Secure Connect: UISL Guide to Preparing for NAC Enforcement


Overview


This document is the ITS-recommended checklist for departments getting ready to roll out the NAC phase of Secure Connect, which covers wireless, VPN, and wired enforcement.

Once you have chosen your enforcement date, ITS will create a timeline for completing the technical work before that date. The timeline will be shared during the weekly UISL check-ins and can be updated as needed.


Getting Prepared for Enforcement


1. Prepare Communications

Communication is sent to impacted users with information about when enforcement is happening, what steps to take in preparation, and what to expect. If you would like templates of what ITS sent to its own users, ask the Secure Connect team and we will share the exact wording for you to modify.

Communication Recommendations and Timeline

Communication: Initial communication to spread awareness
Timeline: 1.5 - 2 weeks before enforcement day
Message Focus:
  • What's happening: NAC enforcement is being rolled out to your group
  • Why: Enhance security through device compliance – link to the Secure Connect Blink page
  • When: Dates for enrollment opening and enforcement start
  • What you need to do
  • Where to get help: Links to support and documentation

Communication: Inform users that enrollment has been enabled
Timeline: 1 week before enforcement
Message Focus:
  • “Action required” messaging
    • Ex: Intune enrollment is now open for your device
  • Clear guidance:
    • Ex: Do I need Intune?, enrollment steps (Blink page), any locally relevant FAQ, videos
  • Emphasize the deadline and the outcome of inaction (e.g., loss of access to trusted resources)
  • Point of contact: UISL/IT Support Team

Communication: Countdown & monitoring messaging
Timeline: 7 days to 1 day before enforcement, based on risk levels
Message Focus:
  • Countdown: “X days left to enroll before access is restricted”
  • Reiterate urgency and consequences
  • Re-share help resources
  • UISLs can request optional division- or group-level compliance/readiness reports for targeted follow-up

2. Prepare Support 

  1. For the days leading up to enforcement and the days after, the ITS Service Desk can provide on-site support for your end users. Request help by contacting the Project Team at support-secureconnect@ucsd.edu
    • For specific assistance with wired enforcement and labs, you can request additional support through this intake form.
  2. The project team will have an all-day open Zoom room to troubleshoot issues as they come up on the day of enforcement and on any requested days after. Please request any additional days you would like.
  3. Review the Sysadmin’s Toolkit and request any additional information you need to troubleshoot and support your end users. All related documentation for each phase of NAC enforcement will also be linked in the Toolkit.

3. Technical Steps  

  1. ITS will need an AD group for your department to put into enforcement at least 1 week prior to your department’s enforcement date.
    • Criteria for your AD group:
      • No UE or GE employees are included in enforced AD groups, as they are currently out of scope
      • All in-scope employees are included in enforced AD groups, to avoid devices being unable to access UCSD-Protected
  2. Ensure all devices that need exceptions have a request submitted/added in CMDB. This step does not apply to the VPN rollout.
    • Bulk Exceptions Form - Each department should have received its own Bulk Exceptions Form; if you do not have it, please ask the Secure Connect project team.
    • SNOW form for individual exceptions
  3. The following steps will be taken by ITS before your enforcement date.
    • For Wireless:
      1. Confirm end users have E3 licenses
      2. Apply configurations in Intune (Windows and Mac policy sets/apps)
      3. For MECM devices, deploy the certificate via GPO and add the AD device group to enforcement
      4. Push certificates to Jamf and MECM devices at least 2-3 days before enforcement so that users have time to receive them
      5. After device certificates are pushed, communications can be sent out asking users to connect to the VPN or to a wired connection to ensure they receive the certificate
    • For VPN:
      1. All exceptions will be entered into CMDB.
      2. E3 licenses will be added to the AD groups provided by the UISLs.
    • For Wired: TBD
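As an added example (not part of this guide or of ITS tooling), the following PowerShell snippet pre-checks a candidate AD group against the two step 1 criteria before it is handed to ITS. It assumes the ActiveDirectory module is installed, that the employee category code (UE/GE) is stored in an AD attribute, and that a CSV roster of in-scope employees exists; the attribute name `extensionAttribute1` and the roster path `.\InScopeRoster.csv` are placeholders to replace with your department's actual values.

```powershell
# Added example: pre-check a department AD group against the enforcement criteria
# in step 1 above. Assumptions (replace for your environment):
#   - the ActiveDirectory PowerShell module is installed
#   - the employee category code (e.g. "UE", "GE") is held in extensionAttribute1
#   - InScopeRoster.csv has a SamAccountName column listing all in-scope employees
param(
    [Parameter(Mandatory)] [string] $GroupName,
    [string]   $RosterPath        = '.\InScopeRoster.csv',   # assumed file
    [string]   $CategoryAttribute = 'extensionAttribute1',   # assumed attribute
    [string[]] $OutOfScopeCodes   = @('UE', 'GE')
)

Import-Module ActiveDirectory

# Resolve nested membership so indirectly included users are checked too
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties $CategoryAttribute }

# Criterion 1: no UE/GE employees inside the enforced group
$outOfScope = $members | Where-Object { $OutOfScopeCodes -contains $_.$CategoryAttribute }

# Criterion 2: every in-scope employee is present, so nobody loses UCSD-Protected access
$roster  = Import-Csv -Path $RosterPath | Select-Object -ExpandProperty SamAccountName
$present = $members | Select-Object -ExpandProperty SamAccountName
$missing = $roster | Where-Object { $present -notcontains $_ }

"Group '$GroupName': $($members.Count) user members"
if ($outOfScope) {
    "REMOVE before enforcement (out-of-scope category):"
    $outOfScope | ForEach-Object { "  $($_.SamAccountName) [$($_.$CategoryAttribute)]" }
}
if ($missing) {
    "ADD before enforcement (in scope but not in group):"
    $missing | ForEach-Object { "  $_" }
}
if (-not $outOfScope -and -not $missing) { "Group meets both criteria." }
```

Run it from a workstation with RSAT installed, e.g. `.\Check-EnforcementGroup.ps1 -GroupName 'DEPT-NAC-Enforced'` (script and group names are placeholders).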

During Enforcement Checklist


  1. UISLs will be invited to a meeting for Enforcement Day. During that time, ITS and/or your team will do the following, based on what was agreed in your one-on-one meetings.
  2. Throughout enforcement, ITS can check the following:
    • Verify un-managed device portal redirect matching (ISE): ensure the username/password authentication redirect works
    • Verify MDM rule matching (ISE): compliant and non-compliant devices are displayed correctly

ITS Service Desk will provide a dedicated phone line and email support for IT personnel seeking assistance with Secure Connect compliance. The internal phone number and email address will be shared using the sysadmin mailing list. You can also contact the ITS Service Desk directly by calling (858) 246-4357, emailing support@ucsd.edu, or submitting a ticket at support.ucsd.edu. There is also a dedicated Secure Connect Teams channel for support. Please contact the team if you have not been added to the Teams channel.