Hi Peter,

Thank you so much for your reply. As I said in my original email, my offer is a stop gap until the Cyber Task Force has drawn its conclusion and is in no way a suggestion of an alternative.

Please don't suffer in silence until the task force has completed its work. We continue to be told of problems, so please show us them so we can get you up and running asap! We want to help.

Thanks,
Jason

-----Original Message----- From: Peter Pietzuch <prp@imperial.ac.uk> Sent: Thursday, June 22, 2023 2:06 PM To: Bennett, Jason W <jason.bennett@imperial.ac.uk>; Colling, David J <d.colling@imperial.ac.uk>; Willson, Thomas H <t.willson@imperial.ac.uk>; Robb, Mike A <mike.robb@imperial.ac.uk>; Oliver, Gareth <w.oliver@imperial.ac.uk>; Stephenson, Richard <r.stephenson@imperial.ac.uk>; Halimi, Amine <m.halimi@imperial.ac.uk>; Cohen, Jeremy <jeremy.cohen@imperial.ac.uk>; Haynes, Sian B <s.haynes@imperial.ac.uk>; Shaw, Rosie A <r.a.shaw@imperial.ac.uk>; Boyle, David <david.boyle@imperial.ac.uk>; McLachlan, Duncan J <duncan.mclachlan@imperial.ac.uk>; Taborda, David M G <d.taborda@imperial.ac.uk>; Wong, Harmony <w.wong@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Galvan, Stefano <s.galvan@imperial.ac.uk>; Bresme, Fernando <f.bresme@imperial.ac.uk>; Wood, Nicholas E M <nicholas.wood@imperial.ac.uk>; Ochieng, Washington Y <w.ochieng@imperial.ac.uk>; Kamara, Lloyd D <l.kamara@imperial.ac.uk>; McCann, Julie A <j.mccann@imperial.ac.uk>; Constantinides, George A <g.constantinides@imperial.ac.uk>; Villamil, Juan <juan.villamil@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; White, Duncan C <d.white@imperial.ac.uk>; White, Luke A <luke.white@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Craster, Richard V <r.craster@imperial.ac.uk>; Whitehouse, Dan <d.whitehouse@imperial.ac.uk> Cc: Joannou, Ingrid <i.joannou@imperial.ac.uk>; Taylor, James A <james.a.taylor@imperial.ac.uk> Subject: Re: Securing Imperial : Post Audit and Risk Committee Follow Up

Hi Jason,

On 22/06/2023 12:19, Bennett, Jason W wrote:
As a stop gap before the committee gets spun up (I have no information on this) the EUC team continues to be more than happy to help anyone in need. If any of your users have any tangible, replicable example of how Jamf is stopping them working (once the exceptions have been put in place) please feel free to email me (Jason.bennett@imperial.ac.uk) and we will work with them to get it resolved.
Please do circulate this ongoing offer far and wide (I will also bring it up in the Physics Computing meeting in July).
The issue is not that colleagues don't know that they can raise problems with ICT -- it is rather the friction that the implementation of this policy causes: as Jeremy and David explained, academics and researchers don't want to have to contact ICT to explain things that haven't been problems in the past. Cheers, Peter
-----Original Message----- From: David Colling <d.colling@imperial.ac.uk> Sent: Thursday, June 22, 2023 11:17 AM To: Willson, Thomas H <t.willson@imperial.ac.uk>; Pietzuch, Peter R <prp@imperial.ac.uk>; Bennett, Jason W <jason.bennett@imperial.ac.uk>; Robb, Mike A <mike.robb@imperial.ac.uk>; Oliver, Gareth <w.oliver@imperial.ac.uk>; Stephenson, Richard <r.stephenson@imperial.ac.uk>; Halimi, Amine <m.halimi@imperial.ac.uk>; Cohen, Jeremy <jeremy.cohen@imperial.ac.uk>; Haynes, Sian B <s.haynes@imperial.ac.uk>; Shaw, Rosie A <r.a.shaw@imperial.ac.uk>; Boyle, David <david.boyle@imperial.ac.uk>; McLachlan, Duncan J <duncan.mclachlan@imperial.ac.uk>; Taborda, David M G <d.taborda@imperial.ac.uk>; Wong, Harmony <w.wong@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Galvan, Stefano <s.galvan@imperial.ac.uk>; Bresme, Fernando <f.bresme@imperial.ac.uk>; Wood, Nicholas E M <nicholas.wood@imperial.ac.uk>; Ochieng, Washington Y <w.ochieng@imperial.ac.uk>; Kamara, Lloyd D <l.kamara@imperial.ac.uk>; McCann, Julie A <j.mccann@imperial.ac.uk>; Constantinides, George A <g.constantinides@imperial.ac.uk>; Villamil, Juan <juan.villamil@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; White, Duncan C <d.white@imperial.ac.uk>; White, Luke A <luke.white@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Craster, Richard V <r.craster@imperial.ac.uk>; Whitehouse, Dan <d.whitehouse@imperial.ac.uk> Cc: Joannou, Ingrid <i.joannou@imperial.ac.uk>; Taylor, James A <james.a.taylor@imperial.ac.uk> Subject: Re: Securing Imperial : Post Audit and Risk Committee Follow Up
Hi Tom,
I don't seem to have been invited to the last meeting, so I was not aware of there having been further discussion in this area - me not being invited may well be related to me not having an Outlook calendar (purely historical reasons). If a committee is to be set up what is the progress of setting up this committee? I believe that the UMB meeting was in March. Can I suggest that the people who worked on this between November and March are probably people with the right set of skills. It is important to make this happen quickly.
No computing issue has ever caused as much unhappiness amongst the staff or caused as many people not to be able to do their job, and even if eventually through exemptions they can just about do their jobs this takes weeks of effort often battling against ill informed staff on the service desk.
Cyber security is extremely important and we need to get it right. This is about having the correct level of security for each device. This is very different for a researcher who is not dealing with confidential data and only accessing college systems through the ICIS web portal or clients that require multi factor authentication, from a researcher who is dealing with sensitive data (medical or commercial) or somebody who has more direct access to college systems such as payroll.
I know that we all want to get this right. We now need to do this quickly.
Best, david
On 21/06/2023 18:22, Willson, Thomas H wrote:
Hi all,
Rather than multiple replies - I'll try and pick out the relevant queries and cover them in one email.
@Peter Pietzuch - what happened to the category of unmanaged research machines? At least Computing's (and I suspect other department's as well) concerns about compulsory MDM/JAMF-managed machines are not addressed by the information below.

