.. vim: syntax=rst

.. include:: ../global.rst

.. _policy-policy_docs-epm:

==========================
Endpoint Management Policy
==========================

In an effort to improve the consistency, efficiency, and security of endpoint
management on the UT campus, the IT Leadership Council Endpoint Management (EPM)
Standing Committee, in partnership with the Information Security Office, is
leading a campus-wide initiative to develop and implement endpoint management
practices and centrally managed endpoint management tools for university
desktops, laptops, and tablets. More details can be found here:
`Endpoint Management (EPM) Centralization and Standardization Program`_

UT is leveraging EPM tools for Microsoft and Apple devices. JAMF is to be
installed on Apple laptops and tablets, and MECM (Microsoft Endpoint Management
Configuration Manager), formerly SCCM, on Microsoft devices. This software will
be installed before we deploy devices to end users.

Patching and system reboots
===========================

Patching, updates and upgrades are a necessary task for all systems. Regular
security patching keeps systems up to date and protects them from vulnerable
packages. To stay in compliance with policies set by the security office,
regular updates will be accompanied by reboots when necessary.

MacOS
-----

For **MacOS** with Jamf, UT has published `Jamf Community Practices`_ (no login
required).

Windows
-------

A similar practice is applied to **Windows** running MECM.

.. attention::

   It is important to note the policies above can change at any time. Sysnet
   has no control over these practices put in place by ITS.

Linux
-----

Our **Linux** desktops and servers are enrolled in Ubuntu Pro and receive daily
security updates as new patches are released. All other updates will be applied
once a week, usually on Monday.
We will be increasing the cadence of software updates to minimize our
synchronization time with the mirror.

Along with these security patches, regular reboots will be required when a new
kernel is installed. To comply with University policies, we will be more
aggressive and will require rebooting desktops and servers when a new kernel is
released. To minimize disruption to the end user, we will issue a warning once
and then reboot on the following Sunday at 3am after a new kernel has been
installed. It will be the responsibility of the user(s) to be aware of when a
reboot is required. Sysnet will not be responsible for lost data during these
reboot periods.

EPM Software
============

JAMF
----

In 2021, the Oden Institute purchased licenses from JAMF to manage our fleet of
Apple devices. Shortly after, UT worked out an agreement with JAMF to provide
licenses for the campus. Sysnet is working on migrating devices from our JAMF
instance to UT's JAMF instance. Instructions on how to migrate JAMF are outlined
below:

:ref:`JAMF Migration Instructions for MacOS `

MECM
----

We worked out an agreement with Aerospace Engineering to use their MECM
instance since we have so few Windows devices. As we deploy Windows laptops and
desktops, they must be bound to Austin Active Directory (AAD) and have MECM
installed.

PUPPET
------

Puppet is a complete configuration management tool for Linux desktops. Puppet
will be installed on desktops whether or not Sysnet fully manages them. Puppet
allows us to have a consistent desktop offering across the institute. In
addition, we purchased Ubuntu Pro to allow us to keep up to date with security
packages not readily available on other Debian variants.

NESSUS
------

All laptops, desktops, and servers are to have Nessus agents installed as part
of the `Minimum Security Standards for Systems`_. Nessus agents provide
vulnerability scanning for systems.