Desktop and Laptop Support

From CELS IT Wiki

What is the policy for desktop and laptop support in CELS?

In CELS, we have defined four types of machines: Operational/Administrative, Standard Linux Desktop, Managed Scientific, and Unmanaged Scientific. This document outlines the configuration and management policy for each classification. For purposes of this document, a "researcher" is anyone of an employment category that is not primarily administrative. PT, RD, and Postdocs fall into this category. When there is a question, the user's supervisor and CELS Systems will jointly agree on whether or not someone is a "researcher". Also, "laptop" and "desktop" are interchangeable in this document.

Operational/Administrative

These laptops are used by non-researchers and are considered part of the “operational” infrastructure. They are typically used by staff involved in the administrative and operational aspects of their divisions, including financial, HR, and administrative assistants. However, anyone can request a laptop of this configuration. The following properties are part of an Operational/Administrative laptop:

  • Built from a CELS Systems-established image/configuration
  • CELS Systems has root access to the machine.
  • The end user does not have root/administrative rights on the machine, except for the limited ability to add printers where applicable.
  • The machine is joined to the Argonne Active Directory, and uses AD accounts for login purposes,
    • except for the local administrative account which is controlled by CELS Systems.
  • Disk Encryption is enabled (via File Vault for Macs, via McAfee for Windows). The master (emergency backup) password for File Vault is maintained by CELS Systems.
  • Time Machine disks (where applicable) are also set to be encrypted. The password for decryption is set by CELS Systems, saved in the user’s keychain, and secured in the same fashion as the File Vault master passwords.
  • Users are directed to use Box Sync for documents whenever possible. Shortcuts are placed on the desktop and in the user’s folder hierarchy to make this easy to do.
  • The machines are fully managed by Casper (Mac) or Argonne's AD Group Policy and other Windows Administration tools (Windows), including all software installs, software updates, and OS updates. These are managed by CELS Systems.
  • Eracent is installed to manage software licensing.

The standard software suite includes the current versions of: MS Office, Firefox, Adobe Flash, Box Sync, and the laboratory's preferred antivirus solution.

Standard Linux Desktop

These are standard CELS Linux desktops (sometimes called "green desktops"). They use the CELS account system for authentication (managed at https://accounts.mcs.anl.gov under the workstation resource), and mount the CELS filesystems via NFS. Users may install software in userspace; however, software requiring administrative rights is installed by CELS Systems. Users do not get administrative privileges on these machines.

The following properties are part of a Standard Linux Desktop:

  • Built from a CELS Systems-established image/configuration.
  • CELS Systems has root access to the machine.
  • The end user does not have root/administrative rights on the machine.
  • The machine is joined to the CELS LDAP, and uses these accounts for login purposes,
    • except for the local administrative account which is controlled by CELS Systems.

For more information, see our Linux pages.

Managed Scientific

These laptops are used by divisional researchers who are comfortable handling some level of systems administration on their machine. The machines are moderately managed by CELS Systems; however, the end user maintains administrative rights and can install software and updates on his/her own. (This configuration may also be known as "co-managed", that is, jointly managed by the laptop user and CELS Systems.) This is the default configuration for a laptop for a researcher that comes through Systems for configuration. Only researchers may request a laptop of this configuration, and they must agree to the below configuration, as well as any additional TMS training that may be triggered by their having administrative control over a lab-owned machine. The following properties are part of a Managed Scientific laptop:

  • Built from an established image/configuration
  • CELS Systems has root access to the machine.
  • The end user also has root access to the machine via the Administrator group in OS X, or via a local administrator account for Windows machines.
  • The machine is joined to the Argonne Active Directory, and uses AD accounts for login purposes,
    • except for a local administrative account which is controlled by CELS Systems.
  • The user may also have a local administrative account distinct from the AD account.
  • The user may request the laptop not be bound to AD (Mac only).
  • Disk Encryption is recommended via File Vault or McAfee. If desired, the master (emergency backup) password for that machine’s File Vault is maintained by CELS Systems.
  • Time Machine disks are also set to be encrypted. The password for decryption may be set by CELS Systems, saved in the user’s keychain, and secured in the same location as the File Vault master passwords. Or, if the user chooses, he or she may maintain the decryption password.
  • Mac laptops are monitored and partially managed by Casper, including all software installs, software updates, and OS updates. CELS Systems will inform the user if the machine requires software updates, and will install them if requested.
  • Eracent is installed to manage software licensing.

