End User Device Support Standard

  • This topic has 11 replies, 8 voices, and was last updated 8 years ago by tjm.
    • #598
      aswancer
      Participant

      The purpose of the End-User Device Support Standard is to ensure that UNM owned devices are secure and well supported in order to deliver promised productivity at a low total cost of ownership. The standard applies to laptops, desktops and Windows tablets used to access UNM information assets, UNM applications, services, and network resources.

    • #622
      ccovey01
      Participant

      Equipment Set up, Integration, and Security:

      Question – does this apply to Macs, Unix, and Windows Embedded systems, among others, that they be joined to the UNM domain?

      Usage:

      Question – same as above, all clients have to authenticate to the UNM domain?

    • #638
      elisha
      Participant

      Under What is End-User Device Support, is this limited to Windows tablets as stated, or does it extend to any tablet?

      Under Equipment Set up, Integration, and Security (note the comma is in the wrong place in the header)
      Can we call out specific requirements/best practices instead of pointing users at a 200-page federal manual?

      Typo fix: “Operating systems must be within manufacturers product life cycle.”

      Can departments run their own WSUS, or must they connect to the UNM IT system? Is that system designed to scale for the campus?

    • #645
      ayoder
      Participant

      Will this standard apply to Virtual Desktops (VDI), Windows Embedded, or RT products?

      Responsibilities Section:
      Some of these standards say there will be a yearly review or “appropriate periodic review”. Will this standard be reviewed yearly?

      Compliance Section:
      “This standard has been developed, under and is subject to, all UNM policies”
      From UNM Policy 2560: “Draft standards will be developed by the IT Managers Council and then sent to the IT Agents Networking Group for review and comment.  The Networking Group will forward their comments to the IT Managers Council for consideration. The Council will publish the proposed standard on the CIO website and solicit comments from the campus.  The IT Managers Council will update the standard based on campus comment and submit it to the IT Cabinet for review.”

      “UNM Administration” needs to be defined. Which departments or offices are part of determining compliance?

      Installation, Warranty and Equipment Maintenance Section:
      “Ensure that equipment is properly and routinely cleaned and maintained”
      What criteria are UNM Administration, Internal Audit, and UNM IT using to evaluate whether equipment has been properly and routinely cleaned?

      Equipment Set up, Integration and, Security Section:
      There is a reference to best practices but none are listed on FastInfo. Also, the 200-page document linked in this section has little relevance to the purpose of defining best practices. The only mention of best practices in this document is for Virtualization, VOIP, Cloud Computing, and mobile devices.

      “Operating systems must be within manufactures product life cycle”
      What is the exceptions process for this? If there is a mission critical hardware device attached to that machine that is incompatible with updated product offerings?

      “Windows based operating systems must receive regular updates and patches through UNM IT Enterprise Update Servers (WSUS)”
      Are WSUS services available over UNM Wireless? Off-site users? Also, there is no mention of an enterprise OS X update solution. What is the standard for updating UNM-owned Apple devices? Is there a UNM repository for Linux/UNIX updates?

      “Use Enterprise grade deployment tools such as but not limited to Casper, SCCM, LanDesk, and Symantec Ghost to push, deploy or otherwise manage UNM SOE (Standard Operating Environment)”
      How does this affect departments who can’t use a tool like this due to cost, incompatibility issues, or because it just doesn’t make sense to have a system that size for a smaller department? Some of these are very expensive systems and it does not make fiscal sense to force a department to purchase an “Enterprise grade deployment tool” to be compliant with the standard. Also, which agency determines if a deployment tool is “Enterprise grade”? Microsoft provides many deployment solutions at little/no cost, but are these invalidated because they are not considered “Enterprise grade”?

      “All UNM owned devices must utilize Microsoft Active Directory (AD) authentication and be joined to either HEALTH or COLLEGES UNM domains.”
      For non-Windows/OS X devices do those have to be joined as well? Will Active Directory services be available over the UNM wireless? What security measures have been taken to encrypt communications of the UNM enterprise wireless network so that users can authenticate against the domain while on UNM property? What about users who have an assigned duty station not on a UNM network? Is UNM prepared to offer an off site solution for Active Directory authentication? What is the time frame for moving to that so departments can be compliant with the requirements of this standard?

