Our EVPMA and Medical School Dean, Dr. Marschall S. Runge, has conveyed the importance of increasing the security of our Michigan Medicine networks. The Network Admission Control, or NAC, initiative is one way we can better secure the wired and wireless networks by limiting access to the following:
For more information, see the What is NAC and why are we implementing it? document.
HITS teams are in the process of inventorying all devices that access either network and ensuring that all devices have the necessary security protocols in place. Devices are categorized as follows:
- Institutionally-owned devices - those provided by or paid for by Michigan Medicine. If you have purchased a computing device with your own funds, but are then reimbursed for the purchase by the university or a research department or project in some fashion, this device is considered an institutionally-owned device. All institutionally-owned devices must be configured as "Core" (CoreImage or CoreMac) devices - with the proper security protocols in place - in order to connect to the Michigan Medicine network.
- Personally-owned devices - those acquired by an individual and paid for by personal funds. For personally-owned devices or non-Core devices to connect to the Michigan Medicine network, AirWatch must be installed on the device. AirWatch is the device management tool which provides encryption and the security policy needed. NAC will be enabled over the course of this year for devices connecting to the wired and wireless networks:
- The UMHS-8021X wireless network requires devices to be registered/inventoried or enrolled in AirWatch in order to connect after April 27, 2017, regardless of location. Network admission controls have been enforced across the entire wireless network.
- Controls for the wired network, aka any port in the wall that currently allows devices to connect to the internet/intranet by Ethernet cable, have a target completion date of December 2017 for all of Michigan Medicine. Wired network controls will be enabled in stages based on physical location. The wired switchover will occur floor-by-floor, building-by-building, through the end of the year.
Check the Wired Deployment Schedule to see when your area is scheduled. (Please be aware that dates may change to have less disruption to customers and patients).
HITS-Communications will be sending out targeted emails to specific areas as network controls are put in place in a location.However, all Michigan Medicine staff may take the following steps now:
- Ensure that institutionally-owned devices are currently inventoried or configured as "Core" (CoreImage or CoreMac) devices.
Users may schedule to have a device inventoried by contacting the Service Desk or visiting a Help Me Now location.
- Enroll personally-owned devices requiring access to internal resources in AirWatch. Internal resources include:
- Internal websites and SharePoint sites
- Network shared files and folders
- Accounts and systems requiring Level-2 credentials
For assistance with any of the above, stop in at a Help Me Now location or contact the HITS Service Desk at (734) 936-8000, option 9.
Signs that network controls are coming to an area or already in force may be visible on the doors of conference rooms.The signs that controls are in place will let people know that in these areas, everyone has complied by enrolling in AirWatch or is using a Core device to connect to the Michigan Medicine network. Employees who choose not to enroll in AirWatch may use MWireless-UMHS as an alternative. Visitors, patients, and families only may use the MGuest-UMHS network for a WiFi Internet connection. Please note that MWireless and MGuest do not provide access to internal health system resources.