Frequently Asked Questions

The purpose of this FAQ is to document the practices of the Partners Enterprise Apple Support (PEAS) program, its software, and its processes in order to provide an authoritative reference to the community served by PEAS and foster understanding and transparency.

1. What is PEAS?
2. How are Macs enrolled in PEAS?
3. Is my Mac required to be enrolled in PEAS?
4. What is an institutionally owned Mac?
5. If my Mac is personally owned, do I need to enroll in PEAS?
6. How can a personally owned Mac validate compliance?
7. Is my Mac enrolled in PEAS?
8. What is Self Service?
9. How do I enroll my Mac in PEAS?
10. What is going to happen to my Mac when enrolled in PEAS?
11. What changes does PEAS make to my Mac?
12. What policies are required for Macs but not enforced by PEAS?
13. Will I still have administrative privileges on my Mac?
14. Does PEAS block any services such as iCloud, Dropbox, Google Drive, etc.?
15. Will enrollment in PEAS cause performance problems?
16. Will PEAS allow people to remotely access my Mac?
17. What data is NOT inventoried by PEAS?
18. What data is inventoried by PEAS?
19. What is done with the data inventoried by PEAS?
20. How is PEAS helping to limit data inventoried?
21. Who has access to PEAS?
22. Is there an opt-out option?
23. What if I have other questions?

1. What is PEAS?
Partners Enterprise Apple Support is the program of services that supports Apple devices within the Partners HealthCare community. Key to this support is the ability to facilitate compliance with federal and state regulations, and Partners HealthCare policies. PEAS also provides the Self Service application, the Partners app store providing access to Enterprise software and resources for our community.

2. How are Macs enrolled in PEAS?
All Macintosh computers purchased with institutional funds as of September 2013 are enrolled in the PEAS program. ERIS Technicians install the PEAS agent and Self Service application, then asset tag all Macs prior to receipt by the end user.

3. Is my Mac required to be enrolled in PEAS?
You are required to be enrolled in PEAS if you are conducting business on an institutionally owned Mac as defined by the Partners IT Asset Management Standards for Apple Macintosh Products (EISS-8.1d), which are effective August 1, 2015. View the "Partners PEAS Standard: IT Asset Management Standards for Apple Products" presentation (PHS login required).

4. What is an institutionally owned Mac?
Any Mac purchased through hospital or corporate funds, including research grants and sundry funds, is institutionally owned. Additionally, any Mac that has been donated, such as sponsor-funded equipment, is institutionally owned. All institutionally owned Macs are provisioned a Partners Asset Tag, which can be found on the bottom or rear of the device.

5. If my Mac is personally owned, do I need to enroll in PEAS?
Personally owned laptops used as a primary device for accessing Partners HealthCare systems or data (including email) are required to validate compliance with Information Security Policies, Standards and Procedures by enrolling in PEAS. Personally owned desktops not used as a primary device are not required to enroll in PEAS.

6. How can a personally owned Mac validate compliance?
Currently, there is only one acceptable method of validation that has been accredited and certified: PEAS.

7. Is my Mac enrolled in PEAS?
To check if you’re enrolled in PEAS, open your Applications folder. If the Self Service application is installed, you’re enrolled. To open your Applications folder, use the shortcut Command-Shift-A (⌘⇧A) from your desktop or Finder.

8. What is Self Service?
Self Service is an application similar to Apple's App Store. Self Service allows you to download software like MS Office 2011, software updates, and helpful web links. It offers Mac users flexibility in choosing what to install, and when to install it. Self Service automatically installs in your Applications folder once your Mac is enrolled in PEAS. The contents of Self Service are centrally managed by ERIS and are updated regularly, so check back often.

9. How do I enroll my Mac in PEAS?
To enroll your Mac in the PEAS Program, visit our Self Enroll page. The process takes less than 2 minutes and you will not need to reboot.

10. What is going to happen to my Mac when enrolled in PEAS?
In accordance with Partners Enterprise encryption policy, Macs enrolled in PEAS will have FileVault encryption turned on. Through PEAS, Partners will inventory your Mac to validate compliance with this policy. Inventory does not collect personal information, application usage or online activities.

