Should IT Shops Let Users Manage Their Own PCs?

An anonymous reader writes "Is letting users manage their own PCs an IT time-saver or time bomb waiting to happen? 'In this Web 2.0 self-service approach, IT knights employees with the responsibility for their own PC's life cycle. That's right: Workers select, configure, manage, and ultimately support their own systems, choosing the hardware and software they need to best perform their jobs.'" Do any of you do something similar to this in your workplace? Anyone think this is a spectacularly bad idea?

in the perfect world...

[AdamReyher]

In a perfect world this would actually work. But then we'd run into pirating like crazy and companies being sued all of the the place. I certainly support a more liberal approach to what employees are allowed to use on their machines, but restrictions certainly need to be in place.

Re:in the perfect world...

[MooseMuffin]

We already run this way at where I work. We're a small place and there's no in-house IT department. If one of us in development needs more ram or a new harddrive, the procedure is to go buy it and install it yourself and give management the bill. Nearly everyone is savvy enough to handle this on their own, and if you aren't its easy enough to ask someone to help you.

Re:in the perfect world...

[fm6]

There are better ways to deal with piracy than locking down computers. Nowadays, companies face all kinds of legal issues: discrimination suits, corruption investigations, export control laws... The standard solution is to force your employees to attend a bunch of brief classes covering these issues. I had to work through a half-dozen online lessons when I got my current job.

Piracy has nothing to do with the fondness of IT departments for locking down user computers. Really, it's a response to nitwits who fancy themselves experts and know just enough to get them into trouble. Of course, it's pretty frustrating for those of us who really do know what they're doing, but face it, we're a tiny minority.

Re:in the perfect world...

[homer_ca]

For a microcosm of this problem just look at users with local admin on their computers. Some people do fine. Other are always getting infected with crapware or calling with stupid questions, e.g. when they wanted to install printer drivers, but installed 300MB of printer crapware with 3 tray icons they don't understand.

Re:in the perfect world...

[ushering05401]

Hardware is one thing. Software, and the BSA, is another.

Your shop may be small enough to avoid attention, but allowing users to install their own software could put a company in hot water fast.

Re:in the perfect world...

[KillerCow]

"I'm trying to make an Internet on my desktop but I can't get the file to program."

Can those people really manage their own machines?

Re:in the perfect world...

[mapsjanhere]

People in my shop can tell me what they want hardware wise, but most don't get more than user privileges. For a while I told people they can put anything on their machines as long as they drop off a license, but it just didn't work. Too many people bringing in "free but for commercial use" programs and running them in total disregard of the real licenses. Even worse, one guy brings it in after buying a registration, but 10 people copy it assuming "if he has it, it must be ok". Plus, my time needed for TLC due to user error has gone from 10h/week to 2h/month since all machines are locked down. Selfish bastard of IT guy!

Re:in the perfect world...

[pvera]

Absolutely not.

The easiest way is to break your users into four groups:

1. The hopeless. The nice ones are actually thrilled when you can take some of your very busy time to deal with their problem.

2. The middle of the road. Many of these people are more than capable to turn into power users, they simply are too busy or just not interested. They are usually good about cooperating with IT because they see these problems as a distraction from whatever their job happens to be.

3. The ones that think that they are power users. These are more dangerous than a real computer illiterate moron. They know everything and will not hesitate to wipe their asses with your IT procedures under general principles. They also work behind your back, giving your users contradicting advice that creates confusion and resentment later. You'll spend an afternoon carefully crafting your business case for buying four brand new whatevers, for example, Mac Book Pros. At the same time, these idiots go behind your back and whisper into the right ear that Mac Book Pros are overpriced, that Mac Books will do fine. The purchase goes for the cheaper item, and when bad things happen, they will blame you regardless, while the weasela keep a low profile.

4. The real power users. These are the only ones that you can trust to do most of the management, more because not only they display the knowledge and experience, but also a healthy level of restraint. This is the kind of guy that knows what he is doing but won't mess with the equipment simply because he is bored. After all, he is busy enough doing his own job, no time to do yours unless he understands it to be a honest emergency.

The best combination I have seen so far was at a previous job during the dot com years. They didn't trust anyone, but once they figured out if you were not dangerous, they would yield control little by little. I was running all of the programmers in the company, and from early programmers and IT got along like thieves. As each new programmer got hired, we pretty much threatened to kick their asses if they did anything to antagonize the IT folks. It worked, as a norm my team's IT requests were handled faster and with less hassle than some other group full of prima donnas that treated the IT folks as if they were scum.

Re:in the perfect world...

