
Uhh "users can't install software themselves" is how things are supposed to be. If you're still giving everyone admin rights you're going to have a fun time every time one of them falls for phishing.



Welcome to bigtime shadow IT then in a white collar / high performing workforce. People will be using personal laptops, spinning up AWS instances etc to get work done especially if they collaborate with others.

I worked at a place, folks had to go to the neighboring copy/print place to FAX themselves documents, because IT in its wisdom had locked down their machines and prohibited scanning docs (i.e., they faxed to a virtual fax, then took those PDFs and sent them on).

I am convinced that part of the AWS appeal for many folks is to escape this "best practice" IT control that just results in no progress / ability to get work done. This was 10x during pandemic.

When IT hasn't yet gotten Zoom into default image, and you need Zoom or whatever to talk with others practically, so annoying.


AWS for us is even more locked down. Nobody gets access to that. Unless they sign up with their own account and pay for it themselves perhaps?

But the idea is of course that the applications needed for work are all available in the company software catalog. When we locked this down we did extensive pilots.

As an EU company we have to certify each tool for privacy anyway and we can't allow unvalidated tools (and even worse: cloud services) for this reason. The fines are huge and we have a responsibility to our customers.

Personal machines are explicitly forbidden and not allowed on the network using 802.1x.

The admin rights prevent people from bypassing security controls. Such as disabling the proxy which checks for forbidden services for which we don't have a data processing agreement, like Dropbox.

I know it's not easy. But letting people do what they please is causing the kinds of data leaks we're seeing in the media almost every day.

I agree some things are a step too far and inevitably drive people into shadow IT but admin rights are pretty low hanging fruit these days.

And really, since we did this the company is still running :)


In my experience I would say that limiting users in this way, unless they have a very standardized workflow and will never be expected to deviate from it, is a terrible idea. Most of the risks you're actually afraid of don't need local admin to do significant damage. Locking people out of their local OS just protects the local OS (which is trivially reimaged), not their documents, and not the resources they have access to on the network; you know, the stuff you actually care about. Sure, there are a (very) small number of new attack vectors opened into your network by programs which can get local admin, most of which you should be mitigating against anyway, but compared to the added friction you cause the users by taking it away those are just not worth it. And that's before you consider privilege escalation attacks that make it irrelevant if the user even has local admin.


This is also why I always complained that no-root-by-default is not particularly advantageous for Linux way-back-when: basically, stuff I care about is in my $HOME.

Main driver to want a Free Software system for public institutions is that it's a Free Software system, allowing for local companies to participate in development and fairly compete to only add on to the software, avoiding the entire provider lock-in.


The risk for us is more one of uncertified tools. People using stuff like Dropbox which we don't have a data processing agreement with. Or stuff like TeamViewer.

Locking down admin rights is not just to lock down the OS but to ensure security restrictions aren't easily circumvented.

For the files we use AIP which protects against copying. You can't open those in a personal machine for example.


I work in IT in a German company. Every user has admin rights on the local machine. Why? Because the IT-Boss couldn't figure out how to allow installing updates (software and OS) on Win 7 without having admin. And then there is the semi-official "shadow IT".


I just heard that our new hire got his company-issued laptop and can’t do work because he can’t install the software he needs. He has to organise with IT to get it installed. To do software QA.

If I was in that situation I would just reformat the computer. Luckily I don’t have a company-issued laptop. I gave it back because it was a Dell XPS aeroplane. I use my own laptop for work.


Is this also true for developers? I’ve only seen “install anything you want” types of setups yet, are there companies that don’t allow that on your work laptop?


Yes, developers are a major threat vector in any non-IT company. Which is why large companies can't innovate.



