The Endpoint Management Tools service offers IT staff an efficient, secure method for managing workstations.

• Lowers the cost of workstation support by automating repetitive tasks and creating a standardized environment for end users.
• Applies software patches and upgrades in the background without impacting the user.
• Helps reduce the risk of workstation compromises, which can be costly in terms of lost productivity for the user and support staff time required for forensics and remediation.

Base Components

Master Task Sequence for Imaging Computers

The master task sequence is updated monthly so that newly imaged computers have all the latest OS updates, application versions, and supported drivers for supported desktop hardware. This drastically reduces the amount of time IT staff have to spend prepping computers after imaging. Unit admins can copy and use the master task sequence directly, or use it as a base for creating their own task sequences.

Software Packaging of Common Applications

Common applications used in the Cornell environment (Flash, Identity Finder, Firefox ESR, WebEx, etc.) are packaged and continually updated, for use in task sequences and application deployments. This feature can eliminate the duplication of effort of each unit packaging those applications themselves.

Software Updates/Security Patches

A weekly deployment of Microsoft and third-party updates is pushed centrally. Units that subscribe to the central update deployments save themselves the effort of managing their own.

Secunia third-party patching solution is part of the service offering. The software provides access to a database of over 50,000 programs, applications, and plug-ins. Subscribers have access to dashboard reports providing them with information about the risk profile of their (Windows) desktop environment. They can then prioritize remediation efforts.

Testing of software and updates added to the Endpoint Management Tools libraries is a collaborative venture, with 70-200 participants from all over campus. This helps mitigate the risk for the entire campus of service impacts following software updates.

Subscribing to the centrally maintained weekly patching schedule relieves units of the task of scheduling and managing their own patching process.

CIT welcomes suggestions for making centrally provided software libraries more useful for campus units to minimize duplication of IT staff effort.

Policy Compliance

In addition to contributing to a more stable and secure environment for users, the Endpoint Management Tools service supports the goal of policy compliance with the following features:

• Apply whole-disk encryption to workstations (University Policy 5.10)
• Install and configure malware protection (5.10)
• Visibility into patch and configuration state of endpoints (5.10)
• Gather and escrow whole disk encryption keys (5.3)
• Enable good systems inventory practices (5.7, 5.10)
• Assist with security incident response (5.10, 5.4.2)
  • Gather system info
  • Review of applications and processes
  • Deployment of forensic tools

You can find out more about university IT policies.