Microsoft Intune is a cloud-based service the University of Houston uses to manage and secure university-owned Windows computers. It runs in the background to keep your device up to date, protected, and reliable, whether you are on campus or working elsewhere.

We use Intune for three main reasons:

• Better security: Your device gets automatic updates and settings that protect university data and help prevent problems.
• Faster support: Your local IT team can troubleshoot and fix many issues remotely.
• State requirements: Intune lets UH meet Texas cybersecurity rules that require central management of university-owned devices. Those rules are the reason for the program, but the main benefit is a smoother, safer experience for you.

Jamf Pro is a device management service the University of Houston uses to configure, secure, and support university-owned Mac and iOS devices. It runs in the background to keep your device up to date, protected, and reliable.

We use Jamf Pro for three main reasons:

• Better security: Your device gets automatic updates and settings that protect university data and help prevent problems.
• Faster support: Your local IT team can troubleshoot and fix many issues remotely.
• State requirements: Jamf Pro lets UH meet Texas cybersecurity rules that require central management of university-owned devices. Those rules are the reason for the program, but the main benefit is a smoother, safer experience for you.

New state rules from Texas require central management of university-owned devices. These rules are what prompted the change, but they have also allowed us to put in place tools that make your device more secure, up to date, and reliable with less disruption to your work.

Your UH-owned devices will stay updated and aligned with university security standards.

Your local IT may be able to provide remote support depending on the situation.

You are not expected to self-enroll. Devices are typically enrolled by local IT staff during setup or provisioning.

Device management at the University of Houston applies only to university-owned computers - not personal devices. 

Will Be Enrolled:

• UH-owned Windows laptops, desktops, and tablets (including Digital Signage).
• UH-owned Apple (macOS/iOS) laptops, desktops, tablets, and cell phones
• Any computer purchased with university funds, regardless of location

Will NOT Be Enrolled:

• Personally owned devices (including laptops, phones, and tablets)
• Student-owned computers

Important: This is not a BYOD (Bring Your Own Device) program. Device management applies strictly to university-owned machines. Your personal devices remain outside the scope of this system.

Enrollment is performed by your department’s IT support team. You are not expected to enroll your own device.

For Windows Devices (Intune):
Most UH-owned Windows devices are enrolled remotely by departmental IT using existing tools such as MECM (SCCM).

• The process typically takes 15 to 20 minutes and runs in the background.
• You can continue working during enrollment.

For macOS/iOS Devices (Jamf Pro):
Apple devices are enrolled manually by departmental IT staff, typically during initial setup or when reconfiguring an existing device.

• Enrollment may require you to bring the device to campus.
• You might be prompted to approve certain settings or authenticate with your CougarNet credentials during the process.

What You Might See During or After Enrollment:

• A message such as “Your organization is managing this device”
• A new application on your system (e.g., Company Portal on Windows or Self Service on macOS)
• A one-time request to sign in with your CougarNet ID

If Action Is Needed:
Your department’s IT team will contact you directly with instructions. If you are not contacted, no action is required.

No. For both Windows and Apple devices, your day-to-day experience remains the same.

What Stays the Same:

• You continue logging in with your CougarNet ID
• Your files remain in place
• Installed applications (that are not on the prohibited technology list) function as they always have
• You access network drives, email, and UH systems the same way
• Your passwords, bookmarks, and personal settings are unchanged

What’s New (but unobtrusive):

• Security updates and policies are applied automatically in the background
• Local IT staff can provide remote support when necessary
• A new tool may appear on your system:
  • Company Portal (Windows)
  • Self Service (macOS)

For the most part, no. You will still request software the same way you do now, and your privileges are set by your local IT team.

Device management does add one helpful tool: the Company Portal app on Windows devices (via Intune) or the Self Service app on Macs (via Jamf). Your local IT can use it to offer a catalog of pre-approved apps you can install yourself, or to automatically push the software you need most. It usually makes getting standard university tools faster and easier.

