University of Wisconsin–Madison

Endpoint Management Project

An endpoint is a computing device that communicates back and forth with a network, including but not limited to desktops, laptops, servers, and smartphones. Endpoint protection is critical to reduce threats to university networks.

The protection of UW–Madison endpoints that access University data is essential to reducing the overall security risk to the data these devices encounter. This project will curate and deliver a set of flexible endpoint management and security tools, supported by core campus IT organizations and used by distributed IT organizations.

Planned Service Offering

The following will be provided for campus units using the service:

  • HCL BigFix and VMware Workspace ONE as platforms for endpoint management
  • Cisco AMP (Advanced Malware Protection) for departmental endpoint security
  • Packages for deployment of UW–Madison enterprise software titles
  • Reporting tools to meet UW–Madison and UW System reporting requirements
  • Service documentation and support
  • Managed infrastructure and dedicated vendor support

Product Comparison

HCL BigFix, which is currently used by many groups across campus, will continue to be offered as a central service. VMware Workspace ONE will be offered as well. Units are encouraged to choose whichever tool best meets their needs. A summary of some of the differences between the two products follows.

HCL BigFix provides a more traditional endpoint management solution. Although modern management features are not currently available,* it comes at a significantly lower price per endpoint than Workspace ONE and offers a great deal of flexibility in how deployments, patching, and reporting take place. We recommend this product for departments that primarily manage Windows and Linux devices or Windows Server devices, or that are already using BigFix and are satisfied with its capabilities.

Workspace ONE provides a modern Unified Endpoint Management (UEM) solution. We recommend this product for departments that require modern management or mobile device management capabilities, that have specific compliance requirements only certain modern management functions can satisfy, or that want a “one lens” view in which all user devices are managed from a single console.

                                                    HCL BigFix                                  VMware Workspace ONE
Supported operating systems (OS)                    Windows (desktop and server), macOS, Linux  Windows (desktop only), macOS, Android, iOS, Chrome OS
Advanced reporting                                  Yes                                         No
Conditional access                                  No                                          Yes
Encryption key management                           No                                          Yes
Endpoint management                                 Yes                                         Yes
Mobile device management                            No                                          Yes
Modern management features for Windows and macOS    No*                                         Yes
Out-of-box provisioning                             No                                          Yes**
Software license management                         No                                          Yes
Training                                            Vendor documentation                        Self-paced online training, vendor documentation
Support                                             Business hours support provided by DoIT     Business hours support provided by DoIT
Vendor homepage                                     HCL BigFix                                  VMware Workspace ONE

*HCL has recently introduced a BigFix Modern Client Management (MCM) module that provides modern management features for newer versions of Windows and macOS. DoIT is evaluating whether this should be added to the current campus BigFix environment.
**Requires “Advanced” license

Documentation

Project timeline

High-level milestones

  • Tool inventory & requirements elicitation
  • Vendor research, peer benchmarking, RFI process
  • FY19 funding, FY20 budget, RFP

Frequently asked questions

What’s an endpoint?

An endpoint device is an internet-capable computer hardware device on a TCP/IP network. This includes but is not limited to computers, laptops, smartphones, tablets, thin clients, printers, and other specialized hardware such as POS terminals and smart meters. From a security perspective, a server is also considered an endpoint.

Although we’re not managing many of them to the same degree as desktop computers and laptops, we also consider the following endpoints for this project:

  • Printers that are network addressable. (For example, a stand-alone printer connected to a switch is an endpoint whereas a local printer connected to a PC or Mac device that is only addressable by that device is not.)
  • Copiers that are network addressable.
  • Mobile devices that were purchased with UW funds for conducting UW business.
  • Network-connected lab devices or similar.
  • Network-connected freezers and refrigerators.
  • Network-connected AV equipment.
  • Network-connected IP cameras.