@Colling, David J - In all the discussion that we had (over about 4 months) we drew up a list of different categories of machines including the category of unmanaged research machines, these had slightly more support than BYOD and had JAMF (or windows equivalent) installed but in a mode where it didn't interfere but only gave warning

@Colling, David J - One was asset tracking only (which is what I meant by turning your college bought machine into a BYOD and I admit that I should have mentioned asset tracking), the next one up was the software just sent warning, then different levels of management with greater access to the college systems as the management increased.

This was previously discussed at the last time this group met. However, I appreciate that not everyone was able to attend, and I should have included it in my email so apologies. That proposal went to UMB for approval/confirmation and the recommendation was to set up a Cyber Security Taskforce who will regularly review/ratify the roadmaps for Cyber Security - this would include the approach that you've mentioned above. This group is in the process of being set up - sorry it wasn't clear in my original email.
@Whitehouse, Dan - I would just note that despite point 2 in Tom's email (*Ability to create local accounts*), I believe that I have recently been involved in an email thread from the Service Desk with respect to ticket RITM0054412 (dated approximately 18th May or just before) when a request to set up a local account was refused on the basis that:

All I can say is that this is regretfully disappointing that we (ICT) are still sending out inconsistent messages - I thought we had sorted this issue but I'm disappointed that we haven't. I will again talk to the Service Desk to get this resolved. When the fully automated self service feature comes in place hopefully this will reduce the chances even more.
Thanks
Tom
-----Original Message----- From: Peter Pietzuch <prp@imperial.ac.uk> Sent: Wednesday, June 21, 2023 6:01 PM To: Colling, David J <d.colling@imperial.ac.uk>; Bennett, Jason W <jason.bennett@imperial.ac.uk>; Willson, Thomas H <t.willson@imperial.ac.uk>; Robb, Mike A <mike.robb@imperial.ac.uk>; Oliver, Gareth <w.oliver@imperial.ac.uk>; Stephenson, Richard <r.stephenson@imperial.ac.uk>; Halimi, Amine <m.halimi@imperial.ac.uk>; Cohen, Jeremy <jeremy.cohen@imperial.ac.uk>; Haynes, Sian B <s.haynes@imperial.ac.uk>; Shaw, Rosie A <r.a.shaw@imperial.ac.uk>; Boyle, David <david.boyle@imperial.ac.uk>; McLachlan, Duncan J <duncan.mclachlan@imperial.ac.uk>; Taborda, David M G <d.taborda@imperial.ac.uk>; Wong, Harmony <w.wong@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Galvan, Stefano <s.galvan@imperial.ac.uk>; Bresme, Fernando <f.bresme@imperial.ac.uk>; Wood, Nicholas E M <nicholas.wood@imperial.ac.uk>; Ochieng, Washington Y <w.ochieng@imperial.ac.uk>; Kamara, Lloyd D <l.kamara@imperial.ac.uk>; McCann, Julie A <j.mccann@imperial.ac.uk>; Constantinides, George A <g.constantinides@imperial.ac.uk>; Villamil, Juan <juan.villamil@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; White, Duncan C <d.white@imperial.ac.uk>; White, Luke A <luke.white@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Craster, Richard V <r.craster@imperial.ac.uk> Cc: Joannou, Ingrid <i.joannou@imperial.ac.uk>; Taylor, James A <james.a.taylor@imperial.ac.uk> Subject: Re: Securing Imperial : Post Audit and Risk Committee Follow Up
Hi David, Jason, Thomas,
I thought that unmanaged research machines would be asset-tracked in a database only and not have any ICT management software/policies running on them (no MDM/JAMF/etc, as the term 'unmanaged' suggests). Like BYOD, they would be prevented from accessing certain critical College systems directly.
Cheers, Peter
On 21/06/2023 17:03, David Colling wrote:
Hi Jason,
This doesn't answer Peter's question. In all the discussion that we had (over about 4 months) we drew up a list of different categories of machines including the category of unmanaged research machines, these had slightly more support than BYOD and had JAMF (or windows equivalent) installed but in a mode where it didn't interfere but only gave warning. There was also the option of taking a college bought device and turning it into a BYOD by having JAMF removed (or never installed).
These classes of machines would have the limited access to college systems - essentially through web browsers etc. This was about managing risk so that college systems were safe and researchers and educators were still able to do their jobs.
This we thought was a good solution for all concerned. In email conversations with Juan this is, I believe, what he thinks the situation to be. However, from Tom's communications it appears that this is not actually the case and that all machines will have JAMF (or windows equivalent) regardless of whether the user wants it or not.
