Security
-
Install Cisco Secure Endpoints (formerly AMP for Endpoints)
Introduction
This article covers the standard installation procedure for Cisco Secure Endpoint (formerly AMP for Endpoints) on Windows and Mac devices.

Applicability
This article is intended for use by end-users looking to install Cisco Secure Endpoint on their laptops or desktop computers.

Procedure
Contents: Installation Instructions (Windows); Installation Instructions (Mac); Mac Post Install Instructions / Grant Full Disk Access

Installation Instructions (Windows)
1. Download and open the Windows installer file (CCID required).
2. If asked to allow Cisco Secure Endpoint to make changes on your computer, click Yes.
3. Click Install.
4. Click Next.
5. Click Close.
6. If the installation was successful, you should see the following window pop up. Click the gear icon in the bottom left-hand corner.
7. Verify that the Policy Name is Protect on the Cisco Secure Client window that pops up.

Installation Instructions (Mac)
NOTE: Due to the privacy and security design of macOS, you may be required to re-authorize System Extensions or network content filtering occasionally when new updates for AMP for Endpoints are released.
1. Download and open the Mac installer file (CCID required).
2. Launch the installer file and double-click the installer icon (ciscoampmac_connector.pkg).
3. Click Continue.
4. Click Continue.
5. Click Continue.
6. View the End User License Agreement, click Agree, then click Continue.
7. Click Install.
8. Enter the user name and password you use to log on to your computer, click Install Software, then click Install.
9. At this point in the install you will see two things happen. Firstly, you will be asked whether you want "AMP for Endpoints Connector" to notify you. You may click Don't Allow, or Allow as shown below. Secondly, you will be informed that a System Extension was blocked. Allow the System Extension as shown below.
10. Click Open Security Preferences.
11. Unlock your computer by clicking the yellow lock and entering the user name and password you log into your computer with.
12. Click Allow, then lock the computer again by clicking the yellow lock and close or minimize the Security & Privacy window.
13. Due to a known bug in macOS, the developer for the system extension may be named Placeholder Developer. Enable both, then click OK.
14. You will be prompted to filter network content. Click Allow.
15. The installation will complete. Click Close.
16. You will be prompted to Keep the installer or Move to Trash; the choice is yours. If you move it to the trash you will need to allow "Installer" access to files in your Downloads folder.

Mac Post Install Instructions / Grant Full Disk Access
After install you will notice that the Cisco AMP icon in the menus has an exclamation point on it. You are being asked to grant full disk access to AMP. Please complete the following steps:
1. In System Preferences, under Security and Privacy, go to the Privacy tab.
2. Click on the lock to make changes.
3. Select Full Disk Access from the left pane, and then enable both AMP for Endpoint Services and AMP Security Extension.

Keywords: Cisco AMP, endpoints, security, amp, malware, antivirus, amp4e, secure, endpoint
-
Canadian Anti-Spam Legislation (CASL) Inquiries
Introduction
This article indicates the location of information provided by the University regarding the Canadian Anti-Spam Legislation.

Applicability
This article is intended for any person looking for more information on CASL.

Details
Information regarding CASL can be found half-way down the page on the Office of the General Counsel website located here: https://www.ualberta.ca/general-counsel/resources.html

Keywords: casl, canada, canadian, antispam, spam, legislation, mail, email, mailman
-
Install Cisco Secure Endpoints (formerly AMP for Endpoints) - BYOD
Introduction
This article covers the standard installation procedure for Cisco Secure Endpoint (formerly AMP for Endpoints) on Windows and Mac devices for personal devices only. Do not use this policy for University of Alberta computers.

Applicability
This article is intended for use by end-users looking to install Cisco Secure Endpoint on their personal laptops or desktop computers.

Procedure
Contents: Installation Instructions (Windows); Installation Instructions (Mac); Mac Post Install Instructions / Grant Full Disk Access

Installation Instructions (Windows)
1. Download and open the Windows installer file (CCID required).
2. If asked to allow Cisco Secure Endpoint to make changes on your computer, click Yes.
3. Click Install.
4. Click Next.
5. Click Close.
6. If the installation was successful, you should see the following window pop up. Click the gear icon in the bottom left-hand corner.
7. Verify that the Policy Name is Protect on the Cisco Secure Client window that pops up.

