| Position | Laptop Guidelines | Licensing | Grace IT Helpdesk Support |
| Intern (Short-term) | No laptop offered (use personal laptop) | Email, Office, SharePoint/OneDrive Online (MS E1 or E2) | Email, Office, SharePoint/OneDrive Only |
| Intern (Long-term) | Offered laptop May use personal | Full Microsoft Licensing (MS E3 & E5) Email, Office, SharePoint/OneDrive Online (MS E1 or E2) | Yes Email, Office, SharePoint/OneDrive Only |
| Resident | Leased Laptop | Full Microsoft Licensing (MS E3 & E5) | Yes |
| Pastor | Leased Laptop (Choice Windows or Mac) | Full Microsoft Licensing (MS E3 & E5) | Yes |
| Staff (10hrs +) | Leased Laptop | Full Microsoft Licensing (MS E3 & E5) | Yes |
| Staff (< 10 hrs) | Offered older laptop May use personal | Full Microsoft Licensing (MS E3 & E5) Email, Office, SharePoint/OneDrive Online (MS E1 or E2) | Yes Email, Office, SharePoint/OneDrive Only |
| Custodial | No laptop offered (use personal laptop) | Email, Office, SharePoint/OneDrive Online (MS E1 or E2) | Email, Office, SharePoint/OneDrive Only |
| Volunteer (Staff) | Offered older laptop May use personal | Full Microsoft Licensing (MS E3 & E5) Email, Office, SharePoint/OneDrive Online (MS E1 or E2) | Yes Email, Office, SharePoint/OneDrive Only |
| Volunteer (Other) | No laptop offered (use personal laptop) | Email, Office, SharePoint/OneDrive Online (MS E1 or E2) | Email, Office, SharePoint/OneDrive Only |
A **passcode lock** on your phone is required by our organization in order to use the Microsoft Authenticator App and the Outlook app together. You will need to setup a 4 or 6 digit passcode on your phone in order to properly use the Authenticator app. **Please set this up** before proceeding through the below instructions.
#### **Setting up the method manually yourself** Expand this instruction list to get started! Use these instructions if you need to setup a new phone with the Authenticator app.If you are an iOS user, please read through the "Situational" section in this article.
If you are an iOS user, please read through the "Situational" section in this article.
UPDATE: You may see a prompt like this picture below on your phone when roughly 60 or 90 days pass. Apple forces you to reauthenticate after that period of time but vaguely prompts you to do it with this message. **PLEASE** keep this in mind if you really want to use the iOS Mail app, as when the period time passes by you will stop receiving mail and calendar updates again *until* you reauthenticate your account again. There is not much that Grace IT can do to remedy this as this is primarily an Apple technology issue. The **[Outlook App](https://apps.apple.com/us/app/microsoft-outlook/id951937596)** does not have this issue, so Grace IT again recommends you to use that as your Mail and Calendar App solution for Work.
If you see this picture below, your iOS Mail/Calendar app wants you to reauthenticate your work account. As you can tell from reading the prompt: it vaguely tells you this—but you will need to address this prompt in order to continue receiving email and calendar updates when using the iOS mail and calendar apps for this purpose. [](https://kb.gracechurches.org/uploads/images/gallery/2021-12/image-1639268011495.png) - - You can tap Edit Settings to re-enter your password for your Office365 account. You can also re-enter your password by going to the Settings app, then to Mail or Calendar. Tap on accounts and and tap on your work account..| a. Computer View (www.office.com for example) | b. iPhone View (Using Authenticator App to approve MFA) |
Please read and keep these tidbits of information in mind to help protect yourself and our church from harm.
