...

We request that software installed on computers to provide connectivity to central computer inventory and management tools continue, by default, to make no changes to any system on which the client is installed.

  • Retaining this standard of practice, which has been in place for years and is enabled by CIT's provisioning of these central services, will increase the number of the college's computer assets in the Chemistry Department made visible to management and audit.
  • Increasing the number of assets made visible, concurrent with investments being made to improve reporting within these centralized tools such as putting data into Remedy Asset Management, will also increase the accountability of the configuration of these same assets. This can help target our technical and social efforts to further improve our security posture without compromising required functions or trust in centrally-provided tools.
  • Compelling IT support providers to opt in to making changes to systems under their management will continue to promote a culture of engagement and accountability on when these powerful centralized tools are most effectively brought to bear on identified problems, increasing their effectiveness.

If this long-standing practice were to change, it cannot be done quickly. (8 days, with almost no processing or communication, was recently presumed.) A change will force us in Chemistry to remove the client from many of our systems to better protect ... (flesh out consequences...). We don't see how making "forced" changes to computers simply because they are running these valuable clients is balanced or appropriate, especially given that these are centrally provisioned tools for which we are not provided alternatives and that they will feed into central inventory systems such as Remedy.

Additional details

The two management tools used at Cornell are each focused primarily on one of two supported computer operating systems (OS):

  • Microsoft's Configuration Management (CM), for Microsoft Windows.
    • Chemistry uses CM on xx number of computers, which is yy % of the College's computers using CM.
  • Jamf's Jamf Pro, for Apple macOS.
    • Chemistry uses Jamf Pro on xx number of computers, which is yy % of the College's computers using Jamf Pro.

Just having the client installed, even when not doing anything to a computer, provides us (IT professionals, A&S management, and CU Audit) valuable, trustworthy visibility into computers with the clients. Information includes the last time a computer reported into the central console (which implies whether the asset is active), the computer's configuration (for example, our screen lock-related settings and whether the OS is current), and the software (and versions) installed.

...

CIT provides these tools. CIT, by default, makes no changes to any system on which the client is installed. Arts and Sciences IT should do the same and compel the local IT support providers to "own" changes made to their systems, while facilitating installation of the client on all possible university-owned computer assets.

...

  • Enable logging in with NetID.
    • This means our department does not have to manage log-in accounts, such as password resets.
    • Using this technology also provides automatic credentialing to central services such as SFS and policy-based mounting, etc., etc.
  • Enable logging in with AD accounts (number of these easy to get? It's many!)
    • Centrally-managed passwords provide for one location to update passwords on many systems at once.  distributed among different computer making their management untenable
  • Enable easy access via Active Directory.

the use of policies independent

  • Enrolling all our Administrative computers, and many others, to central patching and other "standards" not appropriate to many research systems we also manage.

Of course, central computer inventory and management tools can also be used to make changes to computers on which the client is installed. However, these capabilities must be made optional for any given computer, and groups make these desired changes easy to apply to many computers at a time.

There is no reason to "force" changes to computers running these valuable clients. And if this long-standing practice changes, it will force us to remove the client to better protect ... (flesh out consequences...) 

 

Oliver's further takes, FWIW

...