Accelerator Division End User Computer Support Standard

This document is intended to provide end users, Distributed Experts, and department management the information to procure, deploy, and utilize computer and network resources in Accelerator Division (AD). This standard is only applicable to desktop and laptop computers used for lab business. This standard does not apply to other network devices, such as scopes that run embedded operating systems (these devices are generally restricted to the protected Controls system network).

This standard has been created by and is managed by the Accelerator Division Controls Networking Group (Networking Group). Any questions about this standard can be addressed to the Networking Group at bd-network@fnal.gov

This standard is a supplement to Fermilab's Policy on Computing and is not a replacement for it. This standard establishes the expectations for service levels provided to Accelerator Division end users as well as the additional restrictions and requirements placed upon all Accelerator Division personnel. This also serves to document various required procedures used to implement these policies and standards.

Summary

Please continue below for full details. In short, the AD End User Computer Support Standard is:

Support

Computers in Accelerator Division are supported by a multi-tiered structure:

Users

Computers in AD are government-purchased resources made available to users for the purpose of conducting lab business. It is the responsibility of the user to make the most of these resources and to protect the availability of these resources by using them in a manner consistent with lab policies and division standards. Core Computing Division and the Networking Group have made available for users numerous online information resources to use in solving routine issues. In the event users are unable to correct issues on their own with the aid of these resources, it is the responsibility of the user to contact and work with the Service Desk or their Distributed Expert to correct the problem.

Service Desk

The Service Desk is a section of Core Computing Division. If a user is unable to contact their Distributed Expert, they should contact the Service Desk. The Service Desk will forward the request for assistance to the appropriate party in AD. The Service Desk can handle some minor issues directly for users, such as managed print problems, account unlocks, and password resets. The Service Desk can be reached at x2345 or here: https://fermi.service-now.com/fsc/.

Distributed Experts

Each department has at least one Distributed Expert. More often than not, these Distributed Experts are pulled from the ranks of the department, but they might also be a member of the Networking Group. Distributed Experts are the primary contacts for users' computer questions and concerns. Distributed Experts meet occasionally with the Networking Group and follow the guidance and procedures established by the Networking Group. Distributed Experts share responsibility for the administration of computer systems in their department. Distributed Experts are expected to escalate unsolved issues to the Networking Group or the Service Desk, as appropriate.

A list of Distributed Experts is available here: http://www-bd.fnal.gov/net/localadminlist/.

Networking Group

The members of the Networking Group are the division's domain administrators. Using the Core Computing Division's policies, the Networking Group oversees and provides for the best possible utilization of computing resources in the division. The Networking Group coordinates with Core Computing Division to provide access to site-wide services to the division. The Networking Group is responsible for the network infrastructure—cabling, switches, access points, routers— and networking resources—IP addresses, VLANs, etc.—used in the division. The Networking Group is responsible for most network servers in the division and assists in the administration of the remaining servers not under their direct control. The Networking Group is responsible for the creation of all machine OS images used in the division, and all computing resources in the division ultimately fall under the supervision of the Networking Group. The Networking Group manages software licensing for some applications used division-wide and assists departments in managing departmental software licensing. The Networking Group provides centrally managed resources for use by all division users to protect Fermilab data through file and/or image backups.

Supported Platforms

Microsoft Windows, Apple Mac OS X, and Scientific Linux Fermi are all supported Operating System (OS) platforms in AD, but the Networking Group will only approve and support particular versions of each of these operating systems for use (please see next section). Operating systems that do not meet the currently approved levels will not be allowed on the general network.

The Networking Group continually evaluates and tests operating systems and platforms that comply with Fermilab computing policy, with the goal of providing the best resources for computer users in AD. If a user believes a non-approved OS is needed, that user can request an exception. This exception must be approved by the Networking Group, the user's department head, and division management.

Operating Systems & Patch Levels

In order to be allowed access to the general network, users' machines must run approved operating systems, security updates, applications, and plug-ins, and must maintain each at a specific minimum patch level. For a complete listing of the current software versions, please go to http://adtiny.fnal.gov/15

Operating System Images

OS images ensure that a machine properly abides by all of the lab's baselines and security policies. All physical and virtual machines in the division are expected to use an OS image whenever an image is available for the platform. The Networking Group determines which machines are eligible to run an OS image and creates all OS images used in the division. If there is no image available for a particular computer, the Networking Group will need to confirm the machine's configuration before it can be deployed on the network. Machines not running an AD OS image will be given the lowest support priority.

Multiple OS Booting

Multiple OS Booting, aka dual booting, is prohibited without exception.

Computer Procurement

The Networking Group is responsible for obtaining new computers for users. This is normally handled by purchasing "bulk order" machines. The bulk order consists of the computers (Windows- and Linux-compatible systems as well as Apple Macintoshes) that the Networking Group has determined best meet the needs of the division at the time of purchase.

Unless an exception has been granted, only bulk order machines will be deployed to users when a new or replacement computer system is requested. In the event of a special usage case, users or their department can request a special order machine be purchased. This special order must be approved by the Networking Group, the department head, and divisional management. Departments are responsible for the cost of special orders and are required to submit a Purchase Requisition with the AIP.

All requests for new computers, whether bulk order or special order, must be submitted via the Abbreviated Implementation Plan (AIP) form, available here: https://www-bd.fnal.gov/cgi-net/AD_AIPForm.pl

The Networking Group will evaluate each AIP individually and will approve/deny before forwarding on to the department head and then to division management, for approval. The AIP evaluation process is the point at which it will be determined if a laptop or a desktop system best matches the user's computing needs.

All newly purchased machines, whether bulk order or special order, will be delivered directly to the Networking Group for initial configuration, with no exceptions.

