I'm sorry, my last comment was unnecessarily snarky. I was coming back to delete it and write a more respectful one but you had already replied.
BLUF: For reasons of security and compliance, licensing, and low levels of computer skills among users, privacy-invading enterprise management tools give IT departments the best and most efficient way to accomplish their goals. IMO if you don't want work looking at personal stuff, then don't do personal stuff on work devices.
In short, this discussion highlights the difference between computer power users (developers in particular) and IT. If you're a dev, you're likely highly motivated to get work done, practice security best practices, and keep your system in a well-running configuration. The average employee (which does include many devs) is not like that. When you think of the things you might want privacy for on your work device, it's probably going to be things like checking the news, listening to music, maybe putting YouTube on in the background. Innocent stuff that a micromanager might not like but is probably better for employee mental health anyway. When IT thinks of what an average user would want privacy for, their experience tells them that it's Facebook, porn, and shady gambling sites that say "you've won $1 million just click notmalware.exe to claim it!!!".
I and most IT departments wouldn't mind if everyone used their work computers for only the former non-work activities. I'd bet that the vast, vast majority of IT guys think that "boss constantly monitors your screen" software is creepy and unethical. 99% of users don't get their computers infected trying to download more RAM because Excel is slow because they have a dozen workbooks open. But there's one user that does, it's hard to identify who it is in advance, and once it happens once management wants it to never happen again.
As far as immediate screen recording or key logging, I can tell you from personal experience that some people cannot do anything outside of their established workflow. That includes clicking the link in the email I sent them, clicking the "download support tool" button, clicking the downloaded file, and clicking "allow access". Walking someone through that series of steps over the phone during COVID was about half an hour of wasted time for both me and them. The next time they needed support though, I could just hop on via the support tool immediately. (Just for clarification, the tool was approved and licensed for us to use; it wasn't just Teamviewer I got the user to install. For administrative reasons though, many of the systems that were our responsibility were not installed by us.)
The creepy micromanaging screen logging stuff that runs constantly is not good. Those capabilities are good and useful in many circumstances, but in the type of stuff I think you're thinking about I agree it's horribly unethical. To be frank, I don't think that OS permissions preventing that from working is the right line of defense against that though. If it gets to the point where management thinks that's even an appropriate solution then management has clearly lost the plot and OS permissions won't help.
Automatically installing software is also difficult. What should IT do if, for example, Docker Desktop changes their licensing terms and now we need to move everyone to Rancher Desktop? What if networking wants to move everyone from some horrible IPSec VPN installed in 2013 to a new and modern Wireguard-based client? What if the helpdesk is inundated with tickets asking how to install the new version of Acrobat since the corporate newsletter announced we now had it? Just install it individually for user after user after user, or install it for everyone at once and be done with it? (Acrobat was the worst. IIRC I had to install three different versions over the course of a year once, and one of those versions required that you completely remove every trace of the old version first or else the new version would fail silently when you tried to start it. And of course Adobe's uninstaller wasn't comprehensive enough. I remember a ~2 week period where three quarters of my tickets were manually removing the old version of Acrobat and installing the new one.)
You said installing software should require the user's explicit consent. Linda in HR is probably going to dismiss the popup asking to install the new VPN because she doesn't know what it means. It's bad enough already with updates. If you don't have automatic silent background installs, that means that the day after the old VPN stops working, Linda and a dozen other people are going to submit tickets saying they can't access the network anymore. You won't have problems: you know what a VPN is, you read the emails from IT detailing that they're upgrading, you know that the new version will be faster. Not everybody is as good with computers as that. Automatically installing new software often means avoiding a bunch of tickets allowing helpdesk to work on actually meaningful things.
Those privacy-invasive tools are critical to IT getting their work done. Now, I absolutely get why people have bad attitudes towards IT. IT is often unfairly biased against users. After all, the only users they interact with most of the time are morons, and that paints an unfair stereotype. Like, for example, the stereotype that those users are morons: it's not the user's job to use a computer, it's the user's job to do whatever their job it, and the computer is a tool to do that. Yeah, users should know a little bit about how to use their tools, but that's a little difficult to enforce. IT guys in general have a terrible attitude towards the people it's part of their jobs to help, and that makes interacting with them unpleasant. And corporate-ordered creepiness is often implemented via IT. IT gets a bad rap and they often deserve part of it.
