Ask HN: How do you deal with unsavory software your work requires you install?

6 points by tbolt 10 months ago

If you are like me and have to install gross “enterprise” software, do you install it on personal machines? If not, how do you keep it isolated?

I imagine the common answer is a physical “work-provided” laptop but I’m curious, does anyone run VMs or another solution?

Edit: what I’m interested in trying is finding a good way to run a macOS VM on an Apple Silicon Mac that doesn’t suffer much performance hit. Open to suggestions, thanks

ryan_lane 10 months ago

You should never use your personal laptop for work. There are lots of reasons:

1. If your company is sued, and your work is involved in the lawsuit, they can take your laptop for an indeterminate amount of time, and everything on your laptop can be included in evidence.

2. Depending on the country you live in (and this is most countries), you may have no expectation of privacy on the laptop used for work. The software they're installing may (and probably does) have full privileges, and can remotely access your data and running apps.

3. Depending on the country you live in (and this is most countries), any work you do on that laptop may belong to your company, even if done outside of working hours, because your laptop is being used as a work laptop.

4. You don't want to be the weak link in your company's security. Work laptops tend to be more locked down, have fewer, more thoroughly vetted applications, and your company is ideally also ensuring the applications (and OS) you're running are patched. If you're owned through a non-work-related application, and that is used to escalate privileges into the company, who's liable here? You never want that to be a question.

5. Companies tend to disallow employees from bringing company devices into certain countries. This would also mean you can't bring your own laptop to those countries either.

6. What happens to the company data when you stop working for them? Will they remote wipe your laptop?

odysseus_ithaca 10 months ago

Never install software required for your company/university onto your personal device. Not even with a VM or an OS running off an external drive. Source: former university system administrator.

  • Zetobal 10 months ago

    Because of what exactly?

    • odysseus_ithaca 10 months ago

      Due to NDAs I signed, I cannot explain much about how it works, but if someone installed such software onto their personal device then zero privacy is pretty much expected. A person well-versed in IT admin can block and limit the external access to the device, but the corporation or university will know and flag you for non-compliance.

mindcrash 10 months ago

Never, ever install any business software (except software with a license for personal use like M365) or store any private business content on any personal device, ever.

If you want to know why, check the paperwork you had to sign for the job. I can 100% guarantee that you will find some legalese on IT, security and liability somewhere. In other words: If something goes terribly wrong you could be fired on the spot.

NoZebra120vClip 10 months ago

I've been through 3 machines with my current employer. Ubuntu, Windows, and ChromeOS.

While there has not been much "gross software" to maintain locally, I am in the business of testing untrusted code. At first, VM environments were provided to accommodate this. That became increasingly impractical and inaccessible.

In each of the OSes I've used, I've created a separate user account exclusively for work. I used to log into Slack on my personal account, so I could watch it 24/7; that's no longer necessary, and so work and personal are partitioned chiefly by the user account I'm logged into.

The Chromebook is my newest system and provides the best isolation. Untrusted Linux code can be tested in the VM provided, because what else will I do in there?

I currently have two pain points in ChromeOS: no way to test Windows PowerShell, and my password manager's database is read-only, but the latter is a personal choice of software. It's nothing that will get support from my employer or a fix from Google.

I don't know what you consider gross, but I'm sorry that work is like that sometimes.

082349872349872 10 months ago

I even recommend keeping separate personal and work phones, let alone real boxes. It's not like hardware costs anything these days, anyway.

chunk_waffle 10 months ago

I used to run a Windows VM on my (work provided) MacBook Pro, because the only way to change our AD passwords was through a domain-joined Windows machine. My team had permission to purchase Macs but the rest of the org used Windows. I also used a separate Windows VM for customer VPNs; I had snapshots with specific installs I would roll back to for any specific customer's VPN, as there was more than once I couldn't install the differing versions of Cisco or something (can't recall the specifics).

I'm not sure how to accomplish this on Macs with the ARM chips now though.

khedoros1 10 months ago

> do you install it on personal machines?

Why would I? Those are my machines, and don't have anything to do with my employer or the work I do for them.

> I imagine the common answer is a physical “work-provided” laptop but I’m curious, does anyone run VMs or another solution?

At a couple places, I've had a Windows partition set up for AD password changes/whatever else I ended up needing a Windows machine for, but did most of my work in the Linux install I put in a second partition. I've also just booted a Linux environment in VMware Workstation.

  • fuzzfactor 10 months ago

    If you only have one PC, multibooting or a choice of HDDs, especially external USB3 enclosures, can help a lot to keep things separate and/or isolated.

    • khedoros1 9 months ago

      I have several PCs, my personal machines. Those never have anything to do with work.

      Employers have always provided their own hardware, which in turn never has anything to do with my personal uses.

      Sharing hardware muddles that. It's not like my employer's going to pay for upkeep of my personal hardware, or accept when I take my hardware down for maintenance due to something I did on my own time.

      Then again, I've never worked for a startup, or a company that I held any significant equity in. I suppose that the calculus would change in that case.