IT Services - SecureConnect NAC: A MECM Implementation Guide

Overview

This article provides instructions for IT teams across the UC San Diego campus on using MECM (Microsoft Endpoint Configuration Manager), formerly SCCM, to deploy Certificates and Network configuration items as part of the campus-wide SecureConnect initiative for managed devices.

For more resources for the Secure Connect NAC, refer to the Support IT's Guide to SecureConnect NAC Enforcement.

Critical Concepts

MECM is an on-premises-based MDM tool that supports Windows Desktops and Servers. This tool provides advanced features for managing Windows devices through the campus Active Directory and includes options like drive mapping, printer configurations, etc. It also uses PatchMyPC for third party application updates.

Your department and supported users may fall into one of the following categories regarding MECM:

We are part of the ITS-managed MECM platform. What should we do to prepare for NAC enforcement?
- Instructions for Deployment within the ITS-Managed MECM Platform
We manage our own MECM instance. How can we integrate with the ITS-managed platform for NAC enforcement?
- Instructions for Migrating into the ITS-Managed MECM Platform
We use a different MDM solution to manage our devices. What are our options?
- Instructions for Migrating to ITS-Managed Intune
- Exception process for departments using other MDMs (Coming Soon)

Instructions for Deployment within the ITS-Managed MECM Platform

The IT group from each department involved in rolling out SecureConnect will need to provide ITS with their respective Active Directory (AD) groups for both users and computers. Providing these AD groups is necessary for the Secure Connect team to grant machines access to the certificate template and apply GPOs to the appropriate OUs.

If your department has not yet started this process, please contact ITS as soon as possible to ensure a smooth transition to NAC enforcement.

Instructions for Migrating into the ITS-Managed MECM Platform

To request to use the ITS-Managed MECM Platform, please submit a ticket via the IT Services & Support Portal.

In the “What service does this relate to?” field, please input “Microsoft On-Premise Tools” and someone from the MECM team will reach out to you.

There is an internal tech wiki for more instruction on how to use MECM. Please contact the MECM team using the IT Services Support Portal link above if you do not have access to this documentation.

Common Troubleshooting Techniques

Checking for the device certificate:

Option 1: Navigate to the certificate manager by going to the Start menu, typing in certlm.msc and clicking the ENTER key.
- Click on the folder labeled "Personal" > "Certificates". If the device successfully received the device certificate, there should be a certificate issued by "UCSD Active Directory Intermediate CA-A1".
Option 2: Have the user open the Command Line as an administrator.
- Type and run “gpresult /r” into the prompt. If the device successfully received the device certificate, the certificate “MES_SECURECONNECT_CERTIFICATE” should appear under the "Applied Group Policy Objects" section.
If the device certificate does not appear, please connect the device to a wired network or connect the device to the UCSD VPN on a different wifi network so that the device can receive the certificate.

ITS Service Desk will provide a dedicated phone line and email support for IT personnel seeking assistance with Secure Connect compliance. The internal phone number and email address will be shared using the sysadmin mailing list. You can also contact the ITS Service Desk directly by calling (858) 246-4357, emailing support@ucsd.edu, or submitting a ticket at support.ucsd.edu.