Installation Instructions (Mac)
NOTE: Due to the privacy and security design of macOS, you may be required to re-authorize System Extensions or network content filtering occasionally when new updates for AMP for Endpoints are released.
1. Download and open the Mac installer file (CCID required).
2. Launch the installer file and double-click the installer icon (ciscoampmac_connector.pkg).
3. Click Continue.
4. Click Continue.
5. Click Continue.
6. View the End User License Agreement, click Agree, then click Continue.
7. Click Install.
8. Enter the user name and password you use to log on to your computer, click Install Software, then click Install.
9. At this point in the install you will see two things happen. Firstly, you will be asked whether you want "AMP for Endpoints Connector" to notify you. You may click Don't Allow, or Allow as shown below. Secondly, you will be informed that a System Extension was blocked. Allow the System Extension as shown below.
10. Click Open Security Preferences.
11. Unlock your computer by clicking the yellow lock and entering the user name and password you log into your computer with.
12. Click Allow, then lock the computer again by clicking the yellow lock and close or minimize the Security & Privacy window.
13. Due to a known bug in macOS, the developer for the system extension may be named Placeholder Developer. Enable both, then click OK.
14. You will be prompted to filter network content. Click Allow.
15. The installation will complete. Click Close.
16. You will be prompted to Keep the installer or Move to Trash; the choice is yours. If you move it to the trash you will need to allow "Installer" access to files in your Downloads folder.

Mac Post Install Instructions / Grant Full Disk Access
After install you will notice that the Cisco AMP icon in the menus has an exclamation point on it. You are being asked to grant full disk access to AMP. Please complete the following steps:
1. In System Preferences, under Security and Privacy, go to the Privacy tab.
2. Click on the lock to make changes.
3. Select Full Disk Access from the left pane, and then enable both AMP for Endpoint Services and AMP Security Extension.

Keywords: Cisco AMP, endpoints, security, amp, malware, antivirus, amp4e, secure, endpoint
-
Self-Service: How To Encrypt a Windows or macOS Computer
Introduction
This article is written for University of Alberta staff, faculty, or students who are utilizing personal devices to store university data. If you are a staff member who has enrolled a personal device into the University of Alberta's Work From Home Program, then you are required to encrypt your personal device and take additional security measures to secure your PC, as detailed here.

The University of Alberta requires that any portable device (laptop, MacBook, cell phone or tablet) that stores university related data be encrypted. Encryption technologies scramble the data on the storage drive. This prevents a threat actor who may gain access to your device in an unauthorized manner from accessing sensitive data stored on the drive.

Please be advised, Information Services & Technology (IST) provides these guidelines to assist clients with safeguarding their personal computing devices; however, we do not provide any technical support or assistance for personal computers, even those registered in the Work From Home Program. Managing the encryption and access of a personal computer is the sole responsibility of the individual that owns the device in question.

If you have a computer provided by the University of Alberta or your department and you would like assistance with encryption, please contact IST at 780-492-8000 or log a ticket with us via our website. More information about encryption and why it is important can be found on our website here.

Procedure
The following links direct to both Microsoft (Windows) and Apple (macOS) support sites with instructions to set up the encryption tools they provide for their respective platforms. These instructions are for personally owned devices only. It is strongly recommended you review the information provided in this article before following the instructions in the provided links. IST cannot assist in encrypting your personally owned computer beyond providing these guidelines.

Instructions: Encrypting a Windows Computer
Microsoft offers two solutions for encrypting your Windows 10 or 11 computer, Device Encryption and BitLocker Drive Encryption.

Device Encryption is the preferred method for encrypting personal computers. Device Encryption requires the use of a Microsoft Account. The encryption key is tied to the account, and data is only accessible when an authorized account logs into the device. Please be aware, if you lose access to your Microsoft Account used in the encryption process, you will lose access to all of your data stored on the device. IST will not be able to assist with any technical issues that may arise in this scenario.

BitLocker Drive Encryption is an alternative method of encrypting a Windows computer. Not all Windows computers allow for BitLocker Drive Encryption. With BitLocker, a 25 character encryption key is created in a separate text file. This file cannot be stored on the drive that was encrypted, and it is recommended to be stored in a secure personal (i.e. non-University of Alberta) cloud location such as Google Drive, or in a personal password manager solution. If a computer is lost or stolen the data on the drive is inaccessible without an authorized account or the 25 character key stored in the text file. Please be aware, if you lose access to the encryption key file and your computer makes a request for the encryption key, you will lose access to all of your data stored on the device. IST will not be able to assist with any technical issues that may arise in this scenario.

