Restricted Permissions
While this page is in development, only the following people have access to view this page:
Melissa Medina-Razzaque
Matt Davidson
Mark McFarland
Margie Athol
Check back often for updates
This page is being updated frequently to include more information and answers to questions we’ve received. The date this page was last updated can be seen under the page title.
If you have a question that isn’t answered on this page yet, please don’t hesitate to reach out. The best way to ask a question is by submitting this question form:
This will connect you directly to the CNS OIT team leading the device enrollment efforts, quickly connecting you to those who are best able to answer your question.
Page Contents
What’s going on?
As part of a college-wide communication sent on May 9, 2024, CNS OIT announced that a project to enroll networked computers is underway. CNS OIT is taking proactive steps to minimize hinderances to productivity that may be imposed while becoming compliant with security policies for device configuration and management stating UT business must be performed using computers that are enrolled in the central EPM platform and administered by trained IT staff, and that we must prove all devices meet minimum security standards. These policies exist not only due to state and federal regulations, but also to protect UT from cyberattacks and security risks that threaten our ability to carry out UT’s mission.
Auditors have found that networked devices— and specifically, computers— are one of the largest security risks we have. To address this risk, the Endpoint Management (EPM) Centralization and Standardization Program was created at the direction of the President of The University of Texas at Austin, the Executive Vice President and Provost, and the Information Security Office and its use was written into policy.
Enforcement of these policies is increasing and campus may begin taking drastic measures including locking EIDs, quarantining devices from the UT network, or blocking devices from accessing UT services. We aim to address compliance before such methods are used.
This work aims to produce the following outcomes:
Establish an inventory of computers connected to CNS networks.
Enroll all UT-owned computers in central EPM and/or take all measures required to make each UT-owned computer compliant with UT policies without preventing the ability to perform required functions.
Understand the use of personal computers for UT business, and use that understanding to collaborate with Dean Vanden Bout and CNS leadership to identify options for addressing the use of personal computers.
CNS OIT's role in achieving the vision of CNS is to transform technology from a hinderance into a facilitator. With comprehensive knowledge of policy and technology, we aim to mitigate the constraints imposed by compliance to enable our faculty, staff, and researchers as they drive community, discovery, and impact at scale.
What will this look like?
Current Effort
Two stages comprise the current effort:
Stage 1: Inventory Identification of all Networked Devices
CNS OIT technicians are going door-to-door through CNS buildings to identify devices connected to the UT network. We’re working with building managers to send a message to the building before we begin. If you’re not on your building's email list, we recommend reaching out to your building manager.
The team of CNS OIT technicians will:
Identify any devices connected to the UT network and record hardware and contact information. This includes (but isn't limited to) computers, printers, sensors, firewalls, local switches, instruments directly networked, and AV equipment.
Assess the state of computers by reviewing inventory information and discussing with PIs and / or lab staff. CNS OIT techs will ask questions that help determine the compatibility between the computer's required functions and management.
For computers already enrolled in management, they will check the status of data backups using CrashPlan and help configure backups if needed.
Forcing enrollment or addressing a computer will not occur without proper assessment of the device and discussion with the owner.
Stage 2: Addressing UT-Owned Computers
Based on the situation, it may be possible to complete Stage 2 at the same time as completing Stage 1.
All UT-owned computers must fall into one of the following categories to be considered compliant:
Enrolled into management
Removed from the network
Exception from management filed with the ISO and Dean, in combination with additional security measures.
Note: This option requires a technical justification approved by the ISO and the Dean. It is only valid for 1 year and must then be either pushed into management, or refiled with required approvals. The exception is the responsibility of the owner of the device.
Using the information from Stage 1 and through discussions with the device owner, a plan will be made to identify what actions need to take place. Then, steps will be taken to address the computer and make it compliant. No steps to address a computer will be made without approval from the device owner.
This is an example of a computer that qualifies for an exception from management and what compliance looks like:
Situation: The computer is an instrument controller provided by the vendor. Enrolling the computer in management is a violation of the service agreement with the vendor and would cause issues with the software used to control the instrument.
Security measures taken to meet compliance: A hardware firewall configured by CNS OIT is installed in front of the computer. The computer is then only able to connect to other devices in the lab, UT Box, CrashPlan, and an IP address range supplied by the vendor used for remote support including updates to the instrument and software.
