Re: Duo enforcement for students

["Chester, Heather" <htomley () LUC EDU>]

First off, many thanks to the Educause community for constantly sharing.  There was a wealth of information we used to 
plan our roll-out.  We focused on a very collaborative deployment and balancing impact to the Service Desk. See 
attached/below and use if helpful.

We had a roll-out plan over 5 months, for active faculty, staff, students.  We also requested Student Development, 
Deans of Schools, and Leaders of Staff Divisions to identify when would be the best time for their group to enable MFA 
over a couple weeks (and remind them that anyone could opt-in at any time ahead of time).  We enabled groups of people 
weekly (comm outline below).  Due to COVID, we deferred our initial launch plans (Jan thru May, now May-Sept).

Overview
Pilot with internal IT teams (2 or 3 enablement’s)
Pilot “friendly” operations non-IT groups that use ITS service often (to gain a wider university perspective)
Presented the launch of MFA to the Cabinet (and sent additional communications to Dean’s Council of this initiative) 
and Global Comm to University this would be required
Sought partnership with Student Development, Deans of Schools, and Leaders of Staff Divisions when would be best for 
their areas to be enabled during this timeframe (gave 2 weeks to respond. Goal was to have all groups scheduled within 
2-3 weeks & deploy over 4 mo’s).
Roll-out over 4 months, first with faculty after graduation (May/June), then staff (June and July), then students 
(June/July/early August). Moved all inactive accounts over the course of the deployment, or new accounts as they were 
enabled.
Communicated through 5-7 unique channels (faculty, staff, and student) encouraging self-enrollment (even before 
required by scheduled group dates, which drove adoption).
Had video’s, we have detailed step-by-step instructions, and FAQ’s on the website, and offered weekly Zoom Drop-In 
sessions on Monday & Tuesday (and offered individuals to schedule a 1-1 walk thru with Info Security Office)

Weekly Enablement’s
Example, on Monday 6/1 we emailed individuals mentioning they would be enabled the following Wednesday 6/10 at 9am 
(which gave users 10 days to self-enroll)
Example, on Monday 6/8 we emailed individuals mentioning they would be enabled the following Wednesday 6/10 at 9am 
(which gave users 2 days to self-enroll)
Example, on Tuesday 6/9 we emailed individuals mentioning they would be enabled the following Wednesday 6/10 at 9am 
(which gave users 1 day to self-enroll, final reminder)

Due to COVID, we changed our deployment, however, the increased security for our online community was important to 
everyone so the timing did not matter as much.  We did still take into consideration, avoiding Students, Faculty, and 
Student Service (Bursar, Reg&Rec, etc) around 2 weeks before & after start of school, which was preferred. We avoided 
staff around start of school too and avoided staff around annual enrollment (as part of our initial planning) or end of 
year around 2 weeks before & after end of year, that is preferred.

Thank you,
Heather

Heather Tomley Chester, MBA, MEd, PMP, ITIL, MSIT (Spring 2021)
ITS Sr. Project Manager
Loyola University of Chicago

[LUC 150 logo]



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of randy
Sent: Friday, October 9, 2020 4:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Duo enforcement for students

We picked a July 5, 2016 as our cutover date for everyone (F/S/S). We had a voluntary 6 month cutover period prior to 
that (1/2016-6/2016) where anyone could switch over before the official switchover date.
-Randy Marchany
VA Tech IT Security Office & Lab

On Fri, Oct 9, 2020 at 4:31 PM Kristen Dietiker <000001c25973bc27-dmarc-request () listserv educause 
edu<mailto:000001c25973bc27-dmarc-request () listserv educause edu>> wrote:
For those institutions that require Duo or some other multi-factor auth for students, how did you time the enforcement 
in terms of the academic calendar? Summer? Winter or Spring break? When classes were in session? And would you keep 
that choice if given a do-over?

Thank you!

--
Kristen Dietiker
Chief Information Security Officer
Santa Clara University
(408) 554-5554


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Attachment: Two Factor Lessons Learned - EDUCAUSE.pdf
Description: Two Factor Lessons Learned - EDUCAUSE.pdf

