Introduction
On May 15, 2009, UAB approved the Portable Computing Security Initiative – Laptop Standard, found at: http://main.uab.edu/Sites/it/documents/63069.pdf. This policy defines acceptable configurations for both UAB-owned and personally owned laptops that are used to conduct UAB Business (as defined within the policy). The policy requires that all such laptops meet certain technical specifications regarding disk encryption, antivirus, and password configuration.
Users who wish to use personal laptops for UAB Business are required to take the necessary steps to bring their laptops into compliance with the policy and then obtain departmental approval for their device prior to using it for UAB Business.
These documents are provided as a guide for the steps necessary to bring your personal laptop into compliance with the policy. They are intended only as an overview and not as a definitive step-by-step procedure, since there are many variants of the Mac OS and your personal configuration could slightly change the appearance or steps required. If you have questions specific to your machine, please contact your local IT staff for assistance.
UAB IT has also produced a series of videos documenting how to perform these steps. You may access them at http://main.uab.edu/Sites/it/internal/all/information-security/60079/
Procedure Overview
The steps you will need to perform are outlined below.
- Perform Apple Software Update
- Verify/Obtain Current Antivirus Software
- Configure Your Screensaver
- Verify You are Using a Strong Password
- Back Up Your Laptop
- Encrypt Your Laptop
- Obtain Departmental Approval for UAB Business
Step 1. Perform Apple Software Update
Ensure that your system has received all of the latest updates from Apple. You can run Apple Software Update by clicking the Apple menu -> Software Update. Make sure that any new software available has been installed before proceeding.
Step 2. Verify/Obtain Current Antivirus Software
The policy requires that all laptops conducting UAB Business run current antivirus software. If you are already running antivirus software, verify that you have the latest set of virus definitions. If you need to obtain antivirus software, UAB will provide Sophos Antivirus for Mac free-of-charge. You may download Sophos at http://main.uab.edu/Sites/it/internal/all/software-library/antivirus/
Step 3. Configure your Screensaver
The policy requires a screensaver that locks and requires a password after no more than 15 minutes of inactivity. To configure a screensaver in Mac OS, click the Apple menu -> System Preferences... -> Desktop & Screen Saver. Choose the Screen Saver tab and set the “Start screen saver” slider to 15. To configure your Mac to require a password to wake from the screen saver, choose the Security option in the System Preferences window. Within the Security window, the following options should be enabled:
- Require password to wake this computer from sleep or screen saver
- Disable automatic login
- Use secure virtual memory
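For IT staff confirming the Step 3 settings during the approval check, the same requirements can be read from the command line. This is an added example, not part of UAB's documentation; the preference domains and keys it reads (com.apple.screensaver idleTime and askForPassword, com.apple.loginwindow autoLoginUser, com.apple.virtualMemory UseEncryptedSwap) are assumptions for Mac OS X 10.5-era systems and should be confirmed on the version being audited.

```shell
#!/bin/sh
# Added example: audit of the Step 3 settings (not UAB's own tooling).
# Preference domains and keys are assumptions for Mac OS X 10.5-era
# systems; confirm them on the OS version being audited.

MAX_IDLE=900   # policy ceiling: 15 minutes, in seconds
FAILS=0

# idle_ok SECONDS: true only for 1..MAX_IDLE (0 or unset means "never")
idle_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ] && [ "$1" -le "$MAX_IDLE" ]
}

# flag_on VALUE: true if a defaults boolean reads as enabled
flag_on() {
    case "$1" in 1|true|YES) return 0 ;; *) return 1 ;; esac
}

check() {   # check LABEL COMMAND [ARGS...]: print result, count failures
    label=$1; shift
    if "$@"; then echo "PASS  $label"
    else echo "FAIL  $label"; FAILS=$((FAILS + 1)); fi
}

# evaluate IDLE ASKPW AUTOLOGIN_USER ENCRYPTED_SWAP
evaluate() {
    FAILS=0
    check "screen saver starts within 15 minutes" idle_ok "$1"
    check "password required to wake" flag_on "$2"
    check "automatic login disabled" [ -z "$3" ]
    check "secure virtual memory enabled" flag_on "$4"
    [ "$FAILS" -eq 0 ]
}

read_pref() {   # read_pref DOMAIN KEY: per-host value first, then plain read
    defaults -currentHost read "$1" "$2" 2>/dev/null ||
        defaults read "$1" "$2" 2>/dev/null
}

# Only query live settings where the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    evaluate "$(read_pref com.apple.screensaver idleTime)" \
             "$(read_pref com.apple.screensaver askForPassword)" \
             "$(read_pref /Library/Preferences/com.apple.loginwindow autoLoginUser)" \
             "$(read_pref /Library/Preferences/com.apple.virtualMemory UseEncryptedSwap)" ||
        echo "$FAILS setting(s) out of compliance"
fi
```

Run it as the account that will be used for UAB Business, since the screen saver settings are stored per user.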
Step 4. Verify You are Using a Strong Password
The policy requires that the user accounts on the laptop have a strong password. UAB has published guidance about strong passwords at http://main.uab.edu/Sites/it/faqs/49118/
Step 5. Back Up your Laptop
You should always back up your laptop before starting encryption. There are many ways to back up a laptop. Options include backing up to an external hard drive such as a Seagate FreeAgent (most of these products come with backup software), using an online backup service such as Mozy, or transferring your files over a network to another computer.
Step 6. Encrypt your Laptop
Note: To perform this step, you should have an active Internet connection and be connected to an AC power source.
UAB has approved two data encryption mechanisms for the Mac OS platform, and their recommendation varies depending on the type of hardware you have. Users with Intel-based Macs should use PGP Whole Disk Encryption. If you have an older Mac model with a PowerPC processor, you should use FileVault.
Mac PGP Whole Disk Encryption
Caveat: UAB IT has advised that Mac users who encrypt with PGP Whole Disk Encryption should not upgrade to OS X 10.6 until UAB IT has had time to validate PGP Whole Disk Encryption on that version of the OS.
Please see UAB IT's Mac PGP Whole Disk Encryption documentation which can be found at: http://main.uab.edu/Sites/it/faqs/58672/. This page includes system requirements, limitations, and step-by-step procedures.
Note that in Step 8 of that document, you are asked to enter your BlazerID and password in the PGP Enrollment dialog box. This step will register your copy of the PGP Software with UAB (for license tracking purposes) and will allow the AskIT helpdesk to help you perform a recovery of your laptop in the event that you forget your password. In Step 10 of the PGP installation procedure and Step 3 of the Disk Encryption procedure, you are again asked for a username and password. In both cases you should use the username and password that you use to log into your laptop. This is the password that PGP will use for decrypting the hard drive once it is encrypted.
Mac OS FileVault (PowerPC Macs Only)
Please see the documentation that UAB has provided concerning the appropriate configuration of the FileVault software for compliance with the policy. The system requirements, limitations, and step-by-step procedure can be found at http://main.uab.edu/Sites/it/faqs/55621/.
Step 7. Obtain Departmental Approval for UAB Business
Once you have completed the steps above, you will need to present your laptop to your local IT staff to receive confirmation that it is configured correctly and approval to use the laptop for UAB Business. Your IT staff is required to keep an inventory of all laptops being used for UAB Business, and they will collect information such as your MAC addresses, serial number, model number, and the type of UAB Business performed with the laptop. You may also be asked to present your laptop for a compliance audit at regular intervals in the future.