Applications; Portable vs. Installed
-
@jmoore said in Applications; Portable vs. Installed:
dropbox etc.. - we have strict regulations and can get in lots of trouble if financial or documents with personal information pass to others in this unsecured way. At least the government tells us this is not secure enough for them and the school has to abide by these rules for funding.
Sure, but they don't need a Dropbox app to do that. If users are going to steal data, you need to fire the thieves when they get caught, and use what security restrictions you can to limit the egress of data. The dropbox app is neither here nor there in this picture because they can just upload through any tool that already exists to the same place.
Again, the portable app here is a red herring. Anything a user can do with a portable app that they download, they can do without it. The functionality of uploading to Dropbox is an issue, the Dropbox app is not. Just like how restricting installation wasn't actually addressing any real issue, this isn't either. For the security here, we'd have to focus on the goal, not get distracted by one limited tool someone might use.
-
@scottalanmiller said in Applications; Portable vs. Installed:
because he has demonstrated that he has no concept of how applications work by thinking he was restricting "binary execution" when he was actually restricting installation, which is conceptually a different thing.
I'm sure he knows the difference, I was just explaining it badly which is on me.
-
@jmoore said in Applications; Portable vs. Installed:
email - also another regulation is that we have to have a standardized email platform that everything goes through for proper audits. We can't have users using an unknown client to send/receive that cant be monitored. I was told this a long time ago by our financial aid people, so probably another state regulation.
Once again, this is a network thing, not related to a portable app. The availability of apps has no means of being a factor here. I guarantee that any requirement like this is being violated by the way that this is stated. No audit requirement will be fulfillable by the end point, it's at the server. So someone here is confused about how email works and is thinking that the tool used to display and compose email is where audits can happen. It is not.
-
@jmoore said in Applications; Portable vs. Installed:
rogue apps - a while back we had a user use a "registry cleaner" because computer was running slow. it was actually malware.
Sure, but if you have any modicum of security, malware has extremely little power. It sounds great to restrict potentially malicious apps, but you can't while still having the computer be generally useful. The power of a user to work, is the power of a user to do damage to at least themselves. You have to choose.
You don't need portable apps for this to be a problem. So much so that almost no one has this as an attack vector. This is very much a 2002 approach. It can still work, but because of modern security it's all but useless. That's why MS Office, email, websites and such are the primary attack vectors now.
-
I understand what your saying. I know ultimately its the fault of the users that decide to do this but its just not how it is handled here and I have no control over that. IT management chooses to do it this way and ask me to enforce it as best I can.
-
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
-
@jmoore said in Applications; Portable vs. Installed:
general updates - this kind of goes back to #1 but anyone running portable apps wont get updated and so wont be secure if it goes on for long enough.
Nothing makes portable apps not get updates. You don't control them if the end users is the one using them, but they can certainly get updates. And in a typical firm, they probably get more updates, not fewer. But bottom line, it's not IT's concern because it's not part of the managed platform. And it's not something you control.
All of these concerns go back to my "power and control" statement. All of these valid complaints go to the same baseline... HR issues with end users breaking rules, not doing their jobs, or acting badly. None of it is an IT concern or something that can be solved with technology. Why is IT trying to enforce things HR is allowing? Why is one system admin deciding unilaterally that he's in charge of employee's and their jobs and that HR and their managers are not? And if he feels this way, why has he not addressed limiting the ability to run binaries?
-
@scottalanmiller said in Applications; Portable vs. Installed:
Nothing makes portable apps not get updates. You don't control them if the end users is the one using them, but they can certainly get updates.
Oh I know they can get updates. I am just saying they won't because I put chocolatey in my images and I run updates by my script every day. So that is the concern.
-
@jmoore said in Applications; Portable vs. Installed:
I understand what your saying. I know ultimately its the fault of the users that decide to do this but its just not how it is handled here and I have no control over that. IT management chooses to do it this way and ask me to enforce it as best I can.
No, you have no control. But you do have control over how you look at it and present it or talk about it. It's very, very important that you understand that it's hubris and confusion of an impotent admin who is attempting to flex his muscles (and failing) to try to show employees that he's their "master" and they must bow powerlessly before him, while defying HR and management, while also completely misunderstanding computing and failing to in any way do what he set out to do.
When you don't about it, don't say "you understand" because you shouldn't, his desires clearly don't align with the rules, and his actions show that he didn't understand computing basics. He is acting irrationally, from all signs (and history of how they work there), so it is very, very important that you avoid acting like he's rational or making sense. You need to distance yourself from what is just him being on a illogical power trip and present it as "my system admin isn't very competent and in acting emotionally he does X because he doesn't really understand how things work."
There is a huge gap between accepting when a rule affects you and you must follow it, and presenting a rule as something you agree with and understand.
-
@scottalanmiller said in Applications; Portable vs. Installed:
But bottom line, it's not IT's concern because it's not part of the managed platform. And it's not something you control.
yes this is why it is frustrating lol. I am asked to control it as best I can.
-
@jmoore said in Applications; Portable vs. Installed:
and ask me to enforce it as best I can.
Because they don't know how, presumably
-
@scottalanmiller said in Applications; Portable vs. Installed:
HR issues with end users breaking rules, not doing their jobs, or acting badly.