If you need specific software or have questions about permissions, reach out to your department's tech manager or local IT for assistance.

No, device management is not designed to monitor your activity or personal behavior. Your privacy is a priority, and Microsoft Intune and Jamf Pro are used only to keep university-owned devices secure, up to date, and running reliably.

To be clear:

What UIT does not see:

• Your personal files, documents, photos, or downloads
• Your web browsing history or search activity
  Your personal email accounts (e.g., Gmail, Yahoo, Outlook.com)
• Your screen content or what you're working on
• Your text messages or private communications
• Your passwords or login credentials
• Your keystrokes or anything you type
• Your social media activity
• Your personal app data (e.g., banking or shopping apps)

What UIT can access:

• Device name and hardware model
• Operating system version
• Security update and patch status
• Antivirus activity status
• Disk encryption status (e.g., BitLocker or FileVault)
• List of installed applications (not usage or personal data)
• Device compliance status (e.g., meets required settings)
• Last check-in time with the management platform

No. Device management at UH does not provide access to your personal content.

Can UIT read my email?
No. UIT cannot access the content of your email, whether it's through Outlook, Gmail, or any other email client.

• What UIT can see: Whether Outlook is installed and configured correctly
• What UIT cannot see: Subject lines, message content, attachments, or sender/recipient details

Can UIT see my documents or files?
No. UIT cannot view or open your documents, spreadsheets, presentations, or any file stored on your device.

• What UIT can see: Whether Microsoft Office or other managed software is installed
• What UIT cannot see: File names, file contents, folder locations, or what you're working on

Can IT monitor my screen?
No. IT cannot view your screen or activity during regular use.

• The only exception: If you request help and explicitly approve a remote support session, your local IT may temporarily view your screen to assist with troubleshooting. This process always requires:

1. 1. You initiating the support request
   2. You granting permission for the connection
   3. A visible prompt or confirmation before it begins
   4. You being able to end the session at any time

Bottom line: These tools manage the device - not the user. UIT cannot and does not monitor your work, access your content, or observe your activity without your knowledge or consent.

IP address data is used strictly for security purposes. It helps UIT detect suspicious activity - such as logins from unexpected locations that may indicate a compromised account.

For example:
If your CougarNet credentials are used from Houston and a foreign country within minutes of each other, that’s a red flag. The IP address helps UIT identify and respond to those threats.

IP data is not used to monitor user behavior or track physical location. It supports cybersecurity, not surveillance.

Device management collects only a small set of device-level details needed to keep your university-owned computer secure, up to date, and reliable.

Data Collected and Its Purpose

Device Inventory (used for asset tracking and warranty management)

• Device name, serial number, model
• Hardware details (CPU, RAM, disk size)

Security Compliance (used to protect against cyber threats)

• Operating system version and patch status
• Antivirus and firewall status
• BitLocker/FileVault encryption status
• Last security update installed

Application Inventory (used for license tracking and prohibited app detection)

• List of installed applications and versions
• Install/uninstall dates
• No application usage or personal data is collected

Device Health (used for proactive troubleshooting and support)

• Battery health (for laptops)
• Available disk space
• System errors or crash data
• Network connectivity information

User Information (used for device assignment and compliance reporting)

• CougarNet username and assigned user

Policy Compliance (used to meet state and institutional policy requirements)

• Device compliance with required configurations
• Policy evaluation results and any violations
• Remediation status for non-compliant devices

What Intune and Jamf Do Not Collect

UH IT does not access or collect:

• Personal documents, files, or media
• Web browsing history, cookies, or cache
• Email content or metadata
• Screen activity or keystrokes
• Personal app usage (e.g., banking, social media)
• Private communications (texts, calls, chat)

Data collected through Microsoft Intune (for Windows) and Jamf Pro (for macOS/iOS) is safeguarded using industry-standard security practices and governed by university and state policies.

