Fog Creek Software
Discussion Board




Allowing developers to control their machines?

The office I'm working in has desktops locked down pretty hard - they monitor installed software and report to your manager if you install "unapproved" software. IE's options are unavailable (can't set "reuse existing window" or turn on form autocomplete), and even the desktop color scheme is locked.

While I can guess at the *opinions* about this, can anyone cite articles that I can use in an attempt to get this practice stopped? IMHO, if you're trusting me to write your core business software, you can trust me to manage my own desktop.

Philo

Philo
Wednesday, March 19, 2003

Install VMWare & control your own OS - assuming the box is beefy enough.


Wednesday, March 19, 2003

Locking down a box like that would cause me to look for a new job.

Developers need to be able to run as admin occasionally, depending on the type of software you're developing. However, I do agree with the mantra that developers should run their daily tasks -- including development, testing, and debugging -- as a non-privileged user.

Brad (dotnetguy.techieswithcats.com)
Wednesday, March 19, 2003

That's par for the course in very hierarchical organizations...

Nat Ersoz
Wednesday, March 19, 2003

Just take in your own laptop and set it up how you like. Don't connect it to their network, just use sneaker net to transfer files.

Matthew Lock
Wednesday, March 19, 2003

Most companies that have that kind of a lock-down policy will also have a "no personal equipment" policy, regardless of whether you connect it to the net or not.

Brad (dotnetguy.techieswithcats.com)
Wednesday, March 19, 2003

How exactly is he supposed to install VMWare?

For the software you write, what software and privileges do you need that you can't have? This can't just be because you really *love* that autocomplete feature.

dmooney
Wednesday, March 19, 2003

Install VMWare ESX, it needs no OS loaded.  Granted he's going to have to buy it, in which case he may as well buy a laptop for the price...


Wednesday, March 19, 2003

To be honest, the thing that drives me most insane is the "Reuse existing windows" on IE. I keep the address bar on my start bar, and often type a URL in there to go to a site. Now I have to remember to open a new window first (then hit "stop" because their home page takes forever to load).
Granted it's a minor nit, but I just have general issues with having to fight my tools to do my job.

As for software - Ultraedit, Irfanview, Winamp, Dezign (ER Diagramming tool) various and sundry shareware for proof-of-concept stuff...

Philo

Philo
Wednesday, March 19, 2003

Some people, including some developers, have the ability to screw up their computer on a regular basis to the extent where the only remedy is to reinstall the OS from scratch. I can certainly understand why they enforce this practice.

The company I previously worked for enforced this, but allowed for exceptions for developers.

It sounds like it is more of a trust issue in your case. I can understand that you feel patronized for not being trusted to maintain your own computer, but if you need to look to fellow programmers for a reason why you need to be given full control, you probably don't need it.

Big B
Wednesday, March 19, 2003

If you make web apps, tell them you need to install Mozilla to ensure maximum compatibility. Then enjoy customising Mozilla to your heart's content.

Matthew Lock
Wednesday, March 19, 2003

Big B:
"but if you need to look to fellow programmers for a reason why you need to be given full control, you probably don't need it."

In my experience:
a) Being able to show independent documentation that supports your case *always* helps
b) When researching, asking for help from peers is generally more efficient than starting off on your own

Which item are you saying is incorrect?

Philo

Philo
Wednesday, March 19, 2003

Big B,

I think everyone has the ability to screw up machines, developers, admins alike.  But at least if they give you full control and full responsibility (you f*ck it up, you fix it), then they really should have nothing to worry about from a support standpoint.


Wednesday, March 19, 2003

I had this problem at my last company. I made a request to install something every other day or so, and I took care to justify the requests. The admins had to take time out to come over, log in as admin and install the software. When they couldn't make time, I let my boss know that my effectiveness was impaired until the software got installed.

After about a week, they gave me local admin rights on the machine.

Another possibility might be to say you absolutely _must_ have a coding-related tool that only works if you're local admin. Not sure whether they exist though.

Anon this time, sorry
Wednesday, March 19, 2003

Depending on the work you do, it may be possible for you to ask them to give you a local machine account that has admin privileges. That way you can run as admin when you need to, but the admins do not need to worry about the security implications of someone running as a machine admin all the time.

I run into this quite often as a VBA developer. The addins and templates are usually in C:\Prog files and cannot be tested without enhanced access. It can also be difficult to add controls and write (and test) install scripts without admin rights.

My current client has a website where you can log on and request admin rights for a 2 hour period.

