All Laptop Work Environment

veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
Do any of you have an all-laptop environment like I do? This has been my experience so far:

Benefits
  • Users can work from home when it becomes necessary.
  • Users can take them on travels, or overseas.
  • Very rarely do we end up doing physical repairs beyond replacing a laptop, replacing a HDD, or swapping/adding RAM.
  • I get a laptop ;)
Negatives
  • They use them from unprotected connections and bring back viruses to our network.
  • They drop them.
  • Somehow they drop large objects on the keyboards
  • Lenovo docking stations leave much to be desired. They do some really weird things...

We support upwards of 7500 laptops company-wide.

Edit: Not asking for help or anything, just curious if anyone else has this kind of environment.

Comments

  • earweed Member Posts: 5,192 ■■■■■■■■■□
    As far as the first negative goes maybe you could recommend that your work implement some type of NAP where the Laptops must have updated AV before being allowed to access the regular network.
    Basically using all laptops for work leaves the company open to people damaging those laptops.
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    earweed wrote: »
    Basically using all laptops for work leaves the company open to people damaging those laptops.

    Well, our part of the company works exclusively with government projects so there can be a lot of moving going on. In the short time I have worked here I have seen people move from one office to another at least three times. Many of our users travel overseas, and some FOB (Forward-Operating-Base) hop. For the most part I think laptops work best for what we do.
  • forkvoid Member Posts: 317
    Laptops drive me nuts, for the reasons you listed. And a lot of people that have them don't need them. They leave them in the docking station, never removing them, but always insist they need a laptop.

    On the total opposite end of the spectrum, I'm moving to an all-thin client environment. It will rock.
    The beginning of knowledge is understanding how little you actually know.
  • shodown Member Posts: 2,271
    Last few places I have worked over 90 percent of the workers had laptops for business continuity reasons and telecommute. Even when I worked on a large DOD network the unclass portions were laptops. User awareness is key. Also getting good durable machines.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
  • steve_f Member Posts: 97 ■■□□□□□□□□
    In a large company, health and safety guidelines will mean you have to provide docking stations to all laptop users.

    Laptops can have their wifi disabled and their proxy server details locked down so users can't surf the net except when connected to the corporate VPN.

    It also makes it easier for people to take data out of the company, and to bring undesirable data in. Port locking/encrypting may be required.
  • Plantwiz Mod Posts: 5,057 Mod
    And not picking on you...just adding to the conversation as you were merely inquiring about this matter.

    The one point that bugs me is this one:
    (and not because of you, just commenting on the neutral listing)
    Benefits
    • Users can work from home when it becomes necessary.

    Why do folks feel they NEED a notebook to work from home? I've not met someone who 'works' from home who doesn't have one or two workstations at home already that could be used (one's usually for the 'kids', but that leaves the 2nd unit).

    Or is there a trend of folks not buying items for home use and only using company purchased items (phones, notebooks, etc..) for leisure time use too??


    And like veritas_libertas, I'm not looking for a direct reason, but desiring to learn if/how others' experiences are with this sort of company product usage?

    **note: sometimes it is a 'perk' to be permitted to use phones or notebooks on personal time so long as you are not exceeding limits and such.**
    Plantwiz
    _____
    "Grammar and spelling aren't everything, but this is a forum, not a chat room. You have plenty of time to spell out the word "you", and look just a little bit smarter." by Phaideaux

    ***I'll add you can Capitalize the word 'I' to show a little respect for yourself too.

    'i' before 'e' except after 'c'.... weird?
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    Plantwiz wrote: »
    Why do folks feel they NEED a notebook to work from home? I've not met someone who 'works' from home who doesn't have one or two workstations at home already that could be used (one's usually for the 'kids', but that leaves the 2nd unit).

    Or is there a trend of folks not buying items for home use and only using company purchased items (phones, notebooks, etc..) for leisure time use too??


    And like veritas_libertas, I'm not looking for a direct reason, but desiring to learn if/how others' experiences are with this sort of company product usage?

    I think the major reason is that laptops have to be encrypted, "whole drive" encrypted. We want to control how the computers that store the information are used.
  • forkvoid Member Posts: 317
    Plantwiz wrote: »
    And not picking on you...just adding to the conversation as you were merely inquiring about this matter.

    The one point that bugs me is this one:
    (and not because of you, just commenting on the neutral listing)
    Benefits
    • Users can work from home when it becomes necessary.

    Why do folks feel they NEED a notebook to work from home? I've not met someone who 'works' from home who doesn't have one or two workstations at home already that could be used (one's usually for the 'kids', but that leaves the 2nd unit).

    Or is there a trend of folks not buying items for home use and only using company purchased items (phones, notebooks, etc..) for leisure time use too??


