Understanding Devices and Connectivity: Managed, Assured, Unassured, Personal BYOD, and Other Institution Devices at School of Clinical Medicine
Introduction
This page presents a matrix of the different types of computers and the various systems they may need to connect to. It outlines what is and is not possible, and the recommended solution for accessing each system.
Device Management Types - Definitions
People within the Clinical School use a mix of University and personally owned devices. This page classifies them as follows:
Managed University devices (running the University Managed Desktop (UMD))
Receive full support and are actively managed by CSCS.
Unmanaged University devices (but assured by CSCS, by exception)
Unmanaged University devices that were paid for by a department or University grant
Have been assured to Acceptable Use Policy (AUP) standards. Scientific computers are often assured where UMD is not appropriate. CSCS assurance of computers is done by exception only. These devices are supported on a reasonable‑endeavours basis only.
This category can also include University‑owned computers managed by other departments or institutions within the University of Cambridge, only where CSCS has reviewed the configuration with the responsible IT group and confirmed that they meet the necessary assurance and security standards.
CSCS have complete discretion to determine which computers or types of computers to manually assure.
Unmanaged University devices (Not assured by CSCS) and/or Personal/BYOD devices
Unmanaged University devices that were paid for by a department or grant, that have not been assured by CSCS to AUP standards.
Personal/BYOD devices that were paid for and are owned by individuals, but are used for work purposes.
Other‑institution managed devices
Computers owned and managed by an organisation outside the University of Cambridge (for example NHS Trusts, other universities, research institutes, industry partners).
In these cases the external institution typically retains administrative access, and the user cannot make significant changes to the device. As a result, CSCS cannot support, configure or troubleshoot these devices.
The University’s Acceptable Use Policy
Any computer or mobile device accessing University systems, files or data needs to be compliant with the University’s Acceptable Use Policy (AUP) which requires the computer to:
Run anti-virus software and update it promptly:
Defender for Managed University devices (UMDs)
Trellix Endpoint Security for CSCS assured University devices
Any other anti-virus software for University-owned devices not assured by CSCS, or for Personal/BYOD devices
Run an up-to-date Operating System that has automatic security updates set up, which are installed within 14 days of receiving notification of the update.
Run up-to-date software and applications, which are updated promptly within 14 days of receiving notification of the update.
Use full hard-disk encryption to protect any data saved or sent.
Use only a University email account to send confidential data.
Have a password or PIN to lock and secure it.
Have automatic screen locking after 10 minutes of inactivity.
Have an installation of the University software and patch compliance monitoring tool, Tanium.
Note: CSCS is seeking to confirm if Tanium could be installed on:
University devices, not assured by CSCS
Personal/BYOD devices
Other‑institution managed devices
However, current UIS guidance is that it cannot.
IT Services by Device Management Type
| Service | Managed University devices (University Managed Devices/UMDs) | Unmanaged University devices (CSCS Assured, by exception) | Unmanaged University devices (CSCS Unassured) or Personal/BYOD devices | Other‑institution managed devices |
|---|---|---|---|---|
| Does it comply with AUP? | Yes, by design. Monitored and updated by IT. | Yes, once assured. Updates and patches managed by user, but monitored by IT for compliance. | Possibly. Configuration, updates and patches managed by user, no IT assurance. | Possibly. Other-institution devices may be manually assured. This is to be assessed on a case-by-case basis. |
| Continual Compliance Verification | Yes | No | No | No |
| Level of Support | Fully supported. CSCS provides hardware, Operating System and core software support, configuration, security hardening and troubleshooting. Primary, recommended device for University work. | Reasonable endeavours only. CSCS will connect to University services, but will not maintain or repair the device, Operating System or any software. Troubleshooting time spent will be limited to 15 minutes for a particular issue. | Reasonable endeavours only. CSCS will help connect to University services, but will not maintain or repair the device, Operating System or any software. Troubleshooting time spent will be limited to 15 minutes for a particular issue. | No support. Users generally cannot make significant configuration changes themselves. CSCS therefore cannot configure or troubleshoot these devices; the institution will support and manage the computer. |
| Wired Network | Full access, where authorised. Wired and wireless networking on CSCS network and eduroam, subject to AUP and minimum standards. | Limited access, where authorised | Not allowed | Not allowed |
| Wi‑Fi: Eduroam / UniOfCam-Guest | Allowed | Allowed | Allowed | Allowed |
| UIS VPN | Allowed and recommended, where appropriate. UMDs can use UIS VPN to reach centrally‑hosted services (e.g. CUFS, where required) and other UIS‑provided resources in line with policy. | Allowed, where appropriate. Assured devices can use UIS VPN to reach centrally‑hosted services (e.g. CUFS, where required) and other UIS‑provided resources in line with policy. | Possible, but not recommended. Unmanaged and unassured devices pose a security risk to University computing assets. Lacks AUP compliance and monitoring. | Possible, but not recommended. Unmanaged and unassured devices pose a security risk to University computing assets. Lacks AUP compliance and monitoring. |
| Institutional / Departmental VPN | Allowed and recommended, where appropriate. Institutional/departmental VPNs are used to reach departmental servers and to remote connect to UMDs. They are designed to be used from UMDs, in conjunction with remote‑access policies. | Allowed, where appropriate. Institutional/departmental VPNs are used to reach departmental servers and to remote connect to UMDs. They are designed to be used from UMDs, in conjunction with remote‑access policies. | Not allowed | Not allowed |
