
Ask HN: Is 'company laptop only' a common (remote) policy? - xcq1
The mid-sized company I currently work at is implementing a new security policy. Background: The current infra setup requires all developers to connect to internal systems in order to be able to do any work.

Right now the majority of employees have a desktop workstation, and for the occasional working from home you were allowed to connect to the internal network from private devices via company VPN (if you satisfied some additional constraints). The new policy requires absolutely everyone to get a company-provided laptop, which is the only device you're allowed to use VPN on to work from home.

In discussions about security vs usability, one of the killer arguments of the proponents has always been that "every major (software development) company does it this way".

Does anyone have any experience as to whether this is true? How is occasional working from home/company VPN handled for devs/engineers at your place?
======
shoo
personally i quite like to be able to firewall off work from the rest of my
life, having separate computers for work and for personal use is one way that
can help achieve that. easy way to avoid accidentally checking work comms when
you're not being paid to work -- don't use the work machine at all. but i
understand not everyone feels the same way. i like to be able to use my own
choice of peripherals (keyboard, mouse, screen, headphones/speakers) but i
don't particularly care about using a work machine.

what's far more irritating than a work machine is work-related corporate
crapware on the work machine. e.g. mandatory antivirus that bogs down disk io,
security policy settings that restrict your ability to install software, etc
etc.

> How is occasional working from home/company VPN handled for devs/engineers
> at your place?

i offer three data points:

* at small young software-oriented business (headcount 10-20): work provided each employee with a laptop they could use to work from home or from the office on, but people could pretty much do whatever they wanted with those machines, or work using other computers if they chose.

* at large new non-software company (headcount ~10,000): working as a contractor, the company let you remote in from your own machine, and started offering BYOD as an option when you were on site, or to use work-provided hardware on site.

* at huge old non-software financial company (headcount ~50,000): thou shalt follow the company IT and company security policies, thou can work from home using company equipment, although the company configures the equipment to make it very difficult to get any software development work done (because security)

~~~
xcq1
Thanks for your input. Speaking for myself, I've always tried to keep
everything separate, though not at such a deep level. Sometimes it can be very
practical to just switch to a VM or fire up a different browser in order to
take a look at something.

Up until now I haven't noticed any restrictive bloatware on company machines,
so that's a plus.

------
gargravarr
Company-provided computers are generally bound by policies that restrict user
powers (least-privileged access) and install updates soon after release. I
don't know about you, but I often neglect system updates on my personal
laptops. Whilst I'm also very careful with what I have on my personal laptops,
I would still rather not connect them to the company network.

BYOD is popular but has some caveats - as the company grows, you wind up
needing to secure ways company data can leak. It becomes necessary to plan for
losses. Our computers are all encrypted and are not allowed offsite if they
aren't. We also have remote-wipe capabilities, which is something a typical
user isn't going to let the company install on their personal device.

We mostly allocate users laptops; a few have desktops, and most of those
employees also have laptops to take home. We have allowed BYOD in the past but
are now very firm on what we permit. Most users are happy to have company-
supplied equipment, and I think the separation of work and personal is
beneficial to most people. I like having work only on my work laptop. I only
allow VPN access on a computer-by-computer basis. Admittedly we're a cloud
company, so for most purposes all we need is an internet connection. The VPN
gets used mostly by me to work from home, by employees who need their more
powerful desktops or for me to do tech support remotely. It's not covered by
an SLA but it works well for my purposes.

Sure, a lot of companies trot out the 'everyone does it this way' excuse, but
there's actually a good reason for this - it works.

~~~
xcq1
Thanks for your helpful insight.

Since everyone agrees on this point I now absolutely consider that a fair
argument. I just don't want to believe without a little research first. In
fact I think I learned more than I expected from everyone's responses.

~~~
gargravarr
That's what we're here for, glad I could help!

------
smt88
Yes, it's common. It's more common at more mature companies handling very
sensitive data.

Considering the power of laptops these days, I don't understand what you're
losing in usability.

Either way, it's a good policy, and your users are better off for it.

~~~
xcq1
I don't question the security benefit. I think you're absolutely right that
the users always come first. The production system and its data were never
running inside the company network and are protected additionally.

I feel it'll be a loss of usability since they want to have a one-size-fits-
all laptop. The model I've seen is noisy and a bit heavy. Suddenly having to
carry one every single day irks me a bit. Having to (un)plug monitors and
peripherals at home is going to be additional effort (but explicitly allowed).
Not saying it's not worth it (and somewhat complaining on a high level), but
it is a loss of comfort.

~~~
smt88
A few suggestions that might help:

1) Get docks for home and work, so it's just one step to connect peripherals.
It's actually a lot more convenient than having separate machines for work and
home.

2) Find out if you can use a virtual desktop setup, where everything is
running on your work machine, but you can use RDP to control it. A competent
IT dept should be able to set that up in a way that's not less secure.

3) If you're in the US, your company can't force you to carry a heavy laptop
if you have any issues with strength or mobility. If you want to exploit this,
you can ask your doctor for a note saying that you shouldn't carry a laptop
to/from work. This is actually probably true for the many people who have
issues with back pain.

