In accordance with EM 16, all university-owned endpoints (desktops, laptops, tablets, mobile devices) will be enrolled in endpoint management when made available by ITS. This means that ITS will be able to deliver appropriate security posture configurations and keep more devices updated and patched, leaving them less vulnerable to attacks.
- Complete the Endpoint Inventory Survey (November 21, 2022) (Complete)
- Complete the Enterprise Endpoint Management Training (December 31, 2022) (Complete)
- Enroll all university-owned Endpoints in Management (May 22, 2023)
- Identify and Organize High Risk Endpoints (May 22, 2023)
- Upgrade Unsupported OS or Request an Exception (August 1, 2023)
- Remove Shared Accounts & Configure Endpoints to use Managed Identities (August 1, 2023)
- Identify and Organize All Endpoints by Risk Classification (March 1, 2024)
The following is a tentative timeline for reaching the goal of having all endpoints enrolled in endpoint management with appropriate security. ITS will be working directly with college/department technicians to implement these changes.
December 31, 2022 (Complete)
All new university-owned endpoints are enrolled in management where made available by NU-ITS and comply with Baseline Endpoint configuration controls.
- Complete College/Department Endpoint Survey by November 21
  - Estimated total for all endpoints by Operating System
  - Identification of High Risk teams or positions
- High Risk Configuration Controls
  - Applied to ITS on November 7
  - Infrastructure (Level 10) edge network enforcement on November 14, VPN on November 30
  - Applied to Enterprise Endpoint Management Architecture on December 5
- Enterprise Endpoint Management Training Must be Completed
  - Legacy access to SCCM & Jamf will be removed
  - Technicians will be reminded to complete training at 60 & 30 days
- All New Apple endpoints purchased in eSHOP will automatically enroll in Jamf
  - Inventory Managers should claim endpoints before unboxing
March 1, 2023
Continue enrolling university-owned endpoints in management where made available by NU-ITS. Essential Security Services (Cortex XDR, Vulnerability Management, and Patch Management) will be applied to all managed endpoints.
- Enforcement of Essential Security Services
  - All managed endpoints automatically enroll in Cortex XDR, Vulnerability Management, & Patch Management
  - High Risk managed endpoints receive a Splunk forwarder for system, application, and security logs
- Low & Medium Minimum Security Controls Enabled
  - Applied to Enterprise Endpoint Management Architecture
- IT Support Teams Continue Organizing Employee Endpoints by Risk Classification
  - Identified High Risk Endpoints receive High Risk Minimum Security Controls; ITS recommends that all other Faculty & Staff Endpoints receive Medium Risk Security Controls
- Routine Progress Reports Delivered to IT Support Team Leaders
May 22, 2023
All university-owned endpoints are enrolled in management where made available by NU-ITS. A High Risk endpoint security posture will be required to access High Risk Information Systems.
- All High Risk Endpoints Configured with High Risk Minimum Security Controls
  - High Risk Controls Required on Edge Network & VPN to access High Risk Information Systems
  - VPN access to High Risk Information Systems requires a university-owned endpoint configured with High Risk Controls
- IT Support Teams Continue Organizing Endpoints by Risk Classification
  - ITS recommends all Faculty & Staff endpoints receive Medium Risk Security Controls unless identified as High Risk
  - ITS recommends all Classrooms, Labs, Kiosks, and other shared endpoints receive Low Risk Security Controls
July 5, 2023
Remote VPN access to Medium Risk Information Systems will require a Medium Risk endpoint security posture.
Inbound access to general endpoint roles in Edge Network Levels 1, 2, & 3 will be limited to secure remote access protocols and the ITS Remote Support service.
- Medium Risk Security Posture
  - University-owned endpoints will require enrollment in Enterprise Endpoint Management and a Medium Risk security posture
  - BYOD endpoints will require all configuration items identified as Personal Device Security: https://services.nebraska.edu/service/personal-device-security
August 1, 2023
Unified Edge Network access to Medium Risk Information Systems will require a Medium Risk endpoint security posture for university-owned and BYOD endpoints.
A supported OS will be required to authenticate on the Unified Edge Network (Level 2 and above).
Shared accounts for accessing University Information Systems will be removed.
A Low Risk endpoint security posture and individual user accounts will be required to authenticate university-owned endpoints to the Low Risk Network (Level 2).
- All University Endpoints will use Managed Identities
  - All endpoints will leverage an ITS Identity Management System
- Managed Idle Position Shifts from Low Risk (Level 2) to Untrusted (Level 1)
  - Posture assessments & managed identities will be required to elevate to Low Risk (Level 2)
- Security Posture Assessment for Low Risk Servers in the Unified Edge Network
- Upgrade Unsupported Operating Systems
  - Managed & BYOD endpoints will be required to run Windows 10 or 11, or macOS 12, 13, or 14, to authenticate on the Unified Edge Network (Level 2 and above).
- Posture Checks for Endpoints Accessing Medium Risk (Level 3)
  - A Medium Risk endpoint security posture is required to authenticate on the Unified Edge Network for access to Medium Risk Information Systems
  - BYOD endpoints on the Unified Edge Network will require OnGuard and all configuration items identified as Personal Device Security: https://services.nebraska.edu/service/personal-device-security
  - Medium Risk Security Posture includes: a supported & patched OS, Cortex XDR, a local firewall, and disk encryption with BitLocker or FileVault.
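To make the posture tiers above concrete, here is an added Python example (not ITS tooling and not code from this page) that evaluates constructed endpoint inventory records against them. It models the idle position as Untrusted (Level 1), elevates to Low Risk (Level 2) only when the endpoint is managed, uses a managed individual identity and runs a supported OS, and elevates to Medium Risk (Level 3) only when the listed Medium Risk controls (patched OS, Cortex XDR, local firewall, BitLocker/FileVault) also pass. The record field names, hostnames and the exact grouping of controls into Level 2 are assumptions drawn from the bullets above; only the OS versions and Medium Risk control names come from the page.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

# Supported OS major versions as stated on the page: Windows 10 or 11; macOS 12, 13 or 14.
SUPPORTED_OS = {"windows": {10, 11}, "macos": {12, 13, 14}}

NETWORK_LEVELS = {1: "Untrusted", 2: "Low Risk", 3: "Medium Risk"}


@dataclass
class Endpoint:
    """Constructed inventory record; field names are assumptions, not an ITS schema."""
    hostname: str
    os_family: str          # "windows" or "macos"
    os_version: str         # e.g. "10.0.19045" or "13.5.2"
    patched: bool           # no outstanding critical patches (from patch management)
    xdr_installed: bool     # Cortex XDR agent present and running
    firewall_enabled: bool  # local firewall turned on
    disk_encrypted: bool    # BitLocker (Windows) or FileVault (macOS) enabled
    managed: bool           # enrolled in Enterprise Endpoint Management
    managed_identity: bool  # signs in with an ITS-managed individual account, not a shared one


def os_major(version: str) -> Optional[int]:
    """Parse the leading major number ("13.5.2" -> 13); None if unparseable."""
    head = version.strip().split(".")[0]
    return int(head) if head.isdigit() else None


def os_supported(ep: Endpoint) -> bool:
    """True when the OS major version is in the supported set for its family."""
    major = os_major(ep.os_version)
    return major is not None and major in SUPPORTED_OS.get(ep.os_family.lower(), set())


# Controls required to elevate to each network level (assumed grouping):
#   Level 2 (Low Risk): managed endpoint, individual managed identity, supported OS
#   Level 3 (Medium Risk): Level 2 plus patched OS, Cortex XDR, local firewall, disk encryption
CONTROLS: dict[int, list[tuple[str, Callable[[Endpoint], bool]]]] = {
    2: [
        ("enrolled in endpoint management", lambda e: e.managed),
        ("managed identity (no shared account)", lambda e: e.managed_identity),
        ("supported operating system", os_supported),
    ],
    3: [
        ("patched operating system", lambda e: e.patched),
        ("Cortex XDR installed", lambda e: e.xdr_installed),
        ("local firewall enabled", lambda e: e.firewall_enabled),
        ("disk encryption (BitLocker/FileVault)", lambda e: e.disk_encrypted),
    ],
}


def failed_controls(ep: Endpoint, level: int) -> list[str]:
    """Names of the controls for `level` (not lower levels) that `ep` fails."""
    return [name for name, check in CONTROLS[level] if not check(ep)]


def assess(ep: Endpoint) -> dict:
    """Start at Untrusted (Level 1) and elevate one level at a time while every control passes.
    Returns the highest level reached and the controls that blocked the next one."""
    level = 1
    blocking: list[str] = []
    for candidate in sorted(CONTROLS):
        blocking = failed_controls(ep, candidate)
        if blocking:
            break
        level = candidate
    return {"hostname": ep.hostname, "level": level,
            "position": NETWORK_LEVELS[level], "blocking": blocking}


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    Endpoint("lab-kiosk-01", "windows", "10.0.19045", True, True, True, True, True, False),
    Endpoint("staff-mac-07", "macos", "13.5.2", True, True, True, True, True, True),
    Endpoint("staff-win-12", "windows", "11.0.22621", False, True, True, False, True, True),
    Endpoint("old-mac-03", "macos", "10.15.7", True, True, True, True, True, True),
]


def assess_all(inventory=SAMPLE_INVENTORY) -> dict[str, dict]:
    """Assess every record and key the results by hostname."""
    return {ep.hostname: assess(ep) for ep in inventory}


if __name__ == "__main__":
    for result in assess_all().values():
        blocked = f"; blocked by: {', '.join(result['blocking'])}" if result["blocking"] else ""
        print(f"{result['hostname']:14} -> Level {result['level']} ({result['position']}){blocked}")
```

Run as a script, it reports that the shared-account kiosk and the macOS 10.15 machine stay at Level 1 (for different reasons), the unpatched, unencrypted Windows 11 laptop reaches Level 2 only, and the fully controlled Mac reaches Level 3. Listing the blocking controls per endpoint is what a support technician needs in order to know which remediation unlocks the next level, which is the practical output of a posture check rather than a bare pass/fail.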
March 1, 2024
All university-owned endpoints will operate under Enterprise Endpoint Management with Minimum Security Controls, which will be enforced on University Networks.
- All Managed Endpoint Inventory Migrated to Enterprise Inventory
- Low & Medium Risk Controls will be Enforced on Edge Network & VPN
- Migrate All endpoint computer objects into the Endpoints OU stem in Active Directory
  - Legacy Organizational Units in Active Directory will be removed
- Tag All Endpoints in Jamf according to Risk Classification
  - Defaults for new endpoint enrollments will be set at Medium Risk