When standard device management policies interfere with the University's academic and/or business processes and an alternative solution cannot be reached, a user may request an exclusion from a specific management policy. For example, a computer used in a recital hall may need to be excluded from the traditional forced reboot schedule to prevent reboots during a recital.

In those cases, the user who is responsible for the device may submit a support request for a Management Policy Exclusion, along with a justification, and the IT Consultant will begin the Management Policy Exclusion process. The workflow will be reviewed by a representative from IT Support Services, IT Infrastructure and Systems, and the Office of Information Security for approval before excluding the device from a management policy.

Who must request an exclusion?

The end user who is the responsible party for the device that needs the exclusion can request it through a Computer Assistance Request. The IT agent will then start the internal process by submitting the Management Policy Exclusion request in Jira under IT Agents.

How long does an exclusion last?

An exclusion will last 365 days from the final approval date. After 365 days, the user will get a notification prompting them to review the management exclusion and they can send it through the approval process again to continue the exclusion for another 365 days.

How many exclusions can be requested?

There is no limit to the number of exclusions requested per computer, but a consultant should only submit one request per computer. Additional exclusions requested should go on the original Jira ticket. This is to ensure we track one Jira ticket per computer.

IT Agent Process for Requesting the Exclusion

  1. First, when an IT Agent receives a Computer Support Request for an exclusion from the user:
    1. They should follow up with the user to make sure there is no other way to resolve their issue without the need for the exclusion.
  2. If the exclusion is still needed, the agent can start the internal process using the Management Policy Exclusion request listed below.
    1. Visit and submit a Management Policy Exclusion Request:
      1. Summary Field
        1. Provide the specific management policy that needs to be excluded. Here are some examples:
          1. Patching
            1. Application Patching (e.g. Google Chrome updates)
            2. Minor OS Updates (e.g. security updates with or without reboots)
            3. Major OS Upgrades (e.g. reminders to upgrade to the latest OS)
          2. Settings
            1. Auto Logout or Lock Settings
            2. Account Deletion
              1. Local Account Deletion
              2. AD Account Deletion
            3. Energy settings
            4. Etc.
      2. Justification Field - use the justification/use case provided by the user
      3. Responsible Party
        1. This is the specific end user that has requested the exclusion and will be responsible for approving the exclusion each year.
  • NOTE: The responsible party will be responsible for maintaining the machine in a secure, patched, and supportable state once a management policy exclusion has been applied.
  3. Technical Implementation
    1. Not all exclusion requests may be technically possible from SCCM or Jamf Pro.
    2. Some software is not eligible for exclusions:
      1. Malware Protection: Cisco AMP
      2. Intrusion Prevention & Detection: Cisco AMP
      3. Centralized Logging: ELK
      4. Emergency Desktop Notifications: Alertus Desktop
    3. If the request is approved, Systems will add the device to the available technical implementation for exclusions.
    4. NOTE:
  4. Auditing Exclusions
    1. After 365 days, the SLA timer expires and a linked request is created for the DSS consultant to review.
    2. The consultant needs to reach back out to the responsible party to confirm the exclusion is still needed for another year.
    3. Document the response in the ticket and close it. The associated Systems agent should be included on the linked ticket and will get the notification; if not, @mention the associated Systems agent in the ticket.
    4. The Systems agent then handles the refresh of the Exclusion ticket by restarting the approval process for another year.

Risk/Responsibility Acceptance

You, the responsible party, will be responsible for maintaining the device in a secure, patched, and supportable state once a management policy exclusion has been applied.