Instructions: Encrypting a macOS Computer
Apple offers one solution, called FileVault, to encrypt macOS devices. FileVault allows you to either tie the encryption key to your Apple ID, or create a separate 25 character recovery key to store in a text file. When following the instructions for setting up FileVault, you will be asked which method you prefer.

It is strongly recommended to utilize your Apple ID to store your encryption key; however, if you lose access to your Apple ID account you will lose access to all of your data stored on the device. IST will not be able to assist with any technical issues that may arise in this scenario.

If you select the option to create a 25 character recovery key, the key must be manually typed out into a separate text file, and it is recommended that you store it in a secure personal (i.e. non-University of Alberta) cloud location such as Google Drive, or in a personal password manager solution. If a computer is lost or stolen the data on the drive is inaccessible without an authorized account or the 25 character key stored in the text file. Please be aware, if you lose access to the encryption key file and your computer makes a request for the encryption key, you will lose access to all of your data stored on the device. IST will not be able to assist with any technical issues that may arise in this scenario.

Keywords: windows 10, windows 11, macOS, apple, microsoft, encrypt, encryption, bitlocker, security, SPED, data privacy, VPIT, VP-IST, laptop, tablet, cell, phone, self-service
-
Self-Service: How To Encrypt a Cell Phone or Tablet (iOS and Android)
Introduction
This article is written for University of Alberta staff, faculty, or students who are utilizing personal cell phone or tablet devices to store university data.

The University of Alberta requires that any portable device (laptop, MacBook, cell phone or tablet) that stores university related data be encrypted. Encryption technologies scramble the data on the storage drive. This prevents a threat actor who may gain access to your device in an unauthorized manner from accessing sensitive data stored on the drive.

Please be advised, Information Services & Technology (IST) provides these guidelines to assist clients with safeguarding their personal computing devices; however, we do not provide any technical support or assistance for personal cell phones or tablets, even those registered in the Work From Home Program. Managing the encryption and access of a personal cell phone or tablet is the sole responsibility of the individual that owns the device in question.

If you have a cell phone or tablet provided by the University of Alberta or your department and you would like assistance with encryption, please contact IST at 780-492-8000 or log a ticket with us via our website. More information about encryption and why it is important can be found on our website here.

Procedure
Modern mobile cell phones and tablets are very straightforward to encrypt, with no account or separate encryption key file required. Apple (iOS) devices use a File Based Encryption method, while Google (Android) devices use a Disk Based Encryption method. Both methods scramble the personal data of the individual using the device, and encryption ensures only an authorized user can get into the phone or tablet.

These instructions are for personally owned devices only. It is strongly recommended you review the information provided in this article for your relevant phone or tablet operating system; you may have to consult the manual or support website from your device manufacturer to complete some steps. IST cannot assist in encrypting your personally owned cell phone or tablet beyond providing these basic guidelines.

Encrypting an Apple (iOS) Device
When you set up an iPhone or iPad, encryption is enabled automatically when you set up a passcode or Touch/Face ID to unlock the device. It is strongly recommended you utilize Touch/Face ID, as biometric unlocking is unique to the individual user, while a passcode can be forgotten, guessed, or stolen.

To confirm your device is encrypted, open the Settings app and navigate to Face ID & Passcode. Scroll to the bottom of the page; if you see a message that reads Data protection is enabled, your device is encrypted. If you do not see this message, enable Touch/Face ID or a passcode to encrypt your device and follow the on-screen prompts to set it up.

Please be advised IST cannot assist with the setup or technical support of encryption on personal devices.

Encrypting a Google (Android) Device
When you set up an Android device, encryption is enabled automatically if you choose to set up a biometric (fingerprint or face scan) login to the device, or a PIN, passcode, or password. If you do not have one of these options turned on, enabling them in your phone will encrypt your device. It is strongly recommended to use a biometric option, as a PIN, passcode, or password may be guessed or stolen.

The challenge with Android devices is that several manufacturers make Android hardware, and create customized versions of the Android operating system to run on their phones. This makes it difficult to provide specific walkthroughs to help enable these options. In general, you can find these options under Settings > Security and privacy. If you're unable to locate these options, consult the support manual from your device manufacturer's website. Popular Android phones include the Samsung Galaxy lineup, and the Google Pixel phone line.

