Nitemice

Because users are often unpredictable, admins like to restrict how much control and access they have on their devices.  However, when deploying a new set of devices, the significant question of “How much control or freedom should we give the users?”  doesn’t seem to get enough consideration. For some network administrators, and for some end users, this question may seem to have a simple answer, but once you’re considering hundreds of different devices, and/or hundreds of different users, it becomes a big, complex conundrum. It is a matter of serious consequence for your system and network security, as well as device usability and user satisfaction.

So, there are two distinct approaches that can be taken to this issue. For the sake of this comparison, I’ll just be looking at the extremes of each. Of course, as with nearly all things in life, the middle ground is probably going to be the best, but that doesn’t mean you shouldn’t hear about the for and against of each side.

In the red corner, we have those who say that devices should be totally restricted, so that users can do nothing but what is intended. At its most extreme, this means only running the specified, pre-installed applications, within a controlled and contained environment. Nothing can be installed or deleted, settings can’t be changed and often monitoring software is constantly running. In the blue corner, we have those who say that devices should be unhindered and free (like speech) so that every user can do whatever they may need or want to on it. Total administrator control on their device means the ability to install and delete anything they want, change passwords and wallpapers, and edit setting at a whim. It does not mean freedom across the whole network or system.

So, what are the arguments for and against each? Let’s have a look:

Total Lockdown

For

• Diminish distractions – By blocking sites and disabling unauthorised programs, you can stop users from getting distracted or wasting time doing things they shouldn’t or don’t need to be doing.

• Stop users from doing anything destructive – By locking the device down, you potentially stop any malicious users from using the device to attack your system or hack into things they should be in.
• Protect users from themselves – By locking the device down really hard, you can stop users from messing it up through a general lack of understanding. They (usually) can’t delete any important files if they can’t even see them. You may even protect them from malware or adware if it’s locked down thoroughly enough because you will have blocked the functions this software needs to download and run.

Against

• Users waste time trying to achieve the unachievable – Just because you’ve stopped a user from doing something, doesn’t mean they’re not going to try and do it still. Some user may waste more time trying to find a way to achieve what they want than they would have wasted on it, had you just let them do it.

• Stupid, and genuine nagging – As an admin, users will come to you to complain about not being able to do things. Some of these may be things that you don’t want them to do, and thus are blocked. But some may be things that they should be able to do, but have been overlooked or accidentally broken. You now have to work out which is which and deal with both.

• Diminish usability – Locking down a device means disabling things, which inevitably means making the device less useful and usable. You’re giving the user less options on things they can do, and how they can do them. If you locking down the device hard enough, you may even worsen it performance, which will show through slow start-ups and delayed responsiveness.
• Patronises users – Some users may find it plain out insulting that they can’t be trusted with full control over their device. If this starts to happen, you may end up with a fight on your hands that you really don’t want to be having.

Total Local Freedom

For

• Less intervention needed – While users will always need help, with an open system they can usually get what they want or need to do done on their own.

Against

• More time spend fixing things – With a device where the user is free to do whatever, it’s very easy for them to break something because they don’t understand what they’re doing. Clicking on the wrong thing or trying to “sort files” when they don’t know what they’re actually doing can end in tears, and you’ll have to clean up the mess.
• Unsavoury users – Hackers and crackers may take advantage of the freedom on their device to breach your system or network, stealing sensitive data or your bandwidth.
• Users wasting time – Being able to install and run whatever they want, users may not use the devices as they were originally intended. They may instead use it for personal endeavours, while they’re suppose to be working. And even if they don’t do it on purpose, the presence of time-wasting software on their computer may be enough to distract them.

Now while this isn’t a comprehensive list, which accounts for all factors, it does give you a pretty fair idea of the two sides of this debate. Looking at it, the Freedom approach looks pretty bad, with only one positive and three negatives. The Lockdown approach isn’t perfect either though, but is much more evenly weighted with three positives to four negatives. It’s interesting to note that all the advantages of Lockdown are disadvantages of Freedom, but the reverse isn’t true. That’s because users have a habit of only noticing the bad. Therefore they don’t realise things like the amount of trust held in them to have an unlocked system. They only see that it’s slow and annoying when it’s locked down.

Each approach also seems to quite clearly favour one set of people over the other:  Lockdown favours the Admins, while  Freedom favours the Users. Freedom means the users can do whatever the want; Lockdown means the admins have less problems to deal with.

Like I mentioned before, there can be lots of factors that play into deciding to go one way or the other. Some of those factors are:

• Device type – some devices, like iOS devices, can be harder to lock down than others. This means that you have no choice but to give the users more freedom. Also, some devices require more freedom to work properly. Locking them down stops them from operating sensibly.
• Location – If the device remains at work, it makes more sense for it to be locked down because there’s little reason to be doing non-work at work.
• Ownership – If the user owns the device, then they are entitled to do what they like with it. Therefore, it should be more unlocked.

In the end, it all comes down to one very important factor: trust. Yes, it’s much easier and nicer for a NetAdmin to have the device all locked down because then you’re not going to get as much trouble from users breaking things unintentionally, or intentionally. However, if you can trust your users, then this isn’t an concern. If your users are smart, and wary and not hackers, you should be fine giving them a bit of freedom at least. This means that in any situation where you can’t be sure about your users, or you’re sure they are bad, it should be locked down.  For any other situation, you should give them at least a bit of freedom, because really, why shouldn’t they be able to change their wallpaper?

So, that’s all I’ve got to say, what about you? What’s your opinion on restricting user access on PCs and other devices? Do you know any tricks for getting round those restrictions? As always, if you have something to say, like a reply or a suggested blog topic, feel free to tell me in the comments below, or on my Facebook page.

To Infinity and Beyond,

Nitemice