Microsoft Intune is a cloud-based service used by the University of Houston to manage and secure state-owned Windows computers. It runs in the background and helps ensure each device remains secure, compliant, and supported - on or off campus.

UH is implementing Intune to support three main goals:

• Improved security: Devices receive required security updates and configuration policies that help protect university systems and data.
• Remote support capabilities: Intune enables IT staff to assist with certain support tasks remotely, reducing the need for in-person troubleshooting in many cases.
• State of Texas compliance: Intune helps UH meet the requirements of Texas Senate Bill 1893, which mandates that public universities centrally manage and secure all state-owned devices, including blocking specific high-risk applications.

Jamf Pro is a macOS device management service used by the University of Houston to configure, secure, and support state-owned Apple computers. It allows UH IT to manage university-owned Macs remotely and apply security policies that align with institutional standards and state of Texas requirements.

UH is implementing Jamf Pro to support three main goals:

• Improved security: Jamf Pro enforces essential settings such as encryption, firewall configuration, and system updates to help protect university data and resources.
• Remote support capabilities: IT staff can use Jamf Pro to perform certain troubleshooting and support tasks without requiring the device to be on campus.
• State of Texas compliance: Jamf Pro helps UH meet the requirements of Texas Senate Bill 1893, which mandates centralized management of state-owned devices and enforcement of restrictions on specific high-risk applications.

This effort is driven by growing cybersecurity needs and new requirements from the state of Texas. Intune and Jamf support modern, off-campus work environments while helping UH meet mandated compliance standards.

Your UH-owned devices will stay updated and aligned with university security standards.

IT may be able to provide remote support depending on the situation.

You are not expected to self-enroll. Devices are typically enrolled by local IT staff during setup or provisioning.

Device management at the University of Houston applies only to state-owned computers - not personal devices. UH uses Microsoft Intune for Windows and Jamf Pro for macOS.

Will Be Enrolled:

• UH-owned Windows laptops, desktops, and tablets
• UH-owned Apple (macOS) laptops and desktops
• Any computer purchased with university funds, regardless of location

Will NOT Be Enrolled:

• Personally owned devices (including laptops, phones, and tablets)
• Student-owned computers
• Servers or lab-based systems with highly customized configurations

Important: This is not a BYOD (Bring Your Own Device) program. Device management applies strictly to university-owned machines. Your personal devices remain outside the scope of this system.

Enrollment is performed by your department’s IT support team. You are not expected to enroll your own device.

For Windows Devices (Intune):
Most UH-owned Windows devices are enrolled remotely by departmental IT using existing tools such as MECM (SCCM).

• The process typically takes 15 to 20 minutes and runs in the background.
• You can continue working during enrollment.

For macOS Devices (Jamf Pro):
Apple devices are enrolled manually by departmental IT staff, typically during initial setup or when reconfiguring an existing device.

• Enrollment may require you to bring the device to campus.
• You might be prompted to approve certain settings or authenticate with your CougarNet credentials during the process.

What You Might See During or After Enrollment:

• A message such as “Your organization is managing this device”
• A new application on your system (e.g., Company Portal on Windows or Self Service on macOS)
• A one-time request to sign in with your CougarNet ID

If Action Is Needed:
Your department’s IT team will contact you directly with instructions. If you are not contacted, no action is required.

No. For both Windows and macOS devices, your day-to-day experience remains the same.

What Stays the Same:

• You continue logging in with your CougarNet ID
• Your files remain in place
• Installed applications (that are not on the prohibited technology list) function as they always have
• You access network drives, email, and UH systems the same way
• Your passwords, bookmarks, and personal settings are unchanged

What’s New (but unobtrusive):

• Security updates and policies are applied automatically in the background
• IT staff can provide remote support when necessary
• A new tool may appear on your system:
  • Company Portal (Windows)
  • Self Service (macOS)

Your privacy is important. UIT uses Microsoft Intune and Jamf Pro to manage state-owned devices in a way that supports security and compliance - not to monitor user activity or personal behavior.

