March 08, 2008
More on whether or not to open up PCs
Dear Bob ...
I've read your recent article concerning the PC at work vis-à-vis the PC at home ("The portal," Keep the Joint Running, 2/25/2008).
Needless to say as a support technician dealing with the users in a corporate environment, the idea of the PC as a portal is not only a bad one, it merely throws wide the barn door to a series of problems and issues. And opening up the PC for the users leads not to a portal, but a black hole that sucks away time and energy from both the user and the technician who has to support the systems.
Let me give you a good example. Our systems are locked down so that the users cannot install whatever software they wish on the machines. The reason and rationale for this is because of the cost of maintaining and repairing the machines when (not if, when) the user causes either conflict with existing company packages or incompatibility with the same packages.
The need for maintaining a common software platform is to provide ease of maintenance and lower the cost of support. Yet when we do allow the user administrative rights (either via local rights or via a software server that elevates rights prior to installing software) the user will put all kinds of software on the machine that has nothing to do with the business. Media players, browser plugins, screensavers and other downloads will appear overnight, springing up like the fungus that they are.
When the machine starts having problems, it's your responsibility to fix it, but mention removing the problem software and they'll scream they need it.
You also mention 'work/life balance.' Oddly enough, I may be an exception to the rule, as when I leave work for the day, I LEAVE work. As in, I leave whatever problems, issues, projects, documentation, etc. at my desk where it belongs, and enjoy my evenings, weekends and vacations without having to answer emails, phone or text messages about work issues.
I don't want to be bothered when the idea is for rest and relaxation, and actually despair at my co-workers who absolutely have to bring their work home with them. That portal is a ball and chain, erasing their personal life and replacing it with a madness that typifies today's society.
Central IT provides a core set of procedures and products that every user in a company has. You don't want the users to be going down to Costco to purchase those PC's as they'll come back to you demanding support for their problems, their mistakes and failures.
Because I'd tell them 'you bought them, you support them. Oh, and figure out how you're going to get the company software on them, as we won't let them on the network otherwise.' Letting the users go where they want, install what they want, do whatever they want only leads to madness.
Please have exact change ready if you're going that route.
- Support tech
Dear Tech ...
I'm not recommending that users view their PCs as portals. I'm reporting it.
I'm not advocating a wide-open free-for-all either. I'm pointing out what should be obvious to everyone in IT. The reason it isn't is because of the tendency most of us have to look at the world through our own eyeballs instead of the eyes of the people we need to communicate with.
What I'm asking you and my other subscribers to do is to forget all about how inconvenient and costly it all is, and instead to think about the world as end-users experience it. They go home, fire up their Costco PC (or whatever) which has, in addition to Office and e-mail, and AOL or MSN or whatever: The software they use to download digital photos from their cameras and edit them; Skype; various games; browser plug-ins; iTunes; PDA/Smartphone interface software; Quicken; and TurboTax.
Or whatever their list happens to be, and it all works together with no problems.
Then they go to work, where they have MS Office, Outlook, a browser with no plug-ins allowed, and nothing else. Knowledgeable people like you inform them it has to be this way because if you allow anything else it will all fall apart.
Then they go home, where it hasn't fallen apart. They don't feel like they dodged a bullet. They wonder about why you tell them something that's so counter to their experience.
This is the world IT is living in: End-users who find themselves using crippled technology at work compared to what they use routinely at home.
Just my opinion: IT's credibility is at stake. Providing an impoverished technical environment is why. Figuring out what to do about it won't be as easy as just locking everything down. That doesn't make it less important. Just harder.
- Bob
Posted by Bob Lewis on March 8, 2008 01:07 PM
- COMMENTS
They go home, fire up their Costco PC [snip] and it all works together with no problem
Really? 'Cause my users are always asking me for help with viruses, spyware, and messed up apps. And when I roll my eyes and remind them we went through this 2 months ago, they mutter that their kids "installed some stuff." That comes in handy if they have questions about why they need my permission to install software on their work machine.
(And that permission is usually granted. They understand the rules: I'm glad to help out, if I say no it's because I *know* there's a problem, and if there's an issue I reserve the right to back up their data and restore them to company default. I'll make a best effort to save their iTunes and iPhoto libraries, but no promises, and if I *do* save them it may be hours or days after I restore the stuff they need to do their job.)
Again, there's nothing wrong with a lockdown policy as long as exceptions are handled promptly and decisions are made on the basis of reliability instead of out of a fear that employees might be having fun while they work. If your IT department can't handle that, you have bigger problems than your desktop lockdown policy.