In short, an endpoint is a computing device that communicates back and forth with a network. All endpoints, when connected to a network, are open to a number of vulnerabilities if not properly protected.

What are endpoint management and security tools?

Endpoint management tools help keep track of devices used in a system to ensure their software is secure and up-to-date.

Some of the endpoint management and security software (tools) in use on campus today includes Symantec Endpoint Protection, Cisco Advanced Malware Protection, Palo Alto TRAPS™, System Center Configuration Manager, and IBM BigFix; these tools provide virus protection and deliver operating system and software updates and patches.

What is included in an endpoint management and security program?

Important components of an endpoint management and security program include:

  • Consistent management of university-owned devices including inventory, patching, and vulnerability management
  • Identification of security threats and active mitigation of threats such as malware
  • Protection for mobile devices such as tablets and smartphones

Because many people in the UW-Madison community bring their own devices to campus, the project will also include recommendations for personally-owned and unmanaged devices used throughout the university.

Why does UW–Madison need this project?

An endpoint security system protects endpoints and their network from malicious threats. It provides a central method for securing the IT network and gives visibility into vulnerabilities and risks over time.

Currently, endpoint management is inconsistent across campus. In addition, license and support contracts for our current security agents are due to end. This project seeks to deploy a solution that provides the ability to centrally manage endpoints and provide security agents for over 80% of the campus computing environment.

What is the scope of this project?

The UW System Information Security Program requires UW-Madison to standardize on tools that will enable a campus-wide inventory of university-owned computing devices, provide the capability to connect to all devices, and enable central logging and activity reporting. In addition, the protection of UW-Madison computing devices or endpoints (e.g., desktops, laptops, servers, mobile devices, etc.) that access University data is critical to reducing the overall security risk to the data these devices encounter.

In order to meet UW System requirements and ensure the protection of UW-Madison data, rationalized and strategically sourced endpoint management and security tools are needed. This project will curate and deliver a set of flexible endpoint management and security tools, supported by core campus IT organizations and used by distributed IT organizations, to achieve the goals stated in the UW System Information Security Program.

UW-Madison is evaluating leading industry and forward-thinking technology solutions that address disparities in endpoint management and security across organizations, which will help us meet the UW System requirements and our own endpoint management and security needs.

Project Team

Executive sponsor

David Pagenkopf, Deputy CIO

Endpoint Implementation Leadership Team

  • Tamara Walker (DoIT)
  • Bob Turner (CISO)
  • Kevin Cherek (AIMS)
  • Chris Spencer (SMPH)
  • Stefan Wahe (CALS)
  • Susan Weier (L&S)
  • Pete Boguszewski (GLS)
  • Lauren Bruce, Communications
  • Mark Treiber, PM

Endpoint Implementation Core Team

  • Chris Poser (Co-Chair/Service Lead)
  • Jon Dickenson (Technical Lead)
  • Pat Daley (Technical Lead)
  • Karl Weirauch (Technical Lead)
  • Dave Schroeder (Technical Lead)
  • Oakes Dobson (Technical Lead)
  • Cory Chancellor/Derek Tessman – AIMS
  • Curt Shomberg/Matt Schultz – SMPH
  • Sterling Anderson – L&S
  • Chris Wiswell – Athletics
  • Charlie Maurice – Engineering
  • Drew Gardner – WID
  • Jon May – DoIT Data Center
  • Kerry Tobin – CALS-Biochemistry
  • Will May – Information School
  • Susan Weier – LSS
  • Sara J Nagreen – Mathematics
  • Thomas Hartman (or Sara Lien) – CALS-CALS IT
  • Jen Sutherland (ITIL)
  • Sara Tate-Pederson (IT Policy)

Communication Team

  • Lauren Bruce, DoIT
  • ISCOM
  • Cybersecurity

Procurement

  • Bruce Reilly

Other Advisory Teams

  • CIO Cabinet
  • T&L TAG
  • Research TAG
  • Core Services Advisory Group