Last week, I asked Windows Client UPDATE readers who have user-support responsibilities how they handle controlling their mobile users' ability to install applications on company-owned computers. I seem to have touched a nerve: I received a number of responses, ranging from barely suppressed rage to suggestions for software to control user-installation capabilities. (And, of course, a few readers asked what the problem is in letting users install unapproved applications!)
One of the most common responses I received is that administrators lock down user access to company-owned computers completely, never giving laptop-computer users sufficient privileges to install applications or services. However, almost every message I received that recommended locking down also mentioned that users complain that they can't attach their laptops to printers outside the office. A year or so ago, I wrote about this particular problem; I'd been hearing from users who needed to add printers while they were at client sites but couldn't because their systems were locked down. Reader opinion at that time was to let users install printers and very little else. Obviously, if a laptop user's job requires the ability to print anywhere, you need to find a way to accommodate that need.
Some readers treated the concern about installing unapproved software with flexibility; if a user does something to his or her system that causes a problem, the IT staff will devote a small amount of time to fix it. If IT can't solve the problem, the IT staff wipes everything from the computer and reinstalls the base corporate image. Most of the readers who provided this response said that this strategy usually works; few users want to rebuild their desktop and reconfigure their applications for their personal preferences more than once or twice. (Think of this strategy as aversion therapy for your corporate users.) I really like this solution; to a certain extent, it moves the responsibility for the computer to the computer user, making it harder to blame IT for computer problems. I've worked with users who needed complete access to their laptop-computer resources and who installed applications and utilities that broke those laptops on a regular basis. Maintaining a zero-tolerance approach to supporting those users significantly reduced the support headaches this group of users caused. (This zero-tolerance policy usually meant that if the computer was delivered to our IT department in the same state it was when our staff delivered it, we'd fix the machine; if the problem was caused by something the user installed, we would reinstall only the base image.) One set of readers responded primarily to the issue of user-installed applications that suck up network bandwidth. These readers suggested solutions that range from port blocking at the firewall to installing applications that log, track, and stop what IT policy identifies as inappropriate Internet traffic. Such a policy tends to bring visions of big-brother software to mind, but as I've learned more about what really goes on in large corporate enterprises, I've become far less resistant to the idea of a company using those types of applications— within reason. I've just seen too many users spending a significant part of their workday surfing the Internet for what I would diplomatically describe as non-business-related content.
The last group of email messages I received was from vendors who make products that extend group and system policies. I heard from only one reader who was using such a product, but apparently at least a half- dozen solutions are available that can fine-tune the use of policies to control the way users interact with their computers. I think this category of software has potential for solving the problem of users installing unapproved applications, so I'll be contacting these vendors for copies of their software for review. I'll let you know what my reviews turn up.