Policies for MacBook Administrators
Note: This document is Legacy IA Policy. It is under review and likely to be withdrawn or substantially revised soon. Before using this content for a project, contact the Security team.
All User accounts are created as ‘Admin’ to allow for software installation as part of normal business requirements.
Each laptop has a separate Admin account (created on build) to allow for User deletion and password resets
These policies must be adhered to by all MacBook Fleet Administrators.
These policies ensure two things:
- That administrators have a clear understanding of what is considered acceptable, so that they do not inadvertently perform an administrative action which is later considered unacceptable.
- In the event that a security incident does occur in relation to the MacBook Fleet, that there is a clear policy which can be referred to, to support any action that is taken.
Actions requiring authorisation
The following actions require formal authorisation (e.g. an email confirming that the action can proceed) from at least 2 of the following 3:
- The Chief Digital Officer.
- The Chief Information Security Officer (CISO) for the Ministry of Justice (MoJ).
- The MoJ Digital Information Assurance Lead.
- Creating a Mac account for a non MoJ member of Staff.
- Access any other users’ locally held data (active or suspended).
- Transfer any user’s locally held data (active or suspended) to another user. This also requires a request from the business area Service Manager.
Things you must do
- Maintain the active list of all active users.
- Raise an incident with the Security team when leaving Staff have not returned all MoJ assets in their possession.
- If anyone who has a MacBook account leaves the organisation for any reason.
- Retrieve the Users equipment and suspend the account.
- If requested by a Head of Profession, transfer user’s data to a user decided on by their line manager. This also requires a request from the business area Service Manager.
- On a minimum quarterly basis conduct a random percentage audit to check the encryption status of Mac Books and/or Airs.
If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: email@example.com.