Restricted Permissions

While this page is in development, only the following people have access to view this page:

Melissa Medina-Razzaque
Matt Davidson
Mark McFarland
Margie Athol

Check back often for updates

This page is being updated frequently to include more information and answers to questions we’ve received. The date this page was last updated can be seen under the page title.

If you have a question that isn’t answered on this page yet, please don’t hesitate to reach out. The best way to ask a question is by submitting this question form:

This will connect you quickly and directly to the CNS OIT team leading the device enrollment efforts who are best able to answer your questions.

Page Contents

What’s going on?

As part of a college-wide communication sent on May 9, 2024, CNS OIT announced that a project to enroll networked computers is underway. Security policies for device configuration and management state UT business must be performed using computers enrolled in the central EPM platform and administered by trained IT staff. Additionally, IT staff must be able to prove all devices meet minimum security standards. CNS OIT is taking proactive steps to minimize hinderances to productivity that may be imposed while becoming compliant with policy. These policies exist not only due to state and federal regulations, but also to protect UT from cyberattacks and security risks that threaten our ability to carry out UT’s mission.

Auditors have found that devices connected to the network— and specifically, computers— are one of the largest security risks we have. To address this risk, the Endpoint Management (EPM) Centralization and Standardization Program was created and its use written into policy at the direction of the President of The University of Texas at Austin, the Executive Vice President and Provost, and the Information Security Office.

Enforcement of these policies is increasing and campus may begin taking drastic measures including locking EIDs, quarantining devices from the UT network, or blocking devices from accessing UT services. We aim to address compliance before such methods are used.

This work aims to achieve the following outcomes:

Establish an inventory of computers connected to CNS networks.
Enroll all UT-owned computers in central EPM and/or take all measures required to make each UT-owned computer compliant with UT policies while maintaining the ability to perform required functions.
Understand the use of personal computers for UT business, and use that understanding to collaborate with Dean Vanden Bout and CNS leadership to identify options for addressing the use of personal computers.

CNS OIT's role in achieving the vision of CNS is to transform technology from a hinderance into a facilitator. With comprehensive knowledge of policy and technology, we aim to mitigate constraints imposed by compliance to enable our faculty, staff, and researchers as they drive community, discovery, and impact at scale.

What does this look like?

Current Effort

Two stages comprise the current effort:

Stage 1: Inventory Identification of all Networked Devices

CNS OIT technicians are going door-to-door through CNS buildings to identify devices connected to the UT network. We’re working with building managers to send a message to the building before we begin. If you’re not on your building's email list, we recommend reaching out to your building manager.

The team of CNS OIT technicians will:

Identify any devices connected to the UT network and record hardware and contact information. This includes (but isn't limited to) computers, printers, sensors, firewalls, local switches, networked instruments, and AV equipment.
Assess the state of computers by reviewing inventory information and discussing with PIs and / or lab staff. CNS OIT techs will ask questions that help determine the compatibility between the computer's required functions and management.
For computers already enrolled in management, they will check the status of data backups using CrashPlan and help configure backups if needed.

Forcing enrollment or addressing a computer will not occur without proper assessment of the device and discussion with the owner.

Stage 2: Addressing UT-Owned Computers

Based on the situation, it may be possible to complete Stage 2 at the same time as completing Stage 1.

All UT-owned computers must fall into one of the following categories to be considered compliant:

Enrolled into management
Removed from the network
Exception from management filed with the ISO and Dean, in combination with additional security measures.
1. Note: This option requires a technical justification approved by the ISO and the Dean. It is only valid for 1 year and must then be either enrolled in management, or refiled with required approvals. The exception is the responsibility of the owner of the device.

Using the information from Stage 1 and through discussions with the device owner, a plan will be made to identify what actions need to take place. Then, steps will be taken to address the computer and make it compliant. No steps to address a computer will be made without approval from the device owner.

