Host Information Profile (HIP) checks for SMPH Departmental VPNs
What is a HIP check?
The GlobalProtect Host Information Profile (HIP) feature can be used to collect information about the security status of the endpoints -- such as whether they have the latest security patches and antivirus definitions installed, whether they have disk encryption enabled, or whether it is running specific software you require within your department, including custom applications. This information can then be used in firewall rules to decide if the endpoint is allowed to access specific resources or not.
What will SMPH IIT be checking for, and why?
IIT will be checking devices for the following:
- Operating system is up to date and patched - To ensure a device is not running a vulnerable operating system
- Antivirus is installed and running - To prevent malicious programs from running
- The boot drive is encrypted - To prevent unauthorized data access in case the device is lost or stolen
- The device firewall is running - To prevent a malicious program from "phoning home"
- A certificate provided by DoIT's Identity and Access Management team is installed - To ensure the device was provided by SMPH IIT.
- The Qualys and/or Cisco AMP agents are running - To track all running processes and services on (and physical location of) a device
For more information, please see the SMPH Endpoint / Device Standards
Who/What devices does this apply to?
Students
Currently, SMPH students that wish to use personal devices to access SMPH student resources have MDM installed from Shared Services on their devices. This is being phased out in favor of students connecting to SMPH-provided Azure virtual desktop instances. These instances will be accessible from anywhere, and will control which resources each student is allowed to access via Azure policies and Role Based Access Control (RBAC).
Faculty/Staff/Student Workers
Any device provided by an SMPH department will be enrolled in HIP checks. Nobody will be allowed to access departmental resources from their personal devices.
Recommendations
IIT Cybersecurity is recommending that departments begin enforcing the following policies on SMPH-owned devices in order to connect to departmental resources via VPN:
macOS Endpoints
Check |
Passing Value |
Minimum OS |
13 (Ventura) |
Antivirus |
Cisco Secure Endpoint is installed AND Real-time protection is enabled |
Drive Encryption |
Enabled |
Firewall |
Enabled |
Certificate |
UWCADSPRODRootCA UWCADSPRODIssuingCA |
Processes |
QualysAgent is running |
Windows Endpoints
Check |
Passing Value |
Minimum OS / Patch Management |
19045.5131 (Windows 10 Enterprise 22H2) |
Antivirus |
Cisco Secure Endpoint is installed AND Real-time protection is enabled |
Drive Encryption |
Enabled |
Firewall |
Enabled |
Certificate |
UWCADSPRODRootCA UWCADSPRODIssuingCA |
Processes |
QualysAgent is running |
Android Endpoints
Check | Passing Value |
Minimum OS | 12 |
Rooted | No |
iOS Endpoints
Check | Passing Value |
Minimum OS | 15 |
Jailbroken | No |