
I don't understand the shock here? Large corporations don't want users installing random apps. I don't see why an NHS laptop, for example, should have Bejewelled installed, or some dodgy app which gives permissions to the user's drives, and uploads files.

Similarly, though admittedly not a problem in the same way with Windows store apps, to Chrome extensions. Those working in secretive environments with naive users shouldn't have something like "YouTube auto-hd" installed, which will feed back every single website they visit to some shady third party analytics company. IMO this is why having even the concept of these apps inside a "secure" (re. enterprise) version of Windows is a massive oversight. I will admit that this is not a problem in the LTSB branch of Windows 10 Enterprise; I had the disabled apps magically re-enable themselves 3 times after "updates" on non-LTSB before switching back over.

Sorry to rant, but in summation, don't be shocked when corporate users want their laptops to be as restricted and purely for work as possible.



I understand, but what happens is that people will unzip programs from their Downloads folder and just run them from there.


I work in finance. Most web sites you could download an exe from are blocked, downloading exes is disabled and running installers is restricted to admin accounts by group policy. If you do get round all that and do it anyway and you're caught, there's a good chance you'll be fired.

One issue is that some classes of users and locations (e.g. Trading floors) are restricted by law concerning the communications systems they can use for work because all communications regarding financial transactions have to be auditable.

On the other hand most of the banks have their own internal software libraries you can install stuff from and you get a bunch of useful utilities by default such as IrfanView, Notepad++, Greenshot or similar. Machines for devs are often less locked down.


> running installers is restricted to admin accounts by group policy.

Hence the popularity of portable apps which don't use installers. They just unzip to any folder and run.


Any company can install a reporting agent on their desktops and that will collect basic information like what .exe files have been executed.

Once a portable app shows up in the reports you are simply fired for blatant disregard for the rules and procedures you agreed to when signing your contract.

Finance is a heavily regulated environment and you can't get away with things that would be excusable in other places.
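
As an added illustration (not part of the comment above or of any product's code): a sketch of the check a reporting agent's backend could run over process-start records to surface programs launched from user-writable folders. The log format, the trusted-directory list and the sample rows are constructed assumptions.

```python
import csv
import io
import ntpath

# Directories assumed to be writable only by administrators on this build
# (an assumption for the example; adjust to the local image).
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# Constructed sample export from a hypothetical reporting agent:
# timestamp, user, full image path of the started process.
SAMPLE_LOG = r"""time,user,image
2024-01-15T09:01:12,alice,C:\Program Files\Notepad++\notepad++.exe
2024-01-15T09:03:40,bob,C:\Users\bob\Downloads\PortableTool\tool.exe
2024-01-15T09:05:02,bob,c:\program files\..\Users\bob\AppData\Local\Temp\7z\run.exe
2024-01-15T09:07:55,carol,C:/Windows/System32/mspaint.exe
2024-01-15T09:09:30,dave,C:\Program Files Extra\helper.exe
"""


def canonical(path):
    """Lower-case, use backslashes and collapse '..' so prefixes compare safely."""
    return ntpath.normcase(ntpath.normpath(path))


# Trailing separator stops "C:\Program Files Extra" matching "C:\Program Files".
_TRUSTED = tuple(canonical(root) + "\\" for root in TRUSTED_ROOTS)


def is_trusted_location(image):
    """True when the image sits under one of the admin-only directories."""
    return canonical(image).startswith(_TRUSTED)


def untrusted_executions(log_text):
    """Return (user, canonical image) for each process started outside TRUSTED_ROOTS."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [(r["user"], canonical(r["image"]))
            for r in rows if not is_trusted_location(r["image"])]


if __name__ == "__main__":
    for user, image in untrusted_executions(SAMPLE_LOG):
        print(f"{user}: {image}")
```

The path is canonicalised before the prefix test, so a `..` segment, mixed case or forward slashes cannot make a Downloads or Temp location look like it lives under Program Files.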


> Once a portable app shows up in the reports you are simply fired for blatant disregard for the rules and procedures you agreed to when signing your contract.

That seems to be a rather extreme clause; I doubt that a bank would care if a developer installed something that was not whitelisted. It would be a different story if the developer linked against code whose source was not easily attributable.


Why do you doubt that? Is it unreasonable? Students are subject to the same restrictions now.


Bloomberg chat, the Slack of LIBOR fixing.


With a handy built-in evidence trail complete with time stamps?



Glorious. Best part of the article is he switches to using the phone at the end, which was apparently recorded or transcribed as well anyway.


Have a look at The Spider Network by David Enrich. Real eye opener.

But a long way from MS Paint.


If an organisation is locking down their computers, they hopefully have set permissions correctly to prevent users from running untrusted programs, no matter what the source.


Oh, it's messy.

In brief, if any of the said applications require a Registry entry, it denies that through the permission model that these systems have installed.

If it requires altering some files under some directory, it denies that as well.

Some corporations even restrict such shady websites altogether using an exhaustive list of restricted domains and subdomains, often maintained by a third party, who do this list maintenance full-time for corporates like IBM, TCS, just to name a few.

On top of it, almost all network and device activities are tracked, flash drive ports disabled, etc. to ensure "security".

(Only a handful of underpaid device managers have access to the Admin account. Forget the fact that this still doesn't prevent them from doing so at their discretion, or credentials sharing.)


I think the argument is that nothing good can come from the store.


Which is a fireable offense. Thus the company is covered in case of disaster.


That is what AppLocker, Software Restriction Policy and similar things are for


> I don't understand the shock here? Large corporations don't want users installing random apps.

Perhaps we should all go back to mainframes and green-screen dumb terminals?

That's why "the shock".

I understand the security issues - they are absolutely valid in today's world.

But the whole reason the PC came about, was because it moved the computing resources from some sacrosanct computing "temple" (complete with acolytes who kept the system running, secure, and managed) to the general office, and allowed the users to customize and control their software and data to allow for a more "agile" flow.

Computer-based spreadsheets, for instance, weren't anything new when VisiCalc appeared on the scene in 1979 (and later on the PC in 1981) - what was new was having such a powerful piece of software available on a machine that was cheap and independent of the "computer room". Users and managers now had direct control of their data and processes, and ultimately this set the stage toward today's reality.

Gone were having to wait (and wait, and wait) for approval to get a particular application installed; gone were having to wait for the budget approval, hardware upgrades or acquisitions, etc - tons of effort, time, planning, etc needed just to get a simple app (if such was even allowed by the mainframe service contract! Maybe that needed renegotiation as well!).

Just go down to ComputerLand, buy a PC and a copy of VisiCalc (or whatever), plop it on a desk, and work. Freedom!

Ever since then, though, there has been this security of the system and data (physical security, data security, backups, viruses, worms, trojans, etc) that has been problematic. Various solutions have been tried, none have been 100% effective. Problems still exist, data gets wiped or lost, employees move on, leaving password-enabled zip files behind nobody knows how to access, data leaves the building, laptops are stolen, viruses and malware abound, cryptolocking happens, and on and on and on...

But people still want their freedom. They want to just download and run a piece of software to make their life and work flow better. They don't want to wait for approval and budgets.

How do you solve this dilemma?

Going back to a locked down system isn't the answer; as tempting as it may seem, it merely moves the problem up the stack, while increasing frustration for the actual users of the systems.

Hence my snarky response - because that was (in a way) considered "ultimate security" - a centralized system, with no smarts at the end nodes. Tightly controlled, regulated, monitored, updated, and secured. Many major companies (most of them gone today) built fortunes on that model. That so few of these companies remain tells you something about how that model fared. Trying to return to it might not be the best thing to do.

What the answer to the problem should be, though, I can't say unfortunately...


What came before VisiCalc? My understanding was prior to that there were only custom-built "finance" applications which were rather inflexible.



