University of Southampton

iSolutions

Cyber Essentials Compliance

More like this

This article will guide you on the requirements for Cyber Essentials, what to do to ensure your university provided computing devices are compliant and includes frequently asked questions.

Table of Contents

 

Cyber Essentials (CE)

What is Cyber Essentials?

Cyber Essentials is a government backed scheme overseen by the National Cyber Security Centre (NCSC). It is designed for organisations and companies to demonstrate best practice in cyber security, helping them build resilience against cyber-attacks and protecting sensitive data.

At the University, Cyber Essentials compliance is often necessary to secure research funding and that’s why it is vital we adhere to it.

The scheme outlines five technical control themes:

  • firewalls
  • secure configuration
  • user access control
  • malware protection
  • and security update management.

Compliance with the scheme is achieved by applying security controls in each of these areas. The University currently holds Cyber Essentials certification but every year it will need to be recertified to meet the requirements.

For more details on Cyber Essentials, please refer to the scheme overview.

What is changing within Cyber Essentials (CE)?

The Montpelier question set released in April 2023 is the latest specification the University has achieved. A far as we know, there are no immediate plans to drastically change it in until 2025 while the IASME Consortium gather feedback on the CE standard and overall certification process.

We are currently being assessed for Cyber Essentials Plus - this is where auditors scan CE devices to ensure that:

  • We are meeting all of the requirements,
    and
  • The tests conducted will determine with confidence if we are adhering to the standard.

What is changing at the University?

The way CE devices are managed in the university is changing in February 2024. Devices with no Nessus agent installed on them will be reverted to a standard build on the 6th February 2024. Users with devices that do not have the Nessus agent installed will be removed from the Cyber Essentials user group and will not be able to connect to the Secure Research VPN after this date.

To keep your CE access and have the Nessus agent installed on your CE devices, please email infosec@soton.ac.uk with the asset serial numbers or asset tags of the hardware you want to continue to use to conduct CE work.

The process by which new users are onboarded into the secure environment has also changed. Please see “Registering your existing computing device” for more information.

Cyber Essentials compliance is often necessary to secure research funding therefore it is essential the University aligns with the requirements. With this in mind, the Cyber Essentials Compliance Policy is now in place detailing the scope and requirements going forward. 

As part of these requirements, colleagues must only use university provided computing devices which are managed by iSolutions to access the University’s network services (any service used to store or process data).

What is classed as a university provided computing device?

The devices include any:

  • Microsoft Windows laptops and desktops that have been supplied by iSolutions
  • Apple iOS smartphones and iPad tablet devices that have been enrolled by iSolutions
  • Android smartphones and tablet devices that have been enrolled by iSolutions

Please note at this time, Mac devices are currently not included within the compliance scope.

Who will be impacted by these changes?

The whole CE user community will be affected by these changes.

The recertification will only apply to colleagues (and their IT equipment) who are working on research or enterprise contracts where compliance with Cyber Essentials is specified in the contract.

What happens if you have not been identified as a Cyber Essential user

If you have not been identified as a Cyber Essential user, you cannot access the application. In this case, if you try to access the compliance page (or the secure VPN), you will see the following message:

Dialog box that says you do not have assigned access to the application 

I will be impacted, what do I need to do?

To ensure your device is compliant with Cyber Essentials, you will need to complete the following steps: 

  1. Ensure all your university provided computing devices are registered with iSolutions. Please refer to the section Registering your existing computing device for more information.
  2. Check the compliance status on all your computing devices. Please refer to the section Checking compliance on your computing device for more information.
  3. For Windows laptops and desktop users, please be aware of the following changes that will be applied to your device:
    • The Cyber Essentials standard does not allow individuals to be granted admin rights on day-to-day accounts therefore all local admin rights will be removed from your devices. If you urgently require admin rights to install software, please contact ServiceLine.
    • Your device may receive a prompt asking you to run a Windows 10 operating system update. Please complete this update as soon as conveniently possible.
    • From Monday 1 August, you will be required to connect to a secure VPN to access the University’s network services. Please refer to the section "Connecting to a secure VPN on Microsoft Windows devices" for more information.
    • If any additional device requirements are detected, you may be contacted by iSolutions.

---

Back to the top

 

Registering your existing computing device 

Onboarding process for users to be granted access to the CE environment:

  1. User(s) must register for CE access with a ServiceNow ticket for Information Security, including in the description:
    1. include their chosen CE device(s)
    2. if applying as a team, please list all users and their devices
  2. Once approved, users chosen CE devices will have the Nessus vulnerability management agent installed, and the asset is reflected as a CE device in CMDB
  3. After Nessus installed, use your user ID will be added to be added to the relevant security group
  4. Manual remediations (if any required) are carried out on the device
  5. User & device are fully setup to use the Secure-VPN. Please familiarise yourself with the usage policy and this guide to ensure you remain compliant.

