megacorp; laptops have much enterprise security & surveillance bloatware installed. whirrr, such cpu fan, very compliance. by default no one has local admin rights for their work laptop. developers are approved local admin rights upon request.
once blessed with local admin rights, developers manually invoke a utility to grant themselves temporary admin permission for a limited time period each time they wish to sudo. this sounds worse than it is in practice, provided one doesn't need to sudo continually.
At my current employer they have mobile device management and corporate "security" software installed. It appears to do full network monitoring / event capture. Performance on the machine is terrible due to all the resulting overhead. Recently several devs have complained and had it disabled. We all do have sudo.
Regardless: as a software employer, I'd currently treat any contributor device as loaded with malware, under surveillance, potentially hostile, and with the possibility that it will reside on competitor networks in future.
Ultimately most of the contributions I'm looking for are plaintext and reviewable -- none of the above properties should be blockers, so the way to maximize contributions is to allow for all of them.
I would add to that, if yes does the company allow and test for passwordless sudo? Reason being that passwordless sudo + ssh multiplexing makes bypassing 2FA/MFA via phishing a breeze.
My current work laptop is self managed, so yes. My previous was a locked down Mac and I don't think I had full admin. Before that I did have root on both my desktop and laptop.
once blessed with local admin rights, developers manually invoke a utility to grant themselves temporary admin permission for a limited time period each time they wish to sudo. this sounds worse than it is in practice, provided one doesn't need to sudo continually.