This role is assigned to workstations (Windows, macOS, Linux) that are well-managed by Ohio State IT (Information Technology) teams and are assigned to an individual faculty, staff, or student employee. Assignment of this network role is limited to the workstations of individuals who directly access and work with restricted data, including but not limited to HIPAA, PHI, ITAR, and CUI. Certificate authentication and authorization (via Shared Directory and Endpoint Services) is required, and user logon to the workstation is restricted to authorized individuals only.
Network role at a glance:
- Wi-Fi (eduroam) and wired connectivity options available
- Public IP addressing
- DHCP reservations are not supported. Dynamic DNS used instead
- All outbound traffic permitted, except to other elevated workstations
- Inbound traffic limited to management tools
- Traffic between elevated workstations disallowed
Network Role Characteristics
Aliases for this role include:
- elevated workstation
- osulan-elevated
Network Traffic Permissions
Outbound traffic is limited to:
- Traffic destined to endpoints outside of the elevated workstation role
Inbound traffic is limited to:
- IT management tools (e.g., Active Directory, Config Manager, jump hosts)
- Remote access tools (e.g., Guacamole, RDP gateway)
How to connect
Ohio State IT staff must configure the device to use a computer certificate to connect successfully to this network role. The device’s certificate must be issued and chained to a root that has been trusted by OTDI (Office of Technology and Digital Innovation) network authentication and authorization services. If the device is bound to Shared Directory and Endpoint Services (including Ohio State’s Jamf), that trust is already in place. Reach out to OTDI Networking for any questions regarding certificate issuance for network authentication and authorization.
Once configured, connect the device to a wired port on OTDI’s Managed Network Service or choose eduroam from the list of Wi-Fi networks.
IP (Internet Protocol) Addressing
Devices placed in the elevated workstation role are assigned to publicly routable IP address space. All IPv4 addresses are dynamically assigned through DHCP, and address reservations are not supported. IPv6 addresses are established through IPv6 router advertisements and the neighbor discovery process.
After the endpoint receives an IP address, the campus DHCP service dynamically creates a DNS A record for it in the DNS zone bcd.it.osu.edu. For example, an endpoint with hostname “OH12345678” would have a DNS record of OH12345678.bcd.it.osu.edu. If the endpoint has no configured hostname, the MAC address of the device is used instead.
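As an added example (not OTDI's own tooling), the following Python check encodes the traffic rules from the Network Traffic Permissions section and the addressing and DNS behaviour described above, so an IT team can confirm a workstation actually landed in this role. The peer class labels "it-management" and "remote-access", the MAC fallback name format (12 hex digits, separators removed), and the sample addresses are assumptions.

```python
import ipaddress
import re

DNS_ZONE = "bcd.it.osu.edu"
ROLE = "osulan-elevated"
# Classes of systems the role permits as inbound initiators (labels assumed).
INBOUND_ALLOWED_CLASSES = {"it-management", "remote-access"}


def expected_fqdn(hostname, mac):
    """Name the campus DHCP service should register for this endpoint.
    The page does not give the MAC fallback format; this assumes the
    12 hex digits with separators removed, lowercased (assumption)."""
    if hostname:
        return f"{hostname}.{DNS_ZONE}"
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits}.{DNS_ZONE}"


def address_conforms(addr):
    """Elevated workstations receive publicly routable space, so a private,
    link-local or otherwise non-global address suggests a different role."""
    return ipaddress.ip_address(addr).is_global


def flow_permitted(direction, peer_role, peer_class=None):
    """Apply the role's traffic rules to one flow.
    direction: 'outbound' (workstation initiates) or 'inbound' (peer initiates).
    peer_role: network role of the other endpoint, e.g. 'osulan-elevated'.
    peer_class: for inbound flows, the class of the initiating system."""
    if peer_role == ROLE:
        return False  # traffic between elevated workstations is disallowed
    if direction == "outbound":
        return True  # all other outbound traffic is permitted
    if direction == "inbound":
        return peer_class in INBOUND_ALLOWED_CLASSES
    raise ValueError(f"unknown direction: {direction!r}")


def audit(hostname, mac, addr, flows):
    """Return findings for one endpoint; flows is a list of
    (direction, peer_role, peer_class) tuples from observed connections."""
    findings = []
    if not address_conforms(addr):
        findings.append(f"{addr} is not publicly routable; endpoint may not be in {ROLE}")
    findings.append(f"expected DNS record: {expected_fqdn(hostname, mac)}")
    for direction, peer_role, peer_class in flows:
        if not flow_permitted(direction, peer_role, peer_class):
            findings.append(f"{direction} flow with {peer_role}/{peer_class} violates role policy")
    return findings
```

The `audit` output for a constructed observation lists the expected DNS name plus one line per deviation, which is enough to spot a workstation that received a private address or that is exchanging traffic with another elevated workstation.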
Additional Information for IT Teams
This network role is limited to only those users and their identified workstations that access restricted data. CMDB configuration records in Service-Now for these elevated workstations will indicate a Network Role value of “Elevated”. Most managed workstations instead are assigned the standard workstation network role.