I have an Apple iOS smartphone or iPad tablet, what do I need to do?

You will need to install a specific application to register the device and allow iSolutions to manage the compliance. 

Please note this process will only work on devices supplied by iSolutions. If you currently use your personal device or a device provided by another service, you will need to order a new device

1. On the iPhone/iPad home screen, open the App Store.

Example of an iPhone screen with app on the background

2. Click on the Search tool, type ‘Intune Company Portal’ and install the app. 

Intune Company Portal app preview from the Apple Store

3. Open the Intune Company Portal app on your device and when prompted select Sign In.

"Sign in" button

4. Log into the application using your University username and password. Select Next.

Sing in window. On the bottom right, the "Next" button

5. The setup wizard will inform you of the notification settings. Select OK.

Setup wizard informing you that the notification settings is turned on

6. The setup wizard will then instruct you to set up your University of Southampton access. Select Begin.

Window asking to set up your University of Southampton access. On the bottom, the "Begin" button  

7. The setup wizard will detail what the University can and cannot access when managing the device. (Further details on what the University can and cannot access is provided under the question "What information does the University have access to once the device is enrolled?"). Select Continue.

Information window about what the University can and cannot access when managing the device

8. A small prompt will appear asking you to allow a website to download a configuration profile. Select Allow

Window asking to allow a website to download a configuration profile

Once the profile has downloaded, another prompt will appear confirming this. Select Close.

9. The next step will be to install the profile you have just downloaded. Follow the next step on the setup wizard and select Continue.

Windows notifying that s the set u process starts from here. On the bottom, the "Continue" button that allows you to go on

10. As instructed on the setup wizard screen, minimise the application and go to:

  1. Settings
  2. General
  3. VPN & Device Management.

Select Management Profile and click Install.

Instructions about how to install management profile Management profile section "Install" button on the top of the Management Profile section

11. You will then be asked to confirm the passcode currently set on the device. Enter the passcode, select Done and click Install.

Passcode area "install" button that allows you to install the app

12. The setup is now complete and your device has been registered. You may receive a prompt asking you to change your passcode. Please update your passcode and ensure it has 6 or more characters numeric characters.

"Passcode requirement" banner. At the bottom left the "Later" button, on the bottom right the "Change now" button New passcode requested Re-enter your new passcode. At the bottom, the "Set password" button and the "Emergency call" button

---

Back to the top

 

I have an Android smartphone or tablet, what do I need to do?

You will need to install a specific application to register the device and allow iSolutions to manage the compliance. 

Please note this process will only work on devices supplied by iSolutions. If you currently use your personal device or a device provided by another service, you will need to order a new device

1. On the Android smartphone/tablet home screen, open Play Store.

Play Store icon

2. Click on the Search tool, type ‘Intune Company Portal’ and install the app.

Intune Company Portal app on Play Store

3. Open the Intune Company Portal app on your device and when prompted select Sign In.

Sign in button within the company portal

4. Log into the application using your University username and password. 

Select Next once you have entered your username, then select Sign In once you have submitted your password.

Sign-in window Window requesting your password

5. The setup wizard will then instruct you to set up your University of Southampton access. Select Begin.

Access setup window

6. The setup wizard will detail what the University can and cannot access when managing the device. (Further details on what the University can and cannot access is provided under the question question "What information does the University have access to once the device is enrolled?"). Select Continue.

Details of what the University can and cannot access when managing the device.

7. The setup wizard will inform you of the permissions required by iSolutions. This will include:

  1. Allow permission to make and manage phone calls. iSolutions need to register the device’s serial number and a cellular antenna ID to interact with the device to keep it secure. Please note iSolutions and the Intune Company Portal app cannot make phone calls.
  2. Activate Android administrator. Allows iSolutions to apply required settings to the device.
  3. Confirm KNOX privacy notice. If you have a Samsung device, you will need to accept an additional privacy notice.

Please click Next.

Information about the next steps

8. The Intune Company Portal requires additional controls to help support compliancy, and to ensure the device can be securely erased should it be lost or stolen. It will list what actions are enabled once activated. This includes:

  1. Delete all data. Erase the phone’s data without warning by performing a factory data reset.
  2. Change the screen lock.
  3. Set password rules. Control the length and the characters allowed in screen lock passwords and PINs.
  4. Monitor screen unlock attempts. Monitor the number of incorrect passwords typed when unlocking the screen and lock the phone or erase all the phone’s data if too many incorrect passwords are typed.
  5. Lock the screen. Control how and when the screen locks.
  6. Set screen lock password expiry. Change how frequently the screen lock password, PIN or pattern must be changed.
  7. Set storage encryption. Require that stored app data be encrypted.
  8. Disable cameras. Prevent use of all device cameras.
  9. Disable some screen lock features. Prevent use of some screen lock features.