This is an example of a computer that qualifies for an exception from management and what compliance looks like:

Situation: The computer is an instrument controller provided by the vendor. Enrolling the computer in management is a violation of the service agreement with the vendor and would cause issues with the software used to control the instrument.
Security measures taken to meet compliance: A hardware firewall configured by CNS OIT is installed in front of the computer. The computer is then only able to connect to a select number of devices in the lab, UT Box, CrashPlan, and an IP address range supplied by the vendor used for remote support including updates to the instrument and software.
What these measures accomplish: The computer will be protected against attacks from external sources that would have been mitigated by management. The computer is still able to control the instrument and receive support from the vendor. Data can be automatically backed up to a file server, UT Box, or CrashPlan, making it easy to access from another computer for analysis and decreasing the chance of data loss.

Going forward

Once CNS OIT has completed inventory identification (described under Stage 1 above):

Purchase of ALL devices must go through CNS OIT and computers must be enrolled in management

Every IT device purchased with UT funds (including grant-funded and ProCard purchases) must be vetted by CNS OIT prior to purchase and must be delivered to CNS OIT to enroll into management. This is defined in IRUSP standard 19.6.

Network access and design requires collaboration with CNS OIT

Any device will only be permitted on the wired network after CNS OIT completes an inventory survey and verifies the device meets policy requirements. Any devices that connect to the network without CNS OIT approval will be quarantined.

For new labs or renovations, CNS OIT needs be brought into discussions early on to help design and implement the infrastructure.

Network access will be limited to devices that must be on the network. If the device does not need network access to perform work, it is best to leave it off the wired and wireless network.

Please submit a Network Connectivity request through the CNS OIT Help Form to create a ticket directly with our CNS OIT Network team.

Personal Computers

We are using the information collected to identify all possible options to address the use of personal devices for University business.

We don't yet have a timeline of when a plan will be developed or what that may look like. As options are identified, they will be communicated to those impacted. At this time, we are also not sure how that communication will be sent.

If you will be onboarding new staff who typically supply their own computer (such as graduate students, TAs, and undergraduate research assistants), please contact CNS OIT so we can assist with identifying options to address your need.

Non-computer networked devices (e.g. printers)

No action is planned at this time. Once the ISO identifies a need, CNS OIT will create a plan and communicate it to CNS. Requests to connect new devices to the network will be reviewed and only devices that need to be networked and meet security requirements will be allowed online, as mentioned above.

FAQs

Overall Process and General FAQs

Who does this impact?

All faculty, staff, and graduate students in CNS. Undergraduate students conducting research, working with research data, or who are student employees will also be impacted.

You will be impacted if one of more of the following criteria applies to your role:

funded by UT and / or external grants,
involved in research that is funded by UT and / or external grants,
requires you to use (including produce, share, access, store) UT data,
instructional with direct student interaction and access to FERPA data.

Many people at UT have multiple roles and there are certain instances where your UT-related activities are outside the scope of this project. Only roles that meet the criteria described above are in scope.

One example of a person who has roles in scope and roles out of scope is a graduate student. Their “TA role” is in scope because they are interacting with students and accessing FERPA data (student information and grades). Their “research staff" role is in scope because they are conducting research and interacting with research data that is being produced as part of a project funded by an external grant and / or UT. Their “student role”, however, is not in scope— this includes their own FERPA data, homework assignments, and course materials that are related to a class in which they are enrolled.

What computers and devices are included?

Any computer that is accessing UT data or used for UT business. This includes any computer that is:

UT-owned and already managed by CNS OIT, or
UT-owned but not yet managed by CNS OIT, or
provided by the vendor for use controlling a scientific instrument, or
personally-owned

Smartphones and mobile phones are not in scope.

For enrollment in EPM, ONLY UT-owned computers are in scope.

For inventory identification, our current focus is computers, however we may also ask to gather inventory information about other network-connected devices like printers, iPads, or IoT devices such as freezers.

How will this impact me?

You will only be impacted in the ways that are listed under the FAQs “Who does this impact?” and “What computers and devices are included?” It can be helpful to ask yourself, “What roles do I have? Which role is asking me to participate in this activity?” to determine how you may be impacted.

