Guidelines on use of a workstation at the University of Waterloo

Preamble

This document is a supplement to its parent document Guidelines on use of Waterloo Computing and Network Resources. Guidelines from both apply to workstations at UWaterloo (UW).

Computing resources are important components of the university infrastructure. Workstations, whether desktops, laptops, tablets, smart phones or virtual desktops, are what clients use to access UWaterloo services and resources. These Guidelines govern the appropriate and ethical use of these resources, set out the expectations and responsibilities that come with their use, and clarify the context in which they are used. By following these guidelines, a client can expect a faster, more secure and more stable workstation and a quicker response to concerns or requests.

Guiding principles

General

  • Waterloo encourages and supports the use of UW-owned workstations but also allows for the use of secure and up-to-date client-owned or client-managed workstations, tablets and hand-held devices
  • Workstations supplied by UW are expected to be built and maintained by UW IT staff
  • Client-owned or client-managed devices are expected to be kept up-to-date and secure
  • There may be situations where a UW-owned workstation could be considered to be wholly or partially client managed
  • The guidelines presented here pertain mainly to Microsoft Windows workstations but are evolving for other operating systems

UW-owned workstations

  • UW-owned resources are provided primarily to support and further the mission of UW
  • As such, some tools, such as the locally installed clients required for remote management, are expected to be present
  • System Center Configuration Manager (SCCM) is the primary management, update and software delivery tool supported by IST and most faculties. At time of writing, SCCM is limited to Windows desktops and some laptops, and is evolving for Macintosh computers.
  • It is strongly recommended that all desktops and laptops be registered in campus and/or Nexus DNS. Wireless-only devices already require authentication to use the network, so they are exempt.
  • All workstations are expected to join the Nexus active directory
  • Administrative access to workstations is the primary responsibility of local UW IT staff. Administrative access is only granted to the client in exceptional circumstances. A business case must be presented to, and approved by, the client’s manager for this to happen.
  • When administrative access by the client can be justified, a secondary account is created. It is used only when elevation is required and never as the primary (day-to-day) account. (Our convention is to put a character like “!” in front of the client’s regular UWDIR account name and to assign this administrative account a different, and usually more complex, password.)
  • Laptops and tablets are to be treated the same as desktops in terms of management and administration
  • UW reserves the right to rebuild the OS and reinstall all applications at any time if it is deemed necessary

Client-managed, UW-owned workstations

In addition to all of the above guidelines:

  • The use of client-managed workstations to access UW resources is only permitted if the devices are secure and kept up-to-date in terms of the OS, patches and all applications
  • Administrative access is shared between UW IT staff and the client. Access to resources will be denied if the IT administrative access is tampered with.
  • Administrative access, when required, should be made available via secondary elevated accounts that are used only when needed
  • UW IT staff are not responsible for client-installed software
  • If client-installed software interferes with the business the workstation was intended for, the client will be asked to remove that software
  • Removal of, or tampering with, management applications (like SCCM) installed by UW IT staff is not permitted
  • Even though some software on these PCs may be client managed, common applications should still be managed by central or departmental IT staff whenever possible. This keeps as much of the PC as possible current and secure.

Client-owned workstations

  • The use of client-owned workstations to access UW resources is only permitted if the devices are secure and kept up-to-date in terms of the OS, patches and all applications
  • It is still possible to subscribe to UW IT management for patches and common applications. The success rate of software installs may be lower, because the state of the operating system and of any additional software is unknown. When it does succeed, however, updating common applications centrally is still better than having the client manage everything themselves.

Laptops and tablets

  • It is highly recommended that laptops and all portable workstation devices have, at a minimum, their sensitive data folders encrypted. See: Data Encryption for more information.
  • If the “Offline Files” option is selected, data that is normally stored only on a client’s “N:” or “homedrive” is copied to a special directory on the laptop, so the share appears to be available even when the laptop is not connected to it. Even though this cached copy is encrypted, extra physical-access precautions should be exercised when these laptops leave the campus.
  • If the intent of a laptop is primarily to provide portability on campus, meaning it will rarely, if ever, leave the campus, “Offline Files” should be disabled
  • Software, updates and patches are delivered via SCCM to a laptop or tablet only when a wired network connection is present. Although managing a laptop over a wireless connection is doable, most clients prefer that this not happen. If management is required on a laptop while it is connected wirelessly, it is the client’s responsibility to make UW IT staff aware of this requirement.
  • Laptops and tablets left in a client’s open or shared office or workspace should be secured with a cable lock to the desk, or kept in a locked drawer, when the client is not present

Macintosh workstations

  • Macs are not “officially” supported in Academic Support and some other parts of campus
  • Although there are Mac support documents and staff who are able to help, at time of writing there is no widely accepted central support structure for managing Macs the way PCs are managed. Some areas have their own infrastructure, but no consensus has been reached on one common Mac infrastructure across campus. As a result, maintaining, updating and supporting a Mac often falls on the client.
  • All the same requirements apply to a Mac as to a Windows workstation in terms of keeping the operating system and all applications secure and up-to-date
  • Proper software management has to include all current patches and updates
  • Unlike Windows workstations, Mac hardware maintenance remains the responsibility of the client (or their manager) to arrange when repairs are required, preferably with a certified Mac vendor like the Campus Tech shop
  • These are important facts for clients and managers to be aware of before requesting or approving a Mac for UW staff

Rights/responsibilities

Contained within and following from the Guiding Principles are rights and responsibilities of both the client and the University. Some of these are presented below.

University of Waterloo rights and responsibilities

  • UWaterloo is responsible for the security and maintenance of all UW-owned workstations
  • As such, UW reserves the right to rebuild or replace any workstation deemed to be insecure or beyond repair. This would be done with the client’s knowledge and consent at an agreed-upon time. (In the meantime, the workstation may be disconnected from the network.)
  • UW will make every effort to keep the operating system and all UW-installed applications up-to-date. Updates will be delivered on a schedule defined by the Information Security Services team, or by the application champions assigned to that task.
  • Older versions of software that are being replaced with newer versions are removed unless retention is specifically justified by the application champion
  • Applications that depend on other software, such as .NET, will have those dependencies delivered along with the application when that software is requested
  • Department-specific common applications can be automatically installed and updated on a managed PC. IST is willing to track and maintain these if requested.
  • Additional applications will be made available or advertised to a workstation, depending on requirements, so that the client or a local support representative can install that software themselves without administrative credentials
  • The operating system and common applications can be delivered or advertised in such a way that neither the client nor a local support representative needs to become an administrator on the workstation
  • To keep a workstation up-to-date, SCCM must collect audit information from that PC. The information collected includes a full hardware inventory and a full software inventory. This information is kept confidential and is available only to a select, trusted few.
  • In order for proper IT decisions to be made, it is sometimes necessary to collect software usage information. This is called software metering and happens as required.

User rights and responsibilities

  • A workstation, whether it normally connects wired or wirelessly, should be reachable on the wired network often enough for UW IT to manage it remotely, as required, within a reasonable time frame
  • Windows activations obtained from the campus KMS (Key Management Service) servers are valid for 180 days and must be periodically renewed against those servers. A workstation that is away from the UW network for about six months will therefore see its OS, and some applications licensed the same way, start to degrade. Clients who expect this should tell their IT department before the PC is built, so that a MAK (Multiple Activation Key) licensing model, which does not have this restriction, can be applied. This is especially relevant to laptop computers that leave the campus for extended periods.
  • Availability also means that local administrative rights must not be removed from the local IT staff or service accounts that manage these workstations. If this level of administration is removed, the workstation will be removed from Nexus, and the management of that PC will come into question.
  • Local management client applications, such as the SCCM client, should be left installed and running in all areas of campus where SCCM is used to manage that workstation
  • It is assumed that all application installs and uninstalls are performed by qualified IT staff, and not by the client. Every application installed on a workstation may reduce the chance that other applications install successfully, and the same is true of an application that is not properly uninstalled: residue left behind by previously installed applications can compromise workstation integrity.
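As an added check, not part of the original guidelines, the following PowerShell reports whether a Windows workstation is activated through KMS or through a MAK, and how many days of the current activation remain. It is written by the editor of this page, not by IST, and assumes Windows 8 / Windows Server 2012 or later with PowerShell 3.0 or later, since it relies on the `Get-CimInstance` cmdlet and the `ProductKeyChannel` property of the `SoftwareLicensingProduct` WMI class. The application ID it filters on is the well-known identifier for the Windows product itself, used here only to exclude Office and other licensed products from the output.

```powershell
# Added example: show the Windows activation channel and remaining validity,
# so a laptop owner can tell whether the six-month KMS limit applies to them.
# Assumes Windows 8+/PowerShell 3.0+. Not part of the UW guidelines.

# Well-known application ID for the Windows operating system product.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

# LicenseStatus values documented for SoftwareLicensingProduct.
$statusNames = @{
    0 = 'Unlicensed'
    1 = 'Licensed'
    2 = 'OOBGrace (initial grace period)'
    3 = 'OOTGrace (out-of-tolerance grace, e.g. KMS contact lost)'
    4 = 'NonGenuineGrace'
    5 = 'Notification'
    6 = 'ExtendedGrace'
}

function Get-WindowsActivationSummary {
    # Only the entry that actually holds a product key describes the
    # activation in effect; the other rows are unused license channels.
    $products = Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey }

    foreach ($p in $products) {
        # GracePeriodRemaining is reported in minutes; convert to whole days.
        # For a KMS client this counts down from 180 days at each renewal.
        $daysLeft = [math]::Floor($p.GracePeriodRemaining / 1440)

        [pscustomobject]@{
            Product       = $p.Name
            # 'Volume:GVLK' = KMS client key, 'Volume:MAK' = Multiple Activation Key
            Channel       = $p.ProductKeyChannel
            LicenseStatus = $statusNames[[int]$p.LicenseStatus]
            KmsServer     = $p.DiscoveredKeyManagementServiceMachineName
            DaysRemaining = $daysLeft
            # Flag the case the guideline warns about: a KMS client that
            # will be off campus longer than its remaining validity.
            NeedsMakIfOffCampus = ($p.ProductKeyChannel -like 'Volume:GVLK*')
        }
    }
}

Get-WindowsActivationSummary | Format-List
```

A `Channel` of `Volume:GVLK` with a `KmsServer` on campus means the machine depends on the campus KMS servers and will fall into the OOTGrace state once `DaysRemaining` reaches zero without contact; a `Volume:MAK` channel with `LicenseStatus` of `Licensed` does not have that dependency. The built-in `slmgr.vbs /dlv` command shows the same information without PowerShell.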

This document was prepared by the IST Workstation Services team and sanctioned by IST management.