      “Must use the UNM IT enterprise Key Management Server license (KMS)”
      What about users who work off site? Will the KMS server be adjusted to allow connections from outside UNM’s network? Currently activations are pulled after 180 days, and if a user has a UNM device at home and doesn’t touch the UNM network, the license is pulled from their machine. IT Software Distribution has been instructed not to give departments individual license keys, which would activate a perpetual license on that device.

      Antivirus Section:
      “Must use the UNM IT enterprise managed solution”
      Is this a requirement for OS X machines? Also, for UNM-owned devices that are running a non-Windows/OS X operating system, is there an antivirus client available for Linux/Unix-based operating systems?

      Support Plan Section:
      “Ensure secure connection and advise on personal firewalls”
      What is a personal firewall? Is this a “Host-based firewall”?

    • #655
      jwong
      Participant

      Questions:
      1. There are a few “MUSTs” in this standard. It sounded more like a policy. Are these best practice recommendations, or are they requirements?

      2. Is the patch management service (WSUS) free, or do we have to have an SLA with IT to get updates? What kind of updates: Microsoft, Adobe, Symantec, etc…?

    • #657
      cdean
      Participant

      In addition to the questions posted by others, I submit the following:

      1) Scope of the Standard: “The standard addresses the following Supplemental service…”. The definition of Supplemental as per KSA is “Those aspects of information technology that are offered via a central entity on a non-exclusive basis”. However, later in the standard’s “Equipment Set up, Integration, and Security” section, bullet 5 states “All UNM owned devices must utilize Microsoft Active Directory (AD) authentication and must be joined to either HEALTH or COLLEGES UNM domains.” These statements seem conflicting to me. If a standard applies to a department offering a Supplemental service, can the standard specify that the non-exclusive central entity must use an Enterprise service? As usual, I’m confused. And why is it that only the HEALTH or COLLEGES UNM domains are specified? See my additional comments below.

      2) Also in Equipment Set up Integration and Security: “Operating systems must be within manufactures {SIC} product life cycle.” What about a system that is not connected to the network at all via wired or wireless?

      3) If the Standard is stating that everyone must now join the Enterprise AD, who will be responsible for the potentially extremely complex and costly (both in terms of people and downtime) process of migrating existing directory services to a different AD?

      4) Can a department choose to join the HEALTH domain?

      5) There are multiple items specified in the standard that do not belong, IMO. For example, under “Usage”, bullet 2 states “Publish best practices for users of the device.” Most of the section called “Support Plan” is not appropriate for a standard. There are multiple University Administrative Policies that specify departmental responsibilities for publishing policies. For example, here are snippets from UAP 2500 and UAP 2520. I’m sure there are others.

           – UAP 2500 Acceptable Computer Use: “Individual departments within the University may define “conditions of use” for information resources under their control. These statements must be consistent with this overall policy but may provide additional detail, guidelines, and/or restrictions.  Such policies may not relax, or subtract from, this policy.  Where such “conditions of use” exist, the enforcement mechanisms defined within these departmental statements shall apply.  Individual departments are responsible for publicizing both the regulations they establish and their policies concerning the authorized and appropriate use of the equipment for which they are responsible.”

           – UAP 2520 Computer Security Controls: “Therefore, all departments operating University owned computers, including those operated by faculty, staff, and students, must develop departmental security practices which comply with the security practices listed herein.  In addition, departments must have environment-specific management practices for business functions such as maintenance, change control procedures capacity planning, software licensing and copyright protection, training, documentation, power, and records management for computing systems under their control. This may be done by hiring a qualified employee, sharing resources with other departments, or contracting with UNM Information Technologies (IT).  IT is available to assist and advise departments in planning how they can carry out compliance with this and other computer technology-related policies. Departments must document and periodically review established practices.” 

      Cyndi Johnson

    • #659
      cdean
      Participant

      Oh, and I forgot to point out that “Supplies & Daily Operation” states that departments must provide protective cases and carrying bags. Great idea for *mobile devices* (not specifically stated), but is that really appropriate to be in a Standard???
      Cyndi

    • #667
      tjm
      Participant

      I am going to try my best to reply to all the questions!

