• toastal · 6 months ago

    Thanks for confirming some of my suspicions about how it all actually operates & the reasons for doing so.

    I really just don’t like this in principle as it is way too easy to accidentally do private stuff out of convenience on a machine, which is why I do like I said with BYOD & will be present for all attempts to troubleshoot a device. I don’t really see a conceptual difference in my digital desktop vs. my physical one & I wouldn’t let an employer install a camera at my desk, just as much as I wouldn’t think it is cool for a business to have cameras in the bathroom just because they own the rental agreement. It feels like there should be some form of privacy even in these digital scenarios that never happens & it leaves a sour taste in my mouth. Is there a solution to allowing users privacy in their system or is it only considered fully private property?

    • MystikIncarnate@lemmy.ca · 6 months ago

      Legally, it’s fully owned by the company.

      My current workplace uses mostly cloud desktops. Basically, even if you’re using a personal system, you install remote desktop client software (it provides access to another system, it does not allow access to your system), which is used to connect to a server farm of virtual desktop servers. So the work desktop you use kind of overlays itself on your system. Your system is still there, humming away in the background, with its only task being to shuffle your input up to the cloud, and bring down the images of your cloud desktop and display them.

      There are some other features, but that’s the core of it. We use a third party “remote monitoring and management” (RMM) tool to administrate company owned systems. You are perfectly capable of using the remote desktop client on a system that’s not company owned. I like this model, since you can minimize or close the remote desktop at any time, and since we (the IT team) have full access to the remote desktop server farm, we can connect to your remote desktop session and see what you see, but only what’s within the remote window. We can’t escape it to see your computer. So if you have a problem with your work stuff, we have access to that. If you have a problem with your personal computer, we need to use a one-time-use (or ad-hoc) remote connection software like LogMeIn or something similar (specifically the LMI Rescue type feature set). Once we disconnect from your personal system after doing whatever troubleshooting you asked for, we lose access to that system.

      The programs change, but they do the same thing in concept. There are a number of company owned laptops and desktops we have our RMM tools on which allow us to dive into a system whenever we want.

      I run a homelab, personally, and when my workplace does not give me the necessary stuff to be productive from home, what I do is build a small virtual system on my home lab, which I remote into when I work (from my desktop), so I can maintain a work/personal division. It’s similar to the cloud system I’m doing at my current job, but the “remote” desktop is a VM on a server in my basement. Other times I’ve been given a laptop, and I’ll set it up in a corner and turn on its built in remote desktop service (to allow remote desktop connections into it), then use the same protocols to connect to my work laptop.

      When I’m done work, I just shut down the remote desktop connection and poof, back to my stuff on my PC.

      With my current job I went another way, I got a KVM switch, which allows me to switch between two physical computers at the push of a button. (KVM is keyboard/video/mouse) When I’m done work now, I push a button and my screens (I have several) and KB/mouse all switch back to my personal desktop. Same idea but different.

      I couldn’t imagine using my personal computer to do work stuff directly. That’s just not kosher in my mind. I have work’s RMM and tools all installed on the system I use for work, and my personal system is entirely free of such things.

      I also want to include a short story. Recently a client started a ticket about our company logo being on their personal computer. I grabbed that ticket up and immediately identified the system, and removed it from our system. I followed up with the user to verify that by removing it from our system, the icon disappeared (indicating our monitor agent was fully uninstalled), they confirmed, and I closed the ticket. I kept thinking it’s grossly inappropriate for our software to be on their personal system, and I wanted to get it fixed ASAP. Not everyone is the same, I’ve known users that want our remote management tools on their personal systems. I don’t understand it, but I can’t tell them that it can’t be there either (the customer is always right, applies in this context).

      As I hope I’ve demonstrated, neither myself, nor anyone I work with, nor anyone I’ve worked with in the past, would ever take such an opportunity to snoop or spy on them, but I’d rather not have that liability hanging over my company. All it takes is for one person to have the software on there and accuse us of stealing their private data (say, lewd pictures) and publicly posting that information on the internet, and I’m sure the policy would change. Of course, we wouldn’t do that, but all it would take is the accusation.

      It’s a bad day for us when we see something we shouldn’t, especially if upon seeing it, we’re morally obligated to contact the authorities (in the case of illegal content such as child porn). Of course, if something like that is observed by a tech, we must do something about it, but we don’t want to have to get involved in that sort of thing, so we’re pretty careful about it. To put it simply, we’re not looking for anything, and we don’t want to snoop through your stuff, because if we do and we find something we shouldn’t, there’s going to be hell to pay. Not only in the fact that now we need to report it to the police, but also that we need to be able to justify why we were able to see it in the first place. If we can’t justify why we were looking at the content, that’s probably grounds for termination and getting blacklisted from IT, even if it had a positive result (like a pedo being sent to jail).

      Bluntly, it’s not worth the risk, paperwork, or inevitable trouble that we’ll face if we do.

      Keeping a good separation between personal and work minimizes the risk of IT seeing something they shouldn’t, even if it’s not illegal/illicit. Even your personal financial information. I don’t want to know. I had a call recently with a user who couldn’t log into their bank, and through testing, I was on the lookout for errors while they logged in. As soon as login was successful and their accounts were up, I minimized my remote control so I didn’t see more than I absolutely had to of their bank info. I got them into the accounts. I don’t care what the accounts are, or what is in them. It seems minor, but that is that user’s personal information which I do not need to know. I solved their login problem with the site, so I’m done.

      I probably have a hundred other examples, even some where my co-workers had to contact authorities, I’m pretty sure… Every decent IT tech knows that this is a risk and we do what we can to avoid getting caught up in it. We don’t want to have to answer those questions.

      If you ever have IT connect to your computer and your background goes black, there’s a reason. At first it was bandwidth related, and we’ll still say that as the reason, but a large reason why we still do it, even into an age of high speed internet, is because a lot of people put pictures of their family, friends, sometimes even inappropriate content, as their desktop wallpaper. It’s hard to miss when it’s your wallpaper. So if it’s blacked out when we connect, that’s one less possible problem we have to deal with.

      I’ll stop, but if you have questions for a random internet IT guy, please feel free to ask.

      Take care.

      • toastal · 6 months ago

        That I could prefer: using a remote VM for the work & being able to opt out of a company provisioned device if possible. It’s much easier to not pollute a VM & you will want to disable it as soon as you are done anyhow to free up local resources/connections.