Deutsch Intern
  • 50-jähriges Jubiläum des Rechenzentrums
Information Technology Centre

Operation of private end devices in the university network

Private end devices

In the university network, end devices (with the exception of the university-wide WLAN and the VPN access operated by the IT service center) may only be operated with the knowledge and approval of the locally responsible IT manager. It is irrelevant whether a device was procured via the university or privately. In contrast to the use of end devices procured by the university, privately procured end devices raise additional questions when connecting to the university network, such as responsibilities, business/scientific relevance, maintenance effort, maintaining a secure operating status or logging and analysing traffic data if necessary. For these reasons, many universities generally prohibit the use of private end devices in the internal data network.

However, the reality at the university is that a large number of private end devices are operated in the university network. The reasons for this are

  • The private end device is more powerful than the workstation provided by the university.
  • The private end device makes it possible to have your own workstation in the first place.
  • Private laptops enable mobile working and no laptop is provided for work purposes.
  • The exclusive use of a system for student work may not be guaranteed over longer periods of time.
  • ...

Whether the operation of private end devices is permitted in a subnet of the university network and under what conditions is determined by the local IT manager in consultation with the responsible IT area manager. Before access is granted, the IT manager must explain these boundary conditions to the user and the user must accept them. It makes sense to record the underlying information and consent in writing.

Beyond the above regulations, however, private mobile phones may be used for multi-factor authentication for the use of university IT services.

Before a privately procured end device can be connected to the university network, the network manager needs basic information. This serves as a decision-making aid as to whether (and under what conditions) an end device can be connected to the university network. This necessary information includes

  • The user's contact information
  • The installation location of the end device (with room number and network socket)
  • The type of device and operation (laptop/stationary PC, workstation/server, ...)
  • The MAC addresses of the network interfaces (TP, WLAN)
  • Used operating system (OS)
  • Intended use / expected period of use
  • Who is responsible for maintaining the device as the system manager?
  • IP address/DHCP pool assigned by the network manager
  • Are costs covered by the department/chair?

The "User Regulations for Information Processing Systems of the University of Würzburg", "User Regulations for the University Network of the University of Würzburg" and the "Guidelines for the Operation and Development of WWW-based Information Systems at the University of Würzburg" also apply to privately procured end devices when operating in the university network. The various regulations can be viewed at https://www.rz.uni-wuerzburg.de/infos/benutzungsordnung-und-konzepte/. Additionally local regulations may also apply.

It is the task of the network managers to ensure that users comply with the various rules and regulations.

The user (or the system manager) is responsible for the secure operation of the end device. This includes setting up automatic online updates for the operating system and applications, installing a suitable anti-virus software with regular, prompt updates and, if required, a personal firewall on the end device. The settings made must be checked periodically by the user (or the system manager) in order to detect any errors in these critical areas.

Network services and protocols that are not required for the intended use must be disabled. In particular, ensure that the network is configured correctly (DHCP, no network bridges between different network interfaces).

Access to the device must be protected by suitable measures (e.g. password).

It is the task of the network manager to initially check the basic settings mentioned. To do this, the network manager must be able to access the end device (in the presence of the user). Changes to the basic settings may only be made in consultation with the network manager.

In the event of an error, access authorisation can be revoked by the network manager or IT area manager until the error has been rectified.

It is advisable to document the accepted basic status of the end device in a suitable manner.

The University cannot accept any liability for damage to a privately procured end device or the data on it. It is the responsibility of the user to take appropriate measures (e.g. backups, backup to network drives, locking the room).

Prior to using a private end device, it must be clarified whether it will be used to process particularly sensitive data. When processing personal data, there is an obligation to comply with the applicable data protection regulations. Depending on the necessary level of protection, suitable protective measures must be taken. On a mobile device, for example, this may mean that the data may only be transported in encrypted form or not at all. The data may possibly only be be processed offline or in an isolated network.

The licence terms for software often explicitly distinguish between "home" and "office" use of the software (in addition to a variaty of other variants). In the latter case, a distinction is sometimes made between "commercial" use and use in "research and teaching". Thus, software that is free for private home use may be subject to a fee-based license condition in the context of “office use” on the university network. Similarly, software used on a laptop and licensed for the university network may not be used in a private home environment. It is the user's responsibility to check whether the licenses used cover the desired usage scenarios and, if necessary, to apply for additional licenses through their department.

Costs may be incurred when using the central software offerings of the IT Service Center (software from the web shop). If costs are incurred for software licenses, these are to be borne by the respective department.

If the basis for use ceases to exist, the software installed for use must be uninstalled in accordance with the applicable license terms. Software licenses acquired for business purposes remain the property of the university after use.

Unlicensed software may result in claims for damages from the licensor. The installation of software is sufficient for the licence obligation!

It is the task of the person responsible on site to inform the user about the licensing issue.

In order to connect an end device to the university network, an entry in the IT Service Center's component database (CMDB) is required. From there, entries for registered devices are automatically created in the IT Service Center's central DHCP and DNS servers. To add a device, personal information like contact information, MAC/IP address, ect. are required.

In addition, electronic logging of traffic data may be necessary to ensure proper computer and network operation. In the event of errors, suspected misuse, or security incidents, the IT Service Center staff responsible for administration or the responsible IT area manager must be able to access the user's data after consultation with the data protection officer.

It is the responsibility of the network manager to inform the user of these points. The user must sign a declaration of consent to these requirements.

The example form addresses the points mentioned above. Please note that the sample form represents an initial prototype and is intended to serve as a basis for discussion/source of ideas.