Host Information Profile (HIP) checks for SMPH Departmental VPNs

This KB document describes how SMPH IIT uses the HIP feature on the campus Palo Alto firewalls to protect SMPH departmental resources.

What is a HIP check?

The GlobalProtect Host Information Profile (HIP) feature collects information about the security status of endpoints -- such as whether they have the latest security patches and antivirus definitions installed, whether disk encryption is enabled, or whether they are running specific software your department requires, including custom applications. This information can then be used in firewall rules to decide whether the endpoint is allowed to access specific resources.

What will SMPH IIT be checking for, and why?

IIT will be checking devices for the following:

  • Operating system is up to date and patched - To ensure a device is not running a vulnerable operating system
  • Antivirus is installed and running - To prevent malicious programs from running
  • The boot drive is encrypted - To prevent unauthorized data access in case the device is lost or stolen
  • The device firewall is running - To prevent a malicious program from "phoning home"
  • A certificate provided by DoIT's Identity and Access Management team is installed - To ensure the device was provided by SMPH IIT.
  • The Qualys and/or Cisco AMP agents are running - To track all running processes and services on (and physical location of) a device

For more information, please see the SMPH Endpoint / Device Standards.

Who/What devices does this apply to?

Students

Currently, SMPH students who wish to use personal devices to access SMPH student resources have MDM from Shared Services installed on those devices. This is being phased out in favor of students connecting to SMPH-provided Azure virtual desktop instances. These instances will be accessible from anywhere, and Azure policies and Role Based Access Control (RBAC) will control which resources each student is allowed to access.

Faculty/Staff/Student Workers

Any device provided by an SMPH department will be enrolled in HIP checks. Nobody will be allowed to access departmental resources from their personal devices.

Recommendations

IIT Cybersecurity is recommending that departments begin enforcing the following policies on SMPH-owned devices in order to connect to departmental resources via VPN:

macOS Endpoints

  Check              Passing Value
  Minimum OS         12 (Monterey) or newer
  Antivirus          Cisco Secure Endpoint is installed AND Real-time protection is enabled
  Drive Encryption   Enabled
  Firewall           Enabled
  Certificate        UWCADSPRODRootCA, UWCADSPRODIssuingCA
  Processes          QualysAgent is running

Windows Endpoints

  Check                          Passing Value
  Minimum OS / Patch Management  19044.4651 (Windows 10 Enterprise 21H2) or newer
  Antivirus                      Cisco Secure Endpoint is installed AND Real-time protection is enabled
  Drive Encryption               Enabled
  Firewall                       Enabled
  Certificate                    UWCADSPRODRootCA, UWCADSPRODIssuingCA
  Processes                      QualysAgent is running
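As an added illustration that is not part of this KB article or of Palo Alto's HIP implementation, the following Python evaluates a constructed endpoint posture report against the passing values in the two tables above. The report is a plain dictionary with assumed field names, not the real GlobalProtect HIP report format; the OS comparison treats the macOS value as a major version and the Windows value as build.UBR, and accepts anything equal or newer.

```python
# Added example, not from the SMPH article or Palo Alto's HIP code: evaluates a
# constructed posture report (plain dict, assumed field names) against the tables.
from itertools import takewhile

# Passing values from the macOS and Windows tables.
REQUIRED_CERTS = {"UWCADSPRODRootCA", "UWCADSPRODIssuingCA"}
REQUIRED_PROCESS = "QualysAgent"
REQUIRED_AV = "Cisco Secure Endpoint"
MIN_OS = {"macos": (12,), "windows": (19044, 4651)}  # macOS major; Windows build.UBR

def parse_version(text):
    """'19044.4651' -> (19044, 4651); '12.6.1 (Monterey)' -> (12, 6, 1)."""
    tokens = text.split("(")[0].strip().split(".")
    return tuple(int(t) for t in takewhile(str.isdigit, tokens))

def version_ok(actual, minimum):
    """True when actual >= minimum; zero-pads so (12,) and (12, 0) compare equal."""
    width = max(len(actual), len(minimum))
    def pad(v): return tuple(v) + (0,) * (width - len(v))
    return pad(actual) >= pad(minimum)

def evaluate_hip(report):
    """Return {check name: passed}, using the check names from the tables."""
    av = report["antivirus"]
    return {
        "Minimum OS": version_ok(parse_version(report["os_version"]),
                                 MIN_OS[report["platform"]]),
        "Antivirus": av["name"] == REQUIRED_AV and av["realtime_protection"],
        "Drive Encryption": report["boot_drive_encrypted"],
        "Firewall": report["firewall_enabled"],
        "Certificate": REQUIRED_CERTS <= set(report["certificates"]),
        "Processes": REQUIRED_PROCESS in report["running_processes"],
    }

def failed_checks(report):
    """Names of failed checks; an empty list means the device passes HIP."""
    return [name for name, ok in evaluate_hip(report).items() if not ok]

# Constructed sample report for a Windows 10 21H2 device (not real HIP data).
SAMPLE_WINDOWS = {
    "platform": "windows", "os_version": "19044.4651",
    "antivirus": {"name": "Cisco Secure Endpoint", "realtime_protection": True},
    "boot_drive_encrypted": True, "firewall_enabled": True,
    "certificates": ["UWCADSPRODRootCA", "UWCADSPRODIssuingCA"],
    "running_processes": ["explorer.exe", "QualysAgent"],
}
```

Running `failed_checks(SAMPLE_WINDOWS)` returns an empty list; turning off real-time protection or dropping the Qualys process from the sample reports exactly the failing check by its table name.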



Keywords: HIP Palo Alto SMPH MDM GlobalProtect
Doc ID: 138906
Owned by: Thom C. in SMPH
Created: 2024-08-05
Updated: 2024-10-15
Sites: School of Medicine and Public Health