Host Information Profile (HIP) checks for SMPH Departmental VPNs

This KB document describes how SMPH IIT uses the HIP feature on the campus Palo Alto firewalls to protect SMPH departmental resources.

What is a HIP check?

The GlobalProtect Host Information Profile (HIP) feature can be used to collect information about the security status of the endpoints -- such as whether they have the latest security patches and antivirus definitions installed, whether they have disk encryption enabled, or whether it is running specific software you require within your department, including custom applications. This information can then be used in firewall rules to decide if the endpoint is allowed to access specific resources or not.

What will SMPH IIT be checking for, and why?

IIT will be checking devices for the following:

  • Operating system is up to date and patched - To ensure a device is not running a vulnerable operating system
  • Antivirus is installed and running - To prevent malicious programs from running
  • The boot drive is encrypted - To prevent unauthorized data access in case the device is lost or stolen
  • The device firewall is running - To prevent a malicious program from "phoning home"
  • A certificate provided by DoIT's Identity and Access Management team is installed - To ensure the device was provided by SMPH IIT.
  • The Qualys and/or Cisco AMP agents are running - To track all running processes and services on (and physical location of) a device

For more information, please see the SMPH Endpoint / Device Standards

Who/What devices does this apply to?

Students

Currently, SMPH students that wish to use personal devices to access SMPH student resources have MDM installed from Shared Services on their devices.  This is being phased out in favor of students connecting to SMPH-provided Azure virtual desktop instances.  These instances will be accessible from anywhere, and will control which resources each student is allowed to access via Azure policies and Role Based Access Control (RBAC).

Faculty/Staff/Student Workers

Any device provided by an SMPH department will be enrolled in HIP checks.  Nobody will be allowed to access departmental resources from their personal devices.

Recommendations

IIT Cybersecurity is recommending that departments begin enforcing the following policies on SMPH-owned devices in order to connect to departmental resources via VPN:

macOS Endpoints

Check 

Passing Value 

Minimum OS 

13 (Ventura)

Antivirus 

Cisco Secure Endpoint is installed AND Real-time protection is enabled

Drive Encryption 

 Enabled

Firewall 

 Enabled

Certificate 

UWCADSPRODRootCA 

UWCADSPRODIssuingCA 

Processes 

QualysAgent is running

Windows Endpoints 

Check 

Passing Value 

Minimum OS / Patch Management 

19045.5131 (Windows 10 Enterprise 22H2)

Antivirus 

Cisco Secure Endpoint is installed AND Real-time protection is enabled

Drive Encryption 

Enabled

Firewall 

Enabled 

Certificate 

UWCADSPRODRootCA 

UWCADSPRODIssuingCA 

Processes 

QualysAgent is running

 

Android Endpoints 

Check Passing Value 
Minimum OS 12
Rooted No

iOS Endpoints 

Check Passing Value
Minimum OS 15
Jailbroken No



Keywords:
HIP Palo Alto SMPH MDM GlobalProtect 
Doc ID:
138906
Owned by:
Thom C. in SMPH
Created:
2024-08-05
Updated:
2024-12-17
Sites:
School of Medicine and Public Health