      The standard calls for UNM-owned devices to be joined to UNM’s domain. The driver behind this statement is to set up a first layer of security. As we talk about access to protected data of any type, devices, whether personal or UNM-owned, that do not meet certain criteria will not be granted access to this data. Encryption will come into play as these discussions continue regarding data classification and the access to such data.

      This standard applies to virtual desktops. Any non-Windows tablet owned by UNM will fall under mobile device management to access protected data.

      I agree a 200-page document should be condensed. We will work with Security to get a security standard for end-user devices developed and vetted in the coming months.

      The WSUS is available and scalable for campus.

      Any OS that is end of life or no longer supported must not connect to the UNM network.

      For those of you who have workers off site: if they are working with protected data, they must have a way to get updates, scan the computer for viruses, and must have access to KMS. Let’s talk if you have these situations.

      Symantec is available for Windows, Mac, and Linux. All three OSes have personal firewall functionality.

      Wireless at this time does not allow for AD authentication. It is on the roadmap.

      As for compliance, that process has not been fully designed. In my opinion, this standard would not be a true/false statement but more of an assessment of maturity or levels of compliance.

    • #680
      ssmock
      Participant

      Some of these items have been brought up already, but I wanted to submit all the notes I had in one place. I do believe that this standard and the feedback received highlights some of the issues with the standard writing process, particularly one that affects so many people and areas on campus.

      ———–

      The name of the standard is misleading – it seems to talk about how UNM IT/departments provide support to end-users, which could include personal devices and all mobile devices, in some cases. While no one may want to touch personal devices physically, isn’t simply providing documentation (e.g. knowledgebase articles) for users to configure their personal devices “end-user device support”? This should be renamed to something along the lines of “UNM-owned End-User Device Support Standard”.

      Laptop, desktops, Windows tablets seems vague and non-inclusive. What about iOS tablets? What about other mobile devices (iOS/Android tablets, phones, etc.)? What about departments that use Linux or UNIX boxes? Aren’t they considered “end-user devices”? If not addressed in this standard, will there be another standard to reference them? There is a reference to a “mobile device SLA” but SLAs do not set forth standards.

      The term “mobile device” seems to be used very loosely. What is the definition of a “mobile device”? To me, a “mobile device” is anything that doesn’t require a power cable to turn on, which would include laptops, tablets, phones, etc.

      “What is End-User Device Support”

      “Acquisition, management, maintenance, and support” – this standard notes “support” in the title, so some of these items seem to be out of scope. Acquisition, for example, is a purchasing/funding issue. “Support” is supposed to be the topic of the standard, so why is it noted separately from these other items and why are they included?

      “Excluded from the scope of this standard”

      Doesn’t make sense to address student checkout laptops in the Classroom Technology standard. They may or may not ever be used in a classroom. What about lab equipment? Print stations? Where do they fall? Seems like all of these need to be in the same place.

      “Responsibilities – UNM IT”

      It should be noted that UNM IT charges for the base standard operating environment.

      “Device Acquisition”

      The second bullet doesn’t speak to the cost associated or to creating a plan to meet this requirement.

      “Installation, Warranty and Equipment Maintenance”

      What constitutes a “certified staff” member? Do they need to be Dell/Apple certified? A+? This is very vague.

      “Equipment Set up, Integration and, Security”

      Typos and grammatical issues in section heading.

      First bullet – what are these “best practices” that are being talked about? The FBI doc is 200 pages long and provides almost no information whatsoever that’s relevant. What’s included in “best practices”? Are we talking about security (isn’t that the Data Security Standard)? Image creation and deployment practices? Ergonomics and high-contrast color schemes? Accessibility settings? Startup programs? Licensing? Power settings? Group policies? Local policies? Personalization settings? The list goes on and on – this point is incredibly vague with no guidance.

      Enterprise-grade deployment tools aren’t always appropriate in smaller departments/environments (cost could easily outweigh benefits). What’s wrong with deploying images via USB keys?

      While a good general rule to try to follow, many departments cannot guarantee operating systems are “within manufactures (sic) product life cycle” – many departments must utilize older operating systems for special hardware, such as Windows XP for mass spectrometers that are necessary for their department’s operation and initiatives.

