Developer Machines - Non Domain joined

  • Question

  • We have developers who need admin access on their machines, so for now we have been putting them off the domain. The issue is that SCCM can't track them and we can't patch the machines as per the process. If we keep them in the domain and give them admin access, then they will install non-prod apps, and I think that can be a security risk: if one machine is affected, then being on the domain will be risky.

    Please advise on best practices for this requirement. What can I suggest to clients that will be okay with their security team as well?

    Friday, November 8, 2019 8:34 AM

All replies

  • Hi,

    You're right.

    Sometimes developers really need to install things or change something in the system to test out an idea.

    If you have conflicting requirements of high security and developer freedom, put them off the domain and let them update themselves, since Windows 10 installs updates automatically.

    If that is possible, developers should have 2 machines.

    An 'administration' machine, which can connect to the Internet (via a proxy) for doing email etc. All users are strictly locked down, and there's strict device and access control.

    An 'engineering' machine. This has full admin access, and the user can do whatever they like.

    You could either have real desktop machines which are maintained by IT but have the rights, or they are allowed to have virtual machines of all sorts that they manage completely on their own.

    Best Regards,

    Farena


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 11, 2019 6:43 AM
  • Hi,

    Was your issue solved?

    If the reply helped you, please remember to mark it as an answer.

    If not, please reply and tell us the current situation in order to provide further help.



    Friday, November 15, 2019 9:26 AM
  • No, that's an option, but I'm still wondering what the other best options are to present to the client, as they are not interested in buying more hardware so that users can keep 2 machines.

    If we just give one machine, is there any software that can track the users who are logged in to the machine?

    Saturday, November 16, 2019 11:01 AM
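The tracking question above can be answered, at least for a single non-domain Windows 10 machine, with nothing more than the built-in Security log and PowerShell. The script below is an added example and is not from the thread or from Microsoft; it assumes PowerShell 5.1 or later (for Get-LocalGroupMember), the default "Audit Logon" success auditing that Windows 10 ships with, the ElevatedToken field that Windows 10 adds to event 4624, and an elevated session on the machine itself (or through Invoke-Command with local admin credentials). It lists who currently holds local admin rights, then summarises interactive logons (console, unlock, RDP, cached) over the last N days and flags which of those sessions ran with an elevated token.

```powershell
<#
Added example (not from the thread): on a standalone Windows 10 developer
machine, list who holds local admin rights and who has logged on interactively
in the last N days, using only the built-in Security log. Assumes PowerShell 5.1+
(Get-LocalGroupMember), the default "Audit Logon" success policy, event 4624
carrying the ElevatedToken field (Windows 10+), and an elevated session.
#>
param([int]$Days = 7)

# 1. Who is currently a local administrator.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. Flatten a 4624 (successful logon) event record into a simple object.
function ConvertFrom-LogonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        User      = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        LogonType = [int]$data.LogonType               # 2=console, 7=unlock, 10=RDP, 11=cached
        Elevated  = ($data.ElevatedToken -eq '%%1842') # %%1842 = Yes, %%1843 = No
        SourceIP  = $data.IpAddress
        Process   = $data.ProcessName
    }
}

# 3. Pull interactive logons only; service, batch and network logons (types 3,4,5) are noise here.
$since  = (Get-Date).AddDays(-$Days)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }
$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-LogonEvent $_ } |
    Where-Object { $_.LogonType -in 2, 7, 10, 11 }

# 4. Summarise per user and mark accounts that are in the local Administrators group.
$adminNames = @($admins.Name)
$summary = $logons | Group-Object User | ForEach-Object {
    $u = @($_.Group | Sort-Object Time)
    [pscustomobject]@{
        User           = $_.Name
        IsLocalAdmin   = ($_.Name -in $adminNames)
        Logons         = $_.Count
        ElevatedLogons = @($u | Where-Object Elevated).Count
        RdpLogons      = @($u | Where-Object LogonType -eq 10).Count
        FirstSeen      = $u[0].Time
        LastSeen       = $u[-1].Time
    }
} | Sort-Object LastSeen -Descending

"Local Administrators on ${env:COMPUTERNAME}:"
$admins | Format-Table -AutoSize
"Interactive logons in the last $Days day(s):"
$summary | Format-Table -AutoSize

# 5. Keep a copy off the box: a local admin can clear the Security log (which leaves event 1102).
$out = Join-Path $env:TEMP ('logons-{0}-{1:yyyyMMdd}.csv' -f $env:COMPUTERNAME, (Get-Date))
$logons | Export-Csv -Path $out -NoTypeInformation
"Raw logon records written to $out"
```

Run it as `.\Get-DevLogons.ps1 -Days 30` (the file name is whatever you save it as). The caveat for exactly the scenario in the question: a user who is a local admin can clear the Security log or stop the script, so the CSV (or better, the raw events via Windows Event Forwarding or a log agent) needs to leave the machine on a schedule for this to count as tracking rather than self-reporting.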
  • Hi,

    Here are some posts with a similar question to yours, just for your reference; you can try the methods mentioned in them:

    https://security.stackexchange.com/questions/189632/is-it-common-to-allow-local-desktop-admin-access-and-rights-for-developers-in-or

    Note: This is a third-party link and we do not have any guarantees on this website. And Microsoft does not make any guarantees about the content.

    Hope the above information can help you.



    Monday, November 18, 2019 6:39 AM