Oakland University guidelines are in place to assist staff in accessing University computing resources remotely. Whether remote access is a normal part of a staff member's job or a temporary situation, these guidelines are essential in keeping University data and computing resources secure.

Remote Work

  • All positions have a primary campus work location designation of an Oakland University owned or leased facility. Alternative locations may be supported for short periods and do not change the primary work location for a position. Employees may work from alternative locations, such as their home, for part of their regular work week. More information is available at https://www.oakland.edu/fwa/

Remote work considerations

Relevant University policies

SANS Training

  • To ensure university resources and information are properly protected, SANS Security Awareness Training should be completed prior to engaging in remote work.

Inventory

  • We advise keeping an inventory of any personal equipment used for remote work that includes pertinent information such as Make, Model, Serial Number, Operating System Version, and installed software. In the event equipment gets lost, stolen, or compromised, this information can be valuable in determining the impact to the institution.

Configuration Guidance

  • All equipment, including personally owned devices, must conform to the applicable Security Baselines provided by University Technology Services. Generally speaking, configuration assistance and technology support for remote work is limited in nature to what an employee would receive at an on-campus location. OU is unable to provide assistance with configuration, troubleshooting, and securing home networks (e.g. cable modems, routers, wireless, etc.) and personal computing equipment. We do recommend enabling full disk encryption (BitLocker, FileVault, etc.) on personal devices. Configuring home networks and personal equipment in accordance with OU's Security Baselines is the employee’s responsibility. The SANS Security Awareness: Creating a Cyber Secure Home video provides an excellent overview on how to secure home networks. You may also check with your equipment manufacturer and/or Internet Service Provider (ISP) for instructions specific to your environment. If you would like assistance securing your home network, we suggest working with a reputable technology support provider such as Best Buy’s Geek Squad or Micro Center's Priority Care+ team. Note: These vendors are provided as examples.

Web Browser Guidance

  • UTS realizes that there are a variety of software options and browser features to improve the user experience. Some common examples of these tools are ad-blockers, save/remember passwords, and bookmark synchronization tools. It is important to note that all software used to interact with university-based systems is obtained in accordance with OU’s procurement process (https://www.oakland.edu/uts/faculty-and-staff-services/software/).

  • In accordance with University Policy 860, OU credentials/passwords should never be stored in a browser (e.g. “save credentials”) or synchronized across sessions (e.g. Chrome Synchronization tool). When using personal equipment, UTS strongly recommends using a dedicated browser for work-related activity (e.g., use a separate browser to conduct personal business or visit recreational sites).

Temporary File and Backup Guidance

  • Some programs create temporary files on your computer. One such example of this is the Auto Save feature in MS Office Applications that automatically creates and stores copies of the file you are working on. In these situations a standard file delete may not remove all instances of the content on your computer; therefore UTS recommends disabling these features and/or frequently clearing temporary files when using a personal device to conduct University business. Please note these settings are unique to the Operating System (OS) and applications in use; please refer to the applicable vendor documentation on how to perform these tasks. Some equipment (such as mobile phones) and applications (such as MS Office) may also be configured to automatically back up or synchronize files to a personal cloud. When using personal equipment you must ensure backups and synchronization are disabled or configured to exclude applications used for remote work.

VPN - Virtual Private Network Access

  • GlobalProtect Client is used to access the OU Faculty and Staff VPN service provided by University Technology Services (UTS). GlobalProtect Client allows for remote staff members to make secure connections to remote workstations and other on-campus resources. Directions on obtaining and installing Palo Alto's GlobalProtect Client are available at https://kb.oakland.edu/uts/GrizzVPN_Instructions_for_Faculty_and_Staff

  • Please note VPN access is not required to access all University services; many internet-based services are already available remotely. Examples of commonly used services that can be accessed from off-campus without using the VPN include:

    • Gmail/GSuite including Google Hangouts
    • Microsoft Office 365
    • Moodle
    • MySAIL
    • Panopto
    • SAIL
    • Zoom

    • However, if you require administrative Banner access or an “on-campus” experience we suggest using the VPN.

      Note: Banner ODBC access and printing are only available by accessing an on-campus computer via the VPN, as detailed below.

Method Required for Faculty/Staff Handling High Risk University Data

Example Audience:

  • University employees handling highly confidential types of university data, including but not limited to social security numbers, credit card data, HIPAA data, or protected donor data. More information on the Oakland Data Classification Standard can be found at: Policy 860: Data Management and Information Security

  • Access to Confidential Unclassified Information (CUI), export-controlled research data, or data controlled by a Technology Control Plan (TCP) requires additional vetting by the Information Security Office.

  • A laptop issued to an employee in advance of working remotely, or a laptop available as needed in an emergency situation, is the most secure option for working remotely. Work can be performed directly on the OU-issued computer; in fact, it may already be the employee’s primary workstation. Most often this would be done via a portable laptop, but this could extend to an employee using the workstation they typically use in their office if no other portable option exists and the local leadership for the unit has authorized such usage.


  • This setup requires:

    • OU-issued and managed laptop (or workstation) with full disk encryption, such as Microsoft BitLocker or Mac FileVault, and the GlobalProtect client. These laptops should meet all required Minimum Security Standards for the handling of sensitive data and should be maintained departmentally, by qualified IT staff, following best practices for systems management including those found in Policy 880: System Administration Responsibilities.

    • Staff members accessing services secured by DUO Multi-Factor authentication should ensure that the additional authentication method is a phone that can be accessed. If an office telephone is currently used to authenticate, an additional factor (such as a personal mobile phone or a home phone) needs to be added as an authentication method. Information on using DUO Multi-Factor authentication is available at: https://kb.oakland.edu/uts/DUO.

    • A broadband Internet connection: A home broadband Internet connection such as DSL, fiber, cable or satellite is recommended as other methods such as dial up, cellular or WiFi hotspots may provide less reliable connectivity.

Method Required for Faculty/Staff Handling Moderate Risk University Data

Example Audience:

  • University employees handling confidential or controlled types of university data that are not considered High Risk (above), including but not limited to comprehensive student records (e.g., the entire student cohort for a department), HR information, unpublished research data, internal memos and email. More information on the OU Data Classification Standard can be found at: Policy 860: Data Management and Information Security. If a department is unable or unwilling to issue university-owned equipment to employees to facilitate remote work, a staff member's personal computer may be used to connect remotely to a workstation residing on campus. Keep in mind that you should never save any data of any type to any personal device.

  • For reasons of both security and policy, University work must not be performed directly on a staff member's non-UT-owned equipment. Such equipment should be used only to connect to a remote computer such as your on-campus workstation on which all work is performed.


  • This setup requires:

    • The GlobalProtect client: A software application which is used to access the OU Faculty and Staff VPN service provided by University Technology Services (UTS). This allows for remote staff members to make secure connections to remote workstations and other on-campus resources. Directions on obtaining and installing the GlobalProtect Client are available at https://kb.oakland.edu/uts/GrizzVPN_Instructions_for_Faculty_and_Staff.

    • Staff members accessing services secured by DUO Multi-Factor authentication should ensure that, if an office telephone is currently used to authenticate, an additional factor (such as a personal mobile phone or a home phone) is added as an authentication method. Information on using DUO Multi-Factor authentication is available at: https://kb.oakland.edu/uts/DUO.

    • Windows: Remote Desktop Protocol. For remotely connecting to campus-based laptops/desktops running Windows, the Remote Desktop Protocol (RDP) can be used. Connections can be made to campus Windows workstations from personal devices running Windows, Mac, iOS, or Android operating systems; see the How do I access my work computer section at https://kb.oakland.edu/uts/GrizzVPN_Instructions_for_Faculty_and_Staff. Campus workstations should have their firewalls configured to allow RDP only from the network ranges used on campus and by the campus VPN service. Distributed Technology Staff can assist with workstation configuration.

    • Macintosh: Apple Remote Desktop, or Virtual Network Computing over Secure Shell. For remotely connecting to campus-based systems running macOS, Apple Remote Desktop (ARD) can be used. ARD runs Virtual Network Computing (VNC) using AES 128-bit encryption. If ARD is unavailable, macOS's built-in VNC server (called Screen Sharing) can be used; however, as it is unencrypted, it must be tunneled over the campus VPN service. SSH authentication should preferentially make use of certificate-based authentication, though password authentication over the campus VPN is acceptable, provided the remote workstation is configured with a strong password.

    • Linux: Virtual Network Computing (VNC) and/or Secure Shell. For remotely connecting to campus-based systems running a distribution of Linux with a graphical user interface, VNC can be used; however, as it is unencrypted, it must be tunneled over an SSH connection. For distributions without a graphical user interface, SSH can be used directly. Campus workstations should have their firewalls configured to allow SSH only from the network ranges used on campus and by the campus VPN service. SSH authentication should preferentially make use of certificate-based authentication, though password authentication over the campus VPN is acceptable, provided the remote workstation is configured with a strong password.

    • A broadband Internet connection: A home broadband Internet connection such as DSL, fiber, cable or satellite is recommended as other methods such as dial up, cellular or wifi hotspots may provide less reliable connectivity.
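
The firewall requirement stated above for campus workstations (allow RDP or SSH only from the network ranges used on campus and by the campus VPN service) can be checked mechanically. The following is an added example, not OU or UTS code: the address ranges are placeholders from documentation address space, the rule list is constructed sample data, and treating a loopback-only VNC rule as acceptable (the listener is reached through an SSH tunnel) is an assumption.

```python
import ipaddress

# Placeholder ranges (RFC 5737 documentation space). The real campus and
# campus VPN ranges are not given on this page; substitute them locally.
ALLOWED_SOURCES = [
    ipaddress.ip_network("192.0.2.0/24"),     # hypothetical campus range
    ipaddress.ip_network("198.51.100.0/25"),  # hypothetical campus VPN pool
]
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}

# Constructed sample of inbound allow rules on a workstation: (port, source CIDR).
SAMPLE_RULES = [
    (3389, "192.0.2.0/24"),      # RDP from campus: fine
    (3389, "198.51.100.64/26"),  # RDP from part of the VPN pool: fine
    (22, "0.0.0.0/0"),           # SSH from anywhere: violates the guideline
    (22, "198.51.100.0/24"),     # wider than the VPN pool: violates it
    (5900, "127.0.0.1/32"),      # VNC on loopback only, reached via SSH tunnel
    (443, "0.0.0.0/0"),          # not a remote-access port, ignored
]

def source_is_permitted(source, allowed=ALLOWED_SOURCES):
    """True if the source CIDR is loopback or lies entirely inside an allowed range."""
    net = ipaddress.ip_network(source, strict=False)
    if net.is_loopback:
        return True
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def audit(rules, allowed=ALLOWED_SOURCES):
    """Return (service, port, source) for each remote-access rule that is too broad."""
    findings = []
    for port, source in rules:
        if port in REMOTE_ACCESS_PORTS and not source_is_permitted(source, allowed):
            findings.append((REMOTE_ACCESS_PORTS[port], port, source))
    return findings

if __name__ == "__main__":
    for service, port, source in audit(SAMPLE_RULES):
        print(f"{service} (port {port}) is open to {source}, outside campus/VPN ranges")
```

A rule passes only when its whole source range fits inside an allowed range, so a CIDR that merely overlaps the VPN pool is still reported.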

Method Required for Faculty/Staff Handling Low Risk University Data

Example Audience:

  • University employees handling controlled or published types of university data that are not considered High or Moderate Risk (above), including but not limited to narrowly focused student records, research data, or information that is otherwise considered public.

  • In exigent situations, this includes lecturers or faculty members interacting with students via learning management platforms, developing course materials, etc.

  • More information on the OU Data Classification Standard can be found at: Policy 860: Data Management and Information Security

  • The use of personal computing devices for handling sensitive University data is generally restricted by policy. Departments unable to support the methods above may request a security exception for their entire department (or select systems) from the Information Security Office to seek approval for remote work configurations that do not conform to these guidelines.

  • Departments should ensure that their end users are able to comply with these general computing guidelines in protecting personal computing devices, especially ensuring that they are aware of related risks. The department head should also be aware of and approve of accepting the residual risks associated with such use cases (e.g., confidential data potentially residing on an unsecured personal computer). The department should also ensure that all associated system hard-drives be securely wiped or disposed of before the devices are donated, etc., so as not to unnecessarily expose unexpected confidential university data that might have been copied to the device.

  • A broadband Internet connection: A home broadband Internet connection such as DSL, fiber, cable or satellite is recommended as other methods such as dial up, cellular or WiFi hotspots may provide less reliable connectivity.