11. What changes does PEAS make to my Mac?
The PEAS program follows the Partners HealthCare change management process. All changes are documented within ServiceNow, reviewed by the Change Advisory Board (CAB), and approved by ERIS leaders.

  • PEAS installs an end-user client and the Self Service application on your Mac.
  • A service account called "PHS Admin" will be created that has administrator privileges and is hidden from the login screen. The PHS Admin account is only used by PEAS infrastructure. No one at Partners knows this password. The account allows for secure communications between your Mac and the central inventory server. This password is changed automatically once per month to a randomized 24-digit password that is unique to your Mac.
  • PEAS will enable FileVault for encryption.
  • PEAS will disable Remote Login over SSH to prevent unauthorized access to your Mac. Remote Management is still enabled.
  • PEAS installs a Mobile Device Management (MDM) enrollment profile. The MDM profile allows security settings on your Mac to be remotely configured and enforced.
  • Certain configuration settings will be set to ensure compatibility with Partners applications, for instance Safari settings for Java and VPN.
  • For a full listing of the software components installed by the agent, please refer to JAMF Software's Kbase Article: JAMF Software Components Installed on a Managed Workstation.

12. What policies are required for Macs but not enforced by PEAS?
Macintosh computers are subject to all Partners policies and procedures. A few policies that require you to make changes to your Mac's configuration include the Screen Saver or Computer Timeout policy, the Partners Password Management Policy and the Vulnerability Management policy. View our Secure Your Mac page for more details.

13. Will I still have administrative privileges on my Mac?
Enrolling in PEAS will not remove administrative privileges nor will it prevent the download or installation of software.

14. Does PEAS block any services such as iCloud, Dropbox, Google Drive, etc.?
No services are blocked by PEAS. The intent is not to impede your ability to collaborate and do work, but to allow us to be able to provide better support and services.

15. Will enrollment in PEAS cause performance problems?
Enrollment in PEAS has never caused a performance issue on any of its 7000 Mac computers. If you are experiencing a problem, please contact us by opening a Service Desk request.

16. Will PEAS allow people to remotely access my Mac?
No PEAS administrator or technician will access your Mac remotely without your permission. PEAS administrators and technicians always leverage TeamViewer to allow you to exclusively grant access to your Mac for remote support.

17. What data is NOT inventoried by PEAS?
The PEAS inventory and policy server does not monitor application usage. It does not track online activities, browser history, or block websites. It does not catalog the contents of hard drives and does not inventory iTunes or iPhoto libraries. The inventory and policy server does not collect any of the following data. This list is not meant to be exhaustive; any information not listed as being collected in question 18 is not subject to collection.

  • Passwords
  • Location information
  • Browser history, form, bookmarks, credit card, or cache data
  • iCloud Keychain data
  • Contacts
  • iMessage history
  • Online activities
  • Reminders
  • Notifications
  • iTunes or iPhoto libraries
  • Any file, directory, or other hard drive content
  • Email and Calendar information
  • iCloud settings
  • Social media settings
  • Internet Account information
  • Security and Privacy settings outside of FileVault
  • iCloud drive information
  • AirDrop Data
  • Find My Mac status
  • Notes
  • System or event logs
  • iSight camera status
  • FaceTime information
  • PEAS does not alter any files or force install software

18. What data is inventoried by PEAS?

The inventory and policy server captures the following data from enrolled Macintosh computers. This data is not collected to inhibit personal privacy, but to support the Security & Privacy needs of the organization. PEAS may add additional collection fields when deemed necessary by the institutions. The majority of these collection points are required by the PEAS system in order to provide services. Any custom configured data collection determined by Partners is listed in the Extension Attributes section. This page will be updated to reflect any changes in collection, access, or policy.

