Why am I not able to access some features on my ECU-managed macOS computer?
We are all responsible for the ECU information in our care. Some default features included in the macOS do not comply with security guidelines and ECU regulations and may leave work data vulnerable.
To comply with auditing and regulation requirements, ECU is following the Center for Internet Security (CIS) benchmarks by enabling some features while disabling other, consumer-oriented features.
By following these best practices, we aim to provide users the utility required for work while protecting ECU data.
Which features are enabled?
- Eject at Logout – Prevents harm to externally-connected devices if a user logs out and forgets to eject a device. Also prevents inadvertently passing along a DVD if another person borrows the system.
- Activation Lock – Activation Lock is managed by ITCS.
Which features are disabled?
- Apple ID (consumer-oriented feature) – Your Apple ID account will not be included on your ECU-managed macOS device.
- Family Sharing (consumer-oriented app) – Allows sharing of Apple services like iCloud storage with other family members. Sharing iCloud storage and photos with others is a concern if ECU data is unknowingly backed up to the iCloud space.
- TV app (consumer-oriented app) - Used to discover and watch TV on your device.
- Wallet & Apple Pay (consumer-oriented app) – Apple Pay allows contactless purchases in stores, apps or on the web. Wallet stores payment and other access information.
- Game Center – (consumer-oriented app) Participation allows sharing of personal information that can be read and used by others, including Apple. Can be enabled by department chair request.
- Game downloads – Default games that come with macOS are not affected. However, games downloaded by the user will be blocked.
- Home app – (consumer-oriented app) Controls smart home products; uses iCloud keychain which contains all the user’s passwords, both personal and ECU-related. Not secure.
- Password sharing – ECU does not allow any type of password sharing.
- iCloud sync – iCloud is NOT approved storage of ECU data. Approved storage for ECU data is Microsoft OneDrive cloud storage and Piratedrive.
- Find My Mac – Once enabled, the system can only be unlocked by the Apple ID used to enable it. This is a problem if the computer needs repair or the user leaves ECU and returns the system; it cannot be repaired, re-imaged or reassigned to another user while this feature is enabled.
- Freeform - You can't be sure that the others you are collaborating with are who they say they are.
What if I need any of these apps or services for my ECU work?
Submit an ECU Technology Request form through the ECUPORT system to request a software exception.
The Software and Data Collection Services Acquisition Regulation requires all software - purchased and free - "to be reviewed by the Technology Acquisition Committee for duplication/replication of an existing software/service, compatibility with existing infrastructure and applications, security and accessibility of the software or services and risks associated with its use" (https://www.ecu.edu/prr/08/05/11).
If the software stores or uses sensitive data but has not had a Technology Security Assessment, submit the TSA request. Part of this assessment addresses installation and remote access. If the software stores, processes, or transmits sensitive data, data steward(s) or committee(s) approval is required to prior to installation.
Why can’t I use the Family Sharing, Wallet & Apple Pay features?
These consumer-oriented features are disabled for ECU-managed systems to prevent accidental sharing of ECU data.
Family sharing allows a group to share access to Apple services like Apple Music, Apple TV+, iTunes, Apple Books and app store purchases as well as an iCloud storage plan and family photo album. Sharing iCloud space and photos with others is a concern if ECU data is unknowingly stored in that iCloud space (see the approved ECU data storage information in the Related Articles section.)
I see that Game Center is also disabled.
This consumer-oriented app allows access to game saves, high scores and friends on all Apple devices, both work and personal, through iCloud.
Apple’s Game Center terms document states the service allows participation in leader boards, multi-player games and tracking achievements. Use of this service could require certain software and fees may apply.
Other excerpts from the terms explain that:
- “The personal information you share is visible to other users and can be read, collected or used by them. You are responsible for the personal information you choose to submit.“
- “Features allow you to submit materials (including links to third-party content) on areas of the Service accessible and viewable by the public.”
- “You agree to provide accurate and complete information in connection with your submission of any materials on the Service or in providing or marketing the Service, without any compensation or obligation to you.”
What is "Eject at Logout"?
When you log out of the system, any USB flash drives or DVDs still in the system automatically eject. This prevents:
- Harm to the USB or CD/DVD drives or media
- CDs/DVDs inadvertently being passed to another user
Will I be able to control lights and other smart home devices through the HOME app?
This computer-oriented feature is disabled as it requires that iCloud keychain be enabled. iCloud keychain contains all the user's passwords, both personal and ECU-related and could leave this information vulnerable.
Can I share my WiFi password between my ECU-managed macOS computer and iOS phone?
No. ECU does not allow any kind of password sharing.
Why am I not able to sync my documents and desktop to iCloud?
iCloud is not an approved storage service for ECU data. For more information, see the article, File Storage Security, linked in the related articles section. Also helpful is the Storage Feature Comparison: OneDrive & Pirate.
Why is the Find My Mac feature disabled?
When you enable this feature for your ECU-managed macOS device, your Apple ID password or device passcode is required to unlock the system. Not even ECU IT admins can access this device. If you leave ECU and return the system to your department, it cannot be repaired, re-imaged or reassigned to anyone else. Therefore, the Find My Mac feature is disabled for users and the Activation Lock feature is managed by IT admins.
What happens if I try to install a blocked program?
The program can be installed but will be automatically blocked on launch. A pop-up message will alert you that the program has been terminated or blocked.