[jwo7777777]

In my business, I force my users to submit all requests in triplicate and reject any that aren't perfect in spelling and I allow no smudges, tears, or other obvious defects on the submission. I provide the forms in the building basement and keep the inbox on the second floor.

Users are required to change their password every login. Only approved software is allowed on the machines and access to our intranet is strictly controlled by a hypervisor proxy installed on each and every machine.

Our one and only security breach was when my wife slapped me and choked the common network and local admin password out of me after she demoted me to assistant adjutant information technician.

She will pay for her insolence. I have already connected together the velcro-like fasteners on several of the baby's size 5 disposable diapers, creating a low cost darknet to create a denial-of-diaper attack on the server I used to control.

She will pay ... oh yes ... she will pay.......

mixed feelings

[the4thdimension]

Bad idea for those that run shops with people who are clueless to computers. These types of people are walking disasters for the entire IT dept. Good idea for those young-ins that know what they are doing with computers. These types of people not only already save the IT dept. a lot of hassle(I personally help numerous people in my area with computer problems that might otherwise get relegated to IT), but they will know how to work and manage all the software and tools that they opt to install.

Sure

[Dan+East]

Sure. I'm getting them to write their own software too, but the learning curve is a little steep. We would like to have them fabricating their own chipsets by 2010. Of course we'll have them start with FPGAs first before actual silicon, because that only makes sense.

Tagging?

[fuocoZERO]

Any idea why this article hasn't been tagged "whatcouldpossiblygowrong" yet?

One Size Cannot Fit All

[dhavleak]

So the answer is basically, "it depends".

For security reasons its always important to manage the AV, updates, etc. on the machine.

If you have important IP on laptops, it becomes even more important to have a good policy to manage machine health, rather than leaving it to individual discretion.

And finally, if you have well-defined and relatively narrow roles for which machines are required, again it makes sense to lock them down.

So depending on how much of the above is true, the answer will vary, but in general IT shops should not trust users to manage their own machines especially because users really don't know much when it comes to keeping a machine secure.

I should be so lucky

[elrous0]

If I tried to go through my IT department to get anything done, I would never have time for work. Basically, I have to work from my home computer to get anything done. My work computer is absolutely worthless (can't install any software on it, most of the internet is blocked with Websense blocking software, takes months to get any software approved for it). Basically, I just finally told my boss that I would buy my own personal equipment and software and set that up at home. It serves me well, as I do freelance work at homne anyway.

If I went through IT at work, I would still be using Photoshop 5.0 and some ancient version of Pagemaker. They're so slow (and this is a true story, honest to God) that the last time they approved any work software for me, the company had stopped making the version they approved before they finally approved it.

Re:I should be so lucky

[couchslug]

"Basically, I just finally told my boss that I would buy my own personal equipment and software and set that up at home. It serves me well, as I do freelance work at homne anyway."

The vast majority of auto mechanics are expected to provide their own hand tools, and a well-stocked toolbox can run tens of thousands of dollars. Why not have users provide their own computer (cheap by comparison) if they support it?

I'd be happy to provide my own PC anywhere I worked if it were permitted. I bring my own peripherals anyway.

Fuck no

[Nimey]

Some of my users would and can do a fine job of that, but they're outnumbered by the ones who aren't trained and/or bright enough to be trusted administering their own box. Click on shiny! free tool to clean spyware that it just detected when you visited this website, oh yes. Install all kinds of crap and wonder why the computer's crawling & BSODing. Get us audited by the BSA, etc.

Maybe for the better sort of user, but gods no for the unwashed masses.

The answer is yes

[Overzeetop]

Is letting users manage their own PCs an IT time-saver or time bomb waiting to happen? It is both. I'm not sure about the new kids coming out of school, but us old-school computer guys are just as literate as most of the IT folks. The problem is that when we screw something up, it's screwed up pretty badly. I would venture to say that 95% of those who want to manage their computers can do so far more efficiently than the corporate IT staff. The other 5% will likely cause major grief.

For those in IT who think this is not the case, consider your power users. Many really can function - even if not to corporate standards of security or conformity - with very little help. They probably will spend an extra $200-$400 per machine for stuff that has marginal use, but they'll feel better about it and be productive. The problem is that there's that one guy - and everyone in IT know who he is - that is way out of his depth and just doesn't know it. You spend a lot of time praying he doesn't screw up more than his own workstation. The good thing is that considerably more than half of modern staffs will likely just want you to set it all up and keep it running.

In the case for users managing their own PCs, NASA used to be this way where I worked in the 90s. We ordered our own PCs, set them up, installed all software. The IT staff would help get us on the network and keep the network running. There were exceptionally few problems. This was, however, before most people had access to the internet, and predominantly before the web existed.

