Desktop and Laptop Support Policy

What is the policy for desktop and laptop support in CELS?

In CELS, we have defined four types of machines: Operational/Administrative, Standard Linux Desktop, Managed Scientific, and Unmanaged Scientific. This document outlines the configuration and management policy for each classification. For purposes of this document, a “researcher” is anyone of an employment category that is not primarily administrative. PT, RD, and Postdocs fall into this category. When there is a question, the user’s supervisor and CELS Systems will jointly agree on whether or not someone is a “researcher”. Also, “laptop” and “desktop” are interchangeable in this document.

Operational/Administrative

These laptops are used by non-researchers and are considered part of the “operational” infrastructure. They are typically used by staff involved in the administrative and operational aspects of their divisions, including financial, HR, and administrative assistants. However, anyone can request a laptop of this configuration. The following properties are part of an Operational/Administrative laptop:

  • Built from a CELS Systems-established image/configuration
  • CELS Systems has root access to the machine.
  • The end user does not have root/administrative rights on the machine, except for the limited ability to add printers where applicable.
  • Disk Encryption is enabled (via File Vault for Macs, via McAfee for Windows). The master password (emergency backup password) for File Vault is maintained by Jamf Pro and/or McAfee.
  • Time Machine disks (where applicable) are also set to be encrypted. The password for decryption is set by CELS Systems, saved in the user’s keychain, and secured in the same fashion as the File Vault master passwords.
  • Users are directed to use Box Drive for documents whenever possible. Shortcuts are placed on the desktop and in the user’s folder hierarchy to make this easy to do.
  • The machines are fully managed by Jamf Pro (Mac) or Argonne’s AD Group Policy and other Windows Administration tools (Windows), including all software installs, software updates, and OS updates. These are managed by CELS Systems (macOS) or BIS Desktop Support (Windows).
  • Mandatory endpoint management software (Eracent, Jamf Self Service) is installed as part of this build.

The standard software suite includes the current versions of: Office, Chrome, Firefox, Box Drive, and the laboratory’s preferred antivirus solution.

Standard Linux Desktop

These are standard CELS Linux desktops (sometimes called “green desktops”). They use the GCE account system for authentication (managed at https://accounts.cels.anl.gov), and mount the CELS filesystems via NFS. Users may install software in userspace; however, software requiring administrative rights is installed by CELS Systems. Users do not get administrative privileges on these machines.

The following properties are part of a Standard Linux Desktop:

  • Built from a CELS Systems-established image/configuration.
  • CELS Systems has root access to the machine.
  • The end user does not have root/administrative rights on the machine.
  • The machine is joined to the CELS LDAP, and uses these accounts for login purposes,
    • except for the local administrative account which is controlled by CELS Systems.

For more information, see our GCE pages.

Managed Scientific (also called Co-Managed)

These laptops are used by divisional researchers who are comfortable handling some level of systems administration on their machine. The machines are moderately managed by CELS Systems, however the end user maintains administrative rights and can install software and updates on his/her own. (Also may be known as “co-managed”, jointly managed by the laptop user and CELS Systems.) This is the default configuration for a laptop for a researcher that comes through Systems for configuration. Only researchers may request a laptop of this configuration, and they must agree to the below configuration, as well as any additional TMS training that may be triggered by their having administrative control over a lab-owned machine. The following properties are part of a Managed Scientific laptop:

  • Built from an established image/configuration
  • CELS Systems has root access to the machine.
  • The end user also has root access to the machine via the Administrator group in macOS, or via a local administrator account for Windows machines.
  • Windows machines may be joined to the Argonne Active Directory or use AD accounts for login purposes,
    • except for a local administrative account which is controlled by CELS Systems.
  • The user may also have a local administrative account distinct from the AD account.
  • Disk Encryption is required via File Vault or McAfee. The master password (emergency backup password) for that machine’s file vault may be maintained by Jamf and/or McAfee.
  • Time Machine disks are also set to be encrypted. The password for decryption may be set by CELS Systems, saved in the user’s keychain, and secured in the same location as the File Vault master passwords. Or, if the user chooses, he or she may maintain the decryption password.
  • macOS laptops are monitored and minimally managed by Jamf Pro, including all software installs, software updates, and OS updates. CELS Systems will inform the user if the machine requires software updates, and will install them if requested.
  • Mandatory endpoint management software (Eracent, Jamf Self Service) is installed as part of this build.

