Å·ÃÀÉ«ÇéƬ

Skip to main content
University of Nebraska System logo

Endpoints

In accordance with EM 16, all university-owned endpoints (desktops, laptops, tablets, mobile devices) will be enrolled in endpoint management when made available by ITS. This means that ITS will be able to deliver appropriate security posture configurations and keep more devices updated and patched, leaving them less vulnerable to attacks.

Action Items

  1. Complete the Endpoint Inventory Survey (November 21, 2022) (Complete)
  2. Complete the Enterprise Endpoint Management Training (December 31, 2022) (Complete)
  3. Enroll all university-owned Endpoints in Management (May 22, 2023) (Complete)
  4. Identify and Organize High Risk Endpoints (May 22, 2023) (Complete)
  5. Upgrade Unsupported OS or Request an Exception (August 1, 2023) (Complete)
  6. Remove Shared Accounts & Configure Endpoints to use Managed Identities (August 1, 2023) (Complete)
  7. Identify and Organize Medium Risk Endpoints (March 15, 2024) (Complete)
  8. Identify and Organize Low Risk Endpoints (July 8, 2024) (Complete)

Timeline

The following is a tentative timeline for reaching the goal of having all endpoints enrolled in endpoint management with appropriate security. ITS will be working directly with college/department technicians to implement these changes.

December 31, 2022 (Complete)

All new university-owned endpoints are enrolled in management were made available by NU-ITS and comply with Baseline Endpoint configuration controls.

  • Complete College/Department Endpoint Survey by November 21 
    • Estimated total for all endpoints by Operating System
    • Identification of High Risk teams or positions
  • High Risk Configuration Controls
    • Applied to ITS on November 7
      • Infrastructure (Level 10) edge network enforcement on November 14, VPN on November 30
    • Applied to Enterprise Endpoint Management Architecture on December 5
  • Enterprise Endpoint Management Training Must be Completed
    • Legacy access to SCCM & Jamf will be removed
    • Technicians will be reminded to complete training at 60 & 30 days
    • All New Apple endpoints purchased in eSHOP will automatically enroll in Jamf
      • Inventory Managers should claim endpoints before unboxing

March 1, 2023 (Complete)

Continue enrolling university-owned endpoints in management where made available by NU-ITS. Essential Security services will be applied to all managed endpoints. (, and .

  • Enforcement of Essential Security Services
    • All managed endpoints automatically enroll in , , &
    • High Risk managed endpoints receive Splunk forwarder for system, application, and security logs
  • Low & Medium Minimum Security Controls Enabled
    • Applied to Enterprise Endpoint Management Architecture
  • IT Support Teams Continue Organizing Employee Endpoints by Risk Classification
    • Identified High Risk Endpoints receive High Risk Minimum Security Controls, ITS recommends that all other Faculty & Staff Endpoints receive Medium Risk Security Controls
  • Routine Progress Reports Delivered to IT Support Team Leaders

May 22, 2023 (Complete)

All university-owned endpoints are enrolled in management where made available by NU-ITS. High Risk endpoint security posture required to access High Risk Information Systems.

  • All High Risk Endpoints Configured with High Risk Minimum Security Controls
    • High Risk Controls Required on Edge Network & VPN to access High Risk Information Systems
    • VPN access to High Risk Information Systems requires a university owned endpoint configured with High Risk Controls
  • IT Support Teams Continue Organizing Endpoints by Risk Classification
    • ITS recommends All Faculty & Staff endpoints receive Medium Risk Security Controls unless identified as High Risk
    • ITS recommends All Classrooms, Labs, Kiosks, and other shared endpoints receive Low Risk Security Controls

July 5, 2023 (Complete)

Remote VPN access to Medium Risk Information Systems will require Medium Risk endpoint security posture.

Inbound access to general endpoint roles in Edge Network Levels 1, 2, & 3 will be limited to secure remote access protocols and ITS Remote Support service.

  • Medium Risk Security Posture
    • University-owned endpoints will require enrollment in Enterprise Endpoint Management and Medium Risk security posture
    • BYOD endpoints will require all configuration items identified as Personal Device Security https://services.nebraska.edu/service/personal-device-security

August 1, 2023 (Complete)

Unified Edge Network access to Medium Risk Information Systems will require Medium Risk endpoint security posture for university-owned and BYOD endpoints. Disk Encryption will not be required for Medium Risk university owned and BYOD endpoints until March 1, 2024.

Supported OS required on university owned endpoints to authenticate on the Unified Edge Network (Level 2 and above).

Removal of Shared Accounts for accessing University Information Systems.

Low Risk endpoint security posture and individual user accounts will be required to authenticate university-owned endpoints to Low-Risk Network (Level 2).

