It's a fact that users don't always adhere to policy when it comes to downloading their pet applications. How much freedom do you allow? Derek Schauland discusses the challenge of policing the network for rogue software and deciding what controls to put in place.
There are so many applications for PCs and mobile phones now, and, in some cases, they require less and less privilege to install. Recently in my organization, I have been working on an inventory of applications — those that should be allowed (mission-critical and business-related apps) to run on domain-connected machines and those that are unnecessary to perform any job functions.
Keeping unlicensed applications off the network is the underlying goal of this exercise, but determining what is OK and who should be allowed to install it is proving quite the difficult task. Some of the applications on the network require only local admin privileges, which trumps any policy restrictions you might have in place. Ideally, policy and controls should be enough, but users tend to ignore written policies and find workarounds for installing their rogue apps.
For me thus far, determining what I should care about is the hardest part. iTunes isn't needed for anyone to perform their job, but it isn't hurting much either. Keeping it off the network would help free up storage space, but as for the application itself, it doesn't cause much alarm. Other applications aren't so easy to qualify.
Another gray area is when applications have been legally purchased by individuals but aren't licensed for the company. There are occasions where I have purchased an application because I know it will help me do my job better and it's legally licensed to me, but I shouldn't use it on my work PC because my company doesn't actually own the license. Just keeping track of my own licenses is a challenge.
For now, I am planning to lead by example and clean up any applications that are not licensed to the organization. I can run them on my laptop and bring that along to the office if necessary. Using tools like Microsoft's Software Restriction Policies to block applications already in the environment seems to work very well in testing. I managed to lock out IE on a test machine; I'm not sure if I will turn it back on or not. Disabling applications at installation seems like the best way to handle these things, but local admin privileges get in the way.
I am getting there, one setting and one application at a time, and eventually I will have the problem solved, but I am guessing there are others out there in a similar situation.
I'm still on the fence about closing off all access to applications that are not needed to perform work tasks. Once I have inventoried everything and sorted out the licenses, I hope the number of applications on the network will seem more manageable. Then, I'll consider the best ways to prevent applications from getting out of hand in the future. Because license management is such a large part of an administrator's (or IT manager's) duties, I thought it might be helpful to see how others are doing it.