What these measures accomplish: The computer will be protected against attacks from external sources that would have been mitigated by management. The computer is still able to control the instrument and receive support from the vendor. Data can be automatically backed up to a file server, UT Box, or CrashPlan, making it easier to access from another computer and decreasing the chance of data loss.
Going forward
Purchase of ALL devices must go through CNS OIT and computers must be enrolled in management
Every device purchased with UT funds (including grant-funded and ProCard purchases) must be vetted by CNS OIT prior to purchase and must be delivered to CNS OIT to enroll into management. This is defined IRUSP standard 19.6.
Network access and design requires collaboration with CNS OIT
Any device will only be permitted on the wired network after CNS OIT completes an inventory survey and verifies the device meets policy requirements. Any devices that connect to the network without CNS OIT approval will be quarantined.
For new labs or renovations, CNS OIT needs be brought into discussions early on to help design and implement the infrastructure.
Network access will be limited to devices that must be on the network. If the device does not need network access to perform work, it is best to leave it off the wired and wireless network.
Please submit a Network Connectivity request through the CNS OIT Help Form to create a ticket directly with our CNS OIT Network team.
Personal Computers
We are using the information collected to identify funding sources and options to address the use of personal devices for University business.
We don't yet have a timeline of when a plan will be developed or what that may look like. As options are identified, they will be communicated to those impacted. At this time, we are also not sure how that communication will be done.
If you will be onboarding new staff who typically supply their own computer (such as graduate students, TAs, and undergraduate research assistants), please contact CNS OIT so we can assist with identifying options to address the need.
Non-computer networked devices (e.g. printers)
No action is planned at this time. Once the ISO identifies a need, CNS OIT will create a plan and communicate it to CNS.
Definitions & Terms
Below is an alphabetized list of frequently used terms and how they’re defined along with an explanation of what that looks like in our environment or implications.
Term | Definition | What does that mean? |
|---|---|---|
Address, addressing a device | Done by CNS OIT in collaboration with the owner. Take actions so the device is capable of performing needed functions and is compliant with security policies. This includes collecting inventory information, making configuration changes to the device, and/or making configuration changes around the device. | Inventory identification will happen for every computer. Some details from inventory identification are used to determine compatibility of the device with EPM. Configuration changes to a computer may include enrollment in central management, adjusting administrative permissions, setting up data backups, installing OS and application updates, among other settings changes. Configuration changes around the computer may include removing it from the network, changing what network it’s connected to, or adding a hardware firewall. |
Data | In the context of information technology, “data” refers to raw, unprocessed facts and statistics collected for reference or analysis. It can exist in various forms, such as numbers, text, images, or sounds, and is used as the basis for computations, analyses, and decision making in IT systems. | |
Endpoint | Any device capable of connecting to the internet and accessing, storing, or sharing information. | Computers, tablets, smartphones, security cameras, and printers are all considered endpoints. In the context of this project, “endpoint” will most commonly be referring to a computer. |
Endpoint Management (EPM), management | A set of tools used by IT to employ policies designed to protect access to University computers, data, and resources by securing computers and identifying the presence of specific security vulnerabilities. | Currently, we have EPM tools for computers (macOS, Windows, and Linux) and iPads. See the FAQ “What will be different after my computer is enrolled?” for more details. |
Enroll, enroll in management, enrollment in central management | Done by CNS OIT in collaboration with the owner. Install software that connects a computer to the centralized Endpoint Management (EPM) systems, then use the EPM systems to set up policies for regular installation of updates and enable security configurations. | See the FAQ “What will be different after my computer is enrolled?” for more details. |
Inventory identification | Gather details about a computer that are used to identify a device, who is responsible for it, and aid in support. | CNS OIT will gather details about the computer’s hardware from the device itself. We will talk to the owner and/or users of the device to find out information about how the device is used and by whom. See the FAQ section “Inventory Identification” for more details. |
Owner, device owner | The individual who owns the device or who is responsible for making decisions about the device. | For research labs, the PI is assumed to be owner for each device. The owner can delegate responsibilities (such as approving changes) at their discretion. |
Personal, personally-owned | Purchased using personal funds that did not originate from a UT account. Belongs to the individual. | |
Scientific data | As defined by the NIH’s Data Management and Sharing Policy, scientific data are defined as, “the recorded factual material commonly accepted in the scientific community as of sufficient quality to validate and replicate research findings, regardless of whether the data are used to support scholarly publications.” | This includes:
