At our company we've implemented a new security policy for our engineers. The engineers use their laptop as a Swiss army knife: they develop code, install software and read their company mail on the device.
In the days where the domain account of the engineer was also a local admin, our engineers were happy and content with the policy. Due to mal- and ransomware we started a proof of concept where we changed to a local named admin account to do the programming and installing, and a domain account to access e-mail, ERP and office via Citrix.
In my opinion this is an acceptable solution; this is our normal 'modus operandi' at the IT department. If we need to install something, we use the 'runs as...' command.
But you guessed it: Our engineers are not happy with the new policy. So what do you recommend? Have you encountered the same issues and how did you resolve those?
Why would your devs be writing and testing code on their personal systems? They should be doing this in a dev environment. How would you control versioning, test, release if everyone's doing their own thing?