Endpoint Management (EPM) Centralization and Standardization Program: EPM Support Model

The success of the Endpoint Management (EPM) centralization and standardization effort is dependent on a robust support model. This support model calls for a limited number of centrally managed and centrally funded tools and infrastructure to be used by all CSUs. An EPM Core team will be established in ITS to administer and maintain central EPM tools and platforms. The service will have robust change management and communication processes to ensure responsiveness.

A “Partner” program will be established that permits CSUs with qualified EPM staff to have a level of local control, such as making CSU-specific configurations and specific software packages for their end users, and scheduling the application of patches.

An advisory board, reporting to the ITLC, will be responsible for oversight of both the central service and CSU Partners. The ISO will also be enabled to enforce the use of the centrally provided tools, standards, and practices. 

The implementation of this support model will require significant organizational and cultural change, as end user devices have never been centrally managed.

 

Infrastructure and Licensing 

The necessary infrastructure, including servers or cloud-hosted services, will be administered by ITS Campus Solutions in consultation with the EPM Core Team. 

All required tools, infrastructure and licensing will be provided centrally at no cost to CSUs.  

 

EPM Team Staff and Structure 

This team will be responsible for EPM tool management; the creation and curation of standard compliance policies and configurations; the creation and curation of standard OS and application software packages, OS and application software patches, and computer “image” workflows; and device compliance reports. 

The proposed core EPM team will be established within ITS. Ideally, this team will be staffed by applicants from existing CSUs with EPM experience. The core EPM team consists of the following staff and their general responsibilities: 

  • Service Director – responsible for overall direction of EPM service, reports to ITS AVP  

  • Program Manager – responsible for customer outreach/feedback/communication to and from CSUs, service stability, change management 

  • Sr Systems Engineers (2 FTE) – responsible for overall administration, management, and configuration of Windows, macOS and Linux EPM platforms 

  • Systems Engineers (2 FTE) – responsible for development of Windows, macOS and Linux software packages, application and OS patch creation, “imaging” workflows 

  • Systems Engineers (2 FTE) – responsible for management of additional support platforms (backup, malware protection, remote support) 

  • Project Manager (1 FTE) – responsible for service improvement projects 

  • System Administrator (.25 FTE) – responsible for management of underlying systems and storage 

  • Systems Architect (.25 FTE) – responsible for core architecture of EPM systems 

  • Developer (1 FTE) – responsible for development and application of API integrations, reporting, Q/A, testing 

See the Appendix: Responsibility Matrix for a breakdown of the specific responsibilities of the core EPM team. 

 

CSU Partners and IT Support teams 

CSU IT Support teams will no longer have core EPM management responsibilities. However, qualified staff in CSUs (hereafter “Partners”) may be approved by the Advisory Board (see Governance section) to handle certain endpoint management functions that are specific to their CSU needs.  

These responsibilities can include the creation and curation of CSU-specific application patches and software packages; CSU-specific “imaging” workflows (such as for student labs); CSU-specific computer policies and configurations; and scheduling appropriate patch windows for their devices. 

Many units will not require a Partner role, as their basic needs can be accommodated by the central endpoint management offering. If a CSU does require customizations and doesn’t have qualified staff within their CSU, they may obtain contracted endpoint management support (at their own cost) from another unit such as TRECS or LAITS.  If TRECS or LAITS stop offering endpoint management services, CSU Partner-equivalent positions will be created within the core EPM team to accommodate this campus need. 

CSU IT Support teams, in conjunction with their Partner, will continue to be responsible for end user support, delivery of OS and application patches to end user devices, delivery of software packages, and initiating imaging of devices. 

See the Appendix: Responsibility Matrix for a breakdown of the specific responsibilities of each function. 

CSU Partners will be required to participate in the established change management processes and adhere to established business processes, and are expected to contribute to the core EPM team as a ‘community of interest’.

Note that there are approximately 20 FTEs performing EPM roles across CSUs. Many of these positions have additional responsibilities outside of EPM. 

 

Business Processes 

The success of this support model will hinge on the successful implementation of business processes such as change management, communications, and best practices. 

A robust change management process that involves the core EPM team, CSU Partners, and CSU IT Support team leaders will be established to ensure awareness of forthcoming changes and their expected impact.

The Program Manager position will be primarily responsible for ensuring effective and regular communication to appropriate parties in CSUs.  

Best practice implementations, using the provided enterprise toolset, endorsed by the Advisory Board, will be required of all parties for their entire fleet of devices. Improvements to best practices, or variances for specific CSU needs, may be proposed by CSUs and approved by the Board. Changes in best practices will be orchestrated through the Advisory Board.

The ISO will act as an independent auditor, at the behest of the Board, to assess compliance and issue quantifiable grades, ideally on a semi-annual basis.

Purchasing standardization and inventory process improvements are important prerequisites for the success of assignment of devices to appropriate CSUs. However, these items are out of scope of this proposal. 

 

Operational Governance 

The central EPM service as well as the CSU Partner program shall be governed by an Advisory Board, reporting to ITLC, and initially composed of nine (9) representatives from: 

  • Large CSUs (Business, Engineering, Liberal Arts, Natural Sciences, TRECS) - 5 members 

  • Small/Medium CSUs (rotating representation) - 2 members 

  • ISO - 1 member 

  • EPM Service Director - 1 member 

 

The chair of the Advisory Board shall rotate among large CSUs. The ISO will act as an independent compliance auditor with semi-annual assessments. The Program Manager will provide administrative support to the Advisory Board. 