But regardless, not using those tools is like managing a fleet of servers by SSHing into each one individually. Even if you have failproof processes where you never forget a step, it just doesn't scale. IT has management breathing down their neck constantly, along with half a dozen other teams all with their own concerns and problems: networking keeps moving switchports to different VLANs and forgetting that they need to update the routes to the printers; security says they need this AV tool installed to hit a certification management wants to put on the homepage; management found out last week about a guy who's done nothing but manage his fantasy football team for the past three months and thinks the solution is to watch everyone's screen at work. I'm not claiming IT is unique in this regard to be clear: devs with too many project managers have the same sorts of complaints. But fundamentally when IT does something stupid to your computer, there's a very good chance that it's been caused by something akin to someone in a completely different department doing something insecure and now IT has to prevent that from happening again. Centralized tools that allow you to control computers remotely, install software automatically, and change settings as a super-superuser are required for managing a fleet of devices operated by people who want to get things done.
My personal policy is that work-owned equipment is for work stuff only and I will never use it for personal stuff. If I want to listen to music or whatever, I'll use my own device. This avoids every problem with employee privacy on work devices. If I could wave a magic wand and make every person follow that perfectly then none of this would even be a controversy. But people do want to do personal things on work computers, and IT departments have things they need to get done across entire fleets, and the intersection of those things causes problems.
> If it gets to the point where management thinks that's even an appropriate solution then management has clearly lost the plot and OS permissions won't help.
I generally agree, but it helps everyone—IT especially—to just say "Apple won't let us do that"; rather than having to say, "it's possible but I won't do that".
> Now, I absolutely get why people have bad attitudes towards IT. IT is often unfairly biased against users. After all, the only users they interact with most of the time are morons, and that paints an unfair stereotype. Like, for example, the stereotype that those users are morons: it's not the user's job to use a computer, it's the user's job to do whatever their job it, and the computer is a tool to do that. Yeah, users should know a little bit about how to use their tools, but that's a little difficult to enforce.
The big part of people's bad attitude towards IT is that, from user perspective, they're noticeable only when they suddenly make it more difficult or impossible for the user to actually do their job. And they do it often enough that they're seen as an outside force that's at best annoying, at worst dreaded.
Now sure, the typical user may not know the other side of the coin, and in many cases the annoyances are legitimate from the POV of safety and effectiveness of the company as a whole. But then, occasionally IT seems to not see the costs either.
I'm biased here, but I have this negative bias towards IT despite being rather experienced and savvy computer user, because I've been on the receiving side of changes that make it hard for software devs to do their work, in companies that make money selling software.
My favorite example is Windows Defender "realtime protection" - a functionality that adds a noticeable cost to individual I/O operations (writes) on any file except those on one of several exclusion lists (excluding by location in the filesystem, excluding by the process making the I/O call, etc.). This feature has really bad interaction with typical software dev work - version control, building software, running tests, and other things a dev does constantly, tend to do a lot of tiny I/O operations, and they all suffer the penalty. This can easily make all your actual work activities take 2-3x longer - or more, when you account for the disproportional distraction it causes[0].
Now, the corporate IT decides the endpoint machines are not allowed to add additional exclusions to the list, even if otherwise the user has local administrative rights. The list is fixed, contains mostly system stuff, and all your dev tooling and source code is not on it. I wonder if anyone tried to calculate the total cost of this one decision - money lost by software releases being effectively delayed 2x, and in associated extra salaries for one of the most expensive employees in any tech company? Is it worth it, relative to whatever this decision saves? Is it worth sticking to it, and ignoring tickets from software dev begging for help, and/or replying to them that the company will reimburse them for a laptop cooling pad?
--
[0] - https://xkcd.com/303/. Or, when single `git add` of a file takes 2 seconds instead of near-instant, that slowly makes you avoid touching it. `git commit` taking 1 minute instead of few seconds (for executing post-commit hooks) is the difference between being in the flow and browsing HN. Etc.
BLUF: For reasons of security and compliance, licensing, and low levels of computer skills among users, privacy-invading enterprise management tools give IT departments the best and most efficient way to accomplish their goals. IMO if you don't want work looking at personal stuff, then don't do personal stuff on work devices.
In short, this discussion highlights the difference between computer power users (developers in particular) and IT. If you're a dev, you're likely highly motivated to get work done, practice security best practices, and keep your system in a well-running configuration. The average employee (which does include many devs) is not like that. When you think of the things you might want privacy for on your work device, it's probably going to be things like checking the news, listening to music, maybe putting YouTube on in the background. Innocent stuff that a micromanager might not like but is probably better for employee mental health anyway. When IT thinks of what an average user would want privacy for, their experience tells them that it's Facebook, porn, and shady gambling sites that say "you've won $1 million just click notmalware.exe to claim it!!!".
