REORGANIZING CONTENT:
This page is going to be reorganized into a set of pages which are being drafted on our internal wiki here: /wiki/spaces/cnsit/pages/134350319
KEY:
Content moved to /wiki/spaces/cnsit/pages/134350319
Content will be moved to: /wiki/spaces/cnsit/pages/134252169 (page for that OS)
...
Check back often for updates
This page is being updated frequently to include more information and answers to questions we’ve received. The date this page was last updated can be seen under the page title. If you have a question that isn’t answered on this page yet, please don’t hesitate to reach out. The best way to ask a question is by submitting this question form: This will connect you quickly and directly to the CNS OIT team leading the device enrollment efforts who are best able to answer your questions.
...
As part of a college-wide communication sent on May 9, 2024, CNS OIT announced that a project to enroll networked computers is underway. Security policies for device configuration and management require that UT business be performed using computers enrolled in the central EPM platform and administered by trained IT staff. Additionally, IT staff must be able to prove to auditors that all devices meet minimum security standards. CNS OIT is taking proactive steps to minimize hindrances to productivity that may be imposed by future quarantines while becoming compliant with policy. These policies exist not only due to state and federal regulations, but also to protect UT from cyberattacks and security risks that threaten our ability to carry out UT’s mission.
Auditors have found that devices connected to the network, and specifically computers, are one of the largest security risks we have. To address this risk, the Endpoint Management (EPM) Centralization and Standardization Program was created and its use written into policy at the direction of the Executive Vice President and Provost, and the Information Security Office.
Enforcement of these policies is increasing, and the Information Security Office may begin taking drastic measures including locking EIDs, quarantining devices from the UT network, or blocking devices from accessing UT services. We aim to address compliance before such methods are used. We do not have a timeline for when this will happen, so we are trying to address as many devices as possible beforehand to help the community. Should you choose to wait to address your system until the quarantines take place, you run the risk of extensive downtime while everyone in this state is addressed.
...
Am I exempt from the requirements if I can manage my own computer or do not have confidential data?
Per the policy, all computers used for university business are in scope regardless of whether they contain confidential data. While there are many talented technical folk in the college, we must be able to show auditors that compliance is met in real time and act quickly in the event of an attack on the university. We are unable to do either if the computer is not enrolled in endpoint management.
What will be different after my computer is enrolled?
Below are the most noticeable differences. This is not an exhaustive list.
Administrator accounts and administrative access
Logging in to the computer using an administrator account will be disabled, but an administrator account will be created for the device owner as needed. This is in accordance with IRUSP Standard 5.
CNS OIT will have an administrator account that enables us to properly administer the computer.
Screen saver lock
As defined in IRUSP Standard 15.2.5: “Unattended computing devices must be secured from unauthorized access using a combination of physical and logical security controls… [including] screen saver passwords and automatic session time-outs that are set to activate after 15-minutes of inactivity.”
Remote access
Unless required, remote access will be restricted to only allow remote access by CNS OIT. CNS OIT only uses remote access when it’s required to provide support.
Logging in with EIDs
Computers are connected to the Austin domain, which gives users the ability to log in to a computer using their EID. This is done in accordance with IRUSP Standards 4.1.1 and 4.1.3.
Operating system and application security updates
As defined in Minimum Security Standard 4.5.2 for Systems: “Operating system and application services security patches are installed expediently (e.g., 30-days) and in a manner consistent with change management procedures. Products that no longer receive security updates from the vendor (e.g., unsupported) are not authorized.”
Operating Systems:
Currently supported versions
Windows 10, 11
macOS: 3 most recent versions
Linux:

Applications:
macOS:
Windows:
Linux:
Is my computer compatible with EPM?
Apple computers: Only supported operating systems can be enrolled into endpoint management.
Windows computers:
Must be compatible with Windows 11, or compatible with Windows 10 with a replacement plan identified (Windows 10 reaches End of Life in October 2025 and will not be allowed after that date without a temporary ISO-approved exception).
Linux computers:
What if my computer isn’t compatible with EPM?
If your computer isn’t compatible with EPM due to a technical business justification, an exception from management can be requested. More information about exceptions is in the FAQ “What qualifies for an exception from management? What does an exception entail?” CNS OIT will work with the device owner to understand the situation and identify options.
What qualifies for an exception from management? What does an exception entail?
An exception requires a technical justification approved by CNS OIT, the Dean, and the ISO. Additional security measures must be taken to ensure the security and compliance of the computer. An exception is valid for a maximum of 1 year, after which the computer must either be enrolled in management or the exception must be refiled with the required approvals.
The exception is the responsibility of the owner of the device, but CNS OIT will assist with certain aspects of the exception process and alternate security measures. As each case is unique, CNS OIT will discuss the division of responsibility with the device owner.
Here is an example of a computer in a research lab that qualifies for an exception from management and what compliance looks like:
Situation: The computer is an instrument controller provided by the vendor. Enrolling the computer in management is a violation of the service agreement with the vendor and would cause issues with the software used to control the instrument.
Security measures taken to meet compliance: A firewall configured by CNS OIT is installed in front of the computer. The computer is then only able to connect to a select number of devices in the lab, UT Box, CrashPlan, and an IP address range supplied by the vendor used for remote support including updates to the instrument and software.
What these measures accomplish: The computer will be less vulnerable to attacks from external sources. If the computer were to become infected or be compromised, its ability to infect other computers on the network or compromise UT data is limited. These are protections that EPM provides through a combination of firewall rules, system configurations, and anti-virus software. The computer is still able to control the instrument and receive support from the vendor. Data can be automatically backed up to a file server, UT Box, or CrashPlan, making it easy to access from another computer for analysis and decreasing the chance of data loss.
Do you have access to my data?
Some of it. CNS OIT has the access and technical ability to access data that is stored in these ways:
On the hard drive of a managed computer: Select members of CNS OIT staff can use our administrator account to access files saved within any user profile.
CrashPlan (Code42, UTBackup): Select members of CNS OIT staff have access to the administrator console.
UT Box: Only if CNS OIT is the owner of a shared folder, or has access to a departmental Box share.
File servers: Only if CNS OIT manages it.
CNS OIT does not have access to data stored in these locations; however, the administrators of these services do:
UTMail
Microsoft 365: Outlook (email and calendar), OneDrive, SharePoint, Teams
UT Box
All other UT-owned devices and services
Your data is your data, and the privacy and security of your data is a top priority. We do not access anyone’s data unless requested to do so by the data owner or another authority.
Will you be monitoring or looking at my data?
No. CNS OIT does not look at or monitor the data anyone has on their computer. The only time we intentionally touch data on a computer is if we are assisting in data recovery or if we are legally required to do so, such as during a FOIA request. In these cases, CNS OIT does not open, look at, or review any files beyond verifying the data is not corrupted. CNS OIT also ensures data storage and transmission is secure and accessible only by those authorized to do so.
There is a zero-tolerance policy for this that results in termination if required access is abused.
Inventory Identification
...