Posted by: Dave Pooser at March 8, 2008 11:54 PM
Dave,
Not all the users are like that. I know I certainly am not. At home I have a network of three machines, with a firewall and internet filtering (for the kids). AND none of my machines uses the "standard" windows that I am forced to use at work. But IT clings to its "one size fits all" approach; I can't choose the type of machine I'd like to use for work. I would choose a MacBook Pro, not some cheap bargain basement machine and I would administer and secure it myself and do just fine.
But IT would stop me. This is where the bureaucratic mindset of modern IT departments would raise its head. I would face no end of excuses and explanations as to why they couldn't accommodate my preferred computing environment. Some of them would be reasonable, but here's the rub that follows on what Bob is talking about, many of their reasons for not allowing me to use whatever I like would be in the form of condescension and ridicule.
But what all the discussion on this does for me is reinforce what Bob is saying. IT is so wrapped up in their culture of control that they don't realize that people don't WANT to do their work based on IT's rules. And as much as IT wants to say people would screw this up, they really don't know what will happen because they don't even want to try it. (I know you get people asking you to help them with their own machines, but think about it, what percent of users really ask you to help them with their own machines, it's a really small per
Posted by: Jason at March 9, 2008 05:02 PM
I have been following the issue of PC User policies with interest (I am involved in support).
The issue gets down to this; buy-in at the most senior levels, and (related to this), the budget to do this.
For example, let’s say for any given hardware/software combination each bug particular to that configuration takes 5 man-hours to diagnose and 1 man-hour to correct. If each particular hardware/software combination has 10 bugs particular to it, a new model would cost 60 man hours to de-bug and have it working properly.
So the cost of a new computer model is 20 man-hours a year (assuming a particular model is used for 3 years). Let’s change this to 20 different models (we will assume they are all “business class,” identical parts inside). It now costs you 400 man-hours to get these computers business ready (Note: this does not take into account bug issues with various software combinations).
So here is the question to the CEO: Will you authorize a 2,000% increase in labor budget so employees can choose their own computer?
Jason,
I'll assume that you are as technically adept as you state. The problem is that for everyone that is, there are several more that claim to be, but aren't. Unless IT begins testing for its users, they have no way of determining who really knows their stuff, and who is just saying they do. Because there are many a user that have no idea what they are doing with their PCs. It's been a few years since I've been on the support "front lines" but I can recall one particular company where the IT director decided that we would look at employees' personal PCs "if we had time". In this office of 90-100 employees we had 2-3 personal PCs a month being brought in.
I find myself somewhere on the middle for this issue, as I can't agree with Dave completely either. The idea of addressing the work/life balance and home use issues by simply stating that they should take his approach of leaving work at work is exactly the type of dictatorial support that gives IT a bad name.
Posted by: Shawn at March 10, 2008 06:03 AM
I would be willing to compromise. I'll let users have a more open, 'portal' PC, when they can prove a demonstrable understanding of the workings of said PC to achieve the level of security necessary to integrate into the corporate network. A home-admin like Jason wouldn't have a problem, and the rest of the users too lax to even bother reading this whole post could be kept from mucking up the system I have a fiduciary & legal responsibility for.
Posted by: Matt in Tallahassee at March 10, 2008 10:27 AM
Matt,
But should your IT staff be taking the time to test their users on their abilities? Not to mention then tracking who is allowed freedom and who isn't? What happens if you make a mistake? Taking away the freedom may lead to problems. Also I never want to be the IT rep that has to tell users that we've decided he cannot handle having his computer open, while his cubemate can.
Posted by: Shawn at March 10, 2008 01:20 PM
My desktop team of 4 field technicians (they do double duty answering the helpdesk phones) support 900 users and 1300 devices at our headquarters building. We have no AD (still NT4!) and therefore no desktop lockdown policies. Everyone is a local admin on their own equipment. And you know what? We do just fine! Granted, we make good use of tools such as Altiris Client Management Solution to help us out via automation. But, with only 4 headcount we keep the desktops running pretty smoothly, we keep viruses and spyware out (for the most part), and our customers still get to install what software they feel they need. There is no crushing overload of work, no astronomical increase in support costs. We get 4-6 after hours calls a week, mostly having to do with VPN troubles. We have our evenings and our weekends to ourselves, barring the occasional emergency.
I think this is a situation where common/traditional knowledge is wrong. Traditional IT thinking tells you that opening up users to have local admin rights on their PCs would make the business come to a grinding halt. I am here to tell you that is NOT the case.
