...
As part of a college-wide communication sent on May 9, 2024, CNS OIT announced that a project to enroll networked computers is underway. Security policies for device configuration and management state that UT business must be performed using computers enrolled in the central EPM platform and administered by trained IT staff. Additionally, IT staff must be able to prove to auditors that all devices meet minimum security standards. CNS OIT is taking proactive steps to minimize hindrances to productivity that may be imposed by future quarantines while becoming compliant with policy. These policies exist not only due to state and federal regulations, but also to protect UT from cyberattacks and security risks that threaten our ability to carry out UT’s mission.
...
Enforcement of these policies is increasing, and the Information Security Office may begin taking drastic measures, including locking EIDs, quarantining devices from the UT network, or blocking devices from accessing UT services. We aim to address compliance before such methods are used. We do not have a timeline for when this will happen, so we are trying to address as many devices as possible beforehand to help the community. Should you choose to wait to address your system until the quarantines take place, you run the risk of extensive downtime while everyone in this state is addressed.
This work aims to achieve the following outcomes:
Establish an inventory of computers connected to UT networks.
Enroll all UT-owned computers in central EPM and/or take all measures required to make each UT-owned computer compliant with UT policies while maintaining the ability to perform required functions.
Understand the use of personal computers for UT business, and use that understanding to collaborate with CNS leadership to identify options for addressing the use of personal computers.
What does this look like?
Current Effort
...
Stage 1: Inventory Identification of all Networked Devices
...
The team of CNS OIT technicians will:
Identify any devices connected to the UT network and record hardware and contact information. This includes (but isn't limited to) computers, printers, sensors, firewalls, local switches, networked instruments, and AV equipment.
UT-owned computers:
Assess the state of computers by reviewing inventory information and discussing with the device owner. For research labs, this is the PI or a lab member they identify. CNS OIT techs will ask questions that help determine the compatibility between the computer's required functions and management.
For computers already enrolled in management, CNS OIT techs will check the status of data backups using CrashPlan and help configure backups at the discretion of the device owner.
...
Personally purchased computers:
Supply this link so we can provide options once they become available. See below.
Stage 2: Addressing UT-Owned Computers
...
Using the information from Stage 1 and through discussions with the device owner, a plan will be made to identify what actions need to take place. Then, steps will be taken to address the computer and make it compliant.
Going forward
Once CNS OIT has completed inventory identification (described under Stage 1 above) in a building:
Purchase of ALL devices must go through CNS OIT and computers must be enrolled in management
If an IT device will connect to the network (wired or wireless), it must be vetted by CNS OIT prior to purchase and all computers must be delivered to CNS OIT to enroll into management. This is defined in IRUSP standard 19.6.
If a device will not connect to the network and cannot store UT data (e.g. keyboard, monitor), then purchase doesn’t have to go through CNS OIT. We are happy to assist in verifying compatibility.
Please contact CNS OIT by sending an email to help@cns.utexas.edu. If you don’t have a specific item in mind, CNS OIT can assist and provide customized quotes to your purchasing agent.
Network access and design requires collaboration with CNS OIT
Any device will only be permitted on the wired or IoT wireless network after CNS OIT completes an inventory survey and verifies the device meets policy requirements. Any devices that connect to the network without CNS OIT approval will be quarantined.
For new labs or renovations, CNS OIT needs to be brought into discussions early to help design and implement the infrastructure to ensure your needs will be met. Infrastructure changes such as adding new ethernet ports are almost always needed and are faster (and less expensive) when identified from the start.
Network access will be limited to devices that must be on the network. If the device does not need network access to perform work, it is best to leave it disconnected from the wired and wireless network.
Please submit a Network Connectivity request through the CNS OIT Help Form to create a ticket directly with our Networking team.
Personal Computers
We are using the basic information collected to inform leadership so they can make decisions accordingly. In order for us to contact you once options have been identified and before a quarantine goes into effect, we must know about these devices.
We don't yet have a timeline for when a plan will be developed or what that may look like. As options are identified, they'll be communicated to those impacted. Forcing enrollment or addressing a computer will not occur without proper assessment of the device and discussion with the owner.
Going forward
Personal Computers
We recognize there are a number of reasons computers are in this state, such as grant stipulations, and we are working through this with leadership. There could be opportunities to use existing centrally provided funds, so it is imperative this form is filled out.
We do not have a timeline for when quarantines will take place. Should they take place before personal computer usage is addressed, we need a way to supply a list to the Information Security Office to come up with an intermediate plan.
Network access and design requires collaboration with CNS OIT
Any device will only be permitted on the wired or IoT wireless network after CNS OIT completes an inventory survey and verifies the device meets policy requirements. Any devices that connect to the network without CNS OIT involvement will be removed from the network at an unspecified time.
If you will be onboarding new staff who typically supply their own computer (such as graduate students, TAs, and undergraduate research assistants), please fill out this form so we can assist with identifying options to address your need.
...
Who does this impact?
All faculty and staff. Employed graduate and employed undergraduate students still need to identify themselves so that we can communicate with them when options become available.
...
One example of a person who has roles in scope and roles out of scope is a graduate student. Their “TA role” is in scope because they are interacting with students and accessing FERPA data (student information and grades). Their “research staff” role is in scope because they are conducting research and interacting with research data that is being produced as part of a project funded by an external grant and/or UT. Their “student role”, however, is not in scope: this includes their own FERPA data, homework assignments, and course materials that are related to a class in which they are enrolled.
What computers and devices are included?
Any computer that is accessing UT data or used for UT business is in scope for identification. This includes any computer that is:
...
For inventory identification, our current focus is computers; however, we may also ask to gather inventory information about other network-connected devices like printers, iPads, or IoT devices such as freezers.
How will this impact me?
You will only be impacted in the ways that are listed under the FAQs “Who does this impact?” and “What computers and devices are included?” It can be helpful to ask yourself, “What roles do I have? Which role is asking me to participate in this activity?” to determine how you may be impacted.
Our current efforts will primarily be with research labs. For more information about this, please see the FAQ “Why is this mainly affecting research labs?”
How long does the inventory identification take?
10-25 minutes for each computer. It may be more or less time, however, depending on what information we already know about the computer and what information we need to gather.
For more information about what inventory identification includes, please see the FAQ section “Inventory Identification”.
Why is this mainly affecting research labs?
Almost all computers used by faculty for instruction and by administrative staff have already been enrolled in management and brought into compliance. Research labs have unique needs and more complicated requirements. The current approach is designed so CNS OIT is able to give the needed focus and time to each lab.
How long does enrollment take?
This is deep
How can I coordinate the process with CNS OIT? Are there options to schedule an appointment?
What if CNS OIT never comes to my
...
area?
We are doing our best to show up to every lab, but depending on when we show up, there is a chance you may have stepped out.
Endpoint Management (EPM) & Enrollment in Central EPM
...