I and most IT departments wouldn't mind if everyone used their work computers for only the former non-work activities. I'd bet that the vast, vast majority of IT guys think that "boss constantly monitors your screen" software is creepy and unethical. 99% of users don't get their computers infected trying to download more RAM because Excel is slow because they have a dozen workbooks open. But there's one user that does, it's hard to identify who it is in advance, and once it happens once management wants it to never happen again.
As far as immediate screen recording or key logging, I can tell you from personal experience that some people cannot do anything outside of their established workflow. That includes clicking the link in the email I sent them, clicking the "download support tool" button, clicking the downloaded file, and clicking "allow access". Walking someone through that series of steps over the phone during COVID was about half an hour of wasted time for both me and them. The next time they needed support though, I could just hop on via the support tool immediately. (Just for clarification, the tool was approved and licensed for us to use; it wasn't just Teamviewer I got the user to install. For administrative reasons though, many of the systems that were our responsibility were not installed by us.)
The creepy micromanaging screen logging stuff that runs constantly is not good. Those capabilities are good and useful in many circumstances, but in the type of stuff I think you're thinking about I agree it's horribly unethical. To be frank, I don't think that OS permissions preventing that from working is the right line of defense against that though. If it gets to the point where management thinks that's even an appropriate solution then management has clearly lost the plot and OS permissions won't help.
Automatically installing software is also difficult. What should IT do if, for example, Docker Desktop changes their licensing terms and now we need to move everyone to Rancher Desktop? What if networking wants to move everyone from some horrible IPSec VPN installed in 2013 to a new and modern Wireguard-based client? What if the helpdesk is inundated with tickets asking how to install the new version of Acrobat since the corporate newsletter announced we now had it? Just install it individually for user after user after user, or install it for everyone at once and be done with it? (Acrobat was the worst. IIRC I had to install three different versions over the course of a year once, and one of those versions required that you completely remove every trace of the old version first or else the new version would fail silently when you tried to start it. And of course Adobe's uninstaller wasn't comprehensive enough. I remember a ~2 week period where three quarters of my tickets were manually removing the old version of Acrobat and installing the new one.)
You said installing software should require the user's explicit consent. Linda in HR is probably going to dismiss the popup asking to install the new VPN because she doesn't know what it means. It's bad enough already with updates. If you don't have automatic silent background installs, that means that the day after the old VPN stops working, Linda and a dozen other people are going to submit tickets saying they can't access the network anymore. You won't have problems: you know what a VPN is, you read the emails from IT detailing that they're upgrading, you know that the new version will be faster. Not everybody is as good with computers as that. Automatically installing new software often means avoiding a bunch of tickets allowing helpdesk to work on actually meaningful things.
Those privacy-invasive tools are critical to IT getting their work done. Now, I absolutely get why people have bad attitudes towards IT. IT is often unfairly biased against users. After all, the only users they interact with most of the time are morons, and that paints an unfair stereotype. Like, for example, the stereotype that those users are morons: it's not the user's job to use a computer, it's the user's job to do whatever their job it, and the computer is a tool to do that. Yeah, users should know a little bit about how to use their tools, but that's a little difficult to enforce. IT guys in general have a terrible attitude towards the people it's part of their jobs to help, and that makes interacting with them unpleasant. And corporate-ordered creepiness is often implemented via IT. IT gets a bad rap and they often deserve part of it.
But regardless, not using those tools is like managing a fleet of servers by SSHing into each one individually. Even if you have failproof processes where you never forget a step, it just doesn't scale. IT has management breathing down their neck constantly, along with half a dozen other teams all with their own concerns and problems: networking keeps moving switchports to different VLANs and forgetting that they need to update the routes to the printers; security says they need this AV tool installed to hit a certification management wants to put on the homepage; management found out last week about a guy who's done nothing but manage his fantasy football team for the past three months and thinks the solution is to watch everyone's screen at work. I'm not claiming IT is unique in this regard to be clear: devs with too many project managers have the same sorts of complaints. But fundamentally when IT does something stupid to your computer, there's a very good chance that it's been caused by something akin to someone in a completely different department doing something insecure and now IT has to prevent that from happening again. Centralized tools that allow you to control computers remotely, install software automatically, and change settings as a super-superuser are required for managing a fleet of devices operated by people who want to get things done.
My personal policy is that work-owned equipment is for work stuff only and I will never use it for personal stuff. If I want to listen to music or whatever, I'll use my own device. This avoids every problem with employee privacy on work devices. If I could wave a magic wand and make every person follow that perfectly then none of this would even be a controversy. But people do want to do personal things on work computers, and IT departments have things they need to get done across entire fleets, and the intersection of those things causes problems.