[heraldgeezer]

That is all well and good but how do you:

- Ensure the machines are up-to-date and users are not just indefinitely postponing OS updates?

- Same as above but with programs/software

- How do you ensure correct settings configuration in terms of security? Say default browser, extensions, program access etc?

- Re-image or reinstall the OS when there are issues or PC handover to another employee? Manually with a USB stick?

This kind of control exists and is needed for Linux and MacOS too. RMM is not a Windows only thing...

The critics here see Intune but what if they used another RMM and they compromised another cloud RMM account? Same issue.

Also, here there is no "arguing". They order the software from our portal and it gets pushed into Company Portal via Intune...

Write down a list you say... idk what to say. You have only worked for small startups I gather? Nothing wrong with that but please recognize that these types of limits and programs are not deployed for fun or to ruin your day.

[rcxdude]

I hear zero-trust is a trendy buzzword at the moment, so let's apply the basic idea here: having a hard shell and a soft and chewy center is not a security posture that works, in practice. You need to harden at every level. RMM uber-admin credentials are the ultimate soft center: you compromise those, you can kill the entire IT infrastructure. The only alternative is to distribute access: have multiple smaller IT teams that adminster small parts of the system, with more 'central' roles providing services but not having full control of most machines. It's not a fun option, but it might also work a lot better if each team can actually adjust policies for the environment they're working in as opposed to trying to have one completely unified policy for an entire multi-thousand employee company. And, for critical systems, I would seriously consider the wisdom of having a remote 'wipe and reformat' button at all.

At a bare minimum, your backup systems should have a completely disjoint set of credentials to your main systems, stored and controlled differently, ideally by a seperate team, if you have the resources.

(And the arguing becomes a problem when IT ceases to consider their job to be solving problems for users within some constraints, and just starts to consider their job to be enforcing those constraints. This also mixes badly with incompetence, which tends to turn everything into a tedious tick-box exercise that neither improves security nor solves user's problems. It's not a good time to have an IT department that can't resist any new security checkbox a vendor offers but can't figure out how to work any of their fancy tools to make life even the slightest bit smoother for their users)

[heraldgeezer]

Can you like I did name a company or technology that works like this?

Companies use M365 or Gsuite. Go.

I can type words too but they dont mean anything.

"Make it good zero trust wowo"

[rcxdude]

Everyone doing it doesn't make it a good idea. The big tech companies and governments are I think a little more paranoid about rouge admins, so they do at least try to limit the blast radius of any given credential, but almost no-one else has that level of maturity, which creates this pretty big chasm in the resiliance of IT organisations as you go from small to large.

(There's also a certain irony about IT complaining that a change to improve security would mean they can't do their job as easily)

[heraldgeezer]

I think you do not understand what a massive undertaking even securing a tenant in GSuite or Office 365 can be. Plus networking. Plus end user computing.

On top of this you want companies and governments to make their own tools?

You have a vision... of something zero trust. Now make it and implement it. Oh, not so easy?

S3 buckets used to be open by default. Office 365 had MFA as optional for a looooong time. So things are improving.

[rcxdude]

Doesn't need to be their own tools. It's organizational and cultural, not a case of no-one makes the tools to enable it.