This article explains the requirements for Cyber Essentials and what to do to ensure your university-provided computing devices are compliant. It also includes frequently asked questions.
Cyber Essentials is a government backed scheme overseen by the National Cyber Security Centre (NCSC). It is designed for organisations and companies to demonstrate best practice in cyber security, helping them build resilience against cyber-attacks and protecting sensitive data.
At the University, Cyber Essentials compliance is often necessary to secure research funding and that’s why it is vital we adhere to it.
The scheme outlines five technical control themes:
Compliance with the scheme is achieved by applying security controls in each of these areas. The University currently holds Cyber Essentials certification but every year it will need to be recertified to meet the requirements.
For more details on Cyber Essentials, please refer to the scheme overview.
The Montpelier question set released in April 2023 is the latest specification the University has achieved. As far as we know, there are no immediate plans to drastically change it until 2025 while the IASME Consortium gathers feedback on the CE standard and overall certification process.
We are currently being assessed for Cyber Essentials Plus - this is where auditors scan CE devices to ensure that:
The way CE devices are managed in the university is changing in February 2024. Devices with no Nessus agent installed on them will be reverted to a standard build on the 6th February 2024. Users with devices that do not have the Nessus agent installed will be removed from the Cyber Essentials user group and will not be able to connect to the Secure Research VPN after this date.
To keep your CE access and have the Nessus agent installed on your CE devices, please email infosec@soton.ac.uk with the asset serial numbers or asset tags of the hardware you want to continue to use to conduct CE work.
The process by which new users are onboarded into the secure environment has also changed. Please see “Registering your existing computing device” for more information.
Cyber Essentials compliance is often necessary to secure research funding, so it is essential that the University aligns with the requirements. With this in mind, the Cyber Essentials Compliance Policy is now in place, detailing the scope and requirements going forward.
As part of these requirements, colleagues must only use university provided computing devices which are managed by iSolutions to access the University’s network services (any service used to store or process data).
The devices include any:
Please note that Mac devices are currently not included within the compliance scope.
The whole CE user community will be affected by these changes.
The recertification will only apply to colleagues (and their IT equipment) who are working on research or enterprise contracts where compliance with Cyber Essentials is specified in the contract.
Some settings are controlled by the university. These have been set to ensure that university devices meet the required security settings.
The settings that are managed on university devices include:
If you have not been identified as a Cyber Essentials user, you cannot access the application. In this case, if you try to access the compliance page (or the secure VPN), you will see the following message:
To ensure your device is compliant with Cyber Essentials, you will need to complete the following steps:
---
Onboarding process for users to be granted access to the CE environment:
You will need to install a specific application to register the device and allow iSolutions to manage the compliance.
Please note this process will only work on devices supplied by iSolutions. If you currently use your personal device or a device provided by another service, you will need to order a new device.
1. On the iPhone/iPad home screen, open the App Store.
2. Click on the Search tool, type ‘Intune Company Portal’ and install the app.
3. Open the Intune Company Portal app on your device and when prompted select Sign In.
4. Log into the application using your University username and password. Select Next.
5. The setup wizard will inform you of the notification settings. Select OK.
6. The setup wizard will then instruct you to set up your University of Southampton access. Select Begin.
7. The setup wizard will detail what the University can and cannot access when managing the device. (Further details on what the University can and cannot access are provided under the question "What information does the University have access to once the device is enrolled?"). Select Continue.
8. A small prompt will appear asking you to allow a website to download a configuration profile. Select Allow.
Once the profile has downloaded, another prompt will appear confirming this. Select Close.
9. The next step will be to install the profile you have just downloaded. Follow the next step on the setup wizard and select Continue.
10. As instructed on the setup wizard screen, minimise the application and go to:
Select Management Profile and click Install.
11. You will then be asked to confirm the passcode currently set on the device. Enter the passcode, select Done and click Install.
12. The setup is now complete and your device has been registered. You may receive a prompt asking you to change your passcode. Please update your passcode and ensure it has 6 or more numeric characters.
---
You will need to install a specific application to register the device and allow iSolutions to manage the compliance.
Please note this process will only work on devices supplied by iSolutions. If you currently use your personal device or a device provided by another service, you will need to order a new device.
1. On the Android smartphone/tablet home screen, open Play Store.
2. Click on the Search tool, type ‘Intune Company Portal’ and install the app.
3. Open the Intune Company Portal app on your device and when prompted select Sign In.
4. Log into the application using your University username and password.
Select Next once you have entered your username, then select Sign In once you have submitted your password.