Ran
Wednesday, March 19, 2003

I am in an organization of 250 inside of a company of 10,000 and we run NT4.  I have gone through two PCs in the last 5 years and have *never* had a BSOD.

The secret.  No local admin access.  Nothing is allowed to be installed without permission (no dancing baby screensavers, no SETI@home, etc.).  There are a few scattered developers who have local admin.

So what that proves to me is NT4 is stable; running Winamp3000 and WindowBlinds and BlackBox for Windows and ICQ7000 ... is what gets you hosed.

So either take the blue screens or accept the restrictions.

cheeto
Wednesday, March 19, 2003

Heh. Actually I *have* local admin rights (you can't manage an ASP.Net app without them)

But they still scan for "unauthorized software" and have IE locked down hard. Another factor on the IE issue - can't install the google toolbar, which I find invaluable.

Seriously, as things go it's not a major issue, but it's just one more thing that a) hampers my ability to work yet b) accomplishes nothing.

Philo

Philo
Wednesday, March 19, 2003

What type of scans for unauthorized software do they do? Executables? (just create a batch file, rename it to .doc when it's not running.)  If they do registry scans, that's going to be a little tougher, though you could do the same thing.  Get a registry monitor, install the software, export the keys, delete them from the registry and install/remove the registry info using reg files (for inserting the keys, not sure for removal) before/after execution.  Granted that's one hell of a workaround and you might be better off getting your manager to talk to IT & give you more rights ;-)

 
Wednesday, March 19, 2003

As far as I can tell, they scan the "Add/Remove Programs" registry tree. I've had a standalone .exe running for a week and nobody seems to have noticed.

So it's easy enough to simply remove the Add/Remove entry; but I'd rather get the policy changed and keep everything above-board.

More silliness: when I got the first report of "unauthorized software" I was asked to remove it. I had to go back and point out that I couldn't because my control panel has no "Add/Remove" applet (another lockdown). The sysadmin said "You can run it from the control line"

Uh, I knew that. But if you're going to advocate that, then just put the freaking applet back, you goon.

Philo

Philo
Wednesday, March 19, 2003

An admin refusing to give you control of your machine! *Shocker*

trollbooth
Wednesday, March 19, 2003

Philo,
I suspect that the problem is not that he wants to restrict your IE settings but that any rights he gives you on the domain will apply to every single machine you may wish to log on to. NT4 server appears to have an all or nothing attitude towards domain security.

You are only noticing this with IE because you will always be using IE when logged on to the network as a user, as opposed to being logged on as local administrator when you can change it. Many programs such as IE have user based settings; you change IE as local admin but the change doesn't migrate to you logged on to the domain; you can get the admin to come round, log on and change them, but they will apply to him and not to you.

Other apps such as Word keep user changes in a template, so you can customize to your heart's content.

Stephen Jones
Wednesday, March 19, 2003

When they gave me that crap at work I put up servers, created a domain, and took all my developers out of the corporate domain.

They got all huffy and refused to support my group. Great! It takes less time to do it myself than to beg tech support to fix it.

Eventually went so far as to install DSL and my own firewall so I could get completely off the corporate LAN.

Then I made them pay for VMWare.

The trick is to always have a business case for whatever you want, and escalate, escalate, escalate.

Anonymous Coward
Wednesday, March 19, 2003

Well, I thought that someone should respond to your actual question.

No, I've never seen any article discussing the impacts of company controls on installed software. Particularly not in the area of software developer's productivity or morale.

That said, I think that your best bet to get the policy overturned is to pick a particular piece of software and develop a business case why you (and others) need it installed (pick some software where you can get articles showing the productivity gain). Then, after you've won that battle, pick another piece of software, repeat, repeat, repeat. Hopefully they'll eventually get the idea and change the policy.

Bill Tomlinson
Wednesday, March 19, 2003

Bob Lewis's columns for InfoWorld have several discussions on this topic.  This is one of the best:

http://www.infoworld.com/article/03/01/17/030120opsurvival_1.html

You can scan forward and backward through his archived columns to find several others on desktop lockdown (proponents of which he calls the "Value Prevention Society").  Hope they help.  (If they do, you should send him an e-mail and share your story!)

I feel your pain.  Up till a month ago I had Win98, and though the stability was iffy, I could install anything.  Now I had to take Win2000 to get VS.NET on my machine, and a hundred little frustrations cropped up: Can't put stuff on my desktop, can't change display settings, can't change Start menu, can't add toolbars in the taskbar, can't change IE home page...the list goes on.  I pointed out to the IT guy that I hadn't managed to destroy my PC while it had Win98 on it for a year, but apparently *somebody* in the organization did manage to do this, so now everybody has to suffer.  What a pain.