To be clear:

What UIT does not see:

• Your personal files, documents, photos, or downloads
• Your web browsing history or search activity
  Your personal email accounts (e.g., Gmail, Yahoo, Outlook.com)
• Your screen content or what you're working on
• Your physical location or GPS data
• Your text messages or private communications
• Your passwords or login credentials
• Your keystrokes or anything you type
• Your social media activity
• Your personal app data (e.g., banking or shopping apps)

What UIT can access:

• Device name and hardware model
• Operating system version
• Security update and patch status
• Antivirus activity status
• Disk encryption status (e.g., BitLocker or FileVault)
• List of installed applications (not usage or personal data)
• Device compliance status (e.g., meets required settings)
• Last check-in time with the management platform

Device management tools are focused on maintaining security and ensuring state policy compliance - not collecting or reviewing personal information.

No. Device management at UH is focused on maintaining system security and compliance - it does not provide access to your personal content.

 
Can UIT read my email?
No. UIT cannot access the content of your email, whether it's through Outlook, Gmail, or any other email client.

• What UIT can see: Whether Outlook is installed and configured correctly
• What UIT cannot see: Subject lines, message content, attachments, or sender/recipient details

Can UIT see my documents or files?
No. UIT cannot view or open your documents, spreadsheets, presentations, or any file stored on your device.

• What UIT can see: Whether Microsoft Office or other managed software is installed
• What UIT cannot see: File names, file contents, folder locations, or what you're working on

Can IT monitor my screen?
No. IT cannot view your screen or activity during regular use.

• The only exception: If you request help and explicitly approve a remote support session, your local IT may temporarily view your screen to assist with troubleshooting. This process always requires:

1. 1. You initiating the support request
   2. You granting permission for the connection
   3. A visible prompt or confirmation before it begins
   4. You being able to end the session at any time

Bottom line: These tools manage the device - not the user. UIT cannot and does not monitor your work, access your content, or observe your activity without your knowledge or consent.

No. Neither Intune nor Jamf Pro uses GPS or location tracking.

What UIT cannot see:

• Your physical location (GPS coordinates)
• Where you're working from (e.g., home, campus, off-site)
• Your travel history or movement between locations
• Whether you are in the office or working remotely

What UH IT can see:

• The last time your device checked in with Intune or Jamf Pro (e.g., “Last check-in: Jan 15, 2025, 2:30 PM”)
• The IP address used during check-in, for security monitoring

IP address data is used strictly for security purposes. It helps UIT detect suspicious activity - such as logins from unexpected locations that may indicate a compromised account.

For example:
If your CougarNet credentials are used from Houston and a foreign country within minutes of each other, that’s a red flag. The IP address helps UIT identify and respond to those threats.

IP data is not used to monitor user behavior or track physical location. It supports cybersecurity, not surveillance.

UIT collects a limited set of data necessary to manage, support, and secure university-owned devices. This data supports compliance with state law, helps protect university systems, and enables IT to respond quickly to issues.

Data Collected and Its Purpose

Device Inventory (used for asset tracking and warranty management)

• Device name, serial number, model
• Hardware details (CPU, RAM, disk size)

Security Compliance (used to protect against cyber threats)

• Operating system version and patch status
• Antivirus and firewall status
• BitLocker/FileVault encryption status
• Last security update installed

Application Inventory (used for license tracking and prohibited app detection)

• List of installed applications and versions
• Install/uninstall dates
• No application usage or personal data is collected

Device Health (used for proactive troubleshooting and support)

• Battery health (for laptops)
• Available disk space
• System errors or crash data
• Network connectivity information

User Information (used for device assignment and compliance reporting)

• CougarNet username and assigned user

Policy Compliance (used to meet state and institutional policy requirements)

• Device compliance with required configurations
• Policy evaluation results and any violations
• Remediation status for non-compliant devices

What Intune and Jamf Do Not Collect

UH IT does not access or collect:

• Personal documents, files, or media
• Web browsing history, cookies, or cache
• Email content or metadata
• GPS or location data
• Screen activity or keystrokes
• Personal app usage (e.g., banking, social media)
• Private communications (texts, calls, chat)

Data collected through Microsoft Intune (for Windows) and Jamf Pro (for macOS) is safeguarded using industry-standard security practices and governed by university and state policies.