~~~
xcq1
1) Thanks, docks at work are provided, but I'll check whether they will also
provide one for working at home.

2) This is more or less the way it's already done. The plan now is to
_replace_ every desktop PC with _only one laptop_ per employee company-wide.
Which is why I was asking if this is such a common practice, especially since
the company tries hard to come off as modern and hip in other regards.

3) Very good point, I'll look into that. I'm not in the US, but similar
regulations probably apply here.

~~~
smt88
For the RDP solution, can't you just log in from a home computer?

To be clear, I'm not just talking about logging into a VPN. I'm talking about
streaming the display output from a work machine. No programs or data from
your work machine would be running at home.

~~~
xcq1
Yes, that is precisely what I do right now. But I need to log into the VPN
since the RDP server is only available inside the company network and not in
the public internet. Unless you're talking about in my home wifi to avoid the
dock.

------
codingdave
I've been remote for a long time, and this is completely normal. Not
universal, but normal enough that I wouldn't complain about it.

I even strive to keep it more separate than that. I have both my work and
personal laptop KVMed to the same monitor/mouse/keyboard, and I'll switch over
to the personal one for most general web browsing. I use Slack to send
links/files to myself if there really is a need to share something between the
two, because of course we aren't allowed to put USB drives in the work system
either.

It feels extreme when you start working this way, but you get used to it, and
I've even grown to appreciate the complete wall between work and home.

~~~
xcq1
Do you mean 100% remote or only occasionally?

If it's the former, I'd understand, if it's the latter that sounds like a lot
of additional effort.

~~~
codingdave
100% remote. And I agree, my setup would be a huge pain for occasional stints
at home.

------
Trias11
I have a friend who ZeroTier-ed over corp VPN (read: bypassed it completely) and
installed the necessary VPN accessing local thingies on his personal laptop.

The reason being (in his own words) - "it takes too much time and hassles to
sign up to Corp VPN BS. And then it logs you off, timeouts, enforces stupid
policies, etc...". His ZeroTier setup is more reliable and I suspect as secure
as his startup VPN.

He faces (and realizes) the potential risk of: "How come you were signed up to
our Corp network when our VPN provider was down?????".

No one (at his startup) knows about what he does and the reason is - he does
lots of moonlighting and it's very convenient for him to:

1. Use a single machine for work and off-work activities.

2. To protect himself against the potential of his Corp to claim rights to his
own projects.

He is a vigilante-type of guy, in other words "don't tell me what i cannot do".

That said his corp and his corp's customers are super happy with his work and
support.

------
x38iq84n
Yes, it's very common to only allow corporate laptops provisioned with a
standard image, certificates etc. If you need to remote in then you must have
a corporate laptop.

From a security standpoint it is risky and amateurish to allow VPN from an
unknown device under someone else's management.

~~~
xcq1
They weren't entirely unmanaged devices as they had to fulfill additional
criteria.

------
Spooky23
It's a no-brainer decision from a security point of view.

The only exception that I would consider would be allowing for remote virtual
desktop or virtual app access. Even that has risks that need to be
considered.

Remember that with BYO, unless you're providing stipends for employees to buy
equipment with strings attached, you're not dealing with just your employee --
you're potentially thinking about the employee's extended circle of
associates. The employee's kid, parent, drunk roommate, etc. all have access.

~~~
xcq1
The VPN access works over remote desktop. Should've probably made that clearer
from the start.

I don't know if this is specific to here, but you'd have to toggle the VPN
explicitly on and off and with another password, separate from your user
account. Along with the usual drill to have another password to access the
machine and lock it when you're away. I agree it ultimately comes down to
trust however.

------
cwt
The only time I've used my personal computer for remote work was when it was
freelance/independent contractor work. The companies I've worked remote for
have all provided a computer for remote work. The main reason is usually
information security. The companies need to know that sensitive data is not
being stored on my personal computer - I shouldn't have access to it if I'm
not working for them.

------
sethammons
We have a company-provided Mac and connect over VPN, and have Duo for two-factor
for everything. We are able to install anything we want/need, but there
is some monitoring software that reports on what we have running. You can get
a call from security, "why are you running x?" But as developers, they know we
are going to install a myriad of things.

------
bristleworm
I think it's a very common policy. Company deployed hardware is the only way
to ensure security and control the software installed on the machines.

------
JSeymourATL
Company Risk/Liability trumps usability.

If we need to nuke your machine from space, it's much easier if it's corporate
property.

> https://www.cfodailynews.com/how-a-single-stolen-laptop-cost-this-firm-2-5m-are-you-at-risk/

------
HelloNurse
The new policy is normal, the old one is insane.

Expecting you to work on a personal device is irresponsible, not only beyond
cheap.

~~~
xcq1
I should clarify, it was not expected, it was a possibility. If you wanted to
get a laptop instead, this was no problem. Several colleagues already have
some, although in varying quality.

------
nullwasamistake
It's normal. I get email on other devices but we're expected to use company
hardware for real "work".

I wouldn't put company stuff on my own PC even if they demanded it. Corporate
laptops are usually filled with official spyware.

------
anbop
Company hardware only is a very common policy at all companies larger than
very tiny.

