Managed Devices Overview and FAQs

Generally, when IT staff enrol your device, Windows will restart 2 (or in rare cases 3) times over about a 15 minute period. Installation of the Endpoint Manager client and services will continue in the background and you should be able to leave campus in less than 2 hours. This may take longer if large software packages are pending.

Installation will require a couple of reboots on your computer when the client is first installing.  After that the installation will continue to run in the background without niceable impact to the user.

Yes. At this time, it is required to bring it to campus to do the initial install Endpoint Manager. Once this is accomplished, it will function off-campus.

We can usually have Endpoint Manager install if you are in your office or otherwise on campus and can trigger the process and monitor it remotely.

In the case you do need to come in to our offices:

You are requested to wear a mask when visiting the IT Services office

We recommend IT support staff use one of the following methods to service your laptop:

• use RDP (remote desktop) or TeamViewer
• use an external keyboard and mouse
• use gloves and wipe down the keyboard and trackpad with alcohol-based wipes when receiving and returning the device. this ensures safety from contaminated surfaces, and alcohol-based wipes are safe for the electronics
  (do not use Windex or other water-based cleaners on your laptop!)

The IT Services implementation of Endpoint Manager has been customized to collect only the data needed to support computers running a Microsoft Windows operating system. This information includes:

• Hardware Specifications
• Installed Applications & Usage
• Services Running
• Available Software Updates
• Local User Accounts and Login/Logout Timestamps
• Security Status (Firewall, encryption, etc)
• Connected Peripheral Devices

No personal information is collected, such as the contents or names of personal files (documents, email, etc) or any browsing history. All data is stored on-premises as of July 2020. 

(If you have roaming profiles for backup on your desktop or backup on your laptop, these files are stored on SFU's servers separately from Endpoint Manager)

To find out if your computer is enrolled, look for the Endpoint Manager object found in the Windows Control Panel. Additionally, you may look for “Software Center” in your Windows Start menu.

The Software Center application is similar to a mobile device app store (similar to Managed Software Center on University Macs), but it provides customized content for university Windows systems. This content includes access to University approved software, maintenance task scheduling, support options, and other documentation.

Beginning October 26, 2020, MEM clients are able to take configuration and software updates from off-campus. 

Devices that have not been on campus since this date must connect to the campus network one last time in order to pick up this new policy change. The SFU VPN service is adequate for performing this from off-campus. See your local IT support staff for more information.

UPDATING SOFTWARE

The Software Center gives you the flexibility of choosing which applications to update and when to update them.

Additonally, the Options tab allows clients to choose "Business Hours" when updates should not run in order to minimize interruptions.

The software install deadline is clearly shown. After this date, clients are given a couple days to defer, but after this point all updates are forced to install. 

Setting updatea auto-install options

Open Software Center and click the "Options" tab on the left. Here you may specify "Business Hours" which is effectively the times that MEM may not install software and updates. Please choose a reasonable time frame.

All software deployments have a deadline of 14 days from notifiaction. Failing to allow Windows to apply updates within this two week period will result in a forced install that may interrupt your work day!

The Endpoint Manager infrastructure consists of several high-performance, redundant servers which provide a database of computer information and data storage for programs, applications, and operating system images for deployment to end-user computers. Endpoint Manager uses a small software utility known as an "agent" to communicate with the servers. This agent inventories hardware specifications, software installation information and provides for the automated installation of software updates and security patches. Included with the agent is another application called "Software Center", which will be described below.

All client/server communication is encrypted by a certificate pair configured when the agent is installed.

Endpoint Manager installs the agent to your PC. The agent runs in the background and will not interfere with the operation of your computer. Additionally, Endpoint Manager installs the Software Center application and the Endpoint Manager control panel object.

Device management doesn't preclude ownership nor administration of the PC. 

Managed Windows at SFU adopts best practices for security, patching and configuration options as specified by your IT unit. 

There will be no automatic changes to the privileges of your user account by enrolling in Endpoint Manager. Your local IT support will contact you if changes are to be made.

Firewall, security, and Applocker policies are default on all managed Windows systems at SFU. Additional distribution of policies is the responsibility of individual local IT manager. If you have any questions about what policies are enforced, please contact your local IT support.

IT Services does provide and maintain a large catalog of software, maintenance tasks, and other links in Software Center. The Software Center catalog may also be supplemented by your local IT support, with support for self-service items (for example, Adobe Acrobat Pro to users with SFU Adobe Enterprise IDs).

The Endpoint Manager infrastructure consists of several high-performance, redundant servers which provide a database of computer information and data storage for programs, applications, and operating system images for deployment to end-user computers. Endpoint Manager uses a small software utility known as an "agent" to communicate with the servers. This agent inventories hardware specifications, software installation information and provides for the automated installation of software updates and security patches. Included with the agent is another application called "Software Center", which will be described below.

All client/server communication is encrypted by a certificate pair configured when the agent is installed.

Not necessarily. The understanding is that we work on the computer (on your behalf) so that you can focus on your work. Management does not preclude ownership nor administration of the workstation. Some owners of managed Macs are administrators on their own computers. However, most software or configuration requests can be handled quite quickly and readily (usually faster than most users can obtain the software themselves).

Pursuant to the previous point, it is still possible for many classes of users to install their own versions of software, either from the App Store or via other means. Additionally, it is always possible to install applications in your home ~/Applications folder to meet your organizational goals. Don't see software that you need? Ask for it, we can usually assign new software titles in minutes.

The list is extensive, and ever changing. Suffice to say (with a few exceptions) that any managed Mac gains access to almost ALL the software the University has license for.

I.T. Services is slowly rolling out a backup service for all administrative staff managed Macs. Talk to your local support person for more information.

The managed Mac team at Simon Fraser University has an ongoing committment to ensuring a safe, reliable and productive computing environment on campus. To this end, we try and respond to all reasonable requests for help. For more information, simply email mac-help@sfu.ca