The standard software suite includes the current versions of: MS Office, Firefox, Adobe Flash, Box Sync, and the laboratory's preferred antivirus solution.

Unmanaged Scientific (Argonne-owned)

These laptops are functionally equivalent to laptops not owned by Argonne in terms of Systems Administration. They are not managed by Systems. Only researchers may request a laptop of this configuration, and they must agree to the below configuration, as well as any additional TMS training that may be triggered by their having administrative control over a lab-owned machine. Any laboratory-issued tablets (including Apple, Android, or Surface) automatically fall into this category.

  • Users will be provided instructions on how to install required software banners and implement required and recommended security policies.
  • Users will be informed by Systems or ANL Cybersecurity as quickly as possible of detected vulnerabilities and infections; however, the user is required to keep the machine current in software configuration and secure.
  • Users will self-report licensed software to CELS Systems when requested in order to ensure accurate software licensing. Users can avoid this option by having Eracent installed on the machine.

 

CELS Systems Laptop Support

CELS Systems will provide support for any laptop that meets the following criteria:

  • It was of a configuration specified or approved by Systems. Depending on your operating system preference, this will either be a Lenovo Thinkpad (Windows) or Macbook (Mac OS X). It should be noted that asking Systems to order a laptop for you does not imply it is approved by Systems. We will notify you if you're ordering something that is non-standard, and that you are on your own for support.
  • It is using either the Operating System that came with it, or an Operating System installed by Systems. If it is a dual boot system, Systems will only support the OS that meets the above criteria, and no others.
  • Systems must have root/Administrator level access to the machine.
  • Any hardware or peripherals must be ones that come with the laptop, or are specifically specified by Systems.
  • The software is software installed or recommended by Systems.
  • If it is a particularly old laptop, using an old Operating System, we may recommend upgrading the laptop or the Operating System.
  • If it's not under warranty, we may not be able to support it. Generally, this applies to laptops that are more than three years old.

What it means when we say Systems will support your laptop

  • Administrative/Operational machines are fully supported, the same as any other machine for which CELS Systems is the sole Administrator.
  • For other laptops, as with any machine not under our direct control, the operator or other specified person is the primary point of support for the machine. If the primary point of support cannot solve the problem, Systems will work with the user/support contact to get it solved.
  • We will do our best to solve any problem in a non-destructive manner. We will never intentionally erase any data without explicit permission from the user.
  • If it is determined to be a hardware problem, we will work with the vendor/support contract holder to get it fixed. We have no control over how fast this happens once it leaves our building. We may or may not have a loaner machine available. If a loaner machine is available, it may not be the same type as is being repaired.
  • After a reasonable amount of time trying to solve the problem, we may recommend any of the following as a solution: Reinstall the offending application, upgrade the Operating System, reinstall the Operating System, completely erase the hard disk and rebuild the Operating System from the System Restore utility of the laptop, or purchase a new laptop. Some of these solutions will result in a loss of data. Users are strongly encouraged to back up their laptops regularly.
  • If the "System Restore" option is chosen, this will result in the laptop being returned to the state it was in when delivered from the factory or given to you initially by Systems. 
  • In the event of a hardware or software failure, Systems may suggest repair methods, techniques, specific vendors, or best practices for resolving the issue. If the user chooses to pursue alternative repair methods or disregard the suggestion given by Systems, any new or worsened issues that arise from these alternative methods may then become the responsibility of the user.

What are your responsibilities as a Laptop User?

  • If you self-administer your machine, keep your machine updated with the latest security patches for your operating system and installed software.
  • Please ensure you are running Antivirus software. Systems will provide AV software if it is not already installed, or make recommendations for laptops that are not laboratory-owned.
  • Please install any applications recommended by Systems, and keep up to date with any announcements from Systems.
  • Do not install any applications you are unsure of without consulting Systems first.
  • Users are strongly encouraged to back up their laptops regularly.
  • Do not open any email attachments unless you are expecting the attachment and you know what it is.
  • Keep your laptop secure via methods available. Password protected screensavers, hard disk passwords and BIOS passwords are recommended, and Systems will assist with this.
  • Keep your laptop physically secure. Systems will provide you with a laptop lock if requested. Do not leave your laptop unattended. If you lock it down, lock it down in a secure manner (around a table leg is not secure).