how do I get my mac onto my corporate network? (complications galore inside)
May 8, 2010 11:27 AM   Subscribe

how do I get my mac onto my corporate network? (complications galore inside)

short version: I am trying to get my work mac pro to share an internet connection with my personal macbook pro sitting right next to it. I can use firewire or usb. os x 10.6. only problem: the mac pro is severely locked down.

long version: I recently started a new job at this relatively large employer that has a very strict computer policy. users cannot install so much as mouse drivers on their work machines. I'm currently writing this on a mac pro that costs more than my car and I am unable to install an ad blocker in safari, though in firefox that thankfully works. I miss ichat, I miss skype, I miss about forty little apps and drivers and tools that I am used to working with.

I am allowed to bring my personal laptop into work but I can't get it onto my corporate network. I also can't just hook it up to the ethernet ports that provide internet at my desk - doing so would instantly raise alarms, I am told. I tried to have my mac pro start internet sharing but the system pref in question has been disabled. I inquired about policies regarding vpn's but the friendly techie told me I would need permission from three management levels above his to just get my iphone onto the corporate wifi, much less the ability to start a vpn.

there are parts of this company for which such a restrictive it policy makes sense. I don't work in any such area. all the firewire and usb ports are wide open. they don't restrict the use of thumb drives.

I'm currently using tethering on my iphone to surf the web from work. this won't work much longer. I also don't think surf sticks are the solution, as mine (a t-mobile model) charges me five bucks for every 24 hours I use it and limits traffic after 2GB/month.

I would like the mac pro to pass along its internet connection to my macbook pro. I will most likely have to use a cable connection. I will most likely have to find a way around the system prefs. terminal is disabled on my machine.

so - am I shit outta luck or is there a way?
posted by krautland to Computers & Internet (25 answers total) 1 user marked this as a favorite
 
As a network admin, I would say "talk to your IT department". It's the company's network, not yours.
posted by Burhanistan at 11:47 AM on May 8, 2010 [2 favorites]


You're basically trying to sneak onto the corporate network? You said connecting it directly would "raise alarms" and that internet sharing requires lots of approvals, right? It sounds like the company doesn't want unauthorized/personal machines on the network--and probably for valid reasons, like network stability, security, etc. Whether you think it's necessary for your job or not is not really relevant.

Burhanistan is right -- if you want this, go through channels; you aren't going to be able to get on without permission (or even if you could, you don't want to, for the sake of your job security, if this company is as strict as it sounds). If you think it's necessary and important for your job to be able to work on your personal machine with all of your tools, apps, drivers (and social networking applications), make that case to the powers that be.

(It sounds, though, like you just want to be able to have chat, etc., at work, and unless that's part of your job, you might have a hard time convincing your company that it's necessary for you to have that functionality while you're on the clock, using their network resources. Also, there might be problems if you want to use software/apps/drivers that are licensed to you for your work projects -- that's kind of a no-no.)
posted by devinemissk at 11:57 AM on May 8, 2010


"there are parts of this company for which such a restrictive it policy makes sense. I don't work in any such area."

Sure you do - you can tell because those restrictions are in place in your area - put there very clearly by management policies and backed by IT money spent on locking things down.

It's also not your decision to make.

Your opinion doesn't dictate what's a good security practice and what isn't - the company likely tried the "let's just tell the users to be careful" method in the past, got burned (which is what happens at every company that tries this) and then spent the time and money on a security build-out.

At the very least, getting caught trying to violate this policy is going to *annoy* someone in IT - which won't help you down the road. (Because even though us IT guys might sympathize, we've got hundreds of users who all think they know more about computers than we do and wouldn't be a security risk. We also happen to report to management, and we have policies to enforce that maybe WE don't even agree with - but it's not our company or decision either)



So - the best way for you to get your personal laptop onto the company network is to convince those above you, starting with your immediate supervisors, that it's to the company's benefit to change their current policies to let that happen.
posted by TravellingDen at 12:39 PM on May 8, 2010


This is maybe a dumb question, but does your company have a "guest" wifi network for visiting clients &c. that doesn't give access to internal servers and whatnot? If you just want to use your own machine for internetting, can you use that? That's what folks do at our company.
posted by Nothing... and like it at 12:42 PM on May 8, 2010


