IT Open Meeting November 2023 | Your questions answered | For Staff

20 November 2023

IT Open Meeting November 2023 | Your questions answered

The IT Executive Team answered questions put to them by staff from across the University.

View the recording of the meeting (you may need to login with your University username and password if you are not already logged into Microsoft 365).

The questions are divided into the following sections:

Identity and Access Management
Computer equipment
Wireless network
M/N drive migration
Other questions

Identity and Access Management

What has happened to the Delinea trial (using temp elevated privileges)? Are there any plans to make it simpler for researchers to install custom software?

We want to ensure that people have the access they need, when they need it, without putting the University at risk by providing administrative privileges all the time. The Delinea software allows researchers and others to have “just in time” access to temporary administrative privileges to access and download software. This means you do not have administrative privileges all the time, but only when you need them. This allows the University to manage privileges securely, as they are a prime target for hackers. The Delinia Privileged Access Management solution has been in pilot for the last year to test the product and gather information about how it would be used. The Identity and Access Management (IDAM) project has given us the underlying information we need to roll Delinia out, and we intend to restart the project soon to roll it out across the University.

As we are rolling out Delinea we are also increasing the size of our client software team so that we can add research software to the areas we support, and ensure it is updated and patched as required.

It is really important that anyone who is installing any software goes through our Contract Information for Software Compliance (CISC) process. It's an information security checklist, and although it may seem a little bit difficult to complete, it allows us to ensure that we've got the right software, that it can be supported and that we're legally allowed to use it. Additionally, it ensures that if there are any issues, for example if we hear that an urgent security update is required, we can come directly to you.

If you have had access to the Delinea pilot, you should still be able to continue using it, so if you are having problems with it, please raise a ticket with the IT Service Desk through the IT website. . If we are not able to resolve your issues until the project is re-established, we can offer alternatives in line with the existing established processes.

When will IDAM be working correctly and what is the interim measure for new username requests?

The Identity and Access Management (IDAM) project is there to make sure that only authorised people have access to University systems and data, and that the right people have access at the right time. Implementing an automated IDAM solution in our environment is one of the most complex projects in our Digital Enablement and BeSafe Programme.

We’re resolving complex issues with how we’ve historically managed digital identity and access to University systems and data. This is fundamental to our digital strategy and to reduce cyber security and regulatory risk.

Staff accounts are now being created automatically as soon as a record is created in SAP, which should be done in 10 days, and the following day an IT account is automatically created in the IT systems. This is a significant step forward for the University. An all staff email explaining the new process was sent out on 3 November 2023.

There are a small number of issues impacting the accounts of re-joiners and those changing identity attributes. We are working to have a permanent fix in place as a priority, but in the meantime, we do have manual processes in place.

The automated processes for new students and student leavers, and staff leavers, are expected to be in place by the end of the year. We won’t roll these out if we aren’t ready to do so and have a “Gold Group” of colleagues from outside IT in place helping us to manage risk.

A small subset of accounts - those in LUU (Leeds University Union), Yorkshire Universities, ARC (Advance Research Computing), University administrative accounts, and PICANet (Paediatric Intensive Care Audit Network) - are still set up using the username application form.

If you have, or are aware of, a specific problem that you’d like to discuss further with our team, please contact the team at idam-project@leeds.ac.uk.

What are the timescales for creating a new username?

There is more information on the IT website, but the SAP record should be created by the HR team in 10 working days, then their IT account is generated automatically within one further working day. However, the new starter does not receive their username until one day before they start. So they will not have access to University systems until then, but you can order equipment etc for them before that.

As soon as their IT account has been created, you will be able to see their username – the easiest way is just to type their name into Teams. You will be able to send emails and meeting invites to them, but they will not see them until the day before they start.

Computer equipment

Previous guidance says it is possible (although not recommended) that you can order kit on behalf of an individual and change the owner once the username is created - it seems that this will now be the rule rather than the exception. Is there any way to avoid this, taking into account the current lead times for the delivery of laptops?

The current lead times for delivery of standard laptops is now two to three days. We advise you should put in a request for standard equipment two weeks before the new starter starts to ensure that their equipment is ready for their first day. For non-standard equipment, lead times can vary widely depending on requirements. In rare cases, ultra-bespoke equipment can take months to specify, order, configure and deliver; this can be very dependent on manufacturer stock levels. Non-standard equipment can still be ordered prior to the start date though.

You can put your request for equipment in as soon as you know the new person will be starting, and we can change the owner once they arrive. There is information on the IT website on how to order equipment.

Can new laptops be shipped to an office on campus?

Normally we only deliver to off-campus addresses, and people should collect equipment on campus, or arrange for someone else to collect it for them. However, if there is a specific issue, such as accessibility, why the equipment needs to be delivered on campus, please put that in the original request and we will prioritise that.

The reason we cannot normally deliver on campus is simply due to capacity within our teams. However, we do have a lot of recruitment going on at the moment and we will be able to start prioritizing more of this work in future. We may also be able to arrange delivery to the faculty or school reception.