General Information:

  • Computer name
  • PEAS Site (for departmental purposes)
  • Last inventory update (based on polling of client)
  • Last check-in date (the client contacted the server)
  • IP address
  • JAMF version (client software version)
  • Managed or Unmanaged
  • Last enrollment date
  • MDM capabilities
  • JAMF computer ID (ID assigned by server)
  • Asset Tag
  • Bluetooth low energy capable
  • Logged into iTunes store (not used)
  • Time Machine encryption status
  • Time since boot

Hardware information:

  • Make, Model, Model identifier
  • UDID (unique device ID)
  • Serial number
  • Processor type and number of processors
  • Bus speed
  • Cache size
  • Primary and secondary MAC address
  • Total RAM and available RAM slots
  • Battery capacity
  • SMC version (System Management Controller)
  • NIC Speed (Network Interface Controller)
  • Optical drive information, Boot ROM

Operating System:

  • Operating System, OS version, and build number
  • Active Directory status (bound to domain or not)
  • Master password set
  • FileVault users

Ownership information:
(populated by PPD and Active Directory)

  • Partners HealthCare ID
  • Full name
  • Email address
  • Phone number
  • Job title
  • Department
  • Institution
  • Location (building and room number)

Purchasing:

  • Purchased or leased (we do not lease)
  • Purchase order number and date
  • Vendor (Harvard, Apple, etc. – not used)
  • Warranty Expiration date (AppleCare end date)
  • AppleCare ID
  • Lease expiration (not used)
  • Purchase price (not used)
  • Life expectancy (refresh date - not used)
  • Purchasing account (not used)
  • Purchasing contact (not used)

Storage and disk encryption:

  • Disk model and revision number
  • Disk serial number
  • Disk drive capacity
  • S.M.A.R.T. status (Self-Monitoring, Analysis and Reporting Technology)
  • Number of disk partitions
  • Partition name(s) and size
  • Percentage of disk in use
  • FileVault 2 state
  • Core storage (Core Storage is a layer between the disk partition and the file system)
  • Partition scheme
  • FileVault 2 partition encryption state
  • Individual recovery key validation
  • Institutional recovery key (if individual recovery key is missing)
  • Disk encryption configuration
  • FileVault 2 enabled users

Extension Attributes (PEAS custom collected data)

  • Adobe Flash Player installed and version number
  • Apple Software updates needed
  • Bash vulnerability patched (ShellShock)
  • Cisco AnyConnect version
  • Current AirPort network (Wi-Fi network)
  • EnCase installation (Forensic Client Software)
  • Enterprise Vault installed and version
  • iWorm botnet detection
  • Java collection: JRE version, Java Web Plugin and version
  • Patch management enabled (beta program)
  • Patch management group (beta program)
  • PEAS terminator (un-enrollment tool)
  • PGP encryption status and percentage
  • Recovery partition presence
  • Screen-saver timeout
  • SSH Last used date
  • Syncplicity installed and version

19. What is done with the data inventoried by PEAS?
Information collected by PEAS is used to produce standard metrics (products purchased, operating system information, number of encrypted devices and enrollment per institution). PEAS provides reports on vulnerable systems, out-of-date devices, warranty information (AppleCare expiration), and other information.

20. How is PEAS helping to limit data inventoried?
PEAS keeps logs for 1 week. Information about the last check-in status is maintained.

21. Who has access to PEAS?

  • PEAS System Admins: Full access to the PEAS server and inventory is given only to JAMF Certified administrators within the PEAS program. Full administrator access is global for provisioning policy, accessing inventory, and software distribution.
  • Technicians: Access to a limited subset of services is granted to ERIS technicians for troubleshooting and inventory purposes. This group has access to view and update inventory data. This group cannot provision policy or software.
  • Site Admins: Access is limited to that department's owned Apple device inventory, and policy changes and software distribution are restricted.
  • Information Security Officers: Read-Only access is granted to inventory and reporting features.

For a detailed list of Partners employees who are members of these groups, please contact the Service Desk: http://www.partners.org/isservicedesk.

22. Is there an opt-out option?
A variance process exists for systems that cannot be encrypted or have software installed on them (e.g., instrumentation). This variance must be applied for and approved by Information Security. Initiate this process by completing the ISPO Cybersecurity Variance Request Form in ServiceNow.

23. What if I have other questions?
For assistance please contact the Service Desk: http://www.partners.org/isservicedesk or contact the Information Security & Privacy Office at CISPO@partners.org.