Computer Onboarding & Offboarding
This document outlines MTE's Standard Operating Procedures for "cradle to grave" handling of computers (desktops and laptops). Mobile devices (tablets and phones), servers, network equipment, and other such devices are covered elsewhere. For the purposes of this document, the term "computer" refers to desktop and laptop (including rugged) devices.
Of particular importance is the proper handling and final disposition of any data storage device. This includes, but is not limited to, internal hard drives (spinning or flash), USB drives, and SD cards. It is vital that any MTE data be properly destroyed prior to, or as part of, the disposal process.
Vendors and Ordering
Computers shall be acquired through approved vendors and ordered by the IT Support Supervisor. As of January 1, 2023, the approved vendor is Dell Computer. Models shall be business-class systems, currently Dell OptiPlex, Latitude, and Precision workstations. Other models will be considered for special circumstances or as Dell changes its model lineup. Contact information for Dell and our sales representatives is found in the appendix, Vendors.
Receiving and Initial Inventory
Upon physical receipt of the computers, their serial numbers and other data shall be entered into Freshservice, MTE's help desk management platform. The system tracks asset states; the initial state shall be "In Stock" until the systems are deployed. Asset tags shall be applied and recorded.
Initial Configuration
Initial configuration shall be via one of two methods as outlined below.
- The computer's drive is imaged from MTE's imaging server (FOG, as of this writing) to provide a base configuration consisting of Microsoft Windows and a default load of application software. Additional software will be loaded from our software distribution platform or other sources as needed.
- The computer will be purchased with an approved base load from the vendor and additional software will be loaded and/or updated during the preparation stage.
Aside from Microsoft Windows, the software that is part of our standard deployment is listed in the appendix, Standard Software. Additional approved software shall be loaded as needed by the department or individual employee. During this stage, the following shall also be completed:
- Join domain and place into appropriate OU.
- Ensure BitLocker is enabled.
- Run Microsoft and Vendor updates.
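The three preparation steps above are easy to skip under time pressure, so a post-build check is worth running before a computer leaves the bench. The script below is an added example and not MTE's own tooling; it assumes an elevated session on the newly built computer, the RSAT ActiveDirectory and BitLocker PowerShell modules, and a placeholder OU distinguished name ($ExpectedOu) that must be replaced with the department's real OU. The Dell Command Update path is the typical default install location.

```powershell
# Added example (not MTE's own tooling): verify domain join and OU placement,
# BitLocker state on every fixed volume, and update status on a freshly
# prepared computer. Run elevated on the machine being checked.

Import-Module ActiveDirectory
Import-Module BitLocker

$ExpectedOu = 'OU=Workstations,DC=example,DC=local'   # placeholder, replace with the real OU
$results    = [ordered]@{}

# 1. Domain membership, read from the local machine rather than from AD.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = [bool]$cs.PartOfDomain

# 2. OU placement: the computer object's DN must sit directly under the expected OU.
try {
    $adComputer = Get-ADComputer -Identity $env:COMPUTERNAME
    $results['InExpectedOU'] = ($adComputer.DistinguishedName -eq "CN=$env:COMPUTERNAME,$ExpectedOu")
} catch {
    $results['InExpectedOU'] = $false    # object not found or AD unreachable
}

# 3. BitLocker: every fixed volume with a drive letter must be fully encrypted
#    AND have protection on. A volume whose protectors are suspended reports
#    VolumeStatus 'FullyEncrypted' but ProtectionStatus 'Off', and fails here.
Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } | ForEach-Object {
    $bl = Get-BitLockerVolume -MountPoint "$($_.DriveLetter):"
    $results["BitLocker_$($_.DriveLetter)"] =
        ($bl.VolumeStatus -eq 'FullyEncrypted') -and ($bl.ProtectionStatus -eq 'On')
}

# 4. Updates: record the newest installed Windows update and, where Dell Command
#    Update is present, run its scan so pending firmware/driver updates are listed.
$lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$results['LastWindowsUpdate'] = $lastHotfix.InstalledOn

$dcu = 'C:\Program Files\Dell\CommandUpdate\dcu-cli.exe'   # typical default path
if (Test-Path $dcu) {
    & $dcu /scan | Out-Host               # scan output lists any pending Dell updates
    $results['DellScanExitCode'] = $LASTEXITCODE   # see Dell's CLI documentation for code meanings
}

# Report, and fail the build if any boolean check is false.
$results.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
$failed = $results.GetEnumerator() | Where-Object { ($_.Value -is [bool]) -and -not $_.Value }
if ($failed) {
    Write-Warning "Preparation incomplete: $($failed.Key -join ', ')"
    exit 1
}
```

A non-zero exit lets the script be called from the imaging or deployment workflow as a gate; the BitLocker check deliberately tests ProtectionStatus as well as VolumeStatus, because a drive left in a suspended state after a firmware update is encrypted on disk but boots without requiring the key.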
Security Standards
All systems shall adhere to the designated IT Security Standards. These are CIS Controls Level 1 plus BitLocker, configured via AD Group Policy. The security and management software is as follows.
- Carbon Black
- Cyber Ark EPM
- Cisco Secure Client (Umbrella)
- Global Protect (VPN)
- Rapid 7 Insight Client
- nFront Password Filter
- Workspace ONE
All internal Windows drives shall be encrypted with Microsoft BitLocker. Drives in non-Windows systems shall be encrypted with similar technology from their respective operating system.
Deployment
Upon deployment, the system's inventory record in Freshservice shall be updated to "In Use", and the fields for user, location, etc. shall also be updated. Upon delivery, Help Desk (HD) staff shall work with the employee to ensure that they are comfortable with their new computer and are able to perform their job duties.
Drive Replacement and Other Repairs
Any maintenance that requires replacement of the hard drive shall follow the same drive-handling procedures found under Decommissioning. If possible, drives being replaced under warranty shall be wiped prior to being returned to the manufacturer. An exception is granted for drives that cannot be recognized or cannot be wiped. All drive replacements shall be recorded in the computer's inventory record in Freshservice.
Decommissioning
The following procedures shall be performed when a computer is removed from active service and is to be disposed of.
- Asset tags and/or computer name labels are removed.
- Freshservice inventory updated to "Retired".
- Hard drive is removed or replaced with "clean" drive.
- "Dirty" drive is placed in the designated receptacle for such drives. These are then wiped per the approved standards (see the appendix, Drive Wipe/Sanitization). Once wiped, a drive can be returned to service, including being installed in a computer for a "Sharing Change" purchase.
- It is imperative that any storage media containing MTE data be secured. Such media shall be stored in a designated container used exclusively for this purpose. Once wiped, the drives can be reused or disposed of without further precautions.
- The computer's records/licenses shall be removed from the following services/systems:
  - Active Directory: the computer object is disabled and moved to the "To Be Deleted" OU, then deleted 30 days later.
  - Carbon Black
  - Cyber Ark EPM
  - PDQ Inventory and Connect
  - Workspace ONE
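The Active Directory step above (disable, move to "To Be Deleted", delete after 30 days) is the one most often done by hand and therefore the one most often forgotten. The following is an added example, not MTE's own script: it stamps the retirement date into the object's Description so the 30-day clock is auditable on the object itself, and a second function performs the delayed deletion. The OU distinguished name and the computer name in the usage comment are placeholders; the RSAT ActiveDirectory module and delete rights on the OU are assumed.

```powershell
# Added example (not MTE's own script): Active Directory portion of computer
# decommissioning. Requires the ActiveDirectory module (RSAT) and rights on the OU.

Import-Module ActiveDirectory

$ToBeDeletedOu = 'OU=To Be Deleted,DC=example,DC=local'   # placeholder, replace with the real OU

function Disable-RetiredComputer {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    # Disable and stamp the retirement date/operator so the object carries its own audit trail.
    Set-ADComputer -Identity $computer -Enabled $false `
        -Description ('Retired {0:yyyy-MM-dd} by {1}' -f (Get-Date), $env:USERNAME)
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ToBeDeletedOu
}

function Remove-ExpiredRetiredComputer {
    param([int]$RetentionDays = 30, [switch]$WhatIf)

    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADComputer -SearchBase $ToBeDeletedOu -SearchScope OneLevel `
                   -Filter 'Enabled -eq $false' -Properties Description |
        ForEach-Object {
            # Only objects carrying a retirement stamp are eligible; anything else
            # in the OU (no stamp, still enabled) is left for a human to review.
            if ($_.Description -match 'Retired (\d{4}-\d{2}-\d{2})' -and
                [datetime]$Matches[1] -le $cutoff) {
                # Remove-ADObject -Recursive is needed because BitLocker recovery
                # keys escrowed to AD are child objects of the computer object, and
                # Remove-ADComputer refuses to delete a non-leaf object.
                Remove-ADObject -Identity $_.DistinguishedName -Recursive `
                                -Confirm:$false -WhatIf:$WhatIf
            }
        }
}

# Usage: the first call per computer at decommission time, the second as a
# scheduled sweep (run with -WhatIf first). 'MTE-LT-0042' is a placeholder name.
# Disable-RetiredComputer -ComputerName 'MTE-LT-0042'
# Remove-ExpiredRetiredComputer -WhatIf
```

Note that the recursive delete also destroys the BitLocker recovery keys escrowed under the computer object. That is acceptable only because the drive has already been pulled and wiped earlier in this procedure; the sweep must not run against a computer whose drive is still awaiting sanitization, since the keys may be the only way to read it if a recovery is ever needed.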
Disposal
Decommissioned computers are made available to the employee who had been using them. The employee may "purchase" the computer by making a donation to MTE's Sharing Change. If the employee does not want the computer, it will be offered to the next person on the waiting list. If the computer is still not taken, disposal shall be handled by an approved recycling company. The Freshservice inventory record shall be updated with the appropriate status, Disposed or Sharing Change.
Missing / Stolen
Missing or stolen computers shall be disabled immediately (to the extent possible) using MTE's device management system, currently Workspace ONE. If warranted, a police report can be filed.
Appendix - Vendors
Appendix - Drive Wipe/Sanitization
Drive sanitization for disposal (destruction or redistribution) shall be performed through an approved vendor that provides services per NIST SP 800-88 Rev. 1, IEEE 2883-2022, or another approved standard. Sanitization can also be performed in-house using Microsoft's diskpart.exe utility with the "clean all" command on the drive.
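The risk in the in-house path is not that "clean all" fails to wipe, but that it wipes the wrong disk: diskpart selects by disk number, and numbers shift as docks and USB drives come and go. The script below is an added example and not MTE's own tooling. It selects the target by drive serial number, refuses the boot/system disk, requires a typed confirmation, verifies the result, and appends an audit line that can be copied into the Freshservice record. It assumes an elevated session on a technician workstation with the "dirty" drive attached; the serial number argument and the log path are placeholders.

```powershell
# Added example (not MTE's own tooling): serial-number-gated "clean all" wipe
# with verification and an audit log. Run elevated; destroys all data on the
# selected disk.

param(
    [Parameter(Mandatory)][string]$SerialNumber,
    [string]$LogPath = 'C:\WipeLog\wipes.csv'     # placeholder location for the audit log
)

# Locate the disk by serial, never by number, so a renumbered dock cannot mislead.
$disk = @(Get-Disk | Where-Object { $_.SerialNumber -and $_.SerialNumber.Trim() -eq $SerialNumber })
if ($disk.Count -ne 1) { throw "Expected exactly one attached disk with serial '$SerialNumber', found $($disk.Count)." }
$disk = $disk[0]
if ($disk.IsBoot -or $disk.IsSystem) { throw "Disk $($disk.Number) is the boot/system disk of this workstation. Refusing." }

# Show the technician exactly what is about to be destroyed and require confirmation.
'Disk {0}: {1}  Serial {2}  {3:N0} GB  Bus {4}' -f $disk.Number, $disk.FriendlyName,
    $disk.SerialNumber, ($disk.Size / 1GB), $disk.BusType
if ((Read-Host 'Type WIPE to overwrite every sector of this disk') -ne 'WIPE') { throw 'Aborted by operator.' }

# diskpart /s runs the script non-interactively. "clean all" writes zeros to
# every sector, which can take hours on a large spinning disk.
$script = "select disk $($disk.Number)`r`nclean all`r`nexit`r`n"
$tmp = New-TemporaryFile
Set-Content -Path $tmp.FullName -Value $script -Encoding ASCII
$start = Get-Date
diskpart /s $tmp.FullName | Out-Host
$rc = $LASTEXITCODE
Remove-Item $tmp.FullName

# Verify: after a successful clean the disk has no partition table at all.
$after    = Get-Disk -Number $disk.Number
$verified = ($rc -eq 0) -and ($after.PartitionStyle -eq 'RAW')

# Audit line for the inventory record.
$entry = [pscustomobject]@{
    Date     = $start.ToString('s')
    Operator = $env:USERNAME
    Model    = $disk.FriendlyName
    Serial   = $disk.SerialNumber
    SizeGB   = [math]::Round($disk.Size / 1GB)
    Minutes  = [math]::Round(((Get-Date) - $start).TotalMinutes)
    Method   = 'diskpart clean all (single-pass zero overwrite)'
    Verified = $verified
}
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$entry | Export-Csv -Path $LogPath -Append -NoTypeInformation

if (-not $verified) { throw "Wipe of serial $SerialNumber did not verify (diskpart exit code $rc)." }
'Wipe of serial {0} verified and logged to {1}.' -f $SerialNumber, $LogPath
```

A single zero pass is what NIST SP 800-88 Rev. 1 classifies as Clear. On flash media it does not reach over-provisioned or remapped blocks, so solid-state drives that are leaving MTE's control should go through the vendor path above (a Purge-level method such as firmware sanitize or cryptographic erase) rather than this script; the in-house wipe is appropriate for spinning disks and for flash drives that stay inside MTE.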
Appendix - Standard Software
Included with Gold Image
- Adobe Acrobat
- Carbon Black
- Cisco Secure Client (Umbrella client replacement; VPN module disabled)
- CyberArk Endpoint
- Dell Command Update (and any other Dell utilities needed)
- Font_Installer
- Freshservice Discovery Agent
- Global Protect
- Interaction Desktop
- iVUE Desktop Manager
- Logitech Options+
- Microsoft 365 Apps for Enterprise
- Microsoft OneDrive
- Microsoft Teams (new Teams for Work or School)
- nFront Password Filter Client
- Phish Alert
- PrinterLogic
- Rapid 7 Insight Client
- Snagit
Installed at time of deployment
- Workspace ONE Assist
- Workspace ONE Intelligent Hub