Mitigating software security vulnerabilities is an important practice for any organization. University Information Services has adopted multiple technologies such as Symantec Altiris, JAMF and Active Directory Group Policy to configure, update, maintain and monitor devices owned by the University. Client management systems also allow the Helpdesk to perform remote service functions on a machine such as installing software or checking for malware (in conjunction with antivirus and antimalware software such as Symantec Endpoint Protection and Malwarebytes). Client management software is also used to help enforce the Workstation Standards outlined in Pacific’s healthcare compliance policies on clinic workstations.
Removing Client Management Software
Client management and antivirus/antimalware software should never be removed from any university-owned computer.
The Symantec Altiris Client is installed on all university-owned Windows and macOS computers (with the possible exception of some older computers that UIS has not yet had access to). On Windows computers, the client appears in the taskbar. On Mac computers, it appears in the menu bar.
JAMF is being used to manage some iOS devices (e.g. iPads) and some macOS computer labs. All new iPads that are purchased with university funds will be purchased with JAMF licenses for JAMF management. In addition to client management, JAMF is utilized as a tool to distribute iOS App Store apps purchased with university funds.
Active Directory Group Policy
Group Policy applies to all Windows computers on the Pacific domain, which should include all university-owned computers, and is used to deliver settings to those computers. Different settings are sent to different Windows computers depending on where and how they are used. Settings applied to all university-owned Windows computers include settings that:
- Prevent the computer from joining a home group.
- Prevent Windows from offering OneDrive.
- Prevent the standard Windows first-time-login animation.
- Prevent web browsers from offering to store passwords (note that using web browsers to save your PUNet password is a violation of the Pacific University Password Management Policy).
- Prevent Windows from trying to manage default printers.
- Prevent Windows from listing “nearby” computers on the network.
- Set default web browser home pages (which can then be changed by users).
Windows Software Updates
Client management is being used to manage the following software packages on all university-owned Windows computers. It ensures that supported software is up to date with the latest versions. In some cases, client management ensures that the software is present, or uninstalls software that is not consistent with our policies. Software we currently manage includes:
- Adobe Acrobat and Adobe Reader
- Adobe Air
- Adobe Flash Player
- Adobe Shockwave
- Box Edit
- CCleaner (Uninstallation)
- Citrix Receiver
- Google Chrome
- Malwarebytes (not visible)
- Microsoft Office
- Microsoft Silverlight
- Mozilla Firefox ESR
- OneDrive (Uninstallation)
- QuickTime (Uninstallation)
- Symantec Endpoint Protection
- Xythos Drive (Uninstallation)
Update Times and Restrictions
Our client management systems retrieve updates whenever they are available. Available updates are generally applied every three hours. Updates are generally available whenever the device is connected to the internet, whether on or off campus.
Operating System Updates
Our client management software is used to manage the installation of important operating system updates. In addition to making sure important updates are installed, we can also delay the installation of updates while testing for compatibility (see Supported Operating Systems and Known Issues) or so that users can schedule around lengthy updates.
If an update requires a system restart to complete, the Symantec Management Agent will alert you that a restart is required. You will be presented with the option to "Restart Now" or "Postpone". You can postpone the update for up to 24 hours.
Here is an example of the restart notification: