
Managing Personal Electronics and Software In the Workplace

darien writes "Last night Symantec hosted a round-table discussion on the topic of consumer devices in the workplace. John Brigden, Symantec's senior VP for EMEA, pointed out that regardless of the policies businesses may lay down, individuals will always try to use their favorite gadgets and websites at work. Reminds me of when I worked in IT support: no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it. Frequently they even asked us to help them do it."
  • by BobMcD ( 601576 ) on Tuesday September 30, 2008 @11:06AM (#25205601)

    You have to shore these up with human controls: enforced policies, employee agreements, and the like.

    This is a human problem caused by our adaptation to technology in our entire lives. Should the computer have been a device you only run into at work, the draconian idea of 'you may only do what we say' may have stuck. But since people get to experience life outside this kind of control, they're going to crave it everywhere.

    And resisting it is mostly just frustrating everyone.

    Now, I'm not saying you have to support every oddball app on the planet. I would recommend you have an 'approved software' list, and back that software up with support. Saying 'that is not supported, use this' is far better than locking things down, from my experience.

    Focus on the wetware, not the software and hardware...

    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday September 30, 2008 @11:17AM (#25205765)

      And resisting it is mostly just frustrating everyone.

      Now, I'm not saying you have to support every oddball app on the planet. I would recommend you have an 'approved software' list, and back that software up with support. Saying 'that is not supported, use this' is far better than locking things down, from my experience.

      Good luck with that.

      Since you seem to believe that setting one limit is unenforceable, why do you believe that setting a different limit is enforceable?

      You cannot use IM app X because:
      a. You are not allowed to use IM at work.
      b. You are only allowed to use IM app Y (which does not connect to the service you want to use).

      And, from TFA:

      Unless companies are prepared to lock down their systems in unprecedented ways - or otherwise radically reconceive their computing operations - this accelerating, unmanaged influx of new devices and services is going to force IT departments into a reactive role.

      Why do so many people see "No" as "reactive"? You can evaluate new technology and new products and determine that they present security issues that outweigh their benefits.

      In just about every other aspect of business this would be a non-issue. You don't allow people to replace the phone system with their own phone that is incompatible with your PBX but it's okay because they can just call the phone company and run a POTS line to their cubicle.

      While they wait for that, they'll fire up a deep fryer in their cubicle and make up a batch of donuts for everyone.

      • It has been pretty darned simple where I've worked at in the past....you plug an unauthorized computer onto the network, it is detected, they find you and immediately escort you off premise and you don't come back.

        Heck, you are actually limited on bringing in any non-official laptops...but, then again, these places were pretty secured facilities.

        Anyway....a policy of use it and LOSE it...pretty effective against any unauthorized electronics in the work place...

        • Because once you allow people to connect personal items to the network your security model is non-existent. And connecting them to the workstations counts as having them on the network in this instance.

          If they want to play music or whatever, they can bring radios / players / etc in. But they cannot use the company's workstations to load iTunes and fill up their iPod. That just creates another potential issue that IT has to deal with.

          Now, if they'd be willing to take a pay cut so IT could afford a few more e

          • Re: (Score:3, Informative)

            by stewbacca ( 1033764 )

            Now, if they'd be willing to take a pay cut so IT could afford a few more employees who would handle iTunes problems and such ... say ... $100 a month ... each.

            Nah. I'd rather just be given the appropriate access to fix that stuff myself and get rid of IT altogether.

        • by MyLongNickName ( 822545 ) on Tuesday September 30, 2008 @11:56AM (#25206301) Journal

          I think this is one of those things where you need to identify the work environment you are in. I have worked in banking. In the operation division, what you said would be absolutely true. No second chances. If you went over to corporate, you'd find a more lax attitude. Whether you like it or agree with it, that is the way it was.

          If you go to a smaller company, you will probably see an even laxer attitude. The policies vary greatly depending on the organization.

    • Indeed, as well as every 3 months somebody publishes a study to say that "evil lusers" are doing bad things sometimes to be more productive and sometimes to slack off. Unfortunately, like many things in life it is a sliding scale rather than a one size fits all solution. Sure block the pr0n, day-trading, ebay side business managing clowns, but for $deity's sake don't set the default home page to the bloated ass corp intranet portal. If I fire up a browser window to read some html documentation or to check a

    • i have a simple solution for stopping employees from using unauthorized gadgets at work:

      1. put all workstations and authorized office electronics in faraday cages.
      2. purchase & install a large NNEMP (non-nuclear electromagnetic pulse) device.
      3. put on a lead apron and/or jockstrap.
      4. set the NNEMP generator to turn on at random intervals.
      5. ???
      6. profit.

      you might also want to make sure that your company health plan doesn't cover work-related sterility.

  • ISeekYou (Score:4, Funny)

    by negRo_slim ( 636783 ) <mils_orgen@hotmail.com> on Tuesday September 30, 2008 @11:06AM (#25205603) Homepage

    No matter how many times we told users they weren't allowed to install ICQ

    Ahhh, 1998 was a great year, wasn't it?

    • I still have an ICQ account. Thanks to Pidgin, I'm even logged in on it. And I don't think anyone has *ever* tried to contact me with it.

  • by umStefa ( 583709 ) on Tuesday September 30, 2008 @11:07AM (#25205615) Homepage

    Companies need to start looking at WHY their employees want to connect personal devices to corporate systems. If it's just so that they can import calendars, contact lists, etc into their PDA or calendar at home then set up systems to allow it. If it's to take confidential materials out of the office to work on at home (since how many people actually work a 40 hour week anymore), then set up proper encryption protocols to allow this but at the same time minimize the risks associated with data being lost.

    Remember the best way to get somebody to do something is to tell them they are not allowed to.

    • I agree completely. Blanket bans on all devices or software beyond the bare minimum ITS wants to support is going to do nothing but create circumventions. A lot of that circumvention will be done as surreptitiously as possible, probably improving the chances of problems down the road.

      A better approach is probably to allow employees to request exceptions, with explanation. For example, my personal laptop is currently plugged into my office. I do a lot of work on it and it travels with me when I go to mee

    • No Facebook, MySpace, or YouTube at my workplace. I don't think iTunes works either, but I haven't tried.

      Since our business has no use for those sites, they are simply blocked. Along with a host of others, including known malware sites of course.

      My field support days often included long and tedious recoveries from users 'needing' Limewire so they could sync their music at work. No, they don't read the warnings, so when they got pwned they feigned ignorance.

      And at my current employer, since they provide t

      • Arguments that you 'want' to sync to your home system result in admonitions that corporate data is not to be on your home systems, in fact on nothing but provided corporate systems.

        Great. That means no webmail, no VPN unless you give me a company laptop, etc. Which means as soon as I'm out the door, work will wait until I get back. If the customers (either internal or external) don't like that, I can just tell them "sorry, company policy".

        • Hey, if you're expected to give more support than 9-5, office-time, then your company needs to give you the tools, eh?

          My corporate notebook does offer VPN access, which is very functional, and with that I can do everything offsite but walk over 2 rows and chitchat about the Packers. And we have managed IM for that. I'm expected to proxy through the corporate firewall for Internet sites, cause if I don't, and there is a compromise, I was warned specifically about this and I will be sitting in a courtroom.

  • Not a problem (Score:5, Insightful)

    by smooth wombat ( 796938 ) on Tuesday September 30, 2008 @11:08AM (#25205629) Journal

    We block certain website groups (adult, gambling, games, etc) by default and everyone must go through our proxy to the outside world. Web logs are checked throughout the day and those who try 30 different ways to get to boobsgonewild.com are reported.

    Most people have only User permissions so they can't install something and we regularly do sweeps of unapproved software on those people who do have admin privileges. I'm the one who generally gets the call to remove the software. We also check for firewalls on PCs and other software which can potentially bypass our firewall or hide the user.

    As far as electronics are concerned, the worst we have are people using fans or heaters, depending on the season.

    Not sure what the big deal is. These are just basic network security measures which any decent admin should do and have set up.

    • Re:Not a problem (Score:5, Insightful)

      by MobyDisk ( 75490 ) on Tuesday September 30, 2008 @11:23AM (#25205867) Homepage

      I don't see why some IT departments bother to block web sites. It is a double-edged sword, and both edges cut against the company.

      On one hand, if employees are visiting porn sites on company time, they should be fired. Set up a proxy, trap it, and get them out of there. Don't block them, and keep an unhappy unproductive employee around.

      Second, if small things like checking the sports scores, or stocks, or news is what keeps them happy at work, then don't waste resources trying to stop them. Their boss has measures to determine if an employee is wasting time - let those measures work. If you want to keep logs of how often they do it, then fine. But don't try to block them because ultimately you can't. You can't stop them from talking about it at the water cooler or checking the scores on their cell phones, or bringing in magazines and newspapers. It isn't the IT department's job to police social behavior in the office. That's their boss's job. Often times these types of activities lead to comradery like the after-work fantasy football league. It bonds the employees and makes them more stable.

      • Re:Not a problem (Score:4, Informative)

        by smooth wombat ( 796938 ) on Tuesday September 30, 2008 @11:36AM (#25206057) Journal

        if employees are visiting porn sites on company time, they should be fired.

        Absolutely agree. However, working for the government, the union will not let you just fire someone. You have to document everything from now til Tuesday, give them a warning, note it in their file, THEN bring action at which point the union makes all kinds of excuses for why the person shouldn't be fired.

        I know for a fact that there was someone who, every day, was trying to get to dozens of different adult sites for 20 minutes at a time. Supposedly it was all documented and sent on to the higher ups but the guy still has a job. Whether it wasn't pursued or the union found an excuse to keep the guy, I don't know. If it were up to me, anyone trying for more than five minutes should get auto-fired. No appeal.

        It's one thing to accidentally type in a wrong address or click a link without looking (I did that recently) but the logs will clearly show you left the link quickly once you realized your mistake. It's another to see the same person day after day trying to get to slutsrus.com.

        if small things like checking the sports scores, or stocks, or news is what keeps them happy at work,

        We don't block those kind of sites. SI, MarketWatch, CNN are all perfectly accessible. Even overseas web sites are accessible. I look at two Japanese sites and the BBC and there is someone here who checks a Chinese-language site daily. The only ones we do block are what are considered time wasters (games, chat rooms, etc).

        Some places are more strict, others more permissive. It all depends on the agency. I think the policy in place here strikes a good balance between letting people check news and such while limiting time wasters.

      • I have no problem giving users access to something like iGoogle, or my.yahoo. We log how much time they're connected to non-intranet sites, and if this gets excessive, we notify HR. However, it is CRITICAL that we block access to any unapproved URL. Not doing so is a huge security risk for more reasons than I can count.

        If the site is safe, it takes about 10 minutes for a helpdesk ticket to be filed, approved, and that site added to a white list. It's easy to log how much time they spend on these sites,

    • by ccguy ( 1116865 ) *
      Your company seems like a joy to work for, where do I send my CV?
    • Re: (Score:3, Insightful)

      by Just Some Guy ( 3352 )

      I guess I'm lucky to work for a more enlightened company. Our policy is simple: we're all adults with a job to do, and as long as you do it efficiently without causing problems, nothing else really matters. Honestly, I'd hate working for your employer and probably wouldn't last a month.

      • Same where I work. We're all grown-ups. Do your job, meet your deadlines - the rest are details. Engineers are black boxes. Requests for work go in, results come out. Who cares what's in the box?

        I'm currently surfing Slashdot and watching ST:TNG from my USB drive while my compiler is doing its thing. Sometimes I'll open up a non-network connected VMware player image from my USB drive and work in a programming environment on personal projects.

        As long as I get my assigned work done why should they c

    • Or the company can ban nothing, hire more real workers to make up for the loss of productivity, and fire the IT people whose job it is to police the networks.
    • I remember downloading a program and having it get swept off my computer. Apparently they saw the word "Game" in app name and assumed I downloaded a game. When in reality it was a "game" hack type of program that allowed you to look into the contents of all the RAM and search for values, since the environment we were working with didn't give excellent debugging, and I just wanted something quick that I knew worked.

      The best part was... they left all MS games and there was this 1 person who played Solitai
    • by rtechie ( 244489 ) *

      We block certain website groups (adult, gambling, games, etc) by default and everyone must go through our proxy to the outside world. Web logs are checked throughout the day and those who try 30 different ways to get to boobsgonewild.com are reported.

      As other people have pointed out, you really shouldn't do this unless you're a K-12 school (or a library or similar), and that's just for liability reasons. You might block something important, users can get around this, it's a waste of money and time for the filtering software, and your employees WILL find other ways to waste their time. They can surf the web on their iPhones, for example.

      Most people have only User permissions so they can't install something and we regularly do sweeps of unapproved software on those people who do have admin privileges.

      If you think this prevents people from using "unapproved software" you're incredibly naive. Unless you have a whitelist

  • Hmm (Score:3, Funny)

    by LizardKing ( 5245 ) on Tuesday September 30, 2008 @11:09AM (#25205645)

    Looking around my desk I see the following electronic widgets that are mine rather than the company's:

    A pair of DEC Shark computers.
    A Sparc based luggable.
    Coffee percolator.
    Blender.

    As long as I got them checked out for electrical safety the system support people here were fine with it, and this is nothing as compared to some of the stuff I saw at a big dot.com that likes exclamation marks. One guy had a pinball machine in his cube, and another had a large tropical fish bubbling away while percolators were everywhere.

  • To solve the issue of personal laptops being connected to the corporate network, there needs to be some kind of server software where every approved device's MAC address is registered. When a non-approved device is connected, it will not be assigned an IP address by the DHCP server. This will cut 90% of the devices from ever being connected, since most lusers have no idea about MAC addresses, IP addresses, DHCP, and the fact that they can manually assign an IP address if they know the proper range. This doe

    • by thatskinnyguy ( 1129515 ) on Tuesday September 30, 2008 @11:23AM (#25205879)

      ...since most lusers have no idea about...

      you set up all computers used by lusers to boot

      What kind of attitude is this? You come off as a condescending PHB. All the other stuff is good but damn. That just put a bad taste in my mouth.

    • We have something like this too called DeepFreeze.
      It prevents permanent changes to the OS and no virtual Machines. We use it in the public library.

      • by genner ( 694963 )

        We have something like this too called DeepFreeze. It prevents permanent changes to the OS and no virtual Machines. We use it in the public library.

        Deep Freeze doesn't work for anything but a public console.
        It doesn't let you save anything to the drive. Your office drones need their word documents.

    • Using 802.1X with machine based authentication--requiring a certificate issued from your company CA, you can control which devices access your network. For anything that doesn't support 802.1X natively (printers, net cams, etc), you can white list the MAC on a port.
      • For anything that doesn't support 802.1X natively (printers, net cams, etc), you can white list the MAC on a port.

        Look at me! I'm a printer! Hack hack hack.
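
Added example (not part of the thread): the reply's point is that a per-port MAC whitelist trusts an address any device can claim. One defender-side check is to compare each DHCP request from a whitelisted address against what was registered for it: the switch port and the DHCP vendor class (option 60) the real device sends. The registry entries, event field names and sample events below are all constructed for illustration.

```python
"""Audit DHCP requests against a MAC allowlist for non-802.1X devices.

Everything here (registry entries, event fields, sample events) is
constructed for illustration; adapt the field names to your own DHCP
server and switch logs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    mac: str            # normalised: lower-case, colon-separated
    switch_port: str    # port the device was whitelisted on
    vendor_class: str   # DHCP option 60 value the real device sends


def normalise_mac(raw: str) -> str:
    """Accept aa-bb-.., aabb.ccdd.eeff or AA:BB:.. and return aa:bb:.."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(events, registry):
    """Return (event, reason) for every request that needs review."""
    by_mac = {r.mac: r for r in registry}
    findings = []
    for ev in events:
        try:
            mac = normalise_mac(ev["mac"])
        except ValueError:
            findings.append((ev, "malformed MAC"))
            continue
        reg = by_mac.get(mac)
        if reg is None:
            # Never registered: the case a DHCP allowlist already covers.
            findings.append((ev, "unregistered device"))
        elif ev["switch_port"] != reg.switch_port:
            # Known address, but not where the device was installed.
            findings.append((ev, "registered MAC on wrong port"))
        elif ev.get("vendor_class", "") != reg.vendor_class:
            # Right address and port, but it does not look like the
            # printer or camera that was registered.
            findings.append((ev, "registered MAC, unexpected vendor class"))
    return findings


# Constructed registry: locally administered MACs, made-up vendor classes.
REGISTRY = [
    Registration("02:00:00:00:00:01", "sw1/0/12", "example-printer-fw"),
    Registration("02:00:00:00:00:02", "sw1/0/14", "example-netcam"),
]

# Constructed events, as they might be joined from DHCP and switch logs.
SAMPLE_EVENTS = [
    {"mac": "02:00:00:00:00:01", "switch_port": "sw1/0/12",
     "vendor_class": "example-printer-fw"},          # the real printer
    {"mac": "02:00:00:00:00:99", "switch_port": "sw1/0/07",
     "vendor_class": "MSFT 5.0"},                    # unknown laptop
    {"mac": "02:00:00:00:00:02", "switch_port": "sw1/0/07",
     "vendor_class": "example-netcam"},              # camera moved, or copied
    {"mac": "02-00-00-00-00-01", "switch_port": "sw1/0/12",
     "vendor_class": "MSFT 5.0"},                    # printer MAC, Windows client
    {"mac": "garbage", "switch_port": "sw1/0/03", "vendor_class": ""},
]

if __name__ == "__main__":
    for event, reason in audit(SAMPLE_EVENTS, REGISTRY):
        print(f"{reason}: {event['mac']} on {event['switch_port']}")
```

A client that also copies the vendor class passes this check, so treat it as a tripwire on whitelisted ports rather than as authentication.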

  • I know when I am at work, I am supposed to be working. Nevertheless, there really doesn't need to be an all or nothing policy as it improves employee morale to allow some personal flexibility in the workplace. I know my company tries very hard to lock things down, and yet does allow some off-topic internet browsing (Slashdot, right now for example) and the occasional personal telephone call. They are, however, quick to remind us that the electronic networks to which we connect are a) company property and b)

  • Problem solved. I thought this was standard operating procedure in most corporate IT shops by now anyway.
    • Associating MAC addresses with specific switches and addresses on the DHCP server is precisely how my place does things. It means that even if someone does sneak in their laptop, plugging it into a network socket is going to result in no connection. Compare that to when I was on site as a consultant at a very large investment bank last year - they had personal wireless access points and laptops all over company network. Some of the company access points were unsecured while the personal ones were brought in

      • My girlfriend got a job as a sysadmin at a new media agency by pulling out her Tungsten C and cracking their wireless networks right there. "You need these secured." One of her first jobs was to run Ethernet everywhere and keep one very locked-down wifi in the conference room.

        (They got wifi everywhere cos it was l33t and k3wl and stuff. And it was several networks all on channel 6, as were the ones for other businesses on the floors above and below that were interfering. FAIL.)

      • Why do things the hard way? Active Directory + Radius + 802.1x would simplify things quite a bit for you. It's also much more secure.

      • by Nutria ( 679911 )

        Compare that to when I was on site as a consultant at a very large investment bank last year - they had personal wireless access points and laptops all over company network.

        With lax internal controls like that, is it any wonder that so many banks have collapsed?

  • Ten years ago it was a topic, has anything changed recently that makes this a less exhausted subject? Whoever thought up this "round table" idea doesn't have enough to do I guess.

  • "Reminds me of when I worked in IT support: no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it. Frequently they even asked us to help them do it."

    1. Users WILL attempt to install stuff
    2. If they can't, they will eventually give up

    However, if they manage, then they will push for more and more stuff, and demand support for stuff they never should have installed in the first place.

    Surely they should

    • Re: (Score:3, Insightful)

      by eagee ( 1308589 )
      Yea, try locking down the computer in a software RND department. If you succeed, you'll most likely have trouble keeping them around. IMHO there has to be a balance between security and freedom. Some security risks need to be a cost of doing business in order to keep your employees happy. I know if I couldn't read slashdot - I'd have a serious morale problem.
    • by ccguy ( 1116865 ) *

      1. Users WILL attempt to install stuff 2. If they can't, they will eventually give up

      I'm afraid you have it wrong. They WILL attempt to install stuff and one of these will happen

      a) They will succeed
      b) They will fail but break something serious in the process (by booting from a special CD from a friend or something like that)
      c) They will fail but find some decent-work around
      d) They will tell you to fuck off and find a better place to work
      e) If they are incompetent enough to do a, c or d they will g

  • Netbook (MSI Wind): EUR400
    3G Modem (O2): EUR19.00 + EUR20.00 per month

    Problem solved.
  • If I had a nickel for every time I absolutely had to install Real Player or get someone's personal camera to work with their work computer and it was a "life or death" situation, I would have enough money to buy lunch at London New York.
  • by eagee ( 1308589 ) on Tuesday September 30, 2008 @11:18AM (#25205791)
    To quote Einstein: "The prestige of government has undoubtedly been lowered considerably by the Prohibition law. For nothing is more destructive of respect for the government and the law of the land than passing laws which cannot be enforced. It is an open secret that the dangerous increase of crime in this country is closely connected with this."

    The same kind of thing applies in a corporation. You don't want to lower morale, and you especially don't want employees to lose respect for your policies. That certainly poses more risk to the success of an organization than connecting your iPhone to the wifi network.

    Maybe a better solution would be investing in IT infrastructure.
    • Re: (Score:3, Interesting)

      by jimicus ( 737525 )

      The same kind of thing applies in a corporation. You don't want to lower morale, and you especially don't want employees to lose respect for your policies. That certainly poses more risk to the success of an organization than connecting your iPhone to the wifi network.

      Maybe a better solution would be investing in IT infrastructure.

      It's a bit awkward in IT. Hey, it's always a bit awkward.

      You let everyone install anything they like and do whatever they want -> Congratulations, you've just been picked for BSA Raid of the Month! (In some countries, directors are criminally liable so you have to take it seriously) With extra interest from the PRS if MP3 files are found!

      You let nobody install anything -> well, the implications depend entirely on the role of the end user. If the PC is being used by someone in a call centre, this i

  • by Kohath ( 38547 ) on Tuesday September 30, 2008 @11:23AM (#25205871)

    When IT doesn't serve the users, the users have to be their own IT. Users are bad at it and it causes problems.

    The answer is to stop saying NO when users ask for reasonable (non-harmful) things. Help the users instead of trying to make your own job easier.

  • Symantec would be happy to sell you some sort of "proactive compliance solution" to address this deep and serious problem that they were nice enough to convene a roundtable about.
    • by jimicus ( 737525 )

      Symantec would be happy to sell you some sort of "proactive compliance solution" to address this deep and serious problem that they were nice enough to convene a roundtable about.

      Yep. Symantec Endpoint Compliance.

      They've basically taken the antivirus product as far as it's possible to go so now when you buy the corporate version you get centrally managed antivirus, firewall, intrusion prevention and a certain degree of management over what devices may be plugged in and what software (if anything) may be executed.

      Most of this can already be done with Group Policies in Active Directory so unless you haven't got AD or anything analogous to it, I can't really see what the benefit is.

  • Nice thing of us having an all Mac office (even better would be Linux) is that users generally don't have compatible software, so employee installations are at a minimum.

    On a few of our networks we have a wifi outside of the internal network which could be connected, though we provide enough computers so they should not require that.

    I think part of the thing admins should look into is why are they wanting to connect their stuff or install software. If there is a valid unfilled need, then that should be addr

  • At work right now so I guess I'm a bit of a hypocrite, but anyways...

    You'd be surprised the crap people try to get away with at work. I work at a college and we have several computers on mobile carts with projectors for class lectures. I do the immediate repair and updates to the systems and I've found registry scrubbers, online gambling software, chat programs, itunes downloads, and all sorts of shady things that shouldn't be on the systems. They aren't even the professor's office systems. These are only us

    • These are only used during class. What could they possibly be doing while students are there in front of them?

      I believe the cleaning crew are the culprits, not your profs. They get physical access everywhere, so they feel every computer is theirs to use at 3AM.

  • by scorp1us ( 235526 ) on Tuesday September 30, 2008 @11:43AM (#25206137) Journal

    Just give them VMPlayer and a XP/SP3 image that is only like 5 gigs and they can install whatever they want.

    Then lock down the company machine.

    If something goes wrong with the VM, just give them a new one. Sorry, but there is no support other than that. If they lose stuff in the VM, then that's not your problem.

  • by jonnyj ( 1011131 ) on Tuesday September 30, 2008 @11:50AM (#25206221)

    We're already there in the UK Financial Services industry. Earlier this year, the FSA (our financial regulator) issued a report on best practice [fsa.gov.uk] that, amongst other things, recommends that

    • organisations should work on the assumption that staff do not know what the firm's policies and procedures are
    • staff handling customer data should not be allowed to have mobile phones or personal belongings at their desks
    • staff should not have access to external email or the internet unless there is a genuine business need
    • all USB ports should be disabled so that only approved, encrypted devices will work

    If you're in the industry and doing less, expect regulatory sanctions if anything goes wrong. It's time to get tough on slack security.

  • The problem is that already taxed desktop support teams are going out to fix problems that would have never been caused if the application had never been installed. If there is a bona-fide need for a particular piece of software, IT should acquire, test, and support it.

    As a state institution, we had employees go out and buy various smart-devices all of which ran proprietary "push" clients; some of which worked well, others not, others securely, others non-securely. The issue was we had literally hundreds of
  • Then companies must institute the converse policy too: "the company cannot contact you using an electronic device outside of regular work hours." No phoning, email, computers ...
  • I mean, we do not allow people to send email using any outlook client, but that's for obvious and technical reasons. We first tried to enforce this by policy since I sort of expect people to obey policy. We had one guy who insisted on using it no matter how many times I told him not to. So we explicitly disallow it at the server. Along with this we disallowed common non-encrypted services like windows shares and the like.

    However, what's the hatred of IM services? I mean, this sort of thing is a social probl

    • However, what's the hatred of IM services? I mean, this sort of thing is a social problem not a technical one. The only reason you would usually try to keep a lid on it is if you supposed employees were wasting their time, and this is a problem for HR or management, not the IT department. If it's simply a matter of installing unauthorized software then you have two choices from a technical point of view, authorize it or disallow users installing software using a technical solution. If your platform does not let you have this kind of control then you're using the wrong platform for the kind of control you seek.

      Your homework assignment for tonight: set up a yahoo messenger account, set up pidgin on a machine that's on 24/7, walk away for 24 hours.

      If you can count the number of virus-wielding chatterbots that have messaged you on one hand, then please see a doctor about the extra twenty digits you've somehow acquired. Internal IM is nice, but even then it can quickly become a productivity drain.

  • The answer is, you really have to design your systems in a secure way so that some new kid can plug in his iPhone and not cause havoc. It's a totally new world and I'm even trying to get used to it. Feeling like a fuddy-duddy in your early 30s is scary sometimes.

    I work in the client-side computing world, taking care of standards-setting for client systems in a large company. For the most part, gone are the days of an IT department absolutely mandating configurations and software choices. Even if you try, pe

  • There's a discussion like this every few months on /., and it almost always boils down to the same argument:

    "I can be trusted to do anything I like on a PC, therefore everyone in the company can be trusted to do anything they like on a PC, therefore locking them down achieves absolutely nothing and it pisses everyone off. Hell, don't even bother putting any software on them - just hand them out as they left the factory and let end-users do that. Much easier than having to wait for someone from IT to come

  • by darkpixel2k ( 623900 ) on Tuesday September 30, 2008 @02:10PM (#25208097)

    no matter how many times we told users they weren't allowed to install ICQ, or to connect their personal laptops to the corporate network, they insisted on doing it.

    We're not assholes about IT like you are apparently. We tell them "sure, bring in your personal laptops". The switches run 802.1x. If your computer hasn't been issued a certificate, you get an internet-only connection which blocks outbound SMTP, and monitors your traffic with SNORT. If it appears you have a virus or are passing bad traffic, you get blocked.
