17
Ask HN: How locked down are your work machines?
I've been working as a Software Engineer for 20+ years.
Places I worked in the early years barely had an IT department at all. As a developer you were expected to be able to maintain your machine. We'd install whatever we want, experiment with different operating systems, etc. Total free rein, box was our tool to get work done with, they didn't care how you did it.
That went away a long time ago. Basic corporate spyware and rules came pretty early but still free rein over our tools.
I've worked with the same company for close to a decade now, and they have been tightening and tightening the noose slowly but surely. We're purportedly a software company, but we lost admin rights, installable software went from a blocklist to an allowlist. Everything we install needs to get approved by IT, and that approval takes weeks.
Today they took our Chrome extensions away. They've got an allowlist of about 15 extensions we can install. Everything I submitted for approval got rejected.
I'm frustrated with this arrangement and am wondering how standard this is these days in this industry?
So I'm genuinely curious, Hacker News: How big of a company do you work for, what industry, and how locked down is your machine?
We have some basic endpoint security (Huntress) and DNS filtering (Was Cisco OpenDNS, something else now but not a clue what it is as I never installed the client).
We used to have local admin accounts as our normal logins, but we changed that for Cyber Essentials Plus, so now we have our normal logins and then our elevated name_admin accounts to do anything thats needed.
Not really bothered by any of that, but what I do care about is we recently put a new GPO that locks the background to the company approved branded one, that upset me a touch I liked my background. Now I have this garish purple and orange background :(
The Windows laptop that I never use is totally owned by IT.
The Ubuntu laptop that I actually use they won't touch. I make sure it's updated and secure.
I find this situation perfect.
It's interesting to hear this, because my machines have basically never been locked down. Okay, in some companies that's because the company had us use our own PCs, so they didn't bother to do anything to restrict what they were capable of anyway.
But even when a company gave me a 'free' computer to do work on, they never really locked it down that much. We could still install programs and browser extensions and visit just about any site we wanted, and network security was basically non-existent. We didn't usually need a VPN to access our email or workspace, and much of the time they let us access work email on our phones or personal devices like it was any other account.
This was when I was working for two large organisations, one media company and one fintech one.
Devices are completely locked down users do not have admin rights and must make a request for anything to be installed or executed. They cant even use a USB without getting approval. Software must come from our internal software repo and we run updates so often that known mac haters beg for macs to escape the win11 hell we've created. Its awful and I feel gross helping manage such a user hostile environment. Yesterday our update tool shutdown someones computer in the middle of a important action. It prompted him 3 times with 15min intervals then shut down his pc. He was going berserk as he lost a lot of progress.
Most of this is because of the strict compliance requirements our security team enforces on us. But some of it is done because we dont know how to implement the stuff in a way that is strict but lenient. Mac is way better because we dont have as much invasive tooling that supports it.
Our computer policies:
- Force disables the firewall.
- Disables SSH key auth.
- Disables Touch ID.
- Disables FileVault.
- Disables software updates. I'm not sure if this is on purpose or the policy is broken. I get different answers, depending on who I ask.
- Sets up a service account with a weak password (cartoon character name plus two digit number)
- Removes admin for us
- Sets the wi-fi interface as the preferred interface, even if using ethernet.
- Gives full-time admin to the level 1 help desk staff despite our computers having boatloads of confidential data.
When it was Intel Macs, I had a secret exploit to disable the forced MDM that I kept secret as hell, but with the introduction of Apple Silicon Macs, that exploit went away.
No, none of this is a joke.
Totally standard / "normal" at BigCo (fortune 500, banks, etc.).
At MegaCorp, there is a never ending arms race between security/compliance teams locking things down, adding approval and surveillance checks, and everyone else just trying to do their job.
Usually there are workarounds and backdoors available to people in the know. If you kick up a fuss, you'll be seen as "difficult". A key part of the job is finding tricks to get things done _despite_ all of the rules / checks in place trying to protect you from yourself.
Chrome extensions shouldn’t be in the hands of users, no matter their title. CEO included. As a device sysadmin I feel this strongly. None of you can be trusted to vet extensions. Honestly anyone who uses vanilla Chrome has a suspect threat model.