Please be advised IST cannot assist with the setup or technical support of encryption on personal devices.

Device Compatibility
All current in-market Apple iPhone and iPad models have encryption capabilities, and all previous models dating back to the original support encryption functionality. However, if your personal iPhone or iPad cannot receive major software or security updates from Apple due to its age, it's recommended to upgrade the device to keep your data as secure as possible.

All current in-market Android devices have encryption capabilities, and models dating back to Android version 4.4 have this functionality. However, if your personal Android device cannot receive major software or security updates from Google or your device manufacturer due to its age, it's recommended to upgrade the device to keep your data as secure as possible.

Appendix
Apple – About encrypted backups on your iPhone, iPad, or iPod touch
Apple – About Face ID advanced technology
Apple – Use a passcode with your iPhone, iPad, or iPod touch
Apple – Use Touch ID on iPhone and iPad
Google – Back up or restore data on your Android device
IST – Service Catalog
ualberta – Encryption
ualberta – Tips for a secure password

Keywords: encrypt, encryption, mobile, iOS, Android, iPhone, iOS 7, iOS 8, iOS 9, iOS 10, iPad, blackberry, mobile device, password, encryption, procedure, process, standard, VPIT, VP-IST, vice-provost, security, password, setup, policy
-
University of Alberta Cybersecurity Information
Introduction
This article provides a high level overview of help available to all members of the University of Alberta community who require assistance related to cyber-security, information security and all other security aspects of UofA technology or information assets.

Applicability
This article is written for all members of the University of Alberta regardless of role or function. This includes anyone with a University of Alberta issued CCID such as students, academic staff, support staff and guests. This also includes anyone with University of Alberta owned networking or computing resources such as laptops, desktops, tablets, servers, etc.

General Information
A substantial amount of information around existing initiatives, best practices and roles and responsibilities can be found on the website of the Chief Information Security Officer: https://uab.ca/ciso

Getting Help
If the information you are looking for cannot be found on the CISO website listed above, then direct any questions, comments or concerns to one of the following contacts based on the most relevant description:

Anything related to policy, governance, decision making, breaches (confirmed or suspected), or theft of devices etc., please email ciso@ualberta.ca

For all other inquiries including phishing, spam, odd account behavior, day to day security operations, hacking attempts, malware infections, suspected vulnerabilities and exploits, etc., please email abuse@ualberta.ca

Anything related to harassment, unwanted attention or personal safety, contact University of Alberta Protective Services (UAPS) at 780-492-5050. If the situation is LIFE OR DEATH contact 911.

Keywords: virus, viruses, hack, hacked, hackers, malware, trojan, adware, norton, symantec, fsecure, f-secure, ciso, security, amp4e, amp
-
Clear Browser Cache & Cookies
Introduction
This article provides instructions on how to clear your browser's cache & cookies.

Applicability
This applies to all users at the University of Alberta and can be used to resolve a variety of internet browser issues.

Symptoms
Clearing your cache & cookies may be beneficial when running into strange log in issues, pages not loading, or receiving Security Certificate error messages.

Cause
Cookies, which are files created by websites you've visited, and your browser's cache, which helps pages load faster, make it easier for you to browse the web. However, sometimes these saved files have issues when changes are made to websites, and cause problems for your internet browser.

Resolution
Each browser has its own way to clear the cache & cookies.

Computers:
Google Chrome: https://support.google.com/accounts/answer/32050?co=GENIE.Platform%3DDesktop&hl=en
Mozilla Firefox: https://support.mozilla.org/en-US/kb/how-clear-firefox-cache
Microsoft Edge: https://support.microsoft.com/en-us/help/10607/microsoft-edge-view-delete-browser-history
Safari: https://support.apple.com/en-ca/guide/safari/sfri47acf5d6/mac
Opera: https://blogs.opera.com/mobile/2016/04/clear-browsing-history/

Mobile Devices:
Google Chrome (Android & iOS): https://support.google.com/accounts/answer/32050?co=GENIE.Platform%3DAndroid&hl=en
Mozilla Firefox (iOS): https://support.mozilla.org/en-US/kb/clear-browsing-history-firefox-ios
Mozilla Firefox (Android): https://support.mozilla.org/en-US/kb/clear-your-browsing-history-and-other-personal-data
Safari (iOS): https://support.apple.com/en-ca/HT201265
Other 'built-in' Android browsers: https://www.wikihow.tech/Clear-Your-Browser%27s-Cache-on-an-Android
-
Reset or modify a domain password
Introduction
Your Active Directory/Domain account is used to log into Employee workstations on most domains across campus with the exception of workstations used by the Faculty of Medicine and Dentistry. While we set these account usernames to be the same as your CCID, they are two separate accounts and can have different passwords.

