UNM Owned Device Support Standard

This standard seems to be virtually the same as the previous iteration with a couple minor adjustments. Many of my comments from the last revision still stand, which I have copied (and updated) below:

Laptop, desktops, Windows tablets seems vague and non-inclusive. What about iOS tablets? What about other mobile devices (iOS/Android tablets, phones, etc.)? What about departments that use Linux or UNIX boxes? Aren’t they considered “end-user devices”? If not addressed in this standard, will there be another standard to reference them? There is a reference to a “mobile device SLA” but SLAs do not set forth standards.

The term “mobile device” seems to be used very loosely. What is the definition of a “mobile device”? To me, a “mobile device” is anything that doesn’t require a power cable to turn on, which would include laptops, tablets, phones, etc. UPDATE: This revision seems to be referring to another category of “portable” devices. What’s the difference and how is the casual reader supposed to easily tell the difference? Seems like there may need to be a glossary of terms, at minimum.

“What is End-User Device Support”

“Acquisition, management, maintenance, and support” – this standard notes “support” in the title, so some of these items seem to be out of scope. Acquisition, for example, is a purchasing/funding issue. “Support” is supposed to be the topic of the standard, so why is it noted separately from these other items and why are they included?
“Excluded from the scope of this standard”

Doesn’t make sense to address student checkout laptops in the Classroom Technology standard. They may or may not ever be used in a classroom. What about lab equipment? Print stations? Where do they fall? Seems like all of these need to be in the same place.

“Responsibilities – UNM IT”
Should be noted that UNM IT charges for the base standard operating environment

“Device Acquisition”
Second bullet doesn’t speak to the cost associated or to creating a plan to meet this requirement

“Installation, Warranty and Equipment Maintenance”
What constitutes a “certified staff” member? Do they need to be Dell/Apple certified? A+? This is very vague.

“Equipment Set up, Integration and, Security”
Typos and grammatical issues in section heading

First bullet – UPDATE: This document is much better than what was there before. I’m curious, though, how this was developed and by who. If strictly by UNM IT, I don’t believe that meets the spirit of a collaborate standard where all parties should have some feedback into what constitutes best imaging practices

Enterprise-grade deployment tools aren’t always appropriate in smaller departments/environments (cost could easily outweigh benefits). What’s wrong with deploying images via USB keys?

While a good general rule to try to follow, many departments cannot guarantee operating systems are “within manufactures (sic) product life cycle” – many departments must utilize older operating systems for special hardware, such as Windows XP for mass spectrometers that are necessary for their department’s operation and initiatives.

“All UNM owned devices must utilize Microsoft Active Directory (AD) authentication and be joined to either HEALTH or COLLEGES UNM domains”
Nice idea, but not possible (at a minimum) without wireless AD availability. Windows tablets don’t have ethernet ports, nor do many modern laptops. This would require additional adapters to be purchased for these devices. Additionally, tethering a Surface tablet to the wall with a cable kind of defeats the purpose of a tablet or mobile device. Wireless AD would be great! But I don’t think we can add it to a standard that REQUIRES people to join AD using a solution that doesn’t yet exist. If this is an auditable standard then if wireless AD doesn’t exist then, in order to comply, we MUST join the devices to the domain via whatever method IS available, which simply isn’t doable with currently existing technology on campus. Unless this can be put into place before this standard is ratified, it should be added to the standard later during a regular review cycle once wireless AD is available.

This also doesn’t address offsite UNM-owned machines, even if they have ethernet ports. Will VPN be available for these machines? Cached profiles work for a while, but not indefinitely.

“Antivirus”
What is the “UNM IT enterprise managed solution”? Microsoft Defender has been more than adequate since Windows 8. Why slow down machines with software that provides no additional coverage? I do not agree that the UNM enterprise anti-virus solution is preferable. I would not be providing good service to my users if I install a program that will significantly slow down my users’ machines without providing any measurable improvement in stability or protection, which is especially true on older machines that are struggling for system resources to begin with. Having an enterprise-level anti-virus solution is great for areas that do not have robust images or IT support, but there needs to be a way for areas to meet this requirement without having to prescribe to only one solution if another can meet the same level of protection, particularly if it offers a massive performance increase to boot. This was one thing that the Data Center Standard did so well – it offered guidelines and a general “toolbox” of options but did not require that any single solution had to be employed.

“Hardware Lifecycle”
Again, this is a nice standard to aim for but doesn’t seem attainable by many UNM departments unless UNM IT is offering a multi-million-dollar influx of money for departments to meet this requirement. “As budget permits” helps, though.