Kyralessa
Wednesday, March 19, 2003

It might be a licence issue as well as they are responsible for unlicenced software on those machines.

You ~are~ using all that various sundry proof of concept shareware doodats within the limits set by their various licences aren't you? You are not letting any go over their eval limit?

And what's the business case for needing Winamp on your dev machine?

Incidentally I certainly support developers having some control of their machines myself, it's the norm for devs to have this right on machines I manage if they want it.

But I understand the concerns of management too. In a big company of course, 'concerns' have a way of snowballing into a big deal until they reach some VP's desk who commands their minions "Lock all desktops down" in a booming voice, and that's that.

I'd say having a separate network for dev machines where the devs can do what they want is a good idea if the budget can carry the weight. Unless things have changed recently this is how things were set up for the W2K network at Microsoft - the NT and Exchange devs had their own "NT DEV" forest where they could do what they wanted - as long as they fixed it afterwards.

Robert Moir
Wednesday, March 19, 2003

<<
And what's the business case for needing Winamp on your dev machine?
>>

I'm more productive when tuning out the office chatter by listening to MP3s (Yes, legally ripped MP3s)

  
Wednesday, March 19, 2003

Heh. Someone beat me to the case for Winamp. [grin]

"You ~are~ using all that various sundry proof of concept shareware doodats within the limits set by their various licences aren't you? You are not letting any go over their eval limit?"

Actually, yes - I'm *very* sensitive to licensing requirements on business machines (my home machine, well... [ahem]). Generally I download shareware, see if it's what I need. If it isn't, it's gone. If it is, I petition management to buy a license.

For *tools* I would also like the leeway to buy a copy myself and use that if it makes my life easier. Note that I would never do this with anything that may commit the client to purchasing licenses to get one of my deliverables working (or even to just maintain it). For example I might like to personally use Ultraedit to work on text files, but I would never deliver a presentation in Flash unless Flash was an agreed-upon format.

Philo

Philo
Wednesday, March 19, 2003

"Actually, yes - I'm *very* sensitive to licensing requirements on business machines (my home machine, well... [ahem]). Generally I download shareware, see if it's what I need. If it isn't, it's gone. If it is, I petition management to buy a license."

Cool. Even though *you* are good with this, is it a company concern because I'm certain that not everyone is as careful as you? Is there some sort of perception by the PHBs that this could be a problem if they didn't behave in the heavy handed manner you told us about?

Robert Moir
Wednesday, March 19, 2003

Actually, most companies disallow this kind of stuff because they don't control the licensing. The machine is their property, and they are the ones who end up responsible for rogue software, not the person who installed it.

Unfortunately, it's usually easier to get freeware/public domain stuff approved because there's no potential license issue.

My wife was using a legit copy of HomeSite at work and they nixed it (a lot of others were too), so in order to make the IT people happy, they had to buy legit copies for them, even though they already had them, just so it was a controlled license situation. Go figure.

Brad (dotnetguy.techieswithcats.com)
Wednesday, March 19, 2003

Arbitrary rules governing what developers can and can't do seem to be the hallmark of big companies. The only real solution is to leave the company.

That's probably why little start-ups can come up with new products so quickly. (MS in the late 70s/early 80s, Netscape, Napster, Viaweb, etc.)

To quote Paul Graham again when his start-up was bought by Yahoo:

"I've been on both sides, and I know. When Viaweb was bought by Yahoo, I suddenly found myself working for a big company, and it was like trying to run through waist-deep water."...

..."But they (Yahoo) were still only about a tenth as productive as a small startup. No big company can do much better than that."

http://www.paulgraham.com/road.html

Matthew Lock
Wednesday, March 19, 2003

When I have the opportunity to assist in setting up a development team, be it in a corporate environment or in a commercial software developer, I have a sort of check list I take them through. The goal is to both protect the company from legal issues while maintaining the productivity of the developers.

1. Pull your developers off your domain. You may set up a separate domain and trust it if you like, but standalone PCs are just as good (and cheaper to maintain). These both allow the developers to build the software productively while keeping your developers’ hands out of the proverbial cookie jar. They need complete access, you need good security, and this is the best way to achieve that.

2. Put the head of your development team in charge of managing the team’s software. This gives you central control over your licenses (protecting your back side) while at the same time ensuring that the software your developers need is adequately provided. No one in your organization knows more about what software your developers need than the developers’ manager (because this person typically has both managerial and developer experience).