Please click Activate

List of the actions you can activate

The application will begin the process of registering the device. This may take several minutes.

---

Back to the top

 

I have a Microsoft Windows laptop or desktop, do I need to register this?

If you use a Microsoft Windows laptop or desktop, you may not need to register as iSolutions have already preloaded some devices. You will need to verify this by checking the compliance status of your device.

---

Back to the top

 

Checking compliance on your computing device

I have a Microsoft Windows laptop or desktop, what do I need to do?

You may not need to do anything as Microsoft Windows devices may already be enrolled and compliant with Cyber Essentials.

You can check whether your device is compliant by opening the Software Center application in the start menu or clicking on the Additional Software icon on your desktop. Select Device compliance.

Device compliance banner. In this example, the result of the test is positive

If your device is not compliant, a pop-up prompt will appear informing you that it does not meet the compliance requirements when trying to access the University resources. 

You will need to open the device management portal and complete additional steps.

Select Open.

"Get access to this resource" window. Clicking on the "Open" button on the bottom right, you will get access

A pop-up window will appear from the Software Center detailing the device asset number and stating it is non-compliant.

Select Check compliance.

Device compliance banner

A pop-up window will appear with additional information on why you are not meeting the compliance requirements and what issues need to be fixed. 

Device compliance banner. In this example, the result of the test is negative and the software advise on the next actions

To fix these issues, you will need to submit a ticket via ServiceLine.

Once these issues have been resolved, your device will be compliant. You can check this by opening the Software Center application in the start menu or clicking on the Additional Software icon on your desktop. Select Device compliance.

Device compliance banner. In this example, the result of the test is positive

---

Back to the top

 

I have a mobile device (Android, Apple iOS smartphone or iPad), what do I need to do?

To check compliance, please enter this URL (https://security-compliance.soton.ac.uk/) into the web browser on the device.

The Security Compliance webpage will appear and inform you whether the device is compliant or is not compliant.

If the device is compliant, you do not need to do anything.

Webpage informing you that the device is compliant

If the device is not compliant, a prompt will appear informing you that it does not meet the compliance requirements. Please submit a ticket via ServiceLine

Screen informing the device is  not compliant

---

Back to the top

 

Ordering and setting up a new computing device

When will I need to order a new device?

You will need to order a new computing device if:

  • You currently use a personal device or a device provided by another service to access University resources.
  • You have an existing device that was supplied by iSolutions but it needs to be replaced or updated.
  • You are a new starter at the University and will be working directly on a research and enterprise contract where Cyber

Essentials compliance is specified in the contract. 

---

Back to the top

 

How do I order a new device?

  1. Log onto the ServiceNow Portal
  2. Click on Request Something
  3. Under Categories on the left-hand side, select Equipment Requests
  4. Select the relevant request form and submit. You will need to include a SubProject Code, please check this with your Line Manager.

---

Back to the top

 

I’ve received a new iOS iPhone or iPad device, what do I need to do?

1. Turn on the new device and follow the initial setup wizard. Select your preferred language, location and quick start options.

Welcome message Language settings. The device is showing a list of available languages, English is the first Select your Country region section Quick start banner

2. Choose the wireless network you wish to connect to. Please select Eduroam if you are based at the University. If you require support connecting your device to Eduroam, please follow the article "How to connect your mobile device to eduroam". Once connected, the device should then activate, this may take a few minutes.

Screen requesting to select a Wi-Fi network Message saying that it may take a while to activate your iPhone

3. Continue the initial setup wizard as instructed on the device. The Data & Privacy screen will appear, please read through and select Continue. There is an option to learn more if you wish to do so. 

Information about your privacy

4. On the Apps & Data screen, please select the option which is relevant to your situation. If this is a brand-new device, please select Don’t Transfer Apps & Data

Apps & Data screen asking to select the option which is relevant to your situation

5. Select Next on the Remote Management enrolment screen. This is to allow the University to manage the device you will be using, to ensure compliance with the relevant legislation and guidance.

Remote management screen

You will Login is now at this point, then you will be asked to sign into the device using your university details:

  1. Enter your username and select Next
    ""
  2. Enter your password and select Sign In
    ""
  3. You may then be asked to confirm your identity using MFA. 

