Summary: For groups with an active desktop support MOU with SOM ITSS, all new iPad devices purchased with CU funds will be automatically enrolled in Jamf starting March 1, 2024.
Background
What is Jamf?
Jamf is one of the most widely used Apple MDM (mobile device management) solutions. It lets IT manage and secure Apple devices running macOS, iPadOS, and iOS. OIT does not currently operate a system for managing Apple devices, so each IT department is responsible for setting up and configuring its own. ITSS is one of 10 groups on campus using Jamf to manage its Apple devices.
Why do we need Jamf?
Before Jamf, IT would procure, set up, and deploy Apple devices, but once a device was deployed IT had no visibility into it. We could not guarantee ongoing security or HIPAA compliance without physically handling the device. That is not a feasible way to manage devices and leaves the University at risk of a security breach.
All computers and mobile devices that are owned by an institution or corporation should be fully managed by the IT staff for that organization. This device management ensures that data owned by the institution is secure and the device itself remains compliant based on organization and legal requirements.
The implementation of Jamf also alleviates issues that IT struggles with while supporting Apple devices. These issues are discussed more in-depth in the policy section of this document.
Policies/Restrictions
The purpose of applying policies to managed devices is to keep each device compliant with CU security standards, ensure it poses no risk to the organization, and streamline IT support for it. These policies and restrictions are not meant to hinder workflow. If you believe a policy outlined below will impact patient care or hinder your workflow without an alternative being available, see the Exception section at the end of this document.
Policies
iPad passcode required: For our devices to be HIPAA-compliant, they must have a passcode.
The passcode must be at least 4 characters long.
The passcode must be changed every 180 days: We are matching OIT's password policy. A 4-character passcode offers little resistance to guessing (a 4-digit PIN has only 10,000 possible values), so it should be changed periodically. Rotation limits how long an observed passcode remains valid; it does not make a short passcode harder to guess, which is why the lock-screen and data-access restrictions below also apply.
Cannot reuse the last 12 passcodes: We are matching OIT's password policy.
AirPlay without a prompt/passcode is disabled: To ensure that sensitive data is not accidentally displayed on a nearby screen, AirPlay connections require a pairing passcode.
AirDrop is blocked: The privacy of AirDrop transfers is in question. Researchers have shown, and Chinese authorities have claimed to exploit, that the hashed phone numbers and e-mail addresses AirDrop exchanges while discovering nearby devices can be brute-forced to identify the people involved in a transfer. AirDrop will remain blocked until Apple addresses this.
Voice dialing while the device is locked is restricted: We do not want unauthorized users utilizing voice dialing on CU-owned iPads, especially if they have been lost or stolen.
Siri use while the device is locked is restricted: We do not want unauthorized users utilizing Siri on CU-owned iPads, especially if they have been lost or stolen.
Connections to Siri servers to improve Siri/dictation or translation are blocked: This sends voice and text data to Apple's servers, which are not approved for storing any CU data, so it is blocked.
Erase All Content and Settings is blocked: Users can contact IT if they need their iPad wiped for any reason. This is blocked to prevent data from being deleted accidentally; data is not recoverable once an iPad is erased.
Find My Friends (now the People tab in Find My) is disabled: This is not necessary to perform work duties, and disabling it prevents accidental or unauthorized tracking of our devices.
Booting into recovery from an unpaired device is blocked: This prevents someone with physical access to a lost or stolen iPad from putting it into recovery mode from an unpaired computer and wiping it.
Proximity-based password sharing is blocked.
Use of Apple Wallet and all Apple Wallet notifications are blocked.
Control Center, notification history, and Today View are hidden from the lock screen: This prevents unauthorized users from viewing data on the lock screen without unlocking the device.
Files app is blocked: Because a 4-character passcode offers little protection if a device is lost or stolen, access to file servers through the Files app is blocked on iPads.
Modifying device names is restricted: IT will control the names of the iPads for tracking and support purposes.
Software updates can be deferred for 90 days: Similar to the macOS policy, users have 90 days to install a software update after it is released. Updates not installed within 90 days are forced.
Purchasing Apps:
Enrolling iPads in Jamf also allows users to purchase iOS apps using a SpeedType. Users who sign in to their iPad with a personal Apple ID can still purchase apps with personal funds. All work-related apps purchased with a SpeedType must go through IT. Under University policy, we cannot reimburse work apps purchased with personal funds.
Exception:
We are confident that these policies and restrictions will not interfere with any work duties, so a Jamf exception for iOS devices will not be necessary. If there are specific use cases that our policies interfere with, we are happy to work with those users individually to find a solution that works best for them.