This post is the eighth in a series of ten posts that have been created to identify the best practice found in FE colleges by the Jisc infrastructure review service. An introduction to the infrastructure review synthesis project is provided in the first post in the series.
Most colleges have a mix of Windows desktops and laptops. Most colleges have a mixture of Apple Mac OS X desktops and Windows PCs, however in almost all mixed installations the Windows machines vastly outnumber the Apple Macs. Where Macs are used, they are often joined to or managed by Active Directory and are managed by automated tools.
Tablets and other consumer grade ‘appliance’ equipment is in use, but this trend has declined: Interestingly many colleges that have deployed tablets or ‘appliance’ grade devices such as Chromebooks are reversing these decisions and are instead deploying Windows laptops. In some cases, this revision to policy has been down to utility or performance problems, in others it has been related to management or compliance concerns.
The most mature IT organisations make use of automated tools such as SCCM (System Centre Configuration Manager) or MDT (Microsoft Deployment Toolkit) to deploy operating systems and software. A minority of colleges use other tools, such as device imaging, this is a useful finding as we would consider such tools to be obsolete. A small number of colleges have started to use cloud-based management tools such as Microsoft Intune, although such tools are rarely used to manage desktops or laptops (within a campus LAN) that are running Windows 10.
The majority of colleges use WSUS (Windows Server Update Services) or SCCM to patch Windows endpoints inclusive of desktops, laptops etc. The minority of colleges do not utilise such automated management tools, this results in a difficult cyber-security posture as patches are not applied in a timely manner and IT teams cannot be certain that all endpoints are fully patched against various security risks. In some cases additional effort is expended to ensure that college owned laptops are patched, in these cases the effort is useful as users benefit from secure machines that are more usable, as they do not waste users time when critical updates are required prior to use.
It is useful to identify that the majority of colleges use WSUS or SCCM to patch servers, or IT teams carefully manually patch servers. In some cases, critical servers are manually patched, and less critical services are patched using automated tools. All of these options are reasonable so long as the management of critical and important security patching is approached systematically.
The minority of colleges do not patch servers in a timely fashion, this is resulting in a very challenging cyber-security posture where data protection and operational security present a high level of risk for organisations. In most cases where colleges do not follow the expected best practice around patch management this can usually be linked to having a smaller than expected IT team, or in a minority of cases to a lack of recent technical training for the team.
In the most mature organisations third party software patching is not overlooked, unfortunately in many cases this area of security patching is not fully addressed. In some cases, this means that applications provided by software companies other than Microsoft may be patched rarely or simply not at all. This could lead to critical software vulnerabilities potentially being exploited by malware or bad actors (hackers).
The best performing colleges have a mature MDM (mobile device management) system to manage iPads and other mobile devices. Very few colleges use an MDM to manage corporately owned mobile phones.
The vast majority of colleges use WEEE approved recycling services to ensure that devices are properly disposed of and that data protection policy is maintained.
Microsoft software licensing is routinely provided by EES agreements that are now replacing the previous Campus volume licencing agreements.
The majority of colleges are encrypting laptops and other mobile devices. The minority of colleges are actively technically controlling the use of removable storage, this means that flash drives and other similar devices could be used to exfiltrate data, creating a potential data protection concern.
Most colleges can improve some aspect of device management, whilst this is mostly about improving security or data protection it is also about ensuring a high quality and consistent user experience.
- The Jisc infrastructure review service can often highlight device management best practice improvements; indeed, few reviews do not highlight at least some of the points made above.
- The Chest agreements include Microsoft EES agreements and are a useful way of ensuring best value when procuring such software.