Dukeblue Certificate and Profile Deployment Options

The security certificate currently in use by the Dukeblue wireless network expires on May 30, 2020. A new Duke-signed certificate will be put in its place on May 20, 2020. Computers must have a Duke root certificate authority added to their Trusted Root Certification Authority store before they will be able to connect to Dukeblue using the new certificate. Duke University managed computers can receive the new certificate in a few different ways, some of which also include full wireless profiles that auto-connect and provide additional functionality and security.

Certificate and Profile

Active Directory Group Policy (Windows)

The DU-GLOBAL_Dukeblue_Profile Group Policy Object will install a Dukeblue profile and the certificates necessary to connect to Dukeblue both before May 20 and after. This GPO is the older and widely used “CDSS-Dukeblue” policy, updated with the new certificate and renamed. If you had applied the older CDSS GPO, you have nothing to do; this policy now applies in its place. If you had not, simply link this GPO to your Active Directory OU and any computers within will receive the profile and certificates the next time they’re on the Duke network (either via VPN or IRL).

Jamf Pro Configuration Profile (macOS)

This Template Configuration Profile, once downloaded and uploaded into your Jamf Pro site, will create a Configuration Profile with a Dukeblue network payload and certificate payloads for the old and new certificates. If you have not already deployed a Dukeblue Configuration Profile to your supported macOS devices, you can upload this file, rename the Profile, set a Scope, and you’re done! If you are already deploying a Dukeblue Configuration Profile, you’re already set: the new certificate has already been added to all existing Dukeblue Configuration Profiles in Duke Jamf Pro with the edited Profile re-distributed to all previous computers in scope.

Certificate Only

Active Directory Group Policy (Windows)

The DU-GLOBAL_Dukeblue+eduroam_cert_root Group Policy Object only installs the new certificate root needed to connect to Dukeblue. Once installed, computers will be able to trust the new Dukeblue certificate and connect after the certificate is updated on May 20, 2020. As with the other GPO, link this GPO to your Active Directory OU and any computers within will receive the certificates the next time they’re on the Duke network (either via VPN or IRL).

BigFix (Windows and macOS)

The DU-GLOBAL – Install Dukeblue and eduroam certificate root Task is relevant for all Windows and macOS computers and will install the new certificate root needed to connect to Dukeblue. Once installed, computers will be able to trust the new Dukeblue certificate and connect after the certificate is updated on May 20, 2020. While installing certificates is fairly straightforward, identifying installed certificates is not. As such, this BigFix Task will remain relevant for all Windows and macOS computers even after the Task has been successfully run. We’re looking into ways to accurately report on the current certificate state but, in the meantime, there is no harm in pushing this Task to a computer that already has the certificate.

Manual (All platforms)

This archive file contains two scripts, one .BAT for Windows and one .SH for macOS, that (when run as Admin/root) will create and install the new Dukeblue root certificate into the Trusted Root Certification Authority store. Run the appropriate script in an elevated Windows Command Prompt or with sudo in macOS Terminal and you’re good to go. If you’re determined to do things yourself, you can also download the certificate itself and install it by whatever means you see fit.
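As an added example (not one of Duke's deployment scripts or the BigFix Task itself), the following PowerShell checks the machine Trusted Root store by thumbprint, installs the root only when it is missing, and re-verifies afterwards, which also covers the "identifying installed certificates" gap described for the BigFix Task above. The certificate file path, the store path and an elevated session are assumptions.

```powershell
# Added example (not Duke's own script): check whether a given root CA is already in the
# machine Trusted Root store, install it only if missing, and report the result so a
# deployment tool (BigFix, GPO startup script) can act on the exit code.
# Assumptions: the root certificate file path and store location are parameters;
# run from an elevated PowerShell session.
param(
    [Parameter(Mandatory = $true)]
    [string] $CertPath,                              # e.g. C:\Deploy\duke-root.cer (placeholder path)
    [string] $StorePath = 'Cert:\LocalMachine\Root'  # Trusted Root Certification Authorities (machine)
)

$ErrorActionPreference = 'Stop'

# Load the expected certificate from disk; its Thumbprint is the SHA-1 hash of the DER bytes.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Refuse to install an already-expired root: it could not validate the new Dukeblue certificate anyway.
if ($expected.NotAfter -lt (Get-Date)) {
    Write-Error "Certificate '$($expected.Subject)' expired on $($expected.NotAfter); not installing."
    exit 2
}

function Test-RootInstalled {
    param([string] $Thumbprint, [string] $Store)
    # Match on thumbprint, not subject name: a renewed CA keeps its subject but changes its hash.
    return [bool](Get-ChildItem -Path $Store | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

if (Test-RootInstalled -Thumbprint $expected.Thumbprint -Store $StorePath) {
    Write-Output "PRESENT    $($expected.Thumbprint)  $($expected.Subject)"
    exit 0
}

# Not found: import into the machine Trusted Root store (requires elevation).
Import-Certificate -FilePath $CertPath -CertStoreLocation $StorePath | Out-Null

# Re-check so the exit code reflects the actual store state, not merely that Import ran.
if (Test-RootInstalled -Thumbprint $expected.Thumbprint -Store $StorePath) {
    Write-Output "INSTALLED  $($expected.Thumbprint)  $($expected.Subject)"
    exit 0
}

Write-Error "Import reported success but '$($expected.Thumbprint)' is still not in $StorePath."
exit 1
```

Exit code 0 with PRESENT means the machine already trusts the root, which is the state the BigFix Task currently cannot distinguish; any non-zero exit is worth surfacing in reporting.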


Duke University Unsupported OS Quarantine Information

Due to many recent e-mails and discussions, we would like to address some questions and confusion about endpoint quarantines and the upcoming end-of-support date for Windows 7, Windows Server 2008, and Windows Server 2008 R2.

Quarantines for lack of endpoint management (EPM) are done on a different schedule than quarantines of unsupported operating systems (EOL). EPM quarantines happen on specific dates, with the next EPM quarantine date displayed in the Planisphere Dashboard (in this case, January 30, 2020). Warnings are sent to a targeted device’s Support Group 16 days before quarantine and to the device’s user 2 days before if the lack of EPM has not been addressed.

EOL quarantines, on the other hand, will be put in place the day after the operating system’s end-of-support date (in the case of Windows 7/2008/R2, January 14, 2020), with the quarantine taking place immediately upon device identification. No warnings will be sent; Support Groups are expected to use Planisphere or other tools to stay apprised of the support state of the devices they manage.

Due to the questions and confusion around these dates, the quarantine date for Windows 7/2008/R2 has been extended from January 15 (the day after the end-of-support date) to January 30 (the next planned EPM quarantine date). However, no warnings will be sent for the EOL quarantines; Support Groups can identify their devices at risk of EOL quarantine using Planisphere or other tools.

Other operating systems that are already past their end-of-support date (macOS 10.12 and below, Windows 8.0, Windows 10 Enterprise 1703 and below, Windows 10 Pro 1803 and below) will not be immediately quarantined. Instead, a future quarantine date, likely within the next 3 to 6 months, will be established and communicated very soon. These devices are currently visible in Planisphere as running an Unsupported OS.

Operating systems that fall out of support in the future will be quarantined immediately starting the day after end-of-support. In the near-term, this includes Windows 10 Enterprise (1709) on April 15, 2020, and Windows 10 Home/Pro (1809) on May 13, 2020. We are discussing plans to add a “device OS will be unsupported within N months” warning within Planisphere. Until such a solution is in place, devices running these particular operating systems can be identified using Planisphere or other tools.

If you have any questions or concerns regarding the unsupported operating system quarantines, please let us know at security@duke.edu.

(NOTE: This information applies only to the Duke University network and Duke University-owned devices. Members of the Duke Health IT community should consult with the DHE ISO regarding Duke Health policies for devices running unsupported operating systems.)


Endpoint Management Operational and Privacy Protocols

The purpose of Duke’s endpoint security program is to secure laptops and desktops purchased by Duke and used by faculty and staff. The applications used to support this effort may only be used to: (a) report on missing software updates; or (b) apply missing software updates if the machine is fully managed by departmental or central IT staff. They will also be used to report and automatically address security issues on the machine, such as the presence of viruses or malware.

Any IT administrators with access to the endpoint security tools, including the IT Security Office, are required to adhere to the Duke Acceptable Use Policy, particularly those statements regarding the expectation of privacy for the Duke community:

Duke cherishes freedom of expression, the diversity of values and perspectives inherent in an academic institution, the right to acknowledgment, and the value of privacy for all members of the Duke community. At the same time, Duke may be required by law to access and disclose information from computer and network users’ accounts or may find it necessary to do so in order to protect Duke’s legal interests, uphold contractual obligations, or comply with other applicable Duke policies. Duke may also be required to access information to diagnose and correct technical problems.

IT administrators may not use their access to look at content on the systems they maintain, except under the conditions outlined above. Any additional access must be approved by the President or Executive Vice President of Duke University. Use of the security management tools is audited for this reason. Any concerns regarding inappropriate access should be directed to the school’s IT Director or the campus IT Security Office.

In addition, the departmental IT groups, IT administrators for the endpoint security software, and the IT Security Office are bound by confidentiality agreements to keep any system information reported by the tools private. A copy of the confidentiality agreement may be found on Duke HR’s website.

This information is also available on the Duke IT Security Office website.


Duke University Self-Managed Endpoint Clients Now Available

Due to the risks posed by devices that are missing security updates, the University has implemented a policy that requires all Duke-owned endpoints (laptops, desktops, and Windows/Linux tablets) to be enrolled in a campus security management system by September 30, 2017. This policy applies not only to endpoint devices that are managed by a departmental IT support group, but also to Duke-owned devices that are managed by their primary user.

Endpoint Management software configured for self-managed endpoint devices is now available from the Duke Software Licensing site. Users with Windows or Linux devices should download the appropriate IBM BigFix client; users with macOS devices should download either the IBM BigFix client or the Jamf Casper client for that platform.

If you have any questions, please contact the OIT Service Desk or the University IT Security Office.

Note: If you are part of the School of Medicine or School of Nursing, or are connected to the Duke Health System Network, you will need to install the BigFix client that communicates with the Health System instance of BigFix. You can find these client installers on the Duke Health Intranet BigFix page. Windows, Macintosh, and Linux clients are available along with instructions.


New Policy Requires Enrollment in Device Management

Due to the risks posed by systems that are missing security updates, the University is implementing a policy that requires all Duke-owned computers to be enrolled in a campus security management system by Sept. 30, 2017.

This policy is designed to provide the University with the direction and support needed to ensure that devices connecting to our network are kept up-to-date with security patches and can be associated with an individual or group. While the methods may differ depending on the device type, the intent is to make sure all devices are well-protected.

Below is additional guidance for IT staff on implementation priorities:

  1. Planisphere: Use Planisphere for tracking your IT assets and identifying which are enrolled in one of the endpoint management tools. A new report shows the status of machines on a per-VRF and per-subnet basis. We’re still tweaking the report and adding more data sources for context. However, you should be able to pick the subnet or VRF you are interested in and get a list of what is connecting that needs to be addressed. As your Planisphere Support Groups are created, you will need to assign tags to filter your devices in Planisphere. We’ll be running informational sessions on Planisphere in the coming weeks to help you get started and to collect feedback. We’ll also be discussing Planisphere at various user group meetings, including SLG (early August), win-admin and unixgroup. In the meantime, please send feedback to planisphere-feedback@duke.edu.
  2. Servers and VMs: Servers are considered to be different from laptops/desktops, but they should still be managed. OIT and other departments have made good use of SCCM, BigFix, WSUS, Puppet, Ansible, and Spacewalk as options. VMs should also be maintained. VMs running on enterprise infrastructure like ESX should be managed or tracked, and a process should be in place to track and/or update them. For VMs on desktops and laptops, the priority is to ensure the host OS is kept up-to-date and tracked. Dual-boot machines should have coverage on both OSes, and will be reported in Planisphere.
  3. Research labs: If you have research lab environments, Duke OIT and ITSO would like to know about them so we can work with you on which alternative protections might be needed. Please email itso@duke.edu for assistance with labs.
  4. Mobile devices: Phones and tablets are not in the policy’s current scope, but, if you have Duke-purchased phones and tablets, please begin considering how these are managed and tracked. Casper is available for iOS devices today, with information available on this site.