(Work in progress to update customer web page and internal use wiki)

notes from web version:
My preference is that all contact is initiated through DSS helpdesks first as a filter.

• Operating System and Software Support (****Note: Upon thinking about this, I don't think we need this in DSS. I don't want to have a user think they are limited to just these things. I'd rather have them call us and ask to fix whatever the issue is, and then we can either direct them to the right place or help them****) 
  • LAITS will assist supported faculty, staff, and researchers with most issues related to computing devices, including, but not limited to:
    • Patching and Security > link  to EPM
    • Software Applications / Self Service > link  to EPM
    • Remote Access > 

• Patching and security standards
• Enrolled computers will receive regular patching, malware protection, backup, and security
• Enrollment includes BeyondTrust™ Remote Support Client as a standard application for remote assistance
• standard software applications onsupported computers   
• Automatic updates of Antivirus applications
• Critical security updates may be applied outside of the regular patch schedule, with a notice to the customer contact as listed on the SLA
• LAITS will work with end users to remediate any ISO quarantines on vulnerable systems, and will assist with evaluating and requesting exceptions as required for business purposes.
  If systems are quarantined by the ISO, LAITSWhen quarantined by ISO - Actively monitor and remediate vulnerabilities
• File exceptions with ISO, when appropriate

web description

The desktop engineering team ensures customer computers and printers are configured and maintained to meet Information Security Office (ISO) requirements including regular patching, malware protection, backup, and security.

Computer Provisioning (Imaging)

Desktop Engineering formats computers with standard software, functionality and security privileges before they are released to users

• Maintain base images with standard software for all recommended models (Dell | Apple)

  • Recommended computers can usually be imaged with standard software and deployed within 5 business days of receipt.

• Install non-standard software prior to deployment

  • DE staff must have the license information upon receipt of the computer. 

• Install the latest approved OS by default

  • New Apple computers must be configured with the OS that they were delivered with.

• Tablets and Mobile Devices 
  • Devices must be purchased through Campus Computer Store
  • Apple devices must be enrolled in Apple School Manager to facilitate patch management
  • Configured to prevent users from unintentionally wiping iPads and other iOS devices 
• Prevent users from unintentionally wiping iPads and other iOS devices.

LAITS Staff do not:

• Image devices that are unable to connect to our systems (no ethernet port).

• Install software on unmanaged iOS devices.

• Install non-current OSes unless a specific business reason is approved by LAITS management.

  • non-supported OSes are never allowed

• Install Dual-boot systems.

• Image machines that don't officially support one of our approved OSes.

• Image custom-built computers, unless we built it.  (see notes)

Fleet Management Policies

In order to successfully support, secure and maintain the fleet of computers in use by faculty and staff, LAITS staff have developed a minimum security profile for supported computers.

• Apply Minimum Security Standards to all computers

  • EID Login required

  • Applications / OS are patched

  • Computers are backed up

  • Computer name is standardized

  • Faculty / Staff devices are encrypted

  • IT staff can access any device

  • Hardware must be modern

  • OS must be within the top two vendor supported versions

  • University Warning Banner presented at logon

  • SSH access disabled

  • File sharing disabled

  • 15-minute screen saver with password required

  • Firewall is enabled

  • Access is logged

  • Systems Management tools are installed

  • Virus/Malware protection is active

• LAITS Staff do not:

  • Change top-level settings (Minimum Security Standards) without significant investigation and customer communication

  • Remove or change security settings due to user preference (business reason is required)

  • Restrict the ability to connect to a home wifi network

  • Support machines that do not have our management software or admin rights

Backup Management

Backup management is the process of monitoring, maintaining, testing and deleting obsolete backups on a regular basis to ensure your stored data is reliable, accessible and compliant with the University of Texas standards.

