So far my strategy is to just ignore it and pray that the problem goes away by itself. If I have to deal with it eventually - quitting is the most appealing option.
However, the reason I asked here is to get a feeling about how common this thing is. Is this normal? Am I the rat in the lab, or am I just late to the party?
This is spreading but still we must try to stop it. We will fail as we have failed so many times in the past but still we must try.
Say, we fought against DRM and while the music industry has completely abandoned it, that victory turns out to be useless because the video streaming industry has embraced it totally and there's not even resistance against it this time.
I am so, so tired of fighting against these. I translated Doctorow's anti-DRM speech in 2004 into my native tongue as one of my last acts as a Hungarian journalist. We have been fighting for so long. And the DRM war is lost.
Nonetheless, we need to stand. We, who have the privilege to be able to say "meh, I quit" because we know the next job is just days away. We need to for the sake of all those who do not have such a privilege.
I do not know Drata, but an endpoint agent on a company machine is not that odd. Generally, they come from the big EDR companies, such as Carbon Black, CrowdStrike, etc. They would mostly run in the background and scan for malware, push out Group Policy changes, and yes, provide a backdoor to run scripts on your machine. Drata sounds a bit more like spyware though. Technically, EDR agents can do session captures (recording the screen, showing what was run on the computer over history, processes, network traffic). Generally, though, it's only utilized for incident response and not tracking a contractor's time, making sure they are working, etc. Although I must admit, theoretically there is nothing preventing that, although it's at a more technical level than most management would know how to decipher.
I second the recommendations above. Only agree to install it on a company machine, same for any agent or company AV, etc. If they won't provide it then it's a no-go on any personal hardware of yours.
> So far my strategy is to just ignore it and pray that the problem goes away by itself. If I have to deal with it eventually - quitting is the most appealing option.
It won't go away by itself because if they're asking it means you are in their corporate directory and showing up as noncompliant in the Drata dashboard.
It's extremely normal on company hardware used for business purposes. The conflict here is trying to run multiple clients on the same personal hardware. Never do that.
If they're willing to give you a company-owned laptop, take that. Then it is their machine to configure however they like. If not, tell them you'll lease a laptop dedicated to them only and pass on the monthly cost (with some profit margin) as part of your monthly invoice.
Another alternative might be to install it into a VM or old but freshly-paved computer.