This will cause significant unhappiness and result in many people buying (especially) Apple devices on their grants by routes other than through the college supplier. Whereas most would have been happy with the mode where their device was monitored and just received warnings (because most people do want to be good citizens) they now have no warnings and zero visibility to ICT.
What was wrong with the solution that we all thought that we had agreed?
Best, david
On 21/06/2023 15:21, Bennett, Jason W wrote:
Hi all,
With Tom's permission I am just clarifying this section.
Windows Devices
*All* Windows devices purchased via the College preferred channels are automatically enrolled into our Intune tenancy.
Laptops
* Very similar to the Jamf process.
* Sent to a staging centre after purchase to be Autopilot pre-provisioned - meaning they can then be shipped straight to customer.
* Are managed by Intune and Configuration Manager (Co-managed).
* Are Azure-AD bound but have no awareness of Active Directory (and thus have no GPO applied).
With laptops, and as with Jamf, *there is no such thing as a "College build"* - we are using the OS as the vendor intended and applying MDM profiles to apply, typically security orientated, settings.
Desktops
* Although they are enrolled into Intune, they are typically sent to ICT to be "wiped and loaded". This includes reinstalling an OS, alongside installing several applications.
* Devices are managed by Configuration Manager.
  o In time they will also be managed by Intune.
* Devices have AD awareness and settings are applied via GPO.
* This is currently considered the Classic method, but in time will be Legacy.
Other notes:
* We have 15k active Windows devices in Configuration Manager.
  o Of these, 2759 are co-managed between Intune and Configuration Manager.
* We are currently testing Autopilot on desktops and hope to roll this out soon.
* We will be updating the Device Management webpages in due course to outline both of the above outlined systems.
Thanks,
Jason
*From:*Peter Pietzuch <prp@imperial.ac.uk> *Sent:* Wednesday, June 21, 2023 12:52 PM *To:* Willson, Thomas H <t.willson@imperial.ac.uk>; Robb, Mike A <mike.robb@imperial.ac.uk>; Oliver, Gareth <w.oliver@imperial.ac.uk>; Stephenson, Richard <r.stephenson@imperial.ac.uk>; Halimi, Amine <m.halimi@imperial.ac.uk>; Cohen, Jeremy <jeremy.cohen@imperial.ac.uk>; Haynes, Sian B <s.haynes@imperial.ac.uk>; Shaw, Rosie A <r.a.shaw@imperial.ac.uk>; Boyle, David <david.boyle@imperial.ac.uk>; McLachlan, Duncan J <duncan.mclachlan@imperial.ac.uk>; Taborda, David M G <d.taborda@imperial.ac.uk>; Wong, Harmony <w.wong@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Galvan, Stefano <s.galvan@imperial.ac.uk>; Bresme, Fernando <f.bresme@imperial.ac.uk>; Wood, Nicholas E M <nicholas.wood@imperial.ac.uk>; Ochieng, Washington Y <w.ochieng@imperial.ac.uk>; Kamara, Lloyd D <l.kamara@imperial.ac.uk>; Colling, David J <d.colling@imperial.ac.uk>; McCann, Julie A <j.mccann@imperial.ac.uk>; Constantinides, George A <g.constantinides@imperial.ac.uk> *Cc:* Joannou, Ingrid <i.joannou@imperial.ac.uk>; Taylor, James A <james.a.taylor@imperial.ac.uk>; Bennett, Jason W <jason.bennett@imperial.ac.uk> *Subject:* Re: Securing Imperial : Post Audit and Risk Committee Follow Up
Dear Thomas,
Thanks for your email, but I'm confused now: what happened to the category of unmanaged research machines? At least Computing's (and I suspect other department's as well) concerns about compulsory MDM/JAMF-managed machines are not addressed by the information below.
Cheers, Peter
On 21/06/2023 12:39, Willson, Thomas H wrote:
Dear all,
Apologies for not sending out this email sooner.
Recent events, such as the unfortunate incident at Manchester University (as reported by the BBC: https://www.bbc.co.uk/news/uk-england-manchester-65855002) and the incidents that affected Imperial's pension providers; SAUL (https://www.imperial.ac.uk/human-resources/pay-and-pensions/pensions/saul/saul-data-breach/) and USS (https://www.imperial.ac.uk/human-resources/pay-and-pensions/pensions/uss/capita-cyber-incident/) serve as a stark reminder as to the importance of Cyber Security - including understanding the posture of our devices (e.g. patching, central reporting, running supported operating systems etc.), endpoint protection, MFA etc.
At our last meeting, a number of issues were raised and hopefully they should all be addressed below.
Standard Response
The standard response that Academia (supplier of Apple equipment) and the Service Desk should be providing members of Imperial if they ask about device management is:
/We enrol all devices purchased by Imperial College London into Apple School Manager, as we are contractually obliged to do by the College. The ICT department has provided the following information:/
/Devices are set up using Apple's Mobile Device Management (MDM) framework, details of which can be found on Apple's support web pages <https://support.apple.com/en-gb/HT204142>./

