TUX) only. Staff access the pharmacy's EHR through a Citrix-hosted environment. Requires 3 software packages to be installed: Citrix Workspace, ScrewDrivers (print driver), and CloudWerx. A Datto RMM component was created to deploy all 3 packages automatically to any workstation that needs pharmacy access — use that component rather than manually installing. Installer files also available in IT\Software\LifeSmart EHR\. Credentials in IT Glue.
EntraPass / Kantech (Door Access) | http://10.12.3.205:81/EntrapassWeb/ | Kantech EntraPass door access control system — used at Ravines Senior Suites (322-RAV) only. Web client runs on a local server (internal network access only). Installer: IT\Software\EntraPass\EntraPass web.msi. Separate from Omnia (used at most other properties) and First Access (Rosewood, Bradley). Credentials in IT Glue.
Yardi Panini Check Scanner | Local (installed) | Hardware check scanner driver/software for Yardi Check Scan. Panini Universal Installer v4.5.300 in IT\Software\Yardi\. Required for Yardi Check Scan to process incoming checks. Install on any workstation used for check processing.

MSP & ITSM Tools

Tool | URL | Purpose
IT Glue | brightwater-senior-living.itglue.com | Primary documentation and password vault. SOPs, network diagrams, credentials, asset records. Start here for any missing context.
KaseyaOne | one.kaseya.com | Unified MSP portal (PSA, RMM, billing hub)
Datto RMM | portal.rmm.datto.com | Remote Monitoring and Management platform. The Datto agent is pushed to new devices by Intune during Autopilot enrollment. Once the agent checks in, Initial Audit jobs run automatically to deploy the standard app set. Also used for ongoing endpoint monitoring and remote management across all sites. Credentials in IT Glue.
ScalePad | app.scalepad.com | Hardware asset lifecycle management — warranty tracking, EOL alerts. Asset export: IT\Mark's stuff\Reports\ScalePad-Assets-*.xlsx
Autotask | ww4.autotask.net | IT ticketing system. Employees do not have a portal — they email it@bwliving.com and Autotask automatically creates a ticket from the inbound email. IT staff manage and resolve tickets from within Autotask. Credentials in IT Glue.
MSP Manager | app.mspmanager.com | Ticketing and project management for MSP work
SafeHarbor Solutions SharePoint | safeharborsolution.sharepoint.com | MSP shared documents, service desk resources
Pluralsight | app.pluralsight.com | IT team technical training and certifications
Motion (Project / Task Management) | app.usemotion.com | IT Department workspace (26 tasks), plus personal workspace. All active projects tracked here.

Procurement & Vendors

Procurement process: IT Procurement Policy is in IT\Mark's stuff\Documents\Policies and Memos\IT Procurement Policy (003).docx. PO templates and signed POs are in IT\Purchases\PO's\. All major purchases require approval before ordering.
Vendor | URL | Use Case | Notes
Connection.com | connection.com | Primary US hardware & software vendor | Contact: Michael Mara — michael.mara@connection.com, 847-592-9155 / 830-318-6019
CDW Canada | cdw.ca | Canada hardware — network expansion equipment and Canadian property orders | Invoices in IT\Purchases\Invoices\CDW.ca\
Compugen | (none listed) | Canadian boots-on-the-ground support | On-site support contractor for Canadian properties — not a hardware vendor in the same way as CDW. Purchase records in IT\Purchases\Compugen\
Dell | dell.com/support/home | Hardware warranty support | Dell Auction (dellauction.com) for refurbished equipment
Lenovo PSREF | psref.lenovo.com | Lenovo product specs, compatibility reference | Use to verify dock/display compatibility before ordering
Apple Business Manager | business.apple.com | Apple device procurement & DEP enrollment | Also used for iTunes VPP credit
Adobe Admin Console | adminconsole.adobe.com | Adobe license management & procurement | 5× Acrobat Pro, 68× Acrobat Standard DC, 4× Creative Cloud Pro, 5× InDesign. Renews ~November. Monthly billout: IT\Monthly Billouts\Adobe Billout.xlsx

Printers & Copiers

Standardization in progress. The printer/copier fleet is a mix across properties — each community may have legacy devices on different contracts. The direction is to standardize: Canada → Xerox contracts; US → Pacific Office Automation. When a property's device comes up for renewal, push toward the appropriate standard vendor for their region.
Region | Preferred Vendor | Portal | Notes
Canada (ON, SK) | Xerox | accounts.xerox.com | Xerox manages contracts, service, and supplies for Canadian properties on the standard. Credentials in IT Glue.
USA (WA, OR, CA, ID) | Pacific Office Automation | (none listed) | Primary preferred copier/printer vendor for US properties. Contact and account details in IT Glue. Push renewals here when legacy contracts expire.

Note: Not all properties are on the standard vendor yet — check IT Glue per property org for their current printer/copier contract, service contact, and meter-read submission process. Properties largely self-manage day-to-day consumables (toner, paper); IT handles contract renewals and escalations.

Monthly Recurring Costs — Billout Files

All vendor cost-allocation spreadsheets are in IT\Monthly Billouts\ on OneDrive. Key files:

File | Vendor | Notes
Adobe Billout.xlsx | Adobe | Per-community Adobe license cost split
AT&T billing split.xlsx | AT&T | US mobile cost allocation
Chrome Enterprise.xlsx | Google | Chrome Enterprise device licensing
Consensus Efax Billout.xlsx | Consensus eFax | Fax number cost allocation
Godaddy Big Bill.xlsx | GoDaddy | Domain and hosting cost split
Kaseya Billout.xlsx | Kaseya | RMM/MSP tool cost allocation
Microsoft Azure Invoice GXXX Allocation.xlsx | Microsoft Azure | Azure cost per community
O365 License Allocation Mark.xlsx | Microsoft 365 | Per-community M365 license costs
Rogers Breakdown.xlsx | Rogers | Canadian mobile billing breakdown
Vonage.xlsx | Vonage | Phone system cost allocation

Domain Names (GoDaddy)

⚠ URGENT — reginaseniors.com expires June 26, 2026. This domain is registered in GoDaddy for Victoria Park (Regina, SK). Renewal must be actioned before that date or the domain lapses. Log in to GoDaddy (credentials in IT Glue) and renew or enable auto-renew. Do not let this expire — it is the public-facing domain for an active community.

All Brightwater domain registrations are managed through GoDaddy. See IT\Monthly Billouts\Godaddy Big Bill.xlsx for the full domain list and cost allocation per community.

Automation & Scripts

Azure Automation Runbooks (bwautomate)

How to access: Azure Portal → Automation Accounts → bwautomate (Resource Group: bwautomationcsp). Monitor recent Jobs for failures. Both runbooks are scheduled to run every 4 hours.
Runbook | Schedule | What It Does | Key Quirks / Gotchas
User-Cleanup Every 4 hours Finds disabled Entra accounts → deactivates in Relias → strips M365 licenses.
Logs each processed account to the ProcessedDisabledUsers Automation variable (365+ entries — do NOT clear this list).
  • Matches Relias by Entra Department field = Relias EmployeeID
  • Blank Department = skips Relias step, logs "not needed"
  • Display name contains (Shared) = account already offboarded, this is normal
  • Skip reasons are logged — review if someone was not properly deactivated
Sync-ReliasGUIDsFromEntra Every 4 hours Reads Entra Object IDs and writes them into Relias globalUniqueId field. Required for Relias to match accounts to Entra identities.
  • Params are [string] type — Azure Automation passes "$true" strings, NOT booleans. Do not change to [switch].
  • Sanitizes UPN — strips surrounding quotes (e.g. '"email"' → email)
  • Skip reasons: no Entra account, no O365 account, unmapped OfficeLocation, already synced, on excluded list
  • Excluded user: 322RAV (Mary Trainor at Ravines)
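The two runbooks' decision rules (which accounts User-Cleanup processes or skips and why, and the five skip reasons plus the string-typed parameters and UPN sanitizing in Sync-ReliasGUIDsFromEntra) are easier to reason about when traced on sample data. The block below is an added illustration in Python; the real runbooks are PowerShell in Azure Automation and this is not their code. Graph, Relias and the ProcessedDisabledUsers variable are stood in for by dictionaries and a set, and every account, Object ID and OfficeLocation value is constructed.

```python
"""Decision logic of the two bwautomate runbooks, re-expressed in Python as an
added illustration. The real runbooks are PowerShell in Azure Automation; this
is not their code. Graph, Relias and the ProcessedDisabledUsers variable are
replaced by in-memory dicts/sets, and all sample data is constructed."""

# ---- User-Cleanup ---------------------------------------------------------
def cleanup_decision(account: dict, processed: set, relias_ids: set) -> tuple:
    """Return (action, reason). `processed` mirrors ProcessedDisabledUsers: it
    must persist between runs, otherwise every disabled account is re-handled."""
    upn = account["upn"]
    if account["enabled"]:
        return "skip", "account still enabled"
    if upn in processed:
        return "skip", "already in ProcessedDisabledUsers"
    if "(Shared)" in account["displayName"]:
        return "skip", "already offboarded (Shared mailbox)"   # normal, not an error
    dept = (account.get("department") or "").strip()          # Department = Relias EmployeeID
    if not dept:
        return "process", "Relias step not needed (blank Department)"
    if dept not in relias_ids:
        return "process", f"no Relias match for EmployeeID {dept}; strip licenses only"
    return "process", f"deactivate Relias EmployeeID {dept}; strip licenses"

def run_cleanup(accounts, processed: set, relias_ids: set) -> list:
    log = []
    for acct in accounts:
        action, reason = cleanup_decision(acct, processed, relias_ids)
        log.append((acct["upn"], action, reason))
        if action == "process":
            processed.add(acct["upn"])   # written back to the Automation variable
    return log

# ---- Sync-ReliasGUIDsFromEntra -------------------------------------------
def automation_bool(value) -> bool:
    """Azure Automation passes [string] params as the text "$true"/"$false";
    that is why the runbook keeps [string] instead of [switch]."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lstrip("$").lower() in {"true", "1", "yes"}

def sanitize_upn(raw: str) -> str:
    """Strip surrounding quotes: '"email"' -> email."""
    return raw.strip().strip("'\"")

def sync_decision(relias_user: dict, entra: dict, office_map: dict, excluded: set) -> tuple:
    """Skip reasons match the runbook's five: excluded, no Entra, no O365,
    unmapped OfficeLocation, already synced. Otherwise write the Object ID."""
    if relias_user["employeeId"] in excluded:
        return "skip", "on excluded list"
    acct = entra.get(sanitize_upn(relias_user["upn"]))
    if acct is None:
        return "skip", "no Entra account"
    if not acct.get("hasO365"):
        return "skip", "no O365 account"
    if acct.get("officeLocation") not in office_map:
        return "skip", "unmapped OfficeLocation"
    if relias_user.get("globalUniqueId") == acct["objectId"]:
        return "skip", "already synced"
    return "write", acct["objectId"]   # value to put in Relias globalUniqueId

# Constructed sample data (not real accounts).
ENTRA_ACCOUNTS = [
    {"upn": "a.smith@bwliving.com", "enabled": False, "displayName": "Ann Smith", "department": "E1001"},
    {"upn": "b.jones@bwliving.com", "enabled": False, "displayName": "Bob Jones (Shared)", "department": "E1002"},
    {"upn": "c.lee@bwliving.com", "enabled": False, "displayName": "Cara Lee", "department": ""},
    {"upn": "d.kim@bwliving.com", "enabled": True, "displayName": "Dan Kim", "department": "E1004"},
]
RELIAS_IDS = {"E1001", "E1002"}
ENTRA_DIR = {
    "a.smith@bwliving.com": {"objectId": "obj-a", "hasO365": True, "officeLocation": "Tuxedo"},
    "e.ray@bwliving.com": {"objectId": "obj-e", "hasO365": False, "officeLocation": "Tuxedo"},
    "f.ng@bwliving.com": {"objectId": "obj-f", "hasO365": True, "officeLocation": "Unknown Site"},
    "g.hu@bwliving.com": {"objectId": "obj-g", "hasO365": True, "officeLocation": "Tuxedo"},
}
OFFICE_MAP = {"Tuxedo": "107TUX"}
RELIAS_USERS = [
    {"employeeId": "322RAV", "upn": "excluded@bwliving.com"},
    {"employeeId": "E1001", "upn": '"a.smith@bwliving.com"'},
    {"employeeId": "E1005", "upn": "nobody@bwliving.com"},
    {"employeeId": "E1006", "upn": "e.ray@bwliving.com"},
    {"employeeId": "E1007", "upn": "f.ng@bwliving.com"},
    {"employeeId": "E1008", "upn": "g.hu@bwliving.com", "globalUniqueId": "obj-g"},
]

def run_sync(users=RELIAS_USERS, entra=ENTRA_DIR, office_map=OFFICE_MAP, excluded=frozenset({"322RAV"})):
    return [(u["employeeId"], *sync_decision(u, entra, office_map, set(excluded))) for u in users]

if __name__ == "__main__":
    processed = set()
    for row in run_cleanup(ENTRA_ACCOUNTS, processed, RELIAS_IDS) + run_sync():
        print(row)
```

Running `run_cleanup` a second time with the same `processed` set shows why the ProcessedDisabledUsers list must not be cleared: on the first pass the disabled accounts are processed, on the second they are skipped as already handled.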

Local Scripts — C:\Scripts\ on I7TEST01

These scripts do NOT run in Azure. The SFTP server (bwlivingftp.com) is IP-whitelisted and Azure cannot reach it. Scripts must run on I7TEST01 — the desktop machine in the Central Office IDF (Bend, OR). If this machine is replaced or retired, the scripts and scheduled task must be migrated before decommissioning.
File | Role | Notes
weekly_training_gaps.py | Main script (runs daily) | Pulls UKG SFTP + Relias API + Aspire SFTP + Aspire LP API. Generates Output/training_gaps.html and Output/training_gaps_summary.json. Emails report to it@bwliving.com. Also disables Entra accounts for employees marked Deceased in UKG.
aspire_lp_rules.py | Required dependency | Contains ASPIRE_LP_RULES dict (currently empty — HSVS/EHR LP rules not yet populated). Must exist alongside main script or it will fail to import.
aspire_auth.py | Required dependency | Aspire API authentication helper. Must exist alongside main script.
Output/training_gaps.html | Output | Latest HTML training gap report — viewable in any browser
Output/training_gaps_summary.json | Output | Latest JSON summary of training gaps
weekly_training_gaps_kb.html | Documentation | Knowledge base runbook for the main script — read this for full operational detail

Required Environment Variables (on I7TEST01)

Variable | Purpose | If Missing
GRAPH_TENANT_ID | Azure AD tenant ID for Graph API (deceased employee Entra disable) | Deceased disable feature will not run
GRAPH_CLIENT_ID | App registration client ID | Deceased disable feature will not run
GRAPH_CLIENT_SECRET | App registration client secret | Deceased disable feature will not run
ASPIRE_TOKEN | Aspire LP API token | LP section is skipped gracefully — no error, just no LP data in report

Account Creation Scripts — C:\Scripts\ on I7TEST01

IT Glue article may be out of date. The canonical reference is Account Creation Script — IT Glue (last saved Oct 15, 2025). Treat the article as a guide; verify line numbers in the actual scripts before making changes.

New employee accounts are provisioned via two scripts on I7TEST01. Running them in sequence sets up M365, Yardi, and email notifications for the new hire's community.

File | Language | What It Does | Key Variable(s)
auto365.ps1 | PowerShell | Creates and configures the new user's M365 / Entra account. Maps communities via accounting numbers and names so the account is assigned to the right property. | $communities (~line 27) — dictionary of accounting number → community name. Must match exactly how the community appears in UKG New Hire Reports.
  Secondary community mapping (~line 169) — used when the community name appears in reports instead of its accounting code. Must only reference keys already in $communities.
autoYardiCreator.py | Python | Provisions the new employee in Yardi. Uses the properties dictionary to map accounting numbers to Yardi property records. | properties (~line 280) — dictionary mapping accounting number → Yardi property. See the IT Glue article for video walkthrough on how to find property IDs in Yardi.
  boss_roles (~line 600) — list of job titles that receive an email notification when a new account is created. Add/remove titles here to control who gets notified per community.

Master Contact List

A spreadsheet (location: C:\Scripts\ on I7TEST01 or check IT Glue) drives the notification emails sent to specific job titles at each community after account creation.

When a new community is added to BW, update all three places:
  1. auto365.ps1 — $communities variable (and secondary mapping if needed)
  2. autoYardiCreator.py — properties dictionary
  3. Master Contact List → new community header row with accounting number in Column A
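Because the three places are maintained by hand, the first thing to check when a new hire lands in the wrong property is whether they still agree. The block below is an added example, not part of the provisioning scripts: it takes the $communities dictionary and its secondary mapping, the autoYardiCreator.py properties dictionary and the Column A values of the Master Contact List (all modelled as plain Python data and all sample values constructed) and reports every inconsistency the three-places rule above forbids, plus any community name in a UKG New Hire Report that neither dictionary can resolve.

```python
"""Consistency check for the three places that must agree when a community is
added (auto365.ps1 $communities and its secondary mapping, autoYardiCreator.py
properties, and the Master Contact List header rows). Added example, not the
provisioning scripts. Assumptions: the PowerShell/Python dictionaries are
modelled as plain dicts keyed by accounting number, the secondary mapping as
report name -> accounting number, and the contact list as the Column A values.
All sample values are constructed."""

def check_community_mappings(communities: dict, secondary: dict,
                             yardi_properties: dict, contact_col_a: list) -> list:
    problems = []
    codes = set(communities)
    # Secondary mapping may only reference keys already present in $communities.
    for name, code in secondary.items():
        if code not in codes:
            problems.append(f"secondary mapping '{name}' -> {code}: not a $communities key")
    # Every accounting number needs a Yardi property record, and vice versa.
    for code in sorted(codes - set(yardi_properties)):
        problems.append(f"{code} ({communities[code]}): missing from autoYardiCreator.py properties")
    for code in sorted(set(yardi_properties) - codes):
        problems.append(f"{code}: in Yardi properties but not in $communities")
    # Master Contact List header rows carry the accounting number in Column A.
    header_codes = {str(v).strip() for v in contact_col_a if str(v).strip()}
    for code in sorted(codes - header_codes):
        problems.append(f"{code} ({communities[code]}): no header row in Master Contact List")
    return problems

def unmapped_report_communities(report_values: list, communities: dict, secondary: dict) -> list:
    """Values from a UKG New Hire Report that neither dictionary can resolve;
    these are the hires auto365.ps1 would assign to the wrong (or no) property."""
    known = set(communities) | set(communities.values()) | set(secondary)
    return sorted({v.strip() for v in report_values if v.strip() not in known})

# Constructed sample (accounting numbers follow the page's NNN-XXX style).
COMMUNITIES = {"107-TUX": "Tuxedo", "110-LDR": "Linden Pointe", "322-RAV": "Ravines Senior Suites"}
SECONDARY = {"Tuxedo Villa": "107-TUX", "Linden": "999-ZZZ"}       # second entry is the error
YARDI_PROPERTIES = {"107-TUX": "tux01", "110-LDR": "ldr01"}      # 322-RAV missing
CONTACT_COL_A = ["107-TUX", "Director of Care", "", "322-RAV"]   # 110-LDR header row missing

def sample_problems() -> list:
    return check_community_mappings(COMMUNITIES, SECONDARY, YARDI_PROPERTIES, CONTACT_COL_A)

if __name__ == "__main__":
    for p in sample_problems():
        print("PROBLEM:", p)
    print(unmapped_report_communities(["Tuxedo", "Linden", "Capital Crossing"], COMMUNITIES, SECONDARY))
```

To use it against the real scripts, export the two dictionaries (for example by dumping them to JSON from each script) and the contact list's Column A from the spreadsheet, rather than re-typing values; the check is only as good as the copies it is given.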

SFTP Server

Item | Value
Host | bwlivingftp.com
Credentials | Stored at the top of C:\Scripts\weekly_training_gaps.py
Key file paths | /UKG/DailyActiveEmployees.csv — header on row 7
  /UKG/OLD/DailyTerminatedEmployees_*.csv
  /UKG/OLD/ScheduledNewHireReport_*.csv — header on row 6
Access restriction | IP whitelisted — run from I7TEST01 (local machine) only. Azure cannot reach this SFTP server.

Identity / Offboarding Flow

How it connects end-to-end:
UKG flags employee as Deceased → weekly_training_gaps.py picks this up from DailyActiveEmployees.csv → disables their Entra account via Graph API → Azure Automation User-Cleanup runbook picks up the disabled account → strips M365 licenses + deactivates Relias → Aspire and Yardi are handled as secondary steps.

Known exclusion: Employee 322RAV (Mary Trainor, Ravines Senior Suites) is excluded from Aspire and Relias checks in weekly_training_gaps.py. She has no Entra account and is on the Sync-ReliasGUIDsFromEntra runbook skip list. Ravines is a partial engagement — BW manages the Senior Suites side only under KSV conservatorship.
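The first hop of that flow (reading DailyActiveEmployees.csv, whose header is on row 7, and picking out the Deceased rows while honouring the 322RAV exclusion) is where a successor is most likely to trip, because the UKG export starts with preamble lines that a plain CSV reader would take for data. The block below is an added example, not weekly_training_gaps.py: it skips the preamble, returns the addresses that would be disabled, and reports whether the three Graph environment variables that gate the disable step are present. Column names (Employee ID, Status, Email) and the CSV text are constructed; the SFTP download itself is left out.

```python
"""Reads the UKG extracts the way the SFTP table describes them (header on
row 7 for DailyActiveEmployees.csv, row 6 for ScheduledNewHireReport_*.csv),
picks out employees marked Deceased, honours the 322RAV exclusion, and checks
the environment variables that gate the Entra disable step. Added example, not
weekly_training_gaps.py. Column names (Employee ID, Status, Email) and the CSV
text are assumptions/constructed; the SFTP download itself is left out."""
import csv
import io
import os

HEADER_ROW = {"DailyActiveEmployees.csv": 7, "ScheduledNewHireReport": 6}  # 1-based, from the SFTP table
EXCLUDED_EMPLOYEE_IDS = {"322RAV"}   # Ravines partial engagement; no Entra account

def read_ukg_csv(text: str, header_row: int) -> list:
    """Drop the report preamble so DictReader sees the real header row."""
    lines = text.splitlines()
    if len(lines) < header_row:
        raise ValueError(f"expected header on row {header_row}, file has {len(lines)} lines")
    return list(csv.DictReader(io.StringIO("\n".join(lines[header_row - 1:]))))

def deceased_upns(rows: list, excluded=EXCLUDED_EMPLOYEE_IDS) -> list:
    """Email addresses (lower-cased) whose Entra account should be disabled."""
    found = []
    for row in rows:
        if (row.get("Status") or "").strip().lower() != "deceased":
            continue
        if (row.get("Employee ID") or "").strip() in excluded:
            continue
        email = (row.get("Email") or "").strip().lower()
        if email:                       # no UPN means nothing to disable; report it instead
            found.append(email)
    return found

def graph_disable_configured(env=None) -> dict:
    """The Entra disable step needs all three Graph variables; ASPIRE_TOKEN only
    controls whether the LP section runs (its absence is a graceful skip)."""
    env = os.environ if env is None else env
    needed = ("GRAPH_TENANT_ID", "GRAPH_CLIENT_ID", "GRAPH_CLIENT_SECRET")
    missing = [n for n in needed if not env.get(n)]
    return {"disable_deceased": not missing, "missing": missing,
            "lp_section": bool(env.get("ASPIRE_TOKEN"))}

# Constructed sample: six preamble lines, header on row 7, as the real export has.
SAMPLE_DAILY_ACTIVE = "\n".join([
    "Daily Active Employees", "Run date: 2026-06-11", "Company: Brightwater", "", "", "",
    "Employee ID,Name,Status,Email,Community",
    "E1001,Ann Smith,Active,ann.smith@bwliving.com,107-TUX",
    "E1002,Bob Jones,Deceased,bob.jones@bwliving.com,110-LDR",
    "322RAV,Excluded Employee,Deceased,excluded@bwliving.com,322-RAV",
    "E1004,Dan Kim,deceased,Dan.Kim@bwliving.com,108-CAP",
])

def sample_disable_list() -> list:
    return deceased_upns(read_ukg_csv(SAMPLE_DAILY_ACTIVE, HEADER_ROW["DailyActiveEmployees.csv"]))

if __name__ == "__main__":
    print(graph_disable_configured())
    print(sample_disable_list())
```

The status comparison is case-insensitive on purpose: a value of "deceased" in a different case must still trigger the disable, while a shorter-than-expected file raises rather than silently returning zero rows, so a truncated SFTP download does not look like "nobody to disable".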

Files & Key Locations

Location | What's There
/IT (SharePoint) | SharePoint root site → /IT. Top-level folders: CAPEX, Documentation, Financials, How To, Job Descriptions, Logos, Mark's stuff, Monthly Billouts, Office Licenses, Policies, Projects, Purchases, Regulations, Scripts, Security, Software, Training. All organized — start here for any IT process, quote, PO, or billout.
IT\Projects\ | One subfolder per active project (see Active Projects section). Key active ones: 351 New Network, Aspire Rollout, Firewall Swaps, Windows 10 Replacement, Yardi Security Group Cleanup, Transitions.
IT\Monthly Billouts\ | Cost-allocation spreadsheets for every recurring IT vendor. One file per vendor. Used for monthly billing audit.
IT\Scripts\ | PowerShell and utility scripts — CreateO365User, DeleteO365User, BulkDeleteO365Users, mailbox scripts, etc. MarkScripts and JadeScripts subfolders.
IT\Policies\ | Information Security Policy, HIPAA/PHI compliance docs, SLA, PHIPA (Canadian privacy regulation).
IT\Documentation\ | Computer Info per community, network docs (firewall photos, Canadian network dump), org structure docs for Ontario properties, Mobile Device Locations spreadsheet.
C:\Scripts\ on I7TEST01 | All local automation scripts — weekly_training_gaps.py, aspire_auth.py, aspire_lp_rules.py, outputs, KB article. This is on the automation machine, not Azure.
IT Glue | brightwater-senior-living.itglue.com — passwords, network diagrams, SOPs, asset records, runbook documentation. Start here for any credential or procedure you can't find elsewhere. Payroll Automation flow is also documented here.
Azure Automation Variable: ProcessedDisabledUsers | Running list of Entra accounts already processed by User-Cleanup (365+ entries). Do not clear this — it prevents re-processing. View in bwautomate → Variables.
SharePoint — BW Intranet | bwliving.sharepoint.com/Brightwater
Transition Meeting Notes | Previously in Brooke Hausman's OneDrive → Documents → Meeting Notes & Agendas → Transition Meeting Notes & Agendas. Brooke Hausman is leaving — confirm where these notes will live going forward.
Mt. Bachelor IT Inventory | Pull from IT Glue — Mt. Bachelor organization. The old Box application link (ventasreit.app.box.com) is outdated and should not be used. All current IT inventory for Mt. Bachelor is in IT Glue. Needed for July 1, 2026 transfer to Cascade Living Group.
Bartlett Transition Docs | Box — app.box.com/folder/268795103117 (bookmarked as "The Bartlett Transition")
Canada 6 Transition (Hawthorn) | Box — app.box.com/folder/169748273628 (bookmarked as "Canada 6 Transition")
Master Contact List | SharePoint → Brightwater → Collaboration → All Communities → Master Contact List — OAD and key staff contacts for every community. Also used by the account creation script to drive notification emails.
New Community Transition Questionnaire | IT Glue → Checklists → New Community Transition Questionnaire — 33-item intake checklist used when BW takes over a new community. Covers: network (switches, firewall, WiFi controller), on-site servers, printers, PCs (local admin, encryption, MDM, login config), AV/EDR/backup, telecom, ISP, software (CRM, EHR, Office, PDF, Windows licensing, security training), mobile devices, Apple Business Manager, fax, DNS, and eFax. Run this first before making any changes at a new site. Note: there is no equivalent offboard checklist. When a community leaves BW, the incoming management company sends their own IT transition requirements — BW responds to that. Do not go looking for an internal offboard playbook; wait for (or proactively request) the incoming company's list.
Motion Task Manager | app.usemotion.com — IT Department workspace (26 active tasks), My Private Workspace (371 tasks including recurring admin tasks)

GoDaddy Domain Portfolio (53 domains)

⚠ reginaseniors.com expires June 26, 2026 — auto-renew is ON but verify manually. This is the Victoria Park (Regina, SK) vanity domain.

All 53 domains are managed at GoDaddy Domain Portfolio. Most are property vanity/forwarding domains redirecting to the main Brightwater site. Key domains visible in portfolio:

Domain | Maps To | Notes
residenceswinnipeg.com | Wix site | Linden Pointe marketing site — actively used on Wix
reginaseniors.com | Victoria Park page | Expires Jun 26, 2026 — verify renewal
highlandseniorlife.com | Highland page
tuxedoseniorlife.com | Tuxedo page
lindenseniorlife.com | Linden Pointe page
heritageseniorlife.com | Heritage Meadows page
guelphseniorlife.com | Guelph Lake Commons page
rosewoodseniorlife.com | Rosewood Estates page
victoriaseniorlife.com | Victoria Park page
vistasagehill.com | Vista at Sage Hill page
mirrorlakeseniorliving.com / mirrorlakevillage.com | MLV page | Two domains for same property
healdsburgseniorliving.com / theridgeseniorlife.com | Healdsburg page
santarosahills.com / santarosahillsseniorliving.com | Santa Rosa Hills
pineridgeseniorlife.com | Pine Ridge Terrace
retirementlivingcobourg.com | Rosewood Estates page
retirementlivingkanata.com | The Bradley page
retirementlivingontario.com | BW communities page
mtbachelorassistedliving.com / mtbachelormemorycare.com / mtbachelorseniorlife.com | Mt. Bachelor | 3 domains — review post-July 1 transfer whether to release or redirect
bwliving.ai | BWWebv2 VM — RG: AIChatWebServices | Employee self-service password reset portal — DNS resolves to the Azure Application Gateway (Appliationgateway), which routes to the BWWebv2 VM. Employees enter Employee ID + UKG phone number; system pushes the phone to Entra SSPR if missing, then redirects to Microsoft SSPR portal. See On-Premises Servers → BWWeb for full workflow and dependencies.
thebartlettliving.com | Aspira Life (Oshawa) | The Bartlett is fully transitioned — domain forwards to Aspira
discoverravines.com / discoverparkplace.com / discoverpromenade.com / courtyardsseniorlife.com | Various | Older vanity domains — verify what they forward to

How-To Video Library

Video walkthroughs stored in IT\How To\ on SharePoint. These are informal screen recordings — not polished training, but useful as first-pass orientation for the successor.

Video | Location | Covers
CreateO365User.mkv | IT\How To\Code Walkthroughs\ | How to create a new M365/O365 user account
BackupUserProfile All.mkv | IT\How To\Code Walkthroughs\ | Backing up a user profile before device wipe
AddPrinters.mkv | IT\How To\Code Walkthroughs\ | Adding printers to a workstation
getPropertyFromYardi.mp4 / usePropertyFromYardi.mp4 | IT\How To\Code Walkthroughs\ | How the automation scripts pull property/org data from Yardi
howtoaddtoipdetector.mp4 | IT\How To\Code Walkthroughs\ | Adding a site to the IP detection/named locations system
How to Check if Job Title missing assignment.mp4 | IT\How To\Code Walkthroughs\ | Checking for users missing job title → license assignment issue
Create Yardi Resident Assistant.mp4 | IT\How To\Code Walkthroughs\ | Yardi account creation for RA role
How to Create O365 Users and Yardi Accounts.mp4 | IT\How To\ | End-to-end new user provisioning (O365 + Yardi)
How to Delete User in O365.mp4 | IT\How To\ | User offboarding in M365
How to share in Sharepoint.mp4 | IT\How To\ | SharePoint sharing and permissions for community staff

Relias Training Platform — IT Reference

Relias is the LMS (Learning Management System) used for staff training compliance. IT manages SSO (SAML), user sync, and integration with the automation scripts. Reference files in IT\How To\Relias\.

Reference | Notes
SAML SSO Setup Guide | IT\How To\Relias\SAML - SSO_Single Sign On Guide.pdf — Relias SAML/SSO configuration. SSO is linked to Entra ID. If SSO breaks, staff cannot log in to Relias with their BW credentials.
UKG to Relias Mapping | IT\How To\Relias\UKG to Relias.xlsx and UKG to Relias 2.xlsx — field mapping for syncing HR data from UKG into Relias. Referenced by the weekly training gap automation.
Brightwater User List | IT\How To\Relias\BrightWater_SimpleUserList.xlsx — static user export used for mapping/validation.
DailyActiveEmployees | IT\How To\Relias\DailyActiveEmployees.csv/.xlsx — daily employee extract. Used as source of truth for active staff sync.
Resources Mapping.png | IT\How To\Relias\Resources Mapping.png — visual diagram of the Relias resource/property hierarchy mapping.

Knowledge Base Articles

Article | Location | Covers
weekly_training_gaps.py KB | C:\Scripts\weekly_training_gaps_kb.html | Dependencies, configuration, data flow, skip reasons, known issues
User-Cleanup.ps1 KB | IT Glue | M365 license removal, Relias deactivation, ProcessedDisabledUsers variable
Sync-ReliasGUIDsFromEntra.ps1 KB | IT Glue | Param types ([string]), skip reasons (5 types), line number references
Last updated: June 11, 2026 — Mark Harper, IT Manager, Brightwater Senior Living

Yardi DB Status Dashboard

Live dashboard: it-vault.pages.dev/yardi-dashboard.html — real-time view of active Yardi test-database restores. Accessible to any BW IT staff.

Purpose

Yardi Support regularly restores copies of Brightwater production databases into test environments so BW staff can verify bug fixes before those fixes go live. During an active restore the test DB is locked — BW staff should not use it. The Yardi DB Status Dashboard automatically tracks which test databases are in use and who is testing, so staff always know which DBs are safe.

How It Works

On every dashboard load a Cloudflare Pages Worker scans the BW Microsoft 365 tenant (via Microsoft Graph API) for emails matching these patterns:

New cases are evaluated by Claude AI to deduplicate entries, identify the BW tester, correct DB names from thread context, and detect when a fix has been deployed to LIVE (which triggers immediate removal).

Case Lifecycle

Stage | Trigger | Dashboard State
Case Opened | Approval email from Yardi Support: subject "Hosted DB Restore [Case ID: …]" or "Client Access [Case ID: …]" | Active row — no badge or green Active badge
Restore Done | Yardi sends DB restore completion notice to mark.harper@bwliving.com | Orange RESTORE DONE badge. Yardi finished the restore; BW employee is still testing. Not the same as deployed to LIVE.
Fix Deployed to LIVE | Kevin Craner (or another Yardi tech) emails confirmation that the package was loaded to LIVE; Claude detects the signal in the thread | Entry removed immediately and automatically
Manual Close | IT clicks "Close" on the dashboard | Moved to Closed archive table below (soft-delete — reversible)
Auto-Purge | 14 days after yardiClosed was set with no "deployed to LIVE" confirmation | Removed permanently from KV
Reactivate | IT clicks "Reactivate" in the Closed archive table | Entry returns to active table

Status Badges

Badge | Meaning
RESTORE DONE (orange) | Yardi has completed the database restore. The BW tester has been notified but may still be validating. Do not assume the fix is deployed to production until the entry disappears from the dashboard.
CLIENT ACCESS | Yardi opened direct client access to a test DB (not a full DB restore). Treated the same as an active restore for tracking purposes.

RESTORE DONE ≠ Fix Deployed to LIVE. The orange badge only means Yardi finished the restore operation. The BW employee is still testing. The entry leaves the dashboard automatically once Kevin Craner (or the Yardi tech) sends a deployment confirmation email containing "deployed to LIVE." Do not manually close a case just because you see RESTORE DONE.

Closing and Reactivating Cases

Cases close automatically when the AI detects a "deployed to LIVE" confirmation in the email thread. You can also manually close a case via the Close button, which moves it to the Closed archive below the main table. Closed cases can be reactivated from the archive at any time by clicking Reactivate.

If a case is missing from the dashboard (e.g., approved verbally or via a non-standard email), add it manually using the form on the dashboard page.

Technical Architecture

Component | Details
Hosting | Cloudflare Pages project: it-vault. URLs: it-vault.pages.dev / it-vault.bwliving.ai
Worker / API | functions/api/yardi-db.js — handles sync, manual-add, manual-close, manual-reactivate actions
KV Storage | Namespace BIBLE_KV (ID: 3d7db9fee53c4f1383decdaf3c82e33d). Key YARDI_ACTIVE_CASES — JSON array of all case objects. Key YARDI_LAST_SYNC — ISO timestamp of last email scan.
Email Scanning | Microsoft Graph API — scans mark.harper@bwliving.com and all shared tenant mailboxes. 60-day lookback.
AI Enrichment | Claude Haiku (claude-haiku-4-5-20251001) — deduplicates cases, identifies BW testers vs Yardi techs, corrects DB names from email thread context, detects "deployed to LIVE" signals in yardiClosed entries
Environment Secrets | MS_TENANT_ID, MS_CLIENT_ID, MS_CLIENT_SECRET (Graph API), ANTHROPIC_API_KEY (Claude)
Dashboard HTML | public/yardi-dashboard.html — static HTML + vanilla JS, no framework
Source Code | C:\Users\MarkHarper\Desktop\IT-Vault-CF\

Reading / Writing KV Directly

Important: wrangler kv key get may return stale replica data (or "Value not found") even when the live key exists. Always use the Cloudflare REST API for accurate reads and writes.

Action | Details
OAuth token location | %APPDATA%\xdg.config\.wrangler\config\default.toml — valid ~24h; run any wrangler command to refresh if expired
Account ID | f90337b80e6321ee268829bf96a966d2 (It@bwliving.com account)
List keys | GET https://api.cloudflare.com/client/v4/accounts/{accountId}/storage/kv/namespaces/3d7db9fee53c4f1383decdaf3c82e33d/keys
Read a key | GET …/values/YARDI_ACTIVE_CASES (or any key name)
Write a key | PUT …/values/BIBLE_HTML with the new value as the request body
Auth header | Authorization: Bearer <oauth_token>

KV dashboard URL: https://dash.cloudflare.com/{accountId}/workers/kv/namespaces (note: the /storage/kv/namespaces/… path returns 404 in the Cloudflare UI — use /workers/kv/namespaces instead).

Known Issues & Gotchas

Issue | Notes
Wrangler KV stale replica | wrangler kv key get may return "Value not found" even though the live KV has the value. Use the Cloudflare REST API instead (see above).
Case ID mismatch on closures | Yardi sometimes sends closure emails referencing a different Case ID than the original approval. The resolveUnmatchedClosures() function uses Claude to match by person name + "deployed" signal.
Missing cases | If a case was verbally approved (no email), add it manually via the form on the dashboard. Set the DB name, tester, and case ID manually.
enrichExistingCases skipping RESTORE DONE entries | The enrichment function must include yardiClosed entries (filter only on !c.claudeSkipped), otherwise "deployed to LIVE" emails won't trigger removal for entries already marked RESTORE DONE.
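The Case Lifecycle rules and the enrichExistingCases filter gotcha above, as an added illustration in plain JavaScript (this is not code from functions/api/yardi-db.js). The yardiClosed and claudeSkipped fields come from this page; deployedToLive, manuallyClosed, yardiClosedAt and the sample cases are constructed for the example.

```javascript
// Added example, not the worker's own code. Models the lifecycle table and the
// enrichment filter over constructed case objects (field names partly assumed).
const PURGE_AFTER_MS = 14 * 24 * 60 * 60 * 1000; // Auto-Purge window: 14 days

// Correct filter: RESTORE DONE (yardiClosed) entries must stay in the set Claude
// re-examines, because a later "deployed to LIVE" email is what removes them.
function selectCasesForEnrichment(cases) {
  return cases.filter((c) => !c.claudeSkipped);
}

// The gotcha from the Known Issues table, kept for comparison: excluding
// yardiClosed entries means a deployment confirmation can never remove them.
function selectCasesForEnrichmentBuggy(cases) {
  return cases.filter((c) => !c.claudeSkipped && !c.yardiClosed);
}

// Apply the lifecycle rules at time `now` (epoch ms) and report which case IDs
// stay active, move to the Closed archive, or are removed from KV.
// Assumption: stale yardiClosed entries are purged whether or not manually closed.
function applyLifecycle(cases, now) {
  const active = [], closed = [], purged = [];
  for (const c of cases) {
    if (c.deployedToLive) { purged.push(c.caseId); continue; }        // Fix Deployed to LIVE
    const closedAt = c.yardiClosedAt ? Date.parse(c.yardiClosedAt) : NaN;
    if (c.yardiClosed && now - closedAt > PURGE_AFTER_MS) {           // Auto-Purge
      purged.push(c.caseId); continue;
    }
    if (c.manuallyClosed) { closed.push(c.caseId); continue; }        // Manual Close (soft-delete)
    active.push(c.caseId);
  }
  return { active, closed, purged };
}

// Constructed sample cases (not real Yardi cases), evaluated as of 2026-06-11.
const SAMPLE_NOW = Date.parse('2026-06-11T00:00:00Z');
const SAMPLE_CASES = [
  { caseId: 'C-1001', db: 'bw_test1', tester: 'Tester A', yardiClosed: false },
  { caseId: 'C-1002', db: 'bw_test2', tester: 'Tester B', yardiClosed: true, yardiClosedAt: '2026-05-20T00:00:00Z' },
  { caseId: 'C-1003', db: 'bw_test3', tester: 'Tester C', yardiClosed: true, yardiClosedAt: '2026-06-09T00:00:00Z', deployedToLive: true },
  { caseId: 'C-1004', db: 'bw_test4', tester: 'Tester D', manuallyClosed: true },
  { caseId: 'C-1005', db: 'bw_test5', tester: 'Tester E', claudeSkipped: true },
  { caseId: 'C-1006', db: 'bw_test6', tester: 'Tester F', yardiClosed: true, yardiClosedAt: '2026-06-05T00:00:00Z' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(selectCasesForEnrichment(SAMPLE_CASES).map((c) => c.caseId));
  console.log(selectCasesForEnrichmentBuggy(SAMPLE_CASES).map((c) => c.caseId));
  console.log(applyLifecycle(SAMPLE_CASES, SAMPLE_NOW));
}
```

C-1002 is purged because its RESTORE DONE date is 22 days old with no deployment confirmation, while C-1006 (6 days) stays active; the buggy filter silently drops C-1002, C-1003 and C-1006 from enrichment.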
Last updated: June 11, 2026 — Mark Harper, IT Manager, Brightwater Senior Living