All Laptop Work Environment
veritas_libertas
Member Posts: 5,746 ■■■■■■■■■■
in Off-Topic
Do any of you have an all laptop environment like I do? This has been my experience so far:
Benefits
- Users can work from home when it becomes necessary.
- Users can take them on travels, or overseas.
- Very rarely do we end up doing physical repairs beyond replacing a laptop, replacing a HDD, or swapping/adding RAM.
- I get a laptop
Negatives
- They use them from unprotected connections and bring back viruses to our network.
- They drop them.
- Somehow they drop large objects on the keyboards
- Lenovo docking stations leave much to be desired. They do some really weird things...
We support upwards of 7500 laptops company-wide.
Edit: Not asking for help or anything, just curious if anyone else has this kind of environment.
Comments
earweed
Member Posts: 5,192 ■■■■■■■■■□
As far as the first negative goes, maybe you could recommend that your work implement some type of NAP where the laptops must have updated AV before being allowed to access the regular network.
Basically using all laptops for work leaves the company open to people damaging those laptops.
No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
veritas_libertas
Member Posts: 5,746 ■■■■■■■■■■
> Basically using all laptops for work leaves the company open to people damaging those laptops.
Well, our part of the company works exclusively with government projects so there can be a lot of moving going on. In the short time I have worked here I have seen people move from one office to another at least three times. Many of our users travel overseas, and some FOB (Forward Operating Base) hop. For the most part I think laptops work best for what we do.
forkvoid
Member Posts: 317
Laptops drive me nuts, for the reasons you listed. And a lot of people that have them don't need them. They leave them in the docking station, never removing them, but always insist they need a laptop.
On the total opposite end of the spectrum, I'm moving to an all-thin client environment. It will rock.
The beginning of knowledge is understanding how little you actually know.
shodown
Member Posts: 2,271
Last few places I have worked over 90 percent of the workers had laptops for business continuity reasons and telecommute. Even when I worked on a large DOD network the unclass portions were laptops. User awareness is key. Also getting good durable machines.
Currently Reading
CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
steve_f
Member Posts: 97 ■■□□□□□□□□
In a large company, health and safety guidelines will mean you have to provide docking stations to all laptop users.
Laptops can have their wifi disabled and their proxy server details locked down so users can't surf the net except when connected to the corporate VPN.
It also makes it easier for people to take data out of the company, and to bring undesirable data in. Port locking/encrypting may be required.
Plantwiz
Mod Posts: 5,057 Mod
And not picking on you...just adding to the conversation as you were merely inquiring about this matter.
The one point that bugs me is this one:
(and not because of you, just commenting on the neutral listing)
> veritas_libertas wrote: »
> Benefits
> - Users can work from home when it becomes necessary.
Why do folks feel they NEED a notebook to work from home? I've not met someone who 'works' from home who doesn't have one or two workstations at home already that could be used (one's usually for the 'kids', but that leaves the 2nd unit).
Or is there a trend of folks not buying items for home use and only using company purchased items (phones, notebooks, etc..) for leisure time use too??
And like veritas_libertas, I'm not looking for a direct reason, but desiring to learn if/how others' experiences are with this sort of company product usage?
**note: sometimes it is a 'perk' to be permitted to use phones or notebooks on personal time so long as you are not exceeding limits and such.**
Plantwiz
_____
"Grammar and spelling aren't everything, but this is a forum, not a chat room. You have plenty of time to spell out the word "you", and look just a little bit smarter." by Phaideaux
***I'll add you can Capitalize the word 'I' to show a little respect for yourself too.
'i' before 'e' except after 'c'.... weird?
veritas_libertas
Member Posts: 5,746 ■■■■■■■■■■
> Why do folks feel they NEED a notebook to work from home? I've not met someone who 'works' from home who doesn't have one or two workstations at home already that could be used (one's usually for the 'kids', but that leaves the 2nd unit).
> Or is there a trend of folks not buying items for home use and only using company purchased items (phones, notebooks, etc..) for leisure time use too??
> And like veritas_libertas, I'm not looking for a direct reason, but desiring to learn if/how others' experiences are with this sort of company product usage?
I think the major reason is that laptops have to be encrypted, "whole drive" encrypted. We want to control how the computers that store the information are used.
forkvoid
Member Posts: 317
> And not picking on you...just adding to the conversation as you were merely inquiring about this matter.
> The one point that bugs me is this one:
> (and not because of you, just commenting on the neutral listing)
> > veritas_libertas wrote: »
> > Benefits
> > - Users can work from home when it becomes necessary.
> Why do folks feel they NEED a notebook to work from home? I've not met someone who 'works' from home who doesn't have one or two workstations at home already that could be used (one's usually for the 'kids', but that leaves the 2nd unit).
