HMS Endpoint Program FAQs
The HMS Endpoint Services Program helps HMS IT create a holistic view of the entire HMS computing environment, ensure the highest levels of information security, reduce the impact of planned and unplanned outages, and identify and implement new services to the HMS community faster.
HMS has chosen 3 separate applications for use on Harvard-owned computers. Each application is geared towards a specific platform and need. We selected solutions that are recognized as best in class and widely adopted across many sectors, in order to get the best possible results for our community.
- For Windows computers, we have chosen LANDesk. LANDesk provides a full suite of tools and applications designed to enhance the desktop support process.
- For Macintosh computers, we have chosen Casper by Jamf Software. Casper provides a full suite of tools and applications designed to enhance the desktop support process.
- For certain “specific use” computers running Windows XP, we have chosen Bit 9. Bit 9 is being targeted specifically to Windows XP computers that perform functions in research areas and cannot be easily replaced.
A “specific use” computer is a computer used in a particular capacity, such as one that is connected to an instrument or serves a very unique purpose.
Enrollment in the program requires the installation of a Self Service Application.
The Self Service application is comprised of two main components:
- A “helper” application, responsible for making the connection to the server.
- The “Self Service” application. This allows a computer user or CSR to sign in and perform installations of software from a portal on the computer.
- The helper application is a non-intrusive application that is installed on the computer. The helper application runs periodically on a scheduled basis, usually about once per day. The rest of the time the agent is sleeping, unless initiated during a remote session or by the self-service portal. When it is not running it uses little to no computing resources. There is no performance impact while the agent is sleeping.
- The helper application runs in the background and communicates with the management server to send certain information back to the server. The information is sent in an encrypted format.
- The helper application allows the management server to do the following:
- Receive information about the current OS version.
- Receive information about the current OS patch status.
- Receive information about the installed applications and version.
- Receive information about the installed hardware and current status (i.e., hard drive full, disk errors, memory page errors, total RAM, hard drive capacity, etc.)
- Receive BIOS information about the computer, such as serial number, IP address, MAC address. BIOS passwords are NOT captured.
- Push approved OS patches to the target computer(s) as needed.
- Push approved application updates to the target computer(s) as needed.
- Apply approved configurations to the target computer(s) as needed, such as Wi-Fi configurations, Wi-Fi certificates, email server configurations, printer configuration files, etc.
- Apply policy configurations to target computer(s) as needed, such as blocking certain OS or application patches, blocking known malware or spyware applications, enforcing encryption policies, etc.
Information is sent to the server approximately once every 24 hours. Information is only sent while the computer is online. The information is sent in a secure encrypted format. The data that is sent contains only information about the hardware and software configuration. No personal data of any kind is ever collected or sent to the server.
From time to time, we will push applications, application patches, OS patches, configurations or policies to the computer. We will make every effort to notify you prior to doing so; however, some circumstances may require us to push certain critical updates prior to fully notifying you of the update.
We have not established a regular schedule for deploying software updates that are not critical; however, we can push updates upon request, and can configure computers to install updates provided by the manufacturers.
The Self Service application is a tool that can be used by you to self-install software provided by HMS. From this single interface, you will be able to select certain applications to install on your computer, and may be able to access certain other IT support resources. Your Client Services Representative can also use this helper application to install software on your computer when they visit.
Initially, the list of available software will be limited to currently supported applications for which there is normally no charge to you. This may include Microsoft Office, MATLAB, LaserGene, Firefox, and Adobe Reader.
We may also make available pre-configured printer packages that will allow you to self-install and configure the printer or printers located in your areas.
Eventually, as the self service interface matures, we expect to be able to offer additional applications that have a license fee associated with them, such as Adobe Acrobat, Creative Suite, and FileMaker Pro, as well as others.
Windows: Start -> Programs -> LANDesk Management -> Portal Manager.
The first time you launch the self service application, it may take a few minutes for all available applications to appear. You can also click the Refresh button to load the portal faster.
Macintosh: Macintosh HD -> Applications -> HMS Self Service
The first time you launch the self service application, it may take a few minutes for all available applications to appear.
HMS IT carefully selected endpoint management tools with performance impact as a key factor. The applications that are installed on the computer are very small and take up very little processing power when running. The helper application runs only once per day, and only runs for a few minutes. The Self Service application only runs when initiated by you.
BYOD Mobile devices such as smart phones, smart watches, and tablets are not being managed at this time. Mobile devices purchased with Harvard funds may be subject to management at a future date.
All HMS Faculty and Staff are eligible to receive Endpoint services.
Students working in a lab or office, as an HMS or HSDM staff member, are eligible. Students not working in an official capacity for HMS/HSDM are NOT eligible for endpoint services.
In most cases the necessary software will be pre-installed on your computer. If not, you can self-install the software or your Client Services Representative can install it.
In some cases, students may need to have their PI or department administrator specifically request access to these services.
Any computer in use by faculty, staff, postdocs or students that has a reasonable expectation of support by the HMS IT Client Services Group, including, but not limited to:
- On Quad computers used for daily HMS related work
- Off Quad Work computers used primarily for HMS related work.
