Computer Management Answers for Employees

USU is standardizing computer management across all University-owned devices. All computers at USU must be professionally managed and configured in an auditable and standardized way by authorized USU IT support staff. To identify and contact your assigned IT support staff, log into MyTech. Please see the memorandum from the President and the CIO of Utah State as an introduction.

What does this mean for me?

If you are the primary user of a University-owned desktop or laptop, please work with your assigned USU IT support staff to ensure that your computer is enrolled, configured, and professionally managed according to USU requirements. Your IT support staff will take care of things and answer all of your questions. Please note that this is not something you can do on your own. See MyTech to identify and contact your assigned IT support staff.

Your IT support staff will do most of the work, configuring each of your computers to ensure a baseline security level, including the installation and updating of certain required applications (like CrowdStrike, a FedRAMP-certified anti-malware/anti-virus software). Computer management will not prevent access to the software you need to do your job, nor track day-to-day activity or web browsing. It will verify that the installed operating system is patched and up-to-date, apply appropriate hard drive encryption, configure certain system, application, and access controls as necessary, and allow USU and your IT support staff to confirm the state of these settings electronically.

See Can I use a personal device? for specific requirements concerning personal device use for University business.

Why is this necessary?

These efforts enable USU to comply with required portions of CIS, CMMC 2.0, NIST, and NSPM-33 standards representing best practices for cybersecurity, which in turn allows USU to receive federal contracts and grants, and to adhere to USHE policy as well as state and federal law. Effective computer management will also ensure greater protection of institutional data, including student and employee records.

What can I do to be ready?

Work with your USU IT Support professional to aid them in this process. Communicate your needs and scheduling preferences to make this process as smooth as possible.

Backup: Prior to moving to the device management system, a backup of locally stored data may be required. Moving your files to a personal or departmental folder on Box.com is a great option. The backup time will vary depending on the amount of data transferred. Your IT support team at mytech.usu.edu can assist with this process.

Enrollment

  • Time: The initial device setup typically takes 1.5 to 2 hours.
  • Availability: You will need to be present during the setup process so you will be established as the primary user.

Additional Tips:

  • You can also schedule the move process with IT support for your convenience at mytech.usu.edu.
  • Be prepared with any necessary passwords or information during the setup.

When will this happen?

This will start with each computer being evaluated and configured or reconfigured manually over the next year or so. Your IT support staff will work with each of you individually to schedule time to make the change. In some cases, your device may already be correctly configured and part of this new system, as piloting and testing are already underway.

I hear that I won’t have ‘admin rights’ to my computer under this new policy. How does this change how I work?

Correct. Regulatory requirements and cybersecurity best practices require that you work with “standard user” privileges and only escalate to “administrator” rights as needed. The good news is we have implemented an easy way for you to elevate to “admin” in order to install software as-needed without generally needing to contact or go through an IT support person. Many of the most common tools are already part of the "standard user" set-up, with many more available in the Apple Self-Service and Microsoft Company Portal apps that won't require "administrator rights" to install.

You can find information on how to use these tools in knowledgebase articles for both Intune and Jamf.

How can I tell if my computer is being appropriately managed?

Contact your IT support staff. Ask them if your computer is set up to use “Intune” if Windows or “Jamf” if Mac. If you have a Linux operating system, you can also work with your desktop support to bring your computer into compliance.

Another way to tell is that managed Apple Macintosh computers have a “Self-service” app installed, and managed Windows computers have a “Company Portal” app installed.

How do I get my computer enrolled?

Please work with your assigned USU IT support staff to ensure that it is enrolled, configured, and managed according to new USU requirements. Your IT support staff will take care of things and answer all of your questions. Please note that this is not something you can do on your own. See MyTech to identify and contact your assigned IT support staff. If that site indicates that you do not have IT support staff assigned, please work with your unit supervisor and contact Madonna Bortle, supervisor of the IT Service Desk, to advise on options.

Does this change how computers are purchased at USU?

New computers must be fully compatible with USU computer management systems and applications. Not all computers are. Please work with your assigned IT support staff before purchasing to identify models, configurations, and sources that fully support these new requirements and ease onboarding and enrolling.

We recommend that Apple devices be purchased through the USU bookstore, and Windows devices be purchased through EZ-Buy. Please do not order devices on-the-fly through Amazon, BestBuy or other sources without first consulting and receiving approval from your assigned IT support staff.