> Or is there a trend of folks not buying items for home use and only using company purchased items (phones, notebooks, etc..) for leisure time use too??
> And like veritas_libertas, I'm not looking for a direct reason, but desiring to learn if/how others' experiences are with this sort of company product usage?
> **note: sometimes it is a 'perk' to be permitted to use phones or notebooks on personal time so long as you are not exceeding limits and such.**
I've noticed this as well. Many of my clients are buying laptops for their staff so "they can work from home". But then I have to go to their houses to get them connected to their own wireless... and lo and behold, there sits a brand new desktop in their home office.
apena7
Member Posts: 351
> Why do folks feel they NEED a notebook to work from home? I've not met someone who 'works' from home who doesn't have one or two workstations at home already that could be used (one's usually for the 'kids', but that leaves the 2nd unit).
Because personal desktops and laptops are outside the scope of the duties performed by a typical IT support department. Companies find it easier to issue laptops to employees rather than have them use their own personal systems. I think the reason for this is that company-issued laptops are usually locked down and you can't install your preferred Internet browser, anti-virus, or CoD game. By limiting which applications are installed, it's MUCH easier and faster for the IT folks to troubleshoot software issues that arise. Besides, what happens when you're troubleshooting someone's personal laptop and the hard drive conveniently dies? Is the company going to replace a hard drive for someone's personal laptop out-of-pocket? Veritas made another good point about whole disk encryption. It's pretty much standard practice if workstations are going to be used outside the walls of the office.
So that's my theory - standardization and liability.
Usus magister est optimus
forkvoid
Member Posts: 317
> Because personal desktops and laptops are outside the scope of the duties performed by a typical IT support department. Companies find it easier to issue laptops to employees rather than have them use their own personal systems. I think the reason for this is that company-issued laptops are usually locked down and you can't install your preferred Internet browser, anti-virus, or CoD game. By limiting which applications are installed, it's MUCH easier and faster for the IT folks to troubleshoot software issues that arise. Besides, what happens when you're troubleshooting someone's personal laptop and the hard drive conveniently dies? Is the company going to replace a hard drive for someone's personal laptop out-of-pocket? Veritas made another good point about whole disk encryption. It's pretty much standard practice if workstations are going to be used outside the walls of the office.
> So that's my theory - standardization and liability.
VPN and Citrix/Terminal Services pretty much solves it. All work is done on company servers. If you can't connect to the VPN or launch Citrix/RDP, you find yourself a tech outside of the company.
Plantwiz
Mod Posts: 5,057 Mod
> veritas_libertas wrote: »
> I think the major reason is that laptops have to be encrypted, "whole drive" encrypted. We want to control how the computers that store the information are used.
Ok I buy that, but if users are merely hitting the work server through the portal? Everything they 'need' is on the server.
And apena7 makes a good comment about HDD failure.
I'm thinking with trends leaning toward cloud computing...who will be owning 'what' in the near future?
Last year, I read a report in June (maybe May) that Desktops and Notebooks were dying out. Netbooks or other Portable Digital devices will replace all this bulk.
And aside from the problems with screen size...I could get onboard with the thought that maybe, dual/trio screens will go away and/or maybe we'll dock our even smaller phones into what will be our 'workstations'
I think we are a ways out from all this becoming 'mainstream' but I think we'll see more turn away from desktops to replace with portable devices that can dock.
So, maybe down the road, HDD failure will be moot. Everything you need that is 'custom' will be in the clouds. We'll go back to our Terminal days (minus the monochrome CRT) and back to a boot device/disk (maybe USB key rather than a FDD)??
But I have more to think about now....
that HDD dying and who is responsible...(my money is on the end-user not the company) but it poses an interesting question
dynamik
Banned Posts: 12,312 ■■■■■■■■■□
> VPN and Citrix/Terminal Services pretty much solves it. All work is done on company servers. If you can't connect to the VPN or launch Citrix/RDP, you find yourself a tech outside of the company.
I'm going to say Apena7 is dead on and strongly disagree with that statement. I would only allow company equipment to establish any sort of connection back to the organization.
A VPN connection puts that machine on the corporate network. Do you think home users are as diligent about updates, anti-x, software installation, etc. as the organization? Even if you segregate them off, only allow minimum access, and throw an IPS inline, you're still giving a potentially dangerous machine access to some services.
What about Citrix/TS/etc.? Their machine isn't on the network in that scenario. If someone's machine is compromised, an attacker could be watching the user's every movement, key logging, and so on.
