Endpoints@Duke

The purpose of Duke’s endpoint security program is to secure laptops and desktops purchased by Duke and used by faculty and staff.  The applications used to support this efforts may only be used to: (a) report on missing software updates; or (b) apply missing software updates if the machine is fully managed by departmental or central IT staff.  It will also be used to report and automatically address security issues on the machine such as the presence of viruses or malware.

Any IT administrators with access to the endpoint security tools, including the IT Security Office, are required to adhere to the Duke Acceptable Use Policy, particularly those statements regarding the expectation of privacy for the Duke community:

Duke cherishes freedom of expression, the diversity of values and perspectives inherent in an academic institution, the right to acknowledgment, and the value of privacy for all members of the Duke community. At the same time, Duke may be required by law to access and disclose information from computer and network users’ accounts or may find it necessary do so in order to protect Duke’s legal interests, uphold contractual obligations, or comply with other applicable Duke policies. Duke may also be required to access information to diagnose and correct technical problems.

IT administrators may not use their access to look at content on the systems they maintain, except for the conditions outlined above.  Any additional access must be approved by the President or Executive Vice President of Duke University.  Use of the security management tools is audited for this reason.  Any concerns regarding inappropriate access should be directed to the school’s IT Director or campus IT Security Office.

In addition the departmental IT groups, IT administrators for the endpoint security software, and IT Security Office are bound by confidentiality agreements to keep any system information reported by the tools private.  A copy of the confidentiality agreement may be found on Duke HR’s website.

This information is also available on the Duke IT Security Office website.

Due to of the risks posed by devices that are missing security updates, the University has implemented a policy that requires all Duke-owned endpoints (laptops, desktops, and Windows/Linux tablets) to be enrolled in a campus security management system by September 30, 2017. This policy applies not only to endpoint devices that are managed by a departmental IT support group, but also to Duke-owned devices that are managed by their primary user.

Endpoint Management software configured for self-managed endpoint devices is now available from the Duke Software Licensing site. Users with Windows or Linux devices should download the appropriate IBM BigFix client; users with macOS devices should download either the IBM BigFix client or the Jamf Casper client for that platform.

If you have any questions, please contact the OIT Service Desk or the University IT Security Office.

Note: If you are part of the School of Medicine, School of Nursing, or are connected to the Duke Health System Network, you will need to install the BigFix client that communicates with the Health System instance of BigFix.  You can find these client installers on the Duke Health Intranet BigFix page.  Windows, Macintosh, and Linux clients are available along with instructions.

Due to the risks posed by systems that are missing security updates, the University is implementing a policy that requires all Duke-owned computers to be enrolled in a campus security management system by Sept. 30, 2017.

This policy is designed to provide the University with the direction and support needed to ensure that devices connecting to our network are kept up-to-date with security patches and can be associated with an individual or group. While the methods may differ depending on the device type, the intent is to make sure all devices are well-protected.

Below is additional guidance for IT staff on implementation priorities:

1. Planisphere: Use Planisphere for tracking your IT assets and identifying which are enrolled in one of the endpoint management tools. A new report shows the status of machines on a per-VRF and per-subnet basis. We’re still tweaking the report and adding more data sources for context. However, you should be able to pick the subnet or VRF you are interested in and get a list of what is connecting that needs to be addressed. As your Planisphere Support Groups are created, you will need to assign tags to filter your devices in Planisphere. We’ll be running informational sessions on Planisphere in the coming weeks to help you get started and to collect feedback.  We’ll also be discussing Planisphere at various user group meetings, including SLG (early August), win-admin and unixgroup. In the meantime, please send feedback to planisphere-feedback@duke.edu.
2. Servers and VMs: Servers are considered to be different from laptops/desktops, but they should still be managed. OIT and other departments have made good use of SCCM, BigFix, WSUS, Puppet, Ansible, and Spacewalk as options. VM’s should also be maintained. VM’s running on enterprise infrastructure like ESX should be managed or tracked, and a process should be in place to track and/or update them.  For VM’s on desktops and laptops, the priority is to ensure the host OS is kept up-to-date and tracked. Dual boot machines should have coverage on both OS’s, and will be reported in Planisphere.
3. Research labs: If you have research lab environments, Duke OIT and ITSO would like to know about them so we can work with you on which alternative protections might be needed. Please email itso@duke.edu for assistance with labs.
4. Mobile devices: Phones and tablets are not in the policy’s current scope, but, if you have Duke-purchased phones and tablets, please begin considering how these are managed and tracked. Casper is available for iOS devices today, with information available on this site.