Best Practices: GitHub Enterprise for Educational Institutions

Enterprise Configuration

Use a Standard GitHub Enterprise.

  • GitHub has two types of enterprise accounts: Standard and Enterprise Managed Users (EMU).

  • Both provide a single point for management and enforcement of policies and settings for your institution's GitHub account.

  • However, standard enterprises are more flexible and therefore recommended for educational institutions.


  • What's in an Enterprise Account?
    • Organizations
    • Policies and Settings for All Organizations
    • Security Insights
    • GitHub Server License Keys
    • GitHub Connect (connects Server instances to Cloud instances for customers using GitHub Enterprise Server in addition to GitHub Enterprise Cloud)
    • Enterprise Audit Log
    • GitHub Compliance Documentation
  • Why are standard enterprise accounts recommended for educational institutions?
    • Standard enterprises include the option for public facing resources.
      • Public facing resources include things such as public repositories, issues, discussions, gists, and pages.
      • Public facing resources are important for various use cases.
        • Example: A research group working on AI wants to share their newest AI skill with the braoder AI research community. They can do so by making the repo public.
    • Standard enterprises support SAML 2.0 SSO with Shibboleth.
      • Shibboleth is used by many educational institutions for identity management.
      • Other supported identity providers include Microsoft Entra ID (previously known as Azure AD), Microsoft Active Directory Federation Services (AD FS), Okta, OneLogin, and PingOne.
      • Supported SAML 2.0 Identity Providers
    • Organizations and repositories can be transfered into or out of the enterprise via the GitHub UI.
      • When educational institutions set up their GitHub enterprise, they often have multiple affiliated teams or people already working in existing GitHub organizations and repositories that should be, but are not, centrally managed by the institution.
        • Example: A university IT department is already actively working in an existing GitHub organization. The organization does NOT have any authentication security in place, and the IT department head is expensing the cost of the GitHub organization each month.
      • Educational institutions need a simple way to transfer such organizations or repositories into their enterprise.
        • Note: Organizations and repositories can be transferred into a standard enterprise via the UI with enterprise owner/admin approval and current owner/admin approval.
      • Sometimes educational institutions also need a simple way to transfer repositories out of the enterprise.
        • Example: A student writes code for their Computer Science class. The code is added to a repository in the organization that belongs to their class. When the class ends, the student gets admin approval to transfer the repo into the student's personal namespace, so the student can continue working on their project and show their code, commit history, pull requests, etc., to a potential employer.
        • Note: organizations and repositories can be transferred out of an enterprise via the UI with current and future owner/admin approval.
      • Inviting an Organization to Join an Enterprise
      • Repository Transfers
    • GitHub Enterprise features, such as GitHub Actions, Advanced Security, Codespaces, and Copilot, can be governed at the enterprise level.
      • Educational institutions can set policies that permit or block access to certain features for all or selected organizations.
        • Example: Features like GitHub Advanced Security can be purchased for selected organizations, such as one used by the institution's web development team, while still being blocked for all other organizations.
      • Enterprise Policies Overview
    • GitHub Contribution graphs reflect user activity in the enterprise.
      • Contribution graphs appears on the public facing profile page of a GitHub user's personal account.
      • Contribution graphs NEVER show details about commits made to private repositories, however, they do show the number of commits made on any given day regardless of whether that commit was made to a public or private repo.
      • Many developers, especially students, use their Contribution Graph to market themselves to the larger development community and to future employers. The contribution graph shows that they are actively committing code.
      • GitHub Profile & Contribution Graph
  • Why aren't EMU accounts recommended?

    • EMU enterprises do NOT include any public facing resources.

    • Shibboleth is NOT a supported Identity Provider for SSO.

    • All EMU user accounts, including student accounts, belong to the enterprise.
      • In EMU enterprises, enterprise owners/admins create individual accounts for EMU enterprise members.
      • These individual user accounts are only available to the member in the context of the EMU enterprise.
      • Any repositories created by the user in their individual account, belong to the enterprise rather than the user.
    • Moving existing GitHub organizations and repositories into an EMU enterprise requires a migration.
      • Migrations can be completed with GitHub's self-service CLI tool, GitHub Enterprise Importer, but bringing them into the enterprise will requires time spent planning, coordinating, and executing the migration.
Setup SSO at the Enterprise level.
  • Give every member of your community access to the GitHub enterprise via your identity provider (IdP).

