The mid-sized company I currently work at is implementing a new security policy. Background: The current infra setup requires all developers to connect to internal systems in order to be able to do any work.
Right now the majority of employees have a desktop workstation and for the occasional working from home you were allowed to connect to the internal network from private devices via company VPN (if you satisfied some additional constraints). The new policy requires absolutely everyone to get a company-provided laptop which is the only device you're allowed to use VPN on to work from home.
In discussion about security vs usability one of the killer arguments of the proponents always has been that "every major (software development) company does it this way". Does anyone have any experience as to whether this is true? How is occasional working from home/company VPN handled for devs/engineers at your place?
personally i quite like to be able to firewall off work from the rest of my life, having separate computers for work and for personal use is one way that can help achieve that. easy way to avoid accidentally checking work comms when you're not being paid to work -- don't use the work machine at all. but i understand not everyone feels the same way. i like to be able to use my own choice of peripherals (keyboard, mouse, screen, headphones/speakers) but i don't particularly care about using a work machine.
what's far more irritating than a work machine is work-related corporate crapware on the work machine. e.g. mandatory antivirus that bogs down disk io, security policy settings that restrict your ability to install software, etc etc.
> How is occasional working from home/company VPN handled for devs/engineers at your place?
i offer three data points:
* at small young software-oriented business (headcount 10-20): work provided each employee with a laptop they could use to work from home or from the office on, but people could pretty much do whatever they wanted with those machines, or work using other computers if they chose.
* at large new non-software company (headcount ~10,000): working as a contractor, the company let you remote in from your own machine, and started offering BYOD as an option when you were on site, or to use work-provided hardware on site.
* at huge old non-software financial company (headcount ~50,000): thou shalt follow the company IT and company security policies, thou can work from home using company equipment, although the company configures the equipment to make it very difficult to get any software development work done (because security)
Thanks for your input. Speaking for myself, I've always tried to keep everything separate, though not to such a deep level. Sometimes it can be very practical to just switch to a VM or fire up a different browser in order to take a look at something.
Up until now I haven't noticed any restrictive bloatware on company machines, so that's a plus.
Company-provided computers are generally bound by policies that restrict user powers (least-privileged access) and install updates soon after release. I don't know about you, but I often neglect system updates on my personal laptops. Whilst I'm also very careful with what I have on my personal laptops, I would still rather not connect them to the company network.
BYOD is popular but has some caveats - as the company grows, you wind up needing to secure ways company data can leak. It becomes necessary to plan for losses. Our computers are all encrypted and are not allowed offsite if they aren't. We also have remote-wipe capabilities, which is something a typical user isn't going to let the company install on their personal device.
We mostly allocate users laptops; a few have desktops, and most of those employees also have laptops to take home. We have allowed BYOD in the past but are now very firm on what we permit. Most users are happy to have company-supplied equipment, and I think the separation of work and personal is beneficial to most people. I like having work only on my work laptop. I only allow VPN access on a computer-by-computer basis. Admittedly we're a cloud company, so for most purposes all we need is an internet connection. The VPN gets used mostly by me to work from home, by employees who need their more powerful desktops or for me to do tech support remotely. It's not covered by an SLA but it works well for my purposes.
Sure, a lot of companies trot out the 'everyone does it this way' excuse, but there's actually a good reason for this - it works.
Thanks for your helpful insight.
Since everyone agrees on this point I now absolutely consider that a fair argument. I just don't want to believe without a little research first. In fact I think I learned more than I expected from everyone's responses.
That's what we're here for, glad I could help!
Yes, it's common. It's more common at more mature companies handling very sensitive data.
Considering the power of laptops these days, I don't understand what you're losing in usability.
Either way, it's a good policy, and your users are better off for it.
I don't question the security benefit. I think you're absolutely right that the users always come first. The production system and its data were never running inside the company network and are protected additionally.
I feel it'll be a loss of usability since they want to have a one-size-fits-all laptop. The model I've seen is noisy and a bit heavy. Suddenly having to carry one every single day irks me a bit. Having to (un)plug monitors and peripherals at home is going to be additional effort (but explicitly allowed). Not saying it's not worth it (and somewhat complaining on a high level), but it is a loss of comfort.
A few suggestions that might help:
1) Get docks for home and work, so it's just one step to connect peripherals. It's actually a lot more convenient than having separate machines for work and home.
2) Find out if you can use a virtual desktop setup, where everything is running on your work machine, but you can use RDP to control it. A competent IT dept should be able to set that up in a way that's not less secure.
3) If you're in the US, your company can't force you to carry a heavy laptop if you have any issues with strength or mobility. If you want to exploit this, you can ask your doctor for a note saying that you shouldn't carry a laptop to/from work. This is actually probably true for the many people who have issues with back pain.
