Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Technology and Platform Security
IN PLAIN LANGUAGE
Every device used for University work — laptops, desktops, servers, tablets, and even personal devices — needs to meet basic security requirements. This standard sets the rules for how those devices must be configured, patched, protected, and monitored. Key requirements include keeping software up to date, using approved security tools, encrypting stored data, and enabling multi-factor authentication for administrative access. University-owned devices must be enrolled in an approved device management solution that supports remote lock and remote wipe, so that University Data can be protected if a device is lost or stolen. Personal devices may be used for some University work but must never be used to access or store confidential or high-risk data. If a device is lost, stolen, or compromised, it must be reported immediately.
1. Purpose
The purpose of this Standard is to establish minimum requirements for the secure configuration, management, and protection of endpoint devices and servers that store, process, or access University Data. Effective endpoint management reduces the risk of data compromise, service disruption, and unauthorized access while supporting the University's academic, research, and administrative missions.
This Standard implements the endpoint and system security requirements of the University's Information Security Program and aligns with the NIST Cybersecurity Framework (CSF) 2.0.
2. Scope
This Standard applies to:
- University-owned or University-managed servers
- University-owned endpoints, including desktops, laptops, tablets, and mobile devices
- Personally owned devices that access University systems or University Data
- Devices located on University networks, affiliated campus networks, remote locations, or cloud-hosted environments
This Standard applies regardless of physical location when devices are used for University business or connect to University Information Technology Resources.
3. Device Categories
For purposes of this Standard, devices are categorized as:
Servers — Physical or virtual systems providing shared services or applications.
Endpoints — University-owned desktops, laptops, tablets, and mobile computing devices.
Personal Devices — Non-University-owned devices authorized to access University systems or data.
4. Roles and Responsibilities
4.1 Chief Information Security Officer (CISO)
The CISO is responsible for:
- Establishing and maintaining this Standard
- Approving exceptions to endpoint security requirements
- Escalating material endpoint-related risks to executive leadership
4.2 Information Technology Organizations
UM IT, UM System IT, and Distributed IT are responsible for:
- Implementing and maintaining endpoint management and security controls
- Deploying approved management, monitoring, and protection tools
- Supporting vulnerability remediation and incident response activities
4.3 System and Endpoint Administrators
Administrators are responsible for:
- Configuring and maintaining systems in accordance with this Standard
- Ensuring systems remain supported and properly patched
- Documenting configurations and approved exceptions
4.4 Device Users
Users of University or personal devices are responsible for:
- Using devices in compliance with University policies and standards
- Protecting devices from loss, theft, or unauthorized access
- Promptly reporting lost, stolen, or compromised devices
5. Configuration and Security Requirements
5.1 General Configuration Baseline
All servers and endpoints must:
- Be configured using secure baseline configurations based on vendor guidance and CIS benchmarks where applicable
- Disable unnecessary services and default accounts
- Enforce least privilege access principles
- Use supported operating systems and software versions
5.2 Patch and Update Management
- Security patches must be applied on a regular and consistent schedule
- High and Critical vulnerabilities must be prioritized for remediation
- Patch testing should occur prior to production deployment where technically feasible
Patch timing expectations are defined in the Vulnerability Management Standard and may be adjusted through an approved exception.
5.3 Malware Protection and Endpoint Detection
- University-approved Endpoint Detection and Response (EDR) or anti-malware tools must be installed on eligible servers and endpoints
- Protection mechanisms must be enabled and kept up to date
5.4 Encryption
- Data stored on servers and endpoints must be protected using full-disk encryption where technically feasible
- Data transmitted over networks must be encrypted using approved protocols
- Only secure TLS/SSL protocols and cipher suites may be used
5.5 Identity, Access, and Authentication
- Access must be provisioned based on documented business need and least privilege
- Individual user accounts must be used for access
- University-assigned devices are configured with standard, non-privileged user accounts by default
- Users must not be granted local administrative privileges on assigned devices unless a documented business or operational need exists
- Exceptions granting local administrative privileges must be approved by the CISO or designee, documented with risk justification, and reviewed periodically
- Users granted local administrative privileges remain subject to the requirements of the Account Security Standard
- Multi-factor authentication is required for administrative or privileged access
- Access must be reviewed periodically and removed when no longer required
5.6 Logging and Monitoring
- Endpoint and server logging must be enabled in accordance with University logging standards
- Security-relevant events must be protected from unauthorized modification
5.7 Backup and Recovery
- Systems storing University Data must use University-approved backup solutions
- Backups must be protected from unauthorized access and tested periodically
5.8 Remote Access
- Remote access must use secure, encrypted methods approved by UM IT
- Administrative remote access must require multi-factor authentication
5.9 Vulnerability Management Integration
- All servers and endpoints must participate in the University Vulnerability Management Program
- Vulnerabilities must be remediated or managed in accordance with the Vulnerability Management Standard
5.10 Remote Device Management and Emergency Response
University-owned endpoints and mobile devices must be enrolled in a University-approved Mobile Device Management (MDM) or Remote Monitoring and Management (RMM) solution prior to being placed into service. Enrollment must be maintained for the life of the device's active use.
Enrolled devices must support and be configured for the following remote management capabilities:
- Remote lock — the ability to immediately lock a device and prevent access without valid authentication
- Remote wipe — the ability to securely erase University Data and restore the device to a factory or baseline state
- Location tracking — where technically supported and consistent with applicable law and University policy, the ability to locate a missing device
For personally owned devices authorized to access Restricted (Moderate Risk) or Confidential (High Risk) Data, UM IT should implement application-level containerization or conditional access controls that allow selective removal of University Data where technically feasible and supported by the device management platform in use.
Remote wipe actions must:
- Be authorized by UM IT or the Information Security Office in coordination with the device user's supervisor or unit lead, except in cases where immediate action is required to prevent data loss
- Be initiated promptly when a device is reported lost, stolen, or compromised and cannot be recovered
- Be documented in the associated incident record, which serves as the record of sanitization for purposes of the UM IT Data Disposal and Media Sanitization Standard
Remote lock or wipe must not be initiated for purposes unrelated to data protection, loss, theft, or compromise without appropriate authorization.
6. Personal Devices
Personally owned devices authorized to access University systems or data must:
- Meet minimum security requirements defined by this Standard
- Be protected with device locking and encryption where supported
- Be promptly reported if lost, stolen, or compromised
Personally owned devices must not be used to store, process, or access Confidential (High Risk) Data.
Access to Restricted (Moderate Risk) Data from personally owned devices may be permitted only when explicitly authorized and when required security controls are in place, as defined by applicable standards and procedures.
7. Exceptions
Exceptions to this Standard must:
- Be documented with risk justification
- Identify compensating controls where applicable
- Be approved by the CISO or designee
- Be reviewed periodically
8. Review and Maintenance
This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, or regulatory requirements.
9. References
- UM Information Security Policy
- UM Data Governance Policy
- UM Data Security Standard
- UM Vulnerability Management Standard
- NIST Cybersecurity Framework (CSF) 2.0
- Center for Internet Security (CIS) Benchmarks