End User Computing Technical Standard
Application
This standard applies to all staff members of the University community. It applies at the University or elsewhere, and refers to all University-owned end user computers running Microsoft Windows or Apple OS X operating systems.
It is envisaged that in future updates relevant standards covering Linux operating systems will be included.
Where local administrative access has been granted to an end user, it is the responsibility of the end user to not take any action to disable, remove or interfere with any standard listed here.
Please note that some standards are technical and only relevant for IS support staff. If you are unsure, please contact your local IS team.
Purpose
This standard serves to establish mandatory guidance to be used across the University in relation to Windows and Apple Mac PC design and management. Exceptions are possible where there are valid business reasons that are deemed by Faculty and Service Division IT management to outweigh the application of the individual standard. This process is covered under the Exception Management section of this document.
The standard is supported by the End User Computing Technical Guidelines. The guidelines offer further guidance to University IT technicians on best practice in relation to Windows PC and Apple Mac design and management.
Contents
- Exception Management
- Active Directory Authentication
- Anti-virus
- Application versions
- Asset client
- Build tracking registry entry - Windows
- Client management
- Common build contents
- Desktopinfo - Windows
- Firewalls
- Local administrative access
- Login screen
- Login screen saver
- Microsoft Enhanced Mitigation Experience Toolkit (EMET) - Windows
- Microsoft management framework - Windows
- Operating Systems for new builds
- Remote support
- Security signoff
- Updates and patch management
Standards
Exception management
1. Where an exception to a standard listed below is required, the end user must provide a valid, justifiable business reason for the exception and have it agreed by their manager and by the faculty or service division IS manager responsible for support of the device.
2. Exceptions will only be granted where the standard will impact on the activities being undertaken, such as in some research computing activities, computers connected to machinery, eLecterns, meeting room computers and public displays.
3. If the end-user or use of the device substantially changes and invalidates the business reason for the exception then the end-user must immediately inform the faculty or service division IS manager.
4. The faculty or service division IS manager must record and manage all exceptions including the date of the exception and agreed business reason in the central exceptions log: http://tinyurl.com/UOA-Desktop-Exceptions
Active Directory authentication
5. All Windows end user computers must be joined to a University Active Directory domain.
6. All new or rebuilt Windows end user computers are to be joined to the UOA domain.
7. When joined to the domain, the domain search suffix must be set correctly to ensure correct name resolution.
8. Where Apple Macs are assigned to a fixed location on the wired (Ethernet) campus network, they are to use Active Directory to enable authentication.
Anti-virus
9. All University-owned end user computers must have the nominated anti-virus product installed. There will generally be no exceptions to this rule.
Application versions
10. The latest vendor-recommended minor version updates of software are to be included in a build where there is no major behavioural change and no business reason against this approach.
11. Upgrading to a new major version of an application in a common build is to be decided by the Application Packaging and Build Service Governance Group.
Asset client
12. All end user computers are to have the latest approved (at time of installation) KeyAccess client installed.
Build tracking registry entry - Windows
13. To allow on-going information regarding build usage for Windows desktop computers, the following registry key must be created for each final build:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\Manufacturer\Build
The format used is:
1W [Year][Month] [UCType] [Semester] [Faculty 2-letter code] [Separate Faculty build]
e.g. 1W 201401 UC1 S1 EN Robotics
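The following PowerShell is an added example, not part of the standard or of any University tooling. It writes the build tracking entry and checks that a candidate string matches the format above. Two points are assumptions rather than statements of the standard: that the entry is stored as a REG_SZ value named Build under the ...\OEMInformation\Manufacturer key, and the exact grammar of each field (UCType as "UC" followed by digits, Semester as "S" followed by a digit, the separate faculty build name optional).

```powershell
# Added example: write and validate the Windows build tracking entry (standard 13).
# Assumptions (not stated by the standard): the entry is a string value named "Build" under
# the ...\OEMInformation\Manufacturer key, and the field grammar is as encoded in $BuildPattern.
$BuildKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\Manufacturer'
$BuildName = 'Build'

# 1W [Year][Month] [UCType] [Semester] [Faculty 2-letter code] [Separate Faculty build]
# The last field is treated as optional; UCType as "UC" plus digits (both assumptions).
$BuildPattern = '^1W (?<Year>\d{4})(?<Month>0[1-9]|1[0-2]) (?<UCType>UC\d+) (?<Semester>S\d) (?<Faculty>[A-Z]{2})(?: (?<Separate>\S.*))?$'

function Test-BuildString {
    param([Parameter(Mandatory)][string]$Value)
    if ($Value -match $BuildPattern) {
        # Return the parsed fields so an audit report can show them individually
        return [pscustomobject]@{
            Valid    = $true
            Year     = $Matches.Year
            Month    = $Matches.Month
            UCType   = $Matches.UCType
            Semester = $Matches.Semester
            Faculty  = $Matches.Faculty
            Separate = $Matches.Separate
        }
    }
    return [pscustomobject]@{ Valid = $false }
}

function Set-BuildTrackingEntry {
    param([Parameter(Mandatory)][string]$Value)
    # Refuse to write a malformed string; a bad entry is worse than a missing one for reporting
    $parsed = Test-BuildString -Value $Value
    if (-not $parsed.Valid) {
        throw "Build string '$Value' does not match the required format."
    }
    # Create the key path if it is missing, then write the value (requires administrative rights)
    if (-not (Test-Path $BuildKey)) {
        New-Item -Path $BuildKey -Force | Out-Null
    }
    Set-ItemProperty -Path $BuildKey -Name $BuildName -Value $Value -Type String
}

function Get-BuildTrackingEntry {
    # Returns $null when the entry is absent, which an audit should treat as non-compliant
    $item = Get-ItemProperty -Path $BuildKey -Name $BuildName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$BuildName
}

# Usage (the build string is the example value from the standard):
# Set-BuildTrackingEntry -Value '1W 201401 UC1 S1 EN Robotics'
# $current = Get-BuildTrackingEntry
# if ($null -eq $current -or -not (Test-BuildString -Value $current).Valid) {
#     Write-Warning 'Build tracking entry missing or malformed'
# }
```

The validation is deliberately separated from the write so that the same Test-BuildString function can be reused by an inventory or Desktopinfo check that only reads the entry.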
Client management
14. All end user computers are to have the latest centralised management client installed. For Apple Macs this is the JAMF Casper Suite client and for Windows end user computers this is the SCCM 2012 client.
15. Users are not allowed to take action to disable or interfere with any management clients.
Common build contents
16. The Application Packaging and Build Service Governance Group is responsible for deciding the contents of the common builds.
Desktopinfo - Windows
17. For Windows desktop computers the Desktopinfo application must be launched at user logon with custom settings to display the following information:
- Mac Address
- IP Address
- Host Name
- Domain Name
- Build (collected from the Build tracking registry entry above)
Firewalls
18. On Windows desktop computers the Windows Firewall must be left turned on except as part of any temporary fault diagnosis.
Local administrative access
The standard for administrative access to end user computing has been approved by the Cyber Security Task force and is incorporated in the University’s register of standards. It is summarised here as:
19. Professional and academic staff (including research students) will not have administrative access to their devices except where: the access is needed for specialist applications to work correctly; staff carry out IT development work; it is required to support travel and mobility; or staff perform other specialist roles where the IS Manager deems that the nature of their work requires administrative access.
20. Administrative access will be granted to IT Support staff.
21. Any staff member granted local administrative access must be shown this standard and agree to not take any action to disable, remove or interfere with any standard listed in this document.
Login screen
22. The University of Auckland Marketing department is to supply the required login screen image for each Faculty and ITS EUS to deploy to their managed computers. Any updates to this image are also to be controlled by the University of Auckland Marketing department.
Login screen saver
23. A 15 minute inactivity timeout screen saver which requires the user to re-enter their login credentials is to be implemented across all end user computers. eLecterns, meeting room computers and public display computers will not have this applied.
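As an added example (not part of the standard and not a University tool), the following read-only PowerShell audits a Windows end user computer against standards 5-7 (domain join and search suffix), 18 (Windows Firewall on) and 23 (15 minute password-protected screen saver). The expected domain name and DNS suffix are caller-supplied placeholders, since the standard names the UOA domain but not its DNS name; Get-NetFirewallProfile is assumed to be available (Windows 8 / Server 2012 or later).

```powershell
# Added example: compliance audit for standards 5-7, 18 and 23. Read-only; nothing is changed.
# Assumption: the caller supplies the expected domain and search suffix; the values in the
# usage line are placeholders, not the University's real names.

function Test-DomainJoin {
    param([Parameter(Mandatory)][string]$ExpectedDomain,
          [Parameter(Mandatory)][string]$ExpectedSuffix)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
    [pscustomobject]@{
        Check     = 'Active Directory authentication (5-7)'
        Compliant = ($cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain) -and
                     ($suffixes -icontains $ExpectedSuffix))
        Detail    = "Domain=$($cs.Domain); SuffixSearchList=$($suffixes -join ',')"
    }
}

function Test-FirewallOn {
    # Every profile (Domain, Private, Public) must be enabled; one disabled profile is a finding
    $profiles = Get-NetFirewallProfile
    $off = @($profiles | Where-Object { -not $_.Enabled })
    [pscustomobject]@{
        Check     = 'Windows Firewall (18)'
        Compliant = ($off.Count -eq 0)
        Detail    = ($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join '; '
    }
}

function Test-ScreenSaverLock {
    param([int]$MaxTimeoutSeconds = 900)   # 15 minutes
    # Group Policy values take precedence over the user's own, so the policy hive is read first
    $paths = @('HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
               'HKCU:\Control Panel\Desktop')
    $active = $timeout = $secure = $null
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($null -eq $v) { continue }
        if ($null -eq $active  -and $null -ne $v.ScreenSaveActive)    { $active  = [int]$v.ScreenSaveActive }
        if ($null -eq $timeout -and $null -ne $v.ScreenSaveTimeOut)   { $timeout = [int]$v.ScreenSaveTimeOut }
        if ($null -eq $secure  -and $null -ne $v.ScreenSaverIsSecure) { $secure  = [int]$v.ScreenSaverIsSecure }
    }
    [pscustomobject]@{
        Check     = 'Login screen saver (23)'
        Compliant = ($active -eq 1 -and $secure -eq 1 -and
                     $null -ne $timeout -and $timeout -le $MaxTimeoutSeconds)
        Detail    = "Active=$active; TimeoutSeconds=$timeout; PasswordProtected=$secure"
    }
}

function Invoke-EucAudit {
    param([Parameter(Mandatory)][string]$ExpectedDomain,
          [Parameter(Mandatory)][string]$ExpectedSuffix)
    @(
        Test-DomainJoin -ExpectedDomain $ExpectedDomain -ExpectedSuffix $ExpectedSuffix
        Test-FirewallOn
        Test-ScreenSaverLock
    ) | Format-Table Check, Compliant, Detail -AutoSize
}

# Usage (placeholder names; replace with the University's own domain and suffix):
# Invoke-EucAudit -ExpectedDomain 'uoa.example' -ExpectedSuffix 'uoa.example'
```

The screen saver check reads the current user's hive, so it reports on the logged-on user; for a fleet report it would be run in the user context by the management client rather than as SYSTEM.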
Microsoft Enhanced Mitigation Experience Toolkit (EMET) - Windows
24. For Windows end user computers, the latest recommended version of Microsoft EMET provides protection against zero-day exploits and malicious behaviour. It is included in the common build and must be included in any build unless its presence is proven to cause a serious issue.
Microsoft management framework - Windows
25. The latest recommended version of the MS Management Framework is included in the One Windows All Use Cases build and must be part of any Windows builds unless its presence is proven to cause a serious issue. The Management Framework includes updates to WMI, PowerShell and Remote Management.
Operating Systems for new builds
26. Any new Windows build must be produced using an approved, supported version of the Operating System. Unless there is a valid business reason, this should be a 64-bit version of the Operating System.
Remote support
27. The end user must be asked and give their permission before the technician remotely connects.
Security signoff
28. To ensure that vulnerabilities are reduced, all Windows and Apple Mac end user computer builds must be approved by the UOA Security team. For common builds it is the responsibility of the ITS EUSI team to arrange this approval. For all other builds this review and signoff must be arranged by the Faculty / Service Division IT team who have commissioned the build.
Updates and patch management
29. Where configurable, all packaged applications must have automatic updates disabled.
30. Any installation of an unpackaged application must have application security updates installed in a timely manner, preferably through the application's automatic update function; otherwise they must be installed manually by local IT support or by the user (if they have local administrative access).
31. The automatic update functionality of the Mac App Store and the Apple Software Update tool must also be turned off.
32. All automated patching of Windows end user computers will be done using the SCCM-integrated solution managed by the ITS EUSI team.
33. Apple Macs must be patched using the JAMF Casper Suite.
34. Faculty/Service Division IT must populate both the patch pilot computers groups and patch exemption groups and feed any reported issues back to the ITS EUSI team through the standard service management tools.
Definitions
The following definitions apply to this document:
64-bit is a computing term which is used in this document to indicate that 64-bit Windows should be used rather than 32-bit. 64-bit Windows handles large amounts of memory more effectively than 32-bit Windows.
Active Directory is a directory service developed by Microsoft that all University owned Windows computers (and some Apple Macs) connect to. The University’s active directory is also referred to as the UOA AD.
Apple Mac (Mac) refers to a University-owned Apple Mac computer used by an IT end user. It includes both desktop and laptop computers but excludes iOS based devices (e.g. iPhones and iPads) and servers.
Desktopinfo is an application for Windows end user computers which displays useful system information on the background of your computer.
Domain Search Suffix is the DNS suffix appended to unqualified host names so that a computer can find other computers on the same network.
eLecterns in the University are computers used in Lecture Theatres for presenting information. They can be used for lectures or meetings and are normally built into the lectern.
EMET refers to the Microsoft Enhanced Mitigation Experience Toolkit, which is recommended by Microsoft to be used in conjunction with Antivirus software as a tool to reduce the risk of malware running on a Windows computer.
End User Computers refers to both Apple Macs and Windows Desktops as defined in this section.
IT end user means any member of the University community using IT resources.
KeyAccess client is a software client installed on all the University's end user computers, across Windows, Apple Mac and Linux operating systems. It regularly inventories the computer and reports installed software and its usage to allow informed management decisions.
Mac Address is a universally unique code which is embedded into each network card on a computer.
Registry key is an entry in the Windows configuration settings database on an individual computer.
University means the University of Auckland.
University community includes all staff (whether permanent, temporary or part time), honorary staff, students (whether full time or part time), contractors, subcontractors, consultants, alumni, associates, business partners or official visitors or guests of members of the University or UniServices.
University owned means purchased or leased by the University (including all purchases by Service Divisions, Faculties and Research Groups).
Windows desktop refers to a University-owned computer running a Windows workstation operating system used by an IT End User. It includes both desktop and laptop computers but excludes Windows servers or desktop level computers running Windows Server Operating Systems.
Key relevant documents
Include the following:
Document management and control
Owner: Chief Digital Officer (CDO)
Content manager: Director ITS
Approved by: Chief Digital Officer (CDO)
Date approved: 6 August 2015
Review date: 6 August 2020