The standard software suite includes the current versions of: MS Office, Chrome, Firefox, Box Drive, and the laboratory’s preferred antivirus solution.

All macOS computers ordered through Argonne must be either fully managed or co-managed.

Unmanaged Scientific (Argonne-owned)

These laptops are functionally equivalent to laptops not owned by Argonne in terms of Systems Administration. They are not managed by Systems. Only researchers may request a laptop of this configuration, and they must agree to the below configuration, as well as any additional TMS training that may be triggered by their having administrative control over a lab-owned machine.  Any laboratory-issued tablets (including Apple, Android, or Surface) automatically fall into this category.

  • Users will be provided instructions on how to install required software banners and implement required and recommended security policies.
  • Users will be informed by Systems or ANL Cybersecurity as quickly as possible of detected vulnerabilities and infections; however, the user is required to keep the machine current in software configuration and secure.
  • Users must install mandatory endpoint management clients on their computers where they are available.  CELS Systems will provide the packages to be installed.

 

CELS Systems Laptop Support

CELS Systems will provide support for any laptop that meets the following criteria:

  • It was of a configuration specified or approved by Systems. Depending on your operating system preference, this will either be a Dell laptop (Windows) or MacBook (macOS). It should be noted that asking Systems to order a laptop for you does not imply it is approved by Systems. We will notify you if you’re ordering something that is non-standard, and that you are on your own for support.
  • It is using either the Operating System that came with it, or an Operating System installed by Systems. If it is a dual boot system, Systems will only support the OS that meets the above criteria, and no others.
  • Systems must have root/Administrator level access to the machine.
  • Any hardware or peripherals must be ones that come with the laptop, or are explicitly specified by Systems.
  • The software is software installed or recommended by Systems.
  • If it is a particularly old laptop, using an old Operating System, we may recommend upgrading the laptop or the Operating System.  Out of date operating systems are regularly blocked on Argonne networks by Cyber Security.
  • If it’s not under warranty, we may not be able to support it. Generally, this applies to laptops that are older than three years old.

What it means when we say Systems will support your laptop

  • Administrative/Operational machines are fully supported, the same as any other machine for which CELS Systems is the sole Administrator.
  • For other laptops, as with any machine not under our direct control, the operator or other specified person is the primary point of support for the machine. If the primary point of support cannot solve the problem, Systems will work with the user/support contact to get it solved.
  • We will do our best to solve any problem in a non-destructive manner. We will never intentionally erase any data without explicit permission from the user.
  • If it is determined to be a hardware problem, we will work with the vendor/support contract holder to get it fixed. We have no control over how fast this happens once it leaves our building. We may or may not have a loaner machine available. If a loaner machine is available, it may not be the same type as is being repaired.
  • After a reasonable amount of time trying to solve the problem, we may recommend any of the following as a solution: Reinstall the offending application, upgrade the Operating System, reinstall the Operating System, completely erase the hard disk and rebuild the Operating System from the System Restore utility of the laptop, or purchase a new laptop. Some of these solutions will result in a loss of data. Users are strongly encouraged to back up their laptops regularly.
  • If the “System Restore” option is chosen, this will result in the laptop being returned to the state it was in when delivered from the factory or given to you initially by Systems.
  • In the event of a hardware or software failure, Systems may suggest repair methods, techniques, specific vendors, or best practices for resolving the issue. If the user chooses to pursue alternative repair methods or disregard the suggestion given by Systems, any new or worsened issues that arise from these alternative methods may then become the responsibility of the user.

What are your responsibilities as a Laptop User?

  • If you self-administer your machine, keep your machine updated with the latest security patches for your operating system and installed software.
  • Please ensure you are running Antivirus software.  Systems will provide AV software if it is not already installed, or make recommendations for laptops that are not laboratory-owned.
  • Please install any applications recommended by Systems, and keep up to date with any announcements from Systems.
  • Do not install any applications you are unsure of without consulting Systems first.
  • Users are strongly encouraged to back up their local data regularly.  Use of networked solutions like Box is preferred.
  • Do not open any email attachments unless you are expecting the attachment and you know what it is.
  • Keep your laptop secure via the methods available. Password-protected screensavers, hard disk passwords and BIOS passwords are recommended, and Systems will assist with this.
  • Keep your laptop physically secure. Systems will provide you with a laptop lock if requested. Do not leave your laptop unattended. If you lock it down, lock it down in a secure manner (around a table leg is not secure).