Now, having said all that, isn't desktop lockdown a Sarbanes-Oxley requirement? If so, wouldn't that make this discussion a moot point for publicly traded companies?
Posted by: Joel at March 10, 2008 01:39 PM
Corporate IT should champion pure web based applications for telecommuters. These web based apps should require nothing more than a functional browser and a decent internet connection.
Where non-web based applications must be supported by remote workers, they should use secure remote desktop access to their computer at work.
Another relatively simple concept is to provide corporate users with a dual boot capability - one partition that is locked down and the other for "wild" apps. The users must understand that they and their department are responsible for supporting their wild partition. If they call support, they will only get help on their locked down partition or restoring their wild partition to a "like-new" state.
Posted by: Tom Greenhaw at March 10, 2008 05:50 PM
Shawn, I talk to my users in person (gasp!) on their first day. I find out what they know, I ask them a couple of questions and it is quickly apparent if they know what they are talking about or not. Ask them to explain Subdirectories, in about 30 seconds you'll know if they know anything about PC's. Listen to their answer, grab the buzzwords they use, and quiz them on that, usually within about 3-4 minutes I know if I can trust someone or if they are going to be a pain. I admin. about 150 machines, all are OPEN with admin. access to the machine. I have approx. 1-2 problems per year with software/virus/etc. that causes problems. Maintain a list of 'NO-NO' software, if it's on the list and they install it they lose privileges. So Simple!
-Joe
Posted by: Joe at March 12, 2008 10:01 AM
Tom wrote:
> Corporate IT should champion pure web based applications for telecommuters. These web based apps
> should require nothing more than a functional browser and a decent internet connection.
I think this may be getting to the heart of it. I've consulted with many organizations (never in a support role). I've seen many internal fat-client apps developed with such terribly low quality practices that any change in the MS system DLLs will cause them to fail. I've seen them continue to install out-dated versions of 3rd-party apps that are bug-ridden and incompatible with just about everything else. Needless to say, their support costs were pretty high, even those that had locked-down desktops.
I've also seen organizations that only installed a browser, office suite, VPN and security suite (AV, firewall, etc) on the machines. They could access all the IT systems with a browser (usually IE). These organizations had very low support costs and very happy users. I'm guessing Joel works at a similar place.
Posted by: Chris at March 12, 2008 10:39 AM
A couple of posts here have come close to expressing my feelings on this matter, but none has done so completely. Therefore, here is my take on the situation.
SarbOx aside, the right policy depends on the type of people who work there; a software-development house could be expected to have people with a vastly different level of expertise from a general office.
In my own experience in a government agency, maybe 10% of users can be trusted to administer their own PC's. The rest are a danger to the computing environment. And you can't show favoritism to the trustworthy 10%. So (where I work) you have no choice but to lock down everybody to protect everyone from the 90%. If we had a different mix of users, it would be different, but you have to play the hand you're dealt, and those are the cards we've got.
I'm not in IT myself, I'm an end-user (one of the 10%), but I understand the issues that confront IT, and given our user mix, I have no problem with the occasional need to call IT to install something for me. Seeing through the other person's eyes works both ways, you know.
Posted by: Mike at March 12, 2008 10:48 AM
We recently switched from an 'All Users are Power Users' to 'All users have no more permissions than they need to do their job' policy. Currently we are going through the whining phase as users discover they can't always do the things they want to do. So far however, we've only had one situation where the user really had a legitimate need to do the thing that was blocked, and that situation was caused only because of an old piece of software that insisted the user needed full control over c:\windows.
What users fail to understand is that every unique thing they want to install on the company's PCs becomes one more thing that requires support. This holds true even if the unique software is free of malware.
Now we have users running to the boss crying because they can't possibly get any work done without their favorite toy. I've already told the boss that what he should do is tell those people that he'll grant an exception so they can have their toy, as long as they sign an agreement that the cost of any and all IT support the toy requires, or causes anywhere within our network, will be deducted from their paycheck. All of a sudden those people who claim they "need" things like bittorrent and AIM decide that maybe they don't need it so bad after all.
Posted by: Steve at March 12, 2008 11:08 AM
I think we are trying to compare extremes and generalize from there.
In my opinion, the wide core of corporate users do need cookie cutter machines. I too see many IBP's (Indiscriminate Button Pushers). At the same time I see many IT policies ready to install tools once they become obsolete. If you are going to tightly control computing resources, you had better have somebody keeping a close eye on trends, rolling out new tools and updates as they reach market maturity rather than when they are nearly dead.
