Automated Computer Management with Microsoft Endpoint Manager

Microsoft Endpoint Manager at Western

Western uses Microsoft Endpoint Manager (replacement for SCCM) to provide a comprehensive management solution for Windows computer systems.

Endpoint Manager allows us to proactively manage all Windows devices by maintaining systems and software, limiting exposure and responding to security threats, distributing settings, identifying potential and actual hardware problems, and analyzing inventory data. It enables us to deploy new operating system builds, applications, and the latest updates to Windows users quickly and cost-effectively. This allows us to ensure that every Windows system managed on our network stays current, to protect PCs from exploitation of software vulnerabilities, and to improve overall network security for campus. If you would like to learn more about Configuration Manager, please read below and/or visit the Microsoft website.

What benefits do we receive from Endpoint Manager?

  • Reliability: Your device will quickly receive software updates and patches with little to no interruption to you.
  • Time Efficiency: You can be more productive as deployment and updating processes run in the background, freeing up more time for teaching, research, administrative, technical, and other work. Additionally, IT staff can be more proactive and productive.
  • Flexibility: For new software and some updates, you can choose when to install through the Software Center if you want. If you don’t choose to install yourself, your computer will be updated in a later maintenance window so your computer will stay current.
  • Security: IT professionals will manage the security of your machine so you don't have to. You can rest assured that software patches, antivirus protection, and firewalls are well maintained.
  • Confidentiality: Your data and files will remain confidential; no personal data is scanned, indexed, or transmitted off your device. Servers also keep full audit logs of any actions performed by IT administrators.
  • Compliance: Your device’s configuration will always be in compliance with federal laws governing requirements for research or student data on University computers.

How do updates work?

SCCM's software updates and patching will usually be invisible to you. Software updates are downloaded to your computer in the background at a speed that allows your computer tasks to proceed without interruption or delay. The updates will be installed during a maintenance window late at night. To complete the installation process, many updates require your computer to restart. To ensure the restart(s) occur during the maintenance window, please turn off your computer at the end of your workday, especially on Monday, Tuesday, and Wednesday nights.

If your computer was not able to restart during the maintenance window, a particular update may require you to restart your PC. If you are logged in, you should see a message in the lower right-hand corner of your display letting you know how much time is left before your PC is restarted automatically.

In rare cases - usually when the PC is infected with spyware or other damaging software - an update may cause a system crash. If that happens, you will see a "blue screen" or other indication of abnormal functioning. Contact the Help Desk or your departmental IT staff so a technician can promptly respond and repair your system.

How is new software installed?

Most new software installations can be initiated by users through the Software Center application (see below), while some software will be deployed as needed and/or requested.

What is Software Center?

Software Center is similar to a mobile device app store like Google’s Play Store or Apple’s App Store but it provides university-approved software for University Windows systems. Software purchased through ATUS Software Services will also be available for download through Software Center. Software Center gives you the flexibility of choosing what to install and when to install it. To access Software Center, just touch the Windows key on your keyboard and type Software Center. Double-click an application to install it.

Can I connect to Software Center when I am off-campus?

For Software Center to function, the device must be on Western Washington University’s network by being physically located on campus or connected via our Virtual Private Network (VPN).

What changes does the installation of Configuration Manager make to a PC?

Configuration Manager installs the agent on your PC. The agent runs in the background and will not interfere with the operation of your computer. Additionally, Configuration Manager installs the Software Center application and the Configuration Manager control panel object.

What policies are enforced?

The university enforces most security benchmarks recommended by the Center for Internet Security (CIS). These benchmarks focus on proven best practices, employ the expertise of the global IT community, and are trusted by security leaders in the private sector and in governmental and education communities.

Who can use Endpoint Manager and how much does it cost?

Information Technology Services (ITS) purchases a Microsoft Campus Agreement, which includes the purchase of Endpoint Manager. As a result, in addition to ATUS-managed computers in departments, classrooms, and computer labs, most decentralized department computers are managed (or are in the process of being managed) by Endpoint Manager at no additional cost.

Who supports Endpoint Manager?

The system is administered by ATUS, but decision-making is collaborative between ATUS, EIS, and key college and departmental IT support professionals who meet regularly.

How does Endpoint Manager work?

The Endpoint Manager infrastructure consists of several high-performance, redundant servers which provide a database of computer information and data storage for programs, applications, and operating system images for deployment to end-user computers. Endpoint Manager utilizes a small software utility known as an "agent" to communicate with the servers. This agent inventories hardware specifications and software installation information, and provides for the automated installation of software updates and security patches. Included with the agent is another application called Software Center, which is described elsewhere on this page.

Additionally, all client/server communication is encrypted by a certificate pair configured when the agent is installed.

What information does Endpoint Manager collect?

Western’s implementation of Endpoint Manager collects only the data needed to support computers running a Microsoft Windows operating system. This information includes:

  • Hardware Specifications
  • Installed Applications & Usage
  • Services Running
  • Available Software Updates
  • Local User Accounts and Login/Logout Timestamps
  • Security Status (Firewall, SSH, etc.)
  • Connected Peripheral Devices

No personal information is collected, such as the contents or names of personal files (documents, email, etc.) or any browsing history.

What if automatic updates via Endpoint Manager could abort a process running on a machine and cause it to fail (e.g., a machine running a sample analysis for multiple days)?

You may request an exemption from automatic Endpoint Manager updates for one or more machines by contacting the Help Desk or your departmental IT support staff. If your machine is exempted and on the university’s network, the machine must be updated manually by a system owner at an appropriate date/time each month to be in compliance with the university’s security policies.

What if I have other questions?

For more information, please contact the Help Desk, Rick Nichols, Associate Director of Academic Technology and User Services, or your departmental IT staff.