CITOC Technology Bulletins E-Book 2014
Electronic Calendar Display Technology Experience Bulletin, TEB: 2012-02

In most court locations in Alaska the daily calendar is supplied as a paper printout left in the lobby so the public can find the courtroom in which their case is going to be heard. As with most data on paper, once it is printed it is often obsolete within a short period of time and updates are needed. We also publish our calendars to the web and these are updated on a frequent basis. http://www.courts.alaska.gov/trialcts.htm#cal

We wanted to better help our customers when they are at the Courthouse. So we came up with our own electronic calendars, built by a combination of network, software and hardware folks from the ACS IS department. We liken the calendars to the arrival/departure screens that you find at airports. The data to build the screens is taken from a replicated version of the CourtView case management system used by ACS.

Tip 1: Develop a web application to display court hearing information alphabetically by party’s name. If a party has more than one case, all will appear in case number order. A calendar event will appear for each party involved in the case, based on a predefined list of party types to include. The party name will appear as initials if the party type is considered confidential.

Tip 2: Depending on the size of the court location, the entire list of hearing events may be divided and displayed on two or more physical screen displays. The webpage can be launched at run time to divide the entire list so that it includes only party names that fall into a specific range of letters.

Tip 3: The webpage has an option to display all events scheduled for the current day, which is good for smaller courts. However, using parameters, the webpage can be set to display only the subset of events that start within a window of time before and after the current time.

Tip 4: Updates to refresh the entire list for the given event time range occur every 5 minutes or as defined when the webpage launches.

Tip 5: If the list of events in a given event time range has more events than the display screen can handle at one time, the webpage will display 35 events at a time first, then the 2nd group of 35 events in 10 seconds, and rotate until the last group of 35 or remaining events is displayed before showing the first group of events again. 35 was chosen as a number that fit in the display panel. This number can be changed with a parameter setting.

Tip 6: Courts requested that the webpage continue to display events that have ended, with the resolve code if applicable, to assist a party who arrives late at the venue so they can see the status of the hearing.

Tip 7: For a large court with more than one building or location in the city, the webpage will display hearings for all locations, so that parties arriving at the wrong location do not mistakenly think the event didn’t occur.

Tip 8: Through experimentation, a darker background for the display made for easier viewing.

Tip 9: A non-fixed-width font is more difficult to manipulate but is better for fitting more information into limited real estate on screen.

Tip 10: The webpage is designed to display a friendly message if the calendar query returns an empty set of data or the calendar information is not available due to a lost connection to the database.

Components
Server - Windows Server 2008 R2
Programming - .NET 2.0, ASP.NET, C#, Visual Studio 2005
Database - SQL Server 2008 R2 (CourtView)
Client software - Internet Explorer in Kiosk mode. Internet Explorer shortcut to calendar site added to startup with the user set to auto logon
Hardware - Thin Client Wyse Z90 with Windows 7 embedded
Monitors - High Definition 42” – 55” depending on location, arranged in portrait mode. We chose LG models. VGA output - resolution 768 x 1024 (portrait)
Web Application Parameters

Parameter Name | Description | Accepted Values | Default Value
Location | Court location/city | Any city with a court location | Local city based on IP if found, otherwise Palmer
cacheDuration | Time in seconds to be cached locally | Any positive whole number | 300 (5 minutes)
eventsPerPage | Number of events to show on each page | Any positive whole number | 35
Portrait | To change portrait or landscape (basically just changes default eventsPerPage) | true (shows portrait) / false (shows landscape) | true
limitEvents | To show either all events for day, or only small range | true/false | true
startLetters | Show events of parties with names beginning with these letters and after | Any alphanumeric character(s) | A
endLetters | Show events of parties with names beginning with these letters and before | Any alphanumeric character(s) | Z
afterEvent | Minimum minutes to continue showing event after it has started | Any positive whole number | 30
beforeEvent | Minimum minutes before start of event to begin showing it | Any positive whole number | 60
Shift | Number of minutes between changing the start and end time | Any positive whole number | 30
startTime | Specific start time to show (for debugging) | Any Date and Time | Based on current time, and above parameters
endTime | Specific end time to show (for debugging) | Any Date and Time | Based on current time, and above parameters
There is more intelligence built in the database query as well as the webpage presentation layer.
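The selection rules in Tips 1 to 5 and the parameters above, sketched as an added example in Python; this is not the ACS application, which the bulletin says is built in ASP.NET/C#. It filters by time window and letter range, reduces confidential party names to initials before any row is handed to the page, and splits the result into rotating groups. The party types, the "LAST, FIRST" name format, the sample hearings and the way Shift quantizes the window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical party-type lists; a real deployment would load its own.
INCLUDED_PARTY_TYPES = {"PLAINTIFF", "DEFENDANT", "JUVENILE"}
CONFIDENTIAL_PARTY_TYPES = {"JUVENILE"}


@dataclass(frozen=True)
class Hearing:
    party_name: str   # assumed to be stored as "LAST, FIRST MIDDLE"
    party_type: str
    case_number: str
    start: datetime
    courtroom: str
    resolve_code: str = ""


def initials(name):
    """'DOE, JANE Q' -> 'D.J.Q.'"""
    return "".join(p[0].upper() + "." for p in name.replace(",", " ").split())


def display_window(now, before_event=60, after_event=30, shift=30):
    """Assumed reading of Shift: the window moves only every `shift` minutes,
    yet always reaches at least `after_event` minutes back and `before_event`
    minutes ahead of `now` (the "minimum minutes" in the parameter table)."""
    if shift < 1:
        raise ValueError("shift must be a positive whole number")
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    minutes = int((now - midnight).total_seconds() // 60)
    slot_start = midnight + timedelta(minutes=minutes - minutes % shift)
    return (slot_start - timedelta(minutes=after_event),
            slot_start + timedelta(minutes=shift + before_event))


def in_letter_range(name, start_letters="A", end_letters="Z"):
    """True if the name begins at or after start_letters and at or before end_letters."""
    key = name.strip().upper()
    return (key[:len(start_letters)] >= start_letters.upper()
            and key[:len(end_letters)] <= end_letters.upper())


def build_pages(hearings, now, limit_events=True, start_letters="A",
                end_letters="Z", before_event=60, after_event=30, shift=30,
                events_per_page=35):
    """Return a list of pages; each page is a list of display-ready rows."""
    if events_per_page < 1:
        raise ValueError("events_per_page must be a positive whole number")
    if limit_events:
        lo, hi = display_window(now, before_event, after_event, shift)
    else:  # show every event scheduled for the current day
        lo = now.replace(hour=0, minute=0, second=0, microsecond=0)
        hi = lo + timedelta(days=1) - timedelta(microseconds=1)
    selected = [h for h in hearings
                if h.party_type in INCLUDED_PARTY_TYPES
                and in_letter_range(h.party_name, start_letters, end_letters)
                and lo <= h.start <= hi]
    # Filter and sort on the stored name, then mask, so the full name of a
    # confidential party is never part of what the presentation layer receives.
    selected.sort(key=lambda h: (h.party_name.upper(), h.case_number))
    rows = [{"party": (initials(h.party_name)
                       if h.party_type in CONFIDENTIAL_PARTY_TYPES
                       else h.party_name),
             "case": h.case_number,
             "time": h.start.strftime("%H:%M"),
             "courtroom": h.courtroom,
             "status": h.resolve_code}
            for h in selected]
    return [rows[i:i + events_per_page]
            for i in range(0, len(rows), events_per_page)]


# Constructed sample data (names and case numbers are made up).
NOW = datetime(2012, 3, 5, 9, 10)
SAMPLE = [
    Hearing("YOUNG, CY", "PLAINTIFF", "12-00031", datetime(2012, 3, 5, 13, 0), "2"),
    Hearing("DOE, JANE Q", "JUVENILE", "12-00002", datetime(2012, 3, 5, 9, 30), "4"),
    Hearing("ADAMS, AL", "DEFENDANT", "12-00010", datetime(2012, 3, 5, 8, 30), "1", "CONTINUED"),
    Hearing("ADAMS, AL", "DEFENDANT", "11-00900", datetime(2012, 3, 5, 10, 0), "3"),
    Hearing("SMITH, BO", "WITNESS", "12-00010", datetime(2012, 3, 5, 9, 0), "1"),
]

if __name__ == "__main__":
    for number, page in enumerate(build_pages(SAMPLE, NOW, events_per_page=2), 1):
        print("page", number)
        for row in page:
            print("  ", row)
```

An empty list from build_pages is the case Tip 10 covers with its friendly message.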
Palmer Court Calendar Display Page – Example 1
Palmer Court Calendar Display Page – Example 2
Summary The Alaska Court System sought to provide an electronic alternative to the traditional paper calendar to better assist our courthouse visitors and reduce paper usage and staff time. The creation of our own electronic calendar displays has allowed us to post the information from our CourtView case management system in a timely and cost-effective manner.
Author:
Joseph Mannion, Chief Technology Officer, Alaska Court System, JMannion@courts.state.ak.us, 907-264-0569 Disclaimer: The advice and opinions represented in this bulletin are based on the experiences of the Alaska Court System. Such recommendations may not be suitable for other jurisdictions, and are only offered in the spirit of sharing experience as information to others considering the installation of similar technologies.
iPAD USAGE BY THE COURTS Technology Experience Bulletin, TEB: 2011-03
With the advent of tablet computing, iPads continue to proliferate through the judicial system. While these particular devices may not have been purchased with state dollars, individual end users are buying them and asking to have them connected to state systems. In this TEB, I’ll share our experiences with supporting iPads in Texas at the state supported court level. This will provide several tips on how you can support the usage of iPads (both personally and professionally bought).
Court Context The court system in Texas is highly decentralized. Direct state support is limited to the Supreme Court (Court of last resort for civil matters), the Criminal Court of Appeals (the court of last resort for criminal matters), the 14 regional appellate courts and a handful of Child Protection and Child Support courts. Information Technology support for the state supported courts is done through the Office of Court Administration (OCA). OCA Information Services also provides services to seven other judicial branch agencies. In total, Texas has 2,717 courts with approximately 3,300 judges. To date, iPad support provided by OCA has been to devices that are not owned by OCA. We generally provide information to the user on how to connect it to our network
and how to use it in a safe and secure manner. Recommendations may not be suitable for other jurisdictions with a different environment and this section should help the reader determine the applicability of the recommendations to their particular circumstances.

Tips for Implementation
1. Get over it
2. Configure Enterprise Security
3. Configure VPN Access
4. Decide on Recommended Apps
5. Find an approach for procurement
6. Review Computing Policies
7. Don’t ignore basic security
8. Watch out for the cloud
Tip 1: Get over it. The initial reaction from the service desk when I told them we were going to assist our end users with iPads was one of resistance. Being used to a Windows environment, they were not used to Apple technology and supporting it. Several concerns arose (some valid, some not) about spreading too thin. Unfortunately, the iPad is sleek and sexy and will woo your end users faster than you can possibly imagine. I suspect other technological wonders will follow this path as well.
We ended up buying an iPad for our IT Director, our Administrative Director, our Chief Justice of the Supreme Court and one for our service desk. The service desk was asked to play around with it to get familiar and to do independent research on supporting it.

They got over it. They are now well versed in supporting iPads and provide support to have them link into our network services (Email, Calendaring, Contacts, VPN and remote desktop).

Tip 2: Configure Enterprise Security. iPads are in no way a substitute for a secure laptop or desktop as a primary computing device. They should be treated in your enterprise in the same way other mobile devices (iPhones, Blackberries, etc.) are treated. Apple provides an iOS configuration utility [2] that can be used to set various security parameters on the iPad (much like many of the smartphones). This utility should be leveraged to ensure that iPads will live comfortably as a mobile device (again, much like a smartphone). According to a recent evaluation by Iowa’s Executive Branch IT Security, the iPad should not be used as a standalone computing device because of its lack of device firewall, anti-virus, and full-disk encryption [5].

Tip 3: Configure VPN Access. One of the most valuable things you can do for your end users is to construct a VPN profile for use with the native VPN client that comes with an iPad. Out of the box, iPads support VPN through several methods [1]. The network team used the iPhone configuration utility [2] to create an encrypted VPN profile that would allow users to securely connect to our network.

This configuration results in an easy call to the support desk. The person obtains approval for VPN access through normal channels (paperwork acknowledging VPN responsibilities) and the support group emails the person the encrypted profile.

When the person clicks on the attachment to the email on their iPad, it installs the encrypted profile (which includes the connection information) to their iPad. Turning on the VPN is then a quick trip to General Settings and flipping the VPN switch to the “ON” position.

Tip 4: Decide on Recommended Apps. Through the Apple App Store, there are thousands of Apps that perform a cadre of tasks. While we’re not in a position to force usage of a particular app, we certainly can highly recommend apps. We spent time polling our early adopters to see what apps they use and in what capacity. We came up with the following list, but still welcome those who choose to deviate from it:

Email, Calendar, Contacts – We recommend the native email, calendar and contacts client on iPad (free). Since our organization uses MS Exchange (and has Outlook Web Access), the iPad has a built-in connector to work with OWA for email, calendaring and contacts.
Remote Desktop Client – We recommend PocketCloud (free). Depending on your situation, you’ll need to select the appropriate protocol (RDP or VNC). Our shop uses RDP (native to Windows XP, Windows 7). PocketCloud offered the best bang for the buck (there is a decent free version) that would allow our end users (via the VPN) to remote into their workstations to do work. It has tools in the menu bar that allow for scrolling, right-clicking and other Windows-specific actions that you wouldn’t normally do on an Apple. There are other clients available (in a wide range of prices) that allow for the normal iPad gesturing (we haven’t found one that is free). Other apps sometimes require that you install a Windows client piece on the other end in order to enable a remote connection. We chose to keep with the native Windows RDP.

There is something goofy about looking at a Windows machine using an Apple iPad.

Office Productivity Suite – Until Microsoft decides to develop a version of Office for use on the iPad, we’re relegated to using other apps. We recommend QuickOffice ($14.99). QuickOffice allows you to edit Word, Excel, and PowerPoint 2003 files (it can only view PowerPoint 2007 files). If you have the handy VGA converter, you can use your iPad to power presentations and even use your finger as a safe laser pointer (touching the iPad screen shows a red dot on the presentation screen).

Printing – Since the iPad doesn’t have the ability to hook directly to a printer, we needed something that would be able to print to a network printer on the same network to which the iPad is connected. As of this writing, we haven’t settled on a solution but are testing ones that take the approach of installing a piece of software on a Windows network print server that will enable the printers to be seen by the iPad’s AirPrint feature.

PDF Software – For reading only, we’d recommend iBooks (free). iBooks allows you to load PDF documents through iTunes on a host PC, and to view and store PDFs from an email attachment. iBooks allows you to organize PDF files into “Collections”. You can have as many collections as you like. If your intent is to be able to mark up PDFs, we recommend purchasing a stylus for use with the iPad and a copy of iAnnotate PDF ($9.99). iAnnotate lets you mark up documents and share them in a variety of ways. The latest version also lets you “flatten” the document, pushing your annotations to the base layer of the PDF.

Legal Reference – We found many sources out there for legal reference. Depending on the state you’re in, there may be apps that are online references to existing laws, code. LexisNexis and Westlaw also offer iPad apps for those wanting to do legal searches on the go (and have valid accounts). Since legal reference seems to be a court-by-court preference, we have no recommendation (other than you should have it).

Tip 5: Find an approach for procurement. The Apple App Store makes it incredibly difficult to buy apps in bulk. While a program exists for educational institutions, no such programs exist for government. iTunes requires that each individual set up an account and link it to an iPad. When apps are bought, it’s done entirely through a username and password, charging the credit card linked to the account. If no credit card is linked, no paid apps can be bought. For Texas, this process hasn’t been ironed out yet. We’ve managed to skirt the issue by only using free apps. In a large scale deployment effort, this issue will need a resolution. To date, our solution has been to reimburse individuals for business related app purchases. Our help desk steers users to free apps to minimize the load on our procurement staff. App procurements will continue to be problematic until Apple can create an Enterprise Business Portal much like they have already set up for the education sector.

Tip 6: Review your Computing Policies. Make sure that the computing policies in place aren’t boxed in, disallowing iPads. In the case of our policies, we proposed eliminating the phrases “BlackBerry” and “SmartPhone” and replacing them with “Internet Connected Device”. We found that our policies on mixed usage (state reimbursed data plan on a personal device) were broad enough to handle the issue with iPad data usage. See the next two tips for possible policy modifications with regards to security.
Tip 7: Don’t ignore basic security. Remind your end users about basic computing security. We recommended reviewing the iPhone Configuration Utility Guide [2] for applicability to your environment’s computing practices. After receiving the first state funded iPad, we promptly hooked it up to our internal WiFi network and had our security team scan it to see what they could find. Our initial results showed a single open port (used when the iPad connects to a PC to sync with iTunes), but it was otherwise clean. Another concern is Anti-Virus/Malware protection. To date no activity has been seen on an iPad. This is due mostly to the proprietary nature of Apple’s iOS. This concern is valid on “jailbroken” iPads (iPads where the internal operating system has been overwritten with an open source operating system). In any case, all users should be extensively reminded that data exists on the iPad much like it exists on laptops, USB drives and smart phones and that while iPads encrypt data at a file level, it’s not as strong (AES-196 vs AES256).

Tip 8: Watch out for the Cloud. Education efforts will need to be undertaken to educate end users about the cloud. It seems magical that a person can go to a website, load a document and then have it automatically available on their iPad. Services like dropbox.com and box.net provide cloud based storage services with custom iPad apps. Users need to be aware that once these services are employed, they are relinquishing control over their data to these third party services. Our recommendation is to have end users avoid cloud based services for storing confidential or sensitive information (especially court related).

Other considerations
Work with your users to determine their uses of the iPad. In our case, we see iPad uses at the appellate level. Justices report using iPads for reading draft opinions, briefs and other case materials (through iBooks). All tips apply to personally procured iPads too. In the event that your organization decides not to procure iPads for use, they will creep into your environment. Currently, there are a total of five state funded iPads in the organizations we support. However, I know that in addition to those five, we have at least 50 in the field where judges have bought them for themselves. We are supporting them in the sense we provide VPN profiles (in accordance with our VPN policy) as well as support in linking their email client with Outlook Web Access (or whatever mail program their court may have).

Summary
The key points for this TEB:
As with any technology, have your security experts review it for compliance with your policies (or adjust your policies as needed).
If your organization hasn’t procured any iPads, that doesn’t mean they don’t exist on your networks. Listen to your end users, but at the same time remind them about security precautions that need to be taken.
References
1. Apple Inc. “iOS Reference Library – VPN Server Configuration for iOS”. Accessed January 28, 2001. http://developer.apple.com/library/ios/#featuredarticles/FA_VPN_Server_Configuration_for_iPhone_OS/Introduction/Introduction.html
2. Apple Inc. “iPhone Configuration Utility for Windows, v3.2”. Accessed January 31, 2011. http://support.apple.com/kb/DL926
3. Apple Inc. “iPad Deployment Enterprise”. http://images.apple.com/ipad/business/pdf/iPad_Deployment_Scenarios.pdf
4. Apple Inc. “Enterprise Deployment Guide iPhone OS”. http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
5. Iowa ISO – Apple iPad Security Evaluation. Franklin, Jeff, Jeff.Franklin@iowa.gov
Author:
Casey Kennedy, Director of Information Services, Office of Court Administration; 512-463-1603 casey.kennedy@txcourts.gov Disclaimer: The advice and opinions represented in this bulletin are based on the experiences of Office of Court Administration. Such recommendations may not be suitable for other jurisdictions, and are only offered in the spirit of sharing experience as information to others considering the installation of similar technologies.
Approved by the CITOC Editorial Board on [date]
Mobile Device Strategy Technology Experience Bulletin, TEB: 2012-01

Two years ago, the Administrative Office of Pennsylvania Courts’ (AOPC) standard mobile phone was the Blackberry. Almost all Blackberries were court-owned and few Blackberries connected to any internal systems other than email. Today, this Blackberry-only approach has been shaken by the addition of Apple and Android mobile devices. In addition to Blackberry, we support 52 iPads and 47 iPhones, both court and personally owned, and 2 Android tablets and 26 Android phones, all personally owned. Users want their court email on all these devices. Tablets blur the line between laptops and smartphones because they can be used for email only, like a Blackberry, or access court systems, like a laptop. Apple and Android devices differ from each other, and from Windows and Blackberry devices, in significant ways. To accommodate these devices, we reevaluated our remote access, wireless network, mobile device management, and mobile policy. This article outlines what AOPC is doing in these areas.
Court Context

Remote Access
Aventail is the Judiciary’s VPN gateway from the Internet to internal resources. We use Aventail with Citrix Receiver to connect iPads and Androids to Windows desktops and internal applications. Other vendors provide VPN clients for mobile device access.

Mobile Device Management (MDM)
To manually configure every Apple and Android device is impossible. We needed a Mobile Device Management (MDM) solution to remotely install applications and wireless configurations without physically touching the devices. The MDM had to install and view apps, manage apps and configurations from a central console, perform device inventory, and offer an in-house “app store” from which users could download approved agency apps. The MDM had to support Apple and Android devices. It needed to enforce policy, such as mandatory passwords, from a central console and allow us to wipe lost devices selectively. We wanted round the clock product support from the MDM vendor. Although Exchange can do some of these things, it cannot delete applications selectively. It can only wipe an entire device. Several products listed in Gartner’s Magic Quadrant report on MDM solutions met our requirements. All products we evaluated offered the same features for managing Apple devices because Apple controls the APIs. We selected Zenprise MDM because it was the least expensive. There may be other approaches available for this purpose, such as using “Find My Phone”, for those who have no funds available for a dedicated MDM.

Policy
Personal devices pose a major support challenge – they don’t belong to the courts. Their owners may download anything they wish or change configurations at will, which may cause problems with court installed software. We didn’t want our support staff getting pulled into troubleshooting problems that had nothing to do with court applications. To make it clear to users what we would and would not support, we developed a “bring your own device” policy (BYOD) that addresses the following areas:
- Users accept a password on their personal device, managed by us through the MDM, to connect to enterprise resources. The password is mandatory; a user cannot access enterprise resources without it.
- Users accept AOPC’s device configurations from the MDM on their personal devices. Without the MDM configuration, a user will not be able to access enterprise resources.
- AOPC software installed on a personal device is the property of AOPC as long as it remains on the device. We require that AOPC purchased software and apps be removed from personal devices when a person leaves our employ.
- AOPC IT staff will support only AOPC provided software and configurations, not personally owned apps or configurations.
- Employees must notify AOPC IT staff of lost or stolen devices, including personal devices.
- Agency applications will be available from a corporate iTunes account.
Wireless NAC
Although all users already have wireless access to our enterprise network, we wanted an elevated level of security and control over the devices that connected by wireless. This led us to investigate a wireless network access control (NAC) system. Our goals for this system were to provide a more secure and stable wireless environment, to simplify wireless access for the user by using domain credentials, and to enable all users to access the wireless environment from the first day of employment. Any laptop or tablet device, whether court-owned or personal, should be able to connect securely while ensuring the protection of the network. We also wanted to speed provision of wireless access to vendors and other visitors. The NAC had to recognize mobile devices, work with our Cisco Wireless infrastructure, and have minimal impact on users. We selected StillSecure’s Safe Access solution.

Any employee or contractor with domain credentials can access the wireless network. If the user attempts to access resources on the internal network with a Windows device, they are asked to allow their device to be scanned for operating system, patch levels, and anti-virus compliance. If the device passes the test, the user is granted access to the internal network. If the device fails the test, the user will be provided a brief explanation of what is needed to bring the device into compliance (i.e., install a reputable AV solution), and they will only get Internet access. If the user is unable to correct the problem, we help them. We have a mobility specialist on our messaging team.

Our NAC can identify the operating system on iPads and Androids. It does not detect anti-virus software on these devices. We can allow or block access by device type or MAC address. StillSecure is planning to add more scanning capabilities for iPads and Androids. We have not yet defined the circumstances under which we would take someone off the network, but recognize that we need to develop this policy.

Tips for Implementation
1. Policy first, then technology
2. Help the user understand what a tablet can and cannot do
3. Smartphone access to servers and applications
4. Android is not like Apple
5. Apple Support and Common Problems
6. Proxy
7. iTunes and Personal Devices
8. iPad Battery
Tip 1: Consolidate and minimize the ingress/egress control points of your network. Too many organizations have multiple control points in and out of the network - some dedicated for single purposes. While this may seem to simplify your topology and configuration, it greatly increases the number of exploitation points into the network. You may eventually forget 2
about the small router in some closet that allows access to an entire unsecure partner network. Additionally, while most organizations understand the need to secure access to/from the Internet, they will grant their business partners a less restrictive access point into the network. You must treat all external parties the same – as untrusted entities. You have no insight or control of their network; therefore you must enforce the same security measures. This protects all parties from potential security breaches and liability. Tip 2: Do not allow network devices to run parallel to the firewall. The firewall must be the one and only control point of the network where all network traffic traverses. If you deploy additional security devices such a web security proxies or VPN devices, deploy them behind the firewall preferably in a DMZ. A parallel architecture negates all the efforts of deploying firewalls in the first place. Tip 3: Limit the access and management
of those control points. Give access to only those responsible for the management and maintenance of the network devices. Avoid having only one person with access and always use unique named user accounts – never share credentials. Also, always require strong passwords that must be changed on a regular basis. Network devices that are directly exposed to outside networks should limit their management access to internal secure networks only. Tip 4: Do not allow direct inbound/outbound network access. Secure all inbound traffic with a security device such as reverse proxy or VPN, and authenticate your users whenever possible with unique named user credentials that are not shared. This is especially true for vendors and business partners. We tend to issue one set of credentials per vendor / partner, however if those credentials are compromised, you would never know who or how. Servers accessible from outside networks such as web portals, e-mail gateways, etc. should always be place in a TEB:2012-01 Mobile Device Strategy
DMZ and never inside your secure network. Outbound traffic should also be monitored and managed if possible with web security devices. It is equally important to understand what traffic is leaving your network. Tip 5: Limit the ports required for access. Open only those ports required for access. Do not cheat for server-to-server connectivity by limiting access using IP addresses. You want to minimize your systems’ exposure to any potential vulnerability in the event of any security breach. While ICMP is a popular troubleshooting tool, do not expose your secure networks using ICMP to any outside network. Audit your control points by scheduling a routine port scan of your perimeter networks to ensure you are only exposing what you intend to. Tip 6: Apply security patches to all network devices on a routine basis. Organizations now apply security patches and updates to their server infrastructure and end-user devices. However, many fail to stay up-to-date with their network devices. The old philosophy was to leave your network operating systems alone if the network is working fine. If you have an old OS, then you cannot be exposed to new vulnerabilities. In fact, your risk is the exact opposite. Many hackers target old operating systems in hopes that the devices have never been patched. The easiest solution is to subscribe to the manufacturers or 3rd party alert services and create a routine process for the management of network device configuration and patch updates. Tip 7: Actively monitor your control points 24/7. The deployment of an intrusion detection/prevention system is a critical piece of a complete network security posture allowing you to have an in depth view of all traffic. Subscribing to a security monitoring service is even more important. Most organizations do not have adequate staff to 3
actively monitor and react to real-time threats. Relying on e-mail and SMS alerts for a reaction to any potential intrusion hours later is too late in most cases. Tip 8: Keep networks logs in a separate location for at least 6 months. You may never need to revert to logs for anything other than trouble-shooting. However, keeping logs for long as possible is critical to identifying a security breach and origination point after the fact. Unfortunately, many sophisticated breaches are discovered too late. The existence of network logs helps the forensics team bridge that gap. Tip 9: Include network security operations in your base budget. Don’t just install the technology – create a budget plan to manage, monitor, maintain, and refresh the technology. No network is secure regardless of the technology if you fail to actively operate and refresh the equipment. It would be a waste of capital to invest in robust, secure network architecture only to allow it to become outdated within a short time of its deployment. Tip 10: Policy, policy, policy. Tip 11: Document the network. Tip 12: Policy First, then Technology. Make sure you have support policies and procedures in place early, before personal smartphone and tablet use is widespread. Personal devices are a support minefield. Does IT support fix a user-installed app when it interferes with receiving court email or access to the network? Does support staff need to wipe personal devices when they are reported as lost or stolen? If so, what are the procedures for doing this? Work out your policies in advance so that everyone knows what to expect. Tip 13: Help the user understand what a tablet can and cannot do. While Apple and Android rule the smartphones and tablets, Windows still rules the desktops. Not all our in-house applications work well on smartphones or tablets, or in mobile TEB:2012-01 Mobile Device Strategy
device browsers. Users expect to have access to applications or remote to their desktops, only to be frustrated with an awkward interface. Make sure you set the expectations of your users about what does, and does not, work well on a tablet.
Tip 14: Smartphone access to servers and applications. We worried that many users would want to connect their Apple or Android smartphones to our remote access system, wireless network, or both. Few users have actually asked for this; the likely cause is the small screen size of most smartphones. It is impractical to access most of our applications, other than email, on a smartphone.
Tip 15: Android is not like Apple. Unlike Apple, the Android operating system differs between phone manufacturers. Each manufacturer tweaks the Android running on its own phones. Android features and look-and-feel may differ from phone to phone, making support a challenge. Unlike Apple, Androids also lack a common email application. Many MDM solutions that support Android standardized on Touchdown for email. Unfortunately, Zenprise, the MDM we selected, did not make it clear when we evaluated it that we had to purchase Touchdown for every Android device that uses it. Most MDM solutions for Androids will require you to buy Touchdown.
Tip 16: Apple Support and Common Problems. Apple support has three levels: Select, Preferred, and Alliance. Select support covers 10 incidents. Preferred and Alliance support both cover unlimited incidents, and two- and one-hour response times, respectively, on priority 1 issues. We did not purchase any of these because they seem costly compared to the number of devices we support. We’ve encountered several common problems with Apple devices. An incorrect Active Directory user ID or password on an Apple device can cause Windows account lockouts. Switching iPads between our wireless network and 3G has been an issue, particularly the switch between external and internal IP addresses when connecting to our email.
Tip 17: Proxy. iPads have a problem with our proxy server. Even when settings are properly configured, Apple devices do not pass on authentication to the proxy server. In order for users to get connected to email and other resources while using the wireless network, they must authenticate each morning with our proxy. In researching this problem, we find that many organizations have the same problem no matter what proxy server they use. The problem has frustrated users and made it difficult to troubleshoot connectivity problems.
Tip 18: iTunes and Personal Devices. Personal iPhones and iPads are tied to personal iTunes accounts. To get around this, we purchase apps in bulk and install them on personal devices using court-owned iTunes accounts created for each user. This method allows us to remove the app and retrieve the license when the user leaves the agency. You may want to consider your employee turnover rate and personal device usage when distributing purchased apps. Apps downloaded from iTunes will prompt users when there are updates. There is no way to control user acceptance of an update. We’ve already seen one update break an app. Encourage your users to back up their devices often.
Tip 19: iPad Battery. When iPads are on battery and go to sleep, they disconnect from the wireless network and switch to 3G. When it wakes up, the iPad must reconnect and re-authenticate to the wireless network. The user often notices this as a delay in receiving email. The user doesn’t have to do anything but they must wait for re-authentication to occur. Educate your users
that this will happen. This does not occur when the iPad goes to sleep as it is charging.
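Tip 5 above recommends a routine port scan of the perimeter to confirm that only the intended ports are exposed. The following is an added example, not part of the original bulletin, of the comparison step: it parses nmap grepable (`-oG`) output and reports any drift from an approved baseline. The scan text, the hosts (RFC 5737 documentation addresses) and the `BASELINE` policy table are constructed for illustration.

```python
"""Perimeter exposure audit: diff port-scan results against an approved baseline.

Input is nmap grepable output (-oG). The sample below is constructed for
illustration; the addresses come from the RFC 5737 documentation range.
"""

# Constructed sample of `nmap -oG` output for three perimeter hosts.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (www.example.org)\tStatus: Up
Host: 192.0.2.10 (www.example.org)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 192.0.2.25 (mail.example.org)\tStatus: Up
Host: 192.0.2.25 (mail.example.org)\tPorts: 25/open/tcp//smtp///, 22/filtered/tcp//ssh///
Host: 192.0.2.77 ()\tStatus: Up
Host: 192.0.2.77 ()\tPorts: 161/open/udp//snmp///
# Nmap done
"""

# Approved exposure per host (assumption: a policy table kept by the network team).
BASELINE = {
    "192.0.2.10": {(80, "tcp"), (443, "tcp")},
    "192.0.2.25": {(25, "tcp"), (443, "tcp")},
}


def parse_grepable(text):
    """Return {host: {(port, proto), ...}} for ports reported in state 'open'."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines and blanks
        fields = line.split("\t")
        host = fields[0].split()[1]
        open_ports.setdefault(host, set())
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3 or not parts[0].isdigit():
                    continue
                port, state, proto = int(parts[0]), parts[1], parts[2]
                # 'filtered' and 'closed' are not exposure; only 'open' counts here.
                if state == "open":
                    open_ports[host].add((port, proto))
    return open_ports


def audit(scan_text, baseline):
    """Return a sorted list of (host, finding, ports) where scan and baseline differ."""
    observed = parse_grepable(scan_text)
    findings = []
    for host in sorted(set(observed) | set(baseline)):
        seen = observed.get(host, set())
        if host not in baseline:
            if seen:  # a host nobody approved is answering on the perimeter
                findings.append((host, "UNKNOWN_HOST", sorted(seen)))
            continue
        unexpected = sorted(seen - baseline[host])
        missing = sorted(baseline[host] - seen)
        if unexpected:
            findings.append((host, "UNEXPECTED_OPEN", unexpected))
        if missing:  # approved service not reachable: outage or stale baseline
            findings.append((host, "EXPECTED_NOT_OPEN", missing))
    return findings


if __name__ == "__main__":
    results = audit(SAMPLE_SCAN, BASELINE)
    for host, finding, ports in results:
        print(f"{host}\t{finding}\t{ports}")
    raise SystemExit(1 if results else 0)  # non-zero exit lets a scheduler alert
```

Run from a scheduled job against each new scan file, the non-zero exit status gives the monitoring process a simple signal that the perimeter no longer matches policy.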
Summary
AOPC sought to allow Apple and Android mobile devices in our environment without also creating a support headache or frustrating the users. We did this by first considering what policies were needed. We made sure that the VPN gateway and the wireless network could accommodate these devices, and we put the appropriate management tools and practices in place.
Author:
Bill Mahan, IT Operations Program Manager, Administrative Office of Pennsylvania Courts, william.mahan@pacourts.us 717.795.2067
Resource and Jurisdiction Contacts
Amy Ceraso, Director of Judicial Automation, Administrative Office of Pennsylvania Courts, amy.ceraso@pacourts.us, 412-565-3013
Disclaimer: The advice and opinions represented in this bulletin are based on the experiences of the Administrative Office of Pennsylvania Courts (AOPC). Such recommendations may not be suitable for other jurisdictions, and are only offered in the spirit of sharing experience as information to others considering the installation of similar technologies.
Approved by the CITOC Editorial Board on November 5, 2012
TEB:2012-01 Mobile Device Strategy
Microsoft CRM Simplifies Court Projects Technology Experience Bulletin, TEB: 2013-01
Recently, the Administrative Office of Pennsylvania Courts (AOPC) has begun to implement the Microsoft Customer Relationship Management (CRM) application for rapid development of internal projects. CRM is a role-based paradigm, and is intended to be used as a customizable tool for sales teams, marketing, sales campaigns, team building and customer tracking. AOPC staff has taken the CRM tool and re-engineered the approach to address the needs of some of its internal agencies and offices. The CRM application is fully customizable.
The CRM solution, as it exists out of the box, displays items (objects) that are specific to a marketing and sales team business application. The standard dashboard is comprised of different sections—panes for dynamic Sales Pipeline chart, Source Campaign chart and Cases by Priority (Per Day) chart. The Activities grid displays a sales team’s actions and is designed to track their daily, weekly and monthly tasks. The Workplace is designed for the sales teams to identify salespeople, sales, marketing efforts, promotions, resources and issues.
Specifically, AOPC is beta-testing implementations that staff developed as an Interpreter Database Solution for its Interpreter Certification process (PAIS) and for a Litigation Management Solution for internal AOPC legal staff (PALS). AOPC is also working on development of two other solutions to replace existing applications -- one for juvenile dependency hearing observation forms and one for a call management tracking system.
In the hands of the AOPC staff, this standard dashboard was transformed into an area that is more relevant to the business processes of the internal agencies.
Using the person-based design of CRM, AOPC staff was able to envision and reuse the objects within the solution and re-think the logical associations behind the activities and use them to satisfy the needs of some of its internal agencies, such as the AOPC Interpreter Certification and the AOPC’s Legal Staff offices. Both of these internal offices need to track individuals or cases involving people. AOPC decided to work the substance of the CRM application in ways to accommodate the business processes of the two offices. For technological solutions that can be translated into person-based terms, this methodology works well.
TEB:2013-01 Microsoft CRM Simplifies Court Projects
The AOPC design for the interpreter office staff is shown in the screen shot below.
The Ribbon Bar, displayed at the top of the screen, is also customizable for each of the screens in the new solution. Some icons and controls may be disabled or enabled as well, depending on the way the staff needs to use the screen.
AOPC staff are now able to replace more complicated small-scale applications developed for court agencies and internal operations that previously may have been developed using MS Access shared on a server. Often, these applications were conveyed to an MS SQL Server database with Access remaining linked as the front end, causing issues in stability and maintenance as the processes or storage demands grew larger.
The new application provides AOPC nontechnical staff with a tool that they can use to respond directly to business process changes without having to translate the business processes to a programmer or to a web developer. This helps to streamline the timeline for new development and maintenance as there is no development staff involved and analysts work directly with the clients. The AOPC staff can address modifications quickly and easily. There is also no need for system down time for deployments to the production environment. CRM uses a SQL Server database that requires standard IT support, installation and maintenance. However, all querying can be done through CRM itself and even tasks such as data imports have a CRM wizard that makes the process more analytical than technical.
The new solutions have the capability of eliminating some development bottlenecks and for creating more stable, scalable and highly customizable environments for these smaller-scale applications.
The CRM application is also designed to integrate fully with Microsoft Office products, so AOPC staff could take advantage of the familiarity with the user interface of Outlook to shorten their learning curve with the application. If an organization uses Outlook, its users will also be familiar with the ‘look and feel’ of solutions developed using CRM. Excel and Word are seamlessly integrated, so simple tasks like cut, paste, copy and save are easy to find, and new users of the solution can be taught without devoting much training time on where to find the action buttons that they need to use. In addition, the integration allows for the clients to use familiar features such as mail merge seamlessly without leaving the application while the CRM application records are updated to record the action as taking place. In combination with Microsoft’s SharePoint and MS SQL Server Reporting Services (both may be integrated with the CRM application), AOPC analysts created custom entities with built-in document management, activity management and complex reporting and analytics to accommodate automation or facilitation of business processes for these internal offices.
The CRM solutions are also equipped to provide for an abundance of concurrent users--up to 100,000. This capability extends far beyond many of the home-grown or smaller customized applications that currently exist for peripheral functions within the courts.
Now the staff is able to create tasks and ticklers that appear as Activities in the Dashboard. For instance, some of the tasks remind the interpreter staff to invite a newly registered interpreter to the next Orientation Event, with an alert date set prior to the Orientation Event. Staff receives the Outlook reminder and checks to ensure that the newly registered interpreter(s) have been invited to the Orientation sessions.
Integration with Excel permits the user to import or export data from the new solution, or to create reports and graphs using that same data. The icon in the Ribbon Bar (Export to Excel) enables
the user to put the on-screen list into an Excel spreadsheet to manipulate the data or to extract information for other purposes. Integration with SharePoint enables version handling as well as storage. The step by step workflow process can be used for document handling using SharePoint as a plug-in. AOPC staff is able to customize dashboards, actions and notifications that can be grouped by team structure. Notifications can be broadcast by distribution lists and by team. Dashboards can be customized by the type of actions that the teams perform. Data grids can be accessed from the Site Map to open a full screen of the grid/form instead of accessing it through the Contact screen. Actions and notifications are real-time, depending on the network and hardware capabilities of the environment.
Workflows enable the staff to maximize individual efforts. Whether it is a chain of approval sign offs or a series of actions on a document, workflows make managing of these tasks seamless by behind-the-scenes logic that moves documents from one party to the next in a series of steps. These workflows can be developed with different teams in mind or with just one team where a document goes back and forth between the members for different types of updates or additions, using statuses as triggers. AOPC has implemented workflows to provide notifications, fill-in data across multiple entities and to hide records for the clients based upon actions and events within the application.
Reports are created with roles in mind. This is very useful in document handling and team-based environments. With clearly defined roles in a solution, reports are structured to describe team or individual efforts in a quantitative way. Graphics and charts can also be used to enhance the reporting for presentation purposes. Users are able to design their own customized reports based on views within the solution. Using simple dropdown features, users can develop their own ad hoc reports and build new system reports.
Forms are created by dragging and dropping fields onto a form template screen. The fields maintain their properties from one form to the next and can be maintained in one central
location. If the properties of the field change, they change for every form that includes that field. So the users can enter the contact’s information once to populate the appropriate areas of the record—as well as any forms or views that contain that information. For any activity that is related to an individual contact or agency, the Activities list for that entity displays the items that have been delegated to that person or agency. This is an audit tracking feature that can be employed in any new solution. The audit tracking bit can be set on individual fields, and those fields can be tracked on an instance by instance level throughout the solution.
Court Context
The Administrative Office of Pennsylvania Courts Judicial Automation department has been responsible for development of case management systems for Magisterial District Judges, the Court of Common Pleas Criminal division, and the Pennsylvania Appellate Courts–Supreme, Superior and Commonwealth courts. This office has also been responsible for development of software for the Pennsylvania Board of Law Examiners (PABLE) and for internal administrative services and human resource tracking. AOPC-developed systems also include web interfaces for District Attorney Offices’ production of Bills of Information, online bar applications, warrant tracking for arresting agencies and other secure users, online secure and public docket sheets for appellate and criminal cases, a scheduling interface for the Court of Common Pleas Criminal Division, among others. Judicial Automation at the AOPC employs a full development staff. In over 20 years of developing software packages, beginning with the Magisterial District Judge (MDJ) System, AOPC has refined a repeatable process for software development, enhancement, and acquisition that involves an iterative lifecycle, joint application development (JAD) with user groups, screen prototyping, cross-disciplinary software development teams, and structured testing.
Tips for Implementation
1. Understand that an analysis of the business requirements is still key to the process.
2. Thoroughly read administrators’ manuals and other information available to determine the best implementation of the technical environment.
3. Custom entities are usually best.
4. Look for already-built plug-ins that may meet your needs.
5. Develop Lookup Entities rather than using Option Sets.
Tip 1: A thorough analysis of the business requirements is still key to the process. Though the development time may be shortened, it is still necessary to thoroughly understand the business process and to plan entities and attributes before diving into the process of development. However, experimenting with the creation of custom entities may lead to better ideas about how to build the system.
Tip 2: Thoroughly read administrators’ manuals and other information available to determine the best implementation of the technical environment. A thorough understanding of the integration points of SharePoint, MS CRM, and MS Reporting Services will help to make your project more successful. Get advice from Microsoft when needed. AOPC is also looking at integration with Team Foundation Service.
Tip 3: Custom entities are usually best. MS CRM comes with prebuilt entities, the primary of which are the Accounts and Contacts. You may wish to reuse Accounts and Contacts as they come with some basic functionality that is useful. However, you will usually hit a roadblock when trying to reuse entities such as Invoice if you attempt to morph these into some court-based functionality. It is usually better to build your own entities, with the exception of Contact and Account.
Tip 4: Look for already-built plug-ins that may meet your needs. AOPC staff has been able to use existing plug-ins to help facilitate the growth and use of the CRM–these include such things as a Site Map and Navigation Editor as well as some user-facing plug-ins. As AOPC develops customized
solutions for use in the court system, more is discovered about the versatility of working with the packaged programs that are available from other developers and from our own resources. The solution designs are portable and can be reused, where appropriate, and tweaked to accommodate different needs of other users.
Tip 5: Develop Lookup Entities rather than using Option Sets. CRM allows fields to be set up as Option Sets. However, these sets are stored in a single “Type, Value” entity. If you need to write reports or views across entities, joining to this entity for more than one field can be a performance issue. It is better to set up specific entities that can be used as lookup values. Then, any field that requires a list can be designated as a Lookup Value based field rather than as an Option Set.
Other considerations
AOPC is beta-testing implementations that staff developed as an Interpreter Database Solution for the Interpreter Certification process (PAIS) and for a Litigation Management Solution for internal legal staff (PALS). AOPC is also working on development of two other solutions to replace existing applications -- one for juvenile dependency hearing observation forms and one for a call management system.
Summary
Using Microsoft CRM as a tool for rapid development of projects, AOPC has reengineered the role-based paradigm and implemented two separate browser-based applications for use by AOPC internal agencies. These two pilot solutions provide a new standard for development that would otherwise require mid to large-scale schedules, along with the resources and the budget to support it. Using SharePoint and MS SQL Server Reporting Services, analysts created customized solutions with interactive dashboard navigation, built-in document management, activity management and complex reporting and analytics. Without the need for complex coding, these solutions were developed in a very short period of time by non-technical staff using views, workflows and dialog processes. Seamless
integration with Outlook and other Microsoft Office applications provided immediate recognition of screens and access to information within a customized workplace.
By reducing the development costs and integrating electronic document handling controls, AOPC has discovered a way to deliver affordable, scalable, and highly customizable solutions within a more stable environment for court users and agencies.
Author: Barbara A. Holmes, Enterprise Design Architect, Court Administrative Office of Pennsylvania Courts, 717.795.2000, barb.holmes@pacourts.us
Ralph Hunsicker, Assistant Director of Judicial Automation, Administrative Office of Pennsylvania Courts, 717.795.2000, ralph.hunsicker@pacourts.us
Disclaimer: The advice and opinions represented in this bulletin are based on the experiences of the Administrative Office of the Pennsylvania Courts. Such recommendations may not be suitable for other jurisdictions, and are only offered in the spirit of sharing experience as information to others considering the installation of similar technologies.
Resource and Jurisdiction Contacts: Amy Ceraso, Director of Judicial Automation, Administrative Office of Pennsylvania Courts, 412.565.3013, amy.ceraso@pacourts.us
Approved by the CITOC Editorial Board on April 8, 2013.