• All data is stored in Microsoft Azure (Intune) or Jamf Cloud (Jamf Pro) and encrypted both at rest and in transit
• Only authorized IT personnel have access to management data
• All administrative access is logged and subject to audit
• Systems comply with applicable data protection laws, including FERPA, HIPAA (where applicable), and state of Texas regulations
• Data is automatically deleted when a device is unenrolled from the system

UIT prioritizes security and privacy in every aspect of device management.

Yes. Devices enrolled in the University of Houston’s management systems - Microsoft Intune for Windows and Jamf Pro for macOS - can be configured to apply security controls that help protect institutional and research data. These measures are designed to reduce risk while minimizing disruption to daily work.

How Managed Devices Help Protect Research Data

1. Full-Disk Encryption

• Intune can enable BitLocker (Windows) and Jamf can enforce FileVault (macOS)
• These tools encrypt data at rest, making it unreadable if a device is lost or stolen
• Encryption helps meet institutional and regulatory expectations for securing research data

2. Security Updates and Patch Management

• Managed devices can receive operating system and security patches automatically
• Timely updates reduce exposure to malware, ransomware, and known vulnerabilities
• Updates are coordinated by local IT, not dependent on end users

3. Compliance and Access Controls

• Device compliance with UH security policies can be enforced through Intune or Jamf
• Non-compliant or out-of-date devices can be set up to be blocked from accessing protected university systems
• Helps ensure only secure endpoints interact with sensitive data and services

4. Remote Support

• Local IT can assist with diagnostics, troubleshooting, and certain software updates remotely
• Management platforms function over the internet, helping maintain security regardless of user location

Enrollment is handled by UIT, typically in coordination with your department’s local IT support. Most users will not need to initiate enrollment themselves.

For Windows Devices (Intune)

• Enrollment is usually performed remotely by IT using tools such as MECM (SCCM).
• You may receive a brief prompt to sign in with your CougarNet credentials.
• The process typically takes 15–20 minutes and runs in the background.

After enrollment, you may notice:

• A Windows notification that “your organization is managing this device”
• A new app called Company Portal in your Start menu
• Security settings and software applied automatically

For macOS Devices (Jamf Pro)

• Apple devices are typically enrolled manually by local IT during setup or when brought in for configuration.
• This process requires the device to be physically present with IT staff or set up using a remote session.
• You may be asked to approve device profiles or security settings during the setup process.

After enrollment, you may notice:

• A new application called Self Service installed on your Mac
• System notifications requesting permission for management settings

Enrollment ensures your device is properly secured, supported, and compliant with state of Texas requirements.

For Windows devices (Intune):

• Open the Company Portal app. If it opens and shows your device, it’s enrolled.
• Go to Settings > Accounts > Access work or school and check whether your device is connected to UH’s Azure AD.

For macOS devices (Jamf Pro):

• Look for the Self Service app in your Applications folder.
• Open System Settings > Profiles and confirm there’s a University of Houston configuration profile installed.

Most new UH-owned devices are enrolled before delivery or during initial setup. Your departmental IT will coordinate this process. If you’re unsure, contact your local IT support to confirm enrollment status.

Windows Devices (Intune):
No. Enrollment does not erase files or reformat the device. Your data, applications, and settings remain unchanged.

macOS Devices (Jamf Pro):
A full wipe and setup may be required. This ensures the device is placed under proper management with security controls enforced from the start.

Your departmental IT will notify you if this is the case and guide you through the reconfiguration process.

Each UH-owned device must be enrolled separately, but it's the same easy process for each one.

Company Portal is the Microsoft companion app for Intune. It serves as your interface to UH’s device management system and software catalog.