    And like veritas_libertas, I'm not looking for a direct reason, but desiring to learn if/how others' experiences are with this sort of company product usage?

    **note: sometimes it is a 'perk' to be permitted to use phones or notebooks on personal time so long as you are not exceeding limits and such.**

    I've noticed this as well. Many of my clients are buying laptops for their staff so "they can work from home". But then I have to go to their houses to get them connected to their own wireless... and lo and behold, there sits a brand new desktop in their home office.
    The beginning of knowledge is understanding how little you actually know.
  • apena7 Member Posts: 351
    Plantwiz wrote: »
    Why do folks feel they NEED a notebook to work from home? I've not met someone who 'works' from home who doesn't have one or two workstations at home already that could be used (one's usually for the 'kids', but that leaves the 2nd unit).

    Because personal desktops and laptops are outside the scope of the duties performed by a typical IT support department. Companies find it easier to issue laptops to employees rather than have them use their own personal systems. I think the reason for this is that company-issued laptops are usually locked down and you can't install your preferred Internet browser, anti-virus, or CoD game. By limiting which applications are installed, it's MUCH easier and faster for the IT folks to troubleshoot software issues that arise. Besides, what happens when you're troubleshooting someone's personal laptop and the hard drive conveniently dies? Is the company going to replace a hard drive for someone's personal laptop out-of-pocket? Veritas made another good point about whole disk encryption. It's pretty much standard practice if workstations are going to be used outside the walls of the office.

    So that's my theory - standardization and liability.
    Usus magister est optimus
  • forkvoid Member Posts: 317
    apena7 wrote: »
    Because personal desktops and laptops are outside the scope of the duties performed by a typical IT support department. Companies find it easier to issue laptops to employees rather than have them use their own personal systems. I think the reason for this is that company-issued laptops are usually locked down and you can't install your preferred Internet browser, anti-virus, or CoD game. By limiting which applications are installed, it's MUCH easier and faster for the IT folks to troubleshoot software issues that arise. Besides, what happens when you're troubleshooting someone's personal laptop and the hard drive conveniently dies? Is the company going to replace a hard drive for someone's personal laptop out-of-pocket? Veritas made another good point about whole disk encryption. It's pretty much standard practice if workstations are going to be used outside the walls of the office.

    So that's my theory - standardization and liability.

    VPN and Citrix/Terminal Services pretty much solves it. All work is done on company servers. If you can't connect to the VPN or launch Citrix/RDP, you find yourself a tech outside of the company.
    The beginning of knowledge is understanding how little you actually know.
  • Plantwiz Mod Posts: 5,057 Mod
    I think the major reason is that laptops have to be encrypted, "whole drive" encrypted. We want to control how the computers that store the information are used.

    Ok I buy that, but if users are merely hitting the work server through the portal? Everything they 'need' is on the server.

    And apena7 makes a good comment about HDD failure.

    I'm thinking with trends leaning toward cloud computing...who will be owning 'what' in the near future?

    Last year, I read a report in June (maybe May) that Desktops and Notebooks were dying out. Netbooks or other Portable Digital devices will replace all this bulk.

    And aside from the problems with screen size...I could get onboard with the thought that maybe, dual/trio screens will go away and/or maybe we'll dock our even smaller phones into what will be our 'workstations'

    I think we are a ways out from all this becoming 'mainstream' but I think we'll see more turn away from desktops to replace with portable devices that can dock.

    So, maybe down the road, HDD failure will be moot. Everything you need that is 'custom' will be in the clouds. We'll go back to our Terminal days (minus the monochrome CRT) and back to a boot device/disk (maybe USB key rather than a FDD)??

    But I have more to think about now....
    that HDD dying and who is responsible...(my money is on the end-user not the company) but it poses an interesting question ;)
    Plantwiz
    _____
    "Grammar and spelling aren't everything, but this is a forum, not a chat room. You have plenty of time to spell out the word "you", and look just a little bit smarter." by Phaideaux

    ***I'll add you can Capitalize the word 'I' to show a little respect for yourself too.

    'i' before 'e' except after 'c'.... weird?
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    forkvoid wrote: »
    VPN and Citrix/Terminal Services pretty much solves it. All work is done on company servers. If you can't connect to the VPN or launch Citrix/RDP, you find yourself a tech outside of the company.

    I'm going to say Apena7 is dead on and strongly disagree with that statement. I would only allow company equipment to establish any sort of connection back to the organization.

    A VPN connection puts that machine on the corporate network. Do you think home users are as diligent about updates, anti-x, software installation, etc. as the organization? Even if you segregate them off, only allow minimum access, and throw an IPS inline, you're still giving a potentially dangerous machine access to some services.