  • Why give every community member access to the GitHub enterprise?
    • Give community members access to the GitHub enterprise as part of the standard system access they receive when joining the educational institution.
    • This makes it easier to manage access over the long term.
      • Example: When organization owners/admins, such as a professor or department head, wants to invite new students to an organization, they will not need to also ensure that the students have access to the GitHub enterprise. Students will already have access via the your instutition's IdP.
    • Notes:
      • With this setup, any member of your community with a GitHub personal account can go to the enterprise landing page and login to the institution's enterprise account with SSO via your IdP.
        • If they do so and have NOT been invited to an organization, they will have access to an empty enterprise landing page.
      • Community members will need to be invited to an organization by an organization owner/admin to view the organization's resources (repos, issues, discussions, etc.).

  • Configure SAML 2.0 SSO on an Enterprise

Setup multiple organizatons for different user groups.
  • Educational institutions often have multiple distinct user groups that need their own organizations.

  • What's in an Organization?
    • Repositories
    • GitHub Classrooms
    • Copilot Access (when permitted at the Enterprise level)
    • Projects
    • Packages
    • Discussions
    • Teams
    • Actions in Private Repositories (when permitted at the Enterprise level)
    • Security & Org Level Insights
    • GitHub Advanced Security (when purchased and permitted at the Enterprise level)
    • Audit Log
    • Organizations can have their own admins.
  • Why set up organizations for different groups?
    • Organizations can be used for groups who work closely together and need access to many of the same repositories.
    • Each organization can have its own members, public and private repositories, and teams (groups of members with varying levels of permissions).
    • Enterprise admins can give selected organizations access to certain features, such as GitHub Advanced Security and Actions.
    • Organization admins can manage organization membership and settings for features made available to the organization by the enterprise admin.
  • Example Use Cases for Organizations
    • Biology Department
      • Members: professors and grad students who teach in the department.
      • Repos: tooling used for data analysis.
      • Feature Access:
        • GitHub Actions can be used in public and private repositories.
        • No access to GitHub Advanced Security.
        • No access to Copilot licenses through the university.
    • Class: CS101
      • Members: professors, TAs, and students for all CS101 class sections.
      • Repos: starter projects used in all CS101 classes regardless of who teaches them.
      • GitHub Classrooms: unique GitHub classrooms for each CS101 section and managed by the professor and TAs for that section.
      • Feature Access:
        • No access to GitHub Actions for private repositories.
        • No access to GitHub Advanced Security.
        • No access to Copilot licenses paid for by the university.
    • IT Department
      • Members: staff in the IT Department.
      • Repos: scripts and applications managed by IT.
      • Feature Access:
        • GitHub Actions in private repositories.
        • Copilot Business licenses through the university.
        • No access to GitHub Advanced Security.
    • University Web App Development Team
      • Members: seveloper team that creates and maintains the university website.
      • Repos: any relevant applications or microservices.
      • Feature Access:
        • GitHub Actions in private repositories.
        • Copilot Business licenses paid for by the university.
        • GitHub Advanced Security.
    • Student Group
      • Members: small group of students who have decided to work on coding projects together over the summer and want to make a website for their student group.
      • Repos: code for the student group's projects and website.
      • Feature Access:
        • No access to GitHub Actions on private repositories.
        • No access to GitHub Advanced Security.
        • No access to Copilot licenses through the university.
  • Organizations and Enterprise Accounts
  • Organizations Overview

Organization Management

Give staff in a central IT/services office GitHub enterprise support entitlements.
  • With GitHub support entitlements, IT/services staff will be able to open, view, and comment on support tickets for the enterprise account and any organizations within the enterprise via GitHub's support portal.
  • Notes:
    • Support entitlements are only available with paid educational enterprise plans.
    • Enterprise owners/admins will automatically have support entitlements.

Manage organization creation through the central IT/services office.
  • A central IT/services office should create GitHub organizations.