• All data is stored in Microsoft Azure (Intune) or Jamf Cloud (Jamf Pro) and encrypted both at rest and in transit
• Only authorized IT personnel have access to management data
• All administrative access is logged and subject to audit
• Systems comply with applicable data protection laws, including FERPA, HIPAA (where applicable), and state of Texas regulations
• Data is automatically deleted when a device is unenrolled from the system

UIT prioritizes security and privacy in every aspect of device management.

Yes. Devices enrolled in the University of Houston’s management systems - Microsoft Intune for Windows and Jamf Pro for Apple - can be configured to apply security controls that help protect institutional and research data. These measures are designed to reduce risk while minimizing disruption to daily work.

How Managed Devices Help Protect Research Data

1. Full-Disk Encryption

• BitLocker can be enabled on Windows computers and Jamf can enforce FileVault (macOS)
• These tools encrypt data at rest, making it unreadable if a device is lost or stolen
• Encryption helps meet institutional and regulatory expectations for securing research data

2. Security Updates and Patch Management

• Managed devices can receive operating system and security patches automatically
• Timely updates reduce exposure to malware, ransomware, and known vulnerabilities
• Updates are coordinated by local IT, not dependent on end users

3. Compliance and Access Controls

• Device compliance with UH security policies can be enforced through Intune or Jamf
• Non-compliant or out-of-date devices are flagged for review by your local IT.
• Helps ensure only secure endpoints interact with sensitive data and services

4. Remote Support

• Local IT can assist with diagnostics, troubleshooting, and certain software updates remotely
• Management platforms function over the internet, helping maintain security regardless of user location

Enrollment is handled by UIT, typically in coordination with your department’s local IT support. Most users will not need to initiate enrollment themselves.

For Windows Devices (Intune)

• Enrollment is usually performed remotely by local IT using tools such as MECM (SCCM).
• You may receive a brief prompt to sign in with your CougarNet credentials.
• The process typically takes 15–20 minutes and runs in the background.

After enrollment, you may notice:

• A Windows notification that “your organization is managing this device”
• A new app called Company Portal in your Start menu
• Security settings and software applied automatically

For macOS and iOS Devices (Jamf Pro)

• Apple devices are typically enrolled manually by local IT during setup or when brought in for configuration.
• This process requires the device to be physically present with local IT staff or set up using a remote session.
• You may be asked to approve device profiles or security settings during the setup process.

After enrollment, you may notice:

• A new application called Self Service installed on your Mac
• System notifications requesting permission for management settings

For Windows devices (Intune):

• Open the Company Portal app. If it opens and shows your device, it’s enrolled.
• Go to Settings > Accounts > Access work or school and check whether your device is connected to UH’s Azure AD.

For macOS devices (Jamf Pro):

• Look for the Self Service app in your Applications folder.
• Open System Settings > Profiles and confirm there’s a University of Houston configuration profile installed.

Most new UH-owned devices are enrolled before delivery or during initial setup. Your departmental IT will coordinate this process. If you’re unsure, contact your local IT support to confirm enrollment status.

Windows Devices (Intune):
No. Enrollment does not erase files or reformat the device. Your data, applications, and settings remain unchanged.

macOS/iOS Devices (Jamf Pro):
A full wipe and setup may be required. This ensures the device is placed under proper management with security controls enforced from the start.

Your departmental IT will notify you if this is the case and guide you through the reconfiguration process.

Each UH-owned device must be enrolled separately, but it's the same easy process for each one.

Company Portal is the Microsoft companion app for Intune. It serves as your interface to UH’s device management system and software catalog.

Key Features

1. Software Installation

• Browse and install app pre-configured by your local IT
• No tickets or wait times - just click and install

2. Device Compliance Status

• See if your device meets security requirements
• View status: compliant, warning, or non-compliant
• Click "Resolve" for instructions if needed

3. Device Info and Troubleshooting

• View device name, OS version, and last sync time
• Use the "Sync" button to update compliance status

Self Service is the companion app for Jamf Pro on UH-managed macOS devices. It provides access to UH-approved software and helpful tools, all curated by your departmental IT.