As defined by the NIH, Scientific data do not include:
|
Used for University business | Any device that is used to store, process, access, or share data that is owned by the University or produced during and/or for the purpose of performing University duties. | Using a computer in these ways would make that computer used for University business:
Any UT work or UT resources being accessed as a student does not count (e.g. submitting your own coursework via Canvas). |
UT business, University business | Any activity that is occurring as the result of, in service of, or to further the mission of The University of Texas at Austin and / or the values and impact of the College of Natural Sciences. | Research, undergraduate education, graduate education, and public service. |
UT data, University data | Any information or insights that are generated, collected, processed, or stored while conducting UT business. Any data stored on or in a UT-owned device, account, or service. | Including digital files, recordings, emails, employee records, financial transactions, operational documentation such as SOPs, metadata, and all data produced as part of research— even if it does not meet the criteria for scientific data. A UT-owned service would be anything you sign into using your EID or any licensed software / service that is paid for with UT funds. This includes UTMail, UT Box, Qualtrics, and Microsoft 365 (e.g. Outlook, Teams, OneDrive, SharePoint). Your own personal information and personal data protected by HIPAA, FERPA, or another federal or state law is not considered UT data when it is in your possession. For example, accessing my own medical records after a visit to University Health Services is not considered accessing UT data. A member of University Health Services staff accessing my medical records after my visit is considered accessing UT data. |
UT-owned | Purchased using UT funds, including grants. Owned by the University of Texas at Austin. | For research labs that came to UT from another University: all devices originally purchased at a prior institution and were brought to UT are UT-owned and required to be transferred from the prior institution’s inventory to UT’s inventory. |
FAQs
Overall Process and General FAQs
Who does this impact?
All faculty, staff, and graduate students. Undergraduate students are also impacted if they are conducting research or working with research data.
You will be impacted if one of more of the following criteria applies to your role:
is funded by UT and / or external grants,
involved in research that is funded by UT and / or external grants,
requires you to use (including produce, share, access, store) UT data,
is instructional with direct student interaction and access to FERPA data.
Many people at UT have multiple roles and there are certain instances where your UT-related activities are outside the scope of this project. Only roles that meet the criteria described above are in scope.
One example of a person who has roles in scope and roles out of scope is a graduate student. Their “TA role” is in scope because they are interacting with students and accessing FERPA data (student information and grades). Their “research staff role” is in scope because they are conducting research and interacting with research data that is being produced as part of a project funded by an external grant and / or UT. Their “student role”, however, is not in scope— this includes their own FERPA data, homework assignments, and course materials that are related to a class in which they are enrolled.
What computers and devices are included?
Any computer that is accessing UT data or used for UT business. This includes any computer that is:
UT-owned and already managed by CNS OIT, or
UT-owned but not yet managed by CNS OIT, or
provided by the vendor for use controlling a scientific instrument, or
personally-owned
For enrollment in EPM, ONLY computers that are UT-owned are in scope.
For inventory identification, our current focus is computers, however we may also ask to gather inventory information about other network-connected devices like printers, iPads, or IoT devices such as freezers.
How will this impact me?
You will only be impacted in the ways that are listed under the FAQs “Who does this impact?” and “What computers and devices are included?” It can be helpful to ask yourself, “What roles do I have, and which is the reason for me participating in this specific activity?” to determine how you’ll be impacted.
How long does the inventory identification take?
10-25 minutes for each computer. What information we already know about the computer,
For more information about what inventory identification includes, please see the FAQ section “Inventory Identification“.
How long does enrollment take?
How can I coordinate the process with CNS OIT? Are there options to schedule an appointment?
What if CNS OIT never comes to my lab?
Endpoint Management (EPM) & Enrollment in Central EPM
What will be different after my computer is enrolled?
admin access
logging in with EIDs
OS and applications updates (security)
screen saver lock
CNS IT will have an admin account
Remote access
What updates are done by management?
Is my computer compatible with EPM?
Apple computers:
Windows computers:
Must be compatible with Windows 11, or compatible with Windows 10 with a replacement plan identified (Windows 10 reaches End of Life in October 2025 and will not be allowed after that date).
Do you have access to my data?
Some of it. CNS OIT has the access and technical ability to access data that is stored in these ways:
On the hard drive of a managed computer: Select members of CNS OIT staff can use our administrative account to access files saved within any user profile.