/There are no known performance issues with MDM, and it is highly configurable. If there is a specific configuration you need for your work, please contact the ICT Service Desk <https://www.imperial.ac.uk/admin-services/ict/contact-ict-service-desk/> who will be happy to help./

/Apple devices have been managed by ICT for over 10 years on an opt-in basis, this is now mandatory to address the increased threat of cyber-attacks. In addition, it will also assist Imperial in achieving Cyber Essentials <https://www.ncsc.gov.uk/cyberessentials/overview> which will support some members of Imperial in their research applications./
Requestable Exceptions for Apple Devices
We are aware of 3 additional features/capabilities, which are exceptions that can be requested by logging a ticket with the Service Desk and for which a self-service form to automatically process these requests will be available in July-August 2023 (we will be sharing the link to this form as soon as it is available)
Those exceptions are:
1. *Ability to run unnotarised applications* (i.e. applications not downloaded from either the Apple App Store and/or applications not notarised). This is a one-time exception request and lasts for the life of the device not each time a member of Imperial wants to run an unnotarised application. This is not required to run code that was developed on the device e.g. python code.
2. *Ability to create local accounts* - this is possible upon request. The primary user, who raised the request, can be an admin and everybody a standard user.
3. *Ability to defer update warnings* - updates are not forced, but people will be alerted/reminded when updates are available/required to be installed. Historically ICT have alerted users when updates were available with additional popup notifications. Those notifications had in the past resulted in our patch compliance reaching a peak of 79% on the 20th July 2022. These additional notifications were disabled (in January 2023) as requested by some members of Imperial College because Apple had marked an OS upgrade to Ventura as a minor update. Unfortunately, this has resulted in our patching compliance dropping to an all-time low of 19% on the 24th May 2023.
The prompt installation of security updates is a key component in the device against cyber-attacks with the aim of installing updates that mitigate critical/high rated vulnerabilities within 14 days of release.
The new notifications that will be pushed out will look similar to the following:
[Screenshot of the update notification]
This will be reintroduced at the beginning of July 2023.
Jamf Platform
Some questions were raised about the Jamf platform regarding security standards, privacy notices etc. The Jamf website has a considerable amount of information on these topics and is available here: https://www.jamf.com/trust-center/
Python Development
A number of people highlighted concerns around issues with Python development on managed Apple Devices. Our RCS team (whose devices are managed by JAMF) have recently published a blog post which people might find helpful - https://blogs.imperial.ac.uk/research-software-engineering/2023/04/20/python-development-on-m1-macs/
Website Changes
The content for the following website hasn't changed significantly (aside from some updates to the FAQs). It is worth letting you all know that the content for the Apple pages will be completely refreshed in the coming weeks.
Windows Devices
There were some questions if Windows devices were being dealt with in a similar way as Apple ones and they are: /any devices purchased since December via official channels would have been enrolled into our Intune tenancy - note this only applies to Windows laptops./
Cyber Task Force
I don't have a date for its creation/setup yet but as soon as I do the information will be circulated.
Thanks
Tom