CCIT Endpoint Encryption Mandate
As members of CCIT and the IT community at large, we are constantly exposed to evolving technologies and, as a result, to constant threats. It is our responsibility to ensure that the University’s systems, services, and data are managed and safeguarded appropriately. CCIT and the Office of Information Security are taking steps to minimize the risk of unauthorized access to data on the devices we use to perform our daily work by requiring full disk encryption (FDE) on endpoint devices.
It is best practice to have a backup of your data before attempting any disk encryption activities.
Windows Desktops and Laptops:
Windows machines should have the Trend Full Disk Encryption Agent for Microsoft BitLocker installed. This agent uses the native Microsoft BitLocker to secure hard disk data while securely backing up the encryption key to the protected Trend Encryption database managed by OIS.
Supported system configurations and requirements can be found here. It is highly recommended that Windows 10 devices are loaded with UEFI and that the system BIOS is up to date.
TrendMicro Endpoint Encryption self-installers with documentation are available here. Please contact your IT consultant if you are unable to complete the install.
Apple Desktops and Laptops:
Apple computers should have the Trend Full Disk Encryption Agent for Apple FileVault installed. This agent uses the native FileVault application to secure hard disk data while securely backing up the encryption key to the protected Trend Encryption database managed by OIS.
Supported system configurations and requirements can be found here.
TrendMicro Endpoint Encryption installer with documentation is available here. Please contact your IT consultant if you are unable to complete the install.
Linux Desktops and Laptops:
Existing Linux installations should have, at minimum, the /home and /swap partitions encrypted with a utility such as encrypt-fs. See the Ubuntu example here.
All new installations of Linux should use the full system encryption option available during installation. This feature is available on most major distributions, including Fedora and Ubuntu.
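One way to check a Linux machine against the requirement above, as an added example that is not part of the original page or any CCIT tooling: the script reads the output of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` and reports whether /home and every active swap device sit on a dm-crypt (LUKS) mapping. The sample output is constructed, and the function names are hypothetical; it assumes block-level encryption, so a home directory protected only by a file-level utility will show as not encrypted.

```python
import shlex

# Constructed sample of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output
# (LVM on LUKS plus an unencrypted swap partition); not from a real host.
SAMPLE = '''\
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
'''

def parse_lsblk(text):
    """Return one dict per row of `lsblk -P` output (KEY="value" pairs)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append(dict(tok.split("=", 1) for tok in shlex.split(line)))
    return rows

def is_encrypted(kname, rows, seen=()):
    """True if the device is a dm-crypt mapping or all of its parents lead to one."""
    mine = [r for r in rows if r["KNAME"] == kname]
    if any(r["TYPE"] == "crypt" for r in mine):
        return True
    parents = {r["PKNAME"] for r in mine if r["PKNAME"]}
    if not parents or kname in seen:  # reached a bare disk, or a loop in bad input
        return False
    return all(is_encrypted(p, rows, seen + (kname,)) for p in parents)

def audit(text):
    """Map '/home' and each active swap device to True (encrypted) or False."""
    rows = parse_lsblk(text)
    by_mount = {r["MOUNTPOINT"]: r["KNAME"] for r in rows
                if r["MOUNTPOINT"] not in ("", "[SWAP]")}
    # A /home without its own mount lives on the root filesystem.
    home_dev = by_mount.get("/home", by_mount.get("/"))
    result = {"/home": bool(home_dev) and is_encrypted(home_dev, rows)}
    for r in rows:
        if r["MOUNTPOINT"] == "[SWAP]":
            result["swap:" + r["KNAME"]] = is_encrypted(r["KNAME"], rows)
    return result

if __name__ == "__main__":
    for item, ok in audit(SAMPLE).items():
        print(f"{item}: {'encrypted' if ok else 'NOT encrypted'}")
```

On a real machine, pass the captured `lsblk` output to `audit()` in place of `SAMPLE`; a swap file (rather than a swap partition) does not appear in `lsblk` and inherits the status of the filesystem that holds it.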
iPhone and iPad (iOS):
Any iOS device with iOS 8 or newer can be encrypted by setting a device passcode. While a basic four-digit passcode will work, we recommend a longer numerical passcode or password. If your device is using Touch ID or Face ID, you’ve already set up a passcode and your device is encrypted.
1. Head to Settings
2. Select Touch [Face] ID & Passcode (or Passcode for older devices).
3. Click on the Turn Passcode On option
4. Enter a strong passcode or numeric password
Android (Phones and Tablets):
Android users should use built-in encryption settings to protect these devices.
1. Ensure that a screen lock PIN or password has been set for your device and that it is charged and plugged in.
2. In Settings, choose Security > Encrypt Device. (On some phones, you’ll need to choose Storage > Storage encryption or Storage > Lock screen and security > Other security settings to find the “Encrypt” option).
3. Follow the onscreen instructions. During encryption, your device might restart several times.
• Some device menu items may differ slightly due to manufacturer customization. Refer to your user manual for more specific instructions or read here.
Windows Phone:
Windows Phone users should use built-in encryption settings to protect these devices. Encryption is turned off by default on these systems.
- While in the Start screen, swipe left to bring up All apps, then search for and open the Settings app, and tap on System.
- Next, tap on Device encryption.
- Finally, make sure to slide the Device encryption pill switch to the On position to enable the feature.