Summary
This article covers the self-managed device request process, links to relevant articles, and includes email templates. All requests for self-managed devices must follow this process. Standardizing the process ensures proper tracking and approval of self-managed devices, resulting in improved endpoint security and inventory management.
Environment
- Any Windows, Mac, or Linux device not already fully managed by LSA systems or services.
Directions
To begin the formal self-managed device request process, follow these steps:
- Request the device owner to complete the Request to self-manage an LSA Device TDx form. If the device owner is unable to complete the form themselves, a different person may do so. However, the device owner will be contacted directly and asked to confirm they have read and agreed to the self-managed device requirements.
  Note: A separate form must be completed for each device. Completed forms are attached to the device's asset record in TDx for improved tracking.
- Submitted forms are routed to the local Desktop Support manager to review and add additional context as necessary. The local Desktop Support manager can then:
  Note: If the request is denied but the decision is appealed, the request can be escalated to the Security team.
- Forms are routed to the Security team, who will review the request and take into account the following information, and may confer with additional Subject Matter Experts:
  - Data sensitivity levels
  - Device location
  - Stated reasons for a self-managed device
  - University policies and standards
  - LSA policies and standards
  - Attestation to security policies
  Note: If the device owner was not the one who filled out the request, Security will reach out to the device owner to confirm they have read and agreed to the self-managed device requirements. A response must be received to continue the approval process. Refusal to respond may result in network access restrictions.
- Security will review the request, and issue an Approval or Denial. This process is expected to take 5 business days or less once all required information has been provided.
If a device is approved for self-management:
- Security will notify the device owner, requestor (if different from device owner), and local Desktop Support manager that the request has been approved.
- Desktop Support will complete the following tasks:
  - Verify a TDx asset record exists
  - Confirm the "Self-Managed" function detail checkbox is checked
  - Confirm the Security Compliance section, Approved Exception Form checkbox for Self-Managed is also checked
  - Confirm the Security Compliance section, Security Review date field is set to 4 years from the approval date
  - Work with the device owner, or user, to install Crowdstrike Falcon, Tenable, Malwarebytes, Keyserver, and any relevant LSA device management tools (e.g. WLMS Lite), and confirm these checkboxes are checked in the TDx asset record under the Security Compliance section, Required Software Compliance
  Note: A separate Security exception must be requested if Crowdstrike Falcon or Tenable cannot be installed. If an exception is required for one of these tools, reach out to LSA.Security@umich.edu to begin this process.
- Tool installation requirement timelines:
  - New devices: 30 days
  - Existing devices: 60 days
- If the required security tools are not installed within the required time frame, network access may be restricted.
- For newly purchased self-managed devices, approximately 4 years after the purchase date, Security will send a notice to the device owner reminding them that any replacement equipment must also go through this process.
If a device is denied:
- Security will notify the device owner, requestor (if different from device owner), and local Desktop Support manager that the request has been denied, and include details about how an LSA-managed device can still meet their technical requirements.
- The local Desktop Support manager will follow up with the requestor and/or device owner on how to move forward with a managed device.
- If there are additional technical issues or needs, Security will revisit the request. If the additional information is enough to grant an approval, a new request form must be submitted to ensure the form attached to the device's asset record has all the necessary and proper information.
- In the event of significant pushback, Security and the local Desktop Support manager will notify the CA of the situation.
Email templates:
Denial
Hello {Name},
After careful consideration, we believe all of your technical requirements can be met with an LSA-managed device. The technical requirements you listed were:
{List of reasons}
A managed LSA {Operating System} device comes with {Details on how the requirements above can still be met}.
Substantial efforts have been invested in our management environments to provide researchers the flexibility they need while still meeting University security requirements.
Given that the above technical requirements can be met with an LSA-managed device, your petition for a self-managed device is declined. We understand and appreciate that this represents a change from your past experiences; however, LSA and the broader University are seeing a substantial increase in malicious actors specifically targeting self-managed devices. As a result of these increased threats, and to protect our students, faculty and staff, LSA, along with the broader University, is reducing both the footprint of self-managed devices and the number of University services accessible by self-managed devices. I have included {DS manager and anyone else as necessary} on this update so they can assist you moving forward.
Thank you for your understanding.
Approval
Hello {Name},
After careful consideration of the technical requirements below, your petition for a self-managed device is approved:
{List of reasons}
A self-managed device must still meet the following requirements:
Note: Requests for exemptions from security tool installation must go through a secondary process. Security tool exemptions can only be approved once it has been proven that the tools interfere with work.
I have included {DS manager and anyone else as necessary} on this update so they can assist you in this process, including getting the required security and licensing tools installed.
Device owner attestation confirmation
Hello {Name},
In order to continue the review of your self-managed device request, please confirm that you have read and agree to follow the University's and LSA's policies around self-managed devices:
Regards,
Escalation heads-up to Chief Administrator
Hello {Name},
{Requestor/Device owner} submitted a request for a self-managed device. Following LSA policy, there must be a technical requirement to receive approval for a self-managed device. The technical requirements {Requestor/Device owner} provided were:
{List of reasons}
After careful consideration and a review of the technical requirements, it has been determined that an LSA-managed device does not impose a technical restriction on their work. As a result, their request was declined.
{space for specifics around the escalation}
If you have any questions, please let me know.
4 Year reminder
Hello,
Our records indicate that approximately 4 years ago you purchased a device that had a technical requirement necessitating self-management. As that device may be nearing your planned replacement cycle, we wanted to remind you that all devices, even replacement devices, must go through a self-management request process. Once you are ready to replace this device please reach out to us so that we can help guide you through this process.
Regards,
Related Article
Self-Managed Device talking points
External resources
LSA Security Self-Managed Device policy
UM DS-23 Endpoint Security Administration (this standard notes that security tools like Crowdstrike Falcon are required and that exceptions must be formally reviewed)
UM SPG 601.27
University expectations for self-managing a device
LSA InfoSec Vulnerability Mitigation Exception procedure