      “All UNM owned devices must utilize Microsoft Active Directory (AD) authentication and be joined to either HEALTH or COLLEGES UNM domains”

      Nice idea, but not possible (at a minimum) without wireless AD availability. Windows tablets don’t have ethernet ports, nor do many modern laptops. This would require additional adapters to be purchased for these devices. Additionally, tethering a Surface tablet to the wall with a cable kind of defeats the purpose of a tablet or mobile device.

      This also doesn’t address offsite UNM-owned machines, even if they have ethernet ports. Will VPN be available for these machines? Cached profiles work for a while, but not indefinitely.

      “Antivirus”

      What is the “UNM IT enterprise managed solution”? Microsoft Defender has been more than adequate since Windows 8. Why slow down machines with software that provides no additional coverage?

      “Supplies & Daily Operation”

      Equipment Maintenance – what qualifies as “certified staff”? Do they need to be Apple/Dell certified? A+?

      “Hardware Lifecycle”

      Again, this is a nice standard to aim for but doesn’t seem attainable by many UNM departments unless UNM IT is offering a multi-million dollar influx of money for departments to meet this requirement. “As budget permits” helps, though.

      Lastly, I’m concerned that this standard is being developed without a matching SLA from UNM IT for this service. Where is UNM IT in all this? This standard seems to be targeted towards departments but not towards UNM IT’s baseline for service.

    • #687
      tjm
      Participant

      UNM IT does have an SLA for managed workstations. Since this is a supplemental service, the standard is up for review and comment. It is based on the SLA we provide customers who are part of the managed workstation program. As for antivirus/anti-malware, the solution offered by UNM IT is a managed solution that works with Windows, Mac, and Linux operating systems. This is preferable over Windows Defender, which is not managed and only works with a specific OS. UNM IT is working to open up AD ports to the wireless network. As for grouping devices such as classroom computers, printers, etc. – we originally thought it might work that way. We felt it was better to call out UNM-owned workstations as a separate standard because these are the devices that UNM employees would use to access protected data. This standard, as much as possible, is focusing on preventing data loss through UNM-owned devices. Of course, this is just one level of security to keep data protected.

    • #689
      ssmock
      Participant

      Thank you for the reply, TJ. Some additional feedback based on your response:

      1) It seems like “End User Device Support” extends far beyond managed workstations and that the SLA for that cohort is nowhere near inclusive enough to cover “End User Device Support”. This goes back to my comment that the name for this standard shows that the contents of this standard are nowhere near broad enough to cover what “End User Device Support” really covers, or the name is incorrect and needs to reference “UNM-owned” or “UNM Managed” systems.

      2) I do not agree that the UNM enterprise anti-virus solution is preferable. I would not be providing good service to my users if I install a program that will significantly slow down my users’ machines without providing any measurable improvement in stability or protection, which is especially true on older machines that are struggling for system resources to begin with. Having an enterprise-level anti-virus solution is great for areas that do not have robust images or IT support, but there needs to be a way for areas to meet this requirement without having to subscribe to only one solution if another can meet the same level of protection, particularly if it offers a massive performance increase to boot. This was one thing that the Data Center Standard did so well – it offered guidelines and a general “toolbox” of options but did not require that any single solution had to be employed.

      2.5) Why is this standard focused on “preventing data loss” (I’m assuming you mean in a security/data protection sense)? Isn’t that the Data Security Standard? Why would we re-define security standards (including anti-virus) in this document when they should be defined in a much larger sense? That standard doesn’t exist yet, but this standard should still simply reference the Data Security Standard, and this can be done very simply with a single line – “All systems must adhere to the UNM Data Security Standards as set forth in <insert link here>”.

      3) Wireless AD would be great! But I don’t think we can add it to a standard that REQUIRES people to join AD using a solution that doesn’t yet exist. If this is an auditable standard, then if wireless AD doesn’t exist, in order to comply we MUST join the devices to the domain via whatever method IS available, which simply isn’t doable with currently existing technology on campus.

    • #710
      tjm
      Participant

      This standard will be rewritten and up for review during the Group 4 period. Many suggestions will be considered, as well as a title change. My plan is to start up monthly meetings to review this standard beginning in July to gain broader feedback and revise the standard. Right now, let’s target December for a revision.

      Thanks,

      TJ
