CCIT Endpoint Encryption Mandate

As members of CCIT and the IT community at large, we are constantly exposed to evolving technologies and, as a result, to constant threats. It is our responsibility to ensure that the University’s systems, services, and data are managed and safeguarded appropriately. CCIT and the Office of Information Security are taking steps to minimize the risk of unauthorized access to data on the devices we use to perform our daily work by requiring full disk encryption (FDE) on endpoint devices.

It is best practice to have a backup of your data before attempting any disk encryption activities.

Windows Desktops and Laptops:

All Windows devices should be managed by Intune, which allows you to protect the data on the hard drives with BitLocker encryption. BitLocker is a native feature of Windows that encrypts the entire drive and prevents unauthorized access.

To use BitLocker, your devices must meet the system requirements and configurations that are listed here. It is highly recommended that Windows 10 devices are loaded with UEFI and that the system BIOS is up to date. Once your devices are enrolled in Intune as Corporate Devices, they will automatically be encrypted with BitLocker. You do not need to enable it manually. If you encounter any issues or need assistance, please contact your IT consultant or the IT help desk. They can also help you recover the encryption keys for your devices if you lose them or forget the password.

Apple Desktops and Laptops:

All macOS devices should be managed by JAMF, which allows you to protect the data on the hard drives with FileVault encryption. FileVault is a native feature of macOS that encrypts the entire drive and prevents unauthorized access.

To use FileVault, your devices must meet the system requirements and configurations that are listed here. Once your devices are enrolled in JAMF as Corporate Devices, they will automatically be encrypted with FileVault. You do not need to take any action. The encryption key will be escrowed to JAMF and securely stored in the cloud.

If you encounter any issues or need assistance, please contact your IT consultant or the IT help desk. They can also help you recover the encryption keys for your devices if you lose them or forget the password.

Linux Desktops and Laptops:

Existing Linux installations should have at minimum the /home and /swap partitions encrypted with a utility such as encrypt-fs. See Ubuntu example here.

All new installations of Linux should use the full system encryption option available during installation. This feature is available on most major distributions, including Fedora and Ubuntu.
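A way to check a Linux endpoint against the /home and swap requirement above, added here as an illustration and not part of the CCIT mandate or its tooling. It assumes the input comes from `lsblk -J -o NAME,TYPE,MOUNTPOINT` and `/proc/mounts`; the function names and sample data are constructed for this example.

```python
import json

# Constructed `lsblk -J -o NAME,TYPE,MOUNTPOINT` output: / and swap sit on LVM
# inside a LUKS container, while /home is a plain, unencrypted partition.
SAMPLE_LSBLK = json.dumps({"blockdevices": [{
    "name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]},
        {"name": "sda3", "type": "part", "mountpoint": "/home"}]}]})
# Constructed /proc/mounts line for a per-user eCryptfs home directory.
SAMPLE_ECRYPTFS = "/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid 0 0\n"


def crypt_backed(lsblk_json):
    """Return (mountpoint, encrypted) pairs; encrypted means a 'crypt' ancestor."""
    found = []

    def walk(node, under_crypt):
        # dm-crypt/LUKS mappings appear in lsblk with TYPE "crypt".
        under_crypt = under_crypt or node.get("type") == "crypt"
        if node.get("mountpoint"):
            found.append((node["mountpoint"], under_crypt))
        for child in node.get("children") or []:
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return found


def audit(lsblk_json, proc_mounts=""):
    """Return {'home': bool, 'swap': bool} for the /home and swap requirement."""
    pairs = crypt_backed(lsblk_json)
    # /home inherits the status of / when it is not a separate mount.
    home = dict(pairs).get("/home", dict(pairs).get("/", False))
    # A stacked eCryptfs mount at or below /home also counts as encrypted.
    for line in proc_mounts.splitlines():
        f = line.split()
        if len(f) >= 3 and f[2] == "ecryptfs" and (f[1] + "/").startswith("/home/"):
            home = True
    # Every active swap device must be crypt-backed; no swap device passes.
    swap = all(enc for mp, enc in pairs if mp == "[SWAP]")
    return {"home": home, "swap": swap}


if __name__ == "__main__":
    print(audit(SAMPLE_LSBLK), audit(SAMPLE_LSBLK, SAMPLE_ECRYPTFS))
```

Swap files that live on a filesystem do not appear in `lsblk` as `[SWAP]`, so they inherit the status of the filesystem that holds them and should be checked separately. An eCryptfs mount covers only that user's home directory, so the check should be run while each user who stores data on the device is logged in.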

iPhone and iPad (iOS):

Any iOS device with iOS 8 or newer can be encrypted by setting a device passcode. While a basic four-digit passcode will work, we recommend a longer numerical passcode or password. If your device is using Touch ID or Face ID, you’ve already set up a passcode and your device is encrypted.

1. Head to Settings

2. Select Touch ID & Passcode or Face ID & Passcode (or Passcode on older devices).

3. Tap the Turn Passcode On option

4. Enter a strong passcode or numeric password

Android (Phones and Tablets):

Android users should use built-in encryption settings to protect these devices.

1. Ensure that a screen lock PIN or password has been set for your device and that it is charged and plugged in.

2. In Settings, choose Security > Encrypt Device. (On some phones, you’ll need to choose Storage > Storage encryption or Storage > Lock screen and security > Other security settings to find the “Encrypt” option).

3. Follow the onscreen instructions. During encryption, your device might restart several times.

• Some device menu items may differ slightly due to manufacturer customization. Refer to your user manual for more specific instructions or read here.

Windows Phone:

Windows Phone users should use built-in encryption settings to protect these devices. Encryption is turned off by default on these systems.

  1. While in the Start screen, swipe left to bring up All apps, then search for and open the Settings app, and tap on System.
  2. Next, tap on Device encryption.
  3. Finally, make sure to slide the Device encryption pill switch to the On position to enable the feature.