Discovered that for the first time in 30 years my university has contracted with JamF to restrict how much control I have over my university provided laptop. I have always had little faith in our IT department as they have little competence in managing anything Apple, but this was the last straw for me. One of my colleagues was actually unable to upgrade to Mojave because it created issues with some university functions. (Fortunately I got my laptop upgraded before the restriction was employed.). In any event I will either return to my old laptop or purchase my own and deploy the one the university gave me to my lab. They claim that the necessity to do this was 1) to protect users from poor security habits, and 2) to protect FERPA protected data that would be stored on our computers. I sort of get #1, but if many of us choose to purchase our own computers then the purpose is defeated. Alas, if our IT department wee more forthcoming we could easily work with them.
This sounds like another instance of Mojave’s overzealous automation security overreach…
First of all I follow your frustration. I prefer myself also to have full control over my work laptop.
But are you allowed to use your own computers to the network?
And remember the IT department may be doing this based on a new requirements that have hit them.
So they may not think it is fun either but their hands are tied.
I have been working for so many years with IT departments who control what do on enterprise laptops and what to access when we use internet.
For people who have high level of comfort using technology, this is very limiting to their productivity (I always felt I can be 3x more productive). But on the other hand, those power users who - really really - know what they are doing are very few. And the issues they face from ignorance is higher than the benefits of allowing power users to work freely. Imagine user downloading and installing any software which can be either pirated or infected with malware that spreads across the network.
I learned to look to the other side, and say if I am the IT person, I am giving freedom to everyone doing anything?
I have to stand on the other side of this first.
→ Be glad you are not having to work at a national research lab.
→ Your complaint is unjustified. The computer is technically not yours.
This answer to the problem goes around the issue above but does not certify against the issues below.
-
We have instituted DUO recently. We had a (deviously clever) student install a key-hack on-line to a computer, break in to an instructor’s Google account, and wipe everything (not to mention changing grades in a course for everyone). We have Windows XP systems that we must keep off-line b/c our IT demands the outdated OS is a potential security loop-hole. Although I recognize the frustrations, I have no sympathy with anyone who rails against an IT department that demands blanket approaches to security issues. Again, you only have to work at a national research lab to realize you are in heaven by comparison. When you would skirt the security protocols and damage yourself or others, YOU not your university will pay the consequences. Think … lost data … YOU pay for the recovery. Think … virus infection … YOU pay the recovery.
-
AFAIK, when you would be found to have violated a FERPA regulation in some way, YOU, not your university, will pay the consequences. Think … a student gets hold of your computer and posts the course grades … YOU not your university will be in jail.
See my comments immediately above.
This is the real message. The direct frustration you express is that they will not work with YOU (and it is their fault this is happening). Consider that they may be saying the same thing in reverse while looking at you.
Perhaps it is time to take a box of donuts and go visit the IT department for a good sit down and chat over breakfast.
In summary, I empathize with your concerns. I can be as frustrated at our IT department as you are. OTOH, I see too much finger pointing on issues such as this on both sides. I have long since learned that, when faced with frustration, finding paths for dialog is an important first step.
–
JJW
I work for a college and happily our IT group is very happy to let me manage my college issued MacBook Pro or bring in my personal one. Since most of the staff do not have Mac experience, they sometimes call to ask questions. Security is at the server level for email, shared drives, and our database programs. Shared drives and our database programs are accessed through Citrix.
Research does show that people are happier in the workplace with more technology choice. So IT should never discount how important this is to productivity and morale.
I understand the frustration of being a hamstrung power user in a work environment. However, I have noticed in my office that most employees couldn’t care less what they get for a computer and couldn’t even tell you what restrictions are in place. Those are the users IT needs to keep on lockdown, which, unfortunately, pulls us more tech-savvy users down with them.
I have been part of the IT department in the past but JJW is correct. Try working with them instead of working around their rules. IT departments don’t just make rules because they can, there are often very good reasons for them.
Be thankful that you aren’t told that your more efficient on a windows based PC and have your Mac swapped for a windows based machine. (Happened to me).
