
Device Compliance Frequently Asked Questions

Security mandate questions

Compliance questions

My Devices questions

Enrollment questions

Encryption questions

VLRE questions

Technical support questions

Instructions

Security mandate answers

What is Stanford's computer security mandate and how does it affect me?

For more information see Vice President for Business Affairs Randy Livingston's announcement, as well as Stanford's Information Security Office's Security Requirements Questions and Answers.

Who is covered by the mandate?

All Stanford University employees are subject to the mandate requiring encryption. This includes student employees who will have access to High Risk Data. Some University schools, departments, or organizations might impose more stringent requirements.

Compliance answers

Why is my device not compliant when I've done everything I'm supposed to do?

Make sure the device is connected to the Internet. This is especially important if it has been out of use for a while (more than 90 days).

If the device will have access to High Risk Data, be sure BigFix is installed and configured for SWDE (Stanford Whole Disk Encryption) settings management: in My Devices, you should see "Yes" for SWDE under Management System Information. Normally this is achieved by running the SWDE application to encrypt the device, but a BigFix administrator can remotely configure SWDE management using the "[STANFORD][SWDE] Enable SWDE Management" fixlet. Also see What is SWDE?

If BigFix is installed but Management System Information in My Devices is missing, incorrect, or out-of-date (see the "Last Check-in Time"), there might be a problem with BigFix. See the BigFix troubleshooting steps.

How do I request an exception for a device that can't be made compliant?

In some unusual cases, as when a device is used to run specialized equipment, it won't be possible to comply with Stanford's encryption rules. In such cases you should submit an exception request.

Why am I being required to encrypt during network self-registration when I'm not covered by the mandate?

If NetDB templates are configured to require enrollment and encryption, there might be a need for special handling of devices whose users are exempt or that have REDCap exceptions. Network administrators can manually create NetDB node records for these devices rather than allowing self-registration.

My Devices answers

Why aren't the changes I've made reflected in My Devices?

My Devices is only periodically updated throughout the day, and once updated, in some cases there has to be additional processing, which can take time. If a change isn't reflected after 24 hours for a device that's currently on the network, submit a HelpSU request for assistance.

If you're making changes to NetDB node records, it's best to take some additional steps:

  1. Delete the existing node record, rather than editing it.
  2. Wait for up to two hours to give the Device Registry time to receive notice of the deletion.
  3. Create a new node record for the device.

If you don't follow this procedure, you might not get the results you want.

Why are devices that don't belong to me showing up in My Devices?

If a device that once belonged to you is being used by someone else at Stanford, it will continue to appear in My Devices until the new user runs the Enrollment Application to change the primary user SUNet ID.

Technical Notes:

  • In some cases a device that once belonged to you could appear in My Devices if your SUNet ID is listed as a user in NetDB. The solution will be for your LNA to edit the NetDB record manually.

  • A less common but very confusing problem can arise if a network interface is passed around among different devices, as can happen with USB ethernet adapters, laptop docking stations, some computer displays, and so on. In such a case these adapters are functioning like other network devices (e.g., a Wi-Fi router or ethernet switch), and should be registered in NetDB as network devices with their own node record specifying an appropriate make and model. If devices like these are used solely with one computer, they should be registered as an interface of that computer.

What if I see a device in My Devices that doesn't belong to me?

Use the Remove button in My Devices.

What if I don't see a device in My Devices that belongs to me?

Make sure the device is on the network. If it is and you still don't see it, submit a HelpSU request.

What if I see multiple entries for a single device in My Devices?

Make sure the relevant NetDB node records are correct. If you're still having problems, submit a HelpSU request.

Enrollment answers

How do I update my enrollment answers?

It will often be necessary to update enrollment answers, for example, when a device changes hands, or when its access to High Risk Data changes. See Updating Enrollment answers below.

What is a primary user, and is it necessary to specify one?

The primary user is the person responsible for a device's security and maintenance. In many cases this is unambiguously the person who is the sole user of a device, but sometimes it will be a system administrator, or one user in a collection of occasional users.

It is necessary to specify a primary user's SUNet ID during enrollment in order for a device to be associated with that user in My Devices. A Mac OS or Windows device can have any number of secondary users, whose enrollment answers are saved, but ignored for compliance purposes.

Who should be listed as the primary user for shared devices?

In some cases a shared system, such as a lab or kiosk computer, will have no primary user as such. In these cases it's usually most appropriate for the system administrator to list him- or herself as the primary user.

Why are all users of a shared device being prompted to enroll?

If BigFix is installed on a device, it will continue to prompt all new local users of the system to enroll until someone self-identifies as the primary user.

Encryption answers

Why is my device reported to be unencrypted when I'm sure it's encrypted?

BigFix might not be checking in, or only partially checking in. In My Devices, the encryption status "last checked" time might be too far in the past. See the BigFix troubleshooting steps.

Why is my device reported to be partially encrypted?

If a device has multiple fixed disks, all of them are required to be encrypted. If at least one fixed disk is encrypted while one or more others are not, the device might be reported to be partially encrypted. See Encrypting multiple fixed disks.

As of December 2015 only Mac OS devices in BigFix that have multiple unencrypted disks will be reported to be partially encrypted, but at some point in 2016 the same will hold for Windows devices as well. Administrators can access BigFix web reports that will list all such devices (that have BigFix installed on them) in their areas: "[STANFORD] Mac OS Multiple Unencrypted Disks" and "[STANFORD] Windows Multiple Unencrypted Disks".

IMPORTANT: Currently we can only escrow recovery keys for the system volume.

What are the requirements for removable media?

At this time, removable storage devices (e.g., USB hard drives, USB flash memory) are exempt from encryption requirements. Nonetheless, if a device is being used to store (e.g., to back up) High Risk Data, every effort should be made to encrypt it, and to keep it physically secure.
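The partial-encryption rule above, the 90-day check-in caveat under "Why is my device not compliant", the removable-media exemption and the note that only the system volume's recovery key is escrowed can all be expressed as one small compliance evaluator. The following Python is an added example, not Stanford's BigFix analysis or any code from the page; the Volume and DeviceReport record shapes, their field names and the sample inventory are constructed for illustration and do not reflect BigFix's actual reporting schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# The FAQ says a device that has been out of use for more than 90 days must get back
# on the network before its reported status can be trusted; we reuse that as the
# staleness threshold (assumption: the same window applies to encryption status).
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Volume:
    """One volume as an inventory tool might report it (constructed shape)."""
    mount: str
    fixed: bool          # internal/fixed disk; removable media are exempt from the mandate
    system: bool         # boot/system volume, the only one whose recovery key is escrowed
    encrypted: bool
    key_escrowed: bool   # recovery key held centrally


@dataclass(frozen=True)
class DeviceReport:
    volumes: List[Volume]
    last_checkin: Optional[datetime]   # None if the device has never reported in


def encryption_status(volumes: List[Volume]) -> str:
    """Classify fixed disks only: 'encrypted', 'partial', 'unencrypted' or 'no-fixed-disks'."""
    fixed = [v for v in volumes if v.fixed]
    if not fixed:
        return "no-fixed-disks"
    encrypted = [v for v in fixed if v.encrypted]
    if len(encrypted) == len(fixed):
        return "encrypted"
    return "partial" if encrypted else "unencrypted"


def is_stale(report: DeviceReport, now: datetime, max_age: timedelta = STALE_AFTER) -> bool:
    """True when the last check-in is missing or older than max_age. A stale report
    points to the BigFix troubleshooting steps, not to an encryption problem."""
    return report.last_checkin is None or (now - report.last_checkin) > max_age


def attention_list(volumes: List[Volume]) -> List[Tuple[str, str]]:
    """(mount, reason) pairs a support person should follow up on."""
    findings = []
    for v in volumes:
        if not v.fixed:
            continue   # removable media: encryption recommended, not required
        if not v.encrypted:
            findings.append((v.mount, "fixed disk not encrypted"))
        elif not v.key_escrowed:
            findings.append((v.mount, "encrypted but recovery key not escrowed; record it manually"))
    return findings


def evaluate(report: DeviceReport, now: datetime) -> Dict[str, object]:
    """Combine the three checks into one summary for a device."""
    return {
        "status": encryption_status(report.volumes),
        "stale": is_stale(report, now),
        "attention": attention_list(report.volumes),
    }


# Constructed sample: encrypted system volume with escrowed key, a second fixed disk
# left unencrypted, and a USB stick (exempt). Checked in 10 days before the reference date.
NOW = datetime(2016, 1, 7, tzinfo=timezone.utc)
SAMPLE = DeviceReport(
    volumes=[
        Volume("C:", fixed=True, system=True, encrypted=True, key_escrowed=True),
        Volume("D:", fixed=True, system=False, encrypted=False, key_escrowed=False),
        Volume("E:", fixed=False, system=False, encrypted=False, key_escrowed=False),
    ],
    last_checkin=NOW - timedelta(days=10),
)

if __name__ == "__main__":
    print(evaluate(SAMPLE, NOW))
```

The sample device comes out as "partial" with D: listed for follow-up; a second fixed disk that is encrypted but whose key is not escrowed is compliant yet still gets a finding, because the FAQ's IMPORTANT note means nobody can recover that volume centrally.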

What is SWDE?

SWDE stands for "Stanford Whole Disk Encryption", and refers both to the SWDE Application, which is used to encrypt Stanford Mac OS and Windows devices, and to SWDE settings management, which is enabled by the SWDE Application and provided by BigFix. SWDE settings management is required for all Mac OS and Windows devices that will have access to High Risk Data. The most noticeable effect is a 15-minute screen lock idle timeout.

For more information please see the SWDE service page.

Where can I find in-depth technical information about SWDE?

Please see the SWDE Information for Technical Support Staff web page.

What if my operating system won't support encryption?

You should upgrade to an OS that will support BitLocker or FileVault 2 encryption. Submit a HelpSU request for assistance.

VLRE answers

What if I have a problem with VLRE?

If you can't find an answer on the VLRE service page, submit a HelpSU request.

Technical support answers

What if I see that a user's affiliation is incorrect in the administrative view of My Devices?

One example is students who are former staff but who appear as current staff in the source system: in this case you should inform HR that the student must be removed from the list of current staff. Otherwise submit a HelpSU request for assistance.

How do I remove BigFix from devices I administer that should no longer be tracked?

The user can contact the Help Desk at 725-HELP, or submit a HelpSU request, to obtain the SUDS program, which will remove all Stanford software. This is the most appropriate course for users who have left Stanford.

A BigFix administrator can also deploy an action to remove the client remotely. Submit a HelpSU request for assistance.

Why is my Chromebook not being correctly identified?

A network administrator can edit the NetDB node record so that the make and model are "Samsung Chromebook" and the operating system is "Chrome OS".

Instructions

BigFix troubleshooting steps

A BigFix administrator will have to take the first two steps, an end user or support person the third:

  1. Try a BigFix console refresh.
  2. Deploy a BigFix action, "[STANFORD] Troubleshooting: Client Forced Refresh", to force a client refresh.
  3. Completely remove and reinstall the BigFix client on the endpoint.

To completely remove BigFix on Windows, use the appropriate version of this utility (generally the most recent):

www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/BES%20Remove%20Utility

To completely remove BigFix on Mac OS, use the BigFix uninstaller script included with the BigFix installer disk image on ESS.

Sometimes the removal and reinstallation steps need to be repeated once or twice. If all else fails and the system will have no access to High Risk Data, try VLRE. Otherwise it might be necessary to rebuild the system.

Encrypting multiple fixed disks

IMPORTANT:

  • We can only escrow BitLocker recovery keys for the system volume. Any additional volumes encrypted using BitLocker will need to have their recovery keys manually recorded, by saving them to a removable drive, or printing them out, or writing them down.
  • For Windows, be sure BitLocker is configured to be unlocked automatically.
  • Be sure your computer is being backed up before encrypting.

Multi-boot systems in the general case cannot be encrypted. Unofficial instructions for encrypting Apple Boot Camp devices can be found on the web, but the steps are many and complicated. These days, for most purposes, it's almost always preferable to run additional operating systems in a virtual machine. If a system must remain multi-boot, the user should request an exception.

Windows:
technet.microsoft.com/en-us/magazine/ff404223.aspx
www.tomsguide.com/faq/id-2318737/encrypt-usb-flash-drive.html

Mac OS:
www.theinstructional.com/guides/encrypt-an-external-disk-or-usb-stick-with-a-password

Updating Enrollment answers

  • You can manually run the Device Enrollment app to update existing answers.
  • If BigFix is installed, you can delete the enrollment.txt file on the endpoint system to force re-enrollment. The file locations are:

      Windows XP: \Documents and Settings\All Users\Application Data\Stanford\enrollment.txt
      Windows 7 and above: \ProgramData\Stanford\enrollment.txt
      Mac OS: /Library/Application Support/Stanford/enrollment.txt

  • A BigFix administrator can use the "[STANFORD][SWDE] Delete Enrollment Answers" fixlet, which can selectively delete existing user enrollment answers on both Windows and Mac OS devices. Non-expiring actions targeting all Stanford BigFix clients will then prompt users to enroll or re-enroll, until someone self-identifies as the primary user.

The fixlet provides three possible actions:

  • Delete primary user enrollment answers only. Each new local user who has not previously provided any enrollment answers will be prompted to enroll. Answers from non-primary users will be preserved, and those users will not be prompted to re-enroll.
  • Delete all user enrollment answers. All local users will be prompted to enroll or re-enroll at their next logon. Use this action if existing non-primary users might need to be promoted to primary, or to start from scratch for any reason.
  • Delete enrollment answers for a specific SUNet ID. Enrollment answers for the specified SUNet ID will be deleted whether or not that user is identified as primary. If this action deletes a primary user, new local users will be prompted to enroll until a new primary user self-identifies.

A copy of the existing enrollment.txt file will be saved before modification or deletion.
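The three fixlet actions above (delete primary only, delete all, delete a specific SUNet ID), plus the backup-before-modification behaviour, can be followed as a small script. This is an added Python example written for this page; it is not the "[STANFORD][SWDE] Delete Enrollment Answers" fixlet or any Stanford code. The page does not document the contents of enrollment.txt, so the one-record-per-line "key=value;key=value" layout, the "sunetid", "primary" and "highrisk" keys, and the sample records are all hypothetical.

```python
import shutil
from datetime import datetime
from pathlib import Path
from typing import Dict, Optional

# Hypothetical layout of enrollment.txt (the real format is not documented on the page):
# one record per line, semicolon-separated key=value pairs. Constructed sample data.
SAMPLE_ENROLLMENT = """\
sunetid=alice;primary=yes;highrisk=yes
sunetid=bob;primary=no;highrisk=no
sunetid=carol;primary=no;highrisk=yes
"""

Answers = Dict[str, Dict[str, str]]   # sunetid -> remaining fields


def parse_enrollment(text: str) -> Answers:
    """Read records into a dict keyed by SUNet ID; blank and '#' lines are skipped."""
    answers: Answers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(kv.split("=", 1) for kv in line.split(";") if "=" in kv)
        sunet = fields.pop("sunetid", None)
        if sunet:
            answers[sunet] = fields
    return answers


def render_enrollment(answers: Answers) -> str:
    """Inverse of parse_enrollment, so a rewritten file round-trips."""
    lines = []
    for sunet, fields in answers.items():
        pairs = [f"sunetid={sunet}"] + [f"{k}={v}" for k, v in fields.items()]
        lines.append(";".join(pairs))
    return "\n".join(lines) + ("\n" if lines else "")


def delete_answers(answers: Answers, action: str, sunetid: Optional[str] = None) -> Answers:
    """Apply one of the three actions; returns a new dict and leaves the input untouched."""
    if action == "primary":      # drop only users who identified as primary
        return {s: f for s, f in answers.items() if f.get("primary") != "yes"}
    if action == "all":          # start from scratch; everyone re-enrolls at next logon
        return {}
    if action == "specific":     # drop one SUNet ID, primary or not
        if sunetid is None:
            raise ValueError("action 'specific' needs a sunetid")
        return {s: f for s, f in answers.items() if s != sunetid}
    raise ValueError(f"unknown action {action!r}")


def has_primary(answers: Answers) -> bool:
    """False means the enrollment prompt will keep appearing until someone self-identifies."""
    return any(f.get("primary") == "yes" for f in answers.values())


def apply_to_file(path: str, action: str, sunetid: Optional[str] = None) -> Path:
    """Back up enrollment.txt with a timestamp, then rewrite it; returns the backup path."""
    src = Path(path)
    backup = src.with_name(f"{src.name}.{datetime.now():%Y%m%d%H%M%S}.bak")
    shutil.copy2(src, backup)   # copy is taken before any modification, as the FAQ promises
    remaining = delete_answers(parse_enrollment(src.read_text()), action, sunetid)
    src.write_text(render_enrollment(remaining))
    return backup
```

Running delete_answers on the sample with "primary" leaves bob and carol and no primary user, which is exactly the state in which the FAQ says every new local user is prompted until someone claims the primary role; "specific" with "bob" keeps alice as primary, so nobody else is prompted.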

Last modified January 7, 2016