Is this optional? I’m pretty good with computers and can manage them myself securely.

Unfortunately not. USU must utilize common device management platforms to electronically ensure, verify, and enforce certain configurations. If you are interested in formally taking on an IT computer support role for your unit with the approval of your supervisor, we can visit with you on beginning that journey. Otherwise, please rely on your assigned IT support staff to ensure compliance. Please note that these systems largely allow you to operate your computer as-usual once set up and enrolled.

I’m concerned about privacy and data security. What can these systems see and do on a managed computer?

This is an important question. At USU, computer management platforms are carefully configured to enhance security and not bypass security and privacy controls in files, applications, or data.

USU has customized our implementations to collect only the data needed to proactively secure, inventory, and support devices. For example, the management platforms can:

  • View model, serial number, and operating system
  • Identify your device by name
  • Reset a lost or stolen device to factory settings
  • View disk encryption status
  • View information for installed applications (e.g. versions)
  • Apply vetted operating system configurations
  • Push or ask you to install vetted patches and updates, allowing notice and reasonable deferrals so that updates do not interfere with critical work.

These management platforms do NOT collect personal information. For example, they do NOT:

  • Access, view, or edit your files, photos, data, application content, browsing history, or bookmarks.
  • Record your screen or audio, or activate any camera or microphone.
  • Access your passwords.
  • Track your location with the device.

IT support technicians and systems administrators receive training and sign the USU Non-Disclosure Agreement (formerly known as the IT Confidentiality Agreement).

And, finally, any action taken on any device is expressly logged and tied to the technician involved.

My computer doesn't work with USU’s “Intune” or “Jamf” computer management systems. What do I do?

Work directly with your assigned IT support staff to create a plan to remediate. This could include plans to replace or upgrade systems to compatible ones, or investigating compensating controls to reach required standards. Your IT support staff can work with USU IT security staff to help advise on options and paths forward.

Can I use a personal device?

Departments are strongly encouraged to provide each faculty and staff member who will need a computer to fulfill their responsibilities with a USU-owned computer that has been properly provisioned and configured using USU's desktop management systems. This ensures that employees have the best possible experience, and that any university data on the device is secured. In cases where the USU employee may need to access the computer off-hours or off-site, the computer should be a laptop to facilitate ease of access.

Using a personal computer for university-related work is strongly discouraged, and depending on the type of data being handled may violate state or federal law or have other legal implications. However, accessing university email and messaging apps on personal devices (e.g., personal cell phone) to keep up-to-date on work-related matters is acceptable.

For employees whose departments have not provided them with a USU-owned computer, and who are not accessing sensitive information, personal computers may be used in a limited context provided that they are properly secured. This includes, but is not limited to:

  • Using a modern, up-to-date, and supported operating system and web browser
  • Enabling the local firewall
  • Disallowing university data, especially information related to students or employees, from being saved locally to the personal device
  • Continuous connection to USU's GlobalProtect VPN when working on official USU business

Departments are responsible for making these requirements known to the staff and faculty to whom they may apply. Violations of these requirements may result in an employee no longer being able to access certain USU resources from their personal devices.

What about iPads and tablets?

At this time, university-owned iPads and tablets are not required to be enrolled in the device management systems, but it is HIGHLY RECOMMENDED. These tools provide management and security features that the devices would not have if they are not enrolled. Often, if a user signs into their own personal account on those devices, they are locked after that individual leaves the university, blocking access or re-assignment to someone else. (There are boxes of bricked devices at surplus that they can't sell.) There is a $10/year charge for enrolling mobile devices; please have your Desktop support submit the necessary license request on the Software Licensing Store. This cost is covered if you have a support agreement with the IT Service Desk.

What about servers?

While this initiative is primarily focused on USU-owned desktop and laptop computers, it does not remove the requirement that servers be professionally and securely managed. Work directly with your assigned IT support staff to evaluate and investigate options for compliant server administration.

Can we purchase non-standard configurations for computers using approved methods?

Yes. Work with IT to find a way to meet your needs. We should be able to provide any equipment needed or verify compatibility with our systems.

Is remote login still supported?

Yes, though you must first be connected to the USU VPN. Remote login protocols, especially Windows Remote Desktop Services (RDS), are highly vulnerable to compromise and so should be carefully managed, always patched, and tightly restricted by IP address at the host service level.