KBA Objective:
This article provides instructions on how to reset/update your Central Domain password on your Windows computer.
Refer to KBA - Confirming if your computer is part of the Central Domain (sts.ad.ualberta.ca) to check if your computer is connected properly.

Applicability
Target Audience: Anyone with a Windows computer on the central domain.
Non-applicable:
Do not apply for MacOS. Refer to web – Reset your Mac login password for the official instructions.
Do not apply to CCIDs. Refer to KBA – Reset a CCID password.

For help with IT services, please contact the Shared Services Staff Service Center.

Procedure
Contents: Basic Information; Standard Process (1.0 Physically at your work computer, 2.0 Connected Remotely via RDP); Appendix; Related Knowledge

Basic Information
The Central Domain is also sometimes referred to as the STS domain or the sts.ad.ualberta.ca domain.

A domain account, also referred to as an Active Directory or AD account, is used to access shared network resources such as computer workstations, network drives, and printers. This collection of shared network resources and the accounts that are used to access them are collectively referred to as a domain.

Please note that although your CCID and your Central domain user name are likely the same, they are DIFFERENT accounts and are not connected. Changing your CCID password will not affect your Central domain password and vice-versa.

Your CCID account is used to log in to services like U of A Gmail, BearTracks, etc. If you wish to change, test, or reset your CCID password go to: https://myccid.ualberta.ca/

NOTE: If you are unable to log on to your computer this procedure will not work. Please contact IST by emailing ist@ualberta.ca or phoning 780-492-9400.

Standard Process
The method used to update your password depends on whether or not you are physically at your work computer and whether you are using a Windows or Mac computer. Choose either of the sections below.

1.0 Physically at your work computer
1. Sign on to your computer.
2. Enter the key combination Ctrl + Alt + Delete on your keyboard.
3. You will be presented with the following screen; please select Change a password.
4. Please fill in the following fields:
   User name should be in the format: STS\your_user_name
   Old password: enter your old password here
   New password: enter your new password here
   Confirm password: enter your new password here
   Passwords must be at least 8 characters long and be different from the last 24 passwords used.
5. Click on the arrow next to the Confirm password field to apply the changes.
6. You should then receive a success message stating that you have successfully changed your password, as seen here.

2.0 Connected Remotely via RDP
1. Sign on to your remote desktop computer (Direct to Desktop) or the Terminal Server. Refer to KBA – Remote directly into desktops or Terminal Server for instructions to connect.
2. Enter the key combination Ctrl + Alt + End on your keyboard.
3. You will be presented with the following screen; please select Change a password.
4. Please fill in the following fields:
   User name should be in the format: STS\your_user_name
   Old password: enter your old password here
   New password: enter your new password here
   Confirm password: enter your new password here
   Passwords must be at least 8 characters long and be different from the last 24 passwords used.
5. Click on the arrow next to the Confirm password field to apply the change.
6. You should then receive a success message stating that you have successfully changed your password, as seen here; click OK.

Appendix
ualberta – myCCID
web – Reset your Mac login password

Related Knowledge
Confirming if your computer is part of the Central Domain (sts.ad.ualberta.ca)
Remote directly into desktops or Terminal Server
Reset a CCID password
-
Switching to Cisco VPN client from Fortinet VPN client - Engineering
Introduction
This article describes how to transition from the Faculty of Engineering's Fortinet Virtual Private Network (VPN) service to the University of Alberta's Cisco VPN service.

Applicability
This knowledge article applies to anyone from the Faculty of Engineering who has been using the Fortinet VPN that was previously supplied and supported by EnggIT, to access Engineering services from off campus.

Details
Important Notes:

During the transition period the Cisco AnyConnect VPN and Fortinet VPN products CAN coexist on the same machine. However, it is recommended to remove the Fortinet VPN client to keep things tidy and to reduce confusion when this service stops functioning at 22:00 on October 24, 2023. Also please note that you can only use one VPN client at a time.

