Lock down home office laptops unless they're VPN connected?

We’ve had a handful of users request to work from home, and only recently has this been seriously considered. Currently most of our staff is working from the office on a desktop PC. Since the COVID lockdowns, some with home PCs have been able to use Citrix to log in to their desktops. We’re now looking into the possibility of buying laptops to serve as the main workstation for some users, letting them take it home and work remotely or bring it back and dock. As IT staff, a few others and I have discussed the pros and cons of this; I’m not here to debate that.

My main question is…is there a way to essentially lock down the laptop unless there is an active VPN connection (preferably with built-in tools in a Windows domain environment)? Essentially, if we have a domain-joined machine that a user can take home, is there a way to prevent them from doing anything on that laptop FROM HOME until they are connected to our VPN, short of installing aftermarket software or hardware (firewalls etc.)? TIA for your help.

Don’t think you’re gonna find a great idea or solution.

What exactly are your concerns for them using the machine? Are you trying to prevent them from using the PC as a desktop at home? Infections from regular web browsing? Just trying to get a sense of what you are looking to prevent. Group Policy and proper local user rights should be more than enough, along with your antivirus stuff.

Always On VPN would be an option: “About Always On VPN for Windows Server Remote Access”.

Reconsider the full local lockdown approach as it may create more headaches than it’s worth. Consider doing VPN on the laptop first and then RDP to the office. Focus on training the people that will be working remotely to use the local laptop screen as a dummy terminal only. Provide SAT to all who will work remotely to explain what to look out for and the consequences if they don’t follow protocol. In the end, trust your people to follow through. If they don’t, what are they doing working there anyway (no longer an IT problem).

Nothing built into Windows will do that because it’s a bad idea on the whole; you would stop people working offline for no actual benefit.

Why don’t you deploy an Always On VPN solution?

Terrible idea, but it should be possible to only allow internet access if they are connected to the VPN by messing with Windows Firewall.

You could of course create an OU and push out the firewall rules via GPO to your offsite laptops.
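The firewall approach from the two replies above, written out as an added example (this is not a script from the thread or from Microsoft). It assumes a built-in Windows IKEv2 VPN to a gateway at the hypothetical address 203.0.113.10; the rules are created locally with the NetSecurity cmdlets so you can test on one laptop, and the same rules can then be put in a GPO under Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security and linked to the laptop OU. The Domain profile is left alone: in the office (or once the tunnel is up and a DC is reachable) NLA moves the machine to that profile and nothing below applies.

```powershell
# Added example, not the thread's code. Run elevated. Hypothetical values:
$Gateway = '203.0.113.10'          # VPN gateway, assumed IKEv2 (UDP 500/4500)
$Prefix  = 'VPN-Lockdown: '

# 1. Off-corpnet profiles (home Wi-Fi, hotel, etc.) drop all outbound traffic by default.
#    Built-in outbound allow rules (Core Networking etc.) still apply, which is why
#    this is a filter, not an air gap; review them with Get-NetFirewallRule.
Set-NetFirewallProfile -Profile Private,Public -DefaultOutboundAction Block

# 2. The minimum needed to get an address and reach the gateway.
New-NetFirewallRule -DisplayName "${Prefix}DHCP" -Direction Outbound -Action Allow `
    -Profile Private,Public -Protocol UDP -LocalPort 68 -RemotePort 67
New-NetFirewallRule -DisplayName "${Prefix}IKEv2 to gateway" -Direction Outbound -Action Allow `
    -Profile Private,Public -Protocol UDP -RemoteAddress $Gateway -RemotePort 500,4500
# Only needed if the client dials the gateway by hostname. Caveat: this opens a DNS
# tunnelling path; point it at known resolvers with -RemoteAddress where you can.
New-NetFirewallRule -DisplayName "${Prefix}DNS" -Direction Outbound -Action Allow `
    -Profile Private,Public -Protocol UDP -RemotePort 53

# 3. Everything is allowed once it rides the tunnel adapter itself.
New-NetFirewallRule -DisplayName "${Prefix}All via tunnel" -Direction Outbound -Action Allow `
    -Profile Private,Public -InterfaceType RemoteAccess

# 4. Check what landed, and which profile the laptop is currently on.
Get-NetFirewallRule -DisplayName "${Prefix}*" | Format-Table DisplayName, Enabled, Profile, Action
Get-NetConnectionProfile | Format-Table Name, InterfaceAlias, NetworkCategory
```

Test from a home network before pushing the GPO: with the tunnel down, `Test-NetConnection -ComputerName 1.1.1.1 -Port 443` should fail and `Test-NetConnection -ComputerName 203.0.113.10 -Port 500 -InformationLevel Detailed` should still show the gateway as reachable (UDP is not probed, but the address resolution and route should be there); with the tunnel up, internal hosts should answer. Captive-portal Wi-Fi will not work under this ruleset, which is the practical cost the other replies are warning about. Keep a local rule that allows remote management over the tunnel so you can undo a bad push.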

Set the proxy server with group policy to be your internal proxy server. While the device is not connected to the corpnet via your VPN and thus unable to reach the proxy server the traffic will just drop.

I’ll echo the others and say I think this is a poor idea, though.
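The proxy variant described above, as an added example (not the poster's own script). It assumes a hypothetical internal proxy at proxy.corp.example:8080 that is reachable only across the VPN, and a gateway name vpn.corp.example that has to stay on the bypass list or the tunnel itself will try to go through the unreachable proxy. The registry keys are the ones the corresponding GPO settings write, so this is a quick local test of what the policy will do.

```powershell
# Added example, not the thread's code. Hypothetical names throughout.
$Proxy  = 'proxy.corp.example:8080'
$Bypass = 'vpn.corp.example'        # the VPN gateway must be dialled directly

# Per-user WinINET proxy: browsers and most user-mode apps honour this.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $inet -Name ProxyEnable   -Value 1       -Type DWord
Set-ItemProperty -Path $inet -Name ProxyServer   -Value $Proxy  -Type String
Set-ItemProperty -Path $inet -Name ProxyOverride -Value $Bypass -Type String

# Policy equivalent of "Prevent changing proxy settings", so the user cannot
# simply untick the box in Internet Options.
$pol = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name Proxy -Value 1 -Type DWord

# WinHTTP proxy for services that do not read WinINET (Windows Update, some agents).
netsh winhttp set proxy proxy-server="$Proxy" bypass-list="$Bypass"

# Verify.
Get-ItemProperty -Path $inet | Select-Object ProxyEnable, ProxyServer, ProxyOverride
netsh winhttp show proxy
```

The caveat a practitioner should attach to this approach: a proxy setting is a default for proxy-aware clients, not a network control. Anything that opens its own sockets (ping, a portable tool, a VPN client of the user's choosing, malware) ignores it entirely, so on its own it only stops casual browsing; combine it with outbound firewall rules if the goal is really "nothing leaves the laptop except via our tunnel".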

I worked somewhere that did this. Disable all cached logins and have either an Always On VPN solution or some kind of start-before-logon VPN. The company I worked for that did this used AnyConnect with Start Before Logon enabled. Users could not access their systems until they logged in, and they couldn’t log in unless they were connected to the VPN.

Always On VPN, separate on-domain vs. off-domain firewall rulesets, etc. And don’t treat an endpoint as magically more privileged when it’s internal or external: lock everything down, and authenticate and encrypt everything between client and service. And, for managing them, possibly start looking at AAD/Intune if you’re already in M365 at all.

The LockDown option for VPN, configurable by PowerShell or the VPNv2 CSP. Literally built into Windows.
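What the reply above is pointing at, as an added example (not the poster's or Microsoft's script, though the CIM-instance technique is the documented way to push a VPNv2 profile without MDM). It also carries the "no cached logons" step from the AnyConnect post, since that is what makes the logon itself depend on the tunnel. Assumptions: a hypothetical gateway vpn.corp.example and domain suffix corp.example; IKEv2 with a machine certificate; the laptop runs Windows 10/11 with the built-in client. LockDown in Windows is force-tunnel only and IKEv2 only, and a lockdown profile cannot be disconnected or deleted by the user, so the undo path is this same CSP run as SYSTEM. Whether to combine LockDown with a device tunnel versus a user tunnel is an assumption here; check the current VPNv2 CSP documentation for your Windows build before relying on it.

```powershell
# Added example, not the thread's code. Run as SYSTEM (e.g. psexec -s powershell.exe)
# or from a computer startup script, because a device tunnel is installed in the
# machine context. Hypothetical names: vpn.corp.example, corp.example.
$ProfileName = 'Corp Lockdown Tunnel'
$ProfileXml = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.corp.example</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
  </NativeProfile>
  <DeviceTunnel>true</DeviceTunnel>
  <AlwaysOn>true</AlwaysOn>
  <LockDown>true</LockDown>
  <TrustedNetworkDetection>corp.example</TrustedNetworkDetection>
</VPNProfile>
"@

# The CSP wants the XML as an escaped string inside the ProfileXML property.
$escaped = $ProfileXml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$instanceId = $ProfileName -replace ' ', '%20'

$ns  = 'root\cimv2\mdm\dmmap'
$cls = 'MDM_VPNv2_01'
$session  = New-CimSession
$instance = New-Object Microsoft.Management.Infrastructure.CimInstance $cls, $ns
foreach ($p in @(
    @{ Name = 'ParentID';   Value = './Vendor/MSFT/VPNv2'; Flags = 'Key' },
    @{ Name = 'InstanceID'; Value = $instanceId;           Flags = 'Key' },
    @{ Name = 'ProfileXML'; Value = $escaped;              Flags = 'Property' })) {
    $instance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flags))
}
$session.CreateInstance($ns, $instance) | Out-Null

# No cached domain logons: with the tunnel down and no DC in sight, the logon fails.
# Value is REG_SZ; the default is 10.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '0' -Type String

# Verify: the profile exists in the CSP and as an all-user connection.
Get-CimInstance -Namespace $ns -ClassName $cls | Select-Object InstanceID
Get-VpnConnection -AllUserConnection | Format-Table Name, TunnelType, ConnectionStatus
```

Before any wider rollout, test the three situations this thread keeps circling back to: a laptop that boots on hotel or captive-portal Wi-Fi and cannot bring the tunnel up, a local admin password you can still use when the domain logon fails, and the removal path (deleting the `MDM_VPNv2_01` instance as SYSTEM), since a lockdown profile is by design not something the user can back out of.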

Not going to argue if the idea is terrible or not…I have my opinions which might or might not be similar to yours, I’m just fact finding.

At which point all offline work becomes impossible unless they get online to start off with, then they figure out how to leave a media player open, or leave it in presentation mode, permanently so it never locks and they never get logged out. Definitely improves security.