To be honest, it is less about the restrictions and more about trust. I have been in discussions with an IT guy that has told me one thing, then had to back track when he found out that what had told me was not true. I have come to believe that even though it is his duty to interface with me, what is happening is above his pay grade. Further, our IT people know so little about Macs (in spite of what they say) that I never let them install anything. I generally win those battles, but this is a new complication.
I could probably learn to look at it from their perspective if they learned to communicate. They have been so covert about this, and fed me information that turned out to simply be not true. Guess it is a trust thing.
Yeah, that’s unfortunately normal, IT always do that.
This is devolving into philosophical rants on “us versus them” battles.
To bring this back to the realm of MPU, the concerns that you have to address are how the security lock down will effect your ability to do your job. I might guess this:
- The inability to update to Mojave should cause no problems in the short term. This restriction will likely be resolved well before it causes concern (IT folks want the most secure software on their machines).
- The inability to manually install updates to software that you require may cause problems, but they should not be show-stoppers. A trip to the IT department to ask for override permissions and/or to leave the computer for the day should fix anything here.
–
JJW
They’ve decided to control what it under their power to control. (shrug). Some companies that are especially security conscious won’t even permit outside personal tech (eg no cameraphones allowed at the NSA … or YMCA changing rooms).
With my university what they allow me to do on my university machines has to do with what they are capable of supporting. Since pretty much everyone in our IT department have expertise on Windows, while no one is a Mac expert, it can result in our being a bit hamstrung.
They do tend to be honest about it. They can’t really claim that the restrictions are for security as more than half of our faculty are adjunct, which means the university doesn’t provide them with computers at all, so they’re all using their own machines. If it was a security issue, they’d have to provide university computers for our part-time faculty to use.
I don’t use my university issued Macbook as the “new” one they gave me last year was a 2012 (why they have a stockpile of unused 6 year old Macbooks is an interesting question) and too heavy to carry around, so it’s just an unused a spare computer. I also prefer to not have my employer have access to my work in so far as I can help it. I do use the university assigned iMac in my office. IT has been willing to let me install my own software, like Screencast, on it so long as I promised not to ask for any support. My one objection is the anti-virus software that runs constantly and, I believe, slows the machine down to a crawl.
Given that almost half the faculty and students at my university use Macs, it would be nice if there was someone in IT who used them.
Honestly, with that attitude I understand why they are hesitant to work with you. Maybe the communication problem is on your end.
Some responses are starting to get a little testy so perhaps it is time to shut this conversation down. My thanks to those of you provided insight to a different point of view. Cheers!
I’m a bit late to the topic, but I’ll comment anyway 
I manage the (relatively) nascent IT security office within a university IT department and this touches on things that I have to deal with on a daily basis. Devices used by university employees contain data over which the university has custodianship and which is often privacy impacting (or even monetarily valuable). The loss of a device or its misuse/mismanagement can lead to a privacy breach, something that turns into bunches of no good for everyone involved.
We (IT) have to use various controls in order to prevent loss or unintended exposure of institutional data, some of which are (frankly) pains in the backside, and this invariably leads to dissatisfaction and complaints. I have found that resolving such conflict works best when communication happens openly and freely.
One way to deal with such situations is to forego a given control if the party who is unwilling to be subjected to it can formally accept the risks that the control is supposed to mitigate. Sometimes this isn’t possible, but when it is, it puts the user in the position of being answerable for the loss or exposure of institutional data. That often has one of two effects:
- The person decides that they’re unwilling to accept the risk and will then accept the control as necessary.
- The person is willing to accept the risk.
In either case, controls (security or otherwise) work best when they are minimally disruptive. Once any control reaches a threshold of inconvenience, people will begin to find ways to work around it in such ways that the desired effect of the control will be diminished.
That’s life. Get used to it. In a private environment you can do whatever you want with your stuff. In a large organization there will be restrictions. A lot of companies were still running on Windows XP when that was long overdue. But if it ain’t broken, don’t fix it.