August 8, 2023
1. What is PEAS?
The Program for Enterprise Apple Services supports Apple devices within the Mass General Brigham community. Key to this support is the ability to facilitate compliance with federal and state regulations and with Mass General Brigham policies. PEAS also provides the Self Service application, the MGB app store that gives our community access to enterprise software and resources.
2. How are Macs enrolled in PEAS?
PEAS leverages JAMF Pro on all of our Mac desktops and laptops. Apple computers purchased with institutional funds as of September 2013 are enrolled in the PEAS program automatically. Our Apple Professional Services provider installs the JAMF agent and the Self Service application and asset-tags all Macs before they are received by the end user.
3. Is my Mac required to be enrolled in PEAS?
You are required to be enrolled in PEAS if you are conducting business on an institutionally owned Mac as defined by the IT Asset Management Standards for Apple Macintosh Products (EISS-8.1d) policy.
4. What is an institutionally owned Mac?
Any Mac purchased through hospital or corporate funds, including research grants and sundry funds, is institutionally owned. Additionally, any Mac that has been donated, such as sponsor-funded equipment, is institutionally owned. All institutionally owned Macs are provisioned a Mass General Brigham Asset Tag, which can be found on the bottom or rear of the device.
5. If my Mac is personally owned, do I need to enroll in PEAS?
Personally owned laptops used to access Mass General Brigham systems or data (including email) are required to validate compliance with Information Security Policies, Standards and Procedures by enrolling in PEAS.
6. How can a personally owned Mac validate compliance?
Currently, there is only one acceptable method of validation that has been accredited and certified: PEAS.
7. Is my Mac enrolled in PEAS?
To check if you're enrolled in PEAS, open your Applications folder. If the Self Service application is installed, you're enrolled. To open your Applications folder, use the shortcut Command-Shift-A (⌘⇧A) from your desktop or Finder.
8. What is Self Service?
Self Service is an application similar to Apple's App Store. Self Service allows you to download software such as Office 365, software updates, and helpful web links. It offers Mac users flexibility in choosing what to install and when to install it. Self Service is installed automatically in your Applications folder once your Mac is enrolled in PEAS. The contents of Self Service are centrally managed by the PEAS team and are updated regularly, so check back often.
9. How do I enroll my Mac in PEAS?
To enroll your Mac in the PEAS Program, visit the enroll.partners.org page. The process takes less than 2 minutes and you will not need to reboot.
10. What is going to happen to my Mac when enrolled in PEAS?
In accordance with the Mass General Brigham encryption policy, Macs enrolled in PEAS will have FileVault2 encryption turned on. Through PEAS, Partners will inventory your Mac to validate compliance with this policy. Inventory does not collect personal information, application usage or online activities.
11. What changes does PEAS make to my Mac?
The PEAS program follows the Mass General Brigham change management process. All changes are documented within ServiceNow, reviewed by the Change Control Board (CCB), and approved by ERIS leaders.
- PEAS installs an end-user client and the Self Service application on your Mac.
- A service account called "MGB Admin" will be created that has administrator privileges and is hidden from the login screen. The MGB Admin account is used only by PEAS infrastructure. No one at Mass General Brigham knows this password. The account allows for secure communications between your Mac and the central inventory server. This password is changed automatically once per month to a randomized 24-digit password that is unique to your Mac.
- PEAS will enable FileVault2 for encryption.
- PEAS installs a Mobile Device Management (MDM) enrollment profile. The MDM profile allows security settings on your Mac to be remotely configured and enforced.
- Certain configuration settings will be set to ensure compatibility with Partners applications, for instance Safari settings for Java and VPN.
- PEAS installs the ForeScout SecureConnector (NAC agent) on your Mac for network access control and compliance.
- CrowdStrike Anti-Virus is installed. To verify, look for Falcon.app in the Applications folder.
- The PEAS Menu is a widget in the toolbar with quick links to Mac compliance status and remediation, the H: Drive, and others.
- For a full listing of the software components installed by the agent, please refer to JAMF Software's Kbase Article: JAMF Software Components Installed on a Managed Workstation.
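As an added example that is not part of the FAQ or of the PEAS program's own tooling, the following read-only shell self-check looks for the components listed above on an enrolled Mac. It assumes the application names given above ("Self Service.app", "Falcon.app") and that the MGB Admin account's short name is "MGB Admin" (the FAQ gives only its display name); the parsers take command output as arguments so they can be exercised off-Mac. The ForeScout agent and the PEAS Menu are not checked because the page does not give their install paths.

```shell
#!/bin/sh
# Added example: read-only audit of the components the PEAS FAQ says are
# installed on an enrolled Mac. Not PEAS code; names are taken from the FAQ
# and the "MGB Admin" short name is an assumption.

# Usage: app_present <applications-dir> <app-name>  (e.g. "Self Service")
app_present() { [ -d "$1/$2.app" ]; }

# `fdesetup status` prints "FileVault is On." when the boot volume is encrypted.
filevault_on() { printf '%s\n' "$1" | grep -q '^FileVault is On\.'; }

# `profiles status -type enrollment` prints "MDM enrollment: Yes (...)" when
# an MDM enrollment profile is installed.
mdm_enrolled() { printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'; }

# `dscl . -list /Users` prints one short name per line; match a whole line.
account_present() { printf '%s\n' "$1" | grep -qx "$2"; }

# Run the live checks on a Mac and print one verdict per FAQ item.
# Returns 0 only when every expected component is present.
peas_audit() {
  rc=0
  if app_present /Applications "Self Service"; then echo "OK      Self Service.app (enrolled)"
  else echo "MISSING Self Service.app (not enrolled)"; rc=1; fi
  if app_present /Applications "Falcon"; then echo "OK      CrowdStrike Falcon.app"
  else echo "MISSING Falcon.app"; rc=1; fi
  if filevault_on "$(fdesetup status 2>/dev/null)"; then echo "OK      FileVault2 on"
  else echo "FAIL    FileVault2 off"; rc=1; fi
  if mdm_enrolled "$(profiles status -type enrollment 2>/dev/null)"; then echo "OK      MDM profile installed"
  else echo "FAIL    no MDM enrollment profile"; rc=1; fi
  if account_present "$(dscl . -list /Users 2>/dev/null)" "MGB Admin"; then echo "OK      MGB Admin account present"
  else echo "FAIL    MGB Admin account not found (short name assumed)"; rc=1; fi
  return $rc
}

# The live audit only makes sense on macOS; the parsers above run anywhere.
if [ "$(uname)" = Darwin ]; then peas_audit; fi
```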
12. What policies are required for Macs but not enforced by PEAS?
Macintosh computers are subject to all Mass General Brigham policies and procedures. A few policies that require you to make changes to your Mac's configuration include the Screen Saver or Computer Timeout policy, the Mass General Brigham Password Management Policy and the Vulnerability Management policy. See our Secure Your Mac page for more details.
13. Will I still have administrative privileges on my Mac?
Enrolling in PEAS will not remove administrative privileges nor will it prevent the download or installation of software.
14. Does PEAS block any services such as iCloud, Dropbox, Google Drive, etc?
No services are blocked by PEAS. The intent is not to impede your ability to collaborate and do work, but to allow us to be able to provide better support and services.
15. Will enrollment in PEAS cause performance problems?
Enrollment in PEAS has never caused a performance issue on any of its 20,000+ Mac computers. If you are experiencing a problem, please contact us by opening a Service Desk request.
16. Will PEAS allow people to remotely access my Mac?
No PEAS administrator or technician will access your Mac remotely without your permission. PEAS administrators and technicians always leverage TeamViewer to allow you to exclusively grant access to your Mac for remote support.
17. What data is NOT inventoried by PEAS?
The PEAS inventory and policy server does not monitor application usage. It does not track online activities or browser history, and it does not block websites. It does not catalog the contents of hard drives and does not inventory iTunes or iPhoto libraries. The inventory and policy server does not collect any of the following data. This list is not meant to be exhaustive; any information not listed as collected in question 18 is not subject to collection.
- Location information
- Browser history, form, bookmarks, credit card, or cache data
- iCloud Keychain data
- iMessage history
- Online activities
- iTunes or iPhoto libraries
- Any file, directory, or other hard drive content
- Email and Calendar information
- iCloud settings
- Social media settings
- Internet Account information
- Security and Privacy settings outside of FileVault
- iCloud drive information
- AirDrop Data
- Find My Mac status
- System or event logs
- iSight camera status
- FaceTime information
- PEAS does not alter any files or force-install software
18. What data is inventoried by PEAS?
The inventory and policy server captures the following data from enrolled Macintosh computers. This data is not collected to inhibit personal privacy, but to support the security and privacy needs of the organization. PEAS may add collection fields when deemed necessary by the institutions. The majority of these collection points are required by the PEAS system in order to provide services. Any custom data collection configured by Mass General Brigham is listed in the Extension Attributes section. This page will be updated to reflect any changes in collection, access, or policy.
- Computer name
- PEAS Site (for departmental purposes)
- Last inventory update (based on polling of client)
- Last check-in date (the client contacted the server)
- IP address
- JAMF version (client software version)
- Managed or Unmanaged
- Last enrollment date
- MDM capabilities
- JAMF computer ID (ID assigned by server)
- Asset Tag
- Bluetooth low energy capable
- Logged into iTunes store (not used)
- Time Machine encryption status
- Time since boot
- Make, Model, Model identifier
- UDID (unique device ID)
- Serial number
- Processor type and number of processors
- Bus speed
- Cache size
- Primary and secondary MAC address
- Total RAM and available RAM slots
- Battery capacity
- SMC version (System Management Controller)
- NIC Speed (Network Interface Controller)
- Optical drive information, Boot ROM
- Operating System, OS version, and build number
- Active Directory status (bound to domain or not)
- Master password set
- FileVault users
User and purchasing information (populated by PPD and Active Directory):
- Mass General Brigham ID
- Full name
- Email address
- Phone number
- Job title
- Location (building and room number)
- Purchased or leased (we do not lease)
- Purchase order number and date
- Vendor (Harvard, Apple, etc. – not used)
- Warranty Expiration date (AppleCare end date)
- AppleCare ID
- Lease expiration (not used)
- Purchase price (not used)
- Life expectancy (refresh date - not used)
- Purchasing account (not used)
- Purchasing contact (not used)
Storage and disk encryption:
- Disk model and revision number
- Disk serial number
- Disk drive capacity
- S.M.A.R.T. status (Self-Monitoring, Analysis and Reporting Technology)
- Number of disk partitions
- Partition name(s) and size
- Percentage of disk in use
- FileVault 2 state
- Core storage (Core Storage is a layer between the disk partition and the file system)
- Partition scheme
- FileVault 2 partition encryption state
- Individual recovery key validation
- Institutional recovery key (if individual recovery key is missing)
- Disk encryption configuration
- FileVault 2 enabled users
Extension Attributes (PEAS custom collected data):
- Adobe flash player installed and version number
- Apple Software updates needed
- Bash vulnerability patched (ShellShock)
- Cisco AnyConnect version
- Current AirPort network (Wifi network)
- EnCase installation (Forensic Client Software)
- Enterprise Vault installed and version
- iWorm botnet detection
- Java collection: JRE version, Java Web Plugin and version
- Patch management enabled (beta program)
- Patch management group (beta program)
- PEAS terminator (un-enrollment tool)
- PGP encryption status and percentage
- Recovery partition presence
- Screen-saver timeout
- SSH Last used date
- Syncplicity installed and version
19. What is done with the data inventoried by PEAS?
Information collected by PEAS is used to produce standard metrics (products purchased, operating system information, number of encrypted devices and enrollment per institution). PEAS provides reports on vulnerable systems, out of date devices, warranty information (Apple Care expiration), and other information.
20. How is PEAS helping to limit data inventoried?
PEAS keeps logs for 1 week. Information about the last check-in status is maintained.
21. Who has access to PEAS?
- PEAS System Admins: Full access to the PEAS server and inventory is given only to JAMF Certified administrators within the PEAS program. Full administrator access is global for provisioning policy, accessing inventory, and software distribution.
- Technicians: Access to a limited subset of services is granted to ERIS technicians for troubleshooting and inventory purposes. This group has access to view and update inventory data. This group cannot provision policy or software.
- Site Admins: Access is limited to that department's own Apple device inventory, and excludes policy changes and software distribution.
- Information Security Officers: Read-Only access is granted to inventory and reporting features.
For a detailed list of Mass General Brigham employees who are members of these groups, please contact the Service Desk.
22. Is there an opt-out option?
A variance process exists for systems that cannot be encrypted or cannot have software installed on them (e.g., instrumentation). This variance must be applied for and approved by Information Security. Initiate this process by completing the ISPO Cybersecurity Variance Request Form in ServiceNow.
23. How do I un-enroll from PEAS?
To request un-enrollment from PEAS, please submit a request to the IS Service Desk (massgeneralbrigham.org/isservicehub). Your Site Security Officer will review the request and either approve or deny it, then transfer the request to the appropriate queue so the Mac can be unmanaged and, if applicable, removed from Apple's DEP (Device Enrollment Program).