Users having the freedom to fully use their computers even in an Enterprise

I’ve been thinking long and hard about this topic. Long ago, when I began working in corporate IT, I was taught that users can’t be trusted. They can’t possibly know what is good for their computer, and we must approve everything they do. We must basically suck all the fun out of the thing they use for perhaps 90% of their day. It used to make sense to me because I was always mostly a Windows guy at work, while at home I was mostly a Mac and Linux guy. Where I always would get bent out of shape was when we would take Windows shortcomings and imagine the Macs had the same shortcoming. I’ll explain what I mean. Some of our users need admin rights on their machines. Because Windows, prior to UAC in Vista, was completely unsafe to run as an admin, we made folks create a secondary account for admin tasks on their machine. Somehow on the Macs the same rule was in place, even though OS X effectively had a better version of UAC before UAC even existed.

So now that UAC is in the picture, IT still doesn’t want users to be admins. Now it’s because users might break something, and how would IT support them? I think it’s worth saying that there are several types of users, even if most IT departments refuse to acknowledge this. There are users who don’t want to mess with their machine; they just want to do their job. There are users who love to install things related to their jobs. There are users who would want to use their work machines for personal stuff. Most other users fall somewhere among those categories. So what’s the fear? The fear is that they will do something that makes the machine not work and IT will have to step in. I welcome other suggestions about why users can’t be admins.

If we automate the rebuilding of a workstation, have an enterprise backup solution like CrashPlan, and put in place systems like Bit9 Parity for reputation-based execution control, then what’s there to be afraid of? I have been looking a lot at the processes at places I do work. I started making a tool for users to repair many issues themselves, called CPRs. It’s meant to be loaded into a system like Absolute Manage, where you would ideally manage your computer systems. Just because users should have the freedom to use their computer as they need doesn’t mean we shouldn’t use tools like AbMan to manage them and provide the core tools the users need. For the computer itself, I’ve been working on moving my image creation model to a “thin image”, where you would take a computer and simply install a single package; it would then join our management system and start configuring the machine. That step alone will greatly simplify issuing a new computer to a user.

My next steps will be to handle what a user does when their machine is broken. Where I am looking to instill change, there is no backup strategy at all. This creates a massive problem and causes IT to constantly be involved in replacing or re-imaging machines. Having a backup strategy is really important, IMHO. Even if you don’t want a full system backup like CrashPlan, at least get something like for Enterprise so your users put the “important” stuff there. Once you know you don’t have to worry about a user’s local data, the options for self-help open way up. On a new Mac, for instance, they could boot to recovery mode and let the OS reinstall. If needed, IT could step them through it, but in a perfect world every user has access to some sort of help portal via their iPad. I’m a strong believer in issuing an iPad to every user with an employee handbook on it. Isn’t the iPad the perfect example of what I’m talking about here? A user can get an iPad, enroll it in an MDM solution, and have their employee handbook pushed to them. If the iPad crashes, they can ultimately wipe it and re-enroll it in MDM. You really shouldn’t need IT as long as the user has been issued a username and password and you have a self-enrollment portal.

So I know this may be a bit of a rant, but I’m determined to make a Mac or PC just as deployable, with as little IT involvement, as an iPad. Hope that doesn’t sound crazy. It’s my goal, and even if I never get there on both platforms, it’ll still mean a reduced IT workload as I implement these ideas, even in part.