How long does the inventory identification take?

10-25 minutes for each computer. It may be more or less time, however, depending on what information we already know about the computer and what information we need to gather.

For more information about what inventory identification includes, please see the FAQ section “Inventory Identification“.

How long does enrollment take?

How can I coordinate the process with CNS OIT? Are there options to schedule an appointment?

What if CNS OIT never comes to my lab?

Endpoint Management (EPM) & Enrollment in Central EPM

What will be different after my computer is enrolled?

Below are the most noticeable differences. This is not an exhaustive list.

Administrator accounts and administrative access

Logging in to the computer using an administrator account will be disabled, but an administrator account will be created for the device owner as needed. This is in accordance with IRUSP Stand 5.
CNS OIT will have an administrator account that enables us to properly administer the computer.

Screen saver lock

As defined in IRUSP Standard 15.2.5: “Unattended computing devices must be secured from unauthorized access using a combination of physical and logical security controls… [including] screen saver passwords and automatic session time-outs that are set to activate after 15-minutes of inactivity.”

Remote access

Unless required, remote access will be restricted to only allow remote access by CNS OIT. CNS OIT only uses remote access when it’s required to provide support.

Logging in with EIDs

Computers are connected to the Austin domain which gives users the ability to login to a computer using their EID. This is done in accordance with IRUSP Standards 4.1.1 and 4.1.3.

Operating system and application security updates

As defined in Minimum Security Standard 4.5.2 for Systems: “Operating system and application services security patches are installed expediently (e.g., 30-days) and in a manner consistent with change management procedures. Products that no longer receive security updates from the vendor (e.g., unsupported) are not authorized.”
For specifics about what types of updates are installed and which applications are updated by EPM, please see the FAQ “What updates are done by management?"

What updates are done by management?

Operating Systems:

Currently supported versions
Windows 10, 11
- See MECM End User Experiences
macOS: 3 most recent versions
- See Jamf OS Patching: UT Macintosh Security Updates and Reboot Policy
Linux:

Applications:

macOS:
- See Jamf Application Patching End User Experiences
Windows:
- See Third Party Application Updates
Linux:

Is my computer compatible with EPM?

Apple computers:

Windows computers:

Must be compatible with Windows 11, or compatible with Windows 10 with a replacement plan identified (Windows 10 reaches End of Life in October 2025 and will not be allowed after that date).

Linux computers:

Do you have access to my data?

Some of it. CNS OIT has the access and technical ability to access data that is stored in these ways:

On the hard drive of a managed computer: Select members of CNS OIT staff can use our administrator account to access files saved within any user profile.
CrashPlan (Code42, UTBackup): Select members of CNS OIT staff have access to the administrator console.
UT Box: Only if CNS OIT is the owner of a shared folder, or has access to a departmental Box share.
File servers: Only if CNS OIT manages it.

CNS OIT does not have access to data stored in these locations, however the administrators of these services do:

UTMail
Microsoft 365: Outlook (email and calendar), OneDrive, SharePoint, Teams
UT Box
All other UT-owned devices and services

Your data is your data, and the privacy and security of your data is a top priority. We do not access anyone’s data unless requested to do so by the data owner or another authority.

Will you be monitoring or looking at my data?

No. CNS OIT does not look at nor monitor the data anyone has on their computer. The only time we intentionally touch data on a computer is if we are assisting in data recovery or if we are legally required to do so such as during a FOIA request. In these cases, CNS OIT does not open, look at, nor review any files beyond verifying the data is not corrupted.

Inventory Identification

What information are you gathering?

What information we’re collecting	Collected for UT-owned computers?	Collected for personal computers?	Why we’re collecting it

Why are you taking inventory details about my personal computer?

Why do you need to know how I use my computer?

