[_y5hn]

This is more related to how organizations work. That larger organizations tend to need to streamline more in order to scale up number of employees, and do more to maintain acceptable security simply because there's that many more people on board.

If policy is install whatever you want, and if you get hacked, you're fired! This just won't stand in court. So policy is that IT department is responsible for installations, IT department gets the blame. Infrastructure is sort of "outsourced" within the company.

If you were accountable for those younger first-timers running I2P and Tor within security perimeter, what would you do?

[AmericanChopper]

Lower down the tread I mentioned vendor due diligence, specifically because I’ve done so many vendor security reviews. But there’s more to it than that. You might also need to be threat modelling it, legal will need to review the ToS and privacy policy. You probably need to figure out the impact on other services too. If you’re in a regulated organisation, there could be any number of other things you have to do, and on going compliance costs. If you work in a bank, and somebody wants to install Gentoo, you’d have to figure out how to run anti-virus on it, how to centralise patches for it, how to install endpoint DLP, make sure it has the correct web proxy configuration... the costs can easily stack up.

[closeparen]

Yes, you need to do all those things, and it is expensive. The organization's choice not to pay those costs to provide an environment suitable for engineering work (not every single one someone could ask for, but one) reflects its views towards engineering.

It may be correct for them. But for you, as a candidate, it's a good indicator that you'd be happier in the kind of company where engineering has the power to get that done.

Between jamfcloud, osquery, munki, etc. there are plenty of companies and tools out there catering to IT departments that take this seriously.

[AmericanChopper]

This has no impact at all on an organisations ability to provide an environment suitable for engineering. If they have an engineering practice, then you could be sure they’ve invested resources into making sure they do have a suitable engineering environment. The issue at hand relates entirely to personal preferences. The problem is that an individual can not necessarily use whatever tools they prefer, not that they don’t have suitable tools available.