Every operationally-deployed management platform that's accepting enrollments today, by product. Multi-platform postures are the norm — record each. Empty selection is a hard finding: a documented management platform is the prerequisite for every other field on this page (and for every downstream EUC sub-domain).
Of the OS classes the district operates (Windows, macOS, ChromeOS, iOS/iPadOS, Android — whichever apply), how many are actually enrolled in a management platform from F1. Distinct from enrollment rate within a covered OS class (see F3). “Most endpoints unmanaged” is a hard finding.
Of endpoints that ARE enrolled (F2 confirmed scope), how many are actually communicating with the platform on a recent cadence. Enrollment without check-in is enrollment on paper — devices that disappeared from the network, retired without unenrollment, or sit in storage. <75% (or unknown) is a hard finding: at that level the platform's data isn't a reliable picture of the fleet.
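For the check-in rate field above, the following added example (not part of the rubric or of any platform's tooling) computes the rate per OS class from a device export and applies the <75%-or-unknown rule. The CSV column names, the 30-day "recent" window and the as-of date are assumptions; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export; column names are assumptions, not a real platform schema.
SAMPLE_EXPORT = """device_id,os_class,last_check_in
W-001,Windows,2024-05-28T09:12:00+00:00
W-002,Windows,2024-01-03T14:00:00+00:00
W-003,Windows,
C-001,ChromeOS,2024-05-30T07:45:00+00:00
C-002,ChromeOS,2024-05-29T16:20:00+00:00
C-003,ChromeOS,2024-05-27T11:05:00+00:00
C-004,ChromeOS,2024-05-01T08:00:00+00:00
"""

HARD_FINDING_THRESHOLD = 0.75  # from the field text: <75% (or unknown) is a hard finding
RECENT_WINDOW = timedelta(days=30)  # assumption: the page does not define "recent cadence"


def check_in_report(export_text, as_of, window=RECENT_WINDOW):
    """Return per-OS-class and fleet-wide ("ALL") check-in rates for enrolled devices."""
    counts = {"ALL": {"enrolled": 0, "recent": 0}}
    for row in csv.DictReader(io.StringIO(export_text)):
        stamp = (row.get("last_check_in") or "").strip()
        # A blank timestamp is an enrolled record that never reported: count it as stale.
        recent = bool(stamp) and as_of - datetime.fromisoformat(stamp) <= window
        for key in (row["os_class"], "ALL"):
            bucket = counts.setdefault(key, {"enrolled": 0, "recent": 0})
            bucket["enrolled"] += 1
            bucket["recent"] += int(recent)
    report = {}
    for key, c in counts.items():
        # No enrolled records means the rate is unknown, which the rule treats as a finding.
        rate = c["recent"] / c["enrolled"] if c["enrolled"] else None
        report[key] = {**c, "rate": rate,
                       "hard_finding": rate is None or rate < HARD_FINDING_THRESHOLD}
    return report


if __name__ == "__main__":
    as_of = datetime(2024, 6, 1, tzinfo=timezone.utc)  # assumed assessment date
    for os_class, row in check_in_report(SAMPLE_EXPORT, as_of).items():
        print(os_class, row)
```

Reporting the rate per OS class as well as fleet-wide keeps a healthy class from masking a stale one: here ChromeOS sits exactly at the threshold while Windows and the fleet total fall below it.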
Whether the “which platform manages which device class” mapping is written down — distinct from whether the platforms are deployed (F1) or covering the fleet (F2). Knowledge-in-heads becomes a real risk when staff turn over. “No mapping” is a hard finding; informal mapping is below max but acceptable in small districts with stable IT staff.
How new devices reach a managed state on first boot. Autopilot (Windows) / DEP via ASM (Apple) / Google ZTE (ChromeOS) are the modern zero-touch paths — devices ship from the vendor pre-bound to the district's tenant and self-configure at first boot. Manual imaging and hand-enrollment is a hard finding: it's labor-intensive, error-prone, and doesn't scale to refresh cycles or 1:1 deployments.
Whether enforceable configuration baselines (CIS, vendor, or district-defined) are actually deployed to managed endpoints from the platform — distinct from how they enforce (see F7). Cross-ref NET-WI F4: 802.1X wireless certificate distribution rides on the same baseline-delivery channel, so gaps here cascade into wireless auth gaps. “No baselines defined” is a hard finding.
How aggressively the baselines from F6 actually enforce. Report-only mode is the right starting point for a new baseline (scope the impact before flipping the switch), but a posture that's predominantly report-only is a hard finding — non-compliant devices remain on the network with no consequence, which makes the compliance machinery decorative.
Whether compliance state from F7 actually gates access to anything — M365 / Workspace resources, 802.1X network access, instructional SaaS apps. Conditional access is the layer that turns “the platform says this device is non-compliant” into “the device cannot reach the resource.” Cross-ref legacy-cyber IAM (forthcoming): identity federation is what makes conditional access possible. “No conditional access” is a hard finding.
How operating-system and platform updates are rolled out across the fleet. This field captures the EVIDENCE (Intune update rings, WSUS console, Munki manifests, ChromeOS auto-update channels) — the patching maturity score lives in legacy-cyber VRM (forthcoming), per the registry's settled boundary. “No update ring strategy” is a hard finding: ad-hoc patching cascades into emergency outages when a bad update lands on the whole fleet simultaneously.
How often the management platform itself is reviewed — orphaned device records, drifted compliance policies, expired certificates, stale baselines, retired admin accounts. Distinct from reviewing the fleet through the platform (F3); this asks about reviewing the platform's own health. “Ad-hoc only” and “Never” are hard findings. Continuous (tool-driven) postures use platform analytics in lieu of scheduled reviews.
How console access is structured. RBAC (role-based access control) with least-privilege roles is the modern floor: helpdesk staff don't need full global admin to reset a password or wipe a lost device. Shared admin credentials (one “EUC-admin” account everyone logs in as) is a hard finding — it eliminates auditability and turns one phished credential into platform-wide compromise.
How platform data reaches anyone outside the console — IT leadership, district administration, the school board. Reports-on-request only is below max but workable; no reporting at all is a hard finding (the platform's data isn't influencing decisions). Cross-ref F10's hygiene cadence and F3's check-in rate — those data points need somewhere to surface.