Computer Assignment

AD will provide a computer for each employee whose supervisor determines there is a need. Only one machine will be assigned to a user at one time unless there is a valid exception, based upon a lab business need and with the approval of the Networking Group, department management, and division management. Deploying multiple machines to users without a valid need results in extra costs, is an inefficient use of resources, and can lead to management and security concerns. Assigned computers will be evaluated every three to five years and, in the interest of the best utilization of resources, be upgraded or replaced if needed. Supervisors can request an earlier machine replacement through an AIP with proper justification.

AD does not provide separate systems for use offsite in users' homes. If a user has a recurring and compelling need to use a Fermilab computer offsite, that computer will be a laptop which they can use both on and off site for lab business.

Users, their immediate supervisors, and the Networking Group will work together to determine which computing platform (Windows, Mac OS X, or Scientific Linux Fermi) will be deployed to the user. This choice will largely be based upon the software applications that will be needed for the user to properly perform their job.

Temporary Use Machines

Temporary Use Machines (a.k.a. "Loaner" or "Summer Student Machine") can be requested from the Networking Group without having to make a formal AIP request. Temporary Use Machines will be available on a first-come-first-served basis. The stock of Temporary Use Machines is likely to be composed of previously deployed and/or older model machines. The expectation is that Temporary Use Machines will be deployed for a limited period of less than six months. If a user or department needs a machine for longer than this limited time period, they must either seek an exception from the Networking Group or request a permanently deployed machine via the AIP process.

Departing User’s Machines

In the event a user leaves the lab, the computer assigned to the user at the time of their departure must be returned to the Networking Group. If needed, the Networking Group will work with the user's manager to archive the user's data to a network file share. If the department needs to maintain use of the computer, a request can be made to the Networking Group to retain the machine. If the Networking Group agrees to the request, the department must return a different computer to the Networking Group to fulfill the machine return.

Virtual Machines & Terminal Servers

Ideally the computer assigned to a user will meet that user's software needs. In the event a user needs to run particular applications not available on their assigned platform, or needs an environment for development use, the user should work with the Networking Group to have the applications installed and configured on one of the managed Terminal Servers for remote use. If the application will not work properly on a Terminal Server, or offline access is needed, a virtual machine can be used.

All virtual machine guest operating systems must originate from OS images created by the Networking Group. If a user's virtual machine needs cannot be met by a Networking Group OS image, the user can create a new virtual machine image, but that newly created virtual machine will be held to certain restrictions, up to and including the denial of any network access.

All virtual machines must be used in accordance with lab and division computer policies.

Virtual machines running any version of Windows must be requested through the AIP form, available here: https://www-bd.fnal.gov/cgi-net/AD_AIPForm.pl. The Networking Group will approve/deny each AIP before department head and division management approval. All costs associated with Windows installations on virtual machines will be charged to the user's department.

Computer Hardware Lifecycle

When dealing with aged computers, the Networking Group will work with the Distributed Experts to determine the usefulness of older systems. It is in the interest of the division to maximize the use and service life of each deployed computer, but this must be weighed against the cost to maintain, performance issues, security concerns, and similar factors. Under certain circumstances, it might be possible to cascade some older systems into deployments where computing needs are lower, or to maintain an older system for an extended period of time to support a particular experiment or system. Redeployed older machines will likely be subject to certain restrictions, such as network access being limited to the Controls Network only, or the user having greater responsibilities placed upon them for the administration of the machine.

The Networking Group will take all factors into consideration when making its decision about the classification of the system. If the Networking Group determines that there is some utility left in a particular computer, that system will be redeployed for use. If the Networking Group determines that a computer has reached the end of its useful life, that system will be declared End of Life (EoL). All EoL computers will be transferred to Surplus. EoL machines sent to Surplus cannot be recovered for use in the general AD network.

Please refer to the Operating Systems & Patch Levels section for further details about what classifies a machine as current.

Client & Inventory Management Software

All physical and virtual machines must run, without exception, client and inventory management software utilized by the Networking Group. Failure to run said software will forfeit network access for that particular machine.

Network Services

Network services include such functions as file sharing, internet sharing, web hosting, and FTP server hosting. Other than SSH with Kerberos authentication and Windows Remote Desktop secured through domain policy, users will not be allowed to run network services on individual machines unless an exception has been granted by the Networking Group and approved by both the user's supervisor and division management. The Networking Group provides centrally managed servers that can provide all needed network services and can grant users access to these servers and services if needed. Requests, which must include justification, can be sent to bd-net-support@fnal.gov.

Data Backup

All data created with Fermilab computers is the property of the Department of Energy. Per Department of Energy and Fermilab policies, users are responsible for ensuring the reliability and reproducibility of all data created, edited, or altered for lab business. In AD, the preferred way to handle this task is to use the network shares ("Y" and "Z" drives) provided for all users. The Y drive is a "group share" that can be accessed by everyone in the same department. The Z drive is a "users share" that can only be accessed by the individual user. These shares are accessible from any of the supported platforms provided the user's machine has a valid network connection and the user has a Domain or Kerberos principal. These shares are backed up to tape nightly by the Networking Group.

Time Machine or disk cloning is also a valid way of backing up data so that it can be restored if lost.

Personally Owned Computers & Devices

Personally owned computers and devices (iOS devices, Android OS devices, etc.) are restricted to the lab's FGZ wireless DHCP network. Personally owned devices will not be granted a static IP address and may be restricted from accessing certain network services. All DOE, Fermilab, and division computing policies, including the potential search and seizure by the DOE Office of the Inspector General, are applicable to personally owned computers and devices when those systems are connected to any FNAL network.

Last Edited: August 31, 2015