3. Keep your IT separate from your Development, both conceptually and physically. Although they both work with “computers”, they have completely different mindsets. Not keeping these two dragons apart will cause in-fighting that will hurt your productivity tremendously.

4. Build a default PC environment for your developers. This should include every tool that your developers need (IDE, Compilers, Editors, Controls, etc. etc. etc.). Once you have this, image it (Ghost works well for this). This way when your developer craps his PC, you can get him up and running right away. It is the best way to ensure uptime without requiring your IT staff to fix some developer’s mess. It also simplifies adding someone to the team as you can build them a workstation in an hour. NOTE: This must be done in connection with Rule 5, not in place of!

5. Backup, backup, backup. While Ghost will get you up and running quickly, it doesn’t save all of your custom settings. Because these settings can take days to recover, backup is the best bet. You should only use Ghost when there is no other option.

As for installing shareware and the like, sorry. You are out of luck there. It is just plain a bad idea from a legal and support point of view. However, I do recommend that the team keep a separate PC with the default configuration running someplace. This PC would be open to anything being installed. This way you can test it and just Ghost the PC back when you are done. But allowing this with every PC is very dangerous. We all laugh at those BSA commercials, but they are no joke. Shit can hit the fan if you are not *very* careful.

Marc
Thursday, March 20, 2003

Oh, and if you think you have it bad, this was posted to a mailing list I read:

---------
Is there an ftp site I can get the KBase from?  I just found out while I don't have web access (lowly contractor), I do have ftp access from my windows desktop.  SO, if someone knows of an ftp link, that'd be awesome! Thanks!
---------

OUCH!

Marc
Thursday, March 20, 2003

[And what's the business case for needing Winamp on your dev machine?]


I have a better question - what is the business case for not having winamp on my machine? I mean is listening to music all of a sudden a bad thing? Gimme a break.

Ian Stallings
Thursday, March 20, 2003

I just thought of an analogy to the developers locking down their machines thing - it would be like hiring a dozen carpenters for a job then issuing them each a standard toolbox with a standard toolset. No tool belts allowed.

You'll see them all day long reaching for a pencil or tape measure in their belt, then remembering they have to go to the toolbox for it. They look for their leatherman, then remember they have to go to the toolbox for a pair of pliers or a screwdriver. Etc, etc.

In fact, this would be an interesting experiment - have two teams of carpenters build the same project; one with their own tools, the other team with a standard "best guess" toolbox.

Philo

Philo
Thursday, March 20, 2003

Actually, this thread has made me realize that, should I ever have a company of my own with development staff, I'll probably just buy every staff member their own computer and *give* it to them, making them responsible for whatever's on there.  And similarly, give them expense reimbursement for any software they have to buy in order to do their job.  As long as the upgrade cycle for equipment and software is shorter than the staff turnover cycle, I'll spend the same amount of money, and have (presumably) zero liability for the machines' contents, since they're not mine.  :)

Phillip J. Eby
Thursday, March 20, 2003

Ownership is a very good idea.  The difference in care given to corporate owned laptops and personal laptops bears this out.  I would make it a 50/50 split however.  And whenever the engineer feels they need a hardware upgrade, they can pony up the 50% of the new purchase and take the old purchase home if they like, or use it at work, etc.  Hmm, I really like this.  Might suggest we take a look at it.

Nat Ersoz
Thursday, March 20, 2003

Another thing ownership gives you - it prevents that nasty habit of playing "trickle down the machines" whenever new hardware hits the floor.
I was at a gov't agency where any new computer went to the department head, then his machine went to the assistant dept. head, etc, etc, etc - down to the guys who actually did work. Getting a new machine generally blew an entire Saturday for the IT staff.

I figured it was a management/gov't thing until I went to work for a boutique IT place. They told me that if I was hired full time I'd get a company laptop. I later found out that the senior developer would get the new laptop, and I would get his. No thanks.

The most bureaucratic place I've ever worked did the "we'll buy you a laptop, you pay us back half over time" thing. Yeah, sometimes people who had been there longer griped a bit, but I think intellectually we all knew that's simply the way computer stuff works...

Philo

Philo
Thursday, March 20, 2003

And it took me a year to persuade my boss we needed to "trickle down" the machines (me getting first choice of course).

Actually it wouldn't be necessary if it wasn't for the bureaucratic inertia in large organizations. What got trickle down started was the fact that the secretary and the boss couldn't do the job because they only had 32MB of RAM on otherwise perfectly good Pentium II's. They would put out a tender for the RAM according to regulations, and receive one valid for a week, which is about the most you can guarantee RAM prices for. It would take three weeks to get it approved by which time the price had changed. So they ordered complete machines instead!

