Laptops, notebooks, and tablets
With advances in management tools and methods, laptops/notebooks and tablets (herein called ‘devices’) are now treated almost the same as desktops. IST images laptops and tablets with our own in-house Windows image, but tablets are generally left alone. When a device is connected to the Nexus domain and managed, many security policies apply, which increases the security of the device. Having your device managed greatly reduces security concerns.
Having your device managed by IST
IST highly recommends having your device managed so that deployed applications can be automatically updated and Microsoft patches can be installed through SCCM. IST now also has the ability to manage software over eduroam for roaming devices.
Migrating to a managed environment
If your device is not yet managed, the following checklist will help to get you there.
All user files stored on the device must be backed up and moved to a network drive
It is highly recommended that the BIOS settings be in UEFI mode
BitLocker encryption works best with UEFI mode, especially on devices made after 2013.
Unless it is a tablet, the device should be reimaged with our in-house Windows image
When you join the Nexus domain, some domain policies will apply to increase security
Notes regarding managed devices
A number of changes will take place on your device as a result of the application of Group Policies. Here is a short summary:
The "standard" application suite will be installed. This includes:
Adobe Acrobat Reader, Adobe Flash Player, Google Chrome, Java, Microsoft Office 2016, Mozilla Firefox, UW Emergency Notification, and WatSAFE desktop notification (new Windows-based emergency communications software that will eventually replace UW Emerge; Mac client coming soon)
The Administrator and Guest accounts will be renamed
The Administrator password will be randomized and stored in Nexus through the LAPS tool
Automatic Windows updates will be managed by the SCCM server and Windows Update will no longer function
The computer object must have the proper software security groups added and the computer object must be added to the campus Wi-Fi management group
All portable devices must be BitLocker encrypted
This is an automatic process that will encrypt the hard disk to specifications established by IST
After these changes, you should log on to the device using your WatIAM credentials, even if you are not connected to the campus network.
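The following read-only PowerShell check is an added example, not an IST script. It reports whether a device shows the state described in the checklist and summary above: UEFI firmware, domain membership, renamed built-in accounts, BitLocker on the system drive, and a running SCCM client. The domain name is a placeholder assumption, and the script assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example: read-only check of the managed-device state described above.
# Run from an elevated Windows PowerShell 5.1 session on the device.
param(
    # Assumption: placeholder value; pass the real DNS name of the Nexus domain.
    [string]$ExpectedDomain = 'nexus.example.invalid'
)

$results = [ordered]@{}

# Checklist: BIOS settings should be in UEFI mode.
$firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
$results['Firmware is UEFI'] = [bool]($firmware -eq 'Uefi')

# Checklist: the device is joined to the domain so that domain policies apply.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Joined to expected domain'] =
    [bool]($cs.PartOfDomain -and ($cs.Domain -eq $ExpectedDomain))

# Summary: built-in Administrator (RID 500) and Guest (RID 501) are renamed.
$local = Get-LocalUser
$admin = $local | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }
$guest = $local | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-501$' }
$results['Administrator account renamed'] =
    [bool]($admin -and ($admin.Name -ne 'Administrator'))
$results['Guest account renamed'] =
    [bool]($guest -and ($guest.Name -ne 'Guest'))

# Summary: the disk is BitLocker encrypted (system drive checked here).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$results['System drive fully encrypted'] =
    [bool]($os -and ($os.VolumeStatus -eq 'FullyEncrypted'))
$results['BitLocker protection is on'] =
    [bool]($os -and ($os.ProtectionStatus -eq 'On'))

# Summary: updates are delivered by SCCM, so its client service should be running.
$ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
$results['SCCM client service running'] =
    [bool]($ccm -and ($ccm.Status -eq 'Running'))

# Print one row per check; a non-zero exit code signals at least one failure.
$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
} | Format-Table -AutoSize

if ($results.Values -contains $false) { exit 1 }
```

The script changes nothing on the device. A failed row only indicates that the corresponding item has not yet been applied or could not be read.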
Other notes
Passwords: You may notice that the "Change Password" option on the logon screen has been removed. To change your password, use the WatIAM User Access page. Note that local userids are not affected.
Offline files: If the device is in a “Laptop” OU, then "Offline Files" will be available to configure. This is configured with Windows Explorer under Tools and Folder Options. It's a very convenient way of keeping a copy of all of your network files (your "N" drive) on your device and synchronizing changes made to these files. The Synchronize panel (All Programs, Accessories) is used to configure your preferences for the automatic or manual synchronization of files between your device and the network storage device.
Internet Explorer components: One of the security changes of the managed environment is to disable the automatic install of Internet Explorer components. This feature is often exploited by malware. If you require the installation of an Internet Explorer component, log on using your administrator account and perform the installation (often by visiting the web site of the component provider).
Printers: Typically, Group Policies disable the ability to "access this computer from the network". This will affect your ability to share a local printer. Note that some departments have requested to be exempted from this policy.
Windows Update: If you are off campus for an extended period of time and not connected to the SCCM server, your laptop should still download patches from Microsoft. However, software updates will not be installed until the device is back on campus.