...

We request that software installed on computers to provide connectivity to central computer inventory and management tools continue to make no changes by default to any system on which the client is installed.

By giving primacy to clients reporting inventory information, and not also forcing any changes to a computer by default, we increase the number of computers which can be characterized using central reporting tools. This importantly increases the number of systems visible within the centrally-provided inventory tool, Remedy Asset Management, all without needing new processes or tools.

If centrally provided management services are NOT opt-in, all TSPs will need to understand exactly what will or will not happen to their systems, now and in the future. This will be true even for proposed solutions for which an area may not have a demonstrated need or desire. TSPs should not have to make an effort to "defend" ourselves from default actions taken centrally. Instead, every TSP should be responsible for vetting any proposed policy they elect to apply to their systems, and subsequently and deliberately putting those systems into groups to effect those changes.

I strongly recommend CIT and A&S IT continue making investments to report on the current state of the most critical parameters of our systems with these clients. An important example is the fields being developed with Audit, ITSO, and others within Remedy Asset Management to better characterize the security posture of every single computer which has the client. Of course A&S IT can also invest in developing and vetting solutions to improve on those measures. And when some of those solutions happen to depend on central management clients, do as CIT does and offer them to TSPs so that we may deliberately opt our systems into the appropriate groups, as best fits the need of each unit.

Additional details

The two management tools used at Cornell are each focused primarily on one of two supported computer operating systems (OS):

  • Microsoft's Configuration Management (CM), for Microsoft Windows.
    • Chemistry uses CM on xx number of computers, which is yy % of the College's computers using CM.
  • Jamf's Jamf Pro, for Apple macOS.
    • Chemistry uses Jamf Pro on xx number of computers, which is yy % of the College's computers using Jamf Pro.

And offer select solutions as opt-in to those who may benefit, on their own schedule.

  • Retaining this standard of practice, which has been in place for years (8+ years?) and is enabled by CIT's provisioning of these central services, will increase the number of the college's computer assets in the Chemistry Department made visible to management and audit.
  • It's important we continue our efforts to increase the number of our assets made centrally visible. Increasing the number of assets made visible, concurrent with investments being made to improve reporting within these centralized tools, such as putting data into Remedy Asset Management, will also increase the accountability of the configuration of these same assets. This can help target our technical and social efforts to further improve our security posture without compromising required functions or trust in centrally-provided tools.
  • Compelling IT support providers to opt in to effecting changes to systems under their management will continue to promote a culture of engagement and accountability about when these powerful centralized tools are most effectively brought to bear on identified problems, increasing their effectiveness.

...

So if I may turn your question on its head: It would be nice to have solid reasoning behind why we must enforce the name change on all ARTS computers. What would be the negative effect of making this policy available to every area?

...