- HMS owned & supported computers connected to instruments.
- Computers purchased through the HMS TechRefresh Program will have the software installed by default.
- Any computer that has Harvard University or Harvard Medical School Site licensed or volume licensed software installed on it.
- Certain software licensing agreements that HMS or Harvard University participate in may require management tools to be installed on the computer as long as the licensed software is installed.
- Computers that are not supported by HMS IT are not eligible.
- Students NOT working in an HMS lab or office position.
- Home computers (See next section for a definition of Home computer).
- Instrument computers that are fully supported by a vendor. (Little if any support effort on the part of HMS).
- Computers too old to run the self service software.
- Computers that are taken to a non-HMS supported facility (i.e., hospital) and/or have no measurable support effort are considered unsupported by HMS IT for the purposes of endpoint management tools.
- Some computers that are used by clients with multiple appointments may have to abide by rules implemented by other affiliates. In these cases, the device is exempted from HMS management.
- A “Home” computer is defined as either:
- A computer purchased with personal funds used at home primarily for non-HMS related activities. There is no expectation of support by HMS.
- Even if some HMS related work is performed, if the computer was purchased and used primarily for home use, HMS does not consider it a supported computer. Home computers are not eligible for HMS licensed software such as Microsoft Windows or Microsoft Office.
- A computer retired by HMS and given to staff, faculty or researchers and used at home. There is no expectation of support by HMS.
- HMS considers all retired computers to be no longer supported. They do not qualify for HMS licensed software and are not eligible for endpoint management.
- An “Off Quad Work” computer is defined as:
- A computer specifically purchased for use in a location other than the worker’s primary HMS office. Typically this means a computer taken home, but may also mean a computer taken to another office location. It is assumed that a reasonable level of support has been extended in some manner to this device, and it is treated by HMS IT as a supported device.
- Off Quad Work computers taken to an off quad office location may also be subject to the IT policies of the institution where the office is located. Those policies may take precedence over HMS policies.
HMS IT specifically implemented software that is unable to perform tasks such as monitoring what actions or work is performed on a computer. Specifically, these tools cannot:
- Collect any personally identifiable information.
- Collect information about what data files you currently have open or have opened in the past.
- Collect information about what is in your home folder.
- “Scan” or “troll” through your computer.
- Create a list of the files or documents on your computer.
- We can see a list of applications, and we can report on how long a specific application has been running in the foreground in total hours and minutes.
- View what files an application has accessed or the history of any files that may have been opened. This includes any kind of email or web browser history.
- Report on how long any one session lasted with any given application, or what you were doing within the application.
- View any kind of browser history, browser cache files, browser downloads, etc.
- We can report on how long a specific web browser has been running in the foreground in total hours and minutes. We cannot report on how long any one session lasted with any given browser, nor can we determine what websites were visited or how much time was spent on any given website.
- Log or watch “keystrokes”.
- Determine what activities were performed during the time the user was logged in.
Read about HMS IT's Commitment to Data Privacy.
Harvard University policy and Massachusetts state law require all mobile devices, including laptops, smartphones and tablet devices to be fully encrypted using Whole Disk Encryption (WDE) tools. Desktop computers are not included in this policy.
More information is available here:
Yes! HMS Information Technology is committed to maintaining full security of all data utilized in the day-to-day operations of the School. In the course of utilizing endpoint management, some information is collected and used to enhance our ability to provide services to the HMS Community.
The applications selected by HMS IT to provide this service collect, transmit and store non-personalized information about the computer in a secure database within a secure HMS managed facility.
At no time is your personal information touched or collected.
For more information about how HMS IT handles your private information, please review the HMS IT Privacy Statement.
If you leave HMS with a computer currently being managed, our licensing agreements with software manufacturers require us to remove ALL Harvard licensed software. Harvard-owned software includes any application or suite of applications provided by HMS to you at no charge or any software that was purchased by the lab or department using a Harvard University 33-digit billing code. Any software purchased with your own funds is yours to keep.
You may at any time opt out of the HMS Endpoint Services Program and request the software be removed from the computer by contacting your local Client Services Representative. If you choose to opt out of the HMS Endpoint Services Program, HMS IT remains committed to providing the highest quality of support available. Individual organizational units, such as administrative departments with high-risk roles (e.g. Finance, Admissions, Payroll, Registrar, HR) will choose to require participation in the program for their staff to ensure proper protection of their computer systems.
If you do opt out, some new and improved service offerings may not be available to you, as they will require HMS Endpoint services to be installed on your computer. Certain software applications may require participation in the program in order to be compliant with the licensing agreements or state or federal law.
The HMS Endpoint Service Program is an opt-out computer systems management service. If you choose to opt out of the HMS Endpoint Services Program, HMS IT remains committed to providing the highest quality of support available. However, some new and improved service offerings may depend on HMS Endpoint services being installed on your computer. Certain software applications may require participation in the program in order to be compliant with the licensing agreements or state or federal law.