Ok, for these employees, do you also consume audio and video? My biggest concern is that WFH bringing company hardware home is inviting employers the opportunity to monitor employee home-life, recording private conversations, for example. It might be one thing to have that sort of monitoring go on at the work place, but WFH own their office, and pay for it too.
Incidentally, I feel the same way about kids bringing laptops home from school.
The simplest way to treat any employer device at home (and work) is that they should be assumed to be hostile. It could be default settings, best practices of Microsoft for adoption, etc.
How to treat a hostile device in your home network is the same as home automation - isolate it.
- Separate VLANed network that can’t see anything on your home network. Separate SSID.
Don’t like the microphone? Find an adapter that mutes it.
- Create a separate VLAN and SSID that can’t see anything on your network. The ideal way to do this is to configure a travel router behind your regular router. The extra NAT hop is worth it.
- Bonus points for a VPN at home that your travel router can connect to, making your work setup a little more mobile.
If you're concerned about this, isn't the simple answer just to shut down at the end of the day?
While I'm sure there are exceptions, thinking about the IT departments I've worked with in the past and how cost-conscious they were, the last thing any of them would want to do is waste the time and money to record non-work related employee conversations at their home.
Well, what's to say that the PC is actually off? Many "enterprise" laptops nowadays can't have their battery pulled out easily.
My HP laptop needs to have the back panel removed. If I do that, it'll trip the intrusion sensor and wipe the TPM. IT can know about this and ask you why you're taking apart the laptop. If it's Windows, and you don't have the BitLocker key, you won't even be able to turn it back on.
Then close it and wrap it in a couple layers of towels or something, stick it in your refrigerator under the leftover pizza, and/or block its access to wifi through your home router config. Physical controls trump whatever secret monitoring you fear it's doing.
> Ok, for these employees, do you also consume audio and video?
Clearly GP's firm doesn't run a webcam and microphone capture on the thin client. They could potentially monitor audio/video I/O from the cloud workstation that the thin client logs into.
I've taped the webcam on my work laptop. If my employer wants me to use a webcam as part of my job, I'll ask them to buy me one with a physical shutter. Thankfully no one gives half a shit about webcams at our workplace.
A couple of reasons. First of all, I kinda need the microphone for work whereas I don't need a webcam. I also live alone, so it's not like I am having that many private conversations at home. However, I do for example spend time naked at home, and I'd prefer that to not be visible to any cameras.
There is thankfully a physical cutoff switch for the microphone whenever the laptop lid is closed in case I need to have a private conversation and ensure that there's no employee-provided microphones nearby.
The interface for the virtual desktop in many circumstances is by way of a simple browser tab.
Due to browser security standards, every time you access your work desktop via web, a warning pops up asking if you want to provide camera/audio/location services.
You can decline to consent and there won't be any problems, other than Teams won't be able to use your webcam/audio for a meeting.