  • All University Endpoints will use Managed Identities
    • All endpoints will leverage an ITS Identity Management System
  • Managed Idle Position Shifts from Low Risk (Level 2) to Untrusted (Level 1)
    • Posture assessments & managed identities will be required to elevate to Low Risk (Level 2)
  • Security Posture Assessment for Low Risk Servers in the Unified Edge Network
  • Upgrade Unsupported Operating Systems
    • Managed & BYOD endpoints will be required to run Windows 10 or 11, macOS 12, 13, or 14 to authenticate on the Unified Edge Network (Level 2 and above).
  • Posture Checks for Endpoints Accessing Medium Risk (Level 3)
    • Medium Risk endpoint security posture required to authenticate on Unified Edge Network for access Medium Risk Information Systems
    • BYOD endpoints on the Unified Edge Network will require OnGuard and all configuration items identified as Personal Device Security https://services.nebraska.edu/service/personal-device-security
    • Medium Risk Security Posture Includes: Supported & Patched OS, Cortex XDR, Local Firewall, and Disk Encryption with BitLocker or FileVault. Disk Encryption will not be required for Medium Risk university owned and BYOD endpoints until March 15, 2024.

March 15, 2024 (Complete)

All Medium Risk university-owned endpoints will operate with Enterprise Endpoint Management and Minimum Security Controls. Medium Risk endpoint security posture required to access Medium Risk Information Systems on University Networks.

  • Migrate Medium Risk Windows endpoint computer objects into the Endpoints OU stem in Active Directory
  • Classify Medium Risk macOS endpoints in Jamf
  • Defaults for new endpoint enrollments will be set at Medium Risk
  • Disk Encryption required for Medium Risk university owned and BYOD endpoints
  • Medium Risk Security Posture will be Enforced on the Edge Network & VPN

    July 8, 2024 (Complete)

    All Low Risk university-owned endpoints will operate with Enterprise Endpoint Management and Minimum Security Controls to access to Low Risk University Networks.

    • Migrate Low Risk Windows endpoint computer objects into the Endpoints OU stem in Active Directory
      • Classify Low Risk macOS endpoints in Jamf
      • Low Risk Security Posture for University-Owned Endpoints will be Enforced on the Edge Network & VPN

      What is an "endpoint"?

      A University-owned endpoint is a computing device used directly by a user. Examples include but are not limited to: desktops, laptops, and tablets.

      What is Endpoint Management?

      Endpoint Management describes a system of technologies and processes that provide University endpoints with a baseline of automated services that ensure optimal productivity and security. At the University of Nebraska System, these services include:

      • Essential Security and Productivity Software
      • Self Service App for Additional University Software
      • Routine Software Patching and Vulnerability Remediation
      • Role-Based Access to the University Network
      • Real-Time Malware & Antivirus Protection
      • Default Data Encryption
      • Appropriate Security Configurations to meet Specific Data Risk Requirements
      • Access to a Secure Off-Campus VPN (Virtual Private Network)

      Will my university-owned desktop and/or laptop need to be enrolled in endpoint management?

      Yes. university desktops and laptops will need to be enrolled in the appropriate management system to receive essential configurations and regular security patches. All university endpoints and systems must implement access controls, including passwords and/or biometric security.

      What information does ITS collect from managed endpoints?

      Endpoint Management describes a system of technologies and processes that provide University endpoints with a baseline of automated services that ensure optimal productivity and security. At the University of Nebraska System, these services include:

      • Essential Security and Productivity Software
      • Self Service App for Additional University Software
      • Routine Software Patching and Vulnerability Remediation
      • Role-Based Access to the University Network
      • Real-Time Malware & Antivirus Protection
      • Default Data Encryption
      • Appropriate Security Configurations to meet Specific Data Risk Requirements
      • Access to a Secure Off-Campus VPN (Virtual Private Network)

      Who has access to my university endpoint?

      Select members of your college/department's IT support group have the ability to manage your university-owned endpoint, plus ITS Security Services. All endpoint management actions are logged and can be audited for compliance with university policy.

      Will I have any control over when my endpoint is updated/patched?
      • Yes. Managed endpoints will provide users with an opportunity to defer regular patches/updates for a period of time so that the update process can occur at a convenient time. Once the maximum deferrals have been reached, patches will be automatically installed. Details on the patch process will be made available. 
      • Some patches/updates deemed immediately necessary due to the risk level could be made within minimal notification by our Information Security team. 
      • Campus links to the patch process:
        • Kearney: 
        • Lincoln: 
        • Omaha: 

      Will I have administrative access to my university-owned endpoint?

      There will be no automatic changes to account privileges when enrolling in endpoint management. Your IT support team will contact you if any privilege changes occur within your organization.

      Are servers included in the definition of "endpoints"?

      No, servers are included in the definition of “systems”.  Applicable systems, such as servers, must also enroll in the appropriate endpoint management system to receive essential security configurations and routinely patch software to address identified vulnerabilities.

      Can I store university data on my university-owned endpoint?

      Yes, any university-owned endpoint meeting the minimum security controls may store university data. Best practice would be to only store the relevant data needed to complete your job responsibilities. Data should be maintained in the system of record and should not be duplicated or replicated in other information systems.

      Responsible Use of University Computers and Information Systems

      Read Executive Memorandum 16

      COOKIE USAGE:

      The University of Nebraska System uses cookies to give you the best online experience. By clicking "I Agree" and/or continuing to use this website without adjusting your browser settings, you accept the use of cookies.

      PRIVACY SETTINGS