6. Once the device has configured, you will be asked to setup Touch ID then to create a passcode. Touch ID is optional therefore skip this step if you wish to do so, but a passcode is required for the device.

Configuration message Touch ID screen asking to continue the setup Create a password screen

Please note that you will be required to change your passcode later as part of the compliance process.

7. Sign in with your Apple ID and password. If you do not have one, please select Forgot password or don’t have an Apple ID? and follow the on-screen steps to create one.

8. Please continue the final steps of the initial setup wizard. The steps will include:

  1. Terms and Conditions – please read through and select Agree.
  2. Keep Your iPhone Up to Date – please select Continue.
  3. Location Services – please enable Location Services.
  4. Siri – this is optional, set up if you wish to do so.
  5. Screen Time - this is optional, set up if you wish to do so.

Terms and conditions Screen saying "Keep your iPhone up to date" Location services screen

Siri screen Screen time

9. The Apple setup wizard is now complete. You may receive a prompt asking you to change your passcode. Please update your passcode and ensure it has 6 or more numeric characters. 

Example of an iPhone's screen New passcode requested Re-enter your new passcode. At the bottom, the "Set password" button and the "Emergency call" button

10. You will see the following message whilst the Intune Company Portal app is being downloaded and installed on your device.

Message saying that Guided access app is unavailable

11. It will then automatically open the Intune Company Portal app and ask you to sign in using your University username and password.

Enter your username and select Next.

Enter your password and select Sign In.

Microsoft Intune sign in Enter your password screen

12. Once you have logged in, the setup wizard will inform you of the notification settings. Select OK.

Notification settings

13. The Intune setup wizard will then instruct you to set up your University of Southampton access. Select Begin.  

Setup access

14. The setup wizard will then check the device settings, this may take several minutes. It will then go back to the Set up University of Southampton access setup screen, please select Continue.

Setup screen

15. The device is now registered. Click Done.

Messaged informing you that everything has the process was successful

You will now need to check the device compliance. Please refer to the section "Checking compliance on your computing device".

---

Back to the top

 

I have received a new Android or tablet device, what do I need to do?

If you have received a Samsung device (Both mobile and tablets)

Samsung devices are managed slightly differently to other Android devices. The initial setup procedure and screens will therefore look different, but ultimately all Android devices have the same settings applied and are managed as university devices. 

Turn on the new device and trace a ‘plus’ symbol (+) on the screen.

Scan the QR code you received with the new device. 

If you receive an error, check with the person who issued you the device that you have the correct QR code. There are different QR codes for Samsung and non Samsung devices. 

Follow the initial setup screens to select your preferred language and location. 

You will then be asked to agree to the privacy setting, you will need to the ‘End user licence’, you do not need to agree to send diagnostics data to Samsung

You should then connect to a wireless network. You will need some form of network connectivity to continue. For a device with a Sim card, you can use cellular data. However please be aware that if you are on a contract with a minimum amount of data, this setup may use your monthly data allowance.
 
You will receive a warning that your device is protected by Knox Cloud Service, please select OK to continue past this warning message. 

Your device will then update and setup a Work and Personal profile. 

Once you get a screen saying ‘Welcome to Chrome’ the setup will proceed as per step 6 in the instructions for non-Samsung devices.

---

Back to the top

 

If you have received a non-Samsung device

1. Turn on the new device and click in the background space 5 times when the welcome screen appears. Please note you may be asked at this stage to select your preferred language, please select as appropriate. 

Tap 5 times on the welcome screen

2. When the camera screen opens, scan the QR code you received with the new device.

Example of a black square  in place of a QR code

3. Choose the wireless network you wish to connect to. If you are based at the University, please select Eduroam. If you require support connecting your device to eduroam, please follow the article "How to connect your mobile device to eduroam".

Select Connect

Connect to Wi-Fi options and settings

4. Once connected, the setup wizard will inform you that the device belongs to your organisation (the University), select Next.

Message saying that this device belongs to your organisation

5. The setup wizard will then ask you to set up a work profile, select Agree. It will then create a work profile for the device. The University will be able to manage the device through this work profile.

Screen saying "Getting ready for work setup" Updating process screen "Set up a work profile" screen Progression bar of the profile creation

6. The setup wizard will ask you to agree to the Google Terms and Conditions. Please read and agree by selecting Accept & Continue.

Welcome to Chrome message

7. Once the work profile has been created, a sign-in page will appear. Please enter your University username and select Next.

Sign in screen

Please note you may be asked to authenticate your sign-in here as part of the University’s Multi-Factor Authentication process

8. The screen will then display Your work checklist where you will need to firstly set up a screen lock. Please select Set up and set up a password for the device.