Stephen Jones
Thursday, March 20, 2003

I've had to deal with these type of Net Nazis in the past.

I was responsible for a small development group working on a project that was critical to the company's survival. The IT folks took it upon themselves to lock down our machines and lo and behold when we tried to build one of the DLLs in VB 6.0, it failed because we didn't have permissions to register DLLs on our system.

I about blew a gasket right there... No, I did blow a gasket because the 2 guys running IT liked to brag about how they really controlled everything in the company.

I picked up the phone and called the company president at 3:00 AM in the morning and explained to him that if he expected us to meet this very important deadline, then he had better call the idiots in IT and tell them to get in and give us permissions.

The president of the company was just as pissed as I was and from that day on, we never had any problems with IT. They were not so politely reminded that their job is to assist the people that are actually earning $$$ for the company, not to get in the way because of some adolescent ego trip.

Mark Hoffman
Thursday, March 20, 2003

Much of the "net Nazi" syndrome arises because an overly strict IT policy, while costing untold manhours to the company as a whole, actually saves the IT department time and money.

So a company that blocks .docs will save on the time needed to clean up from unknown viruses. Of course it may mean that the Personnel department loses over half of all its job applications and has to spend a fortune on recruiting agencies, but that doesn't show up in the IT budget.

My favourite was the local steel company that, in order to stop a repeat of Chernobyl, went round every machine and took out all the floppy drives! My contact there happened to have been on vacation in India when the email addresses were given out, and it took them two months to give him a new one, so during that time we had to wait until a colleague who had a cubicle in a distant corner, and thus whose machine had gone unnoticed by the screwdriver brigade, was taking his afternoon nap, whereupon he would type everything out again and transfer it to floppy.

Stephen Jones
Thursday, March 20, 2003

Ok, it is now official; Mark Hoffman is my new hero.

Calling the CEO at 3:00 AM? You kick ass my friend.

Marc
Thursday, March 20, 2003

Two of my own favorites from sysadmin encounters:
The first was an admin that spent most of his time perfecting one particular server. The server ran no apps and served no users, since that would ruin the "perfection".
The second was an admin that refused for months to install needed functionality since it would require a reboot and thereby ruin his "uptime".

Just me (Sir to you)
Friday, March 21, 2003

"I have a better question - what is the business case for not having winamp on my machine? I mean is listening to music all of a sudden a bad thing? Gimme a break. "

Ian - that whooshing noise was my point going just over your head. Try reading my post again, ALL of it this time, not just cherry picking bits you think you can argue about.

Any PHB from a company who locks things down as tight as we've seen discussed here is either going to say "Yes, listening to music is a bad thing, you should be working not playing music" or they are going to say "You already have Microsoft Media Player (Or Quicktime for your Apple users reading this), so use that".

Its inclusion on a list of serious work related software would pollute the whole list if it was shown to a PHB like that. Their eyes would keep coming back to the one thing they _could_ just about justify objecting to and they'll seize it like a life raft to keep their dream of a tightly controlled desktop afloat.

I personally wouldn't stop dev or sysadmin people from installing whatever they liked on their machines - with the "you breakum you fixum" caveat - but you ain't going to get far in changing policy to allow you to install software by citing WinAmp as a need. Give _ME_ a break.

Robert Moir
Friday, March 21, 2003

Actually, thinking about the question of not letting people install anything because of punitive and restrictive licensing policy, combined with draconian semi-SS like inspections by the BSA and its minions, has anybody thought that another factor in favour of outsourcing is that in many other countries they're still pleased to get the large checks you send for the software you do pay for?

Stephen Jones
Friday, March 21, 2003

Robert, maybe you thought my "Gimme a Break" was pointed toward you but it was really just a sigh I let out like "geez" or "come on". I didn't mean to offend you for christ's sake. Why all the guff?

Ian Stallings
Friday, March 21, 2003

Bad day I guess. My apologies, Ian.

Robert Moir
Friday, March 21, 2003

This might be a solution to one of your problems.  Have you tried "Dave's Quick Search Taskbar Toolbar Deskbar"?  You'll never use the googlebar again once you've tried it.

http://notesbydave.com/toolbar/doc.htm

Joel mentioned it which is how I found out about it

http://www.joelonsoftware.com/news/20020718.html

I couldn't live without it.

Gregg Tavares
Saturday, March 22, 2003
