...

  1. The extent of the problem the change was meant to address.
  2. The measure by which the expected change to the systems occurred.

Oliver's take

We request that software installed on computers to provide connectivity to central computer inventory and management tools make, by default, no changes to any system on which the client is installed.

At Cornell the two management tools used are focused on two supported computer operating systems (OS):

  • Microsoft's Configuration Management (CM), for Microsoft Windows.
  • Jamf's Jamf Pro, for Apple macOS.

Just having the client installed, even when it is not doing anything to a computer, gives us (IT professionals, A&S management, and CU Audit) valuable, trustworthy visibility into computers with the clients. This information includes the last time a computer reported into the central console (which implies whether the asset is active), the computer's configuration (for example, our screen lock-related settings and whether the OS is current), and the software installed (and its versions).

The client is the ONLY method the university provides to get data automatically into Remedy. Remedy has Cornell-specific fields to help ensure university policy-related deviations from compliance. Thus we should be promoting the use of these clients and reducing practices which impede their use.

CIT provides these tools. CIT, by default, makes no changes to any system on which the client is installed.

Chemistry IT has been using these powerful central computer inventory and management tools for many years (8?). Indeed, when we add a Windows computer to AD, we automatically install the CM client. Always. Not only do these clients provide central visibility of our computers and their "state", but they also afford us other advantages. They include:

Enable logging in with NetID, automatically credentialing to central services such as SFS and policy-based mounting, etc., etc.

Enable logging in with AD accounts (x #) so passwords are centrally managed and not distributed among different computers, making their management untenable

Enable easy access via Active Directory.

the use of policies independent

Central computer management tools can also be used to make changes to computers on which the client is installed.

These capabilities must be made optional for any given computer; groups make the desired changes easy to apply to many computers at a time.

There is no reason to "force" changes to computers running these valuable clients. And if this long-standing practice changes, it will force us to remove the client to better protect ... (flesh out consequences...)

 

Question

  • Was action taken out of ignorance (didn't understand the meaning of the action, nor its consequences), irresponsibility (knew the potential to harm trust and compromise fidelity of infrastructure but went ahead anyway), or some other reason?

...