DoIT Departmental Support - Managed Security Layer (MSL) - How it Works

The DoIT Departmental Support (DS) Managed Security Layer (MSL) service bundles centrally available endpoint management and security tools offered by UW–‍Madison and the Office of Cybersecurity into an affordable service that can assist UW departments to align with cybersecurity best practices and comply with UW–‍Madison and UW System policies regarding endpoint management, endpoint security and IT asset management.

Enrollment

DoIT Desktop Support customers:

If you receive desktop support services from DS, all new Windows and Mac systems provisioned for your department by DS technicians are automatically enrolled in the MSL service and will come preinstalled with Cisco AMP, Qualys Cloud Agent, and Spirion.

DoIT Standalone MSL customers:

Once your department has signed an MSL agreement, you will be provided a custom BigFix installer that you can use to install on your department's systems to enroll them in the service.

Windows enrollments: After BigFix has been installed on a Windows computer, it will receive updated security software installations for Cisco AMP, Qualys Cloud Agent, and Spirion, and will begin receiving centrally distributed patches and application updates.
Mac enrollments: The BigFix client can be installed and will then install Workspace ONE. User approval of a Workspace ONE profile is required to fully enroll the device. The system will then receive updated security software installations for Cisco AMP, Qualys Cloud Agent, and Spirion, and will begin receiving centrally distributed patches and application updates.

Update Schedule

The 3rd Tuesday of every month is the maintenance window DoIT uses to deploy updates to managed systems with BigFix. BigFix allows DoIT Departmental Support to target updates only to those systems that require them.

The week before updates are release, they are first tested on specially created virtual machines and on internal DoIT test systems before being released to customer systems on the 3rd Tuesday of every month.
Certain updates may require the system be rebooted for those updates to complete their installation
- If one such update is installed on a system, BigFix will cause a popup to appear informing the user of the need to reboot. It will NOT reboot the system for the user.
- Please note the existence of the BigFix restart popup does NOT necessarily indicate that any software has been installed through BigFix: the appearance of the BigFix popup can also be triggered by other software installations that require the system be rebooted.

Testing Pool

DoIT tests patch baselines on a pool of test machines the Friday prior to the 3rd Tuesday of the month. If you are an MSL customer and would like to participate in this process, please contact doit-seam-support@doit.wisc.edu with the names of any machines you would like to have added to this pool.

Update Types

DoIT Departmental Support deploys both OS and 3rd party software updates via BigFix as part of the process of updating customer systems.

Windows Critical Updates
- Defined as any Windows Update listed as a "critical update" by Microsoft
- Service Packs and Major Updates
  - Yearly updates to Microsoft's "H2" updates, approximately 6 months after they're released.
    - Windows 10 - release information
    - Windows 11 - release information
macOS Security Updates
- Defined as any Apple Software Update listed as a "security update" by Apple
  - Due to changes in how Apple handles macOS updates, DoIT is piloting Nudge to ensure end users are installing their own updates
Windows and macOS 3rd Party Application Updates
- A full list of applications DoIT updates is available here: https://kb.wisc.edu/62903

Additional Deployments

In addition to updates, BigFix also allows deployment of additional software, scripts, and system policies. Below is a list of some of the items currently being deployed to MSL managed systems:

Windows
- Dell Warranty Script
  - Stores warranty information locally on Dell systems for reporting purposes
- Java exception.sites file
  - A white list file allowing Java versions 7u51 and later to interact correctly with legacy Java applications
Mac
- Apple Warranty Script
  - Stores warranty information locally for Apple systems for reporting purposes

Automatic Restarts

In order to ensure security updates are properly installed, computers that have not been restarted for over 60 days will be automatically restarted. More information can be found here: https://kb.wisc.edu/104201

Keywords:	msl overview managed security layer endpoint management TEM BigFix Tivoli Endpoint Manager software update windows update flash player adobe reader acrobat mozilla firefox "TEM Tuesday" Suggest keywords	Doc ID:	124008
Owner:	Patrick D.	Group:	DoIT Departmental Support
Created:	2023-02-13 10:17 CDT	Updated:	2023-05-24 18:32 CDT
Sites:	DoIT Departmental Support, DoIT Help Desk, DoIT Staff
Feedback:	0 0 Comment Suggest a new document