Find out if they have a VPN policy, this may allow you to connect to the network through your notebook, although dollars to donuts you get a citrix interface.
posted by furtive at 12:51 PM on May 8, 2010


I can't tell you how many people I see at work (law department in a fortune 50) who complain about how unfair it is their computer is locked down. These are also the people who think they know better and should be granted exceptions. Invariably, these are also the morons who don't save their documents to their home drive on the server or other proper places and then bitch when their laptop takes a swim in their pool and their super important files are missing with months of work gone. They complain about not being able to install software they think helps that they got from their brother who knows a guy who runs a warez site and seem to have never heard of groups like the BSA. They complain about the internet being filtered, but then complain that the network slows down around lunch time when everyone takes "a few minutes" to "just check a few non-business sites". They complain about free webmail providers being blocked, but don't know anything about safe computing and avoiding viruses.

Sure, you may not be someone who knows just enough to be dangerous, but for everyone like you, there's a dozen people who need their machines locked down so we don't have spyware, viruses and keyloggers floating around the entire office, let alone the entire company.

If you tried to circumvent any network policies where I worked, I'd be sure to have all records of your actions sent to your boss. People like you make my life harder. It's tough enough dealing with 200 workstations, the servers they connect to and their often times moronic users, I don't want to have to remember about the special software you installed that conflicts with some update that's being pushed out this weekend.

Make a case that the software you want installed should be part of the base configuration and will save everyone time. You cannot tell me that software that would help you would slow other people down who do the same job. This way you'll bring about positive change for everyone with your management's consent and with IT behind you, not against you.

Alternatively, if you want to do whatever you want on your work computer, go work for a company of five, they probably won't have anything centrally managed or configured. This is just one part of the culture of the company you chose to work for, you can always choose again.
posted by Brian Puccio at 1:01 PM on May 8, 2010 [3 favorites]


I'm currently using tethering on my iphone to surf the web from work. this won't work much longer. I also don't think surf sticks are the solution, as mine (a t-mobile model) charges me five bucks for every 24 hours I use it and limits traffic after 2GB/month.

This probably is the best solution if you want Internet access your company would prefer you didn't have, since it's the only way you won't show up on the corporate network violating a bunch of company policies.

You may wish, however, to consider how it's going to look to your boss and colleagues if you're continually on chat, web sites, etc, on your personal laptop.
posted by rodgerd at 1:34 PM on May 8, 2010


You're basically trying to sneak onto the corporate network? You said connecting it directly would "raise alarms" and that internet sharing requires lots of approvals, right?

yes. we have one client who has a problem with intellectual property theft and requires complicated lockdowns on any machines related to his business. I am not at all connected to that and I am not interested in getting my machine onto an internal server where anything might be stored. I just want my macbook pro to have internet in the office.

the issue with network ports seems to be that as soon as you plug in an ethernet cable connected to a not cleared computer the port gets locked. this is third hand knowledge but that's what I've been told.

This is maybe a dumb question, but does your company have a "guest" wifi network for visiting clients &c. that doesn't give access to internal servers and whatnot?

no, that's actually a smart question. we do have a wifi but alas, it's locked down and only management two levels above mine get access codes. argh.

Make a case that the software you want installed should be part of the base configuration and will save everyone time.
dude, I couldn't convince them to install me a damn mouse driver. thanks for your non-help. that rant really helped.

if you're continually on chat, web sites, etc, on your personal laptop.
my web isn't filtered and yes, this is a lot about ichat, skype and the likes, which I often use to especially contact coworkers in my field. it's actually okay for me to spend my time as I please. I'm supposed to come up with ideas yet find myself prevented from using all the tools I usually rely upon.

argh. seriously, people. stop ranting about the merits of what I'm trying to do. I'm looking for a solution, not preaching.
posted by krautland at 3:02 PM on May 8, 2010


Regarding the system prefs, I'm a Mac network administrator, and lets just say there are ways around those restrictions but they are readily noticeable by your IT department. 1) What you need to be keenly away of is they probably have Apple Remote Desktop which offers an incredibly easy way to see anything you're doing on your screen at any given time. This also means it'll be obvious if you're not on the network because your mac pro appears offline. 2) I can run automated scripts to see what you've done to your computer.

