New Policy Requires Enrollment in Device Management

Because of the risks posed by systems missing security updates, the university is implementing a policy requiring that all Duke-owned computers be enrolled in the campus security management systems by Sept. 30, 2017.

This policy is designed to provide all of us with the direction and support to ensure that devices connecting to our network are kept up-to-date with security patches, and can be identified with an individual or group. While the methods may differ depending on whether the device is a laptop, server or VM, the intent is to make sure all are well-protected.

Below is some additional guidance for IT staff on implementation priorities:

  1. Planisphere: Use Planisphere for tracking your IT assets and identifying which are enrolled in one of the endpoint management tools. A new report shows the status of machines on a per-VRF and per-subnet basis. We’re still tweaking the report and adding more data sources for context. However, you should be able to pick the subnet or VRF you are interested in and get a list of the connecting devices that need to be addressed. As your Planisphere Support Groups are created, you will need to assign tags to filter your devices in Planisphere. We’ll be running informational sessions on Planisphere in the coming weeks to help you get started and to collect feedback. We’ll also be discussing Planisphere at various user group meetings, including SLG (early August), win-admin and unixgroup. In the meantime, please send feedback to planisphere-feedback@duke.edu.
  2. Servers and VMs: Servers are considered to be different from laptops/desktops, but they should still be managed. OIT and other departments have made good use of SCCM, BigFix, WSUS, Puppet, Ansible, and Spacewalk as options. VMs should also be maintained. VMs running on enterprise infrastructure like ESX should be managed or tracked, and a process should be in place to track and/or update them. For VMs on desktops and laptops, the priority is to ensure the host OS is kept up-to-date and tracked. Dual-boot machines should have coverage on both OSes, and will be reported in Planisphere.
  3. Research labs: If you have research lab environments, Duke OIT and ITSO would like to know about them so we can work with you on which alternative protections might be needed. Please email itso@duke.edu for assistance with labs.
  4. Mobile devices: Phones and tablets are not in the policy’s current scope, but if you have Duke-purchased phones and tablets, please begin considering how these are managed and tracked. Casper is available for iOS devices today, with information available on this site.