Kashuno
Oct 9, 2012

Where the hell is my SWORD?
Grimey Drawer

Proteus Jones posted:

Hold on, this just registered.

The users have laptops, whose primary function is *portability*, and they just leave it parked on their desk and then want to remote into it? :psyboom:

That's the stupidest thing I've ever heard.

Yes. They leave it at the office and then, when they are unexpectedly working remotely, complain there is no way to have remote access in case they 'forget' it.

Idk how you forget the thing at your desk, but here we are. I told them that we won't be setting it up for them, and to take it up with their manager if they don't want to take a vacation day today.


Inspector_666
Oct 7, 2003

benny with the good hair

Proteus Jones posted:

Hold on, this just registered.

The users have laptops, whose primary function is *portability*, and they just leave it parked on their desk and then want to remote into it? :psyboom:

That's the stupidest thing I've ever heard.

We had to have this talk with several users not too long ago. Thankfully it's really easy when you lay it out exactly like in your post.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We have users who keep "forgetting" their laptop at home, so we need a pile of spares because gently caress you if you think they're gonna drive back home and get it.

oh rly
Feb 22, 2006
oh rly ya rly no wai

Proteus Jones posted:

Hold on, this just registered.

The users have laptops, whose primary function is *portability*, and they just leave it parked on their desk and then want to remote into it? :psyboom:

That's the stupidest thing I've ever heard.

We got people who have a desktop and laptop. They use the laptop to remote into their desktop.

Then we have users who have 2 laptops and a desktop. They work in multiple offices, but refuse to carry the laptops with them. They'll use the laptop or desktop at one office and remote into their main laptop back at HQ.

This becomes more prevalent the higher up in the chain. To be fair, this practice has started to die down since IT has changed a few internal processes.

Vargatron
Apr 19, 2008

MRAZZLE DAZZLE


Proteus Jones posted:

Hold on, this just registered.

The users have laptops, whose primary function is *portability*, and they just leave it parked on their desk and then want to remote into it? :psyboom:

That's the stupidest thing I've ever heard.

There was a push at my previous employer for this, by the IT Manager. This extended all the way down to floor workers, to the point where we were locking laptops down to tables instead of just getting regular desktop PCs. His justification was that it standardized PC support, but I'm sure we wasted money by getting $1200 laptops for every user as opposed to a $700 tower PC when the user's only task was data entry.

Kashuno
Oct 9, 2012

Where the hell is my SWORD?
Grimey Drawer

GreenNight posted:

We have users who keep "forgetting" their laptop at home, so we need a pile of spares because gently caress you if you think they're gonna drive back home and get it.

Every single time someone 'forgets' their laptop at home we give them a spare and report it to their manager. After the third time, I sit down with their manager and discuss before issuing them a spare. The embarrassment has gone a long way in getting people to not forget.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

I just wish my boss wasn't such a yes man who agrees to everything the users want. Bunch of spoiled children we have working here now.

Kashuno
Oct 9, 2012

Where the hell is my SWORD?
Grimey Drawer

GreenNight posted:

I just wish my boss wasn't such a yes man who agrees to everything the users want. Bunch of spoiled children we have working here now.

This is exactly what I'm dealing with now. The old IT Director was a super good boss and nice guy, but when it came to the rest of the company he said yes to everything and never put his foot down. Now the company is wanting to cut expenses hardcore, and when I start cutting personal printers, GoToMyPC, and other frivolous crap, people are super upset.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

People are requesting docking stations and monitors for home and getting them. Like what the gently caress? They don't work from home, they're at the office all day.

It's not my money, but then don't bitch about why we're over budget.

Internet Explorer
Jun 1, 2005





GreenNight posted:

People are requesting docking stations and monitors for home and getting them. Like what the gently caress? They don't work from home, they're at the office all day.

It's not my money, but then don't bitch about why we're over budget.

This is why I have been fighting with our "accounting" management for some time about how things are applied to budget. Just because something is a tech item does not mean it comes out of the IT budget. If a department wants something like docking stations at home, that comes out of their budget, not IT's.

Kashuno
Oct 9, 2012

Where the hell is my SWORD?
Grimey Drawer

Internet Explorer posted:

If a department wants something like docking stations at home, that comes out of their budget, not IT's.

I stomped my feet and bitched about this so hard earlier this year and was lucky enough to get my way. You get a specific set of equipment based on your role, as dictated by the equipment policy. If you want something else, you request it to IT, IT tells you the cost, and it comes out of your budget. The end.

Our requests for superfluous equipment have dropped to almost 0.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Yeah we aren't so lucky. Management has dictated that it's all under IT budget.

LochNessMonster
Feb 3, 2005

I need about three fitty


GreenNight posted:

Yeah we aren't so lucky. Management has dictated that it's all under IT budget.

Just get yourself a sweet home setup on the company's dime then. Gotta get the gravy, man.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Nerdrock posted:

drat, y'all talking up JAMF makes me sad our school district can't afford it. Seems I should put all the DeployStudio / Munki bullshit I've wrangled somewhere in my LinkedIn with a big (DID JAMFLIKE STUFF BUT WITHOUT PAYING FOR JAMF).

How much is JAMF?

I’m assuming schools get an educational discount.

Nerdrock
Jan 31, 2006

Tab8715 posted:

How much is JAMF?

I’m assuming schools get an educational discount.

They do. I can't recall off the top of my head, but I do remember that it was somewhere between double and triple the cost of the MDM we use (Lightspeed) for our iOS devices.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Tab8715 posted:

How much is JAMF?

I’m assuming schools get an educational discount.

For us it's about 70k, for about 600 Mac workstations. Honestly, check with their sales team; that'll be more accurate, and I don't believe JAMF charges on a per-endpoint basis.

It's pricy, but worth it especially if you've a dedicated resource. But it takes a lot of babying and a lot of work, like SCCM and, honestly, pretty much any MDM.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


How the hell does MDM require more or even equal babysitting as SCCM?

That’s insane? Or what am I missing?

Nerdrock
Jan 31, 2006

Tab8715 posted:

How the hell does MDM require more or even equal babysitting as SCCM?

That’s insane? Or what am I missing?

Jamf has poo poo for more than just being an MDM. It does system imaging and some other stuff too, I guess.

Though Apple's putting the axe to imaging flat out pretty soon, so that'll be real interesting.

NeuralSpark
Apr 16, 2004

Nerdrock posted:

Jamf has poo poo for more than just being an MDM. It does system imaging and some other stuff too, I guess.

Though Apple's putting the axe to imaging flat out pretty soon, so that'll be real interesting.

You'll need a headcount just to build / maintain all the installer packages you'll need to keep around.

Nerdrock
Jan 31, 2006

NeuralSpark posted:

You'll need a headcount just to build / maintain all the installer packages you'll need to keep around.

Yeah. At the end of the day, it seems that maintaining all the computer stuff for a JAMF environment is close to the same amount of work (at least for my district) as doing it yourself. Munki keeps our poo poo installed, and AutoPkg keeps stuff updated. I haven't had to fuss with Firefox updates, Flash updates, Office updates, etc. in quite a while. I do remember seeing a couple of snazzy tools in JAMF that would have made life a little easier, but it didn't seem worth the price to us.

DigitalMocking
Jun 8, 2010

Wine is constant proof that God loves us and loves to see us happy.
Benjamin Franklin
I am working on explaining to our users what the corporate side of the network is for.

It is not for you to plug a switch into so you can run N+1 lovely old systems you've squirreled away or pulled out of our IT trash bin.
It is not for you to run a Raspberry Pi with some nginx webserver on for other engineers to access.
It is not for you to plug customer service gear into for 'testing'.

I love and hate working for engineering companies.

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal

DigitalMocking posted:

I am working on explaining to our users what the corporate side of the network is for.

It is not for you to plug a switch into so you can run N+1 lovely old systems you've squirreled away or pulled out of our IT trash bin.
It is not for you to run a Raspberry Pi with some nginx webserver on for other engineers to access.
It is not for you to plug customer service gear into for 'testing'.

I love and hate working for engineering companies.

And it's not for Joe the janitor to connect his Chromebook to so he can watch Netflix on slow days. No, I don't care that you already told him he could.

Thanks Ants
May 21, 2004

#essereFerrari


I think it's time for you to look at port security

Internet Explorer
Jun 1, 2005





^^^ like, whatever man ^^^

Sounds like it's time for port security!

AlternateAccount
Apr 25, 2005
FYGM

The Iron Rose posted:

I don't believe JAMF charges on a per-endpoint basis.

You do have to have a license per machine.

When your renewal comes up, they have to log in and send them a report that has a count of enrolled machines. Then you figure out how many more licenses you need to buy.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

AlternateAccount posted:

You do have to have a license per machine.

When your renewal comes up, they have to log in and send them a report that has a count of enrolled machines. Then you figure out how many more licenses you need to buy.

Ahh. Yeah I double checked and we snuck in a perpetual licensing agreement right before they changed it.

So maybe my 70 grand figure is a bit off. My analysis of time spent, however, is not. I'm the lead SCCM gal in my office, and a colleague of mine is the lead JAMF person, and he's easily spent dozens of hours more than I have getting his scripts and packages and policies just right.

DigitalMocking
Jun 8, 2010

Wine is constant proof that God loves us and loves to see us happy.
Benjamin Franklin

Thanks Ants posted:

I think it's time for you to look at port security

I would like to introduce you to a small list I keep, it's called "technical debt".

(yes, I agree with you. I have been told we cannot put port security in place until we have a set of policies in place around technology.)

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
Did someone say 802.1x? I thought I heard someone say 802.1x.

At my old job we had 802.1x enabled and it was a huge pain in the rear end. It would've been fine if we had succeeded in getting ISE set up as part of phase 2, but alas, we were trapped in NPS hell forever.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
We run ClearPass and while it certainly requires some care and feeding, it's a pretty nice product all around. 57 branch locations and 1200 or so devices, for reference.

Sudden Loud Noise
Feb 18, 2007

Our team is in charge of software distribution for the company, and we've been dealing with one team that cannot follow standard procedure to save their lives and insist on 6 hours of status meetings per week. Today they sent a request to install a program on every device (including BYOD) in the company. Download the file onto my machine, antivirus pops. Turns out they used some shareware tool to make the MSI that just filled it full of trojans.

They don't get to make requests anymore. :dance:

Bald Stalin
Jul 11, 2004

Our posts
So is the work that they do which requires them to distribute software being delegated to another team?

Sudden Loud Noise
Feb 18, 2007

That has yet to be worked out. As of now Security has dictated that not compromising our entire company trumps all other priorities.

H110Hawk
Dec 28, 2006

Wrath of the Bitch King posted:

Did someone say 802.1x? I thought I heard someone say 802.1x.

At my old job we had 802.1x enabled and it was a huge pain in the rear end. It would've been fine if we had succeeded in getting ISE set up as part of phase 2, but alas, we were trapped in NPS hell forever.

One way to ease into this is to get everyone on 802.1x with the fallback being what they use today. Don't start applying policies or security or anything until everyone authenticates quickly and seamlessly.

I found Microsoft's service to be solid, and FreeRADIUS to be a joke. The only people who had trouble were of course Linux users.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

H110Hawk posted:

One way to ease into this is to get everyone on 802.1x with the fallback being what they use today. Don't start applying policies or security or anything until everyone authenticates quickly and seamlessly.

I found Microsoft's service to be solid, and FreeRADIUS to be a joke. The only people who had trouble were of course Linux users.

Yeah, we've had zero issues with MS 802.1x, but we're all Windows, as are all our clients. Took a bit of hammering to initially get configured because a lot of us were doing it for the first time, but once we worked out a few things it was gravy.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
At my old place of work we used Radiator and it was an absolute treat, and far, far better than the "enterprise" software like ClearPass/ISE/etc., unless you hate configuration files.

With automation the open-source options are even better as well; ISE has its own proprietary clustering/redundancy/database/API model, and it makes it a nightmare to do anything custom on unless you love writing really slow API calls. I have one script that takes 3 hours to run because there's no way to ask for a certain API result in bulk.

On 802.1x: it can work, but really you need to have 802.1x with MAC auth bypass, which also means you need to maintain a large list of allowed hardware, someone to make the policy, etc.

Nerdrock
Jan 31, 2006

I'm not a network expert by any means, but since we implemented 802.1x it's been a massive pain in the dick for us. Since we're a school district with Macs, tons of dumbshits every day let their laptop's battery die completely. No CMOS battery in Apple laptops. So: the clock goes back to 1970, and 802.1x shits itself. Every day we get calls, and have to walk another handful of teachers through plugging into Ethernet because "oh you never gave me an Ethernet dongle" (yes we did).
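
The three 802.1x points raised above (H110Hawk's phased rollout with today's access as the fallback, abigserve's MAC auth bypass backed by an allow-list, and the dead-battery Mac whose 1970 clock breaks authentication) can be seen together in one small policy evaluator. This is an added example written for this thread, not code from any poster or from any NAC vendor; the VLAN numbers, the MAC list, the certificate dates and the sessions are all constructed, and the EAP-TLS step is simplified to the one check that matters for the clock problem: the supplicant only trusts the RADIUS server certificate if that certificate is within its validity window according to the client's own clock.

```python
"""Toy NAC policy evaluator (constructed example, not a vendor product).

Models a phased 802.1X rollout: monitor mode logs what enforcement would do
but still grants today's access; enforce mode applies the decision.
Decision order: 802.1X success, then MAC auth bypass (MAB), then quarantine.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Set, Tuple

PROD_VLAN = 10         # normal corporate access (assumed numbering)
RESTRICTED_VLAN = 20   # MAB devices: printers, phones, lab gear
QUARANTINE_VLAN = 99   # nothing matched


class Mode(Enum):
    MONITOR = "monitor"  # phase 1: decide and log, grant today's access
    ENFORCE = "enforce"  # phase 2: apply the decision


@dataclass
class ServerCert:
    not_before: datetime
    not_after: datetime


@dataclass
class Session:
    mac: str
    speaks_eap: bool        # False for a device with no supplicant at all
    client_clock: datetime  # what the supplicant believes the time is


def normalize_mac(mac: str) -> str:
    """Canonical form so '00-11-22-AA-BB-CC' and '0011.22aa.bbcc' compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def cert_valid_at(clock: datetime, cert: ServerCert) -> bool:
    """A supplicant validates the server cert against its own clock; a clock
    reset to 1970 sits before not_before, so validation fails."""
    return cert.not_before <= clock <= cert.not_after


def eap_outcome(s: Session, cert: ServerCert) -> str:
    if not s.speaks_eap:
        return "none"
    return "success" if cert_valid_at(s.client_clock, cert) else "failure"


def decide(s: Session, cert: ServerCert, allowed_macs: Set[str], mode: Mode) -> Tuple[int, str]:
    """Return (vlan, reason) for one port-authentication attempt."""
    outcome = eap_outcome(s, cert)
    mac = normalize_mac(s.mac)
    if outcome == "success":
        vlan, reason = PROD_VLAN, "802.1X succeeded"
    elif mac in allowed_macs:
        vlan, reason = RESTRICTED_VLAN, f"MAB: {mac} on allow-list (802.1X {outcome})"
    else:
        vlan, reason = QUARANTINE_VLAN, f"802.1X {outcome}, {mac} not on allow-list"
    if mode is Mode.MONITOR and vlan != PROD_VLAN:
        # Phase 1: record what enforcement would have done, keep the user working.
        return PROD_VLAN, f"monitor mode, would assign VLAN {vlan}: {reason}"
    return vlan, reason


# Constructed sample data.
CERT = ServerCert(
    not_before=datetime(2017, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2019, 1, 1, tzinfo=timezone.utc),
)
ALLOWED = {normalize_mac(m) for m in ["00-11-22-33-44-55", "aabb.ccdd.eeff"]}
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # dead-battery Mac

SESSIONS = {
    "healthy_laptop": Session("00:aa:bb:cc:dd:01", True, NOW),
    "dead_battery_mac": Session("00:aa:bb:cc:dd:02", True, EPOCH),
    "printer_on_list": Session("00-11-22-33-44-55", False, NOW),
    "rogue_switch": Session("de:ad:be:ef:00:01", False, NOW),
}

if __name__ == "__main__":
    for mode in Mode:
        for name, sess in SESSIONS.items():
            vlan, why = decide(sess, CERT, ALLOWED, mode)
            print(f"{mode.value:8} {name:17} -> VLAN {vlan:3} ({why})")
```

Running it shows the rollout story in miniature: in monitor mode every session lands on the production VLAN with a reason line saying what enforcement would have done, which is the report you want to read for a few weeks before flipping to enforce. In enforce mode the 1970-clock Mac fails EAP and, not being on the MAB list, drops to quarantine, and the unregistered switch is quarantined the same way.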

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
That's why you really need an effective policy engine alongside an enrollment system, like ISE. Issue a cert and follow the guidelines and you can connect.

Cisco has some *real* loving problems with a lot of their products, but I dig ISE and its capabilities. It definitely requires effort to put it in place the right way, though.

silicone thrills
Jan 9, 2008

I paint things
We just de-implemented 802.1x from our test site because it's such a bitch. We're about 125 Macs and 250-ish PCs. PCs are fine. Macs are a bitch. The Macs will get the JAMF package for it, work once, then not work. I found a really extensive write-up on how to fix it but fuckkkkk. Can I just get NAP instead pleasseeee

Bunni-kat
May 25, 2010

Service Desk B-b-bunny...
How can-ca-caaaaan I
help-p-p-p you?

Nerdrock posted:

Though Apple's putting the axe to imaging flat out pretty soon, so that'll be real interesting.

What? I hadn’t heard about this. Does Apple just not give any fucks about professional environments?


skipdogg
Nov 29, 2004
Resident SRT-4 Expert

We’re demoing Forescout right now. Not my project so I don’t know how it’s going, but we’re going to give it a shot.

It’s my understanding ClearPass is a better solution but for political reasons we can’t use it.

I can tell you I didn’t care for some of the agentless scanning requirements.
