Cardinal Protect

Whether you work with High Risk Data or simply want more protection, Cardinal Protect provides an all-in-one managed secure desktop that includes modern endpoint management, enhanced threat detection, and automatic backups for optimal data protection.

Cardinal Protect eliminates the need to use a separate Privileged Access Workstation (PAW) device to access administrative accounts and manage high-risk systems.

Features

You can expect a comprehensive set of security features, including:

Modern endpoint management. Automated device management for more convenient software deployments.
Advanced endpoint protection. Endpoint security platform delivered by Crowdstrike EDR to guard against breaches, data theft, and cyber-attacks.
Automated backup. Automated backups with version control performed via CrashPlan to help fend off ransomware attacks that could make your data inaccessible.
Anytime, anywhere, any device access. The virtual desktop (VDI) version allows you to access highly sensitive data from your Stanford-issued laptop/desktop or mobile device via web browser, Horizon client on macOS, Windows OS, iOS and Android.

For Windows systems

Hardware reporting (model, serial, BIOS/TPM status)
Automated OS build version tracking/updates
Alerts issued for changes in System Integrity Protection and secure configurations
- BigFix/Intune
- CrowdStrike
- BitLocker
Enforcement of local firewall, with default deny and reporting of open ports
Auto-install of core applications
- Firefox/Chrome/Opera/Brave
- uBlock Origin
- Microsoft 365
- Jabber
- Slack
- Zoom
- Cisco AnyConnect VPN
Automated system backup (Crashplan)
Local log monitoring
Remote wipe capability (under Intune)

For macOS systems

Hardware reporting (model, serial, etc.)
Automated OS version tracking/updates (n-1 supported)
Alerts issued for changes in System Integrity Protection and secure configurations
- BigFix/Jamf
- CrowdStrike
- FileVault2
Alerting for changes to Apple File Sharing and Remote Desktop. SMB sharing disabled
Enforcement of local firewall, with default deny and reporting of open ports
Auto-install of core applications
- Firefox/Chrome/Opera
- Microsoft 365
- Jabber
- Slack
- Zoom
- Cisco Secure Client VPN
Automated system backup (Crashplan)
Local log monitoring
Remote wipe capability

Designed for

Departments that want to provide a higher level of endpoint security for their users
Stanford University faculty and staff, including university directors and deans, who work with sensitive information or simply want more protection
System Administrators and other PAW users who want to simplify to one device for all their work

Requirements

Windows Service

An existing CrashPlan Backup service subscription
Requires Windows 11 capable system, either new (out of the box) or eligible for restoring.
- Windows 10 compatibility coming soon
Users may need to back up their Windows device before converting to Cardinal Protect
Windows OS must be within Microsoft’s support window.

macOS Service

An existing CrashPlan Backup service subscription
New or existing macOS devices with an Apple T2 or newer security chip
Devices must be purchased through Stanford procurement or the University bookstore and registered in Apple School Manager (ASM)
Users may need to back up their macOS device before converting to Cardinal Protect
Supported devices must be within the two most recent macOS versions.

Virtual Desktop Service

An existing CrashPlan Backup service subscription
Windows 10+, macOS 10.14+, Linux, iOS 12+, and Android OS
Laptop, desktop, or mobile device that runs any of the previously mentioned operating systems
Browser access requires HTML 5

Data security

This service meets the Information Security Office requirements.

Rates

See the Cardinal Protect rates page.

Get started

To learn more about or to request Cardinal Protect, submit a Request.
To get started with Cardinal Protect Virtual Desktop, submit a Request.

Get help

For questions or support

Submit a Help request to your local IT department for general troubleshooting
Escalate Help requests to the UIT EUX Product Support Team (PST) for Cardinal Protect specific troubleshooting
Escalate Help requests to the UIT Client Infrastructure Solutions Group for Cardinal Protect VDI specific troubleshooting
Cardinal Protect FAQ for IT admins

Learn more

Why must my device be registered in Apple School Management (ASM) for macOS Cardinal Protect?: ASM, which is Apple’s device management portal for educational institutions, enables the installation of Cardinal Protect. You can learn more about ASM by navigating to the Apple School User Guide.
How do I know if my device is registered in Apple School Management (ASM) for macOS Cardinal Protect?: If you have a Stanford device that was purchased through Smartmart or from the university bookstore, your device is registered in ASM upon purchase.
How do I back up and restore my macOS device?: Refer to Apple's Back up your Mac webpage for instructions on how to backup or restore your Mac. If you need additional technical assistance, contact your department IT support.
What are the benefits of Cardinal Protect for those who currently use Privileged Access Workstation (PAW)?: Cardinal protect simplifies your day-to-day work experience by providing the protection that you need on one single device, eliminating the need to use a separate PAW device to access administrative accounts.
Does Cardinal Key work with Cardinal Protect?: Yes. Cardinal Key works on a Cardinal Protect device just like any other supported device.
Do I have to wipe my device before converting to Cardinal Protect?: Yes, in order for a macOS device to enroll with Cardinal Protect, it must be completely wiped.
What firewall limitations will be imposed?: The firewall is enabled to block unauthorized applications, programs, and services from receiving incoming connections, except for essential Internet services like DHCP, IPSec, and authenticated/signed applications.