Many staff members work on a computer that has been issued by VU Amsterdam. Some of these computers are managed (orange/green) while others are not (red). In addition, some staff members are used to working on a privately owned device. We have provided an illustrated overview of the access options and actions in the diagram below.
NB: all VU Amsterdam staff members will receive detailed guidance and instructions about these actions two weeks prior to the go-live date.
The main impact explained
Security: access when using different types of device
Security is paramount in the new digital workplace. The Office 365 programs are secured using Azure MFA authentication, for example, and university data will be brought back under the management of the university. Because of this, the following decision has been made: as long as you are using a university device, you will be able to work locally using all programs and data. If you use a device that has not been issued by the university, you will have online access to the programs and data. The reason is that in the case of devices which have been issued and are managed by the university, we can verify whether they meet the security and privacy requirements we must comply with as a university. As privately owned devices are unknown to the IT department, the risk they pose in terms of potential data breaches or breaches of privacy, for example, is too great for the university.
Security: Azure MFA authentication tool
VU Amsterdam has decided to implement Azure MFA as Multi-Factor Authentication for all Microsoft products. This tool is similar to TiQr or YubiKey, which you already use, and has several key benefits. For example, you can install Azure MFA on multiple devices and you are no longer reliant on the Service Desk. Azure MFA ensures that only authorized individuals can access the university's systems. In this way, we jointly prevent virtually all account abuse and, as a staff member or student, you help to keep the campus secure. For the new products such as MS Teams, Office 365 and OneDrive, you will be prompted for verification with Azure MFA from the moment of go-live. TiQr and YubiKey will continue to be used for other products for the time being.
Go-live while working from home: EduVPN
When we are all working at a VU Amsterdam location, everyone can easily connect to the university network. This is also what we did in previous IT projects: connect your computer regularly to the VU Amsterdam internet cable and you automatically receive the correct updates and programs. However, a large number of staff are currently working from home. This led to the launch early last year of EduVPN: a Virtual Private Network (VPN) service developed by SURF for students and staff of education and research institutions which makes it possible to connect remotely to VU Amsterdam's network.
If you are not connected by the university's network cable but you do use an orange university computer, you will get the new Office products over EduVPN. This is not necessary for privately owned devices, since the products cannot be installed locally on them.
Security: registering red devices
Red workplaces are devices which in some cases are issued to staff members with special workplace requirements. Staff members have slightly more freedom in terms of individual options for settings on a red device compared with other types of workplace. It remains a university-owned device, however, meaning that the university is responsible and also legally obliged to provide for the administration of the device. The ICT Facilities Regulations state, for example, that security monitoring of all devices belonging to VU Amsterdam should be possible. With the roll-out of the new digital workplace, we therefore ask users to register their red device on first use.
This has a number of security benefits. Registering red devices provides VU Amsterdam with greater insight and control when data breaches, theft and improper use of university equipment occur. The university can also check whether a device meets the basic security requirements. Following registration, the user may see notifications about security actions that may be implemented, such as installing a new virus scanner.