Do other universities enable NAC on wired ports that connect university-secured
machines? For instance, what are your policies on lab
computers, faculty/staff computers, etc.?

We haven't enabled NAC on the academic side yet (only in the dorms), and we're
worried that the NAC compliance rules we have for students may not work well
with university-managed computers. For instance, we have our university
computers pointed at an internal WSUS server, but we don't want students using
our WSUS server because when they graduate from the university (or leave the
dorms), we don't think they will change their settings back to Windows Update
instead of our WSUS.

A problem this would cause would be if a student were to log into a university
machine that has purposely received a different set of updates (for instance,
perhaps a computer lab has temporarily withheld a patch until they can properly
test to make sure it doesn't interfere with specific apps), the machine would
be required to have the "student requirements." The private enterprise probably
doesn't run into these issues as much as larger universities, where all the
different academic departments run disparate computer policies.

We are already aware of Profiler to identify non-compliant devices and things
of that nature. I guess the main point of this post is to find out what your
policy is for university computers, and whether there is anything on the NAC
Appliance roadmap to take Active Directory machine accounts into consideration
(for instance, if the AD user account has "student" group memberships and the
computer object exists with "COSC computer lab" security group, then use Policy
A, else just use Policy B).

Thanks in advance.