I certainly agree with the spirit of this standard, but it definitely needs an exception process or needs to be expanded so as not to disrupt alternative workstation management processes. At the library, we have used Pharos and LanDesk to secure and keep our student workstations updated for quite some time now – actually since before my time. This has proved to be an effective way to manage our 500+ student-facing workstations, so I am certainly hoping to work on making this standard more flexibile. I assume the section on Compliance is attempting to be so with the statement: “The UNM Administration, Internal Audit, or UNM IT may determine the compliance of departmental support approaches with this standard.” – I think as long as we can discuss our exceptional circumstances and ensure they are included in approved workstation management model, then the library will be able to easily comply with all of the components of this standard. – Kevin Comerford, Library IT.

I agree that this provision is the responsible thing to do, “Replace or upgrade equipment that cannot provide the setup, data protection, user access and security measures identified in the next sections.” Making that a reality will require new funding allocations or budget models in many departments.

Under Equipment Set up, Integration, and Security, I assume “Windows 8,1” should read “Windows 8.1” Are there best practices documents for Windows 7, OS X, or any specific concerns with Linux?

Simpler processes to support devices that do not regularly connect to the UNM network (offsite, out of town) for KMS would be helpful.

Thanks for the comments.  There has been a significant change to this standard from the original post.  The changes to the new standard emphasize the requirements for UNM owned devices that access sensitive, protected data.  We’ve shortened the security standard from a 200 page FBI document to a two page document vetted by Security.  AN enterprise antivirus/antimalware that is managed is part of security requirements.  If departments choose to use something else for computers accessed only by students, this standard doesn’t apply in that situation. The lifecycle of equipment is a recommendation not a must have.  Operating systems will dictate hardware requirements as they go end of life. 

As for AD authentication, yes there will be necessary hardware- such as dongals, to attach to the wired network.  We are working the AD authentication through wireless so the hardware won’t be necessary at some point.  Joining the colleges domain is the first level of security for those of us who have access to protected, confidential data.  For those those situations that require equipment that communicates to an EOL operating syste and need  to be attached to network – let’s talk.  risk assessment for the potential of data loss would be assessed.  As well as cost to upgrade equipment or related software would be part of that assessment. 

The goal of this standard is to ensure we have appropriate security around different types of data.  For compliance, that has yet to be determined.  At a minimum, devices that do not meet the standard may be denied access to highly confidential, protected data.

Ryan, thank you for the update on the upcoming standard to be authored collaboratively, that’s a positive development.

Based on follow up comments, the standard appears to pivot more towards security, yet the document as it’s now written seems largely concerned with PC maintenance – would ROI/TCO recommendations and day to day support expectations perhaps live better in another, more general standard that encompasses SPI and non-SPI systems?

• Could an IT Agents or IT UNM meeting be scheduled that discusses dongles, wireless updates, and other plans to secure these systems? It sounds like there are significant changes coming, but I imagine this is the first many of us have heard of them.

• Could we get the definitions for Sensitive and Protected Information (SPI)?

• If a system is not used by students, but also doesn’t access SPI, does this standard apply to it?

• Will these SPI systems need to run WSM images?

• I know this is a recurring theme, but it appears Apple and Linux devices, among many others, would not be allowed to access SPI?

• An Active Directory doesn’t on its own guarantee a secure system – what specific implementations are forthcoming?

o Are there particular group policies or third party software that will be applied to these systems to lock them down? Will something like Software Restriction Policies or Applocker be used, or some other software that allows some software to run, and blocks everything else?

o Those have the potential to block much legitimate academic software used around campus, what testing protocol will be followed prior to software and other enforcements?

o If a department acquires new software and needs it to be unblocked, what is the process, and will there be a chargeback for that request?

• Would users of these SPI systems use one Windows PC to access SPI data, and then have another if they have to travel, do presentations, or if they need to install software as needed?

• What will the communication/change management process look like for these systems? If a group policy or other change blocks legitimate software, breaks printing, or disables an Internet browser for a user, as examples, should a user call C-IT, or their local IT? Will local IT receive prior notification about group policy changes?

o What cost-recovery will apply?

o Will a billing index be required to initiate a ticket?

o What SLAs will apply to support requests in these situations?

• Is an encryption system on the roadmap?

• This reply was modified 7 years, 11 months ago by ccovey01.

Continuing with potential SPI configurations:

* will a multi-factor authentication system be in place to support these systems?
* will these systems have location tracking software like Computrace? If so, who will purchase and support any additional multi-factor and location tracking hardware or software packages?