Device Classification and Administrative Access Policy

1.0 Introduction 

This policy defines how computer devices at Aberystwyth University are classified into one of several groups. These groups have varying levels of centralised management and end-user control, with the aim to increase the University’s overall Cyber Security posture and compliance whilst also providing flexible options for staff performing research and duties that would otherwise not be compatible with a fully managed endpoint service. 

2.0 Administrative Access 

Administrative access to AU owned and managed devices is typically not available, but exceptions can be made if no other solution is appropriate for the type of work being carried out. For example, administrative access may be required for staff who frequently travel to workshops or conferences, or who are managing externally attached scientific hardware. 

Requests for administrative access must be submitted via the Microsoft Form, and approval from both the requestor’s Line Manager and Information Services must be obtained before access is granted. Prior to granting administrative access, Information Services will work with the requestor to identify whether alternative solutions that do not involve administrative access would be appropriate. 

Requests will not be unduly withheld, and best efforts will be made to ensure that a solution is delivered within a timely manner. The Director of Information Services, or nominated representative, must be satisfied that there is no other viable alternative than providing administrative access. Every request will be evaluated on a case-by-case basis, and a risk-based approach will be used when considering requests.   

To ensure that solutions are delivered within the required timeframe, staff are requested to begin engaging with Information Services on their request as early as possible. 

All requests must include written justification outlining why administrative access is required. Examples of such justification include, but are not limited to: 

  • The need to install specialist software at short notice (e.g., working at a remote site), where centralised installation by Information Services would be impractical.
  • The need to continuously manage system settings or software (e.g., instrumentation devices connected to specialised laboratory equipment).
  • Research or academic outcomes that cannot be achieved by any means other than granting administrative access.

Administrative access must be requested on a per-user per-machine basis and will be reviewed annually to ensure that it is still required. 

2.1 Terms of Use – Administrative Access 

Administrative access MUST only be used to carry out duties outlined in the original request for administrative access. If the reason for requiring administrative access changes substantially from what was originally requested, another request must be made.  

Examples of inappropriate use of administrative credentials include, but are not limited to: 

  • Attempting to remove the device from centralised management (Intune, Jamf, InSalt).
  • Attempting to circumvent security measures (e.g., changing Microsoft Defender settings).
  • In the case of shared devices, attempting to access the user profile data of other users without their prior consent.

Administrative access is a privilege, not a right, and can be revoked by Information Services at any time if it is identified that such access is being abused. Any abuses of such access will be escalated via the appropriate HR and IS disciplinary procedures.  

Devices must comply with other Information Services regulations and policies regardless of their level of management, including: 

  • Anti-malware Policy 
  • Vulnerability Management Policy 

3.0 Classification Definitions 

PAU Fully Managed 

The default categorisation for all devices owned by the University. Suitable for many academic and clerical staff, these devices are fully controlled by Information Services and the responsibility for ensuring their security and updates is centralised.  

PAU Partially Managed 

These devices start life as PAU Fully Managed, but staff can be granted administrative access via LAPS following the approval process outlined in 2.0.  

PAU Self-Managed 

These are devices which have no centralised management by Information Services. Prior approval to have a device ‘self-managed’ must be sought from Information Services via a request to the IS Helpdesk. Devices in this category will have restricted access to sensitive corporate data (e.g., ABW and AStRA), and are only to be used for academic or research purposes. Personal or sensitive data must not be accessed, stored, or processed on these devices. 

Appropriate uses for this device category include: 

  • Devices used solely for one specialised purpose which does not involve processing personal or commercially sensitive information.
  • Devices which do not require Cyber Essentials compliance.
  • Devices which do not require any network access.

Research (CE Compliant) 

These devices are in a special category where a researcher requires administrative access to perform their duties, but the device also requires Cyber Essentials certification. Every such case will be carefully evaluated on a case-by-case basis and discussed with a member of Information Services’ Cyber Security Team. Please contact cybersecurity@aber.ac.uk if you believe your device falls into this category. 

Teaching Laboratory Devices 

These are devices which are used in a teaching setting and do not form part of the University’s centralised “PSV” (Public Service) infrastructure. For example, these may be Raspberry Pi computers used in practical sessions. Personal or commercially sensitive data must not be accessed, stored, or processed on these devices. Information Services staff will be happy to assist departmental technicians in correctly configuring these devices on the network. 

PAU Instrumentation – Managed 

Devices in this category are typically found in research laboratories and are connected to specialist pieces of scientific equipment. Some of these devices may be suitable for full management by Information Services, but this will often depend on many factors, including the software and driver requirements of the associated hardware.  

Devices in this category must have an up-to-date and supported operating system. Internet access and access to some internal resources will be permitted. 

Appropriate uses for this category include: 

  • Devices as part of an embedded system or appliance (e.g., a computer delivered by a supplier of a scientific piece of laboratory equipment)

PAU Instrumentation – Self-managed 

Categorisation is as above; however, devices in this category may also: 

  • Require the use of unsupported or outdated operating systems (e.g., Windows XP)
  • Be unable to be centrally managed (cannot be joined to an Active Directory Domain, for example)
  • Have other requirements whereby the centralised management or Information Services’ implementation of security policies would impact the use of the attached equipment.

These devices will have extremely limited internal network access, and no internet access. 

BYOD (Bring Your Own Device) 

These devices are those solely owned by an individual, and not purchased by the University or with any external grant issued to the University. Examples of such devices may include personal mobile phones, laptops, and tablets. 

It is not acceptable to purchase a device for University use, using University money, and then classify it as ‘Bring Your Own Device’. All devices owned by the University must fall into one of the above categories so that they can be inventoried and tracked by Information Services for compliance and reporting purposes.  

Devices in this category will get full internet access, and some access to internal resources. Some internal resources will require the use of the GlobalProtect VPN to access them from these devices, even when connected to eduroam. 

4.0 Device Classifications 

Classification                | CE Compliant | Admin Access | Central Replacement | IS Supported | Example Devices 
------------------------------|--------------|--------------|---------------------|--------------|----------------
PAU Managed (Default)         | Yes          | No           | Yes                 | Full         | Standard staff laptops, lecture theatre PCs, etc. 
PAU Partially Managed         | No           | Ad-hoc       | Yes                 | Partial      | AU owned devices where on-demand, temporary administrative access is granted to staff to install specialist software 
PAU Self-Managed              | No           | Yes          | No                  | None         | Specialised staff devices, e.g., Linux devices, or research devices with specialist software requirements 
Teaching Labs                 | No           | Yes          | No                  | None         | Raspberry Pi devices, robots, etc. 
PAU Managed Instrumentation   | Yes          | Yes          | No                  | Partial      | Devices connected to instruments that run current, supported operating systems and software 
PAU Unmanaged Instrumentation | No           | Yes          | No                  | None         | Devices connected to instruments that cannot run supported operating systems or software 
Research (CE Compliant)       | Yes          | Ad-hoc       | No                  | Partial      | Devices which are not compliant with AU policies but require Cyber Essentials certification. These devices must be assessed on a case-by-case basis. 
BYOD                          | No           | Yes          | No                  | None         | Devices owned by staff, students 