End-User Device Guide
Protecting university data starts with secure devices. Learn how Texas A&M's policies and best practices ensure safe, compliant use of computers, phones, and other end-user devices.
Why Device Security Matters
End-user devices are the tools we use every day to connect, work, teach, and learn at Texas A&M University. This includes desktops, laptops, tablets, smartphones, and even removable media like USB drives. While essential, these devices are also primary gateways to university data and systems, making their secure management crucial. Improperly secured devices can expose the university and individuals to significant risks, including data breaches, financial loss, and non-compliance with laws and regulations. Mobile devices like smartphones and laptops require special attention due to their portability and higher risk of loss or theft.
This guide outlines the key requirements from the Texas A&M Security Controls Catalog for using end-user devices safely and responsibly.
University-Owned vs. Personally-Owned Devices
It's important to distinguish between two types of devices:
University-Owned Device
Any device purchased with university funds (including grant funds) or tracked as a university asset.
Personally-Owned Device
Any device owned by an individual employee, student, or affiliate, not by the university.
Requirements for University-Owned Devices
To ensure security and compliance, all devices owned or operated by Texas A&M University, regardless of cost, MUST be managed by Technology Services. A device is considered "managed" when:
- It is enrolled in the university's central device management systems (e.g., Intune for Windows; Jamf for Macs) (CM-1, RA-5).
- Technology Services can remotely apply security policies and configurations (RA-2).
- Technology Services can remotely deploy operating system and software updates/patches (CM-1, RA-5).
- User accounts are synced with NetID credentials, and standard (non-administrator) accounts are used for daily tasks (AC-2, AC-6, IA-5).
- University-approved endpoint protection (anti-malware/anti-virus) software is installed and active (SI-3, RA-2).
- Privilege elevation (using admin privileges) is managed using the university-approved EPM tool (ABR for Windows; Privileges for Macs) (CM-1, RA-2).
- The device's storage is encrypted according to the classification of data it handles (e.g., full-disk encryption for devices handling University-Confidential or higher data) (SC-13, RA-2, MP-7).
- Data Loss Prevention (DLP) software may be required depending on the data handled (DC-6, RA-2).
These management controls allow IT staff to maintain device health, apply necessary security updates, and protect university data consistently across campus.
A note about Privilege Elevation:
Faculty and staff may be granted the ability to temporarily elevate their device permissions using Admin By Request (Windows) or Privileges (macOS). This access is intended to support productivity and flexibility while maintaining a secure computing environment. For more information, please visit our documentation page.
Using Personally-Owned Devices (Bring Your Own Device - BYOD)
As a general rule, personally-owned devices (laptops, tablets, etc.) should not be used to conduct university business. This is because ensuring compliance with security controls on personal devices is very difficult.
Exceptions
In limited circumstances, an exception might be granted if a university-issued device cannot meet a specific business need. This requires:
- A documented business justification.
- Approval through the formal IT policy exception process.
- Verification that the personal device meets all university security requirements, potentially requiring IT staff access to the device for verification. This often includes enrolling the device in university management systems.
- Understanding that the device may be subject to public information requests if used for university business.
No Sensitive Data
Exceptions will generally not be granted for personally-owned devices that will store or process data classified higher than University-Internal.
Communication/Collaboration Tools
Accessing certain university-provided communication platforms (like checking email via Outlook Web Access) from a personal device is typically permissible. However, you must not download or store Confidential or Critical university data onto the local storage of an unmanaged personal device. Remember that state prohibited technology rules still apply if using a personal device for university business (DC-5, DC-6).
General Security Practices for All Devices
When using any device (university or personally owned under an exception) for university purposes:
- Use standard, non-privileged accounts for everyday tasks.
- Install and use only authorized and properly licensed software.
- Protect your NetID password and never share your account.
- Handle university data according to its classification level, ensuring it is appropriately secured.
- Maintain physical control over your devices at all times, especially mobile devices. Lock your screen when stepping away.
- Promptly report lost or stolen devices, or any suspected security incidents, to IT support or the Security Operations Center (SOC).
International Travel Considerations
Traveling internationally with university devices requires extra precautions:
Minimize Data
Only store data on the device that is essential for the trip. Sanitize the device before leaving by removing any non-essential university data.
Use Loaner Devices
It is strongly recommended to request a clean "loaner" device from Technology Services for international travel. Travel to certain high-risk countries (as defined by the TAMU System) with university-owned devices containing university data is prohibited; a loaner device must be used.
Physical Security
Maintain physical control of the device whenever possible. Be aware of potential inspection or confiscation risks at border crossings.
Limit Use
Use the device primarily for official university business during international travel.
Secure Connections
Always use the university-provided VPN service when transmitting university data over untrusted networks (like hotel or public Wi-Fi).
Password Change
Change your NetID password immediately upon returning from international travel.
Device Check
Have university-managed devices checked by IT staff upon return to scan for potential compromise.
By following these guidelines, we can all contribute to protecting Texas A&M's valuable information resources and ensuring the secure use of end-user devices.
Last Modified: August 11, 2025