OFFICE OF THE CHIEF INFORMATION SECURITY OFFICER
OFFICE OF THE CHIEF INFORMATION SECURITY OFFICER,
UC SAN DIEGO HEALTH
ALL ACADEMICS AND STAFF AT UC SAN DIEGO, INCLUDING UC SAN DIEGO HEALTH
Secure Connect: What to Expect with the Implementation of Network Access Control
Dear UC San Diego Community,
As part of the Secure Connect program, UC San Diego is implementing Network Access Control (NAC) to ensure that only secure, compliant devices can connect to trusted university resources. This phased rollout, specifically tailored for our campus, supports a UC-wide cybersecurity mandate and prioritizes user experience, privacy, and operational continuity.
What’s Changing?
To connect to trusted resources through UCSD-PROTECTED Wi-Fi, campus Virtual Private Network (VPN), or most Wired networks, your device must meet a set of mandated security standards.
- Managed devices (overseen by a designated Unit Information Security Lead) will be handled by the local IT teams. Unless you hear otherwise from your IT support staff, no action is required.
- Unmanaged (personal or self-managed) devices will require installation of Microsoft Intune or an approved exception. Microsoft Intune will automate steps required to meet mandated security standards. Learn more about Microsoft Intune and how it will be used.
- Mobile devices including tablets are out of scope of this effort.
What’s a trusted resource and do I need it to do my job?
- Any IT resource (systems, database, equipment, etc.) that is not accessible from off-campus without first connecting to the VPN is considered a trusted resource.
- Most business applications, instructional systems, productivity software and collaboration tools (e.g., Zoom, Microsoft Teams, Google Workspace, UCPath, Canvas, Kuali Research, OneDrive) do not require access to trusted resources.
- Additionally, we expect that as of June 1, 2025, Library resources will be available via Single Sign-on (SSO) and no longer require the VPN.
- Local printers will be accessible, if configured, from Eduroam Wireless. Intune enrollment is not required.
What to expect for devices connected via UCSD-PROTECTED Wireless and VPN
- To minimize disruption and ensure adequate and timely support for our users, Network Access Control will be enabled in phases beginning with UCSD-PROTECTED Wireless for all academics and staff (excluding students and student employees), starting in May 2025.
- IT Services, in collaboration with a variety of IT groups across campus, is leading the way in adopting this solution, to help ensure a smooth transition for the rest of the university. We’re grateful for these partners and the early adopters joining us in this important step forward.
NAC Phased Enforcement Schedule
Phase 1 – Starting May 27, 2025
- ITS-Supported Areas
- UC San Diego Health Sciences
- SDSC IT 2
- OEC IT (enforcement will begin on June 3)
Phase 2 – Starting June 17, 2025
- Extended Studies
- SPS IT
- Social Sciences
- Arts & Humanities
- Global Policy & Strategy
Phase 3 – Starting July 1, 2025
- San Diego Supercomputer Center
- Scripps Institution of Oceanography
- Preuss IT
Phase 4 – Starting July 15, 2025
- Rady School of Management
- Biological Sciences
- School of Computing, Information & Data Science (incl. HDSI)
- Physical Sciences (5 depts)
- Qualcomm Institute / CalIT2
- Jacobs School of Engineering (7 depts)
- Preuss School
- The Library
What to expect once enforcement begins
- Once the enforcement phase begins and Intune enrollment is enabled, users with unmanaged devices who require access to trusted resources but are not yet compliant will be redirected to enroll in Microsoft Intune.
- Users who require access to trusted resources but cannot enroll in Microsoft Intune will be given the option to contact support and/or file an exception for review.
- Upon successful enrollment in Intune or with an approved exception on file, users will be able to access trusted resources through the UCSD-PROTECTED wireless network.
What to expect for devices connected via the Wired Network
- Devices connected via the Wired Network will be handled on a lab-by-lab basis, to reflect the unique needs of our research enterprise.
- Each unit will reach out to their faculty and researchers separately to schedule time to onboard their lab.
- Once an individual lab is prepared and the readiness sign-off has been completed by the responsible faculty or researcher and submitted to the UISL, Network Access Control for the physical location will be enabled.
What can I do now to prepare for this change?
- If you have an unmanaged device that requires access to trusted resources on UCSD-PROTECTED Wireless, you can prepare for this change by enrolling in Microsoft Intune ahead of your scheduled go-live. You will receive a notification once your account is enabled for enrollment.
- If you have an unmanaged device that you know cannot enroll in Microsoft Intune and you require an exception, please reach out to your Unit Information Security Lead (UISL) before the enforcement date of your unit.
Need information or support?
- Campus ITS Service Desk
- Health IS Service Desk
We want to acknowledge that while cybersecurity is a shared responsibility, our approach was designed specifically to balance security while minimizing burden on staff and faculty, and to proceed with transparency and a focus on individual privacy. Any data collected by the necessary software is considered an electronic communications record as defined by the University of California's Electronic Communications Policy (ECP).
Sincerely,
Kevin Chou
Acting Chief Information Security Officer, UC San Diego
Scott Currie
Chief Information Security Officer, UC San Diego Health
University of California San Diego, 9500 Gilman Drive, La Jolla, CA, 92093