Oakland University guidelines are in place to assist staff in accessing University computing resources remotely. Whether remote access is a normal part of a staff member's job or a temporary situation, these guidelines are essential in keeping University data and computing resources secure.

Remote Work

  • All positions have a primary campus work location designation of an Oakland University owned or leased facility. Alternative locations may be supported for short periods and do not change the primary work location for a position. Employees may work from alternative locations, such as their home, for part of their regular work week. More information is available at https://www.oakland.edu/fwa/

Remote work considerations

Relevant University policies

VPN - Virtual Private Network Access

  • Pulse Secure Client is used to access the OU Faculty and Staff VPN service provided by University Technology Services (UTS). Pulse Secure Client allows for remote staff members to make secure connections to remote workstations and other on-campus resources. Directions on obtaining and installing the Pulse Secure Client are available at VPN_Pulse_Security_Faculty_and_Staff

  • Please note that VPN access is not required for all University services; many internet-based services are already available remotely. Examples of commonly used services that can be accessed from off-campus without using the VPN include:

    • Gmail/GSuite including Google Hangouts
    • Microsoft Office 365
    • Moodle
    • MySAIL
    • Panopto
    • SAIL
    • Webex

    • However, if you require administrative Banner access or an “on-campus” experience, we suggest using the VPN in accordance with the following guidance:

      Note: Banner ODBC access and printing are only available by accessing an on-campus computer via the VPN, as detailed below.

Method Required for Faculty/Staff Handling High Risk University Data

Example Audience:

  • University employees handling highly confidential types of university data, including but not limited to social security numbers, credit card data, HIPAA data, or protected donor data. More information on the Oakland Data Classification Standard can be found at: Policy 860: Data Management and Information Security

  • Access to Confidential Unclassified Information (CUI), export-controlled research data, or data controlled by a Technology Control Plan (TCP) requires additional vetting by the Information Security Office.

  • A laptop issued to an employee in advance of working remotely, or a laptop available as needed in an emergency situation, is the most secure option for working remotely. Work can be performed directly on the OU-issued computer; in fact, it may already be the employee’s primary workstation. Most often this would be done via a portable laptop, but this could extend to an employee using the workstation they typically use in their office if no other portable option exists and the local leadership for the unit has authorized such usage.

This setup requires:

  • OU-issued and managed laptop (or workstation) with full disk encryption, such as Microsoft BitLocker or Mac FileVault, and the Pulse Secure client. These laptops should meet all required Minimum Security Standards for the handling of sensitive data and should be maintained departmentally, by qualified IT staff, following best practices for systems management including those found in Policy 880: System Administration Responsibilities.

  • Staff members accessing services secured by DUO Multi-Factor authentication should ensure that the additional authentication method is a phone that can be accessed. If an office telephone is currently used to authenticate, an additional factor (such as a personal mobile phone or a home phone) needs to be added as an authentication method. Information on using DUO Multi-Factor authentication is available at: https://kb.oakland.edu/uts/DUO.

  • A broadband Internet connection: A home broadband Internet connection such as DSL, fiber, cable or satellite is recommended as other methods such as dial up, cellular or wifi hotspots may provide less reliable connectivity.

Method Required for Faculty/Staff Handling Moderate Risk University Data

Example Audience:

  • University employees handling confidential or controlled types of university data that are not considered High Risk (above), including but not limited to comprehensive student records (e.g., the entire student cohort for a department), HR information, unpublished research data, internal memos and email. More information on the OU Data Classification Standard can be found at: Policy 860: Data Management and Information Security

  • If a department is unable or unwilling to issue university-owned equipment to employees to facilitate remote work, a staff member's personal computer may be used to connect remotely to a workstation residing on campus. Keep in mind that you should never save any data of any type to any personal device.

  • For reasons of both security and policy, University work must not be performed directly on a staff member's non-UT-owned equipment. Such equipment should be used only to connect to a remote computer such as your on-campus workstation on which all work is performed.

This setup requires:

  • The Pulse Secure client: A software application which is used to access the OU Faculty and Staff VPN service provided by University Technology Services (UTS). This allows for remote staff members to make secure connections to remote workstations and other on-campus resources. Directions on obtaining and installing the Pulse Secure Client are available at VPN_Pulse_Security_Faculty_and_Staff.

  • Staff members accessing services secured by DUO Multi-Factor authentication should ensure that, if an office telephone is currently used to authenticate, an additional factor (such as a personal mobile phone or a home phone) is added as an authentication method. Information on using DUO Multi-Factor authentication is available at: https://kb.oakland.edu/uts/DUO.

  • Windows: Remote Desktop Protocol. For remotely connecting to campus-based laptops/desktops running Windows, the Remote Desktop Protocol (RDP) can be used. Connections can be made to campus Windows workstations from personal devices running Windows, Mac, iOS, or Android operating systems; see the How do I access my work computer section at VPN_Pulse_Security_Faculty_and_Staff. Campus workstations should have their firewalls configured to allow RDP only from the network ranges used on campus and by the campus VPN service. Distributed Technology Staff can assist with workstation configuration.

  • Macintosh: Apple Remote Desktop, or Virtual Network Computing over Secure Shell. For remotely connecting to campus-based systems running macOS, Apple Remote Desktop (ARD) can be used. ARD runs Virtual Network Computing (VNC) using AES 128-bit encryption. If ARD is unavailable, macOS's built-in VNC server (called Screen Sharing) can be used; however, as it is unencrypted, it must be tunneled over the campus VPN service. SSH authentication should preferentially make use of certificate-based authentication, though password authentication over the campus VPN is acceptable, provided the remote workstation is configured with a strong password.

  • Linux: Virtual Network Computing (VNC) and/or Secure Shell. For remotely connecting to campus-based systems running a distribution of Linux with a graphical user interface, VNC can be used; however, as it is unencrypted, it must be tunneled over an SSH connection. For distributions without a graphical user interface, SSH can be used directly. Campus workstations should have their firewalls configured to allow SSH only from the network ranges used on campus and by the campus VPN service. SSH authentication should preferentially make use of certificate-based authentication, though password authentication over the campus VPN is acceptable, provided the remote workstation is configured with a strong password.

  • A broadband Internet connection: A home broadband Internet connection such as DSL, fiber, cable or satellite is recommended as other methods such as dial up, cellular or wifi hotspots may provide less reliable connectivity.
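The firewall scoping described above for RDP, SSH and VNC can be checked with a short audit such as the following. This is an added example, not part of the University's guidelines; the network ranges are RFC 5737 placeholders, the rule list is constructed, and treating VNC as acceptable only on loopback (SSH tunnel) or from the VPN range is this example's reading of the guidance.

```python
import ipaddress

# Assumption: RFC 5737 documentation blocks stand in for the real campus and
# campus-VPN ranges, which the guidelines do not list.
CAMPUS = ipaddress.ip_network("192.0.2.0/24")
VPN = ipaddress.ip_network("198.51.100.0/24")
REMOTE_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}

# Constructed inbound allow rules exported from a workstation firewall:
# (destination port, source CIDR).
SAMPLE_RULES = [
    (3389, "192.0.2.0/24"),       # RDP from campus: expected
    (22, "198.51.100.128/25"),    # SSH from part of the VPN pool: expected
    (22, "0.0.0.0/0"),            # SSH from anywhere
    (5900, "127.0.0.1/32"),       # VNC on loopback, reached through an SSH tunnel
    (5900, "192.0.2.0/24"),       # VNC exposed directly to the campus LAN
    (3389, "192.0.0.0/16"),       # supernet that merely contains the campus range
    (443, "0.0.0.0/0"),           # not a remote-access port, ignored
]


def within(net, allowed):
    """True if net lies entirely inside one of the allowed networks."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit(rules):
    """Return (port, source, reason) for each rule that breaks the guidance."""
    findings = []
    for port, source in rules:
        service = REMOTE_PORTS.get(port)
        if service is None:
            continue
        net = ipaddress.ip_network(source, strict=False)
        if service == "VNC":
            # VNC is unencrypted: accept loopback (SSH tunnel) or VPN only.
            ok = net.is_loopback or within(net, [VPN])
            reason = "unencrypted VNC reachable outside an SSH tunnel or the VPN"
        else:
            ok = within(net, [CAMPUS, VPN])
            reason = f"{service} allowed from outside the campus/VPN ranges"
        if not ok:
            findings.append((port, source, reason))
    return findings


if __name__ == "__main__":
    for port, source, reason in audit(SAMPLE_RULES):
        print(f"port {port} from {source}: {reason}")
```

The check uses subnet containment rather than string matching, so a rule whose source is a wider block that merely includes the campus range is still reported.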

Method Required for Faculty/Staff Handling Low Risk University Data

Example Audience:

  • University employees handling controlled or published types of university data that are not considered High or Moderate Risk (above), including but not limited to narrowly focused student records, research data, or information that is otherwise considered public.

  • In exigent situations, this includes lecturers or faculty members interacting with students via learning management platforms, developing course materials, etc.

  • More information on the OU Data Classification Standard can be found at: Policy 860: Data Management and Information Security

  • The use of personal computing devices for handling sensitive University data is generally restricted by policy. Departments unable to support the methods above may request a security exception for their entire department (or select systems) from the Information Security Office to seek approval for remote work configurations that do not conform to these guidelines.

  • Departments should ensure that their end users are able to comply with these general computing guidelines in protecting personal computing devices, especially ensuring that they are aware of related risks. The department head should also be aware of and approve of accepting the residual risks associated with such use cases (e.g., confidential data potentially residing on an unsecured personal computer). The department should also ensure that all associated system hard-drives be securely wiped or disposed of before the devices are donated, etc., so as not to unnecessarily expose unexpected confidential university data that might have been copied to the device.

  • A broadband Internet connection: A home broadband Internet connection such as DSL, fiber, cable or satellite is recommended as other methods such as dial up, cellular or wifi hotspots may provide less reliable connectivity.
