Workstation Services, IST, July 2017
Laptops present unique management challenges not faced on desktop computers. The intent of this document is to help new campus-owned laptop users ascertain proper laptop management, from installing applications to making sure this computer stays properly patched, given that it is not always on campus.
It is assumed, that all University of Waterloo owned computers, including laptops, are be joined to the Nexus active directory. This is crucial for many security reasons, but also makes the user experience far friendlier relating to authentication and access to resources. Given that Nexus user credentials stay cached on a laptop, long stretches away from campus will not affect their use, the way IST has configured them.
From a laptop users perspective, the biggest advantage for having their laptop managed is access to campus and departmental applications (https://magnolia.nexus.uwaterloo.ca/Windows/Nexus/Tools/List_UW_Apps.asp ). IST packages and delivers well over one-hundred applications required by departments across campus.
From a security perspective, the biggest advantage of keeping a computer managed, is that the person using it no longer needs to be concerned that it has fallen behind in installed patches or application, anti-virus or malware updates, leaving it susceptible to the latest attack. Also, user and workstation policies are tweaked to protect these PCs.
Each of these is huge but there are many other advantages, like easily upgrading to the latest operating system, which has been pre-tested with campus applications and synchronized with other departmental PCs. For a complete list of services provided by SCCM, see the Microsoft page here: https://www.microsoft.com/en-ca/cloud-platform/system-center-configuration-manager .
Laptops are used differently than desktops. They aren’t always tethered, and connect to the wireless network when in transit. Sometimes they stay connected to the wireless network even if the laptop doesn’t leave the desk. Add to that the presentations, and note-taking and moving around campus as well as off campus, and it’s easy to see that management can be challenging. How to keep these up-to-date, without impacting the client?
For this to happen effectively, two things have to happen. First, the laptop must remain on the network, and second, while connected, it must not be in sleep, or hibernation mode, and not be powered off, when not in use. These two things allow IT staff to find windows of opportunity to do what has to be done while the client is away.
In addition to being in the domain, we made some assumptions; namely:
1. We assume clients do not wish to have their laptops managed when they are away from campus (due to the impact on home internet quotas or fragmented up-times)
2. There will be times when the laptop is on campus when it ideally should not be managed (like during presentations)
3. We cannot be assured that a laptop will remain docked long or often enough for all management to happen
This is why we chose to give clients more control over when management happens.
When a laptop is docked, or plugged into the campus wired network, all rules applied to desktop PCs apply, and most management is postponed until night time, with reboots limited (whenever possible) to Thursday mornings. For laptop users, this is achieved by making sure your laptops are not allowed to “sleep” or “hibernate, and must stay powered on overnight.
Then there are all the other times when the laptop is portable. There will almost certainly be times when it will not be in heavy use, and could be managed. There will also be times when the laptop is left overnight on campus, but connected wirelessly to the network. For these times, a laptop user has the ability to subscribe to wireless management (as well as wired). This is accomplished by adding the laptop name to a Nexus security group. By doing so and connecting to Eduroam on campus, management will happen as if it were wired.
Then, there is another level. The above allows the laptop to be managed, but only when no one is logged on. By adding a userid to a second Nexus security group, you’ve agreed to allow management to happen (only) when those users are logged on to that laptop (that is already managed wirelessly). This way, if you use a different userid to give a presentation (for instance), nothing will happen during those times. Handy right?
These measures were introduced because only a laptop client can know their usage patterns.
· The computer must be in Active Directory and a member of Campus-WiFi-Managed-Workstations
· The user account must be a member of Campus-WiFi-Managed-Users
· Connect to EDUROAM before logging into Windows, this will authenticate as the laptop.
· As a user, connect as NEXUS\userid not firstname.lastname@example.org.
The laptop will receive regular software updates and new software in the same fashion as a wired workstation. This will make management of the laptop more consistent and remove any surprise software installations/updates when the user plugs into the wired network.
· An address in the 10.24.16.0/20 range.
· This subnet is fully dynamic and requesting a static IP is not possible.
Administrators can Remote Desktop to the laptop and manage them as long as they are connecting from a host on the wireless access control list. The hosts at time of writing are:
· Magnolia (220.127.116.11)
· Berlin (18.104.22.168)
· Dresden (172.16.68.123)
· Mercury (22.214.171.124)
· Artsmercury (126.96.36.199)
· Ahs-sccm (188.8.131.52)
· Envdeploy (184.108.40.206)
· Pithos (172.16.76.44)
· Mapdp01 (172.27.7.34)
Users are unable to remote desktop from a wired desktop system or with the VPN.