
Restricted Permissions

While this page is in development, only the following people have access to view this page:

  • Melissa Medina-Razzaque

  • Matt Davidson

  • Mark McFarland

  • Margie Athol

REORGANIZING CONTENT:

This page is going to be reorganized into a set of pages which are being drafted on our internal wiki here: /wiki/spaces/cnsit/pages/134350319



Check back often for updates

This page is being updated frequently to include more information and answers to questions we’ve received. The date this page was last updated can be seen under the page title.

If you have a question that isn’t answered on this page yet, please don’t hesitate to reach out. The best way to ask a question is by submitting this question form:

This will connect you quickly and directly to the CNS OIT team leading the device enrollment efforts who are best able to answer your questions.


What’s going on?


Auditors have found that devices connected to the network, and specifically computers, are one of the largest security risks we have. To address this risk, the Endpoint Management (EPM) Centralization and Standardization Program was created, and its use was written into policy at the direction of the Executive Vice President and Provost and the Information Security Office.

Enforcement of these policies is increasing, and the Information Security Office may begin taking drastic measures including locking EIDs, quarantining devices from the UT network, or blocking devices from accessing UT services. We aim to address compliance before such methods are used. We do not have a timeline for when this will happen, so we are trying to address as many devices as possible to help the community before it does. If you choose to wait to address your system until quarantines take place, you run the risk of extensive downtime while every device in that state is addressed.

The goals of this effort are to:

  • Establish an inventory of computers connected to UT networks.

  • Enroll all UT-owned computers in central EPM and/or take all measures required to make each UT-owned computer compliant with UT policies while maintaining the ability to perform required functions.

  • Understand the use of personal computers for UT business, and use that understanding to collaborate with leadership to identify options for addressing the use of personal computers.

What does this look like?

Current Effort

Stage 1: Inventory Identification of all Networked Devices

CNS OIT technicians are going door-to-door through CNS buildings to identify devices connected to the UT network. We’re working with building managers to send a message to the building before we begin. If you’re not on your building's email list you can sign up here.

The team of CNS OIT technicians will:

  • Identify computers connected to the UT network and record hardware and contact information. This includes (but isn't limited to):

  • UT-owned computers:

    • Assess the state of computers by reviewing inventory information and discussing with the device owner. For research labs, this is the PI or a lab member they identify. CNS OIT techs will ask questions that help determine the compatibility between the computer's required functions and management.

    • For computers already enrolled in management, CNS OIT techs will check the status of data backups using CrashPlan and help configure backups at the discretion of the device owner.

  • Personally purchased computers:

Stage 2: Addressing UT-Owned Computers

All UT-owned computers must fall into one of the following categories to be considered compliant: 

  1. Enrolled into management 

  2. Removed from the network 

  3. Exception from management approved by the Dean and filed with the ISO, in combination with additional security measures.

    1. Note: This option requires a technical justification approved by CNS OIT, the Dean, and the ISO. For more information about exceptions, see the FAQ What qualifies for an exception from management? What does an exception entail?

Using the information from Stage 1 and through discussions with the device owner, a plan will be made to identify what actions need to take place. Then, steps will be taken to address the computer and make it compliant.

Forcing enrollment or addressing a computer will not occur without proper assessment of the device and discussion with the owner.

Going forward

Personal Computers

  • We recognize there are a number of reasons computers are in this state, such as grant stipulations, and we are working through this with leadership. There could be opportunities to use existing centrally provided funds, so it is imperative that this form is filled out.

  • We are using the basic information collected to inform leadership so they can make decisions accordingly. In order for us to contact you once options have been identified, and before a quarantine goes into effect, we must know about these devices.

  • We do not have a timeline for when quarantines will take place. Should they take place before personal computer usage is addressed, we need a way to supply a list to the Information Security Office so that an interim plan can be worked out.

Purchase of ALL devices must go through CNS OIT and computers must be enrolled in management

If an IT device will connect to the network (wired or wireless), it must be vetted by CNS OIT prior to purchase and all computers must be delivered to CNS OIT to enroll into management. This is defined in IRUSP standard 19.6.

If a device will not connect to the network and cannot store UT data (e.g. keyboard, monitor), then purchase doesn’t have to go through CNS OIT. We are happy to assist in verifying compatibility.

Please contact CNS OIT by sending an email to help@cns.utexas.edu. If you don’t have a specific item in mind, CNS OIT can assist and provide customized quotes to your purchasing agent.

Network access and design requires collaboration with CNS OIT

Any device will only be permitted on the wired or IoT wireless network after CNS OIT completes an inventory survey and verifies the device meets policy requirements. Any devices that connect to the network without CNS OIT involvement will be removed from the network at an unspecified time.

For new labs or renovations, CNS OIT needs to be brought into discussions early to help design and implement the infrastructure to ensure your needs will be met. Infrastructure changes such as adding new ethernet ports are almost always needed and are faster (and less expensive) when identified from the start.

Network access will be limited to devices that must be on the network. If the device does not need network access to perform work, it is best to leave it disconnected from the wired and wireless network. 

Please submit a Network Connectivity request through the CNS OIT Help Form to create a ticket directly with our Networking team.

If you will be onboarding new staff who typically supply their own computer (such as graduate students, TAs, and undergraduate research assistants), please fill out this form so we can assist with identifying options to address your need.

Non-computer networked devices (e.g. printers)

No action is planned at this time. Once the ISO identifies a need, CNS OIT will create a plan and communicate it to CNS. Requests to connect new devices to the network will be reviewed and only devices that need to be networked and meet security requirements will be allowed online, as mentioned above.

FAQs

Overall Process and General FAQs

Who does this impact?

All faculty and staff. Employed graduate students and employed undergraduate students still need to identify themselves so that we can communicate with them when options become available.

A role is in scope if it:

  • Is funded by UT and / or external grants

  • Is involved in research that is funded by UT and / or external grants

  • Requires you to use (including produce, share, access, store) UT data

One example of a person who has roles in scope and roles out of scope is a graduate student. Their “TA role” is in scope because they are interacting with students and accessing FERPA data (student information and grades). Their “research staff" role is in scope because they are conducting research and interacting with research data that is being produced as part of a project funded by an external grant and / or UT. Their “student role”, however, is not in scope— this includes their own FERPA data, homework assignments, and course materials that are related to a class in which they are enrolled.

What computers and devices are included?

Any computer that is accessing UT data or used for UT business is in scope for identification. This includes any computer that is:

  • UT-owned and already managed by CNS OIT, or

  • UT-owned but not yet managed by CNS OIT, or

  • provided by the vendor for use controlling a scientific instrument, or

  • personally-owned

ONLY UT-owned computers are in scope for enrollment into endpoint management

Smartphones and mobile phones are not in scope.

For inventory identification, our current focus is computers, however we may also ask to gather inventory information about other network-connected devices like printers, iPads, or IoT devices such as freezers.

How will this impact me?

You will only be impacted in the ways that are listed under the FAQs “Who does this impact?” and “What computers and devices are included?” It can be helpful to ask yourself, “What roles do I have? Which role is asking me to participate in this activity?” to determine how you may be impacted.

Our current efforts will primarily be with research labs. For more information about this, please see the FAQ Why is this mainly affecting research labs?

How long does the inventory identification take?

10-25 minutes for each computer. It may be more or less time, however, depending on what information we already know about the computer and what information we need to gather.

For more information about what inventory identification includes, please see the FAQ section “Inventory Identification“.

How long does enrollment take?

This is deep

How can I coordinate the process with CNS OIT? Are there options to schedule an appointment?

What if CNS OIT never comes to my area?

We are doing our best to visit every lab, but depending on when we arrive, there is a chance you may have stepped out.

Endpoint Management (EPM) & Enrollment in Central EPM

Am I exempt from the requirements if I can manage my own computer or do not have confidential data?

All computers used for university business are in scope per the policy, regardless of whether they contain confidential data. While there are many talented technical folks in the college, we must be able to show auditors in real time that compliance is met, and act quickly in the event of an attack on the university. We are unable to do either if the computer is not enrolled in endpoint management.

What will be different after my computer is enrolled?

Below are the most noticeable differences. This is not an exhaustive list.

Administrator accounts and administrative access

  • Logging in to the computer using an administrator account will be disabled, but an administrator account will be created for the device owner as needed. This is in accordance with IRUSP Standard 5.

  • CNS OIT will have an administrator account that enables us to properly administer the computer.

Screen saver lock

  • As defined in IRUSP Standard 15.2.5: “Unattended computing devices must be secured from unauthorized access using a combination of physical and logical security controls… [including] screen saver passwords and automatic session time-outs that are set to activate after 15-minutes of inactivity.”

Remote access

  • Unless required, remote access will be restricted to only allow remote access by CNS OIT. CNS OIT only uses remote access when it’s required to provide support.

Logging in with EIDs

  • Computers are connected to the Austin domain which gives users the ability to login to a computer using their EID. This is done in accordance with IRUSP Standards 4.1.1 and 4.1.3.

Operating system and application security updates

As defined in Minimum Security Standard 4.5.2 for Systems: “Operating system and application services security patches are installed expediently (e.g., 30-days) and in a manner consistent with change management procedures. Products that no longer receive security updates from the vendor (e.g., unsupported) are not authorized.”

Operating Systems:

Currently supported versions:

  • Windows: 10 and 11

  • macOS: the 3 most recent versions

  • Linux: (to be determined)

Applications:

  • macOS:

  • Windows:

  • Linux:

Is my computer compatible with EPM?

Apple computers: Only supported operating systems can be enrolled into endpoint management.

Windows computers:

  • Must be compatible with Windows 11, or compatible with Windows 10 with a replacement plan identified (Windows 10 reaches End of Life in October 2025 and will not be allowed after that date without a temporary ISO approved exception).

Linux computers:

What if my computer isn’t compatible with EPM?

If your computer isn’t compatible with EPM due to a technical business justification, an exception from management can be requested. More information about exceptions is in the FAQ What qualifies for an exception from management? What does an exception entail? CNS OIT will work with the device owner to understand the situation and identify options.

What qualifies for an exception from management? What does an exception entail?

An exception requires a technical justification approved by CNS OIT, the Dean, and the ISO. Additional security measures must be taken to ensure the security and compliance of the computer. An exception is valid for a maximum of 1 year; after that, the computer must either be enrolled in management or the exception must be refiled with the required approvals.

The exception is the responsibility of the owner of the device, but CNS OIT will assist with certain aspects of the exception process and alternate security measures. As each case is unique, CNS OIT will discuss the division of responsibility with the device owner.

Here is an example of a computer in a research lab that qualifies for an exception from management and what compliance looks like:

  • Situation: The computer is an instrument controller provided by the vendor. Enrolling the computer in management is a violation of the service agreement with the vendor and would cause issues with the software used to control the instrument.

  • Security measures taken to meet compliance: A firewall configured by CNS OIT is installed in front of the computer. The computer is then only able to connect to a select number of devices in the lab, UT Box, CrashPlan, and an IP address range supplied by the vendor used for remote support including updates to the instrument and software.

  • What these measures accomplish: The computer is less vulnerable to attacks from external sources. If the computer were to become infected or compromised, its ability to infect other computers on the network or compromise UT data is limited. These are protections that EPM provides through a combination of firewall rules, system configurations, and anti-virus software. The computer is still able to control the instrument and receive support from the vendor. Data can be automatically backed up to a file server, UT Box, or CrashPlan, making it easy to access from another computer for analysis and decreasing the chance of data loss.
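The segmentation in that example, written out as an added nftables ruleset for illustration (this is not CNS OIT's actual firewall configuration). It assumes a Linux host acting as the inline router, with the controller alone on interface lab0 and everything else (the lab devices it talks to, campus, the internet) reached through uplink0. Every address is a constructed placeholder, including the vendor support range; the real UT Box, CrashPlan, resolver and vendor addresses would replace them.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny ruleset for an exempted instrument controller.
# Assumption: this host is the inline firewall; the controller is the only
# device on "lab0", and everything else is reached via "uplink0".
# All addresses below are constructed placeholders (RFC 5737 test ranges).

define CONTROLLER     = 10.0.50.10
define LAB_DEVICES    = { 10.0.50.20, 10.0.50.21 }   # lab devices it must reach
define CAMPUS_DNS     = { 10.0.0.53, 10.0.1.53 }     # resolvers, so Box/CrashPlan hostnames work
define BACKUP_AND_BOX = { 192.0.2.10, 192.0.2.11 }   # placeholder for UT Box / CrashPlan endpoints
define VENDOR_SUPPORT = 203.0.113.0/24               # placeholder for the vendor-supplied range

flush ruleset

table inet lab_fw {
    chain forward {
        # Default deny for anything that traverses the firewall.
        type filter hook forward priority 0; policy drop;

        # Replies to flows permitted below come back through here.
        ct state established,related accept
        ct state invalid drop

        # Outbound from the controller: only the named destinations.
        iifname "lab0" ip saddr $CONTROLLER ip daddr $LAB_DEVICES accept
        iifname "lab0" ip saddr $CONTROLLER ip daddr $CAMPUS_DNS udp dport 53 accept
        iifname "lab0" ip saddr $CONTROLLER ip daddr $CAMPUS_DNS tcp dport 53 accept
        iifname "lab0" ip saddr $CONTROLLER ip daddr $BACKUP_AND_BOX tcp dport 443 accept
        iifname "lab0" ip saddr $CONTROLLER ip daddr $VENDOR_SUPPORT accept

        # Inbound to the controller: lab devices and vendor remote support only.
        # Tighten the vendor rule to the ports the vendor documents once known.
        iifname "uplink0" ip saddr $LAB_DEVICES ip daddr $CONTROLLER accept
        iifname "uplink0" ip saddr $VENDOR_SUPPORT ip daddr $CONTROLLER accept

        # Everything else, including any IPv6, is logged and dropped.
        log prefix "lab_fw drop: " counter drop
    }
}
```

Load it with `nft -f` and check the counters on the final rule (`nft list ruleset`) during normal instrument use: a non-zero drop count from the controller's address usually means a destination the vendor or lab relies on was missed from the allowlist. The ruleset only filters forwarded traffic; the firewall host's own input and output chains are a separate concern and are not shown.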

Do you have access to my data?

Some of it. CNS OIT has the access and technical ability to access data that is stored in these ways:

  • On the hard drive of a managed computer: Select members of CNS OIT staff can use our administrator account to access files saved within any user profile.

  • CrashPlan (Code42, UTBackup): Select members of CNS OIT staff have access to the administrator console.

  • UT Box: Only if CNS OIT is the owner of a shared folder, or has access to a departmental Box share.

  • File servers: Only if CNS OIT manages it.

CNS OIT does not have access to data stored in these locations, however the administrators of these services do:

  • UTMail

  • Microsoft 365: Outlook (email and calendar), OneDrive, SharePoint, Teams

  • UT Box (other than the cases listed above)

  • All other UT-owned devices and services

Your data is your data, and the privacy and security of your data is a top priority. We do not access anyone’s data unless requested to do so by the data owner or another authority.

Will you be monitoring or looking at my data?

No. CNS OIT does not look at or monitor the data anyone has on their computer. The only time we intentionally touch data on a computer is when we are assisting with data recovery or when we are legally required to, such as during a FOIA request. In these cases, CNS OIT does not open, look at, or review any files beyond verifying the data is not corrupted. CNS OIT also ensures data storage and transmission is secure and accessible only to those authorized.

There is a zero tolerance policy for abuse of this access: abuse of required access results in termination.

Inventory Identification

Why do you need to know how I use my computer?

There are 3 main reasons:

  1. We configure management to minimize disruptions and avoid negative impacts to productivity while adhering to security requirements. The default management configurations are designed based on the average habits and needs of our users, but we evaluate every situation individually.

  2. Troubleshooting is streamlined and a more targeted approach can be taken.

  3. UT is required by state law to identify what classification and types of data are stored on or accessed by a device. Knowing how a device is used helps answer this question.

How are you gathering information?

By getting information from the device itself, and by talking to the device owner or users.

For personal devices:

CNS OIT technicians may navigate through device settings and use Command Prompt or Terminal to gather specific pieces of information. No changes to settings or configurations are made during this process.

If you do not want CNS OIT technicians to touch your personal computer, please let them know. Our technicians will then inform you what information they need and guide you through finding that information.

For UT-owned devices:

When gathering inventory details from the device itself, CNS OIT technicians will use scripts written by our Mac, Windows, and Linux Systems Administrators that return specific pieces of information. These scripts automate the steps our technicians would otherwise perform manually and individually through a combination of navigating through the device settings and using commands in Command Prompt or Terminal. The only configuration change made would be enabling a routine setting that allows scripts to be run if it is not already enabled. The script itself does not make any configuration changes.

You may also see the technicians submit the information provided by the script through a Microsoft Form. This Form is configured to securely submit the data to a database that only CNS OIT staff are able to access. This allows our technicians to record the information more quickly and accurately.

Who has access to the information?

Only staff in positions of special trust with controlled access will be able to access information.

For UT-owned devices, this means CNS OIT staff and authorized UT IT staff including the Information Security Office and systems administrators for the EPM tools.

For personal devices, only CNS OIT staff will have access to all of the information you provide to us. If a personal device has connected to the UT network, authorized UT IT staff including the Information Security Office and ITS Networking will be able to see only specific pieces of information about the computer that make it identifiable on the network.

CNS OIT shares, at specific intervals, aggregate data with CNS leadership. Any information about specific devices or individuals is anonymized before being shared. Certain factors such as department or primary affiliation may be used to categorize data and identify trends.

Personal Computers & Devices Used for Research and UT Business

What should I do if I'm currently using a personal device for UT work?

Anyone who uses a personal computer should fill out this form so the college can determine the scale and users' needs. If you supervise anyone such as students or research assistants who use personal computers, please send them the form so they can fill it out as well.

Full-time staff should submit a ticket at https://help.cns.utexas.edu/ requesting a work computer. Tenure-track faculty should provide funds for the purchase. Professional-track faculty qualify for a university laptop through the Dean’s Instructional Laptop Program. See here for additional information.

Will I be required to enroll my personal computer in EPM?

NO. CNS OIT will not enroll and is not permitted to enroll personal devices in central EPM.

Is there a plan to provide UT laptops to researchers that are currently relying on their personal computer?

We are still working on identifying options based on the needs identified and in collaboration with leadership.

What about undergraduate researchers working in the lab? What if I have a large number of students involved in research throughout the academic year?

We don't have a solution identified yet, but this is a need we are aware of and planning for.

Definitions & Terms

Below is an alphabetized list of frequently used terms and how they’re defined along with an explanation of what that looks like in our environment or implications.

Address, addressing a device

Definition: Done by CNS OIT in collaboration with the owner. Take actions so the device is capable of performing needed functions and is compliant with security policies. This includes collecting inventory information, making configuration changes to the device, and/or making configuration changes around the device.

What does that mean? Inventory identification will happen for every computer. Some details from inventory identification are used to determine compatibility of the device with EPM. Configuration changes to a computer may include enrollment in central management, adjusting administrative permissions, setting up data backups, installing OS and application updates, among other settings changes. Configuration changes around the computer may include removing it from the network, changing what network it’s connected to, or adding a hardware firewall.

Data

Definition: In the context of information technology, “data” refers to raw, unprocessed facts and statistics collected for reference or analysis. It can exist in various forms, such as numbers, text, images, or sounds, and is used as the basis for computations, analyses, and decision making in IT systems.

Endpoint

Definition: Any device capable of connecting to the internet and accessing, storing, or sharing information.

What does that mean? Computers, tablets, smartphones, security cameras, and printers are all considered endpoints. In the context of this project, “endpoint” will most commonly refer to a computer.

Endpoint Management (EPM), management

Definition: A set of tools used by IT to employ policies designed to protect access to University computers, data, and resources by securing computers and identifying the presence of specific security vulnerabilities.

What does that mean? Currently, we have EPM tools for computers (macOS, Windows, and Linux) and iPads. See the FAQ “What will be different after my computer is enrolled?” for more details.

Enroll, enroll in management, enrollment in central management

Definition: Done by CNS OIT in collaboration with the owner. Install software that connects a computer to the centralized Endpoint Management (EPM) systems, then use the EPM systems to set up policies for regular installation of updates and enable security configurations.

What does that mean? See the FAQ “What will be different after my computer is enrolled?” for more details.

Inventory identification

Definition: Gather details about a computer that are used to identify the device and who is responsible for it, and that aid in support.

What does that mean? CNS OIT will gather details about the computer’s hardware from the device itself. We will talk to the owner and/or users of the device to find out how the device is used and by whom. See the FAQ section “Inventory Identification” for more details.

Owner, device owner

Definition: The individual who owns the device or who is responsible for making decisions about the device.

What does that mean? For research labs, the PI is assumed to be the owner of each device. The owner can delegate responsibilities (such as approving changes) at their discretion.

Personal, personally-owned

Definition: Purchased using personal funds that did not originate from a UT account. Belongs to the individual.

Scientific data

Definition: As defined by the NIH’s Data Management and Sharing Policy, scientific data are “the recorded factual material commonly accepted in the scientific community as of sufficient quality to validate and replicate research findings, regardless of whether the data are used to support scholarly publications.”

What does that mean? This includes:

  • Primary data, often obtained through measurement, observation, or simulation.

  • Individual data points that are commonly grouped together in datasets with a consistent and defined data structure.

  • Manuscripts that have been submitted or accepted for publication.

As defined by the NIH, scientific data do not include:

  • laboratory notebooks,

  • preliminary analyses,

  • completed case report forms,

  • drafts of scientific papers,

  • plans for future research,

  • peer reviews,

  • communications with colleagues, or

  • physical objects, such as laboratory specimens.

Used for University business

Definition: Any device that is used to store, process, access, or share data that is owned by the University or produced during and/or for the purpose of performing University duties.

What does that mean? Using a computer in these ways would make that computer used for University business:

  • Grading student work, even if done entirely through a web browser (e.g. using Gradescope or Canvas).

  • Analyzing data, writing a paper, or creating a poster for UT-funded and/or grant-funded research.

Any UT work or UT resources being accessed as a student does not count (e.g. submitting your own coursework via Canvas).

UT business, University business

Definition: Any activity that is occurring as the result of, in service of, or to further the mission of The University of Texas at Austin and / or the values and impact of the College of Natural Sciences.

What does that mean? Research, undergraduate education, graduate education, and public service.

UT data, University data

Definition: Any information or insights that are generated, collected, processed, or stored while conducting UT business. Any data stored on or in a UT-owned device, account, or service.

What does that mean? This includes digital files, recordings, emails, employee records, financial transactions, operational documentation such as SOPs, metadata, and all data produced as part of research, even if it does not meet the criteria for scientific data.

A UT-owned service would be anything you sign into using your EID or any licensed software / service that is paid for with UT funds. This includes UTMail, UT Box, Qualtrics, and Microsoft 365 (e.g. Outlook, Teams, OneDrive, SharePoint).

Your own personal information and personal data protected by HIPAA, FERPA, or another federal or state law is not considered UT data when it is in your possession.

For example, accessing my own medical records after a visit to University Health Services is not considered accessing UT data. A member of University Health Services staff accessing my medical records after my visit is considered accessing UT data.

UT-owned

Definition: Purchased using UT funds, including grants. Owned by the University of Texas at Austin.

For research labs that came to UT from another university: all devices that were originally purchased at a prior institution and brought to UT are UT-owned and must be transferred from the prior institution’s inventory to UT’s inventory.


Endpoint Management (EPM) refers to a set of tools used by IT to set up, maintain, and support computers. EPM lets CNS OIT provide better support: we can see inventory and configuration information about your computer and, together with remote support tools, use it to resolve problems and fulfill requests. EPM also improves security by enforcing policies designed to protect access to University computers, data, and resources, and by identifying the presence of specific security vulnerabilities.

The Endpoint Management (EPM) Centralization and Standardization Program was created to improve the consistency, efficiency, and security of UT devices by establishing centralized EPM tools. IT staff and administrators across UT collaborate to provide a robust and reliable EPM platform.

The use of central EPM was written into policy at the direction of the Information Security Office, the Executive Vice President and Provost, and the President of the University of Texas at Austin after auditors found that networked devices— and especially computers— are one of the largest security risks we have.

Security policies for device configuration and management require that UT business be performed on computers enrolled in the central EPM platform and administered by trained IT staff. Additionally, IT staff must be able to prove to auditors that all devices meet minimum security standards.


Check back often for updates

This content is still under development and new content is being added regularly. The date this page was last updated can be seen under the page title.

Management is required for all UT-owned computers

macOS

Apple computers and tablets are managed using Jamf.

Windows

Windows computers and servers are managed using MECM.

Linux

Linux computers are managed using Orcharhino.

More details coming soon: https://cloud.wikis.utexas.edu/wiki/spaces/cnsit/pages/134350319/Endpoint+Management+in+CNS

Below are a few features managed by EPM that we’d like to highlight as they work a little differently than they would on a computer that isn’t managed. These are things you might notice after a UT computer is enrolled in EPM.

Administrator accounts and administrative access

  • Logging in to the computer with an administrator account will be disabled for day-to-day use, but a separate administrator account will be created for the device owner as needed. This is in accordance with IRUSP Standard 5.

  • CNS OIT will have an administrator account that enables us to properly administer the computer.

Screen saver lock

  • As defined in IRUSP Standard 15.2.5: “Unattended computing devices must be secured from unauthorized access using a combination of physical and logical security controls… [including] screen saver passwords and automatic session time-outs that are set to activate after 15-minutes of inactivity.”

Remote access

  • Unless otherwise required, remote access is restricted so that only CNS OIT can connect remotely. CNS OIT uses remote access only when it is required to provide support.

  • If remote access has been configured, this page has instructions for how to use it: Remote Access and Remote Login

Logging in with EIDs

  • Computers are joined to the Austin domain, which allows users to log in to a computer using their EID. This is done in accordance with IRUSP Standards 4.1.1 and 4.1.3.

Operating system and application security updates

  • As defined in Minimum Security Standard 4.5.2 for Systems: “Operating system and application services security patches are installed expediently (e.g., 30-days) and in a manner consistent with change management procedures. Products that no longer receive security updates from the vendor (e.g., unsupported) are not authorized.”

CrashPlan for backing up data

  • CrashPlan is installed and configured to back up your data.

  • For instructions on configuring and using CrashPlan, see our page: Code42 CrashPlan UT Backup

Exceptions to Management

An exception requires a technical justification approved by CNS OIT, the Dean, and the ISO. Exceptions are valid for a maximum of one year and are intended as an intermediate step between a computer being unmanaged and managed. Additional security measures must also be taken to ensure the security and compliance of the computer.

Once an exception expires, the computer must be enrolled in management, or a new exception must be filed and approved by CNS OIT, the Dean, and the ISO.

A computer with an exception to management is the responsibility of the device owner, but CNS OIT will assist with certain aspects of the exception process and alternate security measures. As each case is unique, CNS OIT will discuss the division of responsibility with the device owner.

Here is an example of a computer in a research lab that qualifies for an exception from management and what compliance looks like:

Situation

The computer is an instrument controller provided by the vendor. Enrolling the computer in management is a violation of the service agreement with the vendor and would cause issues with the software used to control the instrument.

Security measures taken to meet compliance

A firewall configured by CNS OIT is installed in front of the computer. The computer is then able to connect only to a select number of devices in the lab, UT Box, CrashPlan, and an IP address range supplied by the vendor that is used for remote support, including updates to the instrument and its software.

What these measures accomplish

  • The computer is less vulnerable to attacks from external sources.

  • If the computer were to be compromised, its ability to infect other computers on the network or compromise UT data is limited.

These are protections that EPM provides through a combination of firewall rules, system configurations, and anti-virus software.

The computer is still able to:

  • Control the instrument

  • Receive support from the vendor.

  • Automatically back up data, making it easy to access from another computer for analysis and decreasing the chance of data loss.
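The allowlist described in the lab example above, written out as an added nftables ruleset. This is illustrative code and not a configuration from CNS OIT; the page does not say which firewall product is used. It assumes a Linux host running nftables that routes between the controller's isolated segment and the rest of the network, and every address below (the controller, the lab devices, the resolver, the vendor and cloud ranges, and the vendor support port) is a placeholder drawn from RFC 5737 documentation or private ranges, to be replaced with the real values from the vendor and the UT service documentation.

```nftables
#!/usr/sbin/nft -f
# Added example, not CNS OIT's configuration.
# Allowlist firewall in front of an instrument-controller PC that is exempt
# from EPM. Default policy is drop in both directions; only the flows the
# exception describes are permitted.

flush ruleset

# All addresses are placeholders (assumptions), not real UT or vendor ranges.
define INSTRUMENT_PC  = 10.0.50.10                         # the exempt controller
define LAB_DEVICES    = { 10.0.50.20, 10.0.50.21 }         # instrument + analysis host
define RESOLVER       = 10.0.0.53                          # campus DNS resolver
define CLOUD_SERVICES = { 198.51.100.0/24, 203.0.113.0/25 } # UT Box / CrashPlan endpoints
define VENDOR_SUPPORT = 192.0.2.0/24                       # range supplied by the vendor
define VENDOR_PORT    = 443                                # vendor's remote-support port

table inet instrument_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to permitted connections come back; junk does not.
        ct state established,related accept
        ct state invalid drop

        # Controller <-> select lab devices only (instrument, analysis workstation).
        ip saddr $INSTRUMENT_PC ip daddr $LAB_DEVICES accept
        ip saddr $LAB_DEVICES ip daddr $INSTRUMENT_PC accept

        # Name resolution for the permitted services.
        ip saddr $INSTRUMENT_PC ip daddr $RESOLVER udp dport 53 accept
        ip saddr $INSTRUMENT_PC ip daddr $RESOLVER tcp dport 53 accept

        # Outbound HTTPS to UT Box and CrashPlan for automatic backup.
        ip saddr $INSTRUMENT_PC ip daddr $CLOUD_SERVICES tcp dport 443 accept

        # Vendor remote support: inbound only from the vendor range, and
        # outbound to it for instrument/software updates.
        ip saddr $VENDOR_SUPPORT ip daddr $INSTRUMENT_PC tcp dport $VENDOR_PORT accept
        ip saddr $INSTRUMENT_PC ip daddr $VENDOR_SUPPORT accept

        # Everything else is logged (rate limited) and dropped by policy.
        limit rate 5/minute log prefix "instrument_fw drop: "
        counter drop
    }
}
```

Load it with `nft -f` and then confirm the policy holds from the controller: a connection to a random campus host should time out while a connection to a lab device or to the backup service succeeds. The logged drops are the evidence a device owner can hand to an auditor that the exempt computer's reach is limited to what the exception justifies; with the default-drop policy, any new vendor range or lab device has to be added deliberately rather than silently reachable.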

FAQs about Management


What if my computer isn’t compatible with EPM?

CNS OIT will work with the device owner to understand the situation and identify options. If there is a technical or business reason the computer cannot be enrolled, an exception from management can be requested.

More details about EPM for each OS including compatibility requirements will be available soon.

What if my computer doesn’t store confidential data, does it still need to be managed?

All UT-owned computers must be enrolled in central EPM, regardless of how the computer is used and what data is stored on it.

Can I manage my computer myself? Why does CNS OIT have to manage it?

Though we have many technical and skilled people in the college, it’s a matter of policy.

IRUSP Standard 19.3 for management of UT-owned devices requires the use of central EPM and requires that it be administered by professionally trained IT staff.

Security policy also includes the ability to prove compliance in real time to auditors. In the event of a cyberattack or system compromise, we must be able to respond quickly. EPM makes this possible.

Do you have access to my data?

Some of it. CNS OIT has the technical ability to access data stored in the following locations:

  • On the hard drive of a managed computer: Select members of CNS OIT staff can use our administrator account to access files saved within any user profile.

  • CrashPlan (Code42, UTBackup): Select members of CNS OIT staff have access to the administrator console.

  • UT Box: Only if CNS OIT is the owner of a shared folder, or has access to a departmental Box share.

  • File servers: Only if CNS OIT manages it.

CNS OIT does not have access to data stored in these locations, however the administrators of these services do:

  • UTMail

  • Microsoft 365: Outlook (email and calendar), OneDrive, SharePoint, Teams

  • UT Box (beyond the shared folders noted above)

  • All other UT-owned devices and services

Will you be monitoring or looking at my data?

No. CNS OIT does not look at or monitor the data anyone has on their computer. The only time we intentionally touch data on a computer is when we are assisting with data recovery or when we are legally required to do so, such as during a FOIA request. In these cases, CNS OIT does not open, look at, or review any files beyond verifying that the data is not corrupted. CNS OIT also ensures that data storage and transmission are secure and accessible only to those authorized.

The privacy and security of data is a top priority. We do not access anyone’s data unless requested to do so by the data owner or another authority.

Abuse of privileged access is not tolerated and results in termination.


Questions about Endpoint Management in CNS?

Submit an Endpoint Management Questions request to create a ticket with our CNS OIT EPM team.