Educause Security Discussion mailing list archives

Re: Duo enforcement for students


From: "Chester, Heather" <htomley () LUC EDU>
Date: Mon, 12 Oct 2020 20:06:15 +0000

Kristen,
Thank you for asking.  It depends on what you’d like to put into it, if you have project managers, and what 
communication channels/support you may have.

The weekly enablement emails can be a lot of work but it’s very helpful to have a balanced enablement spread out over a 
couple months and let leaders decide when to enable their groups.  We are fortunate b/c we had a dedicated PM and were 
able to get another resource to help with creating / refreshing the not-enrolled distribution groups, (b/c some people 
would have self-enrolled). The PM also created a lot of the marketing materials and shared with over 15 different 
communication touch points to help get the word out (newsletters, social media, weekly faculty communications, 
orientation materials, high traffic app log-in pages mentioning MFA required).  If you can create generic 
communications (for faculty, staff, and students), and obtain support from campus partners with sending out the 
communications on a schedule, that would be immensely helpful. Perhaps you could share a general communication for the 
different communication channels to share, with their own emphasis (you just need a tag line – our tag line was “MFA 
protects you even if your password becomes compromised”).

We are very lucky as collaboration and buy-in is very important across our institution and several academic and 
operational groups were committed to schedule a “best week” or “best month” for their areas to be enabled.

You would need:
1 presentation at the Cabinet, requesting support
1 email for the Dean’s Council, requesting support (and that they can share with their schools)
1 email that you will be sending individually to each academic leader or operations leader requesting their support to 
schedule their division/group
1 email for the university community mentioning the kickoff and why the university is enabling MFA (formalizing what to 
expect, high-level)
A couple marketing ideas about how to pitch MFA (we mentioned, “MFA is required for the Fall.  Enroll today! 
https://www.luc.edu/its/services/mfa/ “) or (“Get double the protection with MFA.  Enroll today”).
1 enablement email that you will send three times
A PM or IT resource to dedicate 20% of their time to coordinating the work, creation / deployment of the marketing 
materials, running weekly project mtgs to address any concerns/issues, create distribution groups for not-enrolled 
users.

On another note, from our research, several other universities have deployed with a big bang approach and usually see 
an impact to the service desk for 2-3 days.  With all the “change” around the pandemic, we wanted as little “new” to 
people’s adoption to technology and security, while ensuring the value of enabling MFA remained high (which we’ve even 
received several likes on social media, which was a bonus).  Another smaller institution deployed as we also deployed 
and they mentioned it was very helpful with providing a balanced approach that was very supportive across the 
university community.  Happy to discuss further if it may help.

Thank you,
Heather
htomley () luc edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kristen Dietiker
Sent: Monday, October 12, 2020 11:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Duo enforcement for students

Thanks Heather, I'm intrigued by your weekly rollout plan. My initial fear is that it would create additional burden on 
IT staff to manage the logistics and communications for so many enrollment days. How did you manage that?
--
Kristen Dietiker
Chief Information Security Officer
Santa Clara University
(408) 554-5554



On Mon, Oct 12, 2020 at 6:50 AM Chester, Heather <htomley () luc edu> wrote:
First off, many thanks to the Educause community for constantly sharing.  There was a wealth of information we used to 
plan our roll-out.  We focused on a very collaborative deployment and balancing impact to the Service Desk. See 
attached/below and use if helpful.

We had a roll-out plan over 5 months, for active faculty, staff, students.  We also requested Student Development, 
Deans of Schools, and Leaders of Staff Divisions to identify when would be the best time for their group to enable MFA 
over a couple weeks (and remind them that anyone could opt-in at any time ahead of time).  We enabled groups of people 
weekly (comm outline below).  Due to COVID, we deferred our initial launch plans (Jan thru May, now May-Sept).

Overview
Pilot with internal IT teams (2 or 3 enablements)
Pilot “friendly” operations non-IT groups that use ITS service often (to gain a wider university perspective)
Presented the launch of MFA to the Cabinet (and sent additional communications to Dean’s Council of this initiative) 
and Global Comm to University this would be required
Sought partnership with Student Development, Deans of Schools, and Leaders of Staff Divisions when would be best for 
their areas to be enabled during this timeframe (gave 2 weeks to respond. Goal was to have all groups scheduled within 
2-3 weeks & deploy over 4 mo’s).
Roll-out over 4 months, first with faculty after graduation (May/June), then staff (June and July), then students 
(June/July/early August). Moved all inactive accounts over the course of the deployment, or new accounts as they were 
enabled.
Communicated through 5-7 unique channels (faculty, staff, and student) encouraging self-enrollment (even before 
required by scheduled group dates, which drove adoption).
Had videos, we have detailed step-by-step instructions, and FAQs on the website, and offered weekly Zoom Drop-In 
sessions on Monday & Tuesday (and offered individuals to schedule a 1-1 walk thru with Info Security Office)

Weekly Enablements
Example, on Monday 6/1 we emailed individuals mentioning they would be enabled the following Wednesday 6/10 at 9am 
(which gave users 10 days to self-enroll)
Example, on Monday 6/8 we emailed individuals mentioning they would be enabled the following Wednesday 6/10 at 9am 
(which gave users 2 days to self-enroll)
Example, on Tuesday 6/9 we emailed individuals mentioning they would be enabled the following Wednesday 6/10 at 9am 
(which gave users 1 day to self-enroll, final reminder)

Due to COVID, we changed our deployment, however, the increased security for our online community was important to 
everyone so the timing did not matter as much.  We did still take into consideration, avoiding Students, Faculty, and 
Student Service (Bursar, Reg&Rec, etc) around 2 weeks before & after start of school, which was preferred. We avoided 
staff around start of school too and avoided staff around annual enrollment (as part of our initial planning) or end of 
year around 2 weeks before & after end of year, that is preferred.

Thank you,
Heather

Heather Tomley Chester, MBA, MEd, PMP, ITIL, MSIT (Spring 2021)
ITS Sr. Project Manager
Loyola University of Chicago




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of randy
Sent: Friday, October 9, 2020 4:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Duo enforcement for students

We picked July 5, 2016 as our cutover date for everyone (F/S/S). We had a voluntary 6 month cutover period prior to 
that (1/2016-6/2016) where anyone could switch over before the official switchover date.
-Randy Marchany
VA Tech IT Security Office & Lab

On Fri, Oct 9, 2020 at 4:31 PM Kristen Dietiker <000001c25973bc27-dmarc-request () listserv educause edu> wrote:
For those institutions that require Duo or some other multi-factor auth for students, how did you time the enforcement 
in terms of the academic calendar? Summer? Winter or Spring break? When classes were in session? And would you keep 
that choice if given a do-over?

Thank you!

--
Kristen Dietiker
Chief Information Security Officer
Santa Clara University
(408) 554-5554


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