    What about Citrix/TS/etc.? Their machine isn't on the network in that scenario. If someone's machine is compromised, an attacker could be watching the user's every movement, key logging, and so on.

    What about physical security? Do you think it's easier to steal a device from a home or a corporation? Has the home user been cautious and encrypted the disk like the organization should? Does the computer lock after a period of inactivity? That's easy with GPOs. What happens if they just wander off for an hour at a library, coffee shop, etc.? It takes a matter of seconds to compromise a machine with a U3 USB drive.
  • forkvoid Member Posts: 317
    dynamik wrote: »
    I'm going to say Apena7 is dead on and strongly disagree with that statement. I would only allow company equipment to establish any sort of connection back to the organization.

    A VPN connection puts that machine on the corporate network. Do you think home users are as diligent about updates, anti-x, software installation, etc. as the organization? Even if you segregate them off, only allow minimum access, and throw an IPS inline, you're still giving a potentially dangerous machine access to some services.

    What about Citrix/TS/etc.? Their machine isn't on the network in that scenario. If someone's machine is compromised, an attacker could be watching the user's every movement, key logging, and so on.

    What about physical security? Do you think it's easier to steal a device from a home or a corporation? Has the home user been cautious and encrypted the disk like the organization should? Does the computer lock after a period of inactivity? That's easy with GPOs. What happens if they just wander off for an hour at a library, coffee shop, etc.? It takes a matter of seconds to compromise a machine with a U3 USB drive.

    You make very good points. It seems I did not think my scenario through entirely. I stand (very much) corrected. :)
    The beginning of knowledge is understanding how little you actually know.
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    forkvoid wrote: »
    You make very good points. It seems I did not think my scenario through entirely. I stand (very much) corrected. :)

    No worries, I wasn't trying to rag on you or anything. As always, it comes down to risk. If it's an extremely small organization that doesn't work with any sensitive data, maybe Log-me-in would be sufficient for remote access. With larger organizations and/or organizations that work with sensitive information, having just a single user do something stupid/careless could have detrimental consequences.
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    dynamik wrote: »
    What about physical security? Do you think it's easier to steal a device from a home or a corporation? Has the home user been cautious and encrypted the disk like the organization should? Does the computer lock after a period of inactivity? That's easy with GPOs. What happens if they just wander off for an hour at a library, coffee shop, etc.? It takes a matter of seconds to compromise a machine with a U3 USB drive.

    Agreed, this is why we will be moving over to full encryption for all devices both internal (HDD) and external (USB devices). Government regulations more than corporate concerns have driven this move. The cool part is that a coworker and I are the points of contact for Whole-Drive Encryption. I also got to head up the latest upgrade and create the policies for the software. I never thought that I would get this kind of security experience in a Desktop Support role :)
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    What are you using for encryption on that many laptops? Pointsec or PGP?
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    dynamik wrote: »
    What are you using for encryption on that many laptops? Pointsec or PGP?

    Pointsec now called Checkpoint Endpoint Encryption. Yikes, tongue twister...
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    Pointsec now called Checkpoint Endpoint Encryption. Yikes, tongue twister...

    Awesome, I was going to slap you if you said Truecrypt*.

    How do you like it?

    *I love TrueCrypt and use it personally, but you run into manageability issues when working with a large number of devices.
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    dynamik wrote: »
    Awesome, I was going to slap you if you said Truecrypt*.

    How do you like it?

    *I love TrueCrypt and use it personally, but you run into manageability issues when working with a large number of devices.

    LOL, yeah you can't exactly centrally manage TrueCrypt ;)

    Since we got the new version I like it. The old version could be flaky, and would corrupt the SYSTEM file at times. The new version works well and since we are using it with the Integrated Windows feature we don't have to worry about SSO (Single Sign-On) problems.

    The only other problem we will be having is with the 7.4 and our new Core i5 laptops that don't play well with Endpoint 7.4. While testing it we found out that there is a 30 second delay between the Endpoint boot-up and the Windows boot-up. We have been forced to downgrade to Endpoint 6.3 until a patch is made for it this month.
  • zerglings Member Posts: 295 ■■■□□□□□□□
    McAfee bought SafeBoot. That's what we use for our laptops.
    :study: Life+
  • Pash Member Posts: 1,600 ■■■■■□□□□□
    zerglings wrote: »
    McAfee bought SafeBoot. That's what we use for our laptops.

    Same here.

    This is the problem with laptop-only environments though. I used to have a nightmare rolling out packages that required a reboot midway through to laptops in the environments. You can't just flag pre-boot authentication off when you are rolling out apps, which always seemed inconvenient to me.

    Cheers,

    Pash
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.