Ask HN: Is 'company laptop only' a common (remote) policy?

personally i quite like to be able to firewall off work from the rest of my life, having separate computers for work and for personal use is one way that can help achieve that. easy way to avoid accidentally checking work comms when you&#x27;re not being paid to work -- don&#x27;t use the work machine at all. but i understand not everyone feels the same way. i like to be able to use my own choice of peripherals (keyboard, mouse, screen, headphones&#x2F;speakers) but i dont particularly care about using a work machine.<p>what&#x27;s far more irritating than a work machine is work-related corporate crapware on the work machine. e.g. mandatory antivirus that bogs down disk io, security policy settings that restrict your ability to install software, etc etc.<p>&gt; How is occasional working from home&#x2F;company VPN handled for devs&#x2F;engineers at your place?<p>i offer three data points:<p>* at small young software-oriented business (headcount 10-20): work provided each employee with a laptop they could use to work from home or from the office on, but people could pretty much do whatever they wanted with those machines, or work using other computers if they chose.<p>* at large new non-software company (headcount ~10,000): working as a contractor, the company let you remote in from your own machine, and started offering BYOD as an option when you were on site, or to use work-provided hardware on site.<p>* at huge old non-software financial company (headcount ~50,000): thou shalt follow the company IT and company security policies, thou can work from home using company equipment, although the company configures the equipment to make it very difficult to get any software development work done (because security)

Company-provided computers are generally bound by policies that restrict user powers (least-privileged access) and install updates soon after release. I don&#x27;t know about you, but I often neglect system updates on my personal laptops. Whilst I&#x27;m also very careful with what I have on my personal laptops, I would still rather not connect them to the company network.<p>BYOD is popular but has some caveats - as the company grows, you wind up needing to secure ways company data can leak. It becomes necessary to plan for losses. Our computers are all encrypted and are not allowed offsite if they aren&#x27;t. We also have remote-wipe capabilities, which is something a typical user isn&#x27;t going to let the company install on their personal device.<p>We mostly allocate users laptops; a few have desktops, and most of those employees also have laptops to take home. We have allowed BYOD in the past but are now very firm on what we permit. Most users are happy to have company-supplied equipment, and I think the separation of work and personal is beneficial to most people. I like having work only on my work laptop. I only allow VPN access on a computer-by-computer basis. Admittedly we&#x27;re a cloud company, so for most purposes all we need is an internet connection. The VPN gets used mostly by me to work from home, by employees who need their more powerful desktops or for me to do tech support remotely. It&#x27;s not covered by an SLA but it works well for my purposes.<p>Sure, a lot of companies trot out the &#x27;everyone does it this way&#x27; excuse, but there&#x27;s actually a good reason for this - it works.

Yes, it&#x27;s common. It&#x27;s more common at more mature companies handling very sensitive data.<p>Considering the power of laptops these days, I don&#x27;t understand what you&#x27;re losing in usability.<p>Either way, it&#x27;s a good policy, and your users are better off for it.

I&#x27;ve been remote for a long time, and this is completely normal. Not universal, but normal enough that I wouldn&#x27;t complain about it.<p>I even strive to keep it more separate than that. I have both my work and personal laptop KVMed to the same monitor&#x2F;mouse&#x2F;keyboard, and I&#x27;ll switch over to the personal one for most general web browsing. I use Slack to send links&#x2F;files to myself if there really is a need to share something between the two, because of course we aren&#x27;t allowed to put USB drives in the work system either.<p>It feels extreme when you start working this way, but you get used to it, and I&#x27;ve even grown to appreciate the complete wall between work and home.

I have friend who ZeroTier-ed over corp VPN (read: bypassed it completely) and installed necessary VPN accessing local thingies on his personal laptop.<p>The reason being (in his own words) - &quot;it takes too much time and hassles to sign up to Corp VPN BS. And then it logs you off, timeouts, enforces stupid policies, etc...&quot;. His ZeroTier setup is more reliable and I suspect as secure as his startup VPN.<p>His faces (and realizes) potential risk of: &quot;How come you were sign-ed up to our Corp network when our VPN provider was down?????&quot;.<p>No one (at his startup) knows about what he does and the reason is - he does lots of moonlighting and it&#x27;s very convenient for him to:<p>1. Use single machine for work and off-work activities.<p>2. To protect himself against potential of his Corp to claim rights to his own projects.<p>He is vigilante-type of guy, in other words &quot;don&#x27;t tell me what i cannot do&quot;.<p>That said his corp and his corp&#x27;s customers are super happy with his work and support.

Yes, it&#x27;s very common to only allow corporate laptops provisioned with a standard image, certificates etc. If you need to remote in then you must have a corporate laptop.<p>From a security standpoint it is risky and amateurish to allow VPN from an unknown device under someone else&#x27;s management.

It&#x27;s a no-brainer decision from a security point of view.<p>The only exception that I would consider would be allowing for remote virtual desktop or virtual app access. Even that has risks that needs to be considered.<p>Remember that with BYO, unless you&#x27;re providing stipends for employees to buy equipment with string attached, you&#x27;re not dealing with just your employee -- you&#x27;re potentially thinking about the employee&#x27;s extended circle of associates. The employee&#x27;s kid, parent, drunk roommate, etc all have access.

The only time I&#x27;ve used my personal computer for remote work was when it was freelance&#x2F;independent contractor work. The companies I&#x27;ve worked remote for have all provided a computer for remote work. The main reason is usually information security. The companies need to know that sensitive data is not being stored on my personal computer - I shouldn&#x27;t have access to it if I&#x27;m not working for them.

We have a company provided Mac and connect over VPN and have duo for two factor for everything. We are able to install anything we want&#x2F;need, but there is some monitoring software that reports on what we have running. You can get a call from security, &quot;why are you running x?&quot; But as developers, they know we are going to install a myriad of things.

I think it&#x27;s a very common policy. Company deployed hardware is the only way to ensure security and control the software installed on the machines.

Company Risk&#x2F;Liability trumps usability.<p>If we need to nuke your machine from space, much easier it’s corporate property.<p>&gt; <a href="https:&#x2F;&#x2F;www.cfodailynews.com&#x2F;how-a-single-stolen-laptop-cost-this-firm-2-5m-are-you-at-risk&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.cfodailynews.com&#x2F;how-a-single-stolen-laptop-cost...</a>

The new policy is normal, the old one is insane.<p>Expecting you to work on a personal device is irresponsible, not only beyond cheap.

It&#x27;s normal. I get email on other devices but we&#x27;re expected to use company hardware for real &quot;work&quot;.<p>I wouldn&#x27;t put company stuff on my own PC even if they demanded it. Corporate laptops are usually filled with official spyware

Company hardware only is a very common policy at all companies larger than very tiny.