USNH Centrally-Managed Devices and Computer Quarantine FAQ

Summary

This is a list of frequently asked questions regarding the USNH Computer Quarantine effort to help keep the data of all USNH employees secure. This article is for faculty, staff, and students.

 

Questions

 

Q1 Why is ET&S going to centralized management of devices running Windows?

Q2 How is Internet connectivity limited when the device is quarantined?

Q3 How long do I have to enroll my device before it is quarantined? 

Q4 At this point, are all institution-owned, unmanaged Windows devices quarantined, or are a subset still unaffected and may change to quarantined status soon?

Q5 How do I enroll my device?

Q6 Do I have to enroll my personal devices?

Q7 What if a device is no longer in use?

Q8 Besides people specifically reaching out and telling us, what method are we using to determine what’s a personal device vs a USNH asset? E.g., Wi-Fi vs Ethernet, MAC registration, something else?

Q9 Just to confirm, who will this communication below be sent to, and who has already been notified of this info?

Q10 What devices are affected? 

Q11 How do I get my device in compliance?

Q12 What if my device can’t be managed? 

Q13 How do I request an exemption to this process?

 

Answers

 

A1 - Why is ET&S going to centralized management of devices running Windows?

  • This time-sensitive effort produces the following benefits for USNH:
    • Creates a safer and more secure environment for all students, faculty and staff, and protects not just the UNH workplace information but also your own private information.
    • Enables our researchers to meet increasing cybersecurity requirements associated with grant opportunities.
    • Enables our teams to proactively apply security patches and policies to your devices, eliminating the need for you to manage these items on your own.
    • Ensures the maintenance of a central device inventory.
    • Reduces our risk of experiencing a major cybersecurity event.

 

A2 - How is Internet connectivity limited when the device is quarantined?

There is no internet access. The only access you receive when quarantined is to the remediation site.

  • Can the device not connect to external sites, USNH services, both? Web vs other specific ports, specific sites, etc?
    • No, the device should not be able to connect to anything while quarantined. Note this only impacts the device if it is connected to the USNH network. This will not affect a system on a home network. 
       
  • Is it expressly communicated through a webpage when the device is quarantined, or do users infer it from certain network services being unavailable? 
    • Yes, there is a splash page as well as an email notifying you of quarantine.
       
  • Is quarantining the same on Wi-Fi-connected devices vs Ethernet-connected devices?
    • Yes.
       

 

A3 - How long do I have to enroll my device before it is quarantined? 

 

A4 - At this point, are all institution-owned, unmanaged Windows devices quarantined, or are a subset still unaffected and may change to quarantined status soon?

  • No, only a subset of targeted machines the endpoint team has identified has been quarantined. As we discover new USNH-owned, unmanaged devices, we will inform the identified owner and initiate the quarantine process. This process will be ongoing.

 

A5 - How do I enroll my device?

 

A6 - Do I have to enroll my personal devices?

 

A7 - What if a device is no longer in use?

  • At UNH, if the device is no longer in use and should be disposed of, please complete the SEED form to notify Enterprise Technology & Services of the disposal need.

 

A8 - Besides people specifically reaching out and telling us, what method are we using to determine what’s a personal device vs a USNH asset? E.g., Wi-Fi vs Ethernet, MAC registration, something else?

  • A combination of data is leveraged to determine this. Net Registration information, device name, and MAC address are examples of data elements the team is leveraging. This is not an exact science, and we will be increasing the fidelity of this information in the future as well as refreshing our asset management processes, which is why we are conducting this exercise.

 

A9 - Just to confirm, who will this communication below be sent to, and who has already been notified of this info?

  • The quarantine message will be sent to the identified device “owner”. The follow-up communication below can be sent as needed to the research community or any identified distribution lists.

 

A10 - What devices are affected? 

  • Devices identified at risk need to be brought into compliance to improve our cybersecurity posture at the University System of New Hampshire and ensure a safe computing environment for all.
    • You will receive an email notification if your device is at risk.
    • This process only impacts specific devices that have been identified as out of compliance.

 

A11 - How do I get my device in compliance?

  • This can be accomplished by leveraging the self-service process outlined in the notification you would have received if your device is at risk, or by reaching out to the Help Desk or your associated desktop management liaison. 
    • The device management process installs a Windows client called Microsoft Endpoint Configuration Manager on the machine. This effort currently impacts institutionally owned desktops and laptops running Windows OS.
    • The remediation process has been designed to be fully transparent and have minimal to no impact on the machine. The self-service process can be completed in approximately 5-10 minutes per machine.
    • In some cases, it is unclear if the devices we have identified are personal or university system assets. If you have a device we identified that is a personal device, then please notify the Help Desk (603-862-4242) and we will take it out of quarantine as it should not be impacted. 

 

A12 - What if my device can’t be managed? 

  • Every attempt should be made to ensure that the device is managed. 
  • Research devices that can’t be rebooted automatically will be put in a separate portion of Active Directory to protect them from automatically applied updates and reboots.
  • If for some reason the device cannot be managed, then the Cybersecurity Risk Exception process can be leveraged. The RCC staff and cybersecurity team will help you with this process. 

 

A13 - How do I request an exemption to this process?

 

Further Readings

Instructions for Installing Microsoft's "System Center Configuration Manager" (SCCM) 

SEED form

Cybersecurity Risk Exception

 

Need additional help?

In some cases, it is unclear if the devices we have identified are personal or university system assets. If you have a device we identified that is a personal device, then please notify the Help Desk (603-862-4242) and we will take it out of quarantine as it should not be impacted. 

Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request.  For password issues you must call or visit the Help Desk in person.  


Details

Article ID: 4096
Created: Thu 8/5/21 1:18 PM
Modified: Wed 10/25/23 9:41 AM
Applicable Institution(s):
Keene State College (KSC)
Plymouth State University (PSU)
University of New Hampshire (UNH)
USNH System Office