5. The setup wizard will then instruct you to set up your University of Southampton access. Select Begin.
6. The setup wizard will detail what the University can and cannot access when managing the device. (Further details on what the University can and cannot access are provided under the question "What information does the University have access to once the device is enrolled?"). Select Continue.
7. The setup wizard will inform you of the permissions required by iSolutions. This will include:
Please click Next.
8. The Intune Company Portal requires additional controls to help support compliancy, and to ensure the device can be securely erased should it be lost or stolen. It will list what actions are enabled once activated. This includes:
Please click Activate.
The application will begin the process of registering the device. This may take several minutes.
---
If you use a Microsoft Windows laptop or desktop, you may not need to register as iSolutions have already preloaded some devices. You will need to verify this by checking the compliance status of your device.
---
You may not need to do anything as Microsoft Windows devices may already be enrolled and compliant with Cyber Essentials.
You can check whether your device is compliant by opening the Software Center application in the start menu or clicking on the Additional Software icon on your desktop. Select Device compliance.
If your device is not compliant, a pop-up prompt will appear informing you that it does not meet the compliance requirements when trying to access the University resources.
You will need to open the device management portal and complete additional steps.
Select Open.
A pop-up window will appear from the Software Center detailing the device asset number and stating it is non-compliant.
Select Check compliance.
A pop-up window will appear with additional information on why you are not meeting the compliance requirements and what issues need to be fixed.
To fix these issues, you will need to submit a ticket via ServiceLine.
Once these issues have been resolved, your device will be compliant. You can check this by opening the Software Center application in the start menu or clicking on the Additional Software icon on your desktop. Select Device compliance.
---
To check compliance, please enter this URL (https://security-compliance.soton.ac.uk/) into the web browser on the device.
The Security Compliance webpage will appear and inform you whether the device is compliant or is not compliant.
If the device is compliant, you do not need to do anything.
If the device is not compliant, a prompt will appear informing you that it does not meet the compliance requirements. Please submit a ticket via ServiceLine.
---
You will need to order a new computing device if:
Essentials compliance is specified in the contract.
---
1. Turn on the new device and follow the initial setup wizard. Select your preferred language, location and quick start options.
2. Choose the wireless network you wish to connect to. Please select Eduroam if you are based at the University. If you require support connecting your device to Eduroam, please follow the article "How to connect your mobile device to eduroam". Once connected, the device should then activate. This may take a few minutes.
3. Continue the initial setup wizard as instructed on the device. The Data & Privacy screen will appear, please read through and select Continue. There is an option to learn more if you wish to do so.
4. On the Apps & Data screen, please select the option which is relevant to your situation. If this is a brand-new device, please select Don’t Transfer Apps & Data.
5. Select Next on the Remote Management enrolment screen. This is to allow the University to manage the device you will be using, to ensure compliance with the relevant legislation and guidance.
Login now happens at this point; you will be asked to sign in to the device using your university details:
6. Once the device has been configured, you will be asked to set up Touch ID and then to create a passcode. Touch ID is optional, so skip this step if you wish to do so, but a passcode is required for the device.
Please note that you will be required to change your passcode later as part of the compliance process.
7. Sign in with your Apple ID and password. If you do not have one, please select Forgot password or don’t have an Apple ID? and follow the on-screen steps to create one.
8. Please continue the final steps of the initial setup wizard. The steps will include:
9. The Apple setup wizard is now complete. You may receive a prompt asking you to change your passcode. Please update your passcode and ensure it has 6 or more numeric characters.
10. You will see the following message whilst the Intune Company Portal app is being downloaded and installed on your device.
11. It will then automatically open the Intune Company Portal app and ask you to sign in using your University username and password.
Enter your username and select Next.
Enter your password and select Sign In.
12. Once you have logged in, the setup wizard will inform you of the notification settings. Select OK.
13. The Intune setup wizard will then instruct you to set up your University of Southampton access. Select Begin.
14. The setup wizard will then check the device settings, this may take several minutes. It will then go back to the Set up University of Southampton access setup screen, please select Continue.
15. The device is now registered. Click Done.
You will now need to check the device compliance. Please refer to the section "Checking compliance on your computing device".
---
Samsung devices are managed slightly differently to other Android devices. The initial setup procedure and screens will therefore look different, but ultimately all Android devices have the same settings applied and are managed as university devices.
Turn on the new device and trace a ‘plus’ symbol (+) on the screen.
Scan the QR code you received with the new device.
If you receive an error, check with the person who issued you the device that you have the correct QR code. There are different QR codes for Samsung and non Samsung devices.
Follow the initial setup screens to select your preferred language and location.
