
How to Maintain Encryption Compliance


Background

Department heads, working with their Information Security Administrator (ISA) and/or Desktop Support Associate (DSA), are required to ensure that computers under their purview are encrypted in accordance with institutional requirements and standards. All department heads, ISAs and DSAs can check the latest compliance figures for their department by logging onto ISO-BRIDGE (https://isobridge.uta.edu, available from on-campus networks or VPN). If an ISA, DSA or other authorized user does not have the necessary permissions for ISO-BRIDGE, please contact the ISO at security@uta.edu.

Please access the "Encryption Compliance Calculation" website for details on how full disk compliance is calculated for university owned computers.

Computers in Scope for Full Disk Encryption (see the Full Disk Encryption page for additional details)

  • Laptops: All university owned laptops must be encrypted. Devices that may be tablets but run a typical laptop operating system are considered laptops for compliance calculations (e.g. the Dell Surface Pro tablets run Windows OS).

  • Desktops: All University owned desktops purchased after September 1, 2013, any identified by the department head as being high risk, and any OIT reimaged desktops must be encrypted.

  • Mobile Devices: All university owned mobile devices (non-Windows OS tablets, phones, etc.) must be encrypted.

  • Personal devices: Users who have permission to store University data must meet the same security configuration specifications (see Personal Full Disk Encryption). Note that encryption compliance of personally owned devices is not monitored, and licensed encryption software is not available for these systems.

Typical Reasons why Devices are not Compliant

The Encryption Compliance and Management portion of ISO Bridge (https://isobridge.uta.edu) gives a status for compliance. It uses asset data from UT Share as the basis for compliance and then compares it against the various encryption management systems (e.g. SecureDoc, JAMF, etc.) or our encryption exception database to verify compliance.

Note that any discrepancy that exists in UT Share on asset cost-center ownership, device form factor or physical location will be reflected in ISO Bridge. To correct this, please contact Property Management (property_management@uta.edu).

There are several reasons why a device may appear non-compliant.

  1. Devices are not encrypted using approved encryption methods.

  2. Devices have not checked in or communicated encryption status within the past 120 days. This typically occurs with computers that are not turned on frequently.

  3. Devices have not received an approved exception from ISO.

  4. Devices that have received an exception with Deep Freeze software as a compensating control are not communicating with the Deep Freeze console to verify implementation.

  5. Devices have been surplused but paperwork not completed or misfiled. To correct this, please contact Property Management (property_management@uta.edu).

  6. Devices are lost, stolen or otherwise not accounted for.

  7. “Orphaned” computers – computers that are verified as encrypted in the encryption management system – are not linked to UT Share assets because computer naming conventions are not followed.

Non-Compliance Caused by Orphan Devices:

ISO Bridge automatically links the UTA Asset number from UT Share to the asset tag number that is included in the computer name of a computer. The various managed encryption systems are used as data sources; each lists the computer names it manages together with their encryption status.

Sometimes an asset number may not report compliant because it is considered an "Orphan."  Orphans in ISO Bridge are created:

  • When they are not yet reconciled with the UT Share asset management list of devices, or 
  • When there is more than one computer name in the system for the same asset tag number (this can occur due to a typo or reimaged computer).

To ensure the correct compliance is reported, orphans must be "claimed" to link the correct name to the asset tag number. For instructions to claim an orphan device, see the Claiming an Orphan in ISO Bridge page.
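The linking and orphan rules described above, as an added Python example that is not ISO Bridge's own code: records from the encryption systems are matched to the asset list by the asset tag embedded in the computer name, a tag with no asset-list entry or with more than one computer name becomes an orphan, and a "claim" resolves a duplicate by naming the authoritative computer name. The naming convention (a run of six or more digits), the asset list and the computer names are constructed assumptions for illustration; the page does not describe ISO Bridge's matching beyond what is stated above.

```python
import re

# Assumption (not stated on the page): the computer name embeds the asset tag as a
# run of six or more digits, e.g. "ENGR-LT-0123456". Adjust to the real convention.
ASSET_TAG_RE = re.compile(r"(\d{6,})")


def asset_tag_from_name(computer_name):
    """Return the asset tag embedded in a computer name, or None if the name
    does not follow the (assumed) naming convention."""
    match = ASSET_TAG_RE.search(computer_name)
    return match.group(1) if match else None


def reconcile(asset_tags, encryption_records, claims=None):
    """Link encryption-system computer names to the asset list.

    asset_tags:         set of asset tag strings from the asset list (UT Share on the page)
    encryption_records: computer names reported by the encryption systems (SecureDoc, JAMF, ...)
    claims:             optional {asset_tag: computer_name} recorded when an orphan is
                        "claimed"; the claimed name wins over any duplicates

    Returns a dict with:
      linked           {asset_tag: computer_name} for one-to-one matches
      orphans          {asset_tag: {"reason": ..., "names": [...]}}
      unreported       asset tags with no encryption record at all ("cannot verify")
      unmatched_names  reported names that carry no recognisable asset tag
    """
    claims = claims or {}
    names_by_tag = {}
    unmatched_names = []
    for name in encryption_records:
        tag = asset_tag_from_name(name)
        if tag is None:
            unmatched_names.append(name)
            continue
        names_by_tag.setdefault(tag, set()).add(name)

    linked, orphans = {}, {}
    for tag, names in names_by_tag.items():
        if tag not in asset_tags:
            orphans[tag] = {"reason": "asset tag not in asset list",
                            "names": sorted(names)}
        elif tag in claims and claims[tag] in names:
            # An ISA/DSA has claimed the orphan: the chosen name is authoritative.
            linked[tag] = claims[tag]
        elif len(names) > 1:
            orphans[tag] = {"reason": "more than one computer name for this asset tag",
                            "names": sorted(names)}
        else:
            linked[tag] = next(iter(names))

    unreported = sorted(set(asset_tags) - set(linked) - set(orphans))
    return {"linked": linked, "orphans": orphans,
            "unreported": unreported, "unmatched_names": sorted(unmatched_names)}


# Constructed sample data (not real UTA assets).
ASSET_LIST = {"0123456", "0123457", "0123458", "0123459"}
ENCRYPTION_RECORDS = [
    "ENGR-LT-0123456",      # one name, on the asset list: linked
    "ENGR-DT-0123457",      # two names for the same tag (reimaged machine): orphan
    "ENGR-DT-0123457-OLD",
    "LIB-LT-0999999",       # tag never reconciled with the asset list: orphan
    "ENGR-LT-RESEARCH",     # no tag in the name: cannot be linked at all
]

if __name__ == "__main__":
    for key, value in reconcile(ASSET_LIST, ENCRYPTION_RECORDS).items():
        print(key, value)
    # After the ISA claims the current name for 0123457 it is linked, not orphaned.
    claimed = reconcile(ASSET_LIST, ENCRYPTION_RECORDS,
                        claims={"0123457": "ENGR-DT-0123457"})
    print("after claim:", claimed["linked"])
```

The two tags with no record at all ("0123458", "0123459") are the case the status list calls "Cannot verify encryption"; the name without a tag cannot be reconciled by any rule, which is why the page stresses following the naming convention.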

Non-Compliant Statuses

The following are explanations of the various non-compliance statuses in ISO Bridge.

A. Not Encrypted:

  • Not Compliant - Cannot verify encryption. The device is not reporting as having been encrypted by one of the approved encryption methods. This is usually a device that is listed on the Property Management Asset List in UT Share but has not been encrypted.

B. Recent Communication. Devices are required to communicate on the network at least once every 120 days:

  • Not Compliant - has not communicated recently. The device has not communicated within the past 120 days, either with SecureDoc or, for OS X devices encrypted with FileVault 2 and managed by JAMF, with JAMF.
  • Not Compliant - MDM - has not communicated recently. A mobile device managed by Airwatch has not communicated within the past 120 days.
  • Not Compliant - SecureDoc - Unencrypted or No Communication > 365 days. The device has not communicated with SecureDoc for more than 365 days or has been decrypted.
  • Not Compliant - Drive(s) C have not communicated recently. The device has not reported to SCCM within the last 120 days.

Approved Encryption Exceptions but Not Compliant:

  • Not Compliant - Exception - Deepfreeze - has not been frozen yet. The encryption exception requires DeepFreeze to be used, but the device is not reported to be frozen in the DeepFreeze Console.
  • Not Compliant - Exception - MDM - AirWatch is not registered. The encryption exception required the device to still be enrolled in AirWatch, but the device is not reporting to be enrolled.
  • Not Compliant - Exception Expired. The exception has reached its expiration date. Contact the ISO to verify whether it is still needed and should be renewed.

Other Encryption Method Specific Reasons:

  • SecureDoc specific:
    • Not Compliant - SecureDoc - Currently Encrypting. The SecureDoc console is reporting that it was in the process of encrypting the device the last time it checked in with the server. Try logging onto the device and allowing it to communicate with the SecureDoc server.
    • Not Compliant - SecureDoc - Partially Encrypted. SecureDoc is reporting that the device is not fully encrypted. Is there a second drive attached that is not encrypted?
    • Not Compliant - SecureDoc - Removable Media Only. SecureDoc is reporting that it is set to encrypt only removable media, leaving the hard drive unencrypted.
  • Airwatch/MDM specific:
    • Not Compliant - MDM - compromised. Airwatch is reporting this device to be compromised. Airwatch considers compromised devices to include “jailbroken” iOS and “rooted” Android devices that a user has actively altered from the manufacturer's presets.
    • Not Compliant - MDM - NonCompliant. The device is reporting as not compliant in Airwatch; most likely a policy has not been applied. Try logging on and opening the Airwatch client to allow the policy to apply.
    • Not Compliant - MDM - NotAvailable. Airwatch is not able to report a status for this device. Opening the Airwatch client on the device and allowing it more time to communicate may resolve this; otherwise the device may need to be enrolled into Airwatch again.
    • Not Compliant - MDM - PendingComplianceCheck. Airwatch is reporting that the device is still in the enrollment process and needs to communicate with the device to complete the enrollment. The user will need to log in and open the Airwatch client so that enrollment completes and a compliance check confirms the required policies are assigned and working.
  • SCCM (Microsoft System Center Configuration Manager) specific:
    • Not Compliant - is not communicating with SCCM. The device was encrypted with BitLocker and the encryption key was escrowed using the ISOBridge KeyRing application, but the device is not reporting a status to SCCM.
    • Not Compliant - Drive(s) C are not encrypted. SCCM is reporting that the listed drive is not encrypted or is no longer encrypted.
  • BitLocker or manually escrowed encryption keys:
    • Not Compliant - Key has not been escrowed. A device that may otherwise be compliant has not escrowed an encryption key in the ISOBridge.uta.edu system.

Approved Encryption Management Software for University Owned Computers

  • SecureDoc: SecureDoc is the primary method for encrypting most computer assets.

  • Jamf/FileVault 2: Apple Macs can now be managed by Jamf and encrypted using the native FileVault 2 encryption. Encryption status is reported to Jamf daily, or upon the next logon.

  • Key Ring/Apple Ring: Internally developed key management applications that allow the use of native BitLocker encryption for Windows devices and FileVault 2 encryption for Apple devices, and that safely escrow the encryption keys. These applications were developed as a temporary solution to allow for encryption of devices that could not be encrypted using SecureDoc.

  • Airwatch MDM Solution: Approved method to protect university owned mobile devices.

  • Encryption Exceptions: Approved encryption exceptions are recorded in the https://isobridge.uta.edu compliance site and are considered compliant if all risk mitigation requirements are met (e.g. cable locks, and DeepFreeze if required). Exceptions are set to expire after 1 year, at which point they will need to be reviewed.

Encryption Exceptions

Encryption Exceptions are granted on a case by case basis, especially where verifiable compensating controls such as DeepFreeze exist.  Requests may be made by sending "Form 18-1 Computing Device Encryption Exception Request" to the ISO at security@uta.edu. Deep Freeze status will be uploaded to the https://isobridge.uta.edu compliance site once a month.


ISO-Bridge Compliance Data Feed Update Schedule

  • SecureDoc: Encryption status is automatically uploaded to the https://isobridge.uta.edu compliance site 3 times a day.

  • Jamf/FileVault 2: The FileVault 2 encryption status and Mac DeepFreeze status are manually uploaded from Jamf to the https://isobridge.uta.edu compliance site weekly.

  • Key Ring/Apple Ring:  Key Ring and Apple Ring managed devices report automatically to the https://isobridge.uta.edu compliance site.

  • Encryption Exceptions:  Exceptions are entered into https://isobridge.uta.edu as they are approved.

  • Airwatch MDM Solution: Airwatch compliance statistics are manually uploaded to the https://isobridge.uta.edu site on a weekly basis.

  • DeepFreeze: DeepFreeze status is manually uploaded into https://isobridge.uta.edu on a monthly basis.

  • Computer Asset List: Asset lists are manually uploaded from UT Share to the https://isobridge.uta.edu site on a monthly basis.

How to Maintain Compliance

Encryption compliance requires devices to "check in" at least once every 120 days.  This is to show that they are still active devices and are still encrypted. For details on how compliance is calculated see the Encryption Compliance Calculation page.

Listed below are ways to ensure your devices regularly check in based on device and encryption types.

Windows Desktops or Laptops Running SecureDoc

1. Best results are obtained by regularly connecting the unit to the campus wired Ethernet with wireless disabled.
2. Go to the task bar and right click on the SecureDoc icon:

                 [Image: SecureDoc icon in the task bar]
3. Select "communicate with server".
4. Wait for a pop-up message stating "SecureDoc communicated to Server successfully".

Apple Macintosh Computers Running SecureDoc

1. Best results are obtained by regularly connecting the unit to the campus wired Ethernet with wireless disabled.
2. Locate the SecureDoc icon for the SecureDoc Control Center, a rectangular icon with a key that should be available on the upper right hand side of your Status Menu bar:

                [Image: SecureDoc icon in the menu bar]
3. Right click on the icon.
4. Select "communicate with server".
5. Wait for a pop-up message stating "SecureDoc communicated to Server successfully".

Apple Macintosh Computers Using FileVault2 with JAMF

1. Best results are obtained by regularly connecting the unit to the campus wired Ethernet with wireless disabled.
2. Power up the device and log in. If the device has been powered on for a while, reboot it.
3. Open the Terminal Window and issue the following command:

sudo jamf policy

4. Leave the unit plugged in for an hour.

OSA Encrypted Computers

1. After making sure that the computer is connected to a network, power off the computer, then power it on.
2. Log on past the SecureDoc login screen.

Windows BitLocker Encrypted Devices using KeyRing Key Escrowing

1. These devices require SCCM to be installed for reporting compliance.
2. Best results are obtained by regularly connecting the unit to the campus wired Ethernet with wireless disabled.
3. Power up the unit and log in.
4. Leave the unit plugged in for an hour.

Devices Not on Campus

1. Users will need to VPN into UT Arlington’s network to allow communication as described above.
2. Description: Cisco VPN AnyConnect client is used to connect to UTA VPN on most platforms, including 64-bit operating systems.
3. How to Get: Click on the link below, sign in with your UTA NetID and password, and begin installation.
Direct link: https://vpn.uta.edu
4. How to Use:
  • Browse to https://vpn.uta.edu from an off-campus network connection.
  • Enter your NetID (in all lower case letters) and Password. You may need to put uta\ in front of your NetID.
  • Follow the on-screen instructions.