Online safety
Securing our digital workspaces
March 5, 2025
In September 2024, Queen's Information Technology Services (ITS) launched new security measures to keep Queen’s digital ecosystem secure. Called the Endpoint Protection Project, these new measures aim to protect all devices used to perform Queen’s-related work from increasingly sophisticated and evolving cyber threats, using a suite of digital tools.
More than 4,600 faculty and staff have enrolled in the program since it debuted, with over 8,400 devices now benefiting from advanced protection.
For some potential users, the new tools raised some questions about user participation and privacy. Queen’s Information Security Officer Paul Muir spoke to the Queen’s Gazette to discuss the program and clarify some of the most frequently asked questions.
Can you briefly explain the endpoint protection project and how it works?
The Endpoint Protection Project employs a set of apps to protect user devices—called “endpoints”—from evolving cyber threats. These apps perform two main functions, called endpoint assessment and endpoint protection.
The app for endpoint assessment is installed on both Queen’s-funded devices and personal devices used to access Microsoft 365. The app for endpoint protection is installed on any device used to access protected Queen’s applications, like PeopleSoft.
What do these programs do?
Endpoint assessment uses software called Microsoft Intune to evaluate devices attempting to access Queen’s systems for how secure they are against several factors. It checks for essential protections like existing anti-malware or antivirus software, and up-to-date operating systems. It also looks at applications with known vulnerabilities, and existing firewall protections, which are used to defend against unauthorized connections.
Endpoint protection is a second layer of protection that uses Microsoft Defender for Endpoint (MDE) to provide users’ devices with anti-malware and antivirus protection, and protection against browser-based threats. The software also has capabilities to respond to detected threats on those devices, enhancing user security.
You mentioned that all Queen’s devices, including personal devices used for Queen's work, must be enrolled in the program. What do staff and faculty need to know about their participation in the program and their set of responsibilities?
Community members have four key responsibilities regarding digital safety at Queen’s. The first is understanding how cyber threats impact them. We offer annual Cybersecurity Awareness training for this purpose. Community members also must protect their identity by using strong passwords. Multi-factor authentication (MFA) is an added layer of protection against unauthorized access. Thirdly, they must protect their devices (endpoints), which means ensuring software is up to date, installing antivirus or anti-malware protection, and being careful about the websites they visit. Finally, community members should let us know when they think something is wrong by reporting to the IT Support Centre.
Some community members have raised concerns about device privacy, particularly the privacy of personal devices used for work. Can you tell us a little about how Queen’s balances data protection and privacy?
The Responsible Use of Digital Resources Policy establishes the University’s commitment to provide security and privacy protections to all community members. The Electronic Monitoring Transparency Policy outlines the limitations on how data and information collected by safeguards may be used while respecting individual privacy. The Access Authorization Procedure provides the authorization procedure to ensure that both commitments of the responsible use policy and the limitations of the electronic monitoring policy are practically implemented.
So, as it pertains specifically to this suite of apps, what information does Queen’s have access to on devices—particularly personal devices—enrolled in the program?
First, let me state unequivocally that Queen’s does not use this software to access data or information stored on personal devices or within apps on the device. Microsoft Intune, the software required to access Microsoft 365 on personal devices, only reads the device settings to determine the security and health of the device.
MDE generally does not access or collect personal information on devices; however, there are some cases where such access may be necessary. The ITS team has published more detailed information about what data is collected by MDE and how it is used on the . Queen’s staff and faculty do not need to install MDE on personal devices to access Microsoft 365. Intune is all that is required.