Office client infrastructure
============================

Wireless
--------

SSID's
~~~~~~

We're maintaining two wireless SSID's:

+---------------+---------------+---------------------------------+
|      SSID     |     Usage     |          Access method          |
+===============+===============+=================================+
| ``DeathStar`` | Internal WLAN | `X.509 SSL client certificate`_ |
+---------------+---------------+---------------------------------+
| ``GuestStar`` | Guest WLAN    | Vouchers                        |
+---------------+---------------+---------------------------------+

Guests can connect to the ``GuestStar`` network. Just give them a voucher for it and they're fine to go.

DeathStar on macOS & iOS
~~~~~~~~~~~~~~~~~~~~~~~~

To connect to the ``DeathStar`` WLAN, use the following configuration with **macOS** & **iOS**:

+--------------+------------------------------------------------------------+
|   **Mode**   |                          EAP-TLS                           |
+--------------+------------------------------------------------------------+
| **Identity** | `X.509 SSL client certificate`_                            |
+--------------+------------------------------------------------------------+
| **Username** | Must match the CN of the certificate (i.e. your full name) |
+--------------+------------------------------------------------------------+

DeathStar on Linux
~~~~~~~~~~~~~~~~~~

If you're running **Linux**, use the following configuration:

+-------------------------------+------------------------------------------------------------+
| **Security**                  | WPA & WPA2 Enterprise                                      |
+-------------------------------+------------------------------------------------------------+
| **Authentication**            | TLS                                                        |
+-------------------------------+------------------------------------------------------------+
| **Identity**                  | Must match the CN of the certificate (i.e. your full name) |
+-------------------------------+------------------------------------------------------------+
| **CA certificate**            | :download:`confirmCA </_static/files/confirmCA.pem>`       |
+-------------------------------+------------------------------------------------------------+
| **Private key**               | X.509 SSL client certificate                               |
+-------------------------------+------------------------------------------------------------+

DeathStar on Windows
~~~~~~~~~~~~~~~~~~~~

If you're a **Windows (10)** user (*shame on you*), use the following pain-in-the-ass thanks to an obviously mentally ill Microsoft developer who wants to see the world burn:

* Add to :download:`confirmCA </_static/files/confirmCA.pem>` and trust it (rename to ``*.crt`` & add to trusted root CA store)
* Add the user :ref:`X.509 SSL client certificate`
* Do **NOT** try to connect to the ``DeathStar`` WLAN at all (this is important, no joke)
* In case you did try before, right-click the ``DeathStar`` WLAN and choose ``Forget``
* Hit ``Windows + R`` and enter ``control``
* Go to ``Network and Internet`` and then ``Network and Sharing Center``
* Click on ``Set up a new connection or network``
* Select ``Manually connect to a wireless network``
* Use ``DeathStar`` as network name with ``WPA2-Enterprise`` as security type
* Uncheck both checkboxes (*auto start connection & connect even if not broadcasting*)
* Click ``Next``
* Click on ``Change connection settings`` (this only appears if WLAN wasn't configured before)
* Go to ``Security`` and change the authentication method to ``Smart Card or other certificate``
* Click on ``Settings``
* Select ``confirmCA`` as trusted root certificate authority
* Check the checkbox ``Use a different user name for the connection``
* Confirm the settings
* Connect to the ``DeathStar``
* Select your certificate
* The user name must match the CN of the certificate (i.e. your full name)

.. hint::

    Please note, when you did something wrong in Windows, there's IMHO way to open the non-retarded WLAN settings again. You've to forget the WLAN network and start adding it manually again.
    You can always open the Windows 10 kindergarden / retarded WLAN settings, but not the classic / non-retarded ones.

.. warning::

    If you dare asking me, Dominique Barton, if I can help you connecting your crappy & shitty Windows notebook to the WLAN, you better get some lube, because I'll probably shove that thing up your arse. Try it yourself or FFS get a proper OS (Linux or macOS).


X.509 SSL client certificate
----------------------------

We make use of client certificates which are issued by a private CA. You need to install your personal certificate, so that you've full access to the office infrastructure.

.. hint::

    To create a new certificate, head over to the :ref:`confirmCA <confirmCA>` section.

