Ask HN: How locked down are your work machines?

Posted by donatj 3 days ago


I've been working as a Software Engineer for 20+ years.

Places I worked in the early years barely had an IT department at all. As a developer you were expected to be able to maintain your machine. We'd install whatever we want, experiment with different operating systems, etc. Total free rein, box was our tool to get work done with, they didn't care how you did it.

That went away a long time ago. Basic corporate spyware and rules came pretty early but still free rein over our tools.

I've worked with the same company for close to a decade now, and they have been tightening and tightening the noose slowly but surely. We're purportedly a software company, but we lost admin rights, installable software went from a blocklist to an allowlist. Everything we install needs to get approved by IT, and that approval takes weeks.

Today they took our Chrome extensions away. They've got an allowlist of about 15 extensions we can install. Everything I submitted for approval got rejected.

I'm frustrated with this arrangement and am wondering how standard this is these days in this industry?

So I'm genuinely curious, Hacker News: How big of a company do you work for, what industry, and how locked down is your machine?

Comments

Comment by no_time 1 day ago

My current employer (regional O&G multi) loads all laptops with the most horrid mix of itsec garbage known to man. We have both the compliance module of AnyConnect (without using the VPN part) AND Zscaler for VPN.

Upon boot this has a 50/50 chance of triggering a chicken-and-egg problem where AnyConnect wants to connect to the compliance server but can't because Zscaler is not yet authenticated through PingID, but PingID cannot be reached because of the aforementioned compliance check not succeeding. Or at least that is my theory. Toggling the network adapter in the Windows control panel 1-2-3 times tends to solve it. Not 100% sure about my theory of what's going on, but my tickets about this are getting ignored so theorising is the best I can do. At least we as IT staff get local admin, so it's not all bad.

At my previous workplace (mid-size SSC) the work machines themselves were less bloated and could do anything other than change UEFI settings, but certain servers we were assigned to maintain were monitored down to the keystroke level. The itsec shift gave me a call at around 3am to chat about my choice of script filename (suckmydick.PS1) like 30 seconds after I created it.

Comment by AuthAuth 3 days ago

Devices are completely locked down: users do not have admin rights and must make a request for anything to be installed or executed. They can't even use a USB without getting approval. Software must come from our internal software repo and we run updates so often that known Mac haters beg for Macs to escape the Win11 hell we've created. It's awful and I feel gross helping manage such a user-hostile environment. Yesterday our update tool shut down someone's computer in the middle of an important action. It prompted him 3 times at 15-minute intervals, then shut down his PC. He was going berserk as he lost a lot of progress.

Most of this is because of the strict compliance requirements our security team enforces on us. But some of it is done because we don't know how to implement the stuff in a way that is strict but lenient. Mac is way better because we don't have as much invasive tooling that supports it.

Comment by runjake 2 days ago

Our computer policies:

- Force disables the firewall.

- Disables SSH key auth.

- Disables Touch ID.

- Disables FileVault.

- Disables software updates. I'm not sure if this is on purpose or the policy is broken. I get different answers, depending on who I ask.

- Sets up a service account with a weak password (cartoon character name plus two-digit number).

- Removes admin for us.

- Sets the wi-fi interface as the preferred interface, even if using ethernet.

- Gives full-time admin to the level 1 help desk staff despite our computers having boatloads of confidential data.

When it was Intel Macs, I had a secret exploit to disable the forced MDM that I kept secret as hell, but with the introduction of Apple Silicon Macs, that exploit went away.

No, none of this is a joke.

Comment by gsck 2 days ago

We have some basic endpoint security (Huntress) and DNS filtering (Was Cisco OpenDNS, something else now but not a clue what it is as I never installed the client).

We used to have local admin accounts as our normal logins, but we changed that for Cyber Essentials Plus, so now we have our normal logins and then our elevated name_admin accounts to do anything that's needed.

Not really bothered by any of that, but what I do care about is that we recently put in a new GPO that locks the background to the company-approved branded one. That upset me a touch; I liked my background. Now I have this garish purple and orange background :(

Comment by wojciii 2 days ago

The Windows laptop that I never use is totally owned by IT.

The Ubuntu laptop that I actually use they won't touch. I make sure it's updated and secure.

I find this situation perfect.

Comment by tacostakohashi 3 days ago

Totally standard / "normal" at BigCo (fortune 500, banks, etc.).

At MegaCorp, there is a never ending arms race between security/compliance teams locking things down, adding approval and surveillance checks, and everyone else just trying to do their job.

Usually there are workarounds and backdoors available to people in the know. If you kick up a fuss, you'll be seen as "difficult". A key part of the job is finding tricks to get things done _despite_ all of the rules / checks in place trying to protect you from yourself.

Comment by CM30 2 days ago

It's interesting to hear this, because my machines have basically never been locked down. Okay, in some companies that's because the company had us use our own PCs, so they didn't bother to do anything to restrict what they were capable of anyway.

But even when a company gave me a 'free' computer to do work on, they never really locked it down that much. We could still install programs and browser extensions and visit just about any site we wanted, and network security was basically non-existent. We didn't usually need a VPN to access our email or workspace, and much of the time they let us access work email on our phones or personal devices like it was any other account.

This was when I was working for two large organisations, one media company and one fintech one.

Comment by comprev 3 days ago

At $DAY_JOB our Windows laptops are locked down and supported.

Linux & macOS people have zero support (outside hardware, corp VPN) and the password to the local admin account (thankfully Jamf does not reset the sudoers file).

As more developers/operators opt for Linux or macOS I'm surprised support hasn't been expanded.

Comment by donatj 3 days ago

Exactly how we started down this path.

We were an open macOS shop acquired by major locked down Windows using corporation. Started with nothing, slowly Jamf -> Intune -> Intense Corporate MDM Controls.

Comment by comprev 3 days ago

Out of habit (and corporate experience) I default to ~/.local/ where possible in case lockdown happens at some point in the future.

Comment by mmsimanga 2 days ago

I can't even send attachments using Gmail. The restrictions opened up the world of KVM switches for me. I have a personal mini computer and at the touch of a button I switch between my work laptop and home mini computer using the same keyboard and screen.

Comment by w0de0 2 days ago

Chrome extensions shouldn’t be in the hands of users, no matter their title. CEO included. As a device sysadmin I feel this strongly. None of you can be trusted to vet extensions. Honestly anyone who uses vanilla Chrome has a suspect threat model.

On the rest I rather agree with you. General-purpose computers are key tools over which users should be admin. Sysadmins provide a security backstop. Full lock down is the sign of an unhealthy understanding of how the org’s value is actually created.

Comment by w0de0 2 days ago

Also if you can’t figure out how to get around the Chrome extension restriction, you either have remarkably competent CPEs (not me, so unlikely), or you’re not trying hard enough. Go download Canary to start.

Comment by donatj 2 days ago

Canary respects the system's MDM rules.

Comment by w0de0 1 day ago

Depends on the OS and the “MDM rules.” For instance, it resides in a separate preference domain identifier on macOS. Your sysadmin must deploy “MDM rules” - a profile - which applies to Canary specifically.

They often don’t. Moreover some of the most common implementations of Apple’s MDM protocol also don’t do so automatically.

If they have remembered Canary, just compile your own Chromium with an amusing identifier.

Comment by donatj 1 day ago

Well, I'm on macOS, and Canary very much respects the non-Canary specific

    /Library/Managed Preferences/{username}/com.google.Chrome.plist
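The exchange above turns on what a managed Chrome preferences plist actually contains and how Chrome evaluates it. Below is an added example, not code from the thread or from Google, that parses such a plist and answers the question an IT admin gets asked daily: "is extension X installable under our policy?" The policy key names (`ExtensionInstallBlocklist`, `ExtensionInstallAllowlist`, `ExtensionInstallForcelist`) are Chrome's documented enterprise policies; the evaluation rules encoded here are Chrome's documented semantics (a `*` blocklist entry blocks everything not on the allowlist, allowlist entries override the blocklist, force-listed extensions are always present). The plist content and the 32-character extension IDs are constructed for the example, and the file path used in the demo is the one donatj quoted.

```python
"""Evaluate Chrome's extension install policy from a macOS managed-preferences plist."""
import os
import plistlib

# Constructed sample of a managed com.google.Chrome.plist: a wildcard blocklist
# with a short allowlist, plus one force-installed extension. IDs are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ExtensionInstallBlocklist</key>
  <array><string>*</string></array>
  <key>ExtensionInstallAllowlist</key>
  <array>
    <string>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</string>
    <string>bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb</string>
  </array>
  <key>ExtensionInstallForcelist</key>
  <array>
    <string>cccccccccccccccccccccccccccccccc;https://clients2.google.com/service/update2/crx</string>
  </array>
</dict>
</plist>
"""

# Constructed sample with no extension policy at all (unmanaged browser).
EMPTY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict/></plist>
"""

# Path quoted in the thread; {username} is a placeholder for the console user.
MANAGED_PREFS_PATH = "/Library/Managed Preferences/{username}/com.google.Chrome.plist"


def load_policy(data: bytes) -> dict:
    """Parse plist bytes into a dict with the three extension policy lists normalised."""
    raw = plistlib.loads(data)
    # Forcelist entries are "<id>;<update_url>"; only the ID matters here.
    forced = [entry.split(";", 1)[0] for entry in raw.get("ExtensionInstallForcelist", [])]
    return {
        "blocklist": list(raw.get("ExtensionInstallBlocklist", [])),
        "allowlist": list(raw.get("ExtensionInstallAllowlist", [])),
        "forcelist": forced,
    }


def extension_allowed(policy: dict, ext_id: str) -> bool:
    """Return True if a user may have ext_id installed under this policy.

    Precedence, per Chrome's documented behaviour: force-installed extensions are
    always present; an allowlist entry overrides the blocklist; otherwise an
    explicit ID or a '*' wildcard in the blocklist denies the install.
    """
    if ext_id in policy["forcelist"] or ext_id in policy["allowlist"]:
        return True
    if ext_id in policy["blocklist"] or "*" in policy["blocklist"]:
        return False
    return True


def installable_ids(policy: dict) -> list:
    """Sorted IDs a user can end up with when the blocklist is a wildcard."""
    return sorted(set(policy["allowlist"]) | set(policy["forcelist"]))


def load_policy_for_user(username: str) -> dict:
    """Read the live managed plist for a user if present, else an empty policy."""
    path = MANAGED_PREFS_PATH.format(username=username)
    if not os.path.exists(path):
        return load_policy(EMPTY_PLIST)
    with open(path, "rb") as fh:
        return load_policy(fh.read())


if __name__ == "__main__":
    policy = load_policy(SAMPLE_PLIST)
    print("Installable IDs under sample policy:", installable_ids(policy))
    for ext in ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "pppppppppppppppppppppppppppppppp"):
        print(ext, "->", "allowed" if extension_allowed(policy, ext) else "blocked")
```

On a managed Mac, `load_policy_for_user(os.getlogin())` reads the real file; if the result is the empty policy, no extension restriction is being applied to that preference domain, which is the coverage question the thread is arguing about.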

Comment by abrookewood 3 days ago

It is hard for IT departments to continue to allow that freedom as the company grows and compliance requirements creep in. I am in the weird position of being responsible for Risk & Compliance while also directing the IT policy for personal machines. I've managed to hold on and grant everyone local admin access, but I get a LOT of push back every year from auditors and customers running their own audits. I'm hoping that continues, but it's probably 50/50.

Comment by hannahstrawbrry 3 days ago

Sounds like it's time for some malicious compliance. I have been enjoying the freedom I get on my machines ever since I left Fortune 500 but even there I had enough permissions to install the software required to do my job. You might not get some conveniences back but I hope that after a few days of "I'm waiting for IT to let me do my job" standup reports they'll reassess.

Comment by gt0 2 days ago

Small company, < 50 people, industrial automation.

Machine not locked down at all, I could install OS/2 and nobody would care.

Comment by apothegm 3 days ago

This is basically a requirement for certain types of security certifications and for liability CYA reasons in the context of evolving laws about stuff like data breaches.

Comment by p_ing 3 days ago

This is standard, especially when the size of the company grows. Actually, Microsoft might be a rare exception.

Extensions are full of malware of various sorts, so it makes sense that they take them away. Allow list vs. block list makes sense as a block list is impractical to maintain.

Only thing you can do is complain to management and prove with real #s how this is impacting productivity.

But if you're a webdev, it's super unlikely today that you need local admin and cannot work within an allow list of applications. If you're a driver dev, sure I can see how it might be a blocker.

Comment by nyarlathotep_ 2 days ago

Previous employer issued Macs with all sorts of Jamf spyware stuff on them but I could more or less install things as needed via brew (both internal-vended "taps" or whatever the term is) and "normal" end-user stuff without issue (it was often expected you'd do so).

Worth noting this absolutely impacted usability and stability to a massive degree. The machine ran far hotter to the touch than my personal (equivalent model) MBP, and would make it maybe a month of uptime before it failed to wake from sleep/kernel panic'd/locked up the desktop.

Most other typical desktop software was "vended" via an internal software "store" thing (managed browsers, etc), but I could, and did, install various extensions on Firefox (internal wikis even encouraged using Tampermonkey (or whatever the successor is called now), uBO, Sidebery, etc.).

Current employer issued machine is a Windows laptop with no admin and basically locked-down.

Even getting something like Docker installed/WSL configured is a whole episode in frustration.

The huge positive is this Enterprise-whatever version of Windows has minimal slop--no CoPilot things or ads in the start menu/lockscreen, but I can't even change the desktop wallpaper. Also, the CPU idles at basically 40% utilization with the various agent things/endpoint security running. For any sort of local development, I largely "sidestep" things by running whatever I need in containers/WSL, so it's really not a huge problem. There's minimal Windows-specific use outside of Teams/Outlook whatever.

Comment by wolvoleo 2 days ago

So locked down I can hardly work. I tend to do most stuff on my home lab these days. I can't even "burn" an ISO because USB drives are blocked. I can't install docker (which I need to test new promising tools). Can't install python. When I raised this for the point of managing our onprem support lab they just shrugged. Find a way, in other words use your personal stuff like everyone else does.

It's just stupid. The security team gets to show pretty pictures to leadership claiming everything is super secure. But because people can't do their work they find other ways using personal equipment etc. So you get this whole shadow IT landscape. Nobody cares because it doesn't show up in the pretty pictures. It's just a lot of security theater.

Comment by JCharante 2 days ago

Prev company, $3b market cap, probably 2000 engineers at the company, vertically integrated e-commerce; we had admin access with an MDM profile added to spy on us.

Comment by throwawaysleep 3 days ago

Never worked for a place that locked down and one of my jobs is in healthcare tech.

Enjoy being crippled and use the time to be mediocre and just collect checks.