There will also be knowledgeable corporate powerusers. These folk should have an opportunity to select their own tools, but also be willing and able to provide most of their own support.
Corporate powerusers should be held accountable to maintain minimum corporate ethics to go hand in hand with this greater freedom. And might I suggest, be required to provide factual feedback to IT about the products they use?
Posted by: Jim Johnson at March 12, 2008 11:23 AM
Government agencies don't have Sarbanes-Oxley, but, as a state educational institution, we have amazing state security requirements. Our state ethics policies forbid any personal use of state-owned equipment. FERPA (assuring privacy of student records) parallels HIPAA. Explaining, and enforcing such requirements doesn't fit with opening up systems. Faculty and staff see IT as the bad guy. I'm looking through these discussions for any ways to adapt.
Posted by: Harriet Wasserman at March 12, 2008 11:49 AM
I'm probably one of the younger ones around here (at the "old" age of 30), but I grew up with the idea that the role of central IT was to provide service and support to ENABLE the end user to do their job.
I would propose the following:
1) all new computers / devices that show up on the network load up into an isolated (ie no internet access) "sandbox" network.
2) all new employees only get access to that sandbox network
3) Quarterly / new hire computer awareness training sessions that all employees are required to participate in twice a year (4 offerings, attend 2). The focus of this training would be to update employees on new threats and general computer security.
Once they've completed their training, then they would get access to the Internet and be reasonably trusted with their equipment.
Instead of beating the end users down into submission, why not build them up so that they know what they're doing?
Posted by: Michael Briggs at March 12, 2008 12:38 PM
"Or whatever their list happens to be, and it all works together with no problems."
I am so happy that I am going to be rich. You see, I appear to have discovered cheap space travel. I seem to be on a different planet than you, though I am sure I started on Earth. Oh, rats! It just occurred to me that you might be the one on the different planet.
No problems?
I confess to doubting your word.
I don't quite understand the need for a corporate network. It used to be a good idea but now folks _need_ to get on the internet anyway so you might as well just worry about encrypting data back and forth and go all web apps. Drop the internal network except for external access out to your own web servers. Then only one pc gets infected, not everything on the entire network.
You do that and 'magically,' support costs drop whether people stay up-to-date or not. All their data is in the email or netapps and you reformat their pc. Done.
In any decent company the developers' desktop/laptop machines are completely open. The developers are free to install whatever they want and do all the support themselves. The IT provides the documentation on the typical procedures on the website, licenses and install media, and occasional advice but that's it. The developers themselves are responsible for their machines which are outside the IT scope. This really works best.
Posted by: Sergey at March 12, 2008 01:08 PM
I think Joel's take on this is right as well as illustrating one of the fundamental problems.
NT4??? I am sure that the company is running a business critical application, written in house by programmers that were not as experienced (read cheap) as competent staff could have been. Therefore the company is afraid to move forward for fear of breaking an application that is running and do not have any staff capable of updating or fixing the application if it breaks.
The other side is that when IT has a reasonable attitude users are quite good. Some explaining of what malware and appropriate downloads are as well as up to date anti virus and anti malware software and everything flows quite well.
It is possible to run even XP so that the user is not an administrator even with poorly behaved applications like MSAccess just by sussing out what the particular directory permissions need to be to allow the users to work with the bad app.
What I hear mostly is that IT doesn't want to deal with the end users. They want to hide in their cubicles and it becomes an us against them mentality on both sides. There is bad communication and end users start trying to break the rules out of spite.
Regards,
Chris
"For example, let's say for any given hardware/software combination each bug particular to that configuration takes 5 man-hours to diagnose and 1 man-hour to correct. If each particular hardware/software combination has 10 bugs particular to it, a new model would cost 60 man hours to de-bug and have it working properly."
Wow, Greg. Where do you buy your hardware and software? I can't imagine a scenario in which every time I buy a new PC I'm going to run into 10 bugs peculiar to that particular system. Nor can I imagine that the bugs I do find on rare occasion are going to require 6 hours each to diagnose and fix.
If that's your experience, you've got problems bigger than incompetent end-users. (And no, I don't mean that as a personal dig.)
Posted by: Marty at March 12, 2008 03:41 PM
How soon we forget even recent history! The PC revolution was initiated by the productive workers who bought Apple IIs and VisiCalc out of office equipment funds to get around an IT priesthood that was responsive only to a handful at the top of the organization. I remember a book by John Nevison taking the approach that it was easier to learn to program than to teach IT what you wanted. Networks bring back a priesthood, again, not dedicated to service, but to limiting the range of responses they need to give to people they can control. Thus we limit working style and solutions to those that can be imagined and supported by those who are not facing the problems.