CrashPlan (Code42, UTBackup): Select members of CNS OIT staff have access to the administrator console.
UT Box: Only if CNS OIT is the owner of a shared folder, or has access to a departmental Box share.
File servers: Only if CNS OIT manages it.
CNS OIT does not have access to data stored in these locations, however the administrators of these services do:
UTMail
Microsoft 365: Outlook (email and calendar), OneDrive, SharePoint, Teams
UT Box
All other UT-owned devices and services
Your data is your data, and the privacy and security of your data is a top priority. We do not access a person’s data unless requested to do so by the data owner or another authority.
Will you be monitoring or looking at my data?
No. CNS OIT does not look at nor monitor the data anyone has on their computer. The only time we intentionally touch data on a computer is if we are assisting in data recovery or if we are legally required to do so such as during a FOIA request. In these cases, CNS OIT does not open, look at, nor review any files beyond verifying the data is not corrupted.
Inventory Identification
What information are you gathering?
What information we’re collecting | Collected for UT-owned computers? | Collected for personal computers? | Why we’re collecting it |
|---|---|---|---|
Why are you taking inventory details about my personal computer?
Why do you need to know how I use my computer?
These are 3 main reasons:
We configure management to minimize disruptions and avoid negative impacts to productivity while adhering to security requirements. The default management configurations are designed based on the average habits and needs of our users, but we evaluate every situation individually.
Troubleshooting is streamlined and a more targeted approach can be taken. We look for patterns based on how a computer is used, and deviations from those patterns help us identify the underlying problem.
UT is required by state law to identify what classification and types of data are stored on or accessed by a device. Knowing how a device is used helps answer this question.
For personal computers, knowing how you use your personal computer for UT business will help us in identifying options as we collaborate with CNS leadership to address the use of personal devices for UT business.
How are you gathering information?
By getting information from the device itself, and by talking to the device owner or users.
For personal devices:
CNS OIT technicians may navigate through device settings and use Command Prompt or Terminal to gather specific pieces of information. No changes to settings or configurations is made during this process.
If you do not want CNS OIT technicians to touch your personal computer, please let them know. Our technicians will then inform you what information they need and guide you through finding that information.
For UT-owned devices:
When gathering inventory details from the device itself, CNS OIT technicians will use scripts written by our Mac, Windows, and Linux Systems Administrators that return specific pieces of information. These scripts automate the steps our technicians would otherwise perform manually and individually through a combination of navigating through the device settings and using commands in Command Prompt or Terminal. The only configuration change made would be enabling a routine setting that allows scripts to be run if it is not already enabled. The script itself does not make any configuration changes.
You may also see the technicians submit the information provided by the script through a Microsoft Form. This Form is configured to securely submit the data to a database that only CNS OIT staff are able to access. This allows our technicians to record the information more quickly and
Who has access to the information?
Only staff in positions of special trust with controlled access will be able to access information.
For UT-owned devices, this means CNS OIT staff and authorized UT IT staff including the Information Security Office and systems administrators for the EPM tools.
For personal devices, only CNS OIT staff will have access to all of the information you provide to us. If a personal device has connected to the UT wired network, authorized UT IT staff including the Information Security Office will be able to see only specific pieces of information about the computer’s hardware that make it identifiable on the network.
CNS OIT shares, at specific intervals, aggregate data with CNS leadership. If any information about specific devices, groups, or individuals (such as department, needs, and use-cases) is anonymized before being shared.
Use of Personal Computers and Personal Devices for Research and UT Business
What should I do if I'm currently using a personal device for UT work?
Anyone who uses a personal computer or who has students or assistants who use personal computers should fill out this form so the college can determine the scale and users' needs.
Full-time staff should submit a ticket at https://help.cns.utexas.edu/ requesting a work computer. Tenure-Track faculty should provide funds to address the purchase. Professional track faculty qualify for a university laptop through the Dean’s Instructional Laptop Program.
Will I be required to enroll my personal computer in EPM?
NO. CNS OIT will not enroll and is not permitted to enroll personal devices in central EPM.
Is there a plan to provide UT laptops to researchers that are currently relying on their own personal equipment?
Not right now. We are still working on identifying options based on the needs identified and in collaboration with CNS leadership.
What about undergraduate researchers working in the lab? What if I have a large number of students involved in research throughout the academic year?
We don't have a solution identified yet, but this is a need we are aware of and planning for.