1) Thanks, docks at work are provided, but I'll check whether they will also provide one for working at home.
2) This is more or less the way it's already done. The plan now is to replace every desktop PC with only one laptop per employee company-wide. Which is why I was asking if this is such a common practice, especially since the company tries hard to come off as modern and hip in other regards.
3) Very good point, I'll look into that. I'm not in the US, but similar regulations probably apply here.
For the RDP solution, can't you just log in from a home computer?
To be clear, I'm not just talking about logging into a VPN. I'm talking about streaming the display output from a work machine. No programs or data from your work machine would be running at home.
Yes, that is precisely what I do right now. But I need to log into the VPN since the RDP server is only available inside the company network and not in the public internet. Unless you're talking about in my home wifi to avoid the dock.
I've been remote for a long time, and this is completely normal. Not universal, but normal enough that I wouldn't complain about it.
I even strive to keep it more separate than that. I have both my work and personal laptop KVMed to the same monitor/mouse/keyboard, and I'll switch over to the personal one for most general web browsing. I use Slack to send links/files to myself if there really is a need to share something between the two, because of course we aren't allowed to put USB drives in the work system either.
It feels extreme when you start working this way, but you get used to it, and I've even grown to appreciate the complete wall between work and home.
Do you mean 100% remote or only occasionally?
If it's the former, I'd understand, if it's the latter that sounds like a lot of additional effort.
100% remote. And I agree, my setup would be a huge pain for occasional stints at home.
Do you have any particular KVM switch recommendations?
I have a friend who ZeroTier-ed over corp VPN (read: bypassed it completely) and installed the necessary VPN-accessing local thingies on his personal laptop.
The reason being (in his own words) - "it takes too much time and hassle to sign up to Corp VPN BS. And then it logs you off, timeouts, enforces stupid policies, etc...". His ZeroTier setup is more reliable and I suspect as secure as his startup VPN.
He faces (and realizes) the potential risk of: "How come you were signed in to our Corp network when our VPN provider was down?????".
No one (at his startup) knows about what he does and the reason is - he does lots of moonlighting and it's very convenient for him to:
1. Use single machine for work and off-work activities.
2. To protect himself against the potential for his Corp to claim rights to his own projects.
He is a vigilante type of guy, in other words "don't tell me what i cannot do".
That said his corp and his corp's customers are super happy with his work and support.
Yes, it's very common to only allow corporate laptops provisioned with a standard image, certificates etc. If you need to remote in then you must have a corporate laptop.
From a security standpoint it is risky and amateurish to allow VPN from an unknown device under someone else's management.
They weren't entirely unmanaged devices as they had to fulfill additional criteria.
It's a no-brainer decision from a security point of view.
The only exception that I would consider would be allowing for remote virtual desktop or virtual app access. Even that has risks that need to be considered.
Remember that with BYO, unless you're providing stipends for employees to buy equipment with strings attached, you're not dealing with just your employee -- you're potentially thinking about the employee's extended circle of associates. The employee's kid, parent, drunk roommate, etc. all have access.
The VPN access works over remote desktop. Should've probably made that clearer from the start.
I don't know if this is specific to here, but you'd have to toggle the VPN explicitly on and off and with another password, separate from your user account. Along with the usual drill to have another password to access the machine and lock it when you're away. I agree it ultimately comes down to trust however.
The only time I've used my personal computer for remote work was when it was freelance/independent contractor work. The companies I've worked remote for have all provided a computer for remote work. The main reason is usually information security. The companies need to know that sensitive data is not being stored on my personal computer - I shouldn't have access to it if I'm not working for them.
We have a company provided Mac and connect over VPN and have duo for two factor for everything. We are able to install anything we want/need, but there is some monitoring software that reports on what we have running. You can get a call from security, "why are you running x?" But as developers, they know we are going to install a myriad of things.
Company Risk/Liability trumps usability.
If we need to nuke your machine from space, it's much easier if it's corporate property.
I think it's a very common policy. Company deployed hardware is the only way to ensure security and control the software installed on the machines.
The new policy is normal, the old one is insane.
Expecting you to work on a personal device is not only beyond cheap, it's irresponsible.
I should clarify, it was not expected, it was a possibility. If you wanted to get a laptop instead, this was no problem. Several colleagues already have some, although in varying quality.
It's normal. I get email on other devices but we're expected to use company hardware for real "work".
I wouldn't put company stuff on my own PC even if they demanded it. Corporate laptops are usually filled with official spyware.
Company hardware only is a very common policy at all companies larger than very tiny.