As part of a college-wide communication sent on May 9, 2024, CNS OIT announced that a project to enroll networked computers is underway. Composed of two stages, the current effort involves proactive steps to improve the college’s compliance with security policies by focusing on the implementation of Endpoint Management in CNS. These policies exist not only due to state and federal regulations, but also to protect UT from cyberattacks and security risks that threaten our ability to carry out UT’s mission.

Enforcement of device management policies is increasing and the Information Security Office may begin taking drastic measures including locking EIDs, quarantining devices from the UT network, or blocking devices from accessing UT services. We don’t have a timeline on when such methods will start being used, so we’re working to minimize hinderances to productivity by bringing as many devices into compliance as possible.

This work aims to achieve the following outcomes:

All faculty and staff, including graduate students and undergraduate students who are employed by the college or conducting research.

You will be impacted if one of more of the following criteria applies to your role:

• Funded by UT and / or external grants

• Involved in research that is funded by UT and / or external grants

• Requires you to use (including produce, share, access, store) UT data

Many people have multiple roles and there are certain instances where your UT-related activities are outside the scope of this project. Only roles that meet the criteria described above are in scope.

One example of a person who has roles in scope and roles out of scope is a graduate student. Their “TA role” is in scope because they are interacting with students and accessing FERPA data (student information and grades). Their “research staff" role is in scope because they are conducting research and interacting with research data that is being produced as part of a project funded by an external grant and / or UT. Their “student role”, however, is not in scope— this includes their own FERPA data, homework assignments, and course materials that are related to a class in which they are enrolled.

CNS OIT technicians are going door-to-door through CNS buildings to identify devices connected to the UT network. We’re working with building managers to send a message to the building before we begin. If you’re not on your building's email list you can sign up here or reach out to your building manager.

For UT-owned computers, hardware and contact information will be gathered. CNS OIT techs will also discuss with the device owner. For research labs, this is the PI or a lab member they identify. The questions we ask help determine the compatibility between the computer's required functions and management. Our focus is on the computer itself— the goal is to understand the use and current state of a computer and be able to identify it on the network.

All UT-owned computers must have a UT Tag to indicate they’re UT property. CNS OIT technicians will place an orange UT Tag on any untagged computers to meet this requirement and further help us identify a specific computer.

For computers already enrolled in management, CNS OIT techs will check the status of data backups using CrashPlan and help the device owner configure backups.

We’re asking that anyone who uses their personally-owned computer for UT work fill out this Personal Device Use Identification form.

Using the information from Stage 1 and through discussions with the device owner, a plan will be made to identify what actions need to take place. Then, steps will be taken to address the computer and make it compliant.

Forcing enrollment or addressing a computer will not occur without proper assessment of the device and discussion with the owner.

A computer is considered compliant once it falls into one of the following categories:

1. Enrolled into management 

2. Removed from the network 

3. Exception from management approved by the Dean and filed with the ISO, in combination with additional security measures.

   1. Note: This option requires a technical justification approved by CNS OIT, the Dean, and the ISO. For more information about exceptions, see the section “Exceptions to Management” on Endpoint Management in CNS.

Please note you risk extended downtime if you delay addressing your computer. As mentioned above, enforcement measures are increasing. If a computer is quarantined due to lack of compliance, we can make no guarantees nor estimates for when the computer can be addressed and network access restored.

We’re aware that many CNS faculty, staff, and students use their personal computers for UT work and research due to a wide variety of factors. We need your input to understand what these factors are and the scale of impact. We’re collaborating with CNS leadership to find solutions so access to a UT-owned computer is guaranteed.

It is imperative that anyone using their personal computer for UT work or research fills out the Personal Device Use Identification form.

There are three primary reasons why your input is critical:

1. In order to design a solution that meets your needs, we need to know what your exact needs are.

2. We’ll be able to contact your directly once a solution is identified.

3. When the ISO begins quarantining personal computers, if a long-term solution hasn’t yet been identified we can use the information supplied to create an intermediate plan so you’ll experience as little disruption as possible.

If an IT device will connect to the network (wired or wireless), it must be vetted by CNS OIT prior to purchase and all computers must be delivered to CNS OIT to enroll into management. This is defined in IRUSP standard 19.6.

If a device will not connect to the network and cannot store UT data (e.g. keyboard, monitor), then purchase doesn’t have to go through CNS OIT. We are happy to assist in verifying compatibility.

Please contact CNS OIT by sending an email to help@cns.utexas.edu. If you don’t have a specific item in mind, CNS OIT can assist and provide customized quotes to your purchasing agent.

Network access will be limited to devices that must be on the network. If the device does not need network access to complete work, it’s best to leave it disconnected from the wired and wireless network. 

