
Compliance and Conditional Access at West Point

How to check if your Device is Compliant

Definitions:

Conditional Access is a tool that allows us to protect systems and data by ensuring certain conditions are met before USMA allows a user or device to connect to the West Point Research and Education Network (WREN). Conditions may include who the user is, where the user is connecting from, which resource the user is connecting to, the application being used to connect, the state of the machine being used, and many others. Conditional Access policies evaluate the state of the user, the device, and the service to determine whether the system will permit access.

Compliance is a tool that allows us to ensure that devices connecting to USMA data meet a security standard. Compliance policies check the operating system, operating system version, anti-virus status, password complexity, and a number of other device configuration parameters.

Multi-Factor Authentication (MFA) is a means of ensuring that a user is who they claim to be. It requires the user to know their username and password (something you know) and to possess their phone or another supported identification factor (something you have). In some cases, we can enable biometrics as an additional factor (something you are).

Applying Compliance and Conditional Access:

We have configured our compliance policies to permit a 7-day grace period. Users with non-compliant devices will receive 4 emails during that grace period notifying them that their device is non-compliant and directing them to the Company Portal application to see which issues they need to resolve. Devices that the system labels non-compliant and that are past their grace period will be unable to sign in to USMA O365 resources using a thick-client application (Outlook, Teams, OneNote, OneDrive, etc.). At the end of this plan, USMA will not permit non-compliant devices to connect to the WREN VPN or WREN Wireless networks. USMA CIO/G6 will provide a means for computers that must use WREN Wireless to become compliant. Non-compliant Windows or MacOS devices may still connect to USMA O365 resources through a browser. Devices on which Company Portal cannot be installed will automatically be marked as non-compliant.

To get to an end-state where compliance and conditional access are enforced and fully protecting USMA data, CIO/G6 will use the following timeline:

Already Complete 

Compliance for mobile (iOS and Android) is configured and being enforced (device must be enrolled in Company Portal and compliant with requirements).

20 May – The compliance policy for Windows and MacOS devices will expand to include password complexity and to require Windows 10 version 1809 or newer, or MacOS version 10.15 or newer. A new grace period, with the email warnings described above, will begin for devices that do not meet these standards. The minimum iOS version will increase to 13.4.1.

25 May – Devices not enrolled in Company Portal will not be permitted to connect to WREN VPN.

1 Jun – Devices not enrolled in Company Portal will not be permitted to connect to WREN Wireless.

3 June – The compliance policy for Windows will be increased to include mandatory enrollment in Defender ATP.

17 June – Windows devices will require Firewall and Anti-virus turned on; MacOS devices will require that the Firewall is turned on.

24 June – Windows devices will require Anti-Spyware and Defender be turned on and Security Intelligence be up to date. MacOS devices will require System Integrity Protection be enabled. The minimum iOS version will increase to 13.5.1.

Coming Soon

1 July – Windows devices will require Real-time Protection be enabled and a minimum Defender version of 4.18.2005.5.

8 July – Windows devices will require BitLocker and TPM be enabled. MacOS devices will require Data Encryption be enabled. Android devices will require Data Encryption be enabled.

TBD – Non-compliant devices will not be permitted to connect to WREN Wired.
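Before the Company Portal evaluation runs, it helps to know which of the Windows requirements in the timeline above a machine already fails. The script below is an added example written for this page, not CIO/G6 tooling, and the Company Portal app remains the authoritative compliance result. It assumes the Defender ATP onboarding registry key and a one-day "up to date" window for security intelligence; the function name is made up for the example.

```powershell
# Added example, not CIO/G6 tooling: local pre-check of a Windows 10 device
# against the Windows requirements listed in the timeline above. Run from an
# elevated prompt, because Get-Tpm and Get-BitLockerVolume need administrator rights.
# The Defender ATP onboarding registry key and the one-day signature-age
# threshold are assumptions, not values taken from the page.

function Test-WrenWindowsCompliance {
    [CmdletBinding()]
    param(
        [int]     $MinBuild            = 17763,          # Windows 10 version 1809
        [version] $MinDefenderVersion  = '4.18.2005.5',  # from the 1 July milestone
        [int]     $MaxSignatureAgeDays = 1               # assumed "up to date" window
    )

    $results = [System.Collections.Generic.List[object]]::new()
    $add = {
        param([string]$Check, [bool]$Pass, [string]$Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Windows 10 version 1809 corresponds to build 17763.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    & $add 'Windows 10 >= 1809' ($build -ge $MinBuild) "build $build"

    # Defender ATP enrollment: Sense service running and onboarding state recorded (assumed key).
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $atpKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state  = (Get-ItemProperty -Path $atpKey -ErrorAction SilentlyContinue).OnboardingState
    & $add 'Defender ATP enrolled' (($sense.Status -eq 'Running') -and ($state -eq 1)) "Sense=$($sense.Status) OnboardingState=$state"

    # Firewall must be on for the Domain, Private and Public profiles.
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object Name
    & $add 'Firewall on (all profiles)' (-not $off) ('off: ' + ($off -join ', '))

    # Defender status covers AV, anti-spyware, real-time protection, signatures and version.
    $mp = Get-MpComputerStatus
    & $add 'Anti-virus enabled'            $mp.AntivirusEnabled          ''
    & $add 'Anti-spyware enabled'          $mp.AntispywareEnabled        ''
    & $add 'Defender service enabled'      $mp.AMServiceEnabled          ''
    & $add 'Real-time protection enabled'  $mp.RealTimeProtectionEnabled ''
    & $add 'Security intelligence current' ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) "signature age $($mp.AntivirusSignatureAge) day(s)"
    & $add "Defender >= $MinDefenderVersion" ([version]$mp.AMProductVersion -ge $MinDefenderVersion) $mp.AMProductVersion

    # TPM present and ready, BitLocker protecting the system drive (8 July milestone).
    $tpm = Get-Tpm
    & $add 'TPM present and ready' ($tpm.TpmPresent -and $tpm.TpmReady) ''
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    & $add 'BitLocker on system drive' ($vol.ProtectionStatus -eq 'On') "$($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"

    $results | Format-Table -AutoSize | Out-Host
    $failed = @($results | Where-Object { -not $_.Pass })
    if ($failed.Count) { Write-Warning ('Would be non-compliant: ' + ($failed.Check -join '; ')) }
    return ($failed.Count -eq 0)
}

Test-WrenWindowsCompliance
```

Each row of the table maps to one milestone in the timeline, so a failing row tells you which dated requirement the device misses. Intune evaluates these settings on its own schedule and with its own thresholds, so a passing run here means "nothing obvious to fix", not "compliant".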

Current Conditional Access Policies

  1. Require MFA for Admins: Requires any user who holds a USMA administrative role (not cadets or faculty who are merely local administrators on their own computer) to use Multi-Factor Authentication whenever they log in to a westpoint.edu service.
  2. Restrict Admins to WREN IP space: Requires any user with a USMA administrative role to be inside the WREN IP space (wired, wireless, or VPN) to conduct administrative duties.
  3. Enforce MFA for Medium Risk Users: If a user's online behavior (device, location, activities) raises their Microsoft-assessed behavioral risk level to medium, Multi-Factor Authentication will be required.
  4. Block High Risk Users: If a user's online behavior (device, location, activities) raises their Microsoft-assessed behavioral risk level to high, they will be blocked from accessing westpoint.edu services until the cyber team can investigate and resolve the risk.
  5. Block Legacy Services (POP, IMAP, ActiveSync): USMA does not authorize or support services that do not support modern authentication within westpoint.edu, except by exception.
  6. Enforce iOS/Android Compliance: Ensures that a user's mobile device meets the minimum compliance standards.
  7. Enforce Mac Compliance: Ensures that a user's MacOS device meets the minimum compliance standards.
  8. Enforce Windows Compliance: Ensures that a user's Windows 10 device meets the minimum compliance standards.
  9. Permit Browsers to Connect from Outside WREN: When a user is outside the WREN IP space, permit them to connect to O365 services through a browser. This policy lets users on borrowed computers, or on computers that cannot meet the compliance policies (DoD, Linux, etc.), connect through a browser.
  10. Require MFA for non-US or anonymous locations: Users connecting from non-US or anonymous IP addresses will be required to use Multi-Factor Authentication every time they connect. USMA relies on geolocation data provided by Microsoft to determine whether an IP address is anonymous or outside the 50 US states and various territories.
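Policy 5 above is the one most often misconfigured elsewhere, because legacy protocols are not a single client type. The following is an added example written for this page, not an export of USMA's tenant, showing that policy expressed for the Microsoft Graph PowerShell SDK. The display name, an exception group called 'Legacy Auth Exceptions' for the "by exception" cases the text mentions, and starting in report-only mode are all assumptions.

```powershell
# Added example, not an export from USMA's tenant: Conditional Access policy 5
# (block legacy authentication clients) for the Microsoft Graph PowerShell SDK.
# Assumptions: the display name, the exception group name, and the report-only
# start state. Requires the Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Groups modules and an account permitted to write CA policies.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'

# Resolve the assumed exception group; stop rather than create a policy with no exclusions.
$exceptions = Get-MgGroup -Filter "displayName eq 'Legacy Auth Exceptions'"
if (-not $exceptions) { throw 'Exception group not found; create it first or drop the exclusion.' }

$policy = @{
    displayName   = 'Block Legacy Services (POP, IMAP, ActiveSync)'
    # Report-only first: the sign-in logs then show who would be blocked before anyone is.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($exceptions.Id)
        }
        applications   = @{ includeApplications = @('All') }
        # 'exchangeActiveSync' is ActiveSync; 'other' is every client that cannot use
        # modern authentication (POP, IMAP, SMTP AUTH, older Office builds).
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results are clean, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

The point of the two client app types is that blocking only ActiveSync leaves POP, IMAP and SMTP AUTH open; those fall under 'other'. Keep the exception group small and reviewed, since every member bypasses the block entirely.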


End-state Compliance Policies

Compliance policies will continue to change over time. Each time an operating system vendor updates their operating system, we will follow by requiring users to keep their devices up to date. Additionally, Microsoft continues to expose more device settings to compliance policies. The list below does not include settings that Microsoft itself requires, such as enabling location services for the Company Portal. For the latest requirements, look at the Company Portal app. At the time of this writing, the end-state (by mid-M 2020) compliance policies are as follows:


Windows 10:

Mac OS:

  • Minimum OS version 10.15.4
  • Require a complex password that is 15 characters or longer
  • Prohibit any of the previous 5 passwords from being reused
  • Require data encryption be enabled
  • Require System Integrity Protection be enabled
  • Require the MacOS firewall be enabled
  • Require the screen to lock after no more than 60 minutes of inactivity

iOS:

  • Minimum OS version 13.4.1
  • Prohibit jailbroken devices
  • Require a password that is 6 characters or longer
  • Require the screen to lock after no more than 5 minutes of inactivity
  • Require a password no more than 5 minutes after the screen locks
  • Prohibit any of the previous 5 passwords from being reused

Android OS:

  • Minimum OS version 7.0
  • Prohibit rooted devices
  • Require Google Play Services be enabled
  • Require threat scanning of apps be enabled
  • Require a complex password that is 6 characters or longer
  • Require a password after no more than 5 minutes of inactivity
  • Prohibit any of the previous 5 passwords from being reused
  • Require data encryption be enabled
  • Prohibit apps from unknown sources
  • Require Company Portal app runtime integrity be enabled