For small companies only

[SparkleMotion88]

This sort of thing would never fly at a sufficiently large company. Once you get to a certain size, the pressure to "standardize" becomes too strong to resist. I suppose this is reasonable, because the licensing, support, etc. is much cheaper this way. Oh, and arguing that individual choice makes workers more productive is useless: productivity can't be easily measured -- therefore it doesn't exist.

Run it for an imperfect world

[Gription]

We have 7 techs supporting 2000+ computers in 800+ offices. We give guidance but we don't tell them they have to run them any any specific manner. The biggest advice is, "Boring is good".

License compliance is one detail were you can't offer any wiggle room. There are a number of good auditing software (including some free ones!) that will report on the installed software. That will keep you out of legal trouble.

Goose versus Gander

[Nakito]

In the days when I was on a large network, I thought it was a bad practice for the IT department to have better setups than the end users. Some IT people had not just faster computers but leaner images with less integration and less overhead. Their machines flew.

But of course they had no appreciation of how bad it was to be in the trenches. Their computers performed so much better than the equivalent computers of the end users that they often did not realize how hard it was to get work done on a standard image.

When I reached the point where I ran one of the departments, I kept an old standard-image computer as my main computer and made sure I was always at the end of the upgrade queue. My view was that if something worked well on my computer, it would work on anyone's. And if something didn't work well on my computer, then it meant some of my users were having a bad experience.

So maybe if the IT department would just use the same image and hardware as the end users, they'd know enough to provide a decent standard image, which would solve a lot of user complaints.

Re:Select own software?

[vertinox]

I have a 72 years old guy in a next cubicle ...I don't think the man knows the difference between a CPU and motherboard ..

I don't think he knows the difference between a 401K and lottery tickets either.

Did web 2.0 magically make end users not stupid?

[reemul]

Maybe end users have changed miraculously from when I was still doing desktop support, but I doubt it. IT doesn't develop policies limiting supported configurations just to be mean (generally). They do it because that's all they can in fact support given existing staffing and support metrics. Maybe you can get small numbers of users to be sufficiently knowledgeable that they can support themselves, but the overwhelming majority of users don't know enough, and don't *want* to know enough, to do this. They'd come to rely on some absurdly obscure or broken application, then call IT when it doesn't do what they want it to, and IT would have no idea how to fix it. Plus they'd end up with massive amounts of pirated material. The techs aren't going to memorize the manuals for every possible bit of code a user might take a fancy to, and they certainly can't test every possible combination of applications to test for incompatibilities.

Letting end users choose their own machines and apps sounds like a lovely and empowering idea, right up until the point where they need to call tech support. And find out that it might be days before IT can fix whatever is broken, since they are starting with zero idea what is wrong because of the wacky config. Those days of lost productivity can be hugely expensive compared to the costs of testing a few specific configs that can be easily and quickly supported. Some tech hours of advance testing and some possible minor losses of productivity from using applications that aren't the user's favorite choices are far cheaper than having an employee turn in no billable hours for several days because his computer is down.

The question is too broad

[Weaselmancer]

Is letting users manage their own PCs an IT time-saver or time bomb waiting to happen?

It's a good idea if your users have a clue. It's a bad idea if they don't. It entirely depends on the users.

In my shop we're all coders, so that plan would work. In fact it's vital to our work. Originally we were locked down and had to have an admin install pretty much anything we wanted to use. IT became an inhibitor rather than a helper. They eventually had to lift the ban. The policy was in the way.

On the other side of the coin, I've also held IT positions managing users. Giving some of my former customers the keys would have been an immediate disaster. In that case a lockdown was a lifesaver.

You're out of your mind

[Calyth]

I worked as help desk at a bioinformatics research facility, with roughly 200 people, and I can fit the number of power users that I could remotely trust to run their own machine in one hand. And 3 of them have gone over our heads - one wiped his own RHEL Linux (not that I'm a fan, but it's managed) with his own Ubuntu install, causing us grief when we change settings. He also cause a Kent State Computing Science PhD (who's more like a n00b who can't type his password right) to demand the "same" setup, burning up weeks of time for 2 out of 4 IT staff, myself included. The other 2 would routinely try to install pirated software on work computers.

And we do try to install software in time for our users. We would try to allocate the right software in time, and if there's no reasonable way to do it (i.e. the user can't get the funding), we try to offer alternatives. In the past, yes, the IT department had been sluggish, but the majority of them have left, and we do try to provide good service.

