SPS-IT UC San Diego Secure Connect: Enhancing Network Security and Access Control
The Secure Connect project is a campus-wide initiative designed to enhance network security and streamline access control for all users in the School of Physical Sciences. This multi-phase project introduces Network Access Control (NAC) to secure both wireless and wired connections, ensuring that only authorized, compliant devices can access trusted campus resources.
Phase 1: Wireless and VPN Enforcement
Starting July 14, 2025, all users in the School of Physical Sciences connecting to Wireless or VPN networks will be required to enroll their devices through the Intune Company Portal. This step ensures that every device is compliant with university security standards, safeguarding sensitive data and reinforcing network integrity.
Requirements for Access to Trusted Network Resources:
To connect to trusted resources through UCSD-Protected Wi-Fi, Campus Virtual Private Network (VPN), or most Wired networks, your device must meet a set of mandated security standards.
- Supported operating systems: current macOS (macOS Mojave 10.14+) and Windows (10/11) systems. Linux systems require the exception process: contact sps-it@ucsd.edu.
- Mobile devices, including tablets, are exempt from this program.
- Enrollment in the Intune Company Portal (Windows and macOS). Enrollment configures the endpoint protection agents, registers the device, and provides device posture assessment.
- Trellix (EDR) and Qualys (VAS) endpoint protection agents. These are installed automatically through Intune, or are available from sps-it@ucsd.edu.
- Connection through Cisco VPN for remote secure authentication or UCSD-PROTECTED WiFi while on campus.
- Device compliance checks for both University-owned and Personal Devices that wish to access trusted campus resources.
What Are Trusted Campus Resources?
Any IT resource (system, database, equipment, etc.) that cannot be reached from off campus without first connecting to the VPN is considered a trusted resource.
Trusted campus resources include any systems or services beyond public websites, such as:
- File Sharing Services (NFS/SMB Campus Servers)
- Data Repositories
- Remote Desktop and Visualization
Phase 2: Wired Network Access Control
Following the successful implementation of wireless and VPN controls, Wired Ethernet Network Access Control will be introduced for:
- Labs
- Data Centers
- Office Spaces
This phase will be managed based on physical locations and unit readiness, with faculty and researchers playing a key role in tracking and verifying device compliance and requesting exceptions where appropriate.
Requirements for Exempted Systems
All exempt systems must implement mitigation strategies that include, at a minimum, the following:
- Use private VLANs/IP spaces and firewalls (when applicable).
- Implement alternative protections (e.g., segmentation, logging, restricted access).
- Be manually monitored for threats.
- Undergo annual review for continued exemption.
Next Steps for Users:
- Prepare your devices for Intune enrollment by updating them to the latest available OS version.
- Ensure the Cisco VPN client is installed and configured.
- Look out for communication from SPS-IT with further instructions and support.
How Intune MDM Will Be Used
Intune MDM will be used to:
- Install and configure a university-issued certificate that uniquely identifies the device and registers it in the university's Configuration Management Database (CMDB), which is used to track which machines are accessing the network and who is logged into them at any given time.
- Install and update university-required security software (Qualys Vulnerability Management and Trellix Endpoint Detection and Response (EDR)).
- Help your device meet the minimum requirements for accessing trusted resources.
Intune MDM will not be used to:
- Access your personal applications, messages, emails, or call history.
- Read or collect your personal files, photos, or browsing history.
- Track your real-time location or collect GPS data.
- View, modify, or delete personal apps on your device.
- Monitor personal activity, keystrokes, or phone calls.
- Perform a full device wipe on personally owned (BYOD) devices.
Intune Enrollment Lifecycle
One can enroll and unenroll from Microsoft Intune at will, directly from the device (assuming the user has appropriate permissions on the device):
Removal Instructions: https://support.ucsd.edu/services?id=kb_article_view&sysparm_article=KB0035675
Once the device has been unenrolled from Intune, the certificate and associated configuration will be automatically removed. ITS is currently exploring settings that will allow them to also automate the removal of Trellix and Qualys. ITS has confirmed that both pieces of software can be manually removed once the device has been unenrolled from Intune.
Privacy Protections (Electronic Communications Policy, ECP 135.5)
- Consent Requirement: The university generally requires the advance written or oral consent of a holder before examining or disclosing electronic communications records. If multiple holders exist, consent from any one holder suffices.
- Holder Definition: A "holder" is defined as an electronic communications user who, at a given time, possesses or receives a particular electronic communications record, regardless of whether they are the original creator or a recipient.
- Notification: In cases of non-consensual access, the authorizing official or designee must notify the holder of the electronic communications records about the actions taken and the reasons for such actions at the earliest appropriate opportunity.
Access Without Consent: The university may access electronic communications records without the holder's consent under specific circumstances:
- When required by and consistent with law.
- In compelling circumstances, such as situations posing significant risk.
- Under time-sensitive, critical operational circumstances.
- When there is substantiated reason to believe that violations of law or university policies have occurred.
- Emergency Circumstances: In emergencies, the university may access records without prior authorization, provided the action is the least perusal necessary to resolve the emergency. Subsequent ratification from the authorizing official is required without delay.
- Internal Audit Access: The university's Internal Audit department may examine electronic communications records in accordance with the UC Internal Audit Charter, except where prohibited by law.
Questions or Requests
Contact SPS-IT at: sps-it@ucsd.edu
Download the SPS-IT Security Policy
SPS Secure Connect Local Implementation Policy: [download]
Need Help? sps-it@ucsd.edu
Want to stop by for in-person support?: Mayer Hall 3405
(Same day appointments M-F 8:00-3:00PM)