Managed Device Strategy


The Michigan Medicine community depends on computing services for all aspects of research, education, clinical, and administrative work. HITS strives to continuously improve our managed devices to support innovation and teamwork. Yet, in the face of increasing cybersecurity threats, we must also take steps to keep the enterprise safe while using these devices.

What is Michigan Medicine’s Device Strategy?

  • Michigan Medicine resources are only accessible from a managed device or virtual desktop connection. 

  • All faculty, staff, and learners get access to a Michigan Medicine-provided device that includes managed software and security updates, printing, privileged network access, and lifecycle management.  

To achieve this strategy, we will first reduce, and eventually eliminate, support for unmanaged devices by 2025. Efforts will be focused on four key areas: 

  • Technology Advancements for Modern Tooling: Provide modern tools that allow the Michigan Medicine community to accomplish their work in an increasingly hybrid/remote work environment. 

  • Access to Managed Devices: Provide secure, managed devices to all faculty, staff, and learners. 

  • Reducing Risk: Limit the devices and accounts connecting to our network and the risk they present. 

  • Emergency Planning: Ensure our ability to recover critical assets in the event of an emergency.  

Technology Advancements for Modern Tooling

  • CoreImage Modernization: Improve the user experience of our managed Windows device service by offering more self-service options for getting new devices and making routine changes, like adding printers or installing software: 

    • Adding Printers: HITS has introduced a new application that allows you to add, remove, and modify printers without contacting the HITS Service Desk.
    • CoreImage devices and Software Distribution: Allow users to install common applications without needing to contact the Service Desk, and streamline the device setup process.
    • Asset management: Reduce complexity and decrease support workload by reducing the manual data entry and updates required for asset tracking of CoreImage devices.
    • IP Address Management (IPAM): IPAM functionality will move from the retiring CWDB (a custom solution built on PHP) to the recently deployed Infoblox, which provides DNS and DHCP server capability.
  • Privilege Management (EPM): Provides administrative access on managed devices only, so that elevation is granted just in time and for a limited period rather than as standing administrator rights.

Access to Managed Devices

  • Faculty and student device program: Distribute managed devices to historically undermanaged areas.

Reducing Risk

  • Appropriate access for non-Michigan Medicine employees: Limit the amount and scope of IT accounts for sponsored accounts (e.g., contractors, vendors). 

  • Access to VPN: Limit VPN access to authorized (managed) devices. Non-managed and BYOD devices will instead use Windows Virtual Desktop.

Emergency Planning

  • Identify, inventory, and assign ownership of Critical Assets
    • Information Assurance staff will require departmental help in identifying, cataloging, and managing Critical Assets.
    • Critical Assets extend the Continuity of Operations Plan (COOP): they are the assets necessary to provide a COOP Critical Function (e.g., a refrigerator for medical specimens needs electrical power).
  • Improve/expand IT vulnerability scanning
    • Scanning will move to a more reliable process (credentialed scanning, in which the scanner authenticates to each host instead of probing it from the outside).
    • Scanning will expand beyond the public IP space to cover internal address space as well. This is expected to uncover a significant number of vulnerabilities that system owners will need to own and remediate.
    • Response activities will be phased to minimize organizational impact.
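The Emergency Planning items above describe three data sets that have to line up before a phased response is possible: the Critical Asset inventory with its owners, credentialed scan results, and the internal address space that expanded scanning adds. The script below is an added example, not HITS tooling: it joins constructed scan findings to a constructed inventory, flags findings on hosts with no owner on record and findings the scanner could not confirm with credentials, and assigns the rest to remediation phases. The host names, owners, CVSS values and phase thresholds are assumptions chosen for illustration.

```python
"""Triage vulnerability-scan findings against a critical-asset inventory.

Added example, not HITS tooling: the host names, owners, findings and the
phase thresholds are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed critical-asset inventory: host -> (owner, critical?).
# "critical" means the asset supports a COOP Critical Function.
INVENTORY = {
    "specimen-fridge-ctl": ("Pathology", True),
    "lab-ws-17": ("Research Lab A", False),
    "web-portal": ("HITS Web", True),
}

# Constructed scan findings. "credentialed" records whether the scanner
# authenticated to the host. 198.51.100.0/24 is documentation address space
# standing in for a public address.
FINDINGS = [
    {"host": "specimen-fridge-ctl", "ip": "10.20.5.14",   "cvss": 9.8, "credentialed": True,  "plugin": "outdated-firmware"},
    {"host": "lab-ws-17",           "ip": "10.30.1.7",    "cvss": 7.5, "credentialed": True,  "plugin": "missing-os-patch"},
    {"host": "web-portal",          "ip": "198.51.100.8", "cvss": 5.3, "credentialed": False, "plugin": "tls-weak-cipher"},
    {"host": "orphan-nas",          "ip": "10.40.9.2",    "cvss": 8.1, "credentialed": True,  "plugin": "default-credentials"},
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses, the space that expanded scanning newly covers."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def assign_phase(cvss: float, critical: bool) -> int:
    """Map a finding to a remediation phase (1 = first).

    Thresholds are illustrative: high-severity findings on COOP-critical
    assets go first so staging the response does not leave those systems
    exposed; either high severity or criticality alone goes second.
    """
    if critical and cvss >= 7.0:
        return 1
    if critical or cvss >= 7.0:
        return 2
    return 3


def triage(findings, inventory):
    """Return (phases, unowned, unauthenticated).

    phases:          phase number -> list of (owner, host, plugin, scope)
    unowned:         hosts missing from the inventory, so nobody can remediate them
    unauthenticated: hosts whose findings came from an unauthenticated scan and
                     should be re-scanned with credentials (still phased, not dropped)
    """
    phases = defaultdict(list)
    unowned, unauthenticated = [], []
    for f in findings:
        if not f["credentialed"]:
            unauthenticated.append(f["host"])
        entry = inventory.get(f["host"])
        if entry is None:
            unowned.append(f["host"])
            continue
        owner, critical = entry
        scope = "internal" if is_internal(f["ip"]) else "public"
        phases[assign_phase(f["cvss"], critical)].append((owner, f["host"], f["plugin"], scope))
    return dict(phases), unowned, unauthenticated


if __name__ == "__main__":
    phases, unowned, unauth = triage(FINDINGS, INVENTORY)
    for n in sorted(phases):
        print(f"Phase {n}:")
        for owner, host, plugin, scope in phases[n]:
            print(f"  {owner:<15} {host:<22} {plugin} ({scope})")
    print("No owner on record:", unowned)
    print("Unauthenticated, re-scan with credentials:", unauth)
```

The two lists the script prints last are the ones to act on before any phase starts: an unowned finding has no one to remediate it, which is exactly the gap the Critical Asset inventory work is meant to close, and an unauthenticated result on a critical asset is not reliable enough to schedule a change window against.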

Frequently Asked Questions

Will CoreMac support continue?

Yes. Initial plans primarily focus on the majority PC fleet, and do not include changes to CoreMac support. 

Certain services may not be as fully featured for CoreMac users. While HITS continues to enable ways of connecting to services on unmanaged devices (e.g., Windows Virtual Desktop, web-based interfaces), it will become increasingly difficult to work within our protected environment on an unmanaged device.  

How will the Michigan Medicine community be engaged in this work?

HITS will partner with multiple stakeholders throughout this effort to ensure all aspects of these changes are considered. IT-aligned faculty will help evaluate technical solutions, ITS and vendor partners will serve as collaborators, and HITS will connect with peers to learn how they addressed similar challenges.

Can I use a personally-owned device at Michigan Medicine? What can I access with it?

The goal of the CoreImage Modernization Program is to provide a safe and secure managed device to every faculty, staff, and learner. While it will become increasingly difficult to work within our protected environment on an unmanaged device, you may use a personally-owned Windows or Mac device to connect to the eduroam wireless network or to use Windows Virtual Desktop (WVD). For more information on how HITS supports personally owned devices, please visit michmed.org/byod.

What types of managed devices are offered by Michigan Medicine?

The Michigan Medicine managed device service includes several options:   

  • CoreImage PC – Personally assigned or shared Windows laptops and desktops

  • CoreMac – Personally assigned or shared Mac laptops and desktops

  • Kiosk PC – Shared/walk-up devices deployed across the enterprise

  • Flex PC for Research – Windows desktops configured specifically for researchers

  • Linux for Research – Provides essential software on a secure Linux OS for research computing

  • Windows Virtual Desktop – Remote access to Michigan Medicine resources from any computer or browser, without the need for VPN.

How do I get a device managed by Michigan Medicine?

If you have a device that is not managed by Michigan Medicine and you would like to be able to connect to Michigan Medicine secured networks and/or store sensitive data, please refer to this article for more information on your options.