Secure Software Installation Process

ITS has a process for installing new software programs on college-owned computers which allows authorized individuals to add approved programs to their system(s) securely.  The goal of this process is to balance the convenience of the end user installing software themselves while also guarding against the security risks of malware and stolen credentials. 

When end users need to install a program, they submit an Install Application request at least one business day in advance per the support plan. If the software is approved, ITS will provide the end user with a temporary username and password that will allow them to install the application(s) on the desired computer(s).  That password will then expire after the new program is working. 

This process applies to individuals wanting to install software on their college-owned laptop or workstation as well as to those who manage multiple computers, for example computers in a lab or a set of laptops for periodic classroom use. 

For updating existing approved program, please submit an Update Application request.

For removing a program, please submit a Remove Application request.

This approach attempts to balance the convenience of enabling individuals to install applications that are specific to their needs and limiting the exposure of stolen account names and passwords.  When usernames and passwords with software installation privileges are captured, the risk to college's network and data increases significantly.  Limiting the ability to install software to specific computers for a specific time lowers the risk that a captured password would allow future harm. 

When a user calls or emails to request the ability to install software, the Service Desk will need the following info to be able to proceed:

• software title and version
• application vendor and link to website for the software
• username which will be used to perform the installation
• machine name(s) on which the software is to be installed

We will then verify the following:

1. The username in question represents someone with appropriate authority to alter the configuration of the requested machines.  
2. The requested software is in the ITS applications inventory of approved programs.
3. If the application is available in Software Center (Windows) or Jamf self-service (Macs), we will assist the requestor with installing the software using that method.  (Any application that has been deployed to a computer or to a user is available in the software center for that machine or user.  For example, a chemistry faculty member will see ChemDraw in the software center on any machine while anyone logging into the LIBLAB workstations will see Python v3.7.4.) 
4. If the application is not available in Software Center or Jamf, ITS will determine whether the application is allowed on college-owned machines. 

Once approval has been granted to install the application on the requested machines, the following steps are followed. If the user is installing the software on only one or two machines:

1. The Service Desk will provide a temporary local administrator password for each college-issued Windows machine affected.
2. If a college-issued Mac, we will execute the promote/demote process in Jamf.
3. We will provide the password(s) to the user who will perform the installation (not to someone calling on that person’s behalf) by voice, text, or encrypted email and set the expiration date for the password to expire 24 hours from the time it is provided.
4. If longer than 24 hours is requested, we will set the account’s expiration date to no more than one week from the date of the request.