1. Software Installation

• Browse and install apps pre-approved by your local IT
• No tickets or wait times—just click and install
• Common tools include Microsoft Office, VPN clients, browsers, and security utilities

2. Device Utilities and Scripts

• Run maintenance tasks (e.g., update inventory, flush caches)
• Apply fixes provided by your local IT without submitting a request
• Used to resolve common macOS issues quickly

3. IT Resources and Support

• Links to documentation, support contacts, and departmental tools
• May include request forms or setup instructions specific to your area

 

No. Under normal conditions, neither Microsoft Intune (Windows) nor Jamf Pro (macOS/iOS) causes noticeable performance issues or battery drain.

Performance
Both Intune and Jamf Pro are lightweight tools designed to run silently in the background. They use minimal system resources and do not interfere with your daily tasks. Most users will not notice they are running.

Battery Impact
Battery usage is minimal. These systems check in periodically to sync settings or apply updates but do not run continuously or perform heavy background tasks. When software or system updates are installed, you may see a temporary increase in activity - similar to any software installation.

This is Texas state law, not just a UH policy. Let's break down the legal requirements:

The Law: Texas Senate Bill 1893 In 2023, the Texas Legislature passed Senate Bill 1893, codified as Texas Government Code Chapter 620. This law legally mandates that all state agencies and public universities prohibit specific "high-risk technologies" from any state-owned or state-leased device.

Who Decides What's Prohibited? The Texas Department of Information Resources (DIR) maintains the official list of prohibited technologies. DIR identifies apps and services that pose potential security risks—primarily those that may be compelled by foreign governments to provide user data without U.S. legal protections.

Currently Prohibited Technologies Include:

• TikTok, Lemon8, CapCut (ByteDance products)
• WeChat (Tencent product)
• Kaspersky (Russian antivirus)
• WPS Office (Kingsoft product)
• Huawei and ZTE networking equipment
• And others - see the full DIR list

UH's Role: UH System implemented this state mandate through System Administrative Memorandum (SAM) 07.A.12: "Prohibited Technologies and Covered Applications." UH Information Technology is tasked with enforcing this law - we didn't create these rules, but we must follow them.

If a prohibited application is found on a managed UH device, the system will automatically enforce compliance. This process supports UH's obligations under state of Texas law and ensures secure computing environments.

What Happens:

1. Detection
   Microsoft Intune (Windows) and Jamf Pro (macOS/iOS) routinely check for prohibited software on enrolled devices.
   
   
2. Automatic Enforcement
   If a prohibited app is detected:
   • The device is marked non-compliant.
   • The app is blocked from launching using AppLocker or system policies.
3. Remediation
   Users or departmental IT are expected to uninstall prohibited applications. Departmental IT may follow up as needed to help resolve non-compliance.
4. Return to Compliance
   Once the prohibited app is removed, the device’s compliance status updates automatically.

UHS may permit exceptions authorizing the installation and use of Prohibited Technologies on UHS-owned devices for the purposes of:

• Law enforcement and public safety;
• Investigations and adjudications required by law, regulation, or policy;
• Enforcement of university-owned intellectual property rights;
• Research when the researcher uses Prohibited Technologies as part of their field of study, but only if such use would be conducted from university-issued devices used solely for Prohibited Technologies and would not be used for any other university purpose or to access any other university service;
• Teaching when faculty use Prohibited Technologies as part of their curriculum, but only if such use would be conducted from university-issued devices used solely for Prohibited Technologies and would not be used for any other university purpose or to access any other university service; or
• Other specific business needs as approved.

All exception requests must be submitted to UHS Information Security for review using the Exception Request Form. UHS Information Security will submit the exception request to the UHS Chancellor or applicable university president for approval and report the exception to DIR as required.