Desktop Security Initiatives

In this article, we'll discuss the different ways we're securing the SJU desktop computing environment.

 

Full Disk Encryption

What can I expect during the encryption process?

To encrypt your laptop, OIT will utilize the encryption software already installed on your machine. This will NOT impact the performance of your device. We will install a multi-platform management application called Workspace One (also known as AirWatch) on your device to facilitate the encryption process. Going forward, you will continue to unlock your computer with your SJU username and password.

For all Mac devices, encryption using Apple FileVault will be enabled automatically, and there will be no need for an OIT technician to touch your laptop. On July 31st, 2019, users will be prompted in Managed Software Center to perform a reboot, which will start the encryption process.

For Windows laptops, OIT will use the native BitLocker application for encryption. There will be a few steps that you will need to follow in order to begin the encryption process, which we will be assisting with.

OIT staff will securely store the recovery keys for your encrypted computer in the event that there is a need to decrypt and recover data.

 

I have a desktop, what does this mean for me?

For Windows desktops, nothing will happen to your machine at this time. Laptops are at greater risk of being stolen or lost, so OIT will focus on mitigating this risk first. Once all laptops are encrypted, OIT will turn its attention to desktop encryption, and we will communicate this plan to faculty and staff.

As all Mac desktops and laptops are already enrolled in Workspace One, we will encrypt all MacBook Pros, iMacs, Mac Minis, and Mac Pros starting on July 31st, 2019.

 

How does this affect files that I move from my encrypted computer to another location (Google Drive, USB drives, etc.)?

Full Disk Encryption works by encrypting all of the data on the drive contained in your computer. If a laptop with an encrypted hard drive is stolen, all the files are safe. If you copy a file to another location, it is no longer being stored on the encrypted hard drive, so it will be stored in an unencrypted fashion unless the target location is also running Full Disk Encryption. Your files are only as safe as the drive they are stored on.

The goal of this project is to remove the risk of confidential or sensitive data being accessed from a stolen laptop. However, if you store confidential/sensitive data on your USB drives, we recommend that you either delete this type of data from your USB drive and store it on Google Drive instead, or encrypt your USB drive. If you would like assistance in encrypting a USB drive, please contact the Technology Service Center at 610-660-2920. Be aware that if you lose the password and recovery key associated with your USB drive, neither you nor OIT will be able to recover your data. If you have questions about confidential or sensitive data, please refer to our Data Classification Policy.

 

Additional Security Changes

Timeouts and Lockouts

Several security changes will be introduced to coincide with the encryption initiative:

First, OIT is now required to activate a setting on University computers that places a computer in a locked state after a certain amount of inactivity. When your computer is not used for 20 minutes (while plugged into an outlet), the inactivity threshold will be exceeded, and your computer will be locked. You will not lose any work in progress; however, you will be required to re-enter your SJU username and password to resume any work.

Note: if you are using a laptop and running on battery power, you will see more aggressive system timeouts that will put your laptop to sleep. Upon "waking up" the laptop, you will also be required to enter your password again.

The second security change that will be implemented pertains to University accounts. These accounts will be locked for 10 minutes after there have been 10 failed login attempts. This is an important security measure that will help prevent unauthorized access to SJU computers, your account, and your data in cases where a hacker uses an automated process to try thousands of passwords to gain access. This security measure has also been strongly recommended by our security auditors.

Please see our article here that provides the security settings in greater detail.

 

Windows Software Center

Patch Management & Automatic Reboots

We will be introducing a new comprehensive tool called Microsoft System Center Configuration Manager (SCCM) that will allow us to better deploy applications, security updates and patches to Windows computers.

Windows users already take advantage of using tools like Windows Update to keep their SJU-issued computers up to date, and this will further ensure they are being routinely patched to mitigate security vulnerabilities.

Another advantage of using SCCM will be the Software Center, which will serve as a type of self-service portal, allowing users to select University-licensed applications and install them on their own without the need to submit a ticket. For more information, please see this article.

 

Find My Mac

Currently, some macOS users have enabled and configured Find My Mac on their SJU-issued Mac. Find My Mac uses a personal, non-SJU iCloud account to track the location of your Mac. As we'll be using our management tool, Workspace One, to manage encryption and the security of each SJU-issued Mac, we will require Find My Mac to be disabled. This will add a layer of security so that University data is not being stored in non-University locations, and will allow the University to ensure devices are not being remotely tracked, locked, or wiped from a compromised iCloud account.

For the Mac users who may currently be using Find My Mac, OIT will begin a targeted outreach so that it can be disabled.

 

Who should I contact with questions about any of the initiatives outlined above?

Please contact the Technology Service Center at 610-660-2920.


Details

Article ID: 79290
Created: Wed 5/29/19 12:24 PM
Modified: Thu 9/12/19 11:52 AM