What about physical security? Do you think it's easier to steal a device from a home or a corporation? Has the home user been cautious and encrypted the disk like the organization should? Does the computer lock after a period of inactivity? That's easy with GPOs. What happens if they just wander off for an hour at a library, coffee shop, etc.? It takes a matter of seconds to compromise a machine with a U3 USB drive.
forkvoid
Member Posts: 317
> I'm going to say Apena7 is dead on and strongly disagree with that statement. I would only allow company equipment to establish any sort of connection back to the organization.
> A VPN connection puts that machine on the corporate network. Do you think home users are as diligent about updates, anti-x, software installation, etc. as the organization? Even if you segregate them off, only allow minimum access, and throw an IPS inline, you're still giving a potentially dangerous machine access to some services.
> What about Citrix/TS/etc.? Their machine isn't on the network in that scenario. If someone's machine is compromised, an attacker could be watching the user's every movement, key logging, and so on.
> What about physical security? Do you think it's easier to steal a device from a home or a corporation? Has the home user been cautious and encrypted the disk like the organization should? Does the computer lock after a period of inactivity? That's easy with GPOs. What happens if they just wander off for an hour at a library, coffee shop, etc.? It takes a matter of seconds to compromise a machine with a U3 USB drive.
You make very good points. It seems I did not think my scenario through entirely. I stand (very much) corrected.
dynamik
Banned Posts: 12,312 ■■■■■■■■■□
> You make very good points. It seems I did not think my scenario through entirely. I stand (very much) corrected.
No worries, I wasn't trying to rag on you or anything. As always, it comes down to risk. If it's an extremely small organization that doesn't work with any sensitive data, maybe Log-me-in would be sufficient for remote access. With larger organizations and/or organizations that work with sensitive information, having just a single user do something stupid/careless could have detrimental consequences.
veritas_libertas
Member Posts: 5,746 ■■■■■■■■■■
> What about physical security? Do you think it's easier to steal a device from a home or a corporation? Has the home user been cautious and encrypted the disk like the organization should? Does the computer lock after a period of inactivity? That's easy with GPOs. What happens if they just wander off for an hour at a library, coffee shop, etc.? It takes a matter of seconds to compromise a machine with a U3 USB drive.
Agreed, this is why we will be moving over to full encryption for all devices both internal (HDD) and external (USB devices). Government regulations more than corporate concerns have driven this move. The cool part is that a coworker and I are the points of contact for Whole-Drive Encryption. I also got to head up the latest upgrade and create the policies for the software. I never thought that I would get this kind of security experience in a Desktop Support role.
dynamik
Banned Posts: 12,312 ■■■■■■■■■□
What are you using for encryption on that many laptops? Pointsec or PGP?
veritas_libertas
Member Posts: 5,746 ■■■■■■■■■■
> What are you using for encryption on that many laptops? Pointsec or PGP?
Pointsec, now called Checkpoint Endpoint Encryption. Yikes, tongue twister...
dynamik
Banned Posts: 12,312 ■■■■■■■■■□
> veritas_libertas wrote: »
> Pointsec, now called Checkpoint Endpoint Encryption. Yikes, tongue twister...
Awesome, I was going to slap you if you said Truecrypt*.
How do you like it?
*I love TrueCrypt and use it personally, but you run into manageability issues when working with a large number of devices.
veritas_libertas
Member Posts: 5,746 ■■■■■■■■■■
> Awesome, I was going to slap you if you said Truecrypt*.
> How do you like it?
> *I love TrueCrypt and use it personally, but you run into manageability issues when working with a large number of devices.
LOL, yeah you can't exactly centrally manage TrueCrypt.
Since we got the new version I like it. The old version could be flaky, and would corrupt the SYSTEM file at times. The new version works good and since we are using it with the Integrated Windows feature we don't have to worry about SSO (Single Sign-On) problems.
The only other problem we will be having is with the 7.4 and our new Core i5 laptops that don't play well with Endpoint 7.4. While testing it we found out that there is a 30 second delay between the Endpoint boot-up and the Windows boot-up. We have been forced to downgrade to Endpoint 6.3 until a patch is made for it this month.
Bl8ckr0uter
Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
I am going to roll out McAfee's disk encryption product later this year.
http://www.mcafee.com/us/enterprise/products/data_protection/data_encryption/endpoint_encryption.html
zerglings
Member Posts: 295 ■■■□□□□□□□
McAfee bought SafeBoot. That's what we use for our laptops.
:study: Life+
Pash
Member Posts: 1,600 ■■■■■□□□□□
> McAfee bought SafeBoot. That's what we use for our laptops.
Same here.
This is the problem with laptop-only environments though. I used to have a nightmare rolling out packages that required a reboot midway through to laptops in the environments. You can't just flag pre-boot authentication off when you are rolling out apps, which always seemed inconvenient to me.
Cheers,
Pash
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.