> --- Begin Message ---
>
>
> From: Chad Schonewill <cschonewill () COLORADOCOLLEGE EDU>
>
> Date: Mon, 10 Feb 2020 15:25:06 +0000
>
> 1. How far in advance did you begin communicating this coming change to students, and via which mediums (email, social, 
> portal injection pages, etc.)?
>
> We let students know it was coming months in advance in a general way as we were working on faculty and staff. Once we 
> started on students, we’d send them an email about 1 week prior to their account getting automatically enrolled letting 
> them know about that deadline and pointing them to the self-enrollment link.
>
>
>
> 2. Did you add all students at once, or did you use a staged approach (opt-in period, segmented populations, etc.)?
>
> We started with a batch of 50 students to see how that went, and then the next batch was 100, the next was 200, etc. 
> until the final batch of about 400.
>
>
>
> 3. What MFA options do your students have (token, app/push notifications, others)?
>
> Push notifications in the app / texted code on their phones / token (very few took advantage of the token)
>
>
>
> 4. Do your students retain their accounts after graduation, and if so, how do you handle this with regard to Duo? Do 
> they remain enrolled?
>
> They do retain their accounts after graduation. We have an automated process that runs for graduates which makes 
> changes to their accounts – one of those changes it to remove them from Duo.
>
>
>
> 5. Did you receive a large amount of pushback from students? What were your main complaints?
>
> We did not receive a large amount of pushback, but we heard through the grapevine that students complained to each 
> other and to faculty. Basically they just didn’t like the idea of the extra step. We had some spoonfulls of sugar to 
> help the medicine go down, though (such as removing forced password resets every 6 months once peoples’ accounts were 
> protected by Duo).
>
>
>
> 6. What LMS do you use, and how is Duo integrated with your LMS?
>
> Canvas, which we have integrated with our single sign-in (CAS). Since Duo applies to all CAS apps, nothing special had 
> to happen for Canvas.
>
>
>
> 7. How do you handle Duo enrollment for new, incoming students? Do they have a grace period for enrollment?
>
> Our plan is to have them do it immediately upon receiving their accounts over the summer. We found that Duo enrollment 
> is by far easiest and simplest when done at the beginning. Once people configure exchange profiles and such on various 
> devices, it becomes exponentially harder.
>
>
>
> 8. Any other lessons learned you'd like to share?
>
> ·         You need a plan for when students inevitably lose / break their cell phones after hours. We were able to 
> pretty easily develop a basic app through the Duo API which allows users to generate their own bypass codes (good for 3 
> uses for students) and we put that link on the single sign in page itself right next to the password reset link.
>
> ·         Be aware of which students are studying abroad and skip them until they are back on campus if possible.
>
> ·         Note that there are a lot of restrictions on Duo in China (notably, google play store is not available in 
> China, Duo push won’t work in China, and phone callback may or may not work in China) See more at 
> https://help.duo.com/s/article/2094?language=en_US so make sure that students who live in China or anyone who is 
> travelling there is aware of what to do.
>
>
>
> -----
> Chad Schonewill ‘03
> Office of Information Technology (ITS)
> Assistant Director, Solutions Services
> (719) 389-6941
> COLORADO COLLEGE
>
>
>
> From: The EDUCAUSE IT Communications Community Group Listserv <ITCOMM () LISTSERV EDUCAUSE EDU> On Behalf Of April Burke
> Sent: Monday, February 10, 2020 7:34 AM
> To: ITCOMM () LISTSERV EDUCAUSE EDU
> Subject: [ITCOMM] Student Duo Implementation
>
>
>
> This email originated outside Colorado College. Do not click links or attachments unless you know the content is safe.
>
>
>
> Good Morning Fellow Communicators,
>
>
>
> At Georgia Southern University, we're in the beginning stages of planning to roll out Duo for our entire student 
> population. This group was such a tremendous help in rolling Duo out to our faculty and staff that I thought I would 
> pick your brains once again. Below are a few questions our team has about implementing this service for students:
>
>
>
> 1. How far in advance did you begin communicating this coming change to students, and via which mediums (email, social, 
> portal injection pages, etc.)?
>
>
>
> 2. Did you add all students at once, or did you use a staged approach (opt-in period, segmented populations, etc.)?
>
>
>
> 3. What MFA options do your students have (token, app/push notifications, others)?
>
>
>
> 4. Do your students retain their accounts after graduation, and if so, how do you handle this with regard to Duo? Do 
> they remain enrolled?
>
>
>
> 5. Did you receive a large amount of pushback from students? What were your main complaints?
>
>
>
> 6. What LMS do you use, and how is Duo integrated with your LMS?
>
>
>
> 7. How do you handle Duo enrollment for new, incoming students? Do they have a grace period for enrollment?
>
>
>
> 8. Any other lessons learned you'd like to share?
>
>
>
> If you're willing to answer any or all of the questions above, your feedback is incredibly appreciated. Hope you all 
> have a great Monday.
>
>
>
> Thanks,
>
>
>
> April
>
>
>
>
>
>
>  
> <https://d36urhup7zbd7q.cloudfront.net/dff2249b-40aa-4b2a-9e79-b6f305bed7e3/ITScompleteRGB.format_png.resize_200x.png#logo>
>
>         April Burke
> Executive Communications Manager
>
> 912-478-8748<tel:912-478-8748>
>
> GeorgiaSouthern.edu/ITS<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgeorgiasouthern.edu%2FITS&data=02%7C01%7Ccschonewill%40COLORADOCOLLEGE.EDU%7Cf829088686be41923f7608d7ae365b00%7Ccfc7b13c12964387b3085de08fd13c99%7C1%7C0%7C637169420798025999&sdata=bYUbwv8ajLJnlJqrEaC57%2F1fEP5%2FTZEAXvxewCaV5%2Fc%3D&reserved=0>
>
> PO Box 8122 Statesboro GA 30460
>
>
>
>
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
> person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
> and subscription information can be found at 
> https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ccschonewill%40COLORADOCOLLEGE.EDU%7Cf829088686be41923f7608d7ae365b00%7Ccfc7b13c12964387b3085de08fd13c99%7C1%7C0%7C637169420798025999&sdata=i0WN4hxuaSbTA10lr%2F37ZbnGvz1tLWEoerBctLwDhyY%3D&reserved=0>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
> person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
> and subscription information can be found at https://www.educause.edu/community
>
>
> --- End Message ---