

An alternative is people install the software they choose to on the machines they're using. Optionally write a list of suggested programs down somewhere.

In that world, there is no central IT team pushing changes to machines and arguing with developers about whether they really need to be able to run a debugger.

I don't know how to keep windows machines alive. It's probably harder.


That is all well and good but how do you:

- Ensure the machines are up-to-date and users are not just indefinitely postponing OS updates?

- Same as above but with programs/software

- How do you ensure correct settings configuration in terms of security? Say default browser, extensions, program access etc?

- Re-image or reinstall the OS when there are issues or PC handover to another employee? Manually with a USB stick?

This kind of control exists and is needed for Linux and MacOS too. RMM is not a Windows only thing...

The critics here see Intune but what if they used another RMM and they compromised another cloud RMM account? Same issue.

Also, here there is no "arguing". They order the software from our portal and it gets pushed into Company Portal via Intune...

Write down a list you say... idk what to say. You have only worked for small startups I gather? Nothing wrong with that but please recognize that these types of limits and programs are not deployed for fun or to ruin your day.


I hear zero-trust is a trendy buzzword at the moment, so let's apply the basic idea here: having a hard shell and a soft and chewy center is not a security posture that works, in practice. You need to harden at every level. RMM uber-admin credentials are the ultimate soft center: you compromise those, you can kill the entire IT infrastructure. The only alternative is to distribute access: have multiple smaller IT teams that administer small parts of the system, with more 'central' roles providing services but not having full control of most machines. It's not a fun option, but it might also work a lot better if each team can actually adjust policies for the environment they're working in as opposed to trying to have one completely unified policy for an entire multi-thousand employee company. And, for critical systems, I would seriously consider the wisdom of having a remote 'wipe and reformat' button at all.

At a bare minimum, your backup systems should have a completely disjoint set of credentials from your main systems, stored and controlled differently, ideally by a separate team, if you have the resources.

(And the arguing becomes a problem when IT ceases to consider their job to be solving problems for users within some constraints, and just starts to consider their job to be enforcing those constraints. This also mixes badly with incompetence, which tends to turn everything into a tedious tick-box exercise that neither improves security nor solves users' problems. It's not a good time to have an IT department that can't resist any new security checkbox a vendor offers but can't figure out how to work any of their fancy tools to make life even the slightest bit smoother for their users.)


Can you, like I did, name a company or technology that works like this?

Companies use M365 or Gsuite. Go.

I can type words too, but they don't mean anything.

"Make it good zero trust wowo"


Everyone doing it doesn't make it a good idea. The big tech companies and governments are, I think, a little more paranoid about rogue admins, so they do at least try to limit the blast radius of any given credential, but almost no-one else has that level of maturity, which creates this pretty big chasm in the resilience of IT organisations as you go from small to large.

(There's also a certain irony about IT complaining that a change to improve security would mean they can't do their job as easily)


I think you do not understand what a massive undertaking even securing a tenant in GSuite or Office 365 can be. Plus networking. Plus end user computing.

On top of this you want companies and governments to make their own tools?

You have a vision... of something zero trust. Now make it and implement it. Oh, not so easy?

S3 buckets used to be open by default. Office 365 had MFA as optional for a looooong time. So things are improving.


Doesn't need to be their own tools. It's organizational and cultural, not a case of no-one makes the tools to enable it.


I, for one, don't really want employees to install video games, porn cam clients, torrenting apps, shady vpn clients, crypto miners, remote access tools, dns "optimizers" and more generally viruses on their work computers.


Not feasible when you have a fleet of 5000 devices and 15000 users, most of whom both roam locally and remotely.


It's annoying, but it's also grossly irresponsible to let dev machines get compromised. Regardless of which OS they are running.


On HN, if you have a valid point but get unnecessarily aggressive about it, people will downvote you for attitude. This mostly keeps the forum under control.


I am sorry, and I get carried away sometimes, but it is frustrating seeing comments from cowboy devs saying to just give everyone admin, have an Excel sheet of software, have people manage their own PC, and get rid of IT just because, as here, they got phished or breached.

That works for a 5 person company but not a 1000 person company. Or a 10 person company with 1000 machines.


I used to work in test automation for a huge company with terribly annoying IT. I can tell you for a fact that our entire department had well-developed workarounds for the most annoying policies. We even had a few Intune 0-days that we literally kept to ourselves to be able to do our jobs properly.

Because in the end, it wasn't IT on the line for their odious policies causing late delivery, it was us.


What was so annoying? Having to reboot for Windows updates/programs and MS Defender running?

Also, if the company is certified in some way there are audits for these things, you understand? Such as updates, backups, security, PAM, antivirus etc :)

Subvert these controls intentionally, especially security ones = bye bye. Logs don't lie. We see you.


We never got caught or fired. I won’t detail the 0-days we used because I’m pretty sure the team is still using them, but I can assure you that the logs DID lie.
