
How to Maintain Encryption Compliance

Department heads working with their Information Security Administrator (ISA) and/or Desktop Support Associate (DSA) are required to ensure that computers under their purview are encrypted in accordance with institutional requirements and standards. All department heads, ISAs and DSAs can check the latest compliance for their department by logging on to ISO-BRIDGE (https://isobridge.uta.edu, available from on-campus networks or VPN). If an ISA, DSA or other authorized user does not have the necessary permissions to ISO-BRIDGE, please contact the ISO at security@uta.edu.

Please access the "Encryption Compliance Calculation" website for details on how full disk compliance is calculated for university owned computers.

Computers in Scope for Full Disk Encryption (see the Full Disk Encryption page for additional details)

  • Laptops: All university owned laptops must be encrypted. Devices that may be tablets, but run a typical laptop operating system, are considered to be a laptop for compliance calculations (e.g., the Dell Surface Pro tablets run Windows OS).

  • Desktops: All University owned desktops purchased after September 1, 2013, any identified by the department head as being high risk, and any OIT reimaged desktops must be encrypted.

  • Mobile Devices: All university owned mobile devices (non-Windows OS tablets, phones, etc.)

  • Personal devices: Users who have permission to store University data must meet the same security configuration specifications. (See Personal Full Disk Encryption). Note that encryption compliance of personally owned devices is not monitored and licensed encryption software is not available for these systems.

Approved Encryption Management Software for University Owned Computers

  • SecureDoc: SecureDoc is the primary method for encrypting most computer assets.

  • Jamf/FileVault 2:  Apple Macs can now be managed by Jamf and encrypted using the native FileVault 2 encryption. Encryption Status is reported to Jamf daily, or upon the next logon.

  • Key Ring/Apple Ring: Internally developed key management applications that will allow the use of native BitLocker encryption for Windows devices, and FileVault 2 encryption for Apple devices, and that will safely escrow encryption keys. These applications were developed as a temporary solution to allow for encryption of devices that could not be encrypted using SecureDoc.

  • Airwatch MDM Solution:  Approved method to protect university owned mobile devices. 

  • Encryption Exceptions:  Approved Encryption Exceptions are recorded in the https://isobridge.uta.edu compliance site, and are considered compliant if all risk mitigation requirements are met (e.g., cable locks, DeepFreeze if required).  Exceptions will be set to expire after 1 year, at which point they will need to be reviewed.

Encryption Exceptions

Encryption Exceptions are granted on a case-by-case basis, especially where verifiable compensating controls such as DeepFreeze exist.  Requests may be made by sending "Form 18-1 Computing Device Encryption Exception Request" to the ISO at security@uta.edu. DeepFreeze status will be uploaded to the https://isobridge.uta.edu compliance site once a month.

Non-Compliance Caused by Orphan Devices

ISOBridge links the UTA Asset number from property management to the computer name that reports from the various data sources.  Sometimes an asset number may not report compliant because it is considered an "Orphan."  Orphans in ISOBridge are created when there is more than one computer name in the system for the same asset tag number, or when they are not yet reconciled with the asset management list of devices.  To ensure the correct compliance is reported, orphans must be "claimed" to link the correct name to the asset tag number.  For instructions to claim an orphan device see the Claiming an Orphan in ISOBridge page.

ISO-BRIDGE Compliance Data Feed Update Schedule

  • SecureDoc: Encryption status is automatically uploaded to the https://isobridge.uta.edu compliance site 3 times a day.

  • Jamf/FileVault 2:  The FileVault2 encryption status and Mac DeepFreeze status will be manually uploaded from Jamf to the https://isobridge.uta.edu compliance site weekly.

  • Key Ring/Apple Ring:  Key Ring and Apple Ring managed devices report automatically to the https://isobridge.uta.edu compliance site.

  • Encryption Exceptions:  Exceptions are entered into https://isobridge.uta.edu as they are approved.

  • Airwatch MDM Solution:  Airwatch compliance statistics will be manually uploaded to the https://isobridge.uta.edu site on a weekly basis.

  • DeepFreeze:   DeepFreeze status will be manually uploaded into https://isobridge.uta.edu on a monthly basis.

  • Computer Asset List:  Asset lists will be manually uploaded from UT Share to the https://isobridge.uta.edu site on a monthly basis.

How to maintain compliance

Encryption compliance requires devices to "check in" at least once every 120 days.  This is to show that they are still active devices and are still encrypted. For details on how compliance is calculated see the Encryption Compliance Calculation page.

Listed below are ways to ensure your devices regularly check in based on device and encryption types.

Windows Desktops or Laptops Running SecureDoc

1. Best results are obtained by regularly connecting the unit to the campus wired Ethernet with wireless disabled.
2. Go to the task bar and right click on the SecureDoc icon:

   [Image: SecureDoc icon]
3. Select "communicate with server".
4. Wait for a pop-up message stating "SecureDoc communicated to Server successfully".

Apple Macintosh Computers Running SecureDoc

1. Best results are obtained by regularly connecting the unit to the campus wired Ethernet with wireless disabled.
2. Locate the SecureDoc icon for the SecureDoc Control Center, a rectangular icon with a key that should be available on the upper right hand side of your Status Menu bar:

   [Image: SecureDoc icon]
3. Right click on the icon.
4. Select "communicate with server".
5. Wait for a pop-up message stating "SecureDoc communicated to Server successfully".

Apple Macintosh Computers Using FileVault2 with JAMF

1. Best results are obtained by regularly connecting the unit to the campus wired Ethernet with wireless disabled.
2. Power up the unit and log in.
3. Leave the unit plugged in for an hour.

OSA Encrypted Computers

1. After making sure that the computer is connected to a network, power off the computer, then power it on.
2. Log on past the SecureDoc login screen.

Windows BitLocker Encrypted Devices using KeyRing Key Escrowing

1. These devices require SCCM to be installed for reporting compliance.
2. Best results are obtained by regularly connecting the unit to the campus wired Ethernet with wireless disabled.
3. Power up the unit and log in.
4. Leave the unit plugged in for an hour.

Devices Not on Campus

1. Users will need to VPN into UT Arlington’s network to allow communication as described above.
2. Description: Cisco VPN AnyConnect client is used to connect to UTA VPN on most platforms, including 64-bit operating systems.
3. How to Get: Click on the link to sign in with your UTA NetID and Password and begin installation.
   Direct link: https://vpn.uta.edu
4. How to Use:
  • Browse to https://vpn.uta.edu from an off-campus network connection.
  • Enter your NetID (in all lower case letters) and Password. You may need to put uta\ in front of your NetID.
  • Follow the on-screen instructions.