uva-fnwi / deviceportal Goto Github PK

User data should be removed six months after end of their contract.

Add a remarks field per device that can be edited by institute and faculty managers. Store all changes as per #22.

Send mails as HTML to avoid this

Institute managers should be able to see a list of the users in their institute, with registered devices and security status, including a brief summary showing totals.

Provide the user of an overview of all UvA-registered devices, as registered in the UvA's CMDB (for now my a monthly Excel import) and the security status (Intune activated yes or now).

In the institute tiles in https://secure.science.uva.nl/faculty, add more some info:

• Instead of just complete/incomplete, show four different statuses: Intune completed, portal check submitted, portal check authorized, none
• Add a progress bar for devices as well (with the same statuses)

The institute manager should be able to choose which users can use the device security check in the portal. By default no users are authorized for this, and they should be able to turn it on for selected users.

So I can see what the application looks like when logged in as that user.

To prevent double devices. If the serial number is already there from Intune, it should merge rather than course a new device.

Right now you get a modal confirmation whenever you approve a check. If you have lots of checks this can be a bit annoying; we we add an option to skip it or make it a non-modal banner?

For each registered non-Intune device, an authorized user should be able to fill out the security check form, consisting of the following requirements:

• The equipment must have encrypted storage;
• The local accounts should be accessible only with strong passwords;
• A mobile device (telephone, tablet) is provided with a strong access code (minimum 6
  characters) other than the SIM card PIN code;
• The OS and all applications are maintained by a supplier or community, and are up to date
  including security updates;
• Applicable anti malware and antivirus solutions are present, active and up to date;
• Local (application) firewall is active and alerts the user to unusual behaviour;
• Laptop or desktop should be automatically locked after a pre-set period of inactivity after a
  maximum of 15 minutes and phones or tablets after 5 minutes;
• Remote wipe, lock, or effective data protection measures to prevent loss of setting
  information in the event of theft should be in place;

In general:

• Each requirement is a yes/no question, where in the case of no an explanation is required.
• Some requirements are specific to a certain device type.
• It should be possible for an admin to edit the requirements, but this doesn't need to be done via a UI (some kind config file is perfectly fine).

Set up an email notification for approvers.

Allow users to add/remove columns from big tables, saving their personal preference. Also expand the table so it uses the entire screen.

Add a date 'checked against cmdb' to a device that is set when it matches the current cmdb entry?

Clear the field on changes by users in the cmdb-fields.

Slight change of plan: change 'authorized' so it can only be toggled by admins and not by department managers.

For e.g. https://secure.science.uva.nl/users/hafsarm1 the Android device is in there multiple times because it has multiple Intune registrations (I think?). It should match by serial number here, it seems.
(Also these have an odd device type)

Add a group level below the institute that users can belong to. Institute managers can add/remove users from groups and filter views by group. Can we get these from SAP?

Add a 'disposed' status and hide these from all views. When processing the CMDB export, mark CMDB-devices that don't occur on the list anymore as disposed, e.g. DTB161483.

Per question and OS there should be a brief recommendation on how this point can be satisfied, possibly with links to external resources. We will need an html/markdown field to store this.

Add an Excel export option for the institute manager device list, including the email address of the device user.

Show all available info from CMDB when you click a device.

Add a mapping:
mapping.txt

Add in the #35 dialog the ability to edit fields (with history being saved):

• Building (maybe as a dropdown with the values in the mapping from #34)
• Room
• Outlet
• User

The Fortinet gateway has some additional information on certain machines that is useful to have. Import this information periodically into the portal. Fields:

• The labnet number/name (if any) a device is in (labnets have an owner as well which we are probably going to want to register as well at a later stage)
• Show the security category based on IP address: <128, 128-191, >191
• Operating system (type + version): use Intune if available, then labnet, then CMDB

Devices can be matched to Intune and CMDB on MAC address.

This is essentially a different view of #4, showing a table with a row per device and different filtering options.
One relevant field that we will need here is whether the device (desktop/laptop) is managed or not. This is an enum with five categories:

• Managed standard ("UvA Standaard SCCM")
• Managed special ("UvA Spec. SCCM")
• Self support ("UvA Zelfsupp.")
• Other (everything else from the list)
• BYOD (created manually by user)

For tablets/phones there are only two categories, UvA or BYOD. They can be placed under 'Other'.

Users should be able to add and edit names for their devices (separate from the device ID and serial number). For manually added devices this name is already there (and should be editable), for devices from the CMDB it should be an option.

For users with approver rights (as set up in #6), the portal should show an overview of open approval requests, allowing them to view the fields filled out and approve/reject the form.

When a user performs the security check, as a first question, show the current device OS and allow them to switch between macOS/Windows/Linux (the mobile OS can be read-only once entered). Also allow them update the version field.
(Where they change the OS, the instruction texts in the form should update to match.)

The institute manager should be able to set up which users can approve security checks filled out by users. This can either be a fixed pool of users, or it can be based on the HR-structure: a user's manager can approve the security check.

Sync user state with DataNose so that

• New users are added so that devices can be assigned to them
• Users who have left the UvA get an inactive status

Set up a process that sends an email one per week to all authorized users who have at least one device that still needs a check to be submitted.

Add a view where an admin can see all devices for which a change has been done with respect to the CMDB data.

Add a dialog/page that you get when clicking a device, with all available fields.

Allow the user to add a new personal device, with basic info:

• Name
• Type (phone/tablet/laptop/desktop)
• OS

I think we looked at this one before but I'm not sure if it is fully implemented. IoP has three subinstitutes (WZI, ITFA, HEF). The IoP view should also show devices/users under these institutes.

Right now, all approvers see all requests. They should only see requests from the institutes they are linked to.

If some info about a device is incorrect, there should be a way to indicate this, e.g.

• Device doesn't exist anymore
• Device doesn't belong to me
• Operating system has changed

Store these changes as a delta with respect to the CMDB data, so that they can be reported to ICTS and that in a new CMDB export we can see whether they have been processed.

All devices that are not in the CMDB should have the BYOD category (maybe with an icon), including the ones imported from Intune (which I think we now classify as 'other').

Add a checkbox per device (e.g. in the detail page from #35) that can be turned on to indicate that a device is shared (i.e, there are multiple users). Add an icon to the list for shared devices.

Add a button to show the full history. Also store and show the user who has made the changes.

Use a
SELECT * FROM [DWHPM].[dbo].[FNWI_portal]
on
MSSQL-PRD-AO1.FORET.NL\MSSQLNOAGPRD_1,1710

Set up a process that sets devices with a submitted check to insecure again after one year (be careful: Intune devices are also secure and should not be reset).

Faculty managers should be able to see the information for institutes, in particular be able to easy to see things like:

• How many users have been authorized for the security check?
• How many users have completed it?
• How many devices have been added?

In https://secure.science.uva.nl/requests, I want to see the institute so that I know which institutes still need to do their approving.

Implement SURFconext login via Open ID Connect.