- Even with how strong MFA is, it is not infallible. You still need to have strong passwords. - MFA is only as strong as to how well you keep your phone/phone number (or email account) secured. Make sure that you keep your phone/phone account protected by strong passcodes and passwords, and make sure that your phone number is not compromised. - **Never** share a MFA token (or a session token) with anyone under any circumstance. The MFA token is a form of authentication that should only be used by the authorized user. - Do not accept Authentication Requests when you are not trying to login yourself. - **Never** accept authentication requests when you are not attempting to log in yourself. Even if Grace IT is trying to log in to your GraceOhio account to assist (Grace IT can bypass the MFA step or reset your account credentials), do not accept any sign-in request that you did not initiate. - If you receive a MFA request when you weren't attempting to log in through a login prompt yourself, your password may have been compromised. Change your password immediately, especially if you use the same password for other internet accounts. - Each Microsoft Authenticator app notification is supposed to be received almost instantaneously (within a couple of seconds), and each request sent will only last for approximately 60 seconds. If you do not accept the request in time, you will need to make a new request since the verification timed out. - If you miss the time window for authenticating through MFA, do not accept any requests that come later than 60 seconds after you initially made the request, as they will not be coming from you (check out **Figure 2**). This is particularly important since hackers may send fake requests to trick you into accepting them. Again, change your password when you don't initiate a MFA request yourself. - Check out this article that explains how people have fallen victim to cyber attacks, even when they have MFA enabled. It mentionins "MFA Fatigue" and Social Engineering attacks on Phone Providers: [MFA Bypass: The Next Frontline for Security Pros - Infosecurity Magazine (infosecurity-magazine.com)](https://www.infosecurity-magazine.com/news-features/mfa-bypass-frontline-security-pros) ##### **Figure 2: Approximately 1 Minute to accept MFA requests** [](https://kb.gracechurches.org/uploads/images/gallery/2022-05/image-1653512304152.gif) #### **Change or Add 2FA method** [](https://kb.gracechurches.org/uploads/images/gallery/2022-10/image-1664897434078.png) You can access your Microsoft Account page **[here](https://mysignins.microsoft.com/security-info)**. The link takes you to the security info section. Here you can remove and add methods (Phone text or call, Email, or another Authenticator App), as well as take a look at your default and current methods. You also don't have to strictly use the Microsoft Authenticator app if you prefer to use something else, but it is a solution that Grace IT recommends since it integrates well with our work environment. Once you click on *Add sign-in method*, choose your method and follow the onscreen instructions. You can also follow the manual step-by-step setup guide listed earlier in this KB article for adding the Microsoft Authenticator App for MFA quickly: **[Setting up the method manually yourself](https://kb.gracechurches.org/books/it-policies-and-guidelines/page/multi-factor-authentication-mfa-2fa#bkmrk-setting-up-the-metho "Setting up the method manually yourself")**This resource will be useful if you ever go through the process of changing or upgrading your phone, as your Multi Factor configuration is *not* carried over to your new device automatically. If you see yourself upgrading your phone soon or often enough then we strongly recommend you add another method, like your phone number or personal email, using the above link so that you do not experience downtime from being locked out of your account.
If you ever get stuck, and get locked out of your account for any reason, don't panic—Grace IT will be able to reset your credentials or MFA methods for you. Reach out to Grace IT at the helpdesk: [https://kb.gracechurches.org/books/it-helpdesk/page/requesting-it-help-grace-church-and-ce-national](https://kb.gracechurches.org/books/it-helpdesk/page/requesting-it-help-grace-church-and-ce-national)
# Preparing for Leased Laptop Replacement #### Our leasing flow Most of our leased computer equipment are leased for 3 years. Currently, our Dell laptops are the exception at 4 years. #### When your lease is up When they come due, Grace IT will send a notice to you letting you know that the lease on your laptop is coming up and we will need to give you a replacement. We will typically give the heads up around a month before we need to return them, and then reminders later on if necessary. #### Prepare for your Swap To help prepare for this, here are some steps you can take: 1. Please make sure you have everything you need backed up to your Business OneDrive folder, see picture below for an example of what one's Buisness OneDrive folder may look like (Notice that Onedrive, if you are using a Windows PC, *automatically* backs up your Documents, Pictures, and Desktop folders, but *only* these folders