Information about devices managed by Engineering IT
This document describes some of the basic requirements and behaviors of devices managed by Engineering IT.
Engineering IT takes steps to help secure the university shared network and your data, in accordance with the Client Computer Security standard, which is part of the overall campus IT security policy. This includes regular updates on managed devices, as well as vulnerability monitoring, unscheduled critical security patches, and remote endpoint management. Details of how these efforts are implemented are provided below.
Devices "imaged" or "managed" by Engineering IT have one or more of the following characteristics:
- have been joined to the university Active Directory domain by Engineering IT
- have one or more endpoint management software solutions installed by Engineering IT
- Engineering IT has administrative access
"Imaged" devices are "managed", but "managed" devices may or may not have been "imaged". Imaging is just the process by which devices can be efficiently wiped and redeployed with standardized operating systems, software, and configurations.
"Managed" does not mean Engineering IT actively manipulates individual devices (except when requested, or for critical security vulnerability patching). It just means those devices conform to a set of standards and policies, described in more detail below.
Managed devices are automatically updated, generally on a weekly schedule. While downloads of updates may happen at any time, installation of updates is generally targeted for early morning on Monday at about 3am. Updates which do not require a reboot and do not interrupt core operating system services may be installed immediately after download. Updates for Windows will include updates for other Microsoft products, such as Microsoft Office.
Updates which require reboots will automatically schedule a reboot immediately after the updates are finished installing. A 15-minute notice will be presented to logged-in users. It's highly recommended to take this time to save all open work such as Word documents, emails, and anything else which does not automatically save your progress. Because reboots may occur at about 3am on Monday mornings, it's recommended to save your work and log out before leaving for the weekend.
For devices running Windows 10, there are options for delaying updates and reboots which you may find useful. For more information, please see this page.
For devices which have a legitimate business/research use case that conflicts with the regular update/reboot schedule, we provide an exception process, which can be initiated by filling out the exception form.
Enforced security policies
Some security policies are enforced on managed devices, in accordance with the campus security standards linked above. These include:
- Screen-lock timeouts (to prevent unattended computers from being left unlocked)
- Sleep settings (to allow users to reliably remote into their computers, and to ensure computers stay on to receive updates and security patches)
- Local and network-level firewall settings
- Blocking of unapproved macros in Microsoft Office applications
Critical security vulnerability patching
In rare cases, where a critical security vulnerability has been identified, Engineering IT reserves the right to install critical vulnerability patches with minimal notice, to protect the university network and everyone's data. In these cases, reboots may be required, but will be avoided if at all possible.
Engineering IT staff will have local administrative access to all managed devices. In some cases this includes limited administrative access by student workers. If there is a conflict of interest, such as when a faculty member's computer is supported by an Engineering IT student worker who is also a student of that faculty member, please let us know by emailing email@example.com and we will make accommodations to resolve this.
Remote endpoint management and monitoring
Devices managed by Engineering IT will have endpoint management software installed. This software allows Engineering IT to better support and protect systems by:
- Providing limited remote support
- Providing limited self-serve application installation options
- Allowing for the monitoring and remediation of vulnerabilities