Hi,

I would just note that despite point 2 in Tom's email (*Ability to create local accounts*), I believe that I have recently been involved in an email thread from the Service Desk with respect to ticket RITM0054412 (dated approximately 18th May or just before) when a request to set up a local account was refused on the basis that:

“Local account - they're not complying for Data Protection regulations and users are blocked from creating them even with administrator's rights.”

It would be good to confirm this, one way or the other, as the policy still appears to be somewhat inconsistent.

Thanks,

Dan

From: physics-departmental-computing-bounces@imperial.ac.uk <physics-departmental-computing-bounces@imperial.ac.uk> on behalf of David Colling <d.colling@imperial.ac.uk>
Date: Wednesday, 21 June 2023 at 17:30
To: Bennett, Jason W <jason.bennett@imperial.ac.uk>, Pietzuch, Peter R <prp@imperial.ac.uk>, Willson, Thomas H <t.willson@imperial.ac.uk>, Robb, Mike A <mike.robb@imperial.ac.uk>, Oliver, Gareth <w.oliver@imperial.ac.uk>, Stephenson, Richard <r.stephenson@imperial.ac.uk>, Halimi, Amine <m.halimi@imperial.ac.uk>, Cohen, Jeremy <jeremy.cohen@imperial.ac.uk>, Haynes, Sian B <s.haynes@imperial.ac.uk>, Shaw, Rosie A <r.a.shaw@imperial.ac.uk>, Boyle, David <david.boyle@imperial.ac.uk>, McLachlan, Duncan J <duncan.mclachlan@imperial.ac.uk>, Taborda, David M G <d.taborda@imperial.ac.uk>, Wong, Harmony <w.wong@imperial.ac.uk>, Bearpark, Michael J <m.bearpark@imperial.ac.uk>, Galvan, Stefano <s.galvan@imperial.ac.uk>, Bresme, Fernando <f.bresme@imperial.ac.uk>, Wood, Nicholas E M <nicholas.wood@imperial.ac.uk>, Ochieng, Washington Y <w.ochieng@imperial.ac.uk>, Kamara, Lloyd D <l.kamara@imperial.ac.uk>, McCann, Julie A <j.mccann@imperial.ac.uk>, Constantinides, George A <g.constantinides@imperial.ac.uk>, Villamil, Juan <juan.villamil@imperial.ac.uk>, physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>, White, Duncan C <d.white@imperial.ac.uk>, White, Luke A <luke.white@imperial.ac.uk>, French, Paul (PHOT) M W <paul.french@imperial.ac.uk>, Craster, Richard V <r.craster@imperial.ac.uk>
Cc: Taylor, James A <james.a.taylor@imperial.ac.uk>, Joannou, Ingrid <i.joannou@imperial.ac.uk>
Subject: Re: [Physics-Departmental-Computing] Securing Imperial : Post Audit and Risk Committee Follow Up

Hi Jason,

This doesn't answer Peter's question. In all the discussion that we had
(over about 4 months) we drew up a list of different categories of
machines including the category of unmanaged research machines; these
had slightly more support than BYOD and had JAMF (or Windows equivalent)
installed, but in a mode where it didn't interfere and only gave warnings.
There was also the option of taking a college-bought device and turning
it into a BYOD by having JAMF removed (or never installed).

These classes of machines would have limited access to college systems
- essentially through web browsers etc. This was about managing risk so
that college systems were safe and researchers and educators were still
able to do their jobs.

This we thought was a good solution for all concerned. In email
conversations with Juan this is, I believe, what he thinks the situation
to be. However, from Tom's communications it appears that this is not
actually the case and that all machines will have JAMF (or Windows
equivalent) regardless of whether the user wants it or not.

This will cause significant unhappiness and result in many people buying
(especially) Apple devices on their grants by routes other than through
the college supplier. Whereas most would have been happy with the mode
where their device was monitored and just received warnings (because
most people do want to be good citizens), they now have no warnings and
ICT has zero visibility.

What was wrong with the solution that we all thought that we had agreed?

Best,
david

On 21/06/2023 15:21, Bennett, Jason W wrote:
> Hi all,
>
> With Tom's permission I am just clarifying this section.
>
>
>   Windows Devices
>
> *All* Windows devices purchased via the College preferred channels are
> automatically enrolled into our Intune tenancy.
>
>
>     Laptops
>
>   * Very similar to the Jamf process.
>   * Sent to a staging centre after purchase to be Autopilot
>     pre-provisioned – meaning they can then be shipped straight to the customer.
>   * Are managed by Intune and Configuration Manager (Co-managed).
>   * Are Azure-AD bound but have no awareness of Active Directory (and
>     thus have no GPO applied).
>
> With laptops, and as with Jamf, *there is no such thing as a “College
> build”* – we are using the OS as the vendor intended and applying MDM
> profiles to apply, typically security orientated, settings.
>
>
>     Desktops
>
>   * Although they are enrolled into Intune, they are typically sent to
>     ICT to be “wiped and loaded”. This includes reinstalling an OS,
>     alongside installing several applications.
>   * Devices are managed by Configuration Manager.
>       o In time they will also be managed by Intune.
>   * Devices have AD awareness and settings are applied via GPO.
>   * This is currently considered the Classic method, but in time will be
>     Legacy.
>
> Other notes:
>
>   * We have 15k active Windows devices in Configuration Manager.
>       o Of these, 2759 are co-managed between Intune and Configuration
>         Manager.
>   * We are currently testing Autopilot on desktops and hope to roll this
>     out soon.
>   * We will be updating the Device Management webpages in due course to
>     outline both of the above outlined systems.
>
> Thanks,
>
> Jason
>
> *From:*Peter Pietzuch <prp@imperial.ac.uk>
> *Sent:* Wednesday, June 21, 2023 12:52 PM
> *To:* Willson, Thomas H <t.willson@imperial.ac.uk>; Robb, Mike A
> <mike.robb@imperial.ac.uk>; Oliver, Gareth <w.oliver@imperial.ac.uk>;
> Stephenson, Richard <r.stephenson@imperial.ac.uk>; Halimi, Amine
> <m.halimi@imperial.ac.uk>; Cohen, Jeremy <jeremy.cohen@imperial.ac.uk>;
> Haynes, Sian B <s.haynes@imperial.ac.uk>; Shaw, Rosie A
> <r.a.shaw@imperial.ac.uk>; Boyle, David <david.boyle@imperial.ac.uk>;
> McLachlan, Duncan J <duncan.mclachlan@imperial.ac.uk>; Taborda, David M
> G <d.taborda@imperial.ac.uk>; Wong, Harmony <w.wong@imperial.ac.uk>;
> Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Galvan, Stefano
> <s.galvan@imperial.ac.uk>; Bresme, Fernando <f.bresme@imperial.ac.uk>;
> Wood, Nicholas E M <nicholas.wood@imperial.ac.uk>; Ochieng, Washington Y
> <w.ochieng@imperial.ac.uk>; Kamara, Lloyd D <l.kamara@imperial.ac.uk>;
> Colling, David J <d.colling@imperial.ac.uk>; McCann, Julie A
> <j.mccann@imperial.ac.uk>; Constantinides, George A
> <g.constantinides@imperial.ac.uk>
> *Cc:* Joannou, Ingrid <i.joannou@imperial.ac.uk>; Taylor, James A
> <james.a.taylor@imperial.ac.uk>; Bennett, Jason W
> <jason.bennett@imperial.ac.uk>
> *Subject:* Re: Securing Imperial : Post Audit and Risk Committee Follow Up
>
> Dear Thomas,
>
> Thanks for your email, but I'm confused now: what happened to the
> category of unmanaged research machines? At least Computing's (and I
> suspect other departments' as well) concerns about compulsory
> MDM/JAMF-managed machines are not addressed by the information below.
>
> Cheers,
>    Peter
>
> On 21/06/2023 12:39, Willson, Thomas H wrote:
>
>     Dear all,
>
>     Apologies for not sending out this email sooner.
>
>     Recent events, such as the unfortunate incident at Manchester
>     University (as reported by the BBC:
>     https://www.bbc.co.uk/news/uk-england-manchester-65855002) and the
>     incidents that affected Imperial's pension providers, SAUL
>     (https://www.imperial.ac.uk/human-resources/pay-and-pensions/pensions/saul/saul-data-breach/)
>     and USS
>     (https://www.imperial.ac.uk/human-resources/pay-and-pensions/pensions/uss/capita-cyber-incident/),
>     serve as a stark reminder as to the importance of Cyber Security –
>     including understanding the posture of our devices (e.g. patching,
>     central reporting, running supported operating systems etc.),
>     endpoint protection, MFA etc.
>
>     At our last meeting, a number of issues were raised and hopefully
>     they should all be addressed below.
>
>
>         Standard Response
>
>     The standard response that Academia (supplier of Apple equipment)
>     and the Service Desk should be providing members of Imperial if they
>     ask about device management is:
>
>     We enrol all devices purchased by Imperial College London into
>     Apple School Manager, as we are contractually obliged to do by the
>     College. The ICT department has provided the following information:
>
>     Devices are set up using Apple’s Mobile Device Management (MDM)
>     framework, details of which can be found on Apple’s support web
>     pages (https://support.apple.com/en-gb/HT204142).
>
>     There are no known performance issues with MDM, and it is highly
>     configurable. If there is a specific configuration you need for your
>     work, please contact the ICT Service Desk
>     (https://www.imperial.ac.uk/admin-services/ict/contact-ict-service-desk/),
>     who will be happy to help.
>
>     Apple devices have been managed by ICT for over 10 years on an
>     opt-in basis; this is now mandatory to address the increased threat
>     of cyber-attacks. In addition, it will also assist Imperial in
>     achieving Cyber Essentials
>     (https://www.ncsc.gov.uk/cyberessentials/overview), which will
>     support some members of Imperial in their research applications.
>
>
>         Requestable Exceptions for Apple Devices
>
>     We are aware of 3 additional features/capabilities, which are
>     exceptions that can be requested by logging a ticket with the
>     Service Desk and for which a self-service form to automatically
>     process these requests will be available in July-August 2023 (we
>     will be sharing the link to this form as soon as it is available).
>
>     Those exceptions are:
>
>      1. *Ability to run unnotarised applications* (i.e. applications not
>         downloaded from either the Apple App Store and/or applications
>         not notarised).  This is a one-time exception request and lasts
>         for the life of the device not each time a member of Imperial
>         wants to run an unnotarised application.  This is not required
>         to run code that was developed on the device e.g. python code.
>
>      2. *Ability to create local accounts* – this is possible upon
>         request.  The primary user, who raised the request, can be an
>         admin and everybody else a standard user.
>
>      3. *Ability to defer update warnings* – updates are not forced, but
>         people will be alerted/reminded when updates are
>         available/required to be installed.
>
>     Historically ICT have alerted users when updates were available with
>     additional popup notifications.  Those notifications had in the past
>     resulted in our patch compliance reaching a peak of 79% on the 20th
>     July 2022.  These additional notifications were disabled (in January
>     2023) as requested by some members of Imperial College because Apple
>     had marked an OS upgrade to Ventura as a minor update.
>     Unfortunately, this has resulted in our patching compliance dropping
>     to an all-time low of 19% on the 24th May 2023.
>
>     The prompt installation of security updates is a key component in
>     the defence of the device against cyber-attacks, with the aim of
>     installing updates that mitigate critical/high rated vulnerabilities
>     within 14 days of release.
>
>     The new notifications that will be pushed out will look similar to
>     the following:
>
>     [Screenshot of the update notification]
>
>     This will be reintroduced at the beginning of July 2023.
>
>
>         Jamf Platform
>
>     Some questions were raised about the Jamf platform regarding
>     security standards, privacy notices etc.  The Jamf website has a
>     considerable amount of information on these topics and is available
>     here: https://www.jamf.com/trust-center/
>
>
>         Python Development
>
>     A number of people highlighted concerns around issues with Python
>     development on managed Apple Devices.  Our RCS team (whose devices
>     are managed by JAMF) have recently published a blog post which
>     people might find helpful:
>     https://blogs.imperial.ac.uk/research-software-engineering/2023/04/20/python-development-on-m1-macs/
>
>
>         Website Changes
>
>     The content for the following website hasn’t changed significantly
>     (aside from some updates to the FAQs).  It is worth letting you all
>     know that the content for the Apple pages will be completely
>     refreshed in the coming weeks.
>
>     Windows Devices
>
>     There were some questions as to whether Windows devices were being
>     dealt with in a similar way to Apple ones, and they are: any devices
>     purchased since December via official channels would have been
>     enrolled into our Intune tenancy – note this only applies to Windows
>     laptops.
>
>     Cyber Task Force
>
>     I don’t have a date for its creation/setup yet, but as soon as I do
>     the information will be circulated.
>
>     Thanks
>
>     Tom
>
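Tom's message quotes fleet patch-compliance figures (79% and 19%) and a target of installing fixes for critical/high rated vulnerabilities within 14 days of release. The following is an added example, not code from any message in this thread or from ICT: it shows how such a percentage is derived from an inventory, using a constructed list of OS releases and a constructed five-device fleet. A device counts as compliant on a given day if it runs at least the newest security release whose 14-day deadline has already passed; releases still inside their window do not yet count against it.

```python
"""Patch-compliance check against a 14-day remediation window.

Added example (not from the mailing-list thread). The release list, the
fleet and the dates below are constructed for illustration; a real
report would read the same fields from MDM inventory (e.g. Jamf or
Intune) rather than from literals.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Target stated in the thread: critical/high fixes installed within 14 days of release.
WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class Release:
    version: str
    released: date
    fixes_critical_or_high: bool  # only security-relevant releases set a deadline


@dataclass(frozen=True)
class Device:
    name: str
    os_version: str  # version reported by the device at last check-in


# Constructed sample data: version numbers and dates are illustrative only.
RELEASES = [
    Release("13.3", date(2023, 3, 27), True),
    Release("13.3.1", date(2023, 4, 7), True),
    Release("13.4", date(2023, 5, 18), True),
]

FLEET = [
    Device("lab-mac-01", "13.4"),
    Device("lab-mac-02", "13.3.1"),
    Device("lab-mac-03", "13.3"),
    Device("lab-mac-04", "12.6.5"),
    Device("lab-mac-05", "13.2.1"),
]


def parse_version(v: str) -> tuple:
    """Turn '13.4' into a comparable tuple, padded so '13.4' == '13.4.0'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def required_version(releases, today: date):
    """Newest security release whose 14-day deadline has passed, or None."""
    due = [r for r in releases
           if r.fixes_critical_or_high and r.released + WINDOW <= today]
    if not due:
        return None
    return max(due, key=lambda r: parse_version(r.version)).version


def is_compliant(device: Device, releases, today: date) -> bool:
    """Compliant if no deadline has passed yet, or the device is at/above it."""
    req = required_version(releases, today)
    return req is None or parse_version(device.os_version) >= parse_version(req)


def compliance_report(fleet, releases, today: date) -> dict:
    """Names of devices outside the window plus the fleet compliance percentage."""
    non_compliant = [d.name for d in fleet if not is_compliant(d, releases, today)]
    if fleet:
        pct = 100.0 * (len(fleet) - len(non_compliant)) / len(fleet)
    else:
        pct = 100.0
    return {
        "required_version": required_version(releases, today),
        "non_compliant": non_compliant,
        "compliance_pct": pct,
    }


if __name__ == "__main__":
    # Constructed reporting date: 13.3.1's deadline has passed, 13.4's has not.
    report = compliance_report(FLEET, RELEASES, date(2023, 5, 24))
    print(f"required: {report['required_version']}")
    print(f"non-compliant: {', '.join(report['non_compliant'])}")
    print(f"compliance: {report['compliance_pct']:.0f}%")
```

Run it as-is and the report names the three sample devices still below 13.3.1 and gives 40% compliance; move the reporting date past 1 June and 13.4 becomes the required version, which is the mechanism by which a single vendor release can make a whole fleet drop in the statistics overnight, as the thread's 79% to 19% swing illustrates.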

_______________________________________________
Physics-Departmental-Computing mailing list
Physics-Departmental-Computing@imperial.ac.uk
https://mailman.ic.ac.uk/mailman/listinfo/physics-departmental-computing