IT Policy on Computing Provisioning and Lifecycle Management

1.1 Purpose

This policy defines the standards and procedures for the provisioning, maintenance, security, and retirement of computing equipment issued to UA&P employees. The primary goal is to shift to a Performance- and Risk-Based Model to maximize asset lifespan, ensure security, and maintain employee productivity.

1.2 Scope and Eligibility

1.2.1. This policy applies only to Full-Time Faculty and Staff who are eligible to be issued a primary computing device. Provisioning is strictly Needs-Based, Not Universal. Laptops are issued only to full-time employees whose work requires a mobile device or specialized computing power, as jointly determined by the IT Office and the relevant Department Head.

1.2.2. Eligibility Exclusion for Part-Time/Fixed-Term Personnel. Part-time and fixed-term contract employees are not eligible for a University-issued device. Exceptions must follow the stringent Standardization Exception Process (SEP) outlined in Section 2.2.

1.3 Accountability Reminder (Ref. ICT 015/2012, Section C.2)

All equipment remains the property of the University. The user is accountable to the University for all use of resources assigned to them and is financially responsible for damage caused by negligence.

2.1 Standard Institutional Device (SID) and Standardization Mandate

2.1.1 Standardization Mandate. All new purchases of computing devices for institutional use must conform to the specifications and required Designated Technical Platform of the Standardized Institutional Device (SID). The IT Office shall define the SID’s Technical Specification (hardware, OS, and base security features) based on the criteria detailed in ITG-002 Strategic Justification for Computing Fleet Standardization.

2.1.2 Designated Technical Platform. The Designated Technical Platform is the operating system and core hardware architecture (e.g., macOS) selected by the IT Office to serve as the foundation for the Standardized Institutional Device (SID). This platform is chosen based on criteria outlined in ITG-002, prioritizing security, centralized management, and long-term cost of ownership.

2.1.3 Elimination of Dedicated Desktops and Provisioning of Essential Peripherals: The provisioning of dedicated desktop computers for standard roles is eliminated in favor of the mobile SID. To maintain workplace ergonomics and productivity, the IT Office will provide essential peripherals (e.g., external monitor and standard input devices). Provisioning is granted only upon request and the formal joint approval of the IT Office and the Unit Head. The approval requires documented justification of the peripherals' necessity for the employee's role and sustained productivity.

2.2 Standardization Exception Process (SEP)

The SEP provides the auditable mechanism for approving devices other than the Standard Institutional Device (SID).

2.2.1 Technical Necessity: A role-essential, documented software application is either technically incompatible with the SID platform or requires sustained hardware resources (CPU, RAM, GPU, Storage) that exceed the specifications of the SID.

2.2.2 No Equivalent Software: For cases of technical incompatibility, the requesting unit must certify that no suitable equivalent software exists for the SID platform.

2.2.3 Role-Essential Transferability: The need for the non-standard device must be demonstrably tied to the technical requirements of the role itself and the device must be deemed transferable and supportable for the next incumbent in that role.

2.2.4 Security Compliance: The NSDE device must still meet the minimum hardware specifications for security compliance.

2.2.5 Prohibition on Personal Choice: Exceptions will not be granted for preferences related to brand, size, color, ergonomic familiarity, or any other factor that is not a documented, non-negotiable technical prerequisite for the role's function.

2.3 Employee Cost and Funding Mandate

The practice of employees shouldering the additional cost of an 'upgrade' or non-standard device is strictly prohibited. All approved costs must be fully covered and funded by the University.

2.4 SEP Procedure

1. Request. Employee submits an SEP Form detailing the objective, technical necessity for a non-standard device.

2. Technical Assessment. The IT Office verifies that the SID is incapable of supporting the job's essential technical requirements and formally certifies that the non-standard device is transferable and maintainable for future incumbents of the role.

3. Final Approval. Approval is required by the Head of the IT Office. All approved costs must be fully covered by the University.

2.5 Provisioning Priority for Unassigned Full-Time Employees

Full-time employees whose job functions require an institutional device but who have not yet been assigned a University-owned device shall be prioritized for SID issuance above all replacement requests. Issuance priority within this group shall be determined by the IT Office based on the following criteria, ranked by order of importance:

2.5.1 High-Risk Job Function: Roles where the primary tasks require dedicated, non-public institutional software or systems that cannot be accessed or run securely on a personal device.

2.5.2 High-Risk Data Access: Roles requiring sustained access to Highly Sensitive Institutional Data (e.g., confidential research, financial or legal records).

2.5.3 Productivity Impact: Roles directly impacting student services, core teaching functions, or revenue generation.

2.5.4 Tenure: Length of continuous full-time service.

2.6 Peripherals and Accessories

Necessary ergonomic and productivity peripherals (e.g., external monitor, keyboard, mouse, docking station) can be issued separately based on a specific, documented IT needs assessment of the employee's fixed office workspace (See Annex A for rationale).

The fixed age-based replacement cycle is replaced by a variable Support Life Cycle which dictates the need for Repair, Refurbishment, or Replacement based on defined risk and performance thresholds.

3.1 Non-Negotiable Replacement Triggers (Immediate Action)

These conditions apply to all University-owned devices and lead to mandatory and immediate Retirement and Replacement, as the device poses an unacceptable security or compliance risk.

• Operating System (OS) End-of-Life (EOL): The device's operating system (e.g., macOS version, Windows version) has reached its official end-of-support date from the vendor. Rationale: Devices running EOL operating systems no longer receive critical security patches, creating a high-risk security vulnerability for the entire institutional network and violating compliance mandates.

• Firmware/Hardware End-of-Life (EOL): The manufacturer has declared the device model or its core firmware non-supported. Rationale: Lack of firmware updates prevents the device from protecting against modern hardware-level exploits and renders the device incompatible with current security software agents.