In other words, there's a hack for every technology block. But there's also usually a way to see that hack. And with how locked down your job sounds, I would not suggest screwing around to see what you can get away with. Chances are that the methods you desire have already been tried and the IT department knows how to catch em.

the issue with network ports seems to be that as soon as you plug in an ethernet cable connected to a not cleared computer the port gets locked. this is third hand knowledge but that's what I've been told.

Yea, it's probably tied to your system's MAC address. Unauthorized MAC address = no network access.

And regarding the ranting, it sounds like people working on the IT side of things are trying to give you the cold, hard reality that this is a Bad Idea. Look back on AskMeFi's history and most posts asking similar questions go the same way.
posted by jmd82 at 3:11 PM on May 8, 2010 [1 favorite]


Could you buy a router, clone your work computer's MAC address to the router, and hook the router up to the wall port? If all they're checking is the authorized MAC address on the network this might fly. Then you plug your work computer and laptop into the router. Probably best to not use a wireless router so they don't get concerned about a new, unknown wireless network.
posted by 6550 at 3:24 PM on May 8, 2010


Could you buy a router, clone your work computer's MAC address to the router, and hook the router up to the wall port? If all they're checking is the authorized MAC address on the network this might fly. Then you plug your work computer and laptop into the router. Probably best to not use a wireless router so they don't get concerned about a new, unknown wireless network.

Which, unless you set up the ports forwarding correctly, essentially takes the workstation off of the network. NATing breaks certain other apps as well. And the day IT finds the router under the desk will be an interesting one.

The correct way to do what you want to do, is to talk to your IT department and/or supervisor and have them set it up in accordance with their standards. If they will not, then you are sadly out of luck.
posted by Pogo_Fuzzybutt at 3:56 PM on May 8, 2010


I'm looking for a solution, not preaching.

Buy a 3G card or one of the 3G to wifi mobile hotspots. If you actually need this access to do your work, your manager will let you expense it. You might also find another nearby employee who might be willing to share the cost of the mobile hotspot and airtime, if they've got the same frustrations.

I'm going to be stunningly blunt with you, for a second though. Because I work in IT, I've been on the other side of this, and I know how this usually plays out.

If you successfully put your personal machine on the corporate network, you will have committed a fireable offense. and there is approximately a 99.99% chance that someone in IT is going to notice it, possibly immediately, possibly a month down the road. But rest assured, at some point, a sysadmin is going to get an alert that an unauthorized machine (with an unrecognised hardware/mac address) is on the network (and which port it's plugged into). Very shortly thereafter, you're going to have a very uncomfortable conversation.

If you weren't a new employee, who's at least two levels below that required for wifi, you'd probably get a warning for this. But since you're new, and at a fairly low level, there's a very good chance you'd find yourself out of a job.

I'm not kidding.
posted by toxic at 5:04 PM on May 8, 2010


I don't want to be piling on, but this is an excellent way to find yourself with no job.

It's not your place to judge the company's IT policy, particularly as a new hire in a non-IT job. If you legitimately need certain apps to do the job you've been hired for, talk to your boss and the IT department.
posted by jjb at 5:32 PM on May 8, 2010


Unauthorized MAC address = no network access

Sometimes, this is policed using 802.1x, so you could be SOL even if you do clone a valid MAC.

But more importantly... a machine with a cloned MAC address will still set off very loud alarm bells when you put an unauthorized protocol onto the network (possibly even louder, because it suggests a compromised machine, rather than merely an unauthorized one). If corporate machines on your network segment aren't supposed to have skype or iChat installed, and your machine starts spitting out XMPP or the Skype protocol (or an iChat Bonjour announcement), it will probably get spotted, someone will investigate and find your cloned MAC, and you're absolutely going to get fired. It's a lot harder to claim ignorance (or stupidity) when you're actively taking steps to get around restrictions (i.e. cloning/spoofing your mac address).