Any device will only be permitted on the wired or IoT wireless network after CNS OIT completes an inventory survey and verifies the device meets policy requirements. Any devices that connect to the network without CNS OIT involvement will be removed from the network at an unspecified time without warning.

For new labs or renovations, CNS OIT needs be brought into discussions early to help design and implement the infrastructure to ensure your needs will be met. Infrastructure changes such as adding new ethernet ports are almost always needed and are faster (and less expensive) when identified from the start.

Please submit a Network Connectivity request through the CNS OIT Help Form to create a ticket directly with our Networking team.

No action is planned at this time. Once the ISO identifies a need, CNS OIT will create a plan and communicate it to CNS. Requests to connect new devices to the network will be reviewed and only devices that need to be networked and meet security requirements will be allowed online, as mentioned above.

What computers and devices are included?

Any computer that is accessing UT data or used for UT business is in scope for identification. This includes any computer that is:

• UT-owned and already managed by CNS OIT, or

• UT-owned but not yet managed by CNS OIT, or

• provided by the vendor for use controlling a scientific instrument, or

• personally-owned

ONLY UT-owned computers are in scope for enrollment into endpoint management

Smartphones and mobile phones are not in scope.

For inventory identification, our current focus is computers, however we may also ask to gather inventory information about other network-connected devices like printers, iPads, or IoT devices such as freezers.

How will this impact me?

You will only be impacted in the ways that are listed under the section “Who is impacted?” and the FAQ “What computers and devices are included?” It can be helpful to ask yourself, “What roles do I have? Which role is asking me to participate in this activity?” to determine how you may be impacted.

Our current efforts will primarily be with research labs. Research labs have unique needs and more complicated requirements. The current approach is designed so CNS OIT is able to give the needed focus and time to each lab.

How long does the inventory identification take?

10-25 minutes for each computer. It may be more or less time, however, depending on what information we already know about the computer and what information we need to gather.

For more information about what inventory identification includes, please see below “Inventory Identification FAQs“.

Will I be required to enroll my personal computer in EPM?

NO. CNS OIT will not enroll and is not permitted to enroll personal devices in central EPM.

What will be different after my computer is enrolled?

Please see the “Management is required for all UT-owned computers” section on this page for some of the most noticeable differences: https://cloud.wikis.utexas.edu/wiki/spaces/cnsit/pages/134350319/Endpoint+Management+in+CNS#Management-is-required-for-all-UT-owned-computers

Inventory Identification FAQs

Why do you need to know how I use my computer?

There are 3 main reasons:

1. We configure management to minimize disruptions and avoid negative impacts to productivity while adhering to security requirements. The default management configurations are designed based on the average habits and needs of our users, but we evaluate every situation individually.

2. Troubleshooting is streamlined and a more targeted approach can be taken.

3. UT is required by state law to identify the classification and type of data that are stored on or accessed by each specific device. Knowing how a device is used helps answer this question.

What information are you gathering?

For UT-owned computers:

• We’re collecting information about the computer: this includes contact information of the device owner, details about the hardware, type of data stored on the computer, and how the computer is used. Qualitative information about data is gathered in order to categorize it according to the ISO’s Data Classification Standard.

For personal computers:

• We’ll ask you if you use a personal computer for UT work. We’ll then request you fill out the Personal Device Use Identification form which asks for a few details about your personal computer including the OS family and a few questions about the UT data you store and access from your personal computer.

How are you gathering information?

By getting information from the device itself and by talking to the device owner or users.

For UT-owned computers, CNS OIT technicians will use scripts written by our Mac, Windows, and Linux Systems Administrators that return specific pieces of information. These scripts automate the steps our technicians would otherwise perform manually and individually through a combination of navigating through the device settings and using commands in Command Prompt or Terminal. The only configuration change made would be enabling a routine setting that allows scripts to be run if it's not already enabled. The script itself does not make any configuration changes.

You may also see the technicians submit the information provided by the script through a Microsoft Form. This Form is configured to securely submit the data to a database that only CNS OIT staff are able to access. This allows our technicians to record the information more quickly and accurately.

Who has access to the information?

Only staff in positions of special trust with controlled access will be able to access information.

For UT-owned devices, this means CNS OIT staff and authorized UT IT staff including the Information Security Office and systems administrators for the EPM tools.

For personal computers, only CNS OIT staff will have access to all of the information you provide to us. If a personal device has connected to the UT network (wired or wireless), authorized UT IT staff including the Information Security Office and ITS Networking will be able to see only specific pieces of information about the device that make it identifiable on the network.

CNS OIT shares, at specific intervals, aggregate data with CNS leadership. Any information about specific devices or individuals is anonymized before being shared. Certain factors such as department or primary affiliation may be used to categorize data and identify trends.