out of all your Library folders. So, for example, if you have files in your Downloads, Videos, or Music folders that you still need—please move them into one of your OneDrive folders if you wish to hang onto them): [](https://kb.gracechurches.org/uploads/images/gallery/2022-10/image-1665433056165.png) We will be using OneDrive to carry over your files to your new computer. Make sure your OneDrive application is running with no issues/errors reported to ensure that your files are being backed up and synced to the cloud! [](https://kb.gracechurches.org/uploads/images/gallery/2023-02/image-1676997436287.png) If it is not running, please search and open OneDrive from the Start menu on Windows, or from Launchpad on MacOS. If it doesn't load up, please raise a support ticket with Grace IT to help you get that fixed. \- Notice on Macs that OneDrive **ONLY** backups your Onedrive Folder (see photo). All the library folders you see highlighted in yellow are not inside the OneDrive folder and thus aren't backed up by it by default on a Mac System. Keep this in mind when you are backing up your files. [](https://kb.gracechurches.org/uploads/images/gallery/2023-03/image-1680033044837.png) 2. Once you are signed into your new laptop it will setup your desktop environment automatically for you, including OneDrive. 3. If you are on a windows laptop, it should also try to reinstall some of your programs you had on your old laptop. If you have certain software configurations or bookmarks you want copied over, you will need to do that yourself. For Google Chrome you can either [Make a Google account ](https://support.google.com/accounts/answer/27441?hl=en)to [Sync Bookmarks and Other Browser Settings Automatically](https://support.google.com/chrome/answer/165139?hl=en&co=GENIE.Platform%3DDesktop&oco=0), or export them to a file you can use to later import them onto your new laptop, preferably to OneDrive so that it is there ([Import bookmarks & settings - Google Chrome Help](https://support.google.com/chrome/answer/96816?hl=en)). If you are signed into the Edge Browser with your GraceOhio account, then any of your Edge settings and history will transfer over. 4. To add back your SharePoint folders you were syncing to your old laptop, please refer to this KB guide: [How to Sync and Favori... | Grace Church KB (gracechurches.org](https://kb.gracechurches.org/books/sharepoint/page/how-to-sync-and-favorite-any-of-the-campuses-files-sharepoint-folders) 5. Please let Grace IT know a good time to get you swapped out. We do need to get you signed in to your new laptop to get you setup with it and to initialize your laptop, so please be prepared to either enter in your credentials a couple of times, or to provide your desired password and/or (Windows) PIN code. Once you are signed into the laptop, it will start to receive policies, scripts, programs, and printers in the background. 6. If you were using a Mac, please disconnect your Apple ID completely from it *if you signed into it using that*. Turn off "Find my Device", or Activation Lock, if this is enabled. We will be charged a casualty fee if the device is still locked under your Apple ID since it cannot be remarketed. We will handle the data wiping your old computer for you before shipping the computer back to the leasers, so you do not need to worry about that. Though if you were using a Mac, please make sure you followed the procedures of disassociating your device from your Apple ID. ***This Mac check is EXTREMELY important.*** If you have questions about this, please let us know. --- #### Deactivating Activation Lock on MacBook - From MacBook You can disable Mac Activation lock directly on your Mac. Below details how to do this in 5 steps: [Deactivating Activatio... | Grace Church KB (gracechurches.org)](https://kb.gracechurches.org/books/laptop-operating-systems/page/deactivating-activation-lock-on-mac) --- #### House Keeping Items Since Grace IT has multiple laptops that we need to swap out from multiple people, it is important that we get you swapped out swiftly. To help make the swap transition smooth for everyone, please follow these other points for swapping: [Returning your Laptop | Grace Church KB (gracechurches.org)](https://kb.gracechurches.org/books/it-policies-and-guidelines/page/returning-your-laptop) # Purchasing Web Domains If you are interested in paying for a web domain dedicated to a church event, ministry, or other related subject {Examples of this would be like jrcamp.org, allinallout.org, gameday.org, lovebarberton.org/lovebarberton.com} *please do not purchase the domain yourself*, especially if it is a website. Please ask Grace IT to help you purchase it. Grace IT is in charge of managing and financing these internet domains owned by the church and cannot manage them if we didn't purchase them.In addition, in order to transfer a domain to our Grace IT domain management account, we will have to coordinate with you some steps about the process and ensure that certain conditions are met to successfully make a transfer, [including paying a transfer fee and making sure 60 days have passed since the domain was bought](https://support.google.com/domains/answer/3251236?authuser=0&hl=en&ref_topic=9003137).