I agree totally but HR does not deal with them properly, if at all. I have never seen repercussions from someone doing these things. Basically we are paid so bad here , they don't get rid of people unless something truly outrageous happens and that is pretty rare. People almost always leave on their on first. We have a high turnover rate.
-
@scottalanmiller said in Applications; Portable vs. Installed:
Why is IT trying to enforce things HR is allowing? Why is one system admin deciding unilaterally that he's in charge of employee's and their jobs and that HR and their managers are not? And if he feels this way, why has he not addressed limiting the ability to run binaries?
Unfortunately I can't answer any of that.
-
@scottalanmiller said in Applications; Portable vs. Installed:
No, you have no control. But you do have control over how you look at it and present it or talk about it. It's very, very important that you understand that it's hubris and confusion of an impotent admin who is attempting to flex his muscles (and failing) to try to show employees that he's their "master" and they must bow powerlessly before him, while defying HR and management, while also completely misunderstanding computing and failing to in any way do what he set out to do.
I get what your saying and am learning how to properly look at things. That is why these discussions are good!
-
@jmoore said in Applications; Portable vs. Installed:
@gjacobse said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
One thing I found about portable apps is occasionally a smarter user will install these. Yeah, it gets around our permissions in Ad because they do not modify the registry. so I do not like them for that reason. I can't have users installing whatever they want.
Something else you can do to make chocolatey easier to install in multiple places is use an xml file with the apps you want for yourself or for departments. I made one for myself but I really don't use it, however I have one for a few different departments here because they some specific things and its hard to remember the install names on each. So I just carry them around on a flash drive.
I'm curious on how you set this up,.. I know I have just been using a simple batch file once the core is installed.
<?xml version="1.0" encoding="utf-8"?> <packages> <package id="googlechrome" /> <package id="firefoxesr" /> <package id="flashplayerplugin" /> <package id="adobereader" /> <package id="jre8" /> <package id="7zip.install" /> <package id="vlc" /> <package id="powershell" /> <package id="silverlight" /> <package id="quicktime" /> <package id="irfanview" /> <package id="treesizefree" /> <package id="windirstat" /> <package id="crystaldiskinfo" /> </packages> </xml>
this file is called staff.config
Then i just use:choco install d:\packages.config –y
I'll have to give that a try on my next build. neat way to address the install.
-
@scottalanmiller said in Applications; Portable vs. Installed:
There is a huge gap between accepting when a rule affects you and you must follow it, and presenting a rule as something you agree with and understand.
Understood.
-
@jmoore said in Applications; Portable vs. Installed:
I agree totally but HR does not deal with them properly, if at all.
That's incorrect. Whoever HR deals with them is how HR deals with them. What is "proper" is defined by HR. If HR doesn't "deal" with them at all, then the issue does not exist. Full stop. IT has nothing to do with defining what is proper. If HR approved or allows it, then it is IT attempting to undermine HR's decisions and IT that has gone rogue.
If HR wasn't doing what was wanted, then management above them have the duty to step in. They've not, so we have to assume HR is doing what is wanted and that IT alone is now the malicious actor trying to violate company policy.
There is never a connection from "HR did X, so IT has to make up for it by doing Y". As an IT pro, that thought should never enter your head. This is what we call "AJ Syndrome", where someone in IT decided that "the CEO is a fool and I should seize control of the company by force, to protect them from themselves." It's never a good idea.
-
@scottalanmiller said in Applications; Portable vs. Installed:
@jmoore said in Applications; Portable vs. Installed:
and ask me to enforce it as best I can.
Because they don't know how, presumably
Quite possible. I figured out I can use wmic to do this so I made it a script and run it every few weeks.
-
@jmoore said in Applications; Portable vs. Installed:
@scottalanmiller said in Applications; Portable vs. Installed:
Why is IT trying to enforce things HR is allowing? Why is one system admin deciding unilaterally that he's in charge of employee's and their jobs and that HR and their managers are not? And if he feels this way, why has he not addressed limiting the ability to run binaries?
Unfortunately I can't answer any of that.
I can. Because IT is the rogue security risk. Sure, not stealing data. But breaking the rule and going off on their own to try to get control that they were not granted. If any other user did this, IT would demand action against them. Right?
Imagine if any end user sensed IT doing this and starting trying to hack passwords or otherwise gain control of systems to "protect the company from IT"? Sounds bad, right? But that's what IT is doing in reverse.
-
@jmoore said in Applications; Portable vs. Installed:
I have never seen repercussions from someone doing these things. Basically we are paid so bad here , they don't get rid of people unless something truly outrageous happens and that is pretty rare. People almost always leave on their on first. We have a high turnover rate.
Right, so you even have some logic as to why these things are allowed - because it's perceived as part of the compensation package to have this freedom. So if IT is trying to interfere with HR's agreements with payroll and the employee, we've got a serious breach in the IT department.
If this was my company, and IT was attempting to sabotage employee relationships by attempting to seize HR's job and deciding unilaterally that the business wasn't allowed to make decisions and only a system admin in the middle of the IT stack was to run the company, you can bet we'd not look on it well.
From a CEO / owner perspective, this is a huge security risk having a system admin that is willing to act this way, as you can imagine. Put yourself in the CEO's shoes... you task HR with keeping employees happy, and one lone rogue actor in IT decides that he doesn't appreciate the CEO and HR's decisions and takes it on himself to punish employees. OMG!!!