These are 3 main reasons:

We configure management to minimize disruptions and avoid negative impacts to productivity while adhering to security requirements. The default management configurations are designed based on the average habits and needs of our users, but we evaluate every situation individually.
Troubleshooting is streamlined and a more targeted approach can be taken. We look for patterns based on how a computer is used, and deviations from those patterns help us identify the underlying problem.
UT is required by state law to identify what classification and types of data are stored on or accessed by a device. Knowing how a device is used helps answer this question.

For personal computers, knowing how you use your personal computer for UT business will help us in identifying options as we collaborate with CNS leadership to address the use of personal devices for UT business.

How are you gathering information?

By getting information from the device itself, and by talking to the device owner or users.

For personal devices:

CNS OIT technicians may navigate through device settings and use Command Prompt or Terminal to gather specific pieces of information. No changes to settings or configurations is made during this process.

If you do not want CNS OIT technicians to touch your personal computer, please let them know. Our technicians will then inform you what information they need and guide you through finding that information.

For UT-owned devices:

When gathering inventory details from the device itself, CNS OIT technicians will use scripts written by our Mac, Windows, and Linux Systems Administrators that return specific pieces of information. These scripts automate the steps our technicians would otherwise perform manually and individually through a combination of navigating through the device settings and using commands in Command Prompt or Terminal. The only configuration change made would be enabling a routine setting that allows scripts to be run if it is not already enabled. The script itself does not make any configuration changes.

You may also see the technicians submit the information provided by the script through a Microsoft Form. This Form is configured to securely submit the data to a database that only CNS OIT staff are able to access. This allows our technicians to record the information more quickly and accurately.

Who has access to the information?

Only staff in positions of special trust with controlled access will be able to access information.

For UT-owned devices, this means CNS OIT staff and authorized UT IT staff including the Information Security Office and systems administrators for the EPM tools.

For personal devices, only CNS OIT staff will have access to all of the information you provide to us. If a personal device has connected to the UT network, authorized UT IT staff including the Information Security Office and ITS Networking will be able to see only specific pieces of information about the computer that make it identifiable on the network.

CNS OIT shares, at specific intervals, aggregate data with CNS leadership. Any information about specific devices or individuals is anonymized before being shared. Certain factors such as department or primary affiliation may be used to categorize data and identify trends.

Personal Computers & Devices Used for Research and UT Business

What should I do if I'm currently using a personal device for UT work?

Anyone who uses a personal computer should fill out this form so the college can determine the scale and users' needs. If you supervise anyone such as students or research assistants who use personal computers, please send them the form so they can fill it out as well.

Full-time staff should submit a ticket at https://help.cns.utexas.edu/ requesting a work computer. Tenure-Track faculty should provide funds to address the purchase. Professional track faculty qualify for a university laptop through the Dean’s Instructional Laptop Program.

Will I be required to enroll my personal computer in EPM?

NO. CNS OIT will not enroll and is not permitted to enroll personal devices in central EPM.

Is there a plan to provide UT laptops to researchers that are currently relying on their personal computer?

Not right now. We are still working on identifying options based on the needs identified and in collaboration with CNS leadership.

What about undergraduate researchers working in the lab? What if I have a large number of students involved in research throughout the academic year?

We don't have a solution identified yet, but this is a need we are aware of and planning for.

Definitions & Terms

Below is an alphabetized list of frequently used terms and how they’re defined along with an explanation of what that looks like in our environment or implications.

