New Policy Requires Enrollment in Device Management

Due to the risks posed by systems missing security updates, the university is implementing a policy requiring all Duke-owned computers to be enrolled in the campus security management systems by Sept. 30, 2017.

This policy is designed to provide all of us with the direction and support to ensure that devices connecting to our network are kept up-to-date with security patches, and can be identified with an individual or group. While the methods may differ depending on whether the device is a laptop, server or VM, the intent is to make sure all are well-protected.

Below is some additional guidance for IT staff on implementation priorities:

  1. Planisphere: Use Planisphere for tracking your IT assets and identifying which are enrolled in one of the endpoint management tools. A new report shows the status of machines on a per-VRF and per-subnet basis. We’re still tweaking the report and adding more data sources for context. However, you should be able to pick the subnet or VRF you are interested in and get a list of what is connecting that needs to be addressed. As your Planisphere Support Groups are created, you will need to assign tags to filter your devices in Planisphere. We’ll be running informational sessions on Planisphere in the coming weeks to help you get started and to collect feedback. We’ll also be discussing Planisphere at various user group meetings, including SLG (early August), win-admin and unixgroup. In the meantime, please send feedback to planisphere-feedback@duke.edu.
  2. Servers and VMs: Servers are considered to be different from laptops/desktops, but they should still be managed. OIT and other departments have made good use of SCCM, BigFix, WSUS, Puppet, Ansible, and Spacewalk as options. VMs should also be maintained. VMs running on enterprise infrastructure like ESX should be managed or tracked, and a process should be in place to track and/or update them. For VMs on desktops and laptops, the priority is to ensure the host OS is kept up-to-date and tracked. Dual-boot machines should have coverage on both operating systems, and will be reported in Planisphere.
  3. Research labs: If you have research lab environments, Duke OIT and ITSO would like to know about them so we can work with you on which alternative protections might be needed. Please email itso@duke.edu for assistance with labs.
  4. Mobile devices: Phones and tablets are not in the policy’s current scope, but, if you have Duke-purchased phones and tablets, please begin considering how these are managed and tracked. Casper is available for iOS devices today, with information available on this site.


Duke University IT staff utilize a number of endpoint management services to support efficient maintenance of computing devices. These services are available to all IT support groups at Duke.

Steering Committee information is available here, and Duke’s Endpoint Management Charter may be found here. A description of each service is provided below.

The Steering Committee comprises representatives from campus IT staff including:

  • Paula Batton, OIT
  • Richard Biever, IT Security Office
  • Ed Gomes, Arts and Sciences
  • Jeff Mimnaugh, Divinity
  • Trent Ramsey, Student Affairs

  • Dan Cantrell, Casper
  • Al Kearney, SCCM
  • Blaine Ott, BigFix
  • John Straffin, Symantec Endpoint Protection

IT administrators are encouraged to join the endpoints@duke.edu mail list for announcements and help with managing their environments.

Casper

Casper supports management of Mac OS X and iOS devices. Casper provides automated software installation and maintenance, iOS security, and device encryption key escrow.

  • iOS and Mac OS X device management
  • Encryption deployment and management (with escrow and reporting)
  • Utilize the Restricted Software feature as needed
  • System and application settings management and enforcement
  • Self Service application
  • Make use of the remote lock/wipe features for laptops that go missing
  • Enhanced patch management
  • User-driven self-provisioning of new machines, either via Self Service or DEP
  • Inventory management and reporting

IBM BigFix

IBM BigFix provides endpoint management and security for servers, desktops, notebooks and smartphones running Microsoft Windows, Mac OS X, and various Linux distributions. It is used for automated software installation and maintenance, operating system patch management, security settings and inventory.

  • Device management
  • Automated software installation/maintenance
  • Operating system patch management
  • System and application security settings
  • Inventory management and reporting

Microsoft System Center Configuration Manager (SCCM)

Centrally managed configuration support for Windows-based computers. Configuration Manager provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory.

  • Windows operating system installation/imaging including the latest Dell and Lenovo device drivers
  • Build and deploy software applications and packages
  • Remote access to client machines with no user interaction required
  • Windows operating system patch management
  • Provide users with a list of approved software that can be installed with no local admin access via Software Center
  • Access to numerous pre-built reports.

Symantec

Symantec Endpoint Protection (or “SEP”) is designed for use in managed environments, providing security for both servers and workstations running Microsoft Windows, Mac OS X, and several popular Linux distributions. The software is centrally licensed by Duke OIT for use on all university-owned and employee-owned computers.

  • Anti-virus/malware protection, backed by the world’s largest civilian threat intelligence network
  • Intrusion prevention, based on file reputation and application behavior
  • Rule-based firewall (Windows only), with fine-grained control and logging capabilities
  • Application control, allowing control of file and registry access and how processes are allowed to run
  • Advanced system lockdown features, allowing only whitelisted applications, or blocking blacklisted applications
  • External media control, restricting access to select hardware and controlling what types of devices can upload or download information

Symantec Endpoint Protection Manager (or “SEPM”) is the central management point for groups of managed computers running the SEP software. The SEPM service is managed by the Duke IT Security Office.

  • Apply shared policies to multiple managed endpoints
  • Access aggregated reports and alerts
  • Push actions (including software upgrades) and collect information from managed endpoints