On the rest I rather agree with you. General-purpose computers are key tools over which users should be admin. Sysadmins provide a security backstop. Full lock down is the sign of an unhealthy understanding of how the org’s value is actually created.
Also if you can’t figure out how to get around the Chrome extension restriction, you either have remarkably competent CPEs (not me, so unlikely), or you’re not trying hard enough. Go download Canary to start.
Canary respects the systems MDM rules.
I can't even send attachments using Gmail. The restrictions opened up the world of KVM switches for me. I have a personal mini computer and at the touch of a button I switch between my work laptop and home mini computer using the same keyboard and screen.
At $DAY_JOB our Windows laptops are locked down and supported.
Linux & macOS people have zero support (outside hardware, corp VPN) and the password to the local admin account (thankfully Jamf does not reset sudoers file)
As more developers/operators opt for Linux or macOS I'm surprised support hasn't been expanded.
Exactly how we started down this path.
We were an open macOS shop acquired by major locked down Windows using corporation. Started with nothing, slowly Jamf -> Intune -> Intense Corporate MDM Controls.
Out of habit (and corporate experience) I default to ~/.local/ where possible in case lockdown happens at some point in the future.
It is hard for IT departments to continue to allow that freedom as the company grows and compliance requirements creep in. I am in the weird position of being responsible for Risk & Compliance while also directing the IT policy for personal machines. I've managed to hold on and grant everyone local admin access, but I get a LOT of push back every year from auditors and customers running their own audits. I'm hoping that continues, but it's probably 50/50.
Sounds like it's time for some malicious compliance. I have been enjoying the freedom I get on my machines ever since I left Fortune 500 but even there I had enough permissions to install the software required to do my job. You might not get some conveniences back but I hope that after a few days of "I'm waiting for IT to let me do my job" standup reports they'll reassess.
Small company, < 50 people, industrial automation.
Machine not locked down at all, I could install OS/2 and nobody would care.
This is basically a requirement for certain types of security certifications and for liability CYA reasons in the context of evolving laws about stuff like data breaches.
This is standard, especially when the size of the company grows. Actually, Microsoft might be a rare exception.
Extensions are full of malware of various sorts, so it makes sense that they take them away. Allow list vs. block list makes sense as a block list is impractical to maintain.
Only thing you can do is complain to management and prove with real #s how this is impacting productivity.
But if you're a webdev, it's super unlikely today that you need local admin and cannot work within an allow list of applications. If you're a driver dev, sure I can see how it might be a blocker.
prev company, $3b market cap probably 2000 engineers at the company, vertically integrated e-commerce, we had admin access with an MDM profile added to spy on us
Previous employer issued Macs with all sorts of Jamf spyware stuff on them but I could more or less install things as needed via brew (both internal-vended "taps" or whatever the term is) and "normal" end-user stuff without issue (it was often expected you'd do so).
Worth noting this absolutely impacted usability and stability to a massive degree. The machine ran far hotter to the touch than my personal (equivalent model) MBP, and would make it maybe a month of uptime before it failed to wake from sleep/kernel panic'd/locked up the desktop.
Most other typical desktop software was "vended" via internal software "store" thing (managed browsers, etc), but I could, and did, install various extensions on Firefox (internal Wikis even encouraged using Tampermoney (or whatever the successor is called now) like UBO/Sideberry etc.
Current employer issued machine is a Windows laptop with no admin and basically locked-down.
Even getting something like Docker installed/WSL configured is a whole episode in frustration.
The huge positive is this Enterprise-whatever version of Windows has minimal slop--no CoPilot things or ads in the start menu/lockscreen, but I can't even change the desktop wallpaper. Also, the CPU idles at basically 40% utilization with the various agent things/endpoint security running. For any sort of local development, I largely "sidestep" things by running whatever I need in containers/WSL, so it's really not a huge problem. There's minimal Windows-specific use outside of Teams/Outlook whatever.
[dead]
Never worked for a place that locked down and one of my jobs is in healthcare tech.
Enjoy being crippled and use the time to be mediocre and just collect checks.