Term	Definition	What does that mean?
Address, addressing a device	Done by CNS OIT in collaboration with the owner. Take actions so the device is capable of performing needed functions and is compliant with security policies. This includes collecting inventory information, making configuration changes to the device, and/or making configuration changes around the device.	Inventory identification will happen for every computer. Some details from inventory identification are used to determine compatibility of the device with EPM. Configuration changes to a computer may include enrollment in central management, adjusting administrative permissions, setting up data backups, installing OS and application updates, among other settings changes. Configuration changes around the computer may include removing it from the network, changing what network it’s connected to, or adding a hardware firewall.
Data	In the context of information technology, “data” refers to raw, unprocessed facts and statistics collected for reference or analysis. It can exist in various forms, such as numbers, text, images, or sounds, and is used as the basis for computations, analyses, and decision making in IT systems.
Endpoint	Any device capable of connecting to the internet and accessing, storing, or sharing information.	Computers, tablets, smartphones, security cameras, and printers are all considered endpoints. In the context of this project, “endpoint” will most commonly be referring to a computer.
Endpoint Management (EPM), management	A set of tools used by IT to employ policies designed to protect access to University computers, data, and resources by securing computers and identifying the presence of specific security vulnerabilities.	Currently, we have EPM tools for computers (macOS, Windows, and Linux) and iPads. See the FAQ “What will be different after my computer is enrolled?” for more details.
Enroll, enroll in management, enrollment in central management	Done by CNS OIT in collaboration with the owner. Install software that connects a computer to the centralized Endpoint Management (EPM) systems, then use the EPM systems to set up policies for regular installation of updates and enable security configurations.	See the FAQ “What will be different after my computer is enrolled?” for more details.
Inventory identification	Gather details about a computer that are used to identify a device, who is responsible for it, and aid in support.	CNS OIT will gather details about the computer’s hardware from the device itself. We will talk to the owner and/or users of the device to find out information about how the device is used and by whom. See the FAQ section “Inventory Identification” for more details.
Owner, device owner	The individual who owns the device or who is responsible for making decisions about the device.	For research labs, the PI is assumed to be owner for each device. The owner can delegate responsibilities (such as approving changes) at their discretion.
Personal, personally-owned	Purchased using personal funds that did not originate from a UT account. Belongs to the individual.
Scientific data	As defined by the NIH’s Data Management and Sharing Policy, scientific data are defined as, “the recorded factual material commonly accepted in the scientific community as of sufficient quality to validate and replicate research findings, regardless of whether the data are used to support scholarly publications.”	This includes: Primary data, often obtained through measurement, observation, or simulation. Individual data points that are commonly grouped together in datasets with a consistent and defined data structure. Manuscripts that have been submitted or accepted for publication. As defined by the NIH, Scientific data do not include: laboratory notebooks, preliminary analyses, completed case report forms, drafts of scientific papers, plans for future research, peer reviews, communications with colleagues, or physical objects, such as laboratory specimens.
Used for University business	Any device that is used to store, process, access, or share data that is owned by the University or produced during and/or for the purpose of performing University duties.	Using a computer in these ways would make that computer used for University business: Grading student work— even if done entirely through a web browser (e.g. using Grade Scope or Canvas). Analyzing data, writing a paper, or creating a poster for UT-funded and/or grant-funded research. Any UT work or UT resources being accessed as a student does not count (e.g. submitting your own coursework via Canvas).
UT business, University business	Any activity that is occurring as the result of, in service of, or to further the mission of The University of Texas at Austin and / or the values and impact of the College of Natural Sciences.	Research, undergraduate education, graduate education, and public service.
UT data, University data	Any information or insights that are generated, collected, processed, or stored while conducting UT business. Any data stored on or in a UT-owned device, account, or service.	Including digital files, recordings, emails, employee records, financial transactions, operational documentation such as SOPs, metadata, and all data produced as part of research— even if it does not meet the criteria for scientific data. A UT-owned service would be anything you sign into using your EID or any licensed software / service that is paid for with UT funds. This includes UTMail, UT Box, Qualtrics, and Microsoft 365 (e.g. Outlook, Teams, OneDrive, SharePoint). Your own personal information and personal data protected by HIPAA, FERPA, or another federal or state law is not considered UT data when it is in your possession. For example, accessing my own medical records after a visit to University Health Services is not considered accessing UT data. A member of University Health Services staff accessing my medical records after my visit is considered accessing UT data.
UT-owned	Purchased using UT funds, including grants. Owned by the University of Texas at Austin.	For research labs that came to UT from another University: all devices originally purchased at a prior institution and were brought to UT are UT-owned and required to be transferred from the prior institution’s inventory to UT’s inventory. Devices picked up from surplus or acquired from the UT surplus store are also UT-owned.