Mac Management

Cise IT continues to work with Central IT to ensure our college's computers meet the university auditors' requirements. This includes being able to ensure assets are accounted for, personal computers (desktops and laptops) are encrypted, security patches are applied, the OS is under support, vulnerable applications are patched, antivirus is in place and configured, and that we can provide proof of all this to Central IT.

Up to this point, our team has mostly focused on Windows management, but Central IT is under increasing pressure from the university auditors to ensure all systems meet these requirements, which includes our college's Macs. As our college has been allowed to bear the responsibility of managing our own systems instead of Central IT, we need your help in meeting these requirements in a way that empowers you and is as unobtrusive as we can make it.

None of this is intended to remove Sudo or your ability to manage your own machine, to burden the system needlessly, or to breach the privacy you deserve. We ask you to help us by doing the following four things:

  1. Enroll your Mac in JAMF if it is not already
  2. Install JAMF Protect as a replacement for Symantec
  3. Rename your computer to help us better identify it and contact you if necessary
  4. Install Key Access to help us with auditing and reporting

If you have any difficulty performing any of this or if you would prefer our help, please let us know and we'll be happy to assist.

JAMF

Central IT manages university-owned Macs using a third-party tool known as JAMF. JAMF offers an easy platform to provide self-service software installs such as Microsoft Office, Acrobat, the Ivanti Secure VPN client, etc. Additionally, it will keep those same products up-to-date, and can be used to easily connect to shared department printers (something that we will be working to add). It also ensures patches are vetted by Central IT and installed in a timely manner, FileVault recovery keys are escrowed should the password be forgotten, and the system can be remotely wiped if it is permanently lost or stolen. Finally, it includes an antivirus agent called JAMF Protect that replaces Symantec.

While many of our Macs come enrolled in JAMF from the vendor, we are finding that many are not, and we simply don't know what we are currently missing. If you do not have the “JMU Self Service” App on your system (a purple computer icon with the JMU logo), we ask if you could please enroll your system:

  1. open the management profile you downloaded, then install it using the Profiles page of the Settings App
  2. after restarting, there should be additional profiles loaded which you can review, and the JMU Self Service App will be added to the Applications folder and Dock (it can be unpinned)

JAMF Protect

Once the JMU Self Service App is installed, open the App and look under the “featured” list for JAMF Protect. We are not currently pushing this product to systems as we would like you to have the opportunity to opt-in when it is convenient for you to do so. We will discuss with the departments the appropriate time that it should be deployed more broadly.

Naming

We also ask if you could name your Mac using either its ESN tag (YY-####) or your eID, using “CISE-” as a prefix. This will help us differentiate systems, since names like “iMac” or “MacBook Pro” aren't terribly helpful, and will specifically ensure CISE machines are managed by Cise IT.

Open the Terminal app and run the following commands:

sudo scutil --set HostName cise-<eID/ESN>.cise.jmu.edu
sudo scutil --set LocalHostName cise-<eID/ESN>
sudo scutil --set ComputerName cise-<eID/ESN>
dscacheutil -flushcache
sudo shutdown -r now
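
After the restart you can confirm that all three names took effect. The script below is an added example, not part of the original notice: its function names are hypothetical, and it assumes an eID is lowercase letters and digits starting with a letter.

```shell
#!/bin/sh
# Added example: verify a Mac's three names against the cise-<eID/ESN> convention
# used by the scutil commands above (lowercase "cise-" prefix).

# Succeeds if $1 is an ESN tag (YY-####) or looks like an eID.
# Assumption: an eID is lowercase letters/digits and starts with a letter.
valid_id() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{2}-[0-9]{4}|[a-z][a-z0-9]*)$'
}

# Print the value each scutil key should hold for identifier $2.
expected_name() {  # usage: expected_name <key> <id>
  case "$1" in
    HostName)                   printf 'cise-%s.cise.jmu.edu\n' "$2" ;;
    LocalHostName|ComputerName) printf 'cise-%s\n' "$2" ;;
    *) return 2 ;;   # not one of the three names set above
  esac
}

# Compare one actual value with the expected one; report a mismatch on stderr.
check_name() {  # usage: check_name <key> <id> <actual value>
  want=$(expected_name "$1" "$2") || return 2
  [ "$3" = "$want" ] && return 0
  printf '%s: have "%s", want "%s"\n' "$1" "$3" "$want" >&2
  return 1
}

# On the Mac: read the live values with `scutil --get` and check all three.
audit_mac() {  # usage: audit_mac <id>
  valid_id "$1" || { echo "not an ESN tag or eID: $1" >&2; return 2; }
  rc=0
  for key in HostName LocalHostName ComputerName; do
    check_name "$key" "$1" "$(scutil --get "$key" 2>/dev/null)" || rc=1
  done
  return $rc
}
```

On the Mac itself, run `audit_mac 21-0042` (a constructed ESN tag; substitute your own identifier). Reading the names with `scutil --get` does not require sudo.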

Key Access

Finally, we ask if you could install the Key Access client from the JMU Self Service App. Key Access is part of Sassafras AllSight - a product we (Cise IT) have started using this past year to consolidate information from both Microsoft and JAMF. It gives us a bigger picture of our college's overall computing resources and provides easy auditing and reporting of this information. AllSight gives us further insights that JAMF does not, including warranty information, reporting on which systems can be upgraded to the latest version of the OS and which cannot, which systems have not rebooted in 60+ days and are likely missing patches, if a system has been offline for over a year and may have been retired, etc. AllSight has made the biggest improvement in how we are able to identify and address issues and provide validation to Central IT.

Timeline

We do not currently have a timeframe for implementing policies needed to meet each of the auditors' requirements, but we will discuss any such changes with college leadership before doing so and provide clear communication with each of you well in advance. My suspicion is that we will use the spring semester for you to individually opt into anything and evaluate your experiences before any further changes this coming year.

Thank you!

We understand any hesitancy to have your systems managed beyond your own fingertips. You are all experts in your field and have managed your own systems for years. We do not want to take any of that away from you nor diminish your expertise. We have no intention of removing Sudo permissions or dictating how you use your systems and will never use any such tools to surveil you. We will ensure you continue to have full agency to work as you need in the privacy you deserve. We simply ask you to allow us to work with you to ensure we meet the university's computing goals so our college can maintain its autonomy. If we can shoulder some of the burden of ensuring the security of your systems, we hope to leave you more time to do what you do best - teach our next generation.

We really appreciate your help and your continuing trust in allowing us to help manage your computers. If you have any questions or concerns, if you would like to discuss any of this further, or if you need anything else, please let us know. We are here to support you and to listen to your needs. Thank you!