DIT Policy Based Networking
What is Policy-Based Networking?
Policy-Based Networking (PBN), also called Role-Based Access networking, is a way to control access to University resources. Today that access is controlled mainly at the application ("software") level; under the new model, the network itself forwards traffic to a destination only when the policy for that device and user permits it. Enforcing access on the network path is a significantly more secure way of protecting sensitive University resources. It is implemented with a combination of tools such as ClearPass OnGuard, Grouper, Intune/JAMF, and other network controls.
The goal of Policy-Based Networking is to ensure that sensitive University resources are accessed only by appropriate University members, via a secure University-owned device. PBN rules will not apply directly to what DivIT calls a “Data center.”
What will be affected by Policy-Based Networking? What’s changing?
The most notable changes will be the following:
- One computing device per network jack. This requires the removal of all routers and simple (unmanaged) switches. Phones will be unaffected.
- Automatic network assignments on wired and wireless. There is no need to register University-owned devices or request IPs for wired networking in the EIT-supported environment.
- Complete compliance with IT-20 requirements for UMD-owned devices.
- UMD-owned devices MUST be centrally managed (e.g. Intune/JAMF) and run ClearPass OnGuard, or be registered by EIT as a shared device.
- UMD members MUST log in to their UMD-owned devices with their UMD credentials (e.g. via Active Directory or JAMF Connect).
- Local user accounts may no longer be used to log in to UMD-owned devices.
- Personal devices may access the University network, but will not have access to sensitive resources.
What is a “Resource”?
A “resource” is defined by DivIT as any networkable device that isn't a regular computer: printers, audiovisual equipment, temperature sensors, network attached storage (NAS), certain research equipment, and similar devices.
Resources will need to be registered with Engineering IT.
How will I access Resources?
You will need to log in to a campus program called ClearPass OnGuard, which authenticates you to the network and determines your role. You will only need to log in to OnGuard again when you change your UMD passphrase. Based on your role within your department, you will then be able to access resources and services the same way you have in the past: if something required the GlobalProtect VPN before, it will most likely still require the GlobalProtect VPN. Accessing most resources from off campus will always require the GlobalProtect VPN.
What about my personal devices?
Previously, personal devices were only allowed on the wireless network, via Eduroam. Under the new network policies, we are told that any device may be allowed to reach the internet, but unless the device is validated as either (1) University-owned or (2) logged in to by a known UMD user, it will not be able to reach UMD resources over the network.