You will then be asked to agree to the privacy settings. You will need to agree to the ‘End user licence’; you do not need to agree to send diagnostics data to Samsung.
You should then connect to a wireless network. You will need some form of network connectivity to continue. For a device with a SIM card, you can use cellular data. However, please be aware that if you are on a contract with a minimum amount of data, this setup may use your monthly data allowance.
You will receive a warning that your device is protected by Knox Cloud Service. Please select OK to continue past this warning message.
Your device will then update and set up a Work and Personal profile.
Once you get a screen saying ‘Welcome to Chrome’ the setup will proceed as per step 6 in the instructions for non-Samsung devices.
---
1. Turn on the new device and click in the background space 5 times when the welcome screen appears. Please note you may be asked at this stage to select your preferred language, please select as appropriate.
2. When the camera screen opens, scan the QR code you received with the new device.
3. Choose the wireless network you wish to connect to. If you are based at the University, please select Eduroam. If you require support connecting your device to eduroam, please follow the article "How to connect your mobile device to eduroam".
Select Connect.
4. Once connected, the setup wizard will inform you that the device belongs to your organisation (the University), select Next.
5. The setup wizard will then ask you to set up a work profile, select Agree. It will then create a work profile for the device. The University will be able to manage the device through this work profile.
6. The setup wizard will ask you to agree to the Google Terms and Conditions. Please read and agree by selecting Accept & Continue.
7. Once the work profile has been created, a sign-in page will appear. Please enter your University username and select Next.
Please note you may be asked to authenticate your sign-in here as part of the University’s Multi-Factor Authentication process.
8. The screen will then display Your work checklist where you will need to firstly set up a screen lock. Please select Set up and set up a password for the device.
9. Once the screen lock has been activated, you will need to install work apps for the device.
Please select Install to install applications such as Microsoft Authenticator (MFA) and Intune Company Portal, the University management gateway. Additional apps may be included in this process in the future.
10. Once the work apps have been installed, you will need to register your device on the Intune Company Portal app. Please select Set up.
11. The Intune Company Portal app will appear, please select Sign in.
12. As part of the sign in process, the device will ask for your University password. Please enter your password and click Sign in.
13. The app will then ask you to register the device, please select Register.
14. The device is now registered with iSolutions. Please follow the rest of the Android setup wizard at this stage as there will be further options to select (for example, setting up a Google account, device backup options). These options are personal choice and will not affect the Cyber Essentials compliance.
Once this is complete, your device will begin to install any required apps and settings.
You will see several notifications and installations taking place whilst the device completes its setup, so please do not turn off the device for at least 1 hour.
You will now need to check the device compliance. Please refer to Checking compliance on your computing device.
---
To connect your device to the university's Virtual Private Network (VPN), please read the article "How to set up the Virtual Private Network (VPN) via GlobalProtect".
---
Due to the changes with Cyber Essentials, all computing devices you use to access University resources must be checked and managed by iSolutions.
This means that if you are currently using a personal device or a device provided by another service (including laptops, desktops, smartphones and tablets), you will no longer be able to use it to access University resources.
If you require a computing device for business purposes, the University will issue you with one. Please refer to the section "Ordering and setting up a new computing device".
All devices are subject to mobile device management to ensure compliance only; the University cannot monitor what you are doing on the device.
The University has access to:
The University does not have access to:
Useful link: Microsoft – What information can my organisation see when I enroll my device?
The Cyber Essentials standard does not allow individuals to be granted admin rights on day-to-day accounts, so all local admin rights will be removed. If you urgently require admin rights to install software, please contact ServiceLine.
You can use Office 365 to store data as this needs to be covered by Cyber Essentials. All individuals who have access to this data should be covered by Cyber Essentials as well.
Please do not use Dropbox, Google Drive, Box.com, or any other cloud storage devices.
You can still use Research Filestore or the J drive to store any data which also needs to be covered by Cyber Essentials, but everyone else who can access this data should also be covered by this policy.
If you use an iSolutions server or virtual server (VM) to store or process data which needs to be covered by Cyber Essentials, please get in touch with ServiceLine so we can make sure that the server is also in compliance.
Work apps are marked with a briefcase icon so you can distinguish them from personal apps. To access your work apps:
---
If you need technical support, please contact ServiceLine or visit our Tech Hubs.
If you have any questions or concerns, please contact the project team by emailing cyberessentials@soton.ac.uk
---
Cyber Essentials SharePoint Site
National Cyber Security Centre (NCSC) website
Cyber Essentials – Scheme Overview
Cyber Essentials Compliance Policy
Microsoft – What information can my organisation see when I enrol my device?
Android – What is a work profile?