Currently, the best way to keep this tracked is to put in a separate request for delivery and set up, but the client team is very busy and there will be a delay. Please include any accessibility issues or other special requirements so these can be prioritised appropriately.

As our recruitment continues and we set up faculty squads we will be able to work with a member of your faculty who is responsible for prioritisation, and they will be able to help move things to the top of the queue.

We are also looking to set up a new service where equipment is delivered straight from the manufacturer. This is in the very early stages, and we hope to have a pilot running by summer 2024 and roll the service out during the next academic year.

When a laptop is returned by a leaver does it need reimaging or is there something less time consuming we can do?

At present we are asking for the device to be re-issued via IT so that we can be sure that we are processing it correctly, updating the inventory and ensuring the laptop is issued in a secure, working state, compliant with our policies. The time taken for a "reimage" request is a result of the wider backlog of requests, not the time it takes to make the individual device ready for the next recipient.

We recognise that you may have received conflicting information in the past, so have ensured the IT Service Desk are aware of this so you don’t continue to receive conflicting messages.

We will be working on new processes that enable the remote re-issue of a Windows 11 device without it having to physically return to IT. This will be live next year.

There is more information on the IT website about returning laptops, and we will be updating this as the process is updated.

Wireless network

We have had issues using the wireless network, having to manually reconnect several times a day both on campus (in the Worsley building) and at home. We have also had syncing issues with OneDrive. What steps are the IT executive leadership team taking to make sure systems operate effectively and limit these issues?

If this is happening at home as well as on campus, then it sounds like you have a fault with your laptop. If you haven’t already done so, please log a ticket with the IT Service Desk.

When Worsley was reconfigured for hybrid working, we ensured every desk had a dock, monitor and network cable attached to the dock. The majority of the campus (most buildings up until 4 years ago) was designed to have Wi-Fi for student use, but the offices do not always have full coverage as we did not have the funding for this level of coverage, and most people used the wired network. We are working with faculties to achieve a better Wi-Fi service for staff, funding permitting.

We have a trial in the Helix space in EC stoner looking at the next generation of Wi-Fi, which will be much quicker. Part of this work is to forecast costs for a campus refresh to deliver a better Wi-Fi service across campus. Please help support us to obtain funding to improve Wi-Fi by sharing your feedback.

If there is a specific area where you can’t use a network cable, or want to work in a hybrid style, then we can get a quote for additional wireless access points. It should be noted that the access points in Worsley are no longer on sale, and we can’t mix and match them, so we’d need to upgrade another area and then use the recovered access points in Worsley. Please log a ticket and make your BRM/Faculty business manager aware.

We are also working on a design for a corporate Wi-Fi, which is different to eduroam, and will automatically give staff access without needing a username and password or joining the VPN. If you are logged into your University device it will automatically get wireless network access through this secure corporate Wi-Fi network. This will provide a better service to staff – for example you would no longer need to use Windows Virtual desktop to access SAP. It is being designed now, we will do some pilots early in the year, and then hopefully by Easter 2024 we should be able to roll that out to everybody.

More generally, we will be providing faculty aligned support squads, called customer squads. We are piloting these in the Business School, and this pilot has just started. We will have more information about this later in November. These squads will do things like checking IT clusters and faculty clusters and similar work in phase one. When we have recruited more staff (by April 2024) they will also work on small changes, as prioritised with the Faculty Operations Directors (FODs) and business managers. Then by August 2024 the squads should also be supporting research better, with specific research support roles.

These customer squads are not a replacement for the IT Service Desk. They will help to build relationships within a faculty and be more visible.

M/N drive migration

Is there an update on when the M and N drives are being shutdown, and where we should store data, particularly research data which cannot be put in cloud services such as SharePoint?

The project is being reviewed, and we are going to maintain the M and N drives for now. The reason for this is that we have consulted with people across the University and, although the majority of information could be moved, there is some which could not be moved or would result in changes to processes. We recognise staff in faculties and services are very busy and may not be able to allocate the resources to support a large migration. Consequently, we have devised a new proposal that will safeguard the data by moving it to newer infrastructure. The data that has been moved will still be accessed as the M and N drives and the migration will be transparent to users.

Running alongside this there will be a review of how data is handled across the University. That should allow any new options to be phased in over a longer period and with greater levels of support.

As the M and N drives run on old technology, we advise using OneDrive (for files you would previously have saved on your M drive) or SharePoint where possible. To move us off the M and N drives over time, you will see quotas introduced. If you have a business need for an increased quota, you will need to put a request in to the IT Service Desk.

We have had some queries about whether cloud services are secure. In fact, OneDrive and SharePoint are very secure when used correctly, probably more so that M and N drives, and even when you have OneDrive/SharePoint information synced to your own device it is still encrypted.

We will also be providing additional education and guidance on using SharePoint and OneDrive and where you should store different types of data (in conjunction with the Secretariat).

For research storage, we have specific research storage available. This is chargeable, but provided at cost, and currently we have 10 petabytes available. We are also working as part of the Research IT project to look at what future research storage will look like. Work on the tender to purchase this is happening now, and we are expecting it to be available in 2024.

For Staff