Computer Setup
To ensure that the initial configuration goes smoothly, it is important that:
- The primary user of the computer is the first person to log in to the machine: Many IT professionals are accustomed to completing computer setup from initial login, including installing applications and performing administrator-level work, then delivering the computer to the end user. However, if an IT professional enters their own email address during the Secure Computing automatic deployment setup, the computer will be configured for the IT professional as the primary user rather than the intended end user. It would then require additional configuration to reassign the computer to the end user with proper login rights.
- In the event that the primary user needs assistance setting up their new Apple or Dell computer, the IT professional should walk through the configuration with their end user, rather than setting up the computer ahead of time and then delivering it to the customer.
IT Professionals FAQ
Take a look at the general Secure Computing FAQ for additional information. If you have a question that isn't answered on the OIT website, please contact the IT Service Center or ask in the IT Community of Practice Microsoft Team.
Meeting the Secure Computing Standard
What is the role of an IT professional in meeting and supporting the Secure Computing standards?
All campus IT professionals have a responsibility to incorporate IT security safeguards into the IT services and products provided to the university community. IT professionals should be familiar with the Secure Computing standards and, where appropriate, determine how best to apply these standards to the configuration and management of endpoints and servers in consideration of end users and specific departmental needs. Frequently, IT professionals are the direct point of contact for IT requests and issues, and therefore in the unique position of sharing security best practices and helping others understand how to implement these in the course of their job duties. Foundational training is provided to IT professionals in support of this important role.
Do the standards apply to research institutes? Will we have assessment/audits?
The Secure Computing standards do apply to research institutes. Some institutes already adhere to stricter data protections imposed by external partners; in those cases, the more stringent requirements should be followed. In a future phase, all departments who opt to meet the standards outside of the framework offered by OIT will have to self-attest their compliant posture.
What will enforcement of the standards look like?
Understanding that not all university-owned devices will be in compliance with these standards immediately, a slow approach is being taken to enforcement. In the near term, OIT will be generating reports for campus leadership and IT professionals showing progress in their areas and highlighting areas for improvement, which could include machines with out-of-date software or those lacking endpoint detection and response software.
Is there a financial cost to departments to adhere to the Secure Computing standard?
CU Boulder's Microsoft A5 agreement provides the licenses needed to meet the Secure Computing standards on desktops and laptops. OIT is subsidizing licenses for the EDR (Endpoint Detection and Response) solutions for servers through FY24, but will likely require departments to pay for their EDR licenses beginning in FY25. Jamf endpoint management for Apple computers and the Windows 3rd-party application patching utility both require licenses, which OIT is purchasing on behalf of departments through FY24. OIT will provide more information to departments about financial costs related to the components of Secure Computing as soon as we can.
Ordering and Deployment
There is a new field in the Marketplace order form for Dell computers that asks for a department abbreviation. What is this for?
This is not a required field. However, the department abbreviation helps make sure that computers ordered for specific departments will work with custom computer deployment workflows that have been provided by the department. If this field is left blank, the Dell machine will run through the default Secure Computing workflow when the customer first logs in to the computer.
What if I have a problem on a computer that is caused by the default policies included in the Secure Computing framework?
Please reach out to the IT Service Center at oithelp@colorado.edu and OIT's Endpoint Management Services team will reach out to you.
Can the Secure Computing framework be deployed on existing computers?
Yes, IT professionals have access to a set of tools to deploy the framework on existing computers. IT professionals should note that existing computers must be reset or re-imaged as part of the process of enrolling them in the program. Additionally, OIT is working on a streamlined approach that will allow end users to enroll their existing campus computer in the Secure Computing program. More information on this enrollment method will be provided as it becomes available.
Does the Secure Computing policy apply to phones and tablets?
While the standard applies to all university-owned devices, the project has not yet created an implementation strategy for phones and tablets, and the recommended tools may not be supported by these device types. Components of the standard should be applied, including: up-to-date operating system and software, whole disk encryption, and cloud backups. A future phase of the project will consider a more robust tool suite to secure technologies other than computers and servers.
Are exceptions available for unsupported or end-of-life software?
Yes, exceptions may be requested for unsupported and end-of-life software. Where adequate compensating controls are in place and sufficient business justification exists, these exceptions may be approved.
Does the Secure Computing standard apply to virtual desktops?
Yes, the Secure Computing standard applies to virtual desktops.
We currently use our own endpoint management tool for Windows. Can we continue to use it to manage our departmental computers?
In most cases, yes. While the Secure Computing standard requires systems to run the Configuration Manager client, many endpoint management tools will work in parallel with Configuration Manager. It's important that you test the two tools side-by-side to check for compatibility issues.
We are on our own Active Directory domain. Are we still required to adhere to the Secure Computing standard?
Yes, your computers must still adhere to the Secure Computing standard. If you are unable to meet the requirements, you will need to request an exception to the standard. Visit the Computer Standard Exception Process page for a detailed description of the process, as well as the necessary forms to fill out.
I have had issues with BitLocker in the past. Can I use self-encrypting disks instead?
No. BitLocker technology, combined with TPM chips, has come a long way. The Secure Computing framework escrows the backup copy of the encryption keys used for a specific computer. If there is a compelling business reason why BitLocker cannot be used, you may consider seeking an exception. Visit the Computer Standard Exception Process page for a detailed description of the process, as well as the necessary forms to fill out.
Does the primary user of the computer have admin access?
Yes, the primary user who logged in to the computer during the initial setup process is configured as a local administrator on the computer. As a result, if your customer needs help with a task that requires administrative access, they will need to work alongside you during that task so they are able to enter their password when it is needed.
Do I need to do anything when my customer receives their Dell or Apple computer?
Yes, we recommend that you walk through a few automatic setups with your customers to be sure the new process goes smoothly and so you can provide feedback to OIT. You will continue to help customers with additional departmental applications and settings.
Framework Customizations
Can I customize the Secure Computing automated deployment for my customers?
Yes, but it is the responsibility of the IT professional making these changes to ensure that the customized deployment still meets all the requirements of the Secure Computing standard. To get started with a custom deployment for your department, please send your request to the IT Service Center at oithelp@colorado.edu and OIT's Endpoint Management Services team will reach out to you.
Is it possible to accidentally create a departmental customization that would prevent the computers from being fully compliant with the Secure Computing standard?
Yes, when making customizations to these computers in your Active Directory OU, Jamf or Configuration Manager, it is possible to change something that would cause your computers to no longer be compliant with the standard. It is the responsibility of the IT professional making these changes to ensure that they do not impact the ability of the computer to meet all the requirements of the Secure Computing policy.
What if I make a departmental customization that overwrites one of the default Secure Computing configurations and breaks functionality for my department?
In the event that a departmental customization is causing unintended behavior with a computer in a department, OIT will ask the IT professional to build an additional computer that is enrolled only in the default framework, to confirm that the problem is being caused by a departmental customization rather than the default framework itself. Once it is confirmed that the issue is being caused by a departmental customization, it will be the IT professional's responsibility to review their customizations to isolate and fix the issue.
Help and Support
If you need assistance, visit the ITCP Secure Computing Project Teams channel or contact the IT Service Center at 303-735-4357 or oithelp@colorado.edu.