• Core (Mandatory Security/Administrative) Software Incompatibility: The device cannot successfully operate or maintain mandatory University security software (e.g., antivirus, patch management agents, or VPN clients) or administrative software required for system management. Rationale: Lack of compatibility prevents the IT Office from enforcing the security baseline and policy compliance, making the device a direct threat to institutional data integrity.

3.2 Performance and Cost-Based Triggers

These conditions initiate the Employee-Initiated Device Assessment (EIDA) Protocol (See Section IV) to determine the most fiscally responsible action (Repair, Refurbishment, or Replacement).

• Productivity Threshold Failure (KPI Failure): The device consistently fails one or more defined Key Performance Indicators (KPIs) (See Section V). Rationale (Initiates EIDA Assessment): This is the primary trigger for assessing a device based on sustained, objective proof of end-user impact. The EIDA assessment is initiated when documented evidence proves the device's technical limitations are chronically impeding staff productivity.

• Repair Cost Threshold (Fiscal Trigger): The cost of repair (parts and labor) for the device exceeds 45% of the cost of a new Standard Institutional Device (SID). Rationale (Initiates Mandatory Retirement/Replacement): This establishes the fiscal tipping point for retiring an asset. Spending nearly half the cost of a brand-new, warrantied device on repairing an aging asset is deemed fiscally inefficient and violates the University's Total Cost of Ownership (TCO) objectives.

• Frequent Failure Rate (Reliability Trigger): The device records three (3) or more unique, hardware-related service tickets within any rolling 12-month period. Rationale (Initiates EIDA Assessment): Repeated component failure indicates poor reliability and suggests the device has reached the point of systematic decline. Retiring the device prevents high, recurring labor costs and chronic staff downtime, justifying an EIDA assessment to determine if immediate replacement is more cost-effective than continued repair.

4.1 The Employee-Initiated Device Assessment (EIDA) Protocol is the formalized, objective procedure for employees who believe their currently assigned computing device is causing a sustained negative impact on their job performance due to technical limitations or failure.

4.2 The EIDA Protocol is the formalized, objective procedure for employees who believe their device is causing a sustained negative impact on job performance. The IT Office commits to providing a final decision (Repair, Refurbish, or Replacement) within a maximum 10 business days from the date the device is dropped off for assessment. The final decision is based exclusively on the outcome of the objective audit against the KPI Triggers defined in Section V.

4.3 The EIDA steps are outlined below:

1. Assessment Request and Scheduling. The Employee initiates the process by submitting a Service Desk ticket via https://uapasia.jitbit.com/ with the subject “Device KPI Assessment.” IT will schedule the device for an In-Person Assessment.

2. Device Drop-Off and Protocol Execution. The Employee delivers the device to the IT Office at the scheduled time. The IT Staff executes a standardized stress test protocol, including a maximum 1-hour resource utilization test, to verify if the device meets the performance thresholds (Section V). If the assessment is expected to exceed one business day, the employee may opt to receive a loaner unit (service laptop).

3. Automated and Manual Validation. The IT Staff performs both: 

• Automated Audit. IT verifies system failures and security triggers by generating reports from Endpoint Monitoring Reports and ticket logs.

• In-Person Audit: IT validates the performance metrics (CPU/RAM, Boot Time) using the results of the official stress test protocol. The assessment is solely data-driven.

4. Final Decision. The Head of the IT Office approves the recommendation, concluding the EIDA process within the committed 10-day SLA, and initiating the approved action (Repair, Refurbish, or Replace) to restore staff performance.

The Employee-Initiated Device Assessment (EIDA) is triggered when objective evidence demonstrates a Sustained Failure of the targets below. Evidence is collected via Automated Reports (ESET Protect/Ticket Logs) or verified via In-Person Stress Test (Section IV, Step 2).

5.1 Standard Institutional Device (SID) Targets

The KPI Metrics and the corresponding Target Threshold (Trigger for Replacement Assessment) are outlined below.

• Boot/Login Time (In-Person Assessment) – Records 5 IT-monitored boot cycles exceeding 120 seconds (2 minutes).

• Sustained CPU/RAM Usage (In-Person Assessment) – IT-monitored stress test shows CPU usage exceeding 85% OR Free RAM falling below 10% for a minimum of 1 consecutive hour.

• Battery Health Capacity (In-Person Assessment) – Maximum charge capacity falls below 70% of the original design capacity.

• Application Stability (Automated Endpoint Monitoring Report) – Records 3 or more critical application crashes or system kernel panics within the monitoring period.

5.2 Legacy Device Targets (Windows Laptops/Desktops)

These targets apply only to the existing Windows fleet until retirement.

• Boot/Login Time – Records 5 IT-monitored boot cycles of startup time exceeding 180 seconds (3 minutes).

• Disk I/O Latency – IT-monitored stress test shows Disk Queue Length above 2.0 for a minimum of 1 consecutive hour during the EIDA protocol.

• Application Stability – Records 3 or more critical application crashes or system kernel panics within a 10-day assessment period (as captured by Endpoint Monitoring).

6.1 Loaner Unit Policy

A standardized Loaner Unit will be provided if the employee's primary device is undergoing repair exceeding 2 business days or is pending replacement. The employee is responsible for the security and prompt return of the loaner unit upon restoration of their primary device or receipt of their replacement device. All loaner units must be immediately returned to the IT Office.

6.2 Software and Configuration

The user shall not attempt to install additional software or hardware, nor remove software, nor change the system configuration settings, without formal written permission from the IT Office (via a ticketed request). Unauthorized changes will void the device's warranty, may compromise institutional security, and may necessitate device forfeiture and immediate re-imaging.