Information Security

Endpoint Device Encryption Standard

Last modified 1/13/2021

1/13/2021 Update

This standard document has been updated with two new sections: Exemptions and Exemption Examples. This update is to assist individuals in understanding when an exemption request is appropriate.

University academic and business activities often rely on processing data. Data protection is of critical importance to prevent data loss. To ensure the security of institutional data, device encryption is required for endpoint devices.

Standard

All University-owned endpoint devices must have full-disk encryption enabled. All personally-owned endpoint devices where institutional data is processed must have full-disk encryption.

Exemptions

Endpoint devices that meet all of the following are exempt from this standard:

  1. The device is unable to enable encryption due to at least one of the following limitations:
    • Technical limitation where no encryption solution can be used.
    • Access limitation where encryption would result in the inability for users of the device to access it.
  2. The device has compensating controls applied in place of encryption.
  3. The device has had an exemption request submitted to the Information Security Office and approved by the Chief Information Security Officer.

Exemption Examples

Access Limitation

We have identified that encrypting computer lab endpoint devices running the macOS operating system will result in an access limitation for users. When encryption is enabled on macOS devices, users need to enter an unlock key when the device is powered on. This unlocks the encryption and allows the operating system to start normally. In a lab environment, this requires an undue burden for lab users to access the computers.

Under these circumstances, even though there is not a technical limitation, an exemption request for this standard can be submitted defining the compensating controls in place to mitigate risk of data breach.

Additional Information

The following items are to provide context or better understanding of this standard:

  • What is an Endpoint?

Broadly speaking, the term can refer to any network connected device: desktop computers, laptops, smartphones, tablets, printers, or other specialized hardware like POS terminals or retail kiosks, that act as a user endpoint in a distributed network.

  • Requesting an Exemption

In the event that this standard cannot be met, an exemption can be requested and will be evaluated on a case-by-case basis. All exemptions will require documentation of the device, the data use on the device, the reason the standard cannot be met, and then executive approval determined by the area requesting and that data at risk.

  • Known Solutions

Microsoft BitLocker

BitLocker is a drive encryption feature provided by Microsoft for the Windows operating system. It is built into Windows and offers a variety of encryption algorithms.

Encryption Algorithms

  • AES - 128 Bit / 256 Bit
  • XTS-AES - 128 Bit / 256 Bit (Windows 10, version 1511 and above)
  • AES-CBC - 128 Bit / 256 Bit (For Removable Drives)

University Use

At the university, BitLocker can be managed in two ways. The primary difference is with regard to where the encryption key is stored. Endpoint teams can either use a dedicated tool called Microsoft BitLocker Administration & Monitoring (MBAM) or they can configure BitLocker on the computer to store the key in Active Directory.

Microsoft has implemented the features of MBAM into Microsoft Endpoint Configuration Manager (formerly, "System Center Configuration Manager" and also known as, "ConfigMgr" or "SCCM"). Endpoint devices currently using MBAM for drive encryption will be required to use ConfigMgr in the future.

Apple FileVault 2

FileVault 2 is a security encryption feature provided by Apple for the macOS operating system (macOS 10.7 and above).

Encryption Algorithm

  • XTS-AES-128 with a 256 Bit key

University Use

At the university, FileVault 2 can be managed by a Mobile Device Management (MDM) tool to enforce encryption and escrow the personal key of the device into the tool.

The primary MDM for macOS at the University is Jamf.

iOS / iPadOS

iOS and iPadOS devices use a file encryption solution provided by Apple called Data Protection that is built-in to the operating system.

Encryption Algorithm

  • AES

University Use

iOS and iPadOS devices that are "Corporate-Owned" (i.e. University-owned) can be managed by a MDM tool to force a passcode on the device. When the passcode is set, Data Protection will be enabled and encryption will begin.

Available MDMs for iOS/iPadOS - Jamf Pro, Intune, or Airwatch

Android

Android 5.0 - Android 9

Android devices use a built-in full-disk encryption provided by Google that is based on dm-crypt.

Android 7.0 and Above

Android 7.0 and above supports file-based encryption provided by Google.

On Android 10 and above, file-based encryption is required despite configuration.

Encryption Algorithms

  • AES 128 Bit (Full-Disk Encryption)
  • XTS-AES-256 (File-Based Encryption)

University Use

Android devices that are "Corporate-Owned" (i.e. University-owned) can be managed by a MDM tool to force a passcode on the device. When a passcode is set, encryption can be enabled manually.

Available MDMs for Android - Intune or Airwatch