Managing Personal Electronics and Software In the Workplace
darien writes "Last night Symantec hosted a round-table discussion on the topic of consumer devices in the workplace. John Brigden, Symantec's senior VP for EMEA, pointed out that regardless of the policies businesses may lay down, individuals will always try to use their favorite gadgets and websites at work. Reminds me of when I worked in IT support: no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it. Frequently they even asked us to help them do it."
Shore up your applications and let users do what they will. It's a losing battle to lock down personal systems, especially for those with tech experience. Do YOU use a restricted system image? Most IT professionals do what they want, yet try to get others to follow their stupid rules. I'm fighting my IT department now because I've disabled all their crap except anti-virus and now my machine runs MUCH faster. I had zero tech support calls till they made me enable specialized spyware detectors, software installers and firewall software. With it running, blue-screens, hung applications and performance sucked. Now - their crap is disabled again. I'll take care of my own machine, thank you very much. Stay the fark out of my machine! I use my work PC for personal reasons and work during personal time. I'll fight them till they fire me.
And how much revenue will you produce without your network, smartass?
Caveat Utilitor
First, Group Policy makes it very easy to prevent a user with standard credentials from installing any software at all. Network scanning tools like Spiceworks make tracking down unapproved applications quick and easy. If it's a real problem, software like Altiris or Ghost Enterprise can simply re-image the machines nightly, overwriting any changes.
Second, proper firewalling and filtering, combined with a white list of approved sites, and further user-based site access tracking quickly stops both employees who try to go where they're not allowed and also stops employees wasting "as much as 3 hours a day surfing the web."
Third, disable plug and play. Now connected devices won't automatically be accessible. (Certain models of mouse and keyboard, and company-distributed thumb drives will be installed by default and work automatically.) Other devices will need a helpdesk employee to remotely connect to your system to activate. This not only protects you from users installing unapproved software, but also deflects one of the key ways a corporation gets a virus, and also limits data theft. We also disable the DVD drive (or at least hide the icon so you can't access disks). Want to bring files from home? We have a web-accessible space for that and all file transactions are logged.
Fourth, block access, using group policy, to any control panel or feature a user should not have access to. Leave them their themes, and any other settings that would otherwise be considered an ergonomic or user preference, but block everything else, even sleep and other power settings.
Fifth, lock down file write permissions. Corporate users should not be able to save ANYTHING to their local machine from any application. Everything should go to shared storage.
Lastly (at least all I'm bothering with, there's certainly more), users at the office are expected to be working. They don't need access to all sorts of software and devices that don't directly lead to productivity or company business. On the other hand, we need to allow them their comforts (music players, etc.) so some social applications like iTunes should be approved. If they want something to be available to them, they need to fill out a help request ticket. Any user trying to bypass this process is subject to instant termination or reprimand.
Users will also typically request access to personal e-mail accounts and chat applications. Since we don't want to introduce virus potential (or let them waste too much time per day on it) we allow them to request that helpdesk add additional POP e-mail accounts to their corporate e-mail account, provided they're through approved servers like Gmail or MSN. This way, all mail passes through the company's strong filtering systems, and can be considered safe, plus we can also keep an eye on employees overusing personal accounts (typically, we throw a red flag if they send more than 15 personal e-mails a day). We allow pre-approved chat applications and rely on floor managers to make sure they're not over-abusing that privilege (plus all chat is logged to a corporate system, so if there's an HR issue, we can pursue it).
Face the facts. You're at work. Unless you're on break, you're expected to leave your personal life at the door. We don't mind you customizing button bars, or loading personalized wallpaper (though we do need it to go through the helpdesk to ensure you're not putting copyrighted or HR-worrisome images on corporate equipment), but beyond that, the machine was provided to you to accomplish a job. We don't mind that you need to keep in touch, and be able to receive critical notifications from family, doctors, school administrators, etc. while at work, but generally we prefer people call you instead since e-mail and chat should not be trusted in emergencies, and can easily be checked when on breaks.
Surfing the web, especially social sites, and even reading the news, should strictly be limited to your time on break. If you want to bring your own notebook to work to do that, we
There is no contest in life for which the unprepared have the advantage.