The Cisco VPN uses your CCID to connect.

When connecting to the Cisco VPN, you will need to append @engg onto the end of your CCID in the username field to be able to access Engineering resources. If you do not supply the @engg at the end of your CCID, then you'll still be connected to the UofA VPN; however, it will not be able to access Engineering networks.

Some existing devices were configured to sign into VPN at Windows login. This option is not available with the Cisco AnyConnect client. This feature was used to simplify the overall process, but will not impact the usability of the VPN with it not being available.

Cisco AnyConnect VPN Client installation
1. IST will attempt to push out the Cisco AnyConnect VPN client automatically to any managed devices that the tools can reach to simplify this software transition.
2. For any non-managed devices, personal devices, or devices off campus, you will likely need to manually install the Cisco AnyConnect VPN Client. Installation and connection instructions can be found at KB00121258.

Connecting to the Cisco AnyConnect VPN Client for Engineering users
1. From the system tray in the bottom right corner of the screen (near the clock), you'll see the Cisco AnyConnect VPN client (you may need to click on the up arrow to show it).
2. Right click on the icon, and click on Connect.
3. In the VPN field, you'll need to enter vpn.ualberta.ca, then click Connect.
4. You'll then be asked for your CCID & Password.
Tip! Be sure to append @engg at the end of your CCID to ensure you connect to the right part of the VPN for Engineering resources.

Fortinet Client Removal
There are two main scenarios of how the Fortinet VPN was installed & used.
1. Downloaded and installed manually from the Engineering website before Service Excellence Transformation (SET). This would include non-managed devices or personal devices.
2. Installed by IT staff during device setup or deployment, or delivered automatically through a central software management service.

Non-Managed Devices
Non-managed devices would be any machine that was not set up or configured by EnggIT or IST, including personal computers, and potentially some older laptops.
1. To uninstall Fortinet Client, right-click on the Start menu and select Apps and Features.
2. Scroll down in the list and look for FortiClient VPN and click uninstall.
3. Follow any prompts during the uninstall process.
4. If prompted to restart your computer, go ahead and restart it.

Managed Devices
Managed devices would be any device that was set up by EnggIT or by IST. IST will attempt to automatically remove the Fortinet VPN client for you if the tools can reach your managed device. In this case, there may be nothing you need to do. However, you may want to check the Programs & Features in Windows settings to verify the Fortinet Client has been removed.

Contact the Service Desk for assistance if the above methods fail: 780-492-9400.

Related Articles
KB0012158 Installing the University of Alberta VPN Client
KB0012202 Central VPN Service - Overview and FAQ's

Keywords: vpn cisco fortigate anyconnect
-
Lost or Stolen Mobile Device Procedure
Introduction
This article explains what to do in the event of a lost or stolen University owned or Personal Expense Reimbursement (PER) mobile device.

Applicability
The article is intended for the campus community.

Procedure
1. Where possible, please first check to see if you are able to locate your device using any available built-in location tracking services. For example "Find My" or equivalent.
2. Please try to remotely wipe the device, if this feature is available.
3. For stolen items, please make sure you file a report with University of Alberta Protective Services (UAPS) at 780-492-5050.
4. Please create a ticket with the Service Desk with the following information:
   Device make and model, and date lost/stolen.
   If the device was stolen, please include the UAPS case number that you were given when you contacted UAPS.
   Completed Breach Reporting Form. Please fill this out to the best of your ability and email it to both ciso@ualberta.ca and privacy@ualberta.ca. We may contact you later if we have any questions. The form can be found here: https://www.ualberta.ca/information-and-privacy-office/media-library/information-and-privacy-office/library/forms/breach-reporting-form.doc
5. SMS also requires that an asset disposal form be completed and returned to smssurplus@ualberta.ca. Please note that this must be completed by you/your department. IST is not able to submit these on your behalf. The form can be found here: https://www.ualberta.ca/finance-procurement-planning/media-library/finance/documents/fs-office-site/forms-cabinet/assetdisposalformassetretirement.docx
6. If you will be requesting a new device to replace the old one, please follow your department's standard method for ordering new equipment.

Keywords: remote wipe, phone wipe, erase, iphone, android, blackberry, stolen, missing, cellular, suspend, telecom, telephone cellphone, mdm, mobile device management