The Advisory Board will be responsible for: 

  • developing a rubric for evaluating quality and responsiveness of the service 

  • developing requirements, approval, and a review process for CSU Partners 

  • approving significant changes to service 

  • annual review of service 

 

Enforcement 

CSUs and ISO will develop a mutually agreed upon process to establish the device inventory to which a given CSU is accountable. 

CSUs with unsanctioned systems management tools will receive one warning and then be quarantined by the ISO unless an exception is submitted to and approved by the ISO. 

Devices that do not meet the established EPM standards (including devices without adequate reporting) will be quarantined by the ISO unless an exception is submitted to and approved by the ISO. If a significant number of a CSU's devices consistently do not meet these standards, the ISO may request decertification of the CSU Partner by the Advisory Board. Continued issues will be escalated to appropriate Deans and campus leadership.

 

Maintenance and Sustainability 

The EPM standards, including the CSU Partner certification process, must be re-approved on an annual basis by the ISO to account for changing industry standards. 

CSU Partners must be participants in the change management process, and their configurations and policies must be regularly reviewed to ensure duplication of effort is not taking place. 

The Advisory Board, with input from the central EPM team and CSU Partners, will perform an annual review of the status of the various tools and practices in use. This process will include evaluation of product features, deficiencies, and roadmaps, to ensure we have ample time and runway to change platforms when necessary. 

 

Core EPM Team 

CSU Partners 

CSU IT Support Teams 

Overview 

  • OS and Standard Application Patches 

  • Standard Software Packages 

  • Standard “Imaging” Workflows 

  • Standard Policies (GPOs) and Configurations 

  • Device Compliance Reports 

  • Training/Documentation for CSU Partners/Embedded Engineers/CSU IT Support Teams 

  • Tool Management 

  • Systems Management Platforms 

  • Malware Protection 

  • Backup 

  • Remote Support (Bomgar) 

  • Apple School Manager 

  • CSU-Specific Application Patches 

  • CSU-Specific Software Packages 

  • CSU-Specific “Imaging” Workflows 

  • CSU-Specific Policies (GPOs) and Configurations 

  • Delivery of OS and Application Patches to Devices 

  • Delivery of Software Packages to Devices 

  • “Imaging” of Devices 

  • Device Remediation (Malware, Backup) 

  • Minimum Hardware Requirements 

  • Minimum OS Requirements 

  • Computer Purchases 

  • End User Computer Deployments 

  • End User Admin Account Management 

Patching 

  • Create standard OS and application patches 

  • Push zero-day patches (with change management notification to TSCs) 

  • Pushes patches to “standard” devices exceeding defined patch window threshold

  • Create remediation solutions for standard OS and application vulnerabilities when no vendor patches are available. 

  • Creates CSU-specific OS and application patches 

  • Create remediation solutions for CSU-specific application vulnerabilities when no vendor patches are available. 

  • Push OS and application patches to devices based on CSU schedule 

 

Software 

  • Creation and curation of “standard” software packages 

  • Self Service portal management for end users and dept TSCs 

  • Contribute to creation and curation of “standard” software packages 

  • Creation and curation of CSU-specific software packages 

  • Provide CSU-specific software packages to Self Service portals

  • Push software packages to devices 

  • Manage software licenses and allocation 

  • Access as privileged user to self-service to push individual software packages to dept computers 

Imaging and Deployment 

  • Development of “standard” image workflows for CSUs 

  • Management of Apple School Manager 

  • Development of CSU-specific image workflows 

  • Responsible for proactive communication to EPM team/CSU Partners for computers that receive non-standard image workflows (i.e., "these tag numbers should receive CSU computer lab configuration")

  • Deployment of computers to end users 

Systems Management and Compliance 

  • Implements compliance policies based on CSUs and device groups 

  • Management of systems management tools 

  • Configuration of systems management structure 

  • Maintain log of ISO-approved exceptions, and implement in reporting tools 

  • Implementation of CSU-specific policies 

  • Implementation of ISO approved exceptions (approved through change management) 

  • Submits and negotiates exception requests to ISO 

 

Active Directory 

  • AD structure management 

  • Implementation of top-level GPOs 

  • Creation of CSU-specific GPOs 

  • Creation of CSU-specific OUs and management of CSU-specific computer account attributes not controlled by core EPM team (e.g., Managed By attributes) 

  • AD group management 

  • Management of CSU-specific GPOs 

Asset Management (Device Inventory) 

  • Configuration and management of reporting tools 

  • Notification to CSUs of computers not checking into systems management tools 

  • Create standard report templates for internal and CSU use 

  • Create CSU-specific custom reports using native reporting features of management tools and/or via API access 

 

 

  • Regular review and correction of device in campus device registry 

  • Remediation of computers not checking into system management tools 

  • Use provided reports to aid in device management and remediation 

Exception Management 

  • Implements ISO-approved exception requests (typically by policy or by group exclusion) 

  • Implements ISO-approved exception requests (typically by policy or by group exclusion) 

  • Submits and negotiates exception requests to ISO 

Backup Management 

  • Configure standard backup policies and groups for each unit 

  • Notification on non-backed up devices sent to CSU TSC 

 

 

  • Remediates non-backed up computers 

  • Regular audit of backed up users and devices 

  • Management of users/devices assigned to a CSU 

Malware Protection and Remediation 

  • Development of standard policies for malware protection 

  • Management of malware protection tool(s) 

  • Management of CSU groups and TSC accounts 

  • Reporting on device assignment and status 

 

  • Submit requests for add/move/delete of TSC accounts 

  • Review/remediation of devices 

  • Management of enrolled devices (moves/adds/deletes) 

Remote Management 

  • Configure and manage remote management tool 

 

  • Manage remote management TSC accounts (add/move/delete)