Key Features

1. Software Installation

• Browse and install app pre-configured by your local IT
• No tickets or wait times - just click and install

2. Device Compliance Status

• See if your device meets security requirements
• View status: compliant, warning, or non-compliant
• Click "Resolve" for instructions if needed

3. Device Info and Troubleshooting

• View device name, OS version, and last sync time
• Use the "Sync" button to update compliance status

Self Service is the companion app for Jamf Pro on UH-managed macOS devices. It provides access to UH-approved software and helpful tools, all curated by your departmental IT.

1. Software Installation

• Browse and install apps pre-approved by your local IT
• No tickets or wait times—just click and install
• Common tools include Microsoft Office, VPN clients, browsers, and security utilities

2. Device Utilities and Scripts

• Run maintenance tasks (e.g., update inventory, flush caches)
• Apply fixes provided by IT without submitting a request
• Used to resolve common macOS issues quickly

3. IT Resources and Support

• Links to documentation, support contacts, and departmental tools
• May include request forms or setup instructions specific to your area

 

No. Under normal conditions, neither Microsoft Intune (Windows) nor Jamf Pro (macOS) causes noticeable performance issues or battery drain.

Performance
Both Intune and Jamf Pro are lightweight tools designed to run silently in the background. They use minimal system resources and do not interfere with your daily tasks. Most users will not notice they are running.

Battery Impact
Battery usage is minimal. These systems check in periodically to sync settings or apply updates but do not run continuously or perform heavy background tasks. When software or system updates are installed, you may see a temporary increase in activity - similar to any software installation.

This is Texas state law, not just a UH policy. Let's break down the legal requirements:

The Law: Texas Senate Bill 1893 In 2023, the Texas Legislature passed Senate Bill 1893, codified as Texas Government Code Chapter 620. This law legally mandates that all state agencies and public universities prohibit specific "high-risk technologies" from any state-owned or state-leased device.

Who Decides What's Prohibited? The Texas Department of Information Resources (DIR) maintains the official list of prohibited technologies. DIR identifies apps and services that pose potential security risks—primarily those that may be compelled by foreign governments to provide user data without U.S. legal protections.

Currently Prohibited Technologies Include:

• TikTok, Lemon8, CapCut (ByteDance products)
• WeChat (Tencent product)
• Kaspersky (Russian antivirus)
• WPS Office (Kingsoft product)
• Huawei and ZTE networking equipment
• And others - see the full DIR list

UH's Role: UH System implemented this state mandate through System Administrative Memorandum (SAM) 07.A.12: "Prohibited Technologies and Covered Applications." UH Information Technology is tasked with enforcing this law - we didn't create these rules, but we must follow them.

If a prohibited application is found on a managed UH device, the system will automatically enforce compliance. This process supports UH's obligations under state of Texas law and ensures secure computing environments.

What Happens:

1. Detection
   Microsoft Intune (Windows) and Jamf Pro (macOS) routinely check for prohibited software on enrolled devices.
   
   
2. Automatic Enforcement
   If a prohibited app is detected:
   • The device is marked non-compliant.
   • The app is blocked from launching using AppLocker or system policies.
   • While conditional access is not currently enforced, the device's compliance status will reflect the violation.
3. Remediation
   Users or departmental IT are expected to uninstall prohibited applications. Departmental IT may follow up as needed to help resolve non-compliance.
4. Return to Compliance
   Once the prohibited app is removed, the device’s compliance status updates automatically.

UHS may permit exceptions authorizing the installation and use of Prohibited Technologies on UHS-owned devices for the purposes of:

• Law enforcement and public safety;
• Investigations and adjudications required by law, regulation, or policy;
• Enforcement of university-owned intellectual property rights;
• Research when the researcher uses Prohibited Technologies as part of their field of study, but only if such use would be conducted from university-issued devices used solely for Prohibited Technologies and would not be used for any other university purpose or to access any other university service;
• Teaching when faculty use Prohibited Technologies as part of their curriculum, but only if such use would be conducted from university-issued devices used solely for Prohibited Technologies and would not be used for any other university purpose or to access any other university service; or
• Other specific business needs as approved.

All exception requests must be submitted to UHS Information Security for review using the Exception Request Form. UHS Information Security will submit the exception request to the UHS Chancellor or applicable university president for approval and report the exception to DIR as required.