• Configure Crashplan for individual computers.
• Configure the client software to the default for LAITS-supported computers.
• During deployment, ensure a backup is initiated and verify a successful client software connection to the service.
• Before warranty repair, ensure a current backup exists.
• Configure the client software to send alerts to the user when the backup fails.  (see notes)
• Restore files from the cloud, if a backup is available.
• Delete old backup records after a new computer is connected.
• Move user & device accounts from other CSU's, when a user switches department. 
• See Desktop Support (LINK)

The Desktop Engineering team is responsible for controlling the base configuration settings for our instance of Crashplan. The core service is ultimately owned and controlled by central ITS and as such we are limited in the scope of changes we can make. The Desktop Support team is available to assist with your individual backup configuration needs.

LAITS Staff do not:

• Monitor backup status for client computers.

  • The user can contact LAITS Desktop Support for guidance on how to fix any issues.

• Provision Crashplan for shared or research lab computers.

Operating Systems Support

Staff support the operating system (OS) which manages all of the software and hardware on a computer. 

Support macOS and Windows

• OS must be within the top two vendor supported versions

• Support is limited to the compatibility of our Systems Management tools

• If a problem occurs on a lower Operating System, our first recommendation will be to update the OS

• Keep a limited set of older OS versions which can be used for troubleshooting and special cases

• Current recommendations - macOS (wiki link is internal, so what do we want customers to know? )
  

• Current recommendations - Windows (wiki link is internal, so what do we want customers to know? )

I believe we agreed to eliminate the explicit definition of what versions we support for ease of page serviceability  

The currently-supported operating system versions are:

Windows current supported operating systems versions are:

OS Upgrades

• Review a new operating system when it is released and approve it when stable.

  • Once approved, the OS version becomes the default for deployment on new and re-imaged computers.

• Prevent users from self-upgrading macOS until we've approved the new version

• Find and upgrade computers when a Windows version is no longer supported by Microsoft (End of Life - EOL)

LAITS staff do not:

• Guarantee compatibility with our software or security standards for macOS versions lower than or newer than our current recommendations

• Test and push Windows updates (this is done by ITS through the campus WSUS server)

• Support non-server Linux operating systems

• Support Dual-boot for single-user machines

Malware and Antivirus Protection

Desktop Engineering installs Malware and Antivirus protection to scan, detect, and remove viruses, and to safeguard a device from spyware and worms designed to hack into a computer. 

• Install Microsoft Defender for Endpoints on both Windows and macOS computers

• Apply a default profile to each computer with the following settings:

  • Scan weekly on Sunday at 12:00 pm

  • Respond to virus alerts and quarantines

  • Scanning Exclusions for certain folders (programs and caches controlled by LAITS)

  • Monitor Program installation

  • Monitor Program execution

  • Monitor network connections

• Configure scanning exceptions to support business needs

LAITS Staff do not:

• Configure Antivirus applications to scan email

  • UT Ironports does this on the server side, so it is unnecessary to scan on the device

Quarantines and Security/Abuse Notifications

Desktop Engineering staff actively monitor and remediate vulnerabilities referred by the UT Information Security Office.

• Actively monitor and remediate vulnerabilities referred to us by ISO

• Vulnerable/Compromised Devices - Respond to quarantines of devices on LAITS-managed networks (see notes)

  • UT Device - Fix the problem

  • Non-UT Device - disconnect from network, refer to ITS

• DMCA notices - Identify user by EID (if possible) and reply to DMCA Agent

• SSN remediation - Notify department head or IT contact

• Deploy standard preventative settings as part of our Minimum Security Profile for Supported Computers

  • (List out the minimum lists for customers? Link is internal to LAITS)

LAITS staff do not:

• Respond to quarantines for devices outside of LAITS-managed networks

• Respond to Compromised EID notifications - no action, ITS must reset password

• Guarantee protection from any kind of security problem

• Threats are ever-evolving, but DE staff do their best to keep computers secure

Distributed Partners 

Some units provide their own desktop support and purchase only Desktop Engineering from LAITS.  

