All posts by Ben Shields

Update to Managed Java Settings

An update was rolled out to the managed Java settings on Windows hosts in the CN domain. The GPO is currently applied to the CN, G1, G2, G3, and INTO-OSU OUs. If an OU is blocking inheritance or is outside of those OUs, the policy will not apply.

The managed settings now also deploy certificate trusts for the certificates on Banner, Appworx, and Nolij. This means that users should no longer be prompted with the usual “Do you want to run this application?” prompt when launching those applications, unless the certificates are changed at a later date.

If you run into users hitting “Do you want to run this application?” or other Java prompts for OSU applications, please let me (Ben) know so I can work on getting the deployed settings to play nice with those applications, or update the existing certs as needed.

The complete list of what settings we’re managing is:
– Force SSLv2ClientHello Format enablement (required for Banner to run properly under Java 8, off by default)
– Force TLSv1 enablement (required for Banner to run properly under Java 8, on by default but we don’t want people turning it off)
– Disable JRE auto-download (disable Oracle’s auto updater as much as Oracle will let us, so we don’t roll to known broken versions uncontrollably)
– Disable “Your Java version is out of date” messages (if we have to stay back on an old version, we don’t need to harass people about it)
– Disable sponsor offers on updates/installs (e.g. browser toolbars, as much as Oracle will let us turn this off)
– Import certificate trusts for Banner, Appworx, and Nolij
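
Added example (not the actual GPO contents and not code from this post): a small Python audit that checks a Java deployment.properties file for the settings listed above and confirms each one is locked so users cannot change it. That the settings are delivered through a system-level deployment.properties, the mapping of each bullet to a key, and the sample file contents are all assumptions.

```python
# Assumption: each managed setting maps to this deployment.properties key.
EXPECTED = {
    "deployment.security.SSLv2Hello": "true",        # force SSLv2ClientHello format
    "deployment.security.TLSv1": "true",             # force TLSv1
    "deployment.javaws.autodownload": "NEVER",       # disable JRE auto-download
    "deployment.expiration.check.enabled": "false",  # no "out of date" messages
    "install.disable.sponsor.offers": "true",        # no sponsor offers
}
TRUST_KEY = "deployment.system.security.trusted.certs"  # imported cert trusts
# Constructed sample, not the real file: TLSv1 unlocked, sponsor-offer key absent.
SAMPLE = r"""
deployment.security.SSLv2Hello=true
deployment.security.SSLv2Hello.locked
deployment.security.TLSv1=true
deployment.javaws.autodownload=NEVER
deployment.javaws.autodownload.locked
deployment.expiration.check.enabled=false
deployment.expiration.check.enabled.locked
deployment.system.security.trusted.certs=C\:\\Windows\\Sun\\Java\\Deployment\\trusted.certs
"""

def parse(text):  # returns (key -> value, set of locked keys)
    values, locked = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key.endswith(".locked"):
            locked.add(key[: -len(".locked")])
        else:
            values[key] = value
    return values, locked

def audit(text):  # returns findings: missing, wrong, or user-changeable
    values, locked = parse(text)
    findings = []
    for key, want in EXPECTED.items():
        if key not in values:
            findings.append(f"{key}: missing")
        elif values[key] != want:
            findings.append(f"{key}: is {values[key]!r}, expected {want!r}")
        elif key not in locked:
            findings.append(f"{key}: not locked")
    if not values.get(TRUST_KEY):
        findings.append(f"{TRUST_KEY}: missing")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the constructed sample, it reports the unlocked TLSv1 setting and the missing sponsor-offer key.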

Plugin Updates

Updates rolled out today for both Flash ( and Java (8u51). The Flash update this morning addresses a number of the recent security vulnerabilities, and is not automatically blocked by Firefox (which is blacklisting and lower).

Java 8u51 is a regularly scheduled release, and functions just fine with Banner, Appworx, and Nolij. Firewall exceptions for the updated 8u51 path have been added to the domain firewall policy, and the old exceptions for 8u40 have been removed.

Final Library Unifications

As a reminder, the last three non-unified staff accounts for the library will be having that done this afternoon (6/1) at 3:30pm. This should be relatively uneventful as I’m working with all three customers directly. The three accounts being unified are:

  • Xiaoping Li (CN\lix -> ONID\lixiao)
  • Maura Valentino (CN\valentim -> ONID\valentim)
  • Uta Hussong-Christian (CN\hussongu -> ONID\hussongu)

These were not done with the rest of the library unifications due to being out for various reasons (vacation, conferences, etc.).

UPN changes for IS employees

The user principal name will be changing for IS employees with unified accounts the evening of 5/7. The following message went out to folks who would be impacted by the change:

Hey all,


We need to make a change to all existing unified accounts. This will be occurring the evening of 5/7, around 9:30pm. Details are below:


TL;DR version:

The user principal name on your account will be changing from to This does not impact your e-mail address, but does impact trying to log in to a service or computer with the old first.last@o.e format.



Full details:

Recently the Identity & Access Management (IAM) team made a final recommendation going forward regarding the User Principal Name (UPN) format for unified accounts. While the UPN is not something that many are directly familiar with, it determines how the username must be formatted for access to many services. If you would like specifics, you can read IAM’s full breakdown here: UPN Format Decision Document.


We will be adjusting the UPN of your account to match this new standard on Thursday evening (5/7/2015). After this time valid formats for your username will be:


The most common things that are impacted by the UPN change are:

  • Mobile devices will need to be configured to use onid\username or as the username after the change. On some Android devices, the account needs to be completely removed and added back (if the device doesn’t allow changing the username on an existing account)
  • If you log in to a Windows box using the format and lock the workstation, you will not be able to unlock the workstation after the change. Either log out before you leave for the day, or make sure you’re logged in using onid\username.
  • You will lose access to data in Office 365 when the change happens, until the next time the synchronization process runs (3am and 3pm)
  • Outlook 2011 for OSX typically needs the username adjusted from the old UPN format to the new UPN format.


If you have any questions, please let me know!

We went through this process already with Client Services staff with unified accounts with minimal impact, so I don’t imagine we’ll get many calls on this.