Hi all,

Sorry, my original reply was to clear up any misinformation around Windows devices rather than a reply to Peter's question - I left that with Tom.

Alongside "there is no such thing as a build" there is another area of clarity required - there is no such thing as network accounts for Mac. With Jamf managed devices, all accounts are local accounts. When you log in to the device using your Imperial credentials a local account is created based upon your credentials and passwords are kept in sync with Jamf Connect (which speaks to Azure). We have not bound Macs to the network for many years and anybody currently using a domain bound Mac should stop. Should anybody suggest we are using network accounts I will refer to this email.

The standard setup only allows one person to log in to the device. We can (and already process requests to) make it so that any College account (including guest/visitor accounts) can log in to the device, which will make another local account on login with those credentials. We can enable the Users and Accounts section (and in RITM0054412 this should have happened), and you can create another, non-College, local account. However, the new local account that gets created is no different to the local account created by your first login (less the password sync via Jamf Connect). It is actually a worse experience as you lose the device based wifi auth.

Alongside Tom, I will remind the Service Desk team leads about our stance on enabling the Users and Groups section to avoid things such as RITM0054412. As Tom has said, the automation will vastly reduce such cases.
Thanks,
Jason

-----Original Message-----
From: Willson, Thomas H <t.willson@imperial.ac.uk>
Sent: Wednesday, June 21, 2023 6:23 PM
To: Pietzuch, Peter R <prp@imperial.ac.uk>; Colling, David J <d.colling@imperial.ac.uk>; Bennett, Jason W <jason.bennett@imperial.ac.uk>; Robb, Mike A <mike.robb@imperial.ac.uk>; Oliver, Gareth <w.oliver@imperial.ac.uk>; Stephenson, Richard <r.stephenson@imperial.ac.uk>; Halimi, Amine <m.halimi@imperial.ac.uk>; Cohen, Jeremy <jeremy.cohen@imperial.ac.uk>; Haynes, Sian B <s.haynes@imperial.ac.uk>; Shaw, Rosie A <r.a.shaw@imperial.ac.uk>; Boyle, David <david.boyle@imperial.ac.uk>; McLachlan, Duncan J <duncan.mclachlan@imperial.ac.uk>; Taborda, David M G <d.taborda@imperial.ac.uk>; Wong, Harmony <w.wong@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Galvan, Stefano <s.galvan@imperial.ac.uk>; Bresme, Fernando <f.bresme@imperial.ac.uk>; Wood, Nicholas E M <nicholas.wood@imperial.ac.uk>; Ochieng, Washington Y <w.ochieng@imperial.ac.uk>; Kamara, Lloyd D <l.kamara@imperial.ac.uk>; McCann, Julie A <j.mccann@imperial.ac.uk>; Constantinides, George A <g.constantinides@imperial.ac.uk>; Villamil, Juan <juan.villamil@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; White, Duncan C <d.white@imperial.ac.uk>; White, Luke A <luke.white@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Craster, Richard V <r.craster@imperial.ac.uk>; Pietzuch, Peter R <prp@imperial.ac.uk>; Whitehouse, Dan <d.whitehouse@imperial.ac.uk>
Cc: Joannou, Ingrid <i.joannou@imperial.ac.uk>; Taylor, James A <james.a.taylor@imperial.ac.uk>
Subject: RE: Securing Imperial : Post Audit and Risk Committee Follow Up

Hi all,

Rather than multiple replies - I'll try and pick out the relevant queries and cover them in one email.
@Peter Pietzuch - what happened to the category of unmanaged research machines? At least Computing's (and I suspect other departments' as well) concerns about compulsory MDM/JAMF-managed machines are not addressed by the information below.
@Colling, David J - In all the discussion that we had (over about 4 months) we drew up a list of different categories of machines including the category of unmanaged research machines, these had slightly more support than BYOD and had JAMF (or windows equivalent) installed but in a mode where it didn't interfere but only gave warning
@Colling, David J - One was asset tracking only (which is what I meant by turning your college bought machine into a BYOD and I admit that I should have mentioned asset tracking), the next one up was the software just sent warning, then different levels of management with greater access to the college systems as the management increased.
This was previously discussed the last time this group met. However, I appreciate that not everyone was able to attend, and I should have included it in my email, so apologies. That proposal went to UMB for approval/confirmation and the recommendation was to set up a Cyber Security Taskforce who will regularly review/ratify the roadmaps for Cyber Security - this would include the approach that you've mentioned above. This group is in the process of being set up - sorry it wasn't clear in my original email.
@Whitehouse, Dan - I would just note that despite point 2 in Tom's email (*Ability to create local accounts*), I believe that I have recently been involved in an email thread from the Service Desk with respect to ticket RITM0054412 (dated approximately 18th May or just before) when a request to set up a local account was refused on the basis that:
All I can say is that this is regretfully disappointing that we (ICT) are still sending out inconsistent messages - I thought we had sorted this issue but I'm disappointed that we haven't. I will again talk to the Service Desk to get this resolved. When the fully automated self service feature comes in place hopefully this will reduce the chances even more.

Thanks
Tom

-----Original Message-----
From: Peter Pietzuch <prp@imperial.ac.uk>
Sent: Wednesday, June 21, 2023 6:01 PM
To: Colling, David J <d.colling@imperial.ac.uk>; Bennett, Jason W <jason.bennett@imperial.ac.uk>; Willson, Thomas H <t.willson@imperial.ac.uk>; Robb, Mike A <mike.robb@imperial.ac.uk>; Oliver, Gareth <w.oliver@imperial.ac.uk>; Stephenson, Richard <r.stephenson@imperial.ac.uk>; Halimi, Amine <m.halimi@imperial.ac.uk>; Cohen, Jeremy <jeremy.cohen@imperial.ac.uk>; Haynes, Sian B <s.haynes@imperial.ac.uk>; Shaw, Rosie A <r.a.shaw@imperial.ac.uk>; Boyle, David <david.boyle@imperial.ac.uk>; McLachlan, Duncan J <duncan.mclachlan@imperial.ac.uk>; Taborda, David M G <d.taborda@imperial.ac.uk>; Wong, Harmony <w.wong@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Galvan, Stefano <s.galvan@imperial.ac.uk>; Bresme, Fernando <f.bresme@imperial.ac.uk>; Wood, Nicholas E M <nicholas.wood@imperial.ac.uk>; Ochieng, Washington Y <w.ochieng@imperial.ac.uk>; Kamara, Lloyd D <l.kamara@imperial.ac.uk>; McCann, Julie A <j.mccann@imperial.ac.uk>; Constantinides, George A <g.constantinides@imperial.ac.uk>; Villamil, Juan <juan.villamil@imperial.ac.uk>; physics-departmental-computing <physics-departmental-computing@imperial.ac.uk>; White, Duncan C <d.white@imperial.ac.uk>; White, Luke A <luke.white@imperial.ac.uk>; French, Paul (PHOT) M W <paul.french@imperial.ac.uk>; Craster, Richard V <r.craster@imperial.ac.uk>
Cc: Joannou, Ingrid <i.joannou@imperial.ac.uk>; Taylor, James A <james.a.taylor@imperial.ac.uk>
Subject: Re: Securing Imperial : Post Audit and Risk Committee Follow Up

Hi David, Jason, Thomas,

I thought that unmanaged research machines would be asset-tracked in a database only and not have any ICT management software/policies running on them (no MDM/JAMF/etc, as the term 'unmanaged' suggests). Like BYOD, they would be prevented from accessing certain critical College systems directly.

Cheers,
Peter

On 21/06/2023 17:03, David Colling wrote:
Hi Jason,
This doesn't answer Peter's question. In all the discussion that we
had (over about 4 months) we drew up a list of different categories of
machines including the category of unmanaged research machines, these
had slightly more support than BYOD and had JAMF (or windows
equivalent) installed but in a mode where it didn't interfere but only
gave warning. There was also the option of taking a college bought
device and turning it into a BYOD by having JAMF removed (or never
installed).
These classes of machines would have limited access to college
systems - essentially through web browsers etc. This was about
managing risk so that college systems were safe and researchers and
educators were still able to do their jobs.
This we thought was a good solution for all concerned. In email
conversations with Juan this is, I believe, what he thinks the
situation to be. However, from Tom's communications it appears that
this is not actually the case and that all machines will have JAMF (or
windows equivalent) regardless of whether the user wants it or not.
This will cause significant unhappiness and result in many people
buying (especially) apple devices on their grants by routes other than
through the college supplier. Whereas most would have been happy with
the mode where their device was monitored and just received warnings
(because most people do want to be good citizens) they now have no
warnings and zero visibility to ICT.
What was wrong with the solution that we all thought that we had agreed?
Best,
david
On 21/06/2023 15:21, Bennett, Jason W wrote:
Hi all,

With Tom's permission I am just clarifying this section.

Windows Devices

*All* Windows devices purchased via the College preferred channels are automatically enrolled into our Intune tenancy.

Laptops
* Very similar to the Jamf process.
* Sent to a staging centre after purchase to be Autopilot pre-provisioned - meaning they can then be shipped straight to the customer.
* Are managed by Intune and Configuration Manager (co-managed).
* Are Azure-AD bound but have no awareness of Active Directory (and thus have no GPO applied).

With laptops, and as with Jamf, *there is no such thing as a "College build"* - we are using the OS as the vendor intended and applying MDM profiles to apply, typically security orientated, settings.

Desktops
* Although they are enrolled into Intune, they are typically sent to ICT to be "wiped and loaded". This includes reinstalling an OS, alongside installing several applications.
* Devices are managed by Configuration Manager.
  o In time they will also be managed by Intune.
* Devices have AD awareness and settings are applied via GPO.
* This is currently considered the Classic method, but in time will be Legacy.

Other notes:
* We have 15k active Windows devices in Configuration Manager.
  o Of these, 2759 are co-managed between Intune and Configuration Manager.
* We are currently testing Autopilot on desktops and hope to roll this out soon.
* We will be updating the Device Management webpages in due course to outline both of the above outlined systems.

Thanks,
Jason
*From:* Peter Pietzuch <prp@imperial.ac.uk>
*Sent:* Wednesday, June 21, 2023 12:52 PM
*To:* Willson, Thomas H <t.willson@imperial.ac.uk>; Robb, Mike A <mike.robb@imperial.ac.uk>; Oliver, Gareth <w.oliver@imperial.ac.uk>; Stephenson, Richard <r.stephenson@imperial.ac.uk>; Halimi, Amine <m.halimi@imperial.ac.uk>; Cohen, Jeremy <jeremy.cohen@imperial.ac.uk>; Haynes, Sian B <s.haynes@imperial.ac.uk>; Shaw, Rosie A <r.a.shaw@imperial.ac.uk>; Boyle, David <david.boyle@imperial.ac.uk>; McLachlan, Duncan J <duncan.mclachlan@imperial.ac.uk>; Taborda, David M G <d.taborda@imperial.ac.uk>; Wong, Harmony <w.wong@imperial.ac.uk>; Bearpark, Michael J <m.bearpark@imperial.ac.uk>; Galvan, Stefano <s.galvan@imperial.ac.uk>; Bresme, Fernando <f.bresme@imperial.ac.uk>; Wood, Nicholas E M <nicholas.wood@imperial.ac.uk>; Ochieng, Washington Y <w.ochieng@imperial.ac.uk>; Kamara, Lloyd D <l.kamara@imperial.ac.uk>; Colling, David J <d.colling@imperial.ac.uk>; McCann, Julie A <j.mccann@imperial.ac.uk>; Constantinides, George A <g.constantinides@imperial.ac.uk>
*Cc:* Joannou, Ingrid <i.joannou@imperial.ac.uk>; Taylor, James A <james.a.taylor@imperial.ac.uk>; Bennett, Jason W <jason.bennett@imperial.ac.uk>
*Subject:* Re: Securing Imperial : Post Audit and Risk Committee Follow Up
Dear Thomas,
Thanks for your email, but I'm confused now: what happened to the category of unmanaged research machines? At least Computing's (and I suspect other departments' as well) concerns about compulsory MDM/JAMF-managed machines are not addressed by the information below.
Cheers,
Peter
On 21/06/2023 12:39, Willson, Thomas H wrote:
Dear all,
Apologies for not sending out this email sooner.
Recent events, such as the unfortunate incident at Manchester University (as reported by the BBC: https://www.bbc.co.uk/news/uk-england-manchester-65855002) and the incidents that affected Imperial's pension providers, SAUL (https://www.imperial.ac.uk/human-resources/pay-and-pensions/pensions/saul/saul-data-breach/) and USS (https://www.imperial.ac.uk/human-resources/pay-and-pensions/pensions/uss/capita-cyber-incident/), serve as a stark reminder as to the importance of Cyber Security - including understanding the posture of our devices (e.g. patching, central reporting, running supported operating systems etc.), endpoint protection, MFA etc.

At our last meeting, a number of issues were raised and hopefully they should all be addressed below.
Standard Response

The standard response that Academia (supplier of Apple equipment) and the Service Desk should be providing members of Imperial if they ask about device management is:

"We enrol all devices purchased by Imperial College London into Apple School Manager, as we are contractually obliged to do by the College. The ICT department has provided the following information:

Devices are set up using Apple's Mobile Device Management (MDM) framework, details of which can be found on Apple's support web pages (https://support.apple.com/en-gb/HT204142). There are no known performance issues with MDM, and it is highly configurable. If there is a specific configuration you need for your work, please contact the ICT Service Desk (https://www.imperial.ac.uk/admin-services/ict/contact-ict-service-desk/) who will be happy to help.

Apple devices have been managed by ICT for over 10 years on an opt-in basis; this is now mandatory to address the increased threat of cyber-attacks. In addition, it will also assist Imperial in achieving Cyber Essentials (https://www.ncsc.gov.uk/cyberessentials/overview), which will support some members of Imperial in their research applications."
Requestable Exceptions for Apple Devices

We are aware of 3 additional features/capabilities, which are exceptions that can be requested by logging a ticket with the Service Desk and for which a self-service form to automatically process these requests will be available in July-August 2023 (we will be sharing the link to this form as soon as it is available). Those exceptions are:

1. *Ability to run unnotarised applications* (i.e. applications not downloaded from the Apple App Store and/or applications not notarised). This is a one-time exception request and lasts for the life of the device, not each time a member of Imperial wants to run an unnotarised application. This is not required to run code that was developed on the device, e.g. Python code.
2. *Ability to create local accounts* - this is possible upon request. The primary user, who raised the request, can be an admin and everybody else a standard user.
3. *Ability to defer update warnings* - updates are not forced, but people will be alerted/reminded when updates are available/required to be installed.

Historically ICT have alerted users when updates were available with additional popup notifications. Those notifications had in the past resulted in our patch compliance reaching a peak of 79% on the 20th July 2022. These additional notifications were disabled (in January 2023) as requested by some members of Imperial College because Apple had marked an OS upgrade to Ventura as a minor update. Unfortunately, this has resulted in our patching compliance dropping to an all-time low of 19% on the 24th May 2023.

The prompt installation of security updates is a key component in defending the device against cyber-attacks, with the aim of installing updates that mitigate critical/high rated vulnerabilities within 14 days of release.

The new notifications that will be pushed out will look similar to the following:

[Screenshot of the new update notification]

This will be reintroduced at the beginning of July 2023.
Jamf Platform

Some questions were raised about the Jamf platform regarding security standards, privacy notices etc. The Jamf website has a considerable amount of information on these topics and is available here: https://www.jamf.com/trust-center/
Python Development

A number of people highlighted concerns around issues with Python development on managed Apple Devices. Our RCS team (whose devices are managed by JAMF) have recently published a blog post which people might find helpful - https://blogs.imperial.ac.uk/research-software-engineering/2023/04/20/python-development-on-m1-macs/
Website Changes

The content for the following website hasn't changed significantly (aside from some updates to the FAQs). It is worth letting you all know that the content for the Apple pages will be completely refreshed in the coming weeks.

Windows Devices

There were some questions if Windows devices were being dealt with in a similar way as Apple ones and they are: "any devices purchased since December via official channels would have been enrolled into our Intune tenancy - note this only applies to Windows laptops."

Cyber Task Force

I don't have a date for its creation/setup yet but as soon as I do the information will be circulated.

Thanks
Tom
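Tom's message above quotes patch-compliance figures (79% peak, 19% low) and a target of installing critical/high fixes within 14 days of release, but does not show how such a figure is derived. The block below is an added example, not code from the thread nor from ICT's Jamf or Intune reporting: it computes the compliance percentage over a constructed inventory and applies the 14-day window, and it deliberately separates devices that have stopped checking in ("stale") so they are never counted as compliant by default. The device fields, the required version and its release date are assumptions chosen for the example.

```python
"""Patch-compliance check against a 14-day SLA (added example; constructed data).

Assumptions (not from the e-mail thread): an MDM inventory exposes, per device,
the reported OS version and the last check-in date; the required version and
its release date are supplied by whoever runs the report.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SLA_DAYS = 14  # critical/high fixes should be installed within 14 days of release
STALE_DAYS = 14  # a device silent for longer than this cannot be assessed


@dataclass(frozen=True)
class Device:
    name: str
    os_version: str   # version the device reported, e.g. "13.4.1"
    last_checkin: date  # last time the MDM heard from the device


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '13.4.1' into (13, 4, 1); pads so that '13.4' compares as (13, 4, 0)."""
    parts = tuple(int(p) for p in v.strip().split(".") if p.isdigit())
    return parts + (0,) * (3 - len(parts))


def classify(device: Device, required: str, released: date, today: date) -> str:
    """One of: 'compliant', 'in_grace' (behind, inside the SLA window),
    'overdue' (behind, past the SLA window), 'stale' (not reporting)."""
    # Stale first: a device that is not checking in may be running anything,
    # so it must not be classified from its (old) reported version.
    if today - device.last_checkin > timedelta(days=STALE_DAYS):
        return "stale"
    if parse_version(device.os_version) >= parse_version(required):
        return "compliant"
    deadline = released + timedelta(days=SLA_DAYS)
    return "in_grace" if today <= deadline else "overdue"


def compliance_report(devices, required: str, released: date, today: date) -> dict:
    """Bucket every device and compute the compliance percentage over the whole
    fleet, so stale devices lower the figure rather than disappearing from it."""
    buckets = {"compliant": [], "in_grace": [], "overdue": [], "stale": []}
    for d in devices:
        buckets[classify(d, required, released, today)].append(d.name)
    total = len(devices)
    pct = round(100 * len(buckets["compliant"]) / total, 1) if total else 0.0
    return {"percent_compliant": pct, **buckets}


# Constructed inventory; names, versions and dates are invented for the example.
SAMPLE = [
    Device("mac-a", "13.4.1", date(2023, 6, 20)),
    Device("mac-b", "13.4", date(2023, 6, 19)),
    Device("mac-c", "13.3.1", date(2023, 6, 21)),
    Device("mac-d", "12.6.6", date(2023, 4, 30)),  # silent for weeks -> stale
    Device("mac-e", "13.4.1", date(2023, 6, 21)),
]
REQUIRED = "13.4.1"          # hypothetical required build
RELEASED = date(2023, 6, 1)  # hypothetical release date of that build
TODAY = date(2023, 6, 21)


def sample_report() -> dict:
    return compliance_report(SAMPLE, REQUIRED, RELEASED, TODAY)


if __name__ == "__main__":
    rep = sample_report()
    print(f"compliant: {rep['percent_compliant']}%")
    for bucket in ("in_grace", "overdue", "stale"):
        print(f"{bucket:>9}: {', '.join(rep[bucket]) or '-'}")
```

Reporting stale devices as their own bucket is the point of the example: a fleet can look healthier than it is if silent machines are dropped from the denominator, and a device that has not reported for two weeks is exactly the one an attacker would prefer.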