Skip to content Skip to site navigation

Cardinal Protect

Whether you work with High Risk Data or simply want more protection, Cardinal Protect provides an all-in-one managed secure desktop that includes modern endpoint management, enhanced threat detection, and automatic backups for optimal data protection.

Cardinal Protect eliminates the need to use a separate Privileged Access Workstation (PAW) device to access administrative accounts and manage high-risk systems.




You can expect a comprehensive set of security features, including:

  • ​Modern endpoint management. Automated device management with Jamf (for macOS) for more convenient software deployments. 
  • Advanced endpoint protection. Endpoint security platform delivered by Crowdstrike EDR to guard against breaches, data theft, and cyber-attacks. 
  • Centralized logging. System activity records are sent to Splunk, providing centralized logs for security analysis and intrusion detection.
  • Automated backup. Automated backups with version control performed via CrashPlan to help fend off ransomware attacks that could make your data inaccessible.

Designed for

  • Departments that want to provide a higher level of endpoint security for their users
  • Stanford University faculty and staff, including university directors and deans, who work with sensitive information or simply want more protection
  • System Administrators and other PAW users who want to simplify to one device for all their work



  • An existing Code42 CrashPlan Backup service subscription
  • New or existing macOS devices with an Apple T2 or newer security chip
  • Devices must be purchased through Stanford procurement or the University bookstore and registered in Apple School Manager (ASM)
  • Users may need to back up their macOS device before converting to Cardinal Protect
  • Supported devices must be within the two most recent macOS versions. With Apple’s traditional fall release schedule, the latest macOS version will not be fully supported by Cardinal Protect developers until the following summer and so will not be certified for new deployments until then.
  • Look for Cardinal Protect on Windows devices to roll out in 2021


Data security

This service meets the Information Security Office requirements.


Cardinal Protect is available by subscription for a total cost of $116 per year, per device ($99 for support plus $17 for licensing fees). Computer Resource Consulting (CRC) clients and Privileged Access Workstation (PAW) users are required to pay licensing fees only ($17).


Get started

  • To learn more about or to request Cardinal Protect, submit a Help request

Get help

For questions or support

Learn more

Why must my device be registered in Apple School Management (ASM)?
ASM, which is Apple’s device management portal for educational institutions, enables the installation of Cardinal Protect. You can learn more about ASM by navigating to the Apple School User Guide.
How do I know if my device is registered in Apple School Management (ASM)?
If you have a Stanford device that was purchased through Smartmart or from the university bookstore, your device is registered in ASM upon purchase. ASM registration cannot be added to a device after purchase.
How do I back up and restore my Mac device?
Refer to Apple's Back up your Mac webpage for instructions on how to backup or restore your Mac. If you need additional technical assistance, contact your department IT support.
What are the benefits of Cardinal Protect for those who currently use Privileged Access Workstation (PAW)?
Cardinal protect simplifies your day-to-day work experience by providing the protection that you need on one single device, eliminating the need to use a separate PAW device to access administrative accounts.
Is Cardinal Key integrated with Cardinal Protect?
Cardinal Protect is integrated with Cardinal Key for easy, automatic installation of Cardinal Key upon deployment of Cardinal Protect.
Do I have to wipe my device before converting to Cardinal Protect?
Yes, in order for a macOS device to enroll with Cardinal Protect, it must be completely wiped.

See also

Last modified November 24, 2021