• Provide limited access for our distributed partners to the following tools: (see notes)

  • Active Directory OU –  the technician will have full access

  • macOS local itadmin account - a separate password will be created and applied to their Zone device

  • Microsoft Deployment Toolkit (MDT) – access to deploy LAITS pre-configured images

  • Adobe Management Console - admin rights to their own VIP group

  • Crashplan - Org admin rights for relevant units

  • LANRev – add/remove/deploy software to their Zone

  • DeployStudio – access to deploy workflows (requires pre-staging from a LAITS staff member)

  • Bootstrappr - read & mount access to file.laits.utexas.edu, which contains images

• Provide limited assistance in packaging unit-specific software

• Configure Crashplan to deliver Org reports to partners

• Enable ISO Quarantine notices to be sent to the partner (see notes)

  • help with identification/location, if necessary (not common)

• Allow limited specific (already configured) software and configurations to be applied to a group of computers upon deployment

LATIS Staff do not:

• Configure/Maintain specialized images unless there is a specific business reason or SLA.

• Create separate local admin accounts (macOS) - itadmin is the only option

• Monitor specialized software for new releases

• Prioritize deploying new releases of specialized software (expect 2-3 weeks)

• Do training for our tools, outside of previously published wiki articles.

Mobile Devices

LAITS supports iPads for faculty and staff

• LAITS supports iPads, but does not provide support for other mobile devices (iPhone, Android, Fire Tablet). 

• Devices must be purchased through Campus Computer Store.

• To be supported, devices must be enrolled in Apple School Manager and Jamf to facilitate patch management.

• Any system that is no longer receiving software updates from Apple must be retired.

• Staff will assist with theft recovery / activation lock as necessary

Internal Staff Notes:
Jamf enrollment is also required for such devices.

We supervise so that we can recover the device. if someone signs in with AppleID, supervision prevents the device from being locked to the personal Apple ID.

Software availability and distribution

DE staff maintain a portfolio of standard software available to install on customer computers

• list of faculty and staff software
• Patch My PC 3rd Party Updates List

• Package specialized software (reasonable effort)

• Update specialized software upon request (limit 2 updates per year)

• Assist with Adobe software purchases

•  (wiki FAQ)
  
  • ESRI ArcGIS
  • ERDAS Imagine
  • Mathworks MATLAB 
• Include BeyondTrust™ Remote Support Client (formerly Bomgar™ Remote Support Client) as a standard application for remote assistance.

LAITS Staff do not:

• Purchase non-Adobe software

  • Many products can be purchased here.

• Store or manage license keys (see notes)

  • Specifically, Adobe Creative Cloud licenses are managed by departmental contacts

• Install software outside of the terms of service

  • no unlimited re-installation of trial software

  • no terminal servers for circumventing licensing agreements

  • no other methods to circumvent licensing agreements

• Install Microsoft Office using the O365 portal (use this method for personal machines)

• Install Adobe Creative Cloud applications; customers can install them on their own through the Creative Cloud application once a license is assigned

  • This does NOT include student labs & classrooms

• Keep track of releases of non-standard software

Software and Operating System Updates

(need a short declarative description of this service)

DE To decide on the italicized section

Application Updates

Most common application updates are curated and executed by the central Endpoint Management Team. Please refer to the following link for an exhaustive list of the software that is maintained as a part of this program:
3rd Party Updates List

• The following applications are Staff Patch during the third week of each month (see notes):

  • Adobe Flash

  • Adobe Reader

  • Chrome

  • Firefox

  • Java

  • Microsoft Office

Operating System Updates

• macOS updates

  • Safari

  • Apple Firmware (model-specific)

• Windows OS updates

  • Internet Explorer / Edge

• Enable automatic updates of Microsoft Defender for Endpoints

• Allow reboots to be deferred up to 8 hours, and then the computer will be automatically rebooted (Windows only)

  • A script checks weekly at 4pm on Thursdays and starts a reboot with 8 hour timer, if a reboot is required after updates

• Apply critical security updates outside of the regular patch schedule, with a notice to the customer contact as listed on the SLA

  • non-deferrable reboots may be employed, depending on severity

LAITS staff do not:

• Patch software not defined in the list to the left

• Patch more often than monthly

• Maintain old versions of software

  • When software breaks due to old OS versions, the default answer will be to upgrade the OS before troubleshooting further

Print Management

LAITS maintains a list of recommended printers that are fully supported. They also review and update this list each summer or as new models are released.