Central corporate IT should keep its fingers and rules completely out of the despised end-user’s machines (beyond perhaps providing group rates on a minimal office software package). Groups of end-users should be funded to hire (and empowered to fire) their own support staff. A work group newly responsible for its own PCs and laptops might need one support person for every ten or twenty workers the first month or so. I’d expect that to decline rapidly to groups of two hundred or even a multiple of that. A company with a tech savvy work force might finally outsource the whole support effort for end users.
There is certainly a budget element to this approach -- but there is also a budget element to many other "niceties" that the company may also be offering (free snacks, corp discounts, etc.). I think Dave P's parenthetical comment nailed it, have a policy that states how many hours of free consulting/diagnosing the company will give before restoring to a standard image. This would immediately limit the budget amounts given by Greg ... but then, I don't really believe that these things are as linear as he suggests (which again brings up the issue of IT believability).
Posted by: John P at March 13, 2008 05:43 AM
While I was IT Director at a private school, I fought the idea of opening up the faculty Tablet PCs to them as local administrator for years before finally giving in. I don't regret it for a second. 90% or better of them either don't install anything or are cautious about what they install. Some still came to us for help or advice.
It was a major win in terms of perception of the department's willingness to help them do their jobs. And, it didn't increase our workload one iota.
We did have several key pieces of the equation handled well, however. We pushed out service packs and security patches. We ensured that antivirus was installed, functional, and updated daily. We declared right up front that we would try to help repair a munged system, but that we would not devote hours and hours to it. Once our support time crossed a certain threshold, we would refresh the image to a clean new one. We also automated backups of users' My Documents to the network. All of these pieces together made it not only feasible, but a very positive experience for all.
Tom, I like your idea of a "wild" and "controlled" set of partitions.
How about this twist:
Say you use Virtual PC to support these two areas? That way they could be used simultaneously and IT could control the degree to which they can communicate & share things like storage and network access.
We've been bought by a huge company that is planning on locking-down even our software development platforms -- however, we're also planning on using Virtual PC to let us developers have a "wild" machine at the same time the "tame" machine is hooked to "The Borg" network. So we’re going to be “god” on our “wild” virtual machines, while we manage our email and administrivia on the “tame” virtual machines.
"NT4??? I am sure that the company is running a business critical application, written in house by programmers that were not as experienced (read cheap) as competent staff could have been. Therefore the company is afraid to move forward for fear of breaking an application that is running and do not have any staff capable of updating or fixing the application if it breaks."
Well, that's only partially true. The reason we are still on NT4 is because our previous set of executives did not consider it a priority, and thought it was too risky versus the benefit, despite our best explanations. (After completing our assessment no applications were found to be dependent on NT.) Hence the budget and the project were never approved. We now have a completely new set of executives that have made the migration to AD our highest priority project. That migration is currently underway.
Posted by: Joel at March 17, 2008 06:13 AM
MarkP makes an interesting point.
Years ago, I supported a network of Windows 3.x systems. When I went to a system of uniform software images the support situation drastically improved.
The install image was NOT the be-all and end-all and was never treated or understood as such. It was a foundation upon which we added specialty software, as required. Many systems only needed the basic image, which was already quite fully featured.
The reason I mention this is that in those days, it wasn't even possible to lock down the local systems (at least not without esoteric 3rd party software). Only the network was secure.
Yet the system worked amazingly well. I never had to outright ban anything. The understanding was, if it wasn't business necessary, and seemed to be causing problems (or was just suspicious), that piece was the first to go. If troubleshooting couldn't get a solid lead in 20-30 minutes, then the system got reinitialized to the baseline.
In my experience, if you work with and listen to your clients, the vast majority will reciprocate. Even restrictions will typically be respected, so long as they don't think you're being lazy or have a hidden agenda.
However, for certain security related items, sometimes that has to be imposed. The reality is that security always comes at a certain price of ease of use and flexibility. Done well it's not much of a problem. Done poorly and you may have a mass revolt on your hands!
Posted by: Brian at March 18, 2008 11:53 AM
I'll take what Matt in Tallahassee says and go one step further:
I would be willing to compromise-- to let users have a more open, 'portal' PC, when there's a corporate culture/policy that creates/enforces an expectation that users will use their PCs carefully, and has an understanding that "self-inflicted injury" (e.g. spyware) is not considered a valid support emergency.
Posted by: PJ at March 26, 2008 08:07 AM