The screen displays "Your work checklist" password setup section

9. Once the screen lock has been activated, you will need to install work apps for the device. 
Please select Install to install applications such as Microsoft Authenticator (MFA) and Intune Company Portal, the University management gateway. Additional apps may be included in this process in the future.

Screen showing your screen lock has been activated Apps installations progression screen

10. Once the work apps have been installed, you will need to register your device on the Intune Company Portal app. Please select Set up.

Your work checklist. You can now register your device

11. The Intune Company Portal app will appear, please select Sign in.

Sign in button in the middle of the Intune app screen

12. As part of the sign in process, the device will ask for your University password. Please enter your password and click Sign in.

Enter your password

13. The app will then ask you to register the device, please select Register

Screen requesting to register your device

14. The device is now registered with iSolutions. Please follow the rest of the Android setup wizard at this stage as there will be further options to select (for example, setting up a Google account, device backup options). These options are personal choice and will not affect the Cyber Essentials compliance. 

Once this is complete, your device will begin to install any required apps and settings.

You will see several notifications and installations taking place whilst the device completes its setup therefore please do not turn off the device for at least 1 hour.

You will now need to check the device compliance. Please refer to Checking compliance on your computing device.

---

Back to the top

 

Connecting to a secure VPN on Microsoft Windows devices

To connect your device to the university's Virtual Private Network (VPN), please read the article "How to set up the Virtual Private Network (VPN) via GlobalProtect".

---

Back to the top

 

Frequently asked questions (FAQs)

Am I able to use a computing device that hasn’t been supplied by iSolutions?

Due to the changes with Cyber Essentials, all computing devices you use to access University resources must be checked and managed by iSolutions. 

This means that if you are currently using a personal device or a device provided by another service (including laptops, desktops, smartphones and tablets), you will no longer be able to use it to access University resources.

If you require a computing device for business purposes, the University will issue you with one. Please refer to the section "Ordering and setting up a new computing device".

 

Can the University monitor what I am doing on the device?

All devices are subject to mobile device management to ensure compliance only; the University cannot monitor what you are doing on the device.

 

What information does the University have access to when I enroll the device?

The University has access to:

  • Owner details
  • Device name, serial number, IMEI, model (e.g. Google Pixel) and manufacturer (e.g. Microsoft)
  • Operating system and version (e.g. iOS 12.0.1)
  • App inventory and app names

The University does not have access to:

  • Browsing history
  • Personal emails, documents, contacts or calendar
  • Passwords
  • Photos
  • Device location

Useful link: Microsoft – What information can my organisation see when I enroll my device?

 

I currently have admin rights on my University device, can I still access this?

The Cyber Essentials standard does not allow individuals to be granted admin rights on day-to-day accounts therefore all local admin rights will be removed. If you urgently require admin rights to install software, please contact ServiceLine.

 

What cloud services can I use to store my data?

You can use Office 365 to store data as this needs to be covered by Cyber Essentials. All individuals who have access to this data should be covered by Cyber Essentials as well.

Please do not use Dropbox, Google Drive, Box.com, or any other cloud storage devices.

 

Can I use Research Filestore or the J Drive to store my data? 

You can still use Research Filestore or the J drive to store any data which also needs to be covered by Cyber Essentials, but everyone else who can access this data should also be covered by this policy.

 

If I use an iSolutions server or virtual server (VM) to store my data, what should I do?

If you use an iSolutions server or virtual server (VM) to store or process data which needs to be covered by Cyber Essentials, please get in touch with ServiceLine so we can make sure that the server is also in compliance.

 

I have an Android device, how do I access my work apps?

Work apps are marked with a briefcase icon so you can distinguish them from personal apps. To access your work apps:

  1. Swipe up from the bottom of your screen to the top.
  2. Tap the "Work" tab.
  3. Tap the app that you want to open.

---

Back to the top

 

Getting IT help

If you need technical support, please contact ServiceLine or visit our Tech Hubs.

If you have any questions or concerns, please contact the project team by emailing cyberessentials@soton.ac.uk

---

Back to the top

 

Related content

Cyber Essentials SharePoint Site
National Cyber Security Centre (NCSC) website
Cyber Essentials – Scheme Overview
Cyber Essentials Compliance Policy
Microsoft – What information can my organisation see when I enroll my device?
Android – What is a work profile?

Attached files:

Was this article helpful?

If you have any further comments, please put them below.

Please note that feedback is anonymous - if you require a reply or assistance, please raise a ticket via ServiceLine.


Thank you for your feedback, it is much appreciated.

Tweet This Article

Back to List

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.

×