Summary: The School of Medicine Information Services (ITSS) team has implemented an Apple mobile device management (MDM) solution called Jamf. For groups with an active desktop support MOU with ITSS, all new macOS, iOS, and iPadOS devices purchased with CU funds will be automatically enrolled in Jamf to ensure compliance with campus baseline computing standards.
Last Edited: March 4, 2025
Update: In October 2024, the campus implemented new baseline computing standards that all CU-owned desktops and laptops must adhere to. For macOS devices, these standards include being managed by a mobile device management (MDM) platform such as Jamf. Information Services will be updating the macOS Jamf restrictions to better match the standards for the campus. Release date for these new policies is March 1, 2025.
Background
What is Jamf?
Jamf is one of the most commonly used Apple MDM solutions on the market. This system allows IT to manage and secure all Apple devices that are running macOS, iPadOS, and iOS.
Why do we need Jamf?
Before Jamf was adopted, IT would procure, set up, and deploy Apple devices. However, once a device was deployed, IT had no way to manage, secure, or update it. We could not guarantee ongoing security compliance without physically intervening on the device. This is not a feasible way of managing devices and leaves the University at risk of a security breach.
All computers and mobile devices that are owned by an institution or corporation should be fully managed by the IT staff for that organization. This device management ensures that data owned by the institution is secure and the device itself remains compliant based on organization and legal requirements.
The implementation of Jamf also alleviates issues that IT struggles with while supporting Apple devices. These issues are discussed more in-depth in the policy section of this document.
When is Jamf being implemented?
All new macOS devices received on or after April 3, 2023 and all new iPadOS devices received on or after March 1, 2023 will automatically be enrolled into Jamf.
What devices will be enrolled into Jamf?
All newly purchased macOS devices (MacBooks, iMacs, or Mac desktops) and iPadOS devices (iPads) will be enrolled into Jamf. iOS devices (iPhones) are also eligible for enrollment.
Only CU-owned devices belonging to groups that have an active desktop support MOU with ITSS will be enrolled into Jamf.
Policies/Restrictions for macOS Devices
The purpose of applying policies to managed devices is to ensure the device always remains compliant with CU Anschutz | Denver baseline computing standards, does not pose a risk to the organization, and can be supported efficiently by IT. These policies and restrictions are not meant to hinder workflow in any way. If you believe that a policy outlined below will impact patient care or hinder your workflow and no alternative solution is provided, please submit a ticket to support@medschool.zendesk.com or work with your assigned IT Professional.
macOS Policies (effective March 1, 2025)
Local Account Passwords - Campus baseline computing standard #7 requires that all local account passwords adhere to university password standards. macOS local account passwords must now meet these Jamf requirements:
- Password must be set (No PIN, but Touch ID will be allowed)
- Must contain at least one letter and one number
- Minimum password length is 16 characters
- Must contain at least one special character
- Must reset password every 180 days
- Cannot reuse passwords
A utility called Kerberos SSO has been activated on all managed macOS devices. This tool allows you to sync your local account password with your CU credentials, eliminating the need to remember multiple 16-character passwords. To use this tool, connect to the CU network and click the key icon in the top menu bar.
Screen Inactivity Lock - Campus baseline computing standard #9 requires devices to enable password-protected screen savers and automatic idle session locks. The idle lock will occur after 15 minutes of inactivity, and users will be required to enter their password to log back into the computer.
Firewall Enabled - Campus baseline standard #4 requires devices to have the local firewall enabled. The firewall is now enabled, but incoming connections are not blocked at this time. Stealth mode is not enabled, and users can adjust firewall settings.
Automatic Software Updates - Campus baseline computing standard #1 requires devices to run current, supported software and be set to update this software automatically. The use of operating systems and software that are not being actively updated, are no longer supported by the vendor, or are considered end of life is prohibited. All standard software installed by Jamf is set to update automatically. Operating system updates are deferred so that users have 60 days to install them at their convenience. Outdated operating systems will automatically update unless an operating system exception exists for that device. Rapid Security Responses are also installed automatically.
FileVault Encryption - Campus baseline computing standard #3 requires devices be encrypted with whole disk encryption. This is accomplished by utilizing Apple's native encryption utility, FileVault.
Windows Defender Installation and Configuration - Campus baseline computing standard #5 requires Microsoft Defender to be installed with real-time scanning enabled to prevent, detect, and remove malware or potential vulnerabilities. Windows Defender is installed via Jamf, and real-time scanning settings are applied based on direction from OIT Security Operations.
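The macOS policy items above map onto settings that can be read back from a Mac with built-in commands. The following self-check script is an added example, not ITSS or Jamf code: it runs fdesetup, socketfilterfw and defaults, and compares the output against the thresholds stated on this page (FileVault on, firewall on, idle lock within 15 minutes, automatic update checking on). The command names and output formats are Apple's; treating an unset idle time as non-compliant is an assumption made here, and the sample outputs at the bottom are constructed so the evaluation logic can be exercised on a non-Mac host.

```python
"""Self-check of macOS baseline items against the page's stated thresholds.

Added example (not ITSS/Jamf code). Commands are Apple's built-in tools;
the pass/fail thresholds come from the policy text above.
"""
import re
import subprocess

IDLE_LOCK_MAX_SECONDS = 15 * 60  # page: idle lock after 15 minutes


def parse_filevault(out: str) -> bool:
    # `fdesetup status` prints "FileVault is On." when the disk is encrypted.
    return "FileVault is On" in out


def parse_firewall(out: str) -> bool:
    # `socketfilterfw --getglobalstate` prints "Firewall is enabled. (State = 1)".
    match = re.search(r"State = (\d)", out)
    return bool(match) and match.group(1) != "0"


def parse_idle_time(out: str) -> bool:
    # `defaults -currentHost read com.apple.screensaver idleTime` prints seconds.
    # Assumption: a missing/unparsable value or 0 (never lock) is non-compliant.
    try:
        seconds = int(out.strip())
    except ValueError:
        return False
    return 0 < seconds <= IDLE_LOCK_MAX_SECONDS


def parse_auto_check(out: str) -> bool:
    # `defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled`
    return out.strip() == "1"


# name -> (command, parser, description tied to the campus standard number)
CHECKS = {
    "filevault": (["fdesetup", "status"], parse_filevault,
                  "FileVault whole-disk encryption enabled (standard #3)"),
    "firewall": (["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
                 parse_firewall, "Application firewall enabled (standard #4)"),
    "idle_time": (["defaults", "-currentHost", "read", "com.apple.screensaver", "idleTime"],
                  parse_idle_time, "Idle screen lock within 15 minutes (standard #9)"),
    "auto_check": (["defaults", "read", "/Library/Preferences/com.apple.SoftwareUpdate",
                    "AutomaticCheckEnabled"], parse_auto_check,
                   "Automatic software update checking enabled (standard #1)"),
}


def collect_outputs() -> dict:
    """Run each command on the local Mac; a missing tool counts as empty output."""
    outputs = {}
    for name, (cmd, _parser, _desc) in CHECKS.items():
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
            outputs[name] = proc.stdout
        except (OSError, subprocess.TimeoutExpired):
            outputs[name] = ""
    return outputs


def evaluate(outputs: dict) -> dict:
    """Map raw command outputs onto pass/fail per check."""
    return {name: parser(outputs.get(name, ""))
            for name, (_cmd, parser, _desc) in CHECKS.items()}


def is_compliant(results: dict) -> bool:
    return all(results.values())


def report(results: dict) -> str:
    lines = [f"[{'PASS' if ok else 'FAIL'}] {CHECKS[name][2]}"
             for name, ok in results.items()]
    return "\n".join(lines)


# Constructed sample outputs (not captured from a real device).
COMPLIANT_SAMPLE = {
    "filevault": "FileVault is On.\n",
    "firewall": "Firewall is enabled. (State = 1)\n",
    "idle_time": "900\n",
    "auto_check": "1\n",
}
NONCOMPLIANT_SAMPLE = {
    "filevault": "FileVault is Off.\n",
    "firewall": "Firewall is disabled. (State = 0)\n",
    "idle_time": "1800\n",
    "auto_check": "0\n",
}

if __name__ == "__main__":
    print(report(evaluate(collect_outputs())))
```

Run it as the logged-in user on the Mac being checked; `defaults -currentHost` reads that user's screen-saver setting, so running it under sudo would report a different account's value.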
macOS Restrictions (effective March 1, 2025)
Disabled Settings:
- Family Sharing
- Parental Controls
- Wallet & Apple Pay - This is blocked for user security. Blocking Wallet and Apple Pay will prevent accidental purchases using personal funds. This will also protect sensitive, personal user information when IT is using the device and logged in as the user.
- Allow Classroom to perform AirPlay and View Screen without prompting
- Password Sharing
- Proximity based password sharing
The software listed in the old restrictions will no longer be blocked. Please be aware that certain software in the list is still restricted for university use. However, we are aware that legitimate business cases exist on campus for these restricted applications. Please refer to the campus approved technology list for more details.
Policies/Restrictions for iPadOS Devices
Policies
iPad passcode required - To comply with baseline computing standards for CU, we are requiring devices to be secured with a passcode.
- Passcode must be at least 4 characters long
- Passcode must be changed every 180 days: this matches OIT’s password policy. Because a 4-character passcode is not very secure, it should be changed periodically.
- Cannot reuse the last 12 passcodes
Use of AirPlay without prompting/passcode is disabled - To ensure that sensitive data isn’t accidentally displayed, AirPlay must be used with a passcode.
Voice dialing while device is locked is restricted - This policy prevents unauthorized users from using voice dialing on CU-owned iPads, especially if they have been lost or stolen.
Siri use while device is locked is restricted - This policy prevents unauthorized users from using Siri on CU-owned iPads, especially if they have been lost or stolen.
Connections to Siri servers to improve Siri/dictation or translation are blocked - Apple servers are not approved for storing any CU data, so this is blocked.
Erase all content and settings is blocked - Users can contact IT if they need to wipe their iPad for any reason. This is blocked to prevent data from accidentally being deleted (data is not recoverable once the iPad is erased).
Booting into recovery by an unpaired device is blocked - This policy will prevent our iPads from being wiped if they are lost or stolen.
Proximity based password sharing is blocked
Control Center, Notification history, and today view are all hidden from the lock screen - This will prevent unauthorized users from viewing potentially sensitive data on the lock screen.
Modifying device name is restricted - IT will control the names of the iPads for tracking and support purposes.
Defer software updates for 90 days - Similar to the macOS policy, users will have 90 days to install software updates on iPads. If updates are not installed in 90 days, these updates are forced.
Restricted Software
Find My Friends - This is not necessary to perform work duties and will prevent accidental/unauthorized tracking of our devices.
Apple Wallet
Files app is blocked - Due to the low complexity of the 4-character passcode requirement, access to the file server is blocked on iPads.
Other Information
AirDrop Approval
The Risk and Compliance (RAC) team has approved AirDrop for Confidential Low Impact use. Please see the Data Classifications and Adverse Impact Tables here for more information. An AirDrop Best Practices document can be downloaded from the bottom of this information article.
What is considered "Confidential" data?
This type includes data elements that are usually not disclosed to the public but are less sensitive than highly confidential data. If a legally required and applicable Colorado Open Records Act (CORA) request is submitted, these records may be released.
Some examples include:
- Faculty and staff personnel records, benefits, salaries, performance evaluations and employment applications
- University insurance records
- Donor contact data and non-public gift amounts
- Fundraising data
- Non-public policies
- Internal memos and emails, and non-public reports
- Purchase requisitions, cash records, budgetary plans
- Non-public contacts
- University and employee ID numbers
- Levels 2 and 3 of student data
- Research proposals
- Research plans and results
- Internal/unpublished business documents
What is considered "Low Impact" use?
The potential impact is that a loss of confidentiality, integrity or accountability could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals.
A limited adverse effect might result in:
- Degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the function is noticeably reduced.
- Minor damage to organizational assets.
- Minor financial loss.
- Minor harm to individuals.
Which data is not approved for use with AirDrop?
Below are examples of highly confidential data which should not be transferred via AirDrop:
- Protected health data
- Social Security numbers
- Payment card numbers
- Financial account numbers including university account numbers, student account numbers and faculty and staff direct deposit numbers
- Driver's license numbers
- Levels 4 and 5 of student data
- Grievances/disciplinary action records
- Research proposals, research plans and results subject to International Traffic in Arms Regulations/Export Administration Regulations (ITAR/EAR)
- Controlled Unclassified Information (CUI)
Risk and Compliance (RAC) official message regarding cloud storage
Certain types of cloud storage services, such as Dropbox and iCloud, do not meet university expectations for protecting university data. The risks associated with acquisition of these types of services are significant enough that the services have not been approved for secure and compliant use at this time. This is a result of safeguards that were found to be missing that would normally ensure that security and privacy requirements are followed that protect user accounts and data, and that support implementation of required technology controls. Examples of missing safeguards include the following:
- Missing enterprise (campus-wide) contract. Without a contractual agreement in place, the cloud storage provider will not protect university information and data in accordance with applicable policies, laws, and security frameworks.
- The cloud storage service has not been authorized to store university data.
- Only individuals that are authorized in university policy (Chancellor or designees) may sign and agree to contractual terms associated with cloud storage services.
- The cloud storage service has not been assessed for the implementation of security and compliance protections. Account management, security and compliance safeguards, and university-managed technology support are not in place to ensure that the university has the ability to protect the account and data that would be provisioned by the service provider.
- The university will not have the ability to access personal/non-university owned accounts that have been or will be used to conduct university related business.
- The university will not be able to access data that are stored in personal/non-university accounts that have been or will be used to conduct university related business.
As an alternative to using Dropbox or iCloud, we recommend using OneDrive, which has pre-built safeguards that can be enabled to meet university security and compliance requirements. You may obtain assistance regarding use of OneDrive here. For additional information on how to use OneDrive, please visit this webpage. A representative from IT Risk and Compliance is also available to meet with you to address any additional questions or concerns that you may have about this information. IT Risk and Compliance can be reached at CU-Anschutz-OIT-Risk-And-Compliance@cuanschutz.edu.