Does full tunnel VPN make sense?

No, all that would be blocked. Their BYOD would in essence be a dumb terminal with a VPN connection.

Yes, but as OP has said a few times, they block all that. It's a nice idea and might work till people in NJ say, "Hey, why does my Yahoo show weather in LA, where the VPN egress point is?"

OK, missed that part of your post.

I guess it depends on your staff and policies. Most users I know would be severely upset if they can't have some personal use of their own device and listen to music during some tasks, for example. You will probably find exceptions piling up.

Yeah, he wasn't too clear in his wording, but what he's proposing also isn't practical.

No worries.

And yeah, we definitely expect some blowback from users if/when this is put into place. I think part of ownership's thinking is that if they are hampered by not being able to watch YT or browse Reddit etc. while working, then "tough shit". I'm all for staff working from home (half my staff does), but we have people in other departments where it just does not make sense, for reasons I won't dive into here.

Technically *I* don’t even want it as I’m sometimes WFH and it would suck to have all this blocked.

I guess the question is, is the added layer of security/trackability worth the pain in the ass? The idea is that now any threat actor would have to come through our firewall, which is pretty tight, versus through the user's home firewall. On top of that, the logging etc. is something we can control.
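Added illustration (not from any poster in this thread) of what "full tunnel" versus "split tunnel" actually changes for a client: the routes the VPN client installs decide, by longest-prefix match, whether a packet exits through the corporate firewall (and its logs) or through the user's own ISP connection. The route lists, the home LAN prefix and the sample destinations are all constructed assumptions for the example; the two /1 routes are the common trick VPN clients use to outrank the home router's 0.0.0.0/0 default without deleting it.

```python
import ipaddress

# Constructed routing policies (assumption: WireGuard/OpenVPN-style "allowed IPs",
# not anything the thread's posters described). Full tunnel uses the two /1 routes
# that VPN clients install to outrank the home router's 0.0.0.0/0 default.
FULL_TUNNEL = [("0.0.0.0/1", "vpn"), ("128.0.0.0/1", "vpn")]
SPLIT_TUNNEL = [("10.0.0.0/8", "vpn"), ("172.16.0.0/12", "vpn")]

# Constructed home network: the local LAN route a client usually keeps so that
# printers and the router stay reachable. Strict full-tunnel policies drop it.
HOME_LAN = "192.168.1.0/24"


def next_hop(dest, tunnel_routes, allow_lan=True):
    """Longest-prefix match: returns 'lan', 'vpn' or 'isp' for a destination."""
    ip = ipaddress.ip_address(dest)
    table = []
    if allow_lan:
        table.append((ipaddress.ip_network(HOME_LAN), "lan"))
    table += [(ipaddress.ip_network(p), hop) for p, hop in tunnel_routes]
    table.append((ipaddress.ip_network("0.0.0.0/0"), "isp"))  # home router default
    best, best_len = None, -1
    for net, hop in table:
        # A more specific prefix wins; on a tie the earlier entry is kept.
        if ip in net and net.prefixlen > best_len:
            best, best_len = hop, net.prefixlen
    return best


def egress_summary(dests, tunnel_routes, allow_lan=True):
    """Map each destination to the path it takes, so a policy can be checked
    before rollout: anything marked 'vpn' traverses the corporate firewall and
    its logging; anything marked 'isp' leaves through the user's own connection."""
    return {d: next_hop(d, tunnel_routes, allow_lan) for d in dests}


# Constructed sample destinations: an internal server, a public site, a LAN printer.
SAMPLE = ["10.20.30.40", "203.0.113.10", "192.168.1.50"]

if __name__ == "__main__":
    for name, routes in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, egress_summary(SAMPLE, routes))
```

Under the full-tunnel list every non-LAN destination, including the public site, is marked `vpn`, which is exactly why personal browsing gets blocked and geolocation shows the egress point's city; under the split-tunnel list only the internal prefixes go to `vpn` and the public site goes `isp`. Passing `allow_lan=False` shows the stricter variant where even the home LAN is forced into the tunnel.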

What you’re trying to do isn’t practical. If you have the budget, doing something like a VDI solution and no VPN makes more sense.

To my mind, if you are only exposing thin client services and you have good controls on those, you are not adding anything by taking over the desktop. If your only exposure is RDP then any exploit can only come through that vector. Just adding user support issues and disgruntled employees for low gain IMHO.