  • Why manage organization creation through a central IT/services office?
    • Manage organization creation via a central office to:
      • Limit the number of Enterprise owners and support entitlements needed for the GitHub enterprise.
      • Allow for better monitoring and management of the enterprise.
  • What will the IT/services office need to do to set up an organization?
    • Create the new organization in the institution's enterprise account.
    • Invite an organization owner/admin to the organization.
    • Invite initial members to the organization.
    • Notes:
      • Organizations must be created via the GitHub UI, so some IT/services staff will need owner/admin access to the Enterprise.
Provide a process for individuals to request new organizations.
  • Providing a process for requesting a new GitHub organization will make it easy for members of your community to get started with GitHub.
  • Notes:
    • Allow for flexibility in who can request a GitHub organization.
      • Example: Allow students, professors, and staff to request organizations, rather than only department heads.
    • Too many restrictions on who can request or obtain a GitHub organization can delay projects and discourage community members from working on projects in organizations that can be monitored/governed by the educational institution.

Add an organization owner/admin when the organization is created.
  • Make the individual requesting the organization, or another designated person, an organization owner/admin.
  • Among other things, organization owners/admins can:
    • Configure policies and settings on the GitHub organization that aren't already governed by the enterprise.
    • Invite organization members.
    • Add additional organization owners.
    • Create repositories within the organization.
    • Create repository rule sets.
    • Create teams of members to manage access to repositories within the organization.

  • What are Repository Rule Sets?
    • Repository Rule Sets are rules that control how members of an organization can interact with selected branches and tags in a repository.
      • Examples:
        • Control who can push commits to a specified branch.
        • Require pull requests for specified branches.
        • Control who can delete or rename a tag.
    • Repository Rules can be configured per a repository or for all repositories in an organization.
    • Repository Rule Sets
  • What are Teams?

    • Teams are groups of organization members.

    • Teams are used grant/control repository and organization access permissions.

    • Teams are used for communication within GitHub (e.g., notifying a team that a particular PR needs attention).

    • What's in a team?What's in a team?
      • Members
      • Repository access controls
      • Project access controls
      • Organization role controls

    • GitHub Teams

  • Organization Roles

Make features such as GitHub Actions, Advanced Security, Codespaces, and Copilot available to selected organizations.
  • Some groups within your community will need access to additional GitHub features in their organization.
    • Example: A university web develpment team needs access to GitHub Actions to test and deploy their applications and Advanced Security to scan their code for security vulnerabilities and secrets.

Provide GitHub Enterprise server licenses to research teams or other groups as needed.
  • Research groups may have especially stringent compliance requirements, where even their code, not just their data, must be in a high compliance environment.
  • In such cases, running a GitHub server instance in a high compliance environment is the best option.
  • Note: GitHub Enterprise Server licenses are included with GitHub Enterprise plans.


Monitoring Enterprise and Organization Activity

Use the GitHub Audit Log.
  • The audit log is available via the UI or API at the enterprise and organization levels.
  • At the enterprise level, the audit log can be streamed to various SIEMs.
  • Use the Audit Log to monitor enterprise and organization activity.
  • Set up alerts for unexpected activity, such as changes to enterprise policies.

Provide organization owners with tools to maintain and monitor organization settings.

Making the Most of GitHub

Encourage students and faculty to take advantage of free GitHub offerings.
  • Many features are available for free to faculty and students OR on public facing repositories.

Encourage faculty to use GitHub Classroom for technical courses.
  • GitHub Classroom provides professors, teachers, and school administrators with a digital classroom space.
  • With GitHub Classroom, professors and teachers can:
    • Create assignments with due dates for individual students or groups of students.
    • Provide feedback and grade assignments.
    • Track assignments on a classroom dashboard.
    • Integrate with other educational tools.

Share GitHub Skills with facutly and staff.
  • GitHub Skills is a collection of self-guided resources for learning about GitHub.
  • GitHub Skills includeds lessons on things like Markdown, Pull Requests, and getting started with Actions.

Purchase Expert Services workshops for faculty and staff so they can become GitHub Champions and provide further training to other faculty, staff, and students.
  • Expert Services workshops teach developers how to use GitHub effectively.