Endpoint Management Policy

In an effort to improve the consistency, efficiency, and security of endpoint management on the UT campus, the IT Leadership Council Endpoint Management (EPM) Standing Committee, in partnership with the Information Security Office, is leading a campus-wide initiative to develop and implement endpoint management practices and centrally managed endpoint management tools for university desktops, laptops, and tablets.

More details on this can be found here: Endpoint Management (EPM) Centralization and Standardization Program

UT is leveraging EPM tools for Microsoft and Apple devices. Apple laptops and tablets are to be installed with JAMF while Microsoft devices will be installed with MECM (Microsoft Endpoint Management Configuration Manager), formerly SCCM.

This software will be installed before we deploy devices to end users.

Patching and system reboots

Patching, updates and upgrades are necessary tasks for all systems. Regular security patching keeps a system current and protects it from known-vulnerable packages.

In order to keep in compliance with policies set by the security office, regular updates will come with regular reboots when necessary.

MacOS

For MacOS with Jamf, ITS has published Jamf Community Practices (no login required). More information about what to expect can be found in OS Patching: UT Macintosh Security Updates and Reboot Policy

Windows

A similar practice is applied to Windows running MECM.

Attention

It is important to note the policies above can change at any time. Sysnet has no control over these practices put in place by ITS.

Linux

Our Linux desktops and servers are enrolled in Ubuntu Pro and receive daily security updates as new patches are released. All other updates will be applied once a week, usually on Monday. We will be increasing the cadence of software updates to minimize our synchronization time with the mirror.

Along with the security patches, regular reboots will be required when a new kernel or a package requiring a reboot is installed. To comply with University policy, we will be more aggressive and will reboot desktops when required. Our process is as follows:

  • unattended-upgrade runs periodically to perform updates

  • On Friday, we check for the presence of /var/run/reboot-required. If this exists, we begin to send out notifications hourly to any open terminals and schedule a reboot for the following Sunday morning at 3am.

It will be the responsibility of the user(s) to be aware of when a reboot is required. Sysnet will not be responsible for lost data during reboot periods.
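The Friday check described above, written out as an added example (this is illustrative code, not Sysnet's own tooling). It assumes a Debian/Ubuntu host running systemd, with unattended-upgrades, wall(1) and shutdown(8) available; the cron line in the comment is an assumed placement.

```shell
#!/bin/sh
# Added example: check for a pending reboot on Friday, schedule it for
# Sunday 03:00 and warn logged-in terminals hourly until then.

REBOOT_FLAG="${REBOOT_FLAG:-/var/run/reboot-required}"

# reboot_required FILE: succeeds when the flag file written by kernel and
# library package installs is present.
reboot_required() {
    [ -e "$1" ]
}

# minutes_until_sunday_3am DOW HOUR MIN: minutes from the given local time
# (DOW 1=Mon..7=Sun, as printed by `date +%u`) to the next Sunday 03:00.
minutes_until_sunday_3am() {
    now=$(( ($1 % 7) * 1440 + $2 * 60 + $3 ))   # minutes since Sunday 00:00
    diff=$(( 180 - now ))                         # 03:00 is 180 minutes in
    [ "$diff" -gt 0 ] || diff=$(( diff + 10080 )) # already past: next week
    echo "$diff"
}

# check_and_schedule: if a reboot is pending, schedule it and send an hourly
# wall notice; the loop keeps the cron job alive until the reboot fires.
check_and_schedule() {
    reboot_required "$REBOOT_FLAG" || { echo "no reboot required"; return 0; }
    h=$(date +%H); m=$(date +%M)           # strip a leading zero for $(( ))
    mins=$(minutes_until_sunday_3am "$(date +%u)" "${h#0}" "${m#0}")
    # Debian convention: the packages that set the flag are listed here.
    pkgs=$(cat /var/run/reboot-required.pkgs 2>/dev/null | tr '\n' ' ')
    shutdown -r "+$mins" "Scheduled reboot for security updates: $pkgs"
    while [ "$mins" -gt 60 ]; do
        wall "Reboot in $((mins / 60)) hours (Sunday 03:00) for security updates. Save your work."
        sleep 3600
        mins=$(( mins - 60 ))
    done
}

# Run only when invoked explicitly, e.g. from an assumed Friday cron entry:
#   0 8 * * 5 /usr/local/sbin/reboot-check.sh run
if [ "${1:-}" = "run" ]; then
    check_and_schedule
fi
```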

Note

Servers are a special case and will be handled differently than the desktops when it comes to rebooting. Sysnet will contact groups or centers prior to rebooting servers.

EPM Software

JAMF

In 2021, the Oden Institute purchased licenses from JAMF to manage our fleet of Apple devices. Shortly after, UT worked out an agreement with JAMF to provide licenses for the campus. Sysnet’s work is nearly complete with a few outstanding laptops and several portable devices still needing to be migrated. Instructions on how to migrate JAMF are outlined below:

MECM

We worked out an agreement with Aerospace Engineering to use their MECM instance since we have so few Windows devices. As we deploy Windows laptops and desktops, they must be bound to Austin Active Directory (AAD) and have MECM installed.

PUPPET

Puppet is a complete configuration management tool for Linux desktops. Puppet will be installed on every desktop Sysnet manages, whether fully or partially. Puppet allows us to have a consistent desktop offering across the institute. In addition, we purchased Ubuntu Pro to allow us to keep up to date with security packages not readily available on other Debian variants.

NESSUS

All laptops, desktops, and servers are to have Nessus agents installed as part of the Minimum Security Standards for Systems. Nessus agents provide vulnerability scanning for systems.