| Email, MS Teams & other browser‑based Office365 services | Allowed. Outlook, MS Teams, SharePoint, OneDrive, HR and other web/browser-based apps are available for use. | Allowed, at the moment. Outlook, MS Teams, SharePoint, OneDrive and other web/browser-based apps are available for use provided the device remains AUP compliant. However, conditional access and security controls may change over time, as policies change and become more restrictive. These devices are suitable for occasional or specific use cases, but regular or sensitive work should normally be done from a UMD. | Allowed, but subject to increasing restriction. Historically possible to use personal/home PCs for browser-based services only such as Webmail & MS Teams, SharePoint etc. The CISO office advised that personal devices will face increasing restrictions on accessing MS Teams, Webmail, SharePoint and OneDrive. Treat access from Personal/BYOD as transitional and at risk. | Allowed, but limited. Where the user has a University account, they may use browser‑based access to University Office 365 services from their own device, subject to eventual conditional access policies. CSCS does not support or endorse long‑term routine use of these devices for core systems. |
| Office 365 Desktop apps | Fully supported. This is the preferred option as MS Office Desktop apps are installed and maintained via Company Portal / Self Service with security updates and configuration. | Allowed. Assured University‑owned devices can install MS Office Desktop apps, but users must manage security updates and configuration themselves. Updates must be applied within 14 days of becoming available. | Allowed, but not recommended. University Microsoft licensing arrangements allow for installation of MS Office Desktop apps on personal/BYOD devices, but users must manage security updates and configuration themselves. Updates must be applied within 14 days of becoming available. | Not allowed. It is assumed that the originating institution will provide the licence for MS Office Desktop apps and manage security updates and configuration. Installing MS Office Desktop apps with University licensing on visitor devices is not allowed or supported. |
| Data Storage: OneDrive & SharePoint | Allowed, and recommended. Yes, by design. Includes sync-clients that can be installed; local data can be protected via policies, encryption and central controls. | Allowed. Browser‑based access only. | Allowed, but subject to increasing restriction. CISO office advises that browser-based access to OneDrive/SharePoint from personal devices will see increasing restrictions as cybersecurity strengthens. Use should be kept to lightweight or occasional use (preferably via browser), not as a primary long‑term working location. | Allowed by invitation only. Visitors with a University account may access collaboration folders via browser if invited to share files. Syncing to visitor‑owned devices is not supported or recommended. |
| File Access: IFS / group drives & similar research storage mapped as drives | Allowed, expected way to access. UMDs can map IFS/group drives via a wired connection and over a VPN connection, following CSCS guidance. This is the expected way to access departmental files and data. | Allowed. Explicitly assured institutional devices can map IFS/group drives on‑site and over VPN, following CSCS guidance. | Possible, but not recommended. Unmanaged and unassured devices pose a security risk to University computing assets. Lacks AUP compliance and monitoring. | Possible, but not recommended. Unmanaged and unassured devices pose a security risk to University computing assets. Lacks AUP compliance and monitoring. |
| Printing | Allowed, and recommended. Printing via the University Managed Print Service (UMPS) using the PrintDeploy app is set up and maintained on UMDs. Printing is then available via a wired network connection, over a VPN or Wi-Fi. | Supported where PaperCut Print Deploy can be installed. Users on non-UMD assured devices can install the PrintDeploy app themselves when connected to the wired network or VPN. Printing is then available via a wired network connection, over a VPN or Wi-Fi. CSCS support is limited to connectivity and existing printer access for these devices only. | Supported where PaperCut Print Deploy can be installed. Users on unassured devices can install the PrintDeploy app themselves when connected to the wired network or VPN. Printing is then available via a wired network connection, over a VPN or Wi-Fi. CSCS support is limited to connectivity and existing printer access for these devices only. | Not allowed |
| HPC & Secure Research Platforms: UIS HPC cluster, SRCP, Safe Havens where applicable | Allowed, and recommended. SSH clients, Citrix Workspace apps available to reach HPC/SRCP in line with UIS documentation. Supports data‑protection and funder requirements when used with appropriate workflows (e.g. compute where data lives). | Allowed. Users on non-UMD assured devices can install appropriate apps to reach HPC/SRCP in line with UIS documentation. | Allowed, but subject to increasing restriction. Users on unassured devices can install appropriate apps to reach HPC/SRCP in line with UIS documentation. However, personal/BYOD devices are higher‑risk and may fall foul of tightening security requirements (e.g. security patching, anti-virus, encryption etc.). Treat as transitional only; users should plan to access HPC/SRCP from a UMD or other assured institutional device. | Allowed only under HPC/SRCP policies. Rules regarding connecting to HPC and SRCP are governed by UIS HPC/SRCP, not CSCS. |
| Research / departmental servers & remote admin: CSCS‑hosted servers, VMs, scientific computers and servers | Allowed, where authorised. Managed University devices (UMDs) can remotely connect via departmental/Institutional VPN to CSCS-hosted servers, scientific computers etc. when authorised and in line with remote‑access policies. | Allowed, where authorised. Assured devices can remotely connect via departmental/Institutional VPN to CSCS-hosted servers, scientific computers etc. when authorised and in line with remote‑access policies. | Not allowed | Not allowed |
| Finance, HR & other high‑risk admin systems (e.g. CUFS, CHRIS, etc.) | Allowed, and recommended. CUFS and related apps, e.g. Java and browser configuration, are up-to-date and available to UMDs. UMDs provide the required security posture for finance/HR data. | Allowed. Assured devices can use Finance, HR and other high-risk systems; however, users will be responsible for installing an appropriate version of Java. Very limited CSCS support is available. | Allowed, but subject to increasing restriction. Technically, CUFS and some HR systems can be reached via browser from unassured devices, although users will be responsible for installing an appropriate version of Java. However, similar high‑risk services are among those that may see increasing restrictions from personal devices and any current access is at risk and unsupported; regular users should move to UMDs or assured institutional machines. | Not allowed. Access to these systems is expected to be from a UMD. |
| Moodle | Allowed | Allowed | Allowed | N/A |