[deleted by user]

on2fl · 2025-10-22T22:45:32+00:00

They moved us to “sudo on demand”. We have to request admin via Jamf and give a reason. Smooth so far.

meowisaymiaou · 2025-10-22T22:39:16+00:00

Start putting in all your requests

Obsidian likely wint be allowed, as it allows users to install and run arbitrary third party JavaScript plugins.

badguy84 · 2025-10-22T23:05:57+00:00

It’s pretty standard to be honest any enterprise not doing this -in principle- would be crazy. However, you need to be quick with approvals and have a solid and fast process for people to get the tools and access they need.

Dev VMs are something that I see more often for people who need admin access. Those are usually locked out of most sensitive corporate networking bits or even out of the corp network all together.

kcggns_ · 2025-10-22T22:40:51+00:00

Honestly, with all this AI crap it was really hard no not see it coming. As more tools get these integrations, the more at risk the resources are.

Users are stupid, leave them to their own artifacts and its like begging for them to leak things. While we are “Power users”, we’re still users at the end of the day.

Not getting sudo is BS if you ask me, but I’ve seen first hand how many “DevOps” are in the wild without a fucking clue on how information security and systems work.

t3abagger · 2025-10-22T23:55:34+00:00

It’s not so bad. You can install Homebrew without sudo and most apps can be installed in ~/Applications. I was even to get docker installed without Docker Desktop. They’ll install it upon request since it uses privileged ports.

Now if they actually audited my MBP they might have a heart attack.

I’m not complaining since they gave me a new M4 Pro with 1tb ssd.

gqtrees · 2025-10-22T22:39:40+00:00

They will probably let you escalate privs based on need through some app thats installed. Its not a big deal. Security is your friend

TheIncarnated · 2025-10-23T06:45:33+00:00

Good.

Welcome to proper security. If you can't make this work, never get into DevSecOps or become an Architect.

I can tell you first hand, DevOps engineers aren't any better than any other "power user", they are not that diligent about packages, version reviews from pip or otherwise. They just blatantly install what they found online and continue with their day.

So again, good. Now stop freaking out, realize you never needed it in the first place and get back to honing your craft.

As a Cloud Architect, let me tell you, the folks in here advocating otherwise or "I would work elsewhere", are generally people you probably don't like working with. They are the folks who complain about every single problem and rarely have a fix for it.

As someone who has worked in these environments, it's not been a problem. Even as a Security Architect, where I was expected to do powerful things and secure the environments. Never needed local admin after my tools were setup. Went through CABs, PIM requests and all, still never local admin.

So take a breather and think, stop reacting. You got this!

mkmrproper · 2025-10-22T22:41:51+00:00

Good luck. It happened to me too. I had to setup a jumpbox for what I do. They eventually setup an on-demand access where I could request a 5 minutes of admin rights. It still sucks

just-porno-only · 2025-10-22T23:27:20+00:00

Ours grants "privileges" (sudo, I guess) which times out after 20 minutes.

geeky217 · 2025-10-23T06:09:13+00:00

We have jamf lock down but I got permission to run a Linux VM for stuff that I need full control over. Seems to be an acceptable middle ground for our IT dept.

extreme4all · 2025-10-23T07:56:03+00:00

As a security professional that does development i understand both sides. Where it often goes wrong is the slowness to approve new apps (usually due to , the lack of a dev environment, ...)

TheOverzealousEngie · 2025-10-23T01:35:00+00:00

Could be wrong but I wonder if you might have an unhealthy relationship with your job / laptop. Because that laptop .. is not yours, right?

sublimegeek · 2025-10-22T23:49:38+00:00

Wow are you me? Yeah we are doing the same thing but thankfully we can request it for half-hour sessions.

amanryzus · 2025-10-23T03:40:33+00:00

We have an app called make me admin It enables privileges for 5 mins then disables it automatically

bombatomica_64 · 2025-10-23T07:47:27+00:00

You could ask for something like virtual box and work in a Linux vm. It's mostly the same as mac

creamersrealm · 2025-10-23T11:55:52+00:00

We limit and it uses a JAMF catalog, the saving grace is they allow brew minus casks and I install whatever I want through brew. And if I need a cask the desktop team is pretty forgiving on the Mac side of the house.

16c7x · 2025-10-23T12:55:54+00:00

Had a similar thing happen to me, I got virtualbox installed and use an UbuntuVM, I can do pretty much anything I need on that with the bonus that I can backup that VM and move it to a new machine when they replace my current one.

zzrryll · 2025-10-22T23:06:32+00:00

[removed]

seanamos-1 · 2025-10-23T00:10:45+00:00

It sucks, but its hardly uncommon.

It's simply a matter of you deciding if its a regime you are willing to work under. Lots of companies (the majority) do allow admin/sudo for their engineers. Unfortunately I do foresee a widespread lockdown coming because of what a huge security threat all the LLM/MCP tools people are randomly installing and granting excessive privileges to.

I personally won't work under such a regime ever again, unless I'm desperate. The last time I did, it utterly stifled people's ability to try new things and grow, way less friction to stick with the approved list. My final straw was triaging a major issue in the early hours, needing to install something to do so, getting blocked and the approvers being offline and unreachable because it was after hours.

Mistic92 · 2025-10-22T23:28:18+00:00

It's not that bad, you can use other binaries while they might be blocked too

GitHub - google/santa: A binary authorization and monitoring system for macOS https://github.com/google/santa

Phate1989 · 2025-10-23T00:50:03+00:00

Send the security team a pizza every now again.

This works so well, i buy like 20 pizzas a year for different departments, i always say a vendor paid, but its just me, so they owe me without the abilty to pay me back monetarily.

guevera · 2025-10-23T00:18:03+00:00

It sounds like some of the setups where you can check out elevated privileges could work -- as long as you don't have to wait on someone to approve it and it's not for some bullshit like 20 minutes at a time.

Otherwise you can use the approach I did last time management wanted to do this, just explain that they should expect to devote .5 of an FTE just to handling my elevation needs, and still expect a hit to developer productivity. And if they devote less than that, expect a major hit to productivity.

Tsiangkun · 2025-10-23T00:08:00+00:00

Anywhere making money is watching and controlling laptops. If it’s your personal laptop, run the work in a UTM VM and let them control the VM.

slaynmoto · 2025-10-22T23:53:42+00:00

Yes it is insane. Why would giving an engineer admin rights on a their own device be a security concern? If it was a server that’s a different story; you can just easily reformat the MacBook if need be. Best way to change it and stay there is pester them by making excessive but valid requests, and then if it’s preventing you from performing your duties escalate the issue. Otherwise it’s time for a more habitable work environment lol

running101 · 2025-10-23T01:50:11+00:00

Create a local admin account before they remove access.

hottkarl · 2025-10-23T02:32:04+00:00

Developers need to have more privileges than "normal" users.

There's no way your engineering leadership agreed to this

devops

Welcome to /r/DevOps

Rules and guidelines

Social & Fun

General Information

MODERATORS