Information Security Standard Exception Request – Administrative Privileges for Shared or Lab Devices

Use this service to request an exception to the administrative-privilege standards established by the UM Information Security Office (ISO). This request type applies specifically to shared or group-use devices that are not assigned to a single individual, such as lab systems, instructional devices, kiosks, or other multi-user environments.

All requests are evaluated by the ISO and are approved only when administrative access is demonstrably necessary for the operation of the shared device and when required management or academic functions cannot be effectively performed using UM-supported IT systems while maintaining an acceptable security posture.

The Information Security Office (ISO) is responsible for protecting the University’s data and information assets through the UM Information Security Policy and UM Information Security Program. To support these efforts, the ISO establishes standards and controls that must be followed by all University-owned information systems. Exceptions to these standards are not intended to be permanent. Instead, the exception process provides limited approval for non-standard configurations while the requesting unit works toward compliance or an alternative long-term solution.

Please note that, depending on the exception and associated risks, the University’s Cyber Liability Insurance may not cover incidents or compromises that arise from the approved exception.

When Exceptions May Be Considered

An exception to an information security policy, standard, or control for shared or group-use devices may be considered under circumstances such as:

  • A temporary operational need where immediate compliance would disrupt critical instructional, research, or administrative functions.

  • A legacy shared environment that cannot reasonably meet the standard until retirement or replacement.

  • Long-term operational requirements where compliance would significantly impair essential University activities.

  • Situations in which required software, drivers, or workflows on shared devices cannot function without administrative privileges.

  • Environments that require frequent installation, configuration, or updating of specialized software that cannot be centrally managed.

When an exception is approved, the requesting unit acknowledges and accepts the associated risks on behalf of the University.

Security Requirements

All devices approved under this exception must have the SentinelOne endpoint protection agent installed and actively reporting, unless a documented exception is explicitly granted by the Information Security Office. Devices that cannot support SentinelOne must be identified in the request and will be reviewed on a case-by-case basis.

How to request

Click Create a Ticket (top right of this page) and provide the following required information:

1. Justification (Required)

Explain why the administrative-privilege standard cannot be followed for the shared or group-use devices.
The justification must include:

  • A clear explanation of the operational or technical need for administrative access.

  • The expected duration of the exception, including whether the need is temporary or ongoing.

  • A timeline describing any planned remediation, system changes, process improvements, or replacement efforts that may reduce or eliminate the need for elevated privileges in the future.

Requests that do not include an expected duration or timeline may be delayed or denied.

2. Privileged Access Details (Required)

Clearly identify all users or mechanisms that will have administrative or elevated access on the device(s), including:

  • Named user accounts or groups.

  • Shared administrative accounts, if applicable.

  • Privilege elevation tools or software (e.g., run-as tools, elevation agents, or similar mechanisms).

All administrative access must be explicitly documented. Requests that do not fully disclose privileged access may be denied.

3. Supporting Documentation (Optional)

Attach any relevant documentation that supports the request, such as software requirements, vendor documentation, or system diagrams.

Availability and Access

This service is available to individuals with a current UM affiliation.

Requests are typically reviewed within 10 business days.

Questions

For additional information, contact the Information Security Office at itsec@mso.umt.edu.