Ask HN: How locked down are your work machines?

13 points, posted 7 hours ago
by donatj

Item id: 46710403

12 Comments

AuthAuth

3 hours ago

Devices are completely locked down; users do not have admin rights and must make a request for anything to be installed or executed. They can't even use a USB without getting approval. Software must come from our internal software repo and we run updates so often that known Mac haters beg for Macs to escape the Win11 hell we've created. It's awful and I feel gross helping manage such a user-hostile environment. Yesterday our update tool shut down someone's computer in the middle of an important action. It prompted him 3 times with 15 min intervals, then shut down his PC. He was going berserk as he lost a lot of progress.

Most of this is because of the strict compliance requirements our security team enforces on us. But some of it is done because we don't know how to implement the stuff in a way that is strict but lenient. Mac is way better because we don't have as much invasive tooling that supports it.

tacostakohashi

3 hours ago

Totally standard / "normal" at BigCo (fortune 500, banks, etc.).

At MegaCorp, there is a never-ending arms race between security/compliance teams locking things down, adding approval and surveillance checks, and everyone else just trying to do their job.

Usually there are workarounds and backdoors available to people in the know. If you kick up a fuss, you'll be seen as "difficult". A key part of the job is finding tricks to get things done _despite_ all of the rules / checks in place trying to protect you from yourself.

abrookewood

3 hours ago

It is hard for IT departments to continue to allow that freedom as the company grows and compliance requirements creep in. I am in the weird position of being responsible for Risk & Compliance while also directing the IT policy for personal machines. I've managed to hold on and grant everyone local admin access, but I get a LOT of pushback every year from auditors and customers running their own audits. I'm hoping that continues, but it's probably 50/50.

nyarlathotep_

an hour ago

Previous employer issued Macs with all sorts of Jamf spyware stuff on them but I could more or less install things as needed via brew (both internal-vended "taps" or whatever the term is) and "normal" end-user stuff without issue (it was often expected you'd do so).

Worth noting this absolutely impacted usability and stability to a massive degree. The machine ran far hotter to the touch than my personal (equivalent model) MBP, and would make it maybe a month of uptime before it failed to wake from sleep/kernel panic'd/locked up the desktop.

Most other typical desktop software was "vended" via an internal software "store" thing (managed browsers, etc.), but I could, and did, install various extensions on Firefox (internal wikis even encouraged using Tampermonkey (or whatever the successor is called now), uBO, Sidebery, etc.).

Current employer issued machine is a Windows laptop with no admin and basically locked-down.

Even getting something like Docker installed/WSL configured is a whole episode in frustration.

The huge positive is this Enterprise-whatever version of Windows has minimal slop: no Copilot things or ads in the start menu/lockscreen, but I can't even change the desktop wallpaper. Also, the CPU idles at basically 40% utilization with the various agent things/endpoint security running. For any sort of local development, I largely "sidestep" things by running whatever I need in containers/WSL, so it's really not a huge problem. There's minimal Windows-specific use outside of Teams/Outlook, whatever.

comprev

5 hours ago

At $DAY_JOB our Windows laptops are locked down and supported.

Linux & macOS people have zero support (outside hardware, corp VPN) and the password to the local admin account (thankfully Jamf does not reset the sudoers file).

As more developers/operators opt for Linux or macOS I'm surprised support hasn't been expanded.

donatj

4 hours ago

Exactly how we started down this path.

We were an open macOS shop acquired by a major locked-down, Windows-using corporation. Started with nothing, then slowly Jamf -> Intune -> intense corporate MDM controls.

comprev

4 hours ago

Out of habit (and corporate experience) I default to ~/.local/ where possible in case lockdown happens at some point in the future.

gt0

an hour ago

Small company, < 50 people, industrial automation.

Machine not locked down at all, I could install OS/2 and nobody would care.

hannahstrawbrry

3 hours ago

Sounds like it's time for some malicious compliance. I have been enjoying the freedom I get on my machines ever since I left Fortune 500 but even there I had enough permissions to install the software required to do my job. You might not get some conveniences back but I hope that after a few days of "I'm waiting for IT to let me do my job" standup reports they'll reassess.

apothegm

4 hours ago

This is basically a requirement for certain types of security certifications and for liability CYA reasons in the context of evolving laws about stuff like data breaches.

p_ing

6 hours ago

This is standard, especially when the size of the company grows. Actually, Microsoft might be a rare exception.

Extensions are full of malware of various sorts, so it makes sense that they take them away. Allow list vs. block list makes sense as a block list is impractical to maintain.

The only thing you can do is complain to management and prove with real numbers how this is impacting productivity.

But if you're a webdev, it's super unlikely today that you need local admin and cannot work within an allow list of applications. If you're a driver dev, sure, I can see how it might be a blocker.

throwawaysleep

6 hours ago

Never worked for a place that locked down and one of my jobs is in healthcare tech.

Enjoy being crippled and use the time to be mediocre and just collect checks.