by gorgoiler 1645 days ago
Thanks for responding and writing up more details. I empathise with the frustration of having to follow rules for rules' sake.

Another approach you can try is to conform to their requirements on one machine, but do all your actual work on another.

In the past I've been faced with similar situations where corporate IT required me to run a "security agent" if I wanted to bring my own device to their network. I ended up bringing a Raspberry Pi which ran their "security agent", but then I did all my work on a laptop that connected through the Pi via NAT.

This was at a high school where I was a teacher. The "agent" did an SSL MITM attack, allowing the school IT to see all my traffic. I'm fine with needing that stuff to keep the kids safe but I objected to the school needing to inspect staff traffic. If they mistrusted me to the level of needing to read my email, what the hell were they doing leaving me in a roomful of children all day?

If you had two spare Pis you could do a three machine shit-sandwich: (1) trusted-pi is all yours and connects to your home network offering strictly controlled minimal internet access to... (2) the security-theatre-pi, running the client's weird spy/monitoring software; and then (3) your personal laptop connects via the security-theatre-pi.

I'd prefer to be direct and up-front with them – it doesn't feel great to have to be duplicitous with people the way I did / suggest you do – but a $50 pi might be able to tick their box and let you get on with the interesting stuff.


> Another approach you can try is to conform to their requirements on one machine, but do all your actual work on another.

That would create a layer of cynicism between me and my work. I don't have that today, and I would rather avoid it.

But you’re the one describing a piece of software they are asking you to install as a condition of employment as a ‘hostile agent’.

Feels like the layer of cynicism is already there.

Not on my part. Not with the people in the company I usually deal with.

When a new manager I don't know sends me an email to install some "agent" from a company I have never heard about, and that company turns out to have terms and conditions from hell (like references to undisclosed terms and conditions they want me to accept), then I label that thing, in my mind, as a "hostile agent". It's not something that will ever get access to my LAN. It's something I don't even want in a VM, because it may know how to escape from a VM.

That's not cynicism. That's risk assessment.

Well said, and good luck with your problem. These workarounds are a flag one is in the wrong place. I recently left the job where I did the two-pis hack.
It's interesting that both the school and the job "security agent" ran on Linux on ARM. I would expect these things to be Windows-only, or at least x86-only.