[](https://support.google.com/domains/answer/3251236?authuser=0&hl=en&ref_topic=9003137) # Apple Genius Bar Appointments | Service Requests You or GraceIT can take your MacBook to get it serviced at the Apple Genius Bar if it is experiencing an issue. You can make an appointment, free of charge. All the MacBooks we purchase and lease come with AppleCare which backs it with a multiyear warranty. If you need to have your MacBook serviced, please make sure that you can deactivate your device from your Apple ID (look at [Turn off Find My on your iPhone or other devices - Apple Support](https://support.apple.com/en-us/HT211149)). If Grace IT needs to take it for you, please turn off ***Find My Device*** and ***sign out of your Apple ID*** in case your computer needs to be wiped while it is serviced. Otherwise, Apple won't be able to make repairs: - [Activation Lock - Support (apple.com)](https://al-support.apple.com/#/getsupport) - [Remove a device from Find Devices on iCloud.com - Apple Support](https://support.apple.com/guide/icloud/remove-a-device-mmfc0eeddd/icloud)If there is physical damage or water damage related to the technical issue going on with the laptop, Apple will charge you to make repairs even if it has Apple Care+. If this is the case for your computer, please do not take it to the Apple Store (if you know there is a strong chance of water damage) or pay out of pocket to make the service repairs. Please let Grace IT know about it and we will take care of it all for you.
# Traveling Internationally - Account Access IT Policy Grace IT will by default prohibit logins coming from outside of North America. This is because a lot of scammers and online bots will often try to brute force through our online accounts from Internet IP's outside of the North Americas. Because of this, you won't be able to access your Grace Church Office365 work account (GraceOhio.org, GraceChurches.org, GraceGeorgia.org, etc) when you travel internationally. We can put you in an exemption group for times when you need access to your email or other services overseas. We ask that you help give us the heads up when you plan on traveling abroad by filling out this form, (you can also fill it out on behalf of someone): [https://forms.office.com/Pages/ResponsePage.aspx?id=tmkE-IFaT0am8UrY5KxEih\_2uv0Um4BOp9YIP8-5CSFUM0dTQU5VTEszQ08wNUU5SElTTlc2WFBTNS4u](https://forms.office.com/Pages/ResponsePage.aspx?id=tmkE-IFaT0am8UrY5KxEih_2uv0Um4BOp9YIP8-5CSFUM0dTQU5VTEszQ08wNUU5SElTTlc2WFBTNS4u) Just simply login with your Grace Church Office365 account to fill it out. Grace IT will be notified about the request. Thanks, and travel safe! [](https://kb.gracechurches.org/uploads/images/gallery/2024-07/image.png) # Returning your Laptop If you offboard, or if your laptop lease is coming due, we need to take your laptop along with the accessories. These points will help us keep in the loop: 1. Let us know when to expect to receive your laptop and accessories that came with it. If you need to wrap up things before you officially leave staff, that is probably fine but there is the chance that we may have to ask you to swap to a loaner laptop so that we can manage our laptop inventory for future hires. 2. If you are getting a swap, verify that your files are backed up (i.e. in OneDrive: [Sharepoint / OneDrive | Grace Church KB (gracechurches.org](https://kb.gracechurches.org/books/sharepoint-onedrive)) and you recorded any miscellaneous software configurations/settings you want to keep. 3. Let us know if there are any important files/folders on your system that you want us to specifically backup to be used by someone on staff. We normally only archive your OneDrive files otherwise. 4. AVOID putting stickers or other accessories on the leased computers in general. The leasing companies strongly dislike these and will penalize us for returning equipment with these on. If you have stickers on yours, please make an effort to remove them from your computer. Sticker residue can sometimes be difficult to remove. 5. Make sure that you return your computer with **all the accessories** that came with it. People often forget to drop these off with their computer. Typically, this will include - The laptop itself - The charger adaptor - Any detachable cable that comes with the laptop / charger - If applicable, any other Monitor, Docking, or USB equipment separately purchased for your position. (*Obviously, if you are staying in your current position, you can continue to use these*). - If you lose your charger, cable, or anything else that goes with the laptop, *please* inform Grace IT before returning your computer so that we can act accordingly. These are required and expected to be returned along with the computer. 6. If you have been using a Mac that is due, and you use your Apple ID ***AND*** you turned on "Find my Device", you are responsible for **[turning off Activation Lock](https://al-support.apple.com/#/getsupport). (Also, for more information and to turn off activation lock when you don't have your computer on hand, look at [Remove a device from Find Devices on iCloud.com - Apple Support](https://support.apple.com/guide/icloud/remove-a-device-mmfc0eeddd/icloud)).** You can also look at [Deactivating Activatio... | Grace Church KB (gracechurches.org)](https://kb.gracechurches.org/books/laptop-operating-systems/page/deactivating-activation-lock-on-mac) for disabling directly on your Mac.