What tools does Duke use for endpoint management?
IT departments at Duke use different tools to manage the computers they support. The primary tools currently in use are Jamf Pro, Microsoft Endpoint Configuration Manager, and HCL BigFix. A computer must have one of these tools installed to be compliant with Duke’s endpoint management policy. In the event that a machine is self-managed by the end user and not by a departmental IT group, the end user should install the BigFix self-managed client.
What is Jamf Pro? What is Configuration Manager? What is BigFix?
Jamf Pro, Configuration Manager, and BigFix are all endpoint management tools used to collect information about and (optionally) change the configuration of participating computers. Each tool requires a client that communicates to a central management service. Jamf Pro manages devices running the macOS and iOS operating systems, Configuration Manager manages Windows computers, and BigFix manages macOS, Windows, and Linux computers.
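A quick way to verify the "one of these tools must be installed" requirement from the local side, as an added example that is not Duke's own script: the function below looks for each agent at the vendor's default install location (these paths are assumptions; a site that relocates an agent must adjust them) and reports what it finds. It checks only that an agent is present on disk, which is not the same as the agent checking in with its server, so a second helper checks whether a named client process is actually running.

```shell
#!/bin/sh
# Added example (not Duke's own tooling): report which of the three endpoint
# management agents is installed on this host. Install paths are the vendors'
# default locations and are assumptions here.

# detect_agents [ROOT]
# ROOT defaults to "/" (the live system). Passing another directory checks a
# staged filesystem tree instead, which is how the self-test uses it.
# Prints the agents found, space-separated, or "none"; returns 0 if any found.
detect_agents() {
    root="${1:-/}"
    root="${root%/}"          # drop a trailing slash so "$root/path" joins cleanly
    found=""
    # Jamf Pro (macOS): the jamf binary and the management framework directory.
    if [ -x "$root/usr/local/bin/jamf" ] || [ -d "$root/Library/Application Support/JAMF" ]; then
        found="$found jamf"
    fi
    # HCL BigFix: Linux client under /opt/BESClient, macOS agent bundle under /Library/BESAgent.
    if [ -x "$root/opt/BESClient/bin/BESClient" ] || [ -d "$root/Library/BESAgent" ]; then
        found="$found bigfix"
    fi
    # Configuration Manager: Windows only (CcmExec.exe under %WINDIR%\CCM). This
    # branch only matters when the script runs from a POSIX shell on Windows.
    if [ -e "$root/Windows/CCM/CcmExec.exe" ]; then
        found="$found configmgr"
    fi
    found="${found# }"        # strip the leading separator
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    printf 'none\n'
    return 1
}

# Installed is not the same as checking in: a client present on disk but not
# running reports nothing to the server. agent_running NAME returns 0 when a
# process with that executable name exists. On Linux "comm" is the bare name;
# on macOS it can be a full path, hence the match on the final path component.
agent_running() {
    ps -A -o comm= 2>/dev/null | grep -qE -- "(^|/)$1\$"
}

# Entry point for use as a script:  sh endpoint_check.sh --check [ROOT]
# The exit status mirrors detect_agents so it can gate a cron job or login hook.
if [ "${1:-}" = "--check" ]; then
    detect_agents "${2:-/}"
    exit $?
fi
```

On a self-managed machine `sh endpoint_check.sh --check` followed by `agent_running BESClient` answers both questions an end user is responsible for: is the client installed, and is it alive. A "none" result is a prompt to verify, not proof of non-compliance, because the paths above are defaults rather than a site inventory.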
By requiring endpoint agents on Duke computers, aren’t we creating an extremely attractive target to hackers? How are you protecting these endpoint security tools?
Because these management services can issue actions to every client they manage, they receive additional security scrutiny. Among the measures in place on these services are:
- Regular vulnerability scanning
- Monthly patching
- Monitoring and auditing of access
- Rigorous change control
- Encrypted communications between clients and servers
- Duo two-factor authentication required for access to management consoles (in progress)
In addition, the operation of these endpoint management tools is subject to the Duke IT Security Office’s Endpoint Management Operational and Privacy Protocols.
What if I don’t have a departmental IT group? What if I don’t want my departmental IT group managing my computer?
If you do not have (or want) departmental IT managing your computer, you can download the self-managed client for BigFix. This client is installed in a “locked” state and is not assigned to a departmental IT group. Only the administrators of these tools have access to self-managed clients, and they only take actions that pertain to the direct maintenance of the client (e.g. updating the client software, changing client settings). Aside from these agent-related maintenance tasks, self-managed clients will report on the software and hardware status of the computer. The end user is responsible for the management of the computer and the software on it. If a self-managed computer is non-compliant with university security policy, it is the end user’s responsibility to make the necessary changes.
What does it mean to “lock” a system? Who has control over whether a computer is locked or unlocked?
In BigFix, “locking” a system means that it is excluded from any management actions outside of the direct maintenance of the client software itself. Nobody can make other changes to a “locked” client without deliberately changing the lock status. In some cases, the ability to change this status can be placed solely in the hands of the end user. In such a configuration, no changes can be made to the computer (outside of client software maintenance) without direct action by a local administrator of the computer.
What are security patches? Will they reboot my computer?
In today’s technology environment, all computers regularly require software updates to keep the operating system and applications secure. These software updates are often called “patches”. Jamf Pro, Configuration Manager, and BigFix all have the ability to remotely deploy patches. Depending on the patch, such an action may require a reboot of the computer to complete or to proceed to the next step. If a reboot is necessary, the end user should be prompted with a message that explains why the reboot is necessary. Under normal circumstances, the end user should have the ability to defer the reboot. Updates to the endpoint management client software have rarely (if ever) required a reboot.
I have experiments that run on my computer and do not want them to be interrupted by a reboot when patches are applied. How can I ensure that does not happen?
Computers running time-sensitive or long-running tasks should be set to “locked” and should be manually patched on a regular basis outside of the running of such tasks. If these tasks run longer than a few weeks or require no possibility of interruption, the computer should perhaps be removed from the network, with experiment data retrieved via removable storage. Non-networked computers fall outside of the scope of the university endpoint management policy. If such a computer requires network access, please contact the university IT Security office to discuss alternate solutions.
What information is collected by the endpoint management tools?
The default information collected by these tools is currently being audited and will be outlined in a future page on this site. Departmental IT groups can create their own retrieved properties that will not be listed here. Please contact your departmental IT group for more information. Self-managed clients will only have the default information collected.
Endpoint Computers (Desktops and Laptops):
Why is Duke requiring the installation of endpoint management on all Duke-owned endpoint computers on the network?
Having visibility into all devices on the network is critical to protecting Duke’s data and computing resources. Endpoint management tools give Duke IT an accurate inventory of which devices are on the network, their patch status, and to whom they belong. Unknown or unidentified devices on the network are a risk to every other device on the network.
What should I expect after installing an endpoint management client?
For the most part, individuals installing an endpoint management client should expect to see nothing different. The client runs in the background, consuming minimal CPU resources, and periodically checks in with the server to report system status and to pick up new tasks (patches and software to install, settings to change). Departmentally managed computers may display pop-ups explaining that the computer needs to be rebooted to complete an installation. Users of self-managed computers should see nothing at all.
How does installing endpoint management tools on computers help keep our sensitive information secure?
Endpoint management tools help the university maintain an accurate inventory of devices on our network and associate each device with a specific user. This allows IT to identify unauthorized or compromised computers and take action to protect Duke data and resources (preventing network outages, for example). The inventory data also lets us determine whether a system is encrypted, verify patch levels, and confirm that anti-virus/anti-malware software is installed and up to date.
Who has system administrator access to the endpoint management tools?
Following the “principle of least privilege”, only designated Duke IT Staff have system administrator access to the Duke endpoint management tools. Access to these tools, whether at the system level or departmentally, is regularly audited.
I manage my own computer and do not want to cede control of my computer to a Duke IT administrator.
None of these tools will take away the rights you currently have on your computer. You can still take whatever actions you could before the client was installed.