Apparently, in a bioinformatics research facility, most of the staff who do research don't know jack about computers, or how to maintain them. If the users are allowed to manage their own machine, I would spend so much time fixing machines, I would want to jump off the building.

Thank god I left that place. It was bad enough with the existing setup. To think that most users can maintain their machines is pure folly.

I worked as a site tech in one place...

[DaedalusHKX]

A government institution, to be precise, and the locals were using government computers, government media (CDR's) and various other resources to pirate everything from Windows to Games for Windows... and you know what? I was nearly fired for bringing it up. Taking action with my "superiors" in IT over what I perceived to be a legitimate issue, and being not only stonewalled but also treated like scum, is what resulted in me tendering my resignation shortly thereafter. Total time on job? Less than a year... far less. Reason? Dirty business practices. Yes, this was a SCHOOL... these are the people teaching your kids what to think, and possibly (in rare instances of "good teachers") even how to think. Another example of government "honesty" and examples of justice. Piracy reigned, and when notified, my "superiors" felt offended that I did not remove the offending software. After much correspondence and arguments, and nothing getting done, I finally got fed up and left. There is a reason schools enjoy Linux like pricing on software. So many of the teachers pirate everything in sight, with full oversight of the various officials.

And then they teach kids that "crime doesn't pay". Talk about hypocrisy.

Another reason to pick up homeschooling.

Re:I worked as a site tech in one place...

[cb8100]

Yes, this was a SCHOOL... these are the people teaching your kids what to think...

I like to let the TV teach my kid what to think

Re:Select own software?

[peragrin]

My old(as in previous) boss is finally retiring at the age of 80. he was still working a 55-60 hour work week.

He didn't need the money, but did it so he wouldn't get bored. I have another friend who is 63 has 4 seasonal jobs to keep himself busy and gives him just enough extra cash to play. he doesn't need the work, but he works to keep himself going.

You don't have to stop hard when you retire, you just change priorities.

Re:How do you handle the following issues?

1. User just deleted a "critical" data directory/file.
backups exist.

2. User just deleted an OS directory and their computer will not run.
backups exist.

3. User kept everything on his/her local drive and it just caught fire.
backups exist.

4. User wants an email from 3 years ago that user had deleted from his/her last computer 2 years ago.
see 5. (anyway, even many "managed/locked down" setup (like in small companies) don't have this one solved so, not a huge deal.

5. The legal department wants all email to/from Mr.X, Mr.Y and Mr.Z.
email archived server side, without any implication on the client side

6. User keeps getting infected with viruses.
enforce running AV

Letting the users do some stuff doesn't mean not running AV / backup. Of course, one can hack the machine to disable all of this.. but honestly.. these people can be fired too ;)

I'm not saying it is the way to go, but your points are not really proving it one way or another.

They are valid ONLY for centralized operations.

[khasim]

I don't understand why parent is modded down. These are all valid answers to the issues listed.

No.They are not "valid answers" in a decentralized operation because there is no way you can backup the user's machines.

Saying that "backups exist" does not address the question of HOW the backups are made when the user can put any file anywhere on their system.

With a centralized system, the users can be restricted to ONLY saving files on their TEMP directory and the servers. Those are MUCH easier to backup and lots of packages exist for that exact purpose.

Re:How do you handle the following issues?

[sulfur]

reimage, reimage, reimage until the user learns

So you want to pay desktop support techs to re-image users' computers all the time? In our company re-image takes about 8 hours due to hard drive encryption, which translates into lost productivity of the user.

I've worked as a desktop support tech both in my college where users had admin rights to their PCs, and for a company that had locked-down environment with packaged software where almost nobody had admin rights and no non-approved software could be installed. I'd say on average I spent 3 times longer to put the users in the college back online, and to restore their data. Of course there's the whole issue of weatherbug/toolbars/ActiveX/other crapware that the users installed on a regular basis.

Re:madness!!!

[Selanit]

Have you considered putting a table right next to the copier?

Alternatively, if there's one already there, have you put coasters on it, as a hint?

And if it's got coasters already, have you considered purchasing a cheap mug, drinking coffee out of it just once so it'll have an authentic ring-stain in the bottom, and then setting it on one of those coasters permanently as an added hint?

Failing that, have you taken a bunch of tennis balls, cut them in half, duct taped them to the top of the copier and spray painted them the same beige as the rest so there's no flat place to put drinks?

Further, have you considered sneaking into their cubicles by dead of night and supergluing their cups and mugs to the desk?

If all else fails, have you considered supergluing your coworkers themselves to their desks? I bet their productivity would go up. The smell might get bad after a while, though ...