Client certificate on iOS
~~~~~~~~~~~~~~~~~~~~~~~~~

The most straight-forward way to install the certificate on iOS is to:

* Send the PFX certificate by e-mail to yourself
* Open the certificate on iOS 
* Enter your iOS PIN number or password
* Enter the certificate passphrase ``secret``
* Click on Install

Client certificate on Android
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The most straight-forward way to install the certificate on Android is to:

* Rename the .pfx filename extension to .p12
* Transfer the P12 certificate to your phone
* Go to Settings -> Passwords & Security -> Privacy -> Encryption & Credentials -> Install from storage
* Select the P12 certificate to install from storage
* The passphrase is ``secret``

Client certificate on macOS
~~~~~~~~~~~~~~~~~~~~~~~~~~~

The most straight-forward way to install the certificate on macOS is to:

* Copy the PFX certificate to your Mac
* Open the ``Keychain Access`` application
* Drag-n-drop the PFX certificate into the ``Keychain Access`` / ``login`` keychain
* Enter the certificate passphrase ``secret``
* Right-click on the certificate and then ``New Identity Preference…``
* Enter ``*.confirm.ch``

Client certificate on Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When adding the certificate on Windows do this:

* Copy the PFX certificate to your Windows machine
* Open the certificate 
* Select ``Current User`` in the welcome screen
* Accept the file name of the certificate (should be the PFX file)
* Enter the certificate passphrase ``secret`` and accept all other default values
* Let Windows automatically select the certificate store based on the type of certificate
* Finish the installation

Printer
-------

Colour Laser Printer
~~~~~~~~~~~~~~~~~~~~

We're using a **Kyocera ECOSYS M6035cidn** colour laser printer.
You can find the drivers `right here on the Kyocera Page <https://www.kyoceradocumentsolutions.com/download/model_en.html?r=107&s=10&m=294&p=61>`_.

The printer's reachable within our office via hostname ``laser-printer.confirm.ch`` and protocol **Line Printer Daemon (LPD)**. Please make sure you select the **right driver** and add **an additional Paper Feeder**.

There's also a `WebUI <https://laser-printer.confirm.ch>`_ available.

.. hint::

    The credentials can be found in the :ref:`Enpass <enpass>` vault.

Inkjet Printer
~~~~~~~~~~~~~~

We're using an **EPSON ET-8550** colour inkjet printer.
You can find the drivers `right here on the EPSON Page <https://www.epson.ch/de_CH/support/sc/epson-ecotank-et-8550/s/s1864>`_.

The printer's reachable within our office via hostname ``inkjet-printer.confirm.ch`` and via **AirPlay**.

.. hint::

    The credentials can be found in the :ref:`Enpass <enpass>` vault.

.. important::

    This printer shall only be used for marketing purposes!

Scanner
-------

We're using a **Fujitsu ScanSnap iX500** scanner.
You can easily scan document with your mobile phone by downloading the `ScanSnap Connect App from the iTunes Store <https://itunes.apple.com/de/app/scansnap-connect-application/id464728181?mt=8>`_.

Sonos
-----

We ♥ music - music is awesome!
Therefore we use `Sonos <http://www.sonos.com/>`_ and you might be interested in the `Sonos Controller App <https://itunes.apple.com/us/app/sonos-controller/id293523031>`_.

Badge reader
------------

This is the instruction for the access system in our office. The access system which we use is from Salto Systems AG.

Add/Delete user card
~~~~~~~~~~~~~~~~~~~~

* Present the **programming key** once on the reader
* Present all **user key** that you want to add/remove to the system
* When a new **user key** is added to the system the light will be green
* When a old **user key** is deleted from the system the light will be red
* Close Programming mode by:
    * presenting the **programming key** again
    * Or wait 5 seconds for the lock to close the programming mode itself
* *(a single beep will be heard)*

Activate office mode
~~~~~~~~~~~~~~~~~~~~

* Activating the **office mode** is like adding/deleting users to the system
* Present the **office key** once on the reader
* Present all **user key** that you want to activate or deactivate the **office mode**
* When a new **user key** is added to the office mode the light will be green
* When a old **user key** is deleted from the office mode the light will be red
* Close **office mode** by:
    * presenting the **office key** again
    * Or wait 5 seconds for the lock to close the office mode itself
* *(a single beep will be heard)*

:download:`Download Salto programming guide </_static/files/salto.pdf>`