DE staff support:

• Printer Setup:

• Set up new printers within 5 business days (recommended models), (see notes)

  • Non-standard printers may take longer to install, if possible at all...

• Provide campus-only IP addresses and configure DNS records (Network Team)

• Create print queues set up through the central LAITS print server

  • Includes Mac print driver packages

  • Deploy Printers to Windows & Mac via automated policy

• Request Mail relay whitelist to allow scan-to-email

• Connect Fax lines (see notes)

• Standard configuration

  • Adherence to printer and print queue naming standards (Printer Naming Standards) DEPT-Room-Purpose-Feature

  • Adherence to standard security settings (Printer Security Standards)

• Attempt to support non-recommended models (reasonable effort)

LAITS Staff do not: 

• Obtain and maintain the contract with an approved university vendor

• Refill or replace Paper or toner/ink

• Support Fiery front ends

• Provide Printer hardware maintenance

• Manage print codes/restrictions  (see notes). LAITS does not configure or maintain User Authentication Management and Account Codes on departmental printers.

  • If a special driver is necessary, LAITS will push the driver remotely or send the package to a department contact for installation

• Manage Accounting/usage data (see notes)

• Manage address books or contact lists (see notes)

Staff Resource Accounts

DE provides support to set up new resource accounts, shared calendars and departmental mailboxes.

• Help assess the best tool for the customers' needs

  • UTList vs Resource Account vs Distribution Group

• Set up new resource accounts, shared calendars, and departmental mailboxes

• Create departmental shared UTBox folders

  • Add co-owners, who can then add editors on their own

• Assist if all departmental representatives leave the university and the remaining department staff need access to mailing lists, distribution groups, shared calendars, or resource accounts.

LAITS staff do not:

• Create or maintain UTLists

• Handle daily management of UTBox folders (e.g., adding editors)

• Department must manage day-to-day access, after it is created

  • https://www.austin.utexas.edu/Office365Management/

Lost or Stolen Devices

If a computer is missing, DE staff can search the network to determine if the device is on campus or online.

Staff members must report lost or stolen equipment the UT Police Department and report to ISO

• Contact UTPD on their non-emergency line: (512)-471-4441 to file a report

• Fill out an ISO Stolen Device Form

After devices have been submitted to Inventory as missing:

• Search Endpoint Management applications immediately to determine if the IP is on-campus

• Set alerts in Endpoint Management applications to watch for the device to come back online

• Limit 5 devices, expect slow turnaround

LAITS Staff do not:

• Certify departmental inventory, including:

  • Locating a list of devices prior to inventory being complete

  • Completing ISORA

• Update computer locations in DEFINE during non-move support interactions

• Monitor faculty and staff location moves

• Store devices outside of unit-owned spaces: a departmental representative should hold all unused equipment

INTERNAL ONLY Contact Information

• Email: LAITS-DE@austin.utexas.edu | that's our Svc Now ingest
• laits-de-shared@austin.utexas.edu | Team email
• Phone: n/a
• Physical Headquarters: BEL 228 (not open to the public)
• ServiceNow Assignment Group: LAITS-Desktop-Engineering
• Slack Channel: #desktop_engineering

Helpful Links:

• Desktop Engineering Customers
• Desktop Engineering SLA
• Minimum Security Profile for Supported Computers

  If you believe any of the service definitions are missing information, are in error, or require additional clarification, send an email and your concern(s) to laits-escalation@utlists.utexas.edu.