[The way to have your traffic escape detection for the longest is to encrypt and tunnel ALL of it to a remote machine running something SSL-based (like OpenVPN) on a "reasonable" port... like 443 (https). Your traffic won't look exactly like SSL-wrapped web traffic, but it won't stand out in a crowd. If you can do outbound SSH to off-network machines, that might be an option, too. You'll still eventually get caught. ]
posted by toxic at 6:08 PM on May 8, 2010


I think the $45/month for a 3G aircard (I've used Cricket, they aren't bad -- I think Verizon is better but they have a minimum contract period and cost a bit more IIRC) is a pretty decent investment, relative to the potential costs of getting fired. I've also worked in IT support, and I agree with what everyone said re: "breaking corporate policy = fast train to firing." Depending on how uptight your company is, using your personal machine/connection on company time might still be a fireable offense, but it won't be nearly so bad (or as easily spotted) as shenanigans on the network.
posted by Alterscape at 8:12 PM on May 8, 2010


Krautland, don't do this without getting authorization through the proper channels. If you work at a big company, there will be a process for getting the applications you need certified and approved if you can provide a reasonable business case for why you need them to perform your job. Ask your immediate supervisor how to get new applications approved; if s/he doesn't know the procedure, s/he should be able to point you to someone who does.

As an aside, I'm the DBA who supports the IS Security group at my company. They're the nicest set of guys I've ever worked with, but they absolutely do not fuck around when it comes to potential security breaches, which is what you're trying to do. You would get caught if you did this at my company and if you were a new or low-level employee (sounds like you're both), you'd get fired and my company would fight any unemployment claim you made. Your company's security policies may be ill-advised and overly-restrictive, but it's a terrible idea to disregard them if you would like to keep your job.
posted by Maisie at 8:21 PM on May 8, 2010 [1 favorite]


I should have made it clear that I'm assuming that if you could get the applications you need on your work machine, you would no longer care about having your personal machine at the office. If that assumption is wrong (for example, if you want your personal machine at work so that you can do non-work things with it), then my advice is an even more empathic ABORT ABORT ABORT!
posted by Maisie at 8:26 PM on May 8, 2010


(Or, you know, emphatic. Jesus.)
posted by Maisie at 1:49 AM on May 9, 2010


they probably have Apple Remote Desktop
you are correct. they do use this.

thanks, odinsdream. sadly no terminal and ifconfig either.

I should have made it clear that I'm assuming that if you could get the applications you need on your work machine, you would no longer care about having your personal machine at the office.

correct. the funny part is that none of the apps and tools I am talking about are a problem to them. I discussed ichat, skype, glims, ad block, transmit, canon dpp, bbedit, adobe camera raw, secrets, dropbox, gmail notifier,scrivener and vlc. no objections. the only issue is that they don't want to spend the time installing all that. I can't even import my camera raw files on this machine because cs4 and the canon 7D don't gel out of the box. my current workflow is to download them onto my mbp, convert them there, put them onto a stick and getting them onto my mac pro. in a word: it's slowing me down.

I just had them install final cut pro on my machine. it took two weeks to get it, two seconds of which were spent on convincing the ceo to purchase me a license.
posted by krautland at 5:39 AM on May 9, 2010


if you want your personal machine at work so that you can do non-work things with it
I'm a creative. I can go and play pool during work hours. my coworker one office down just spent an hour discussing youporn with the boss. seriously, nobody on my floor cares. it's just a big company with a far away IT department that uses a one-size fits all approach and that already has a restrictive policy in place for every wish you might have.

I'm a german in germany but they are outgermaning even me.
posted by krautland at 5:42 AM on May 9, 2010 [1 favorite]


Ah! I'm in the US and assumed you were as well. Your company probably operates similarly to mine with respect to caring about their security rules, but scratch the unemployment claim part if it's not applicable to your situation.

Anyway, I really understand your frustration. We're not even allowed to have iTunes or AIM, for heaven's sake, so I know where you're coming from. It's good news that the only issue is that your IT department doesn't have time to do the installations, not that they're opposed to the applications. In that case, I suggest that you talk to your IT support person. Ask if, in light of the apparent backlog, s/he thinks you should put in a request for IT to do the installations or if you should ask for whatever the Mac-equivalent of local admin is to do them yourself. Good luck and let us know what you end up doing.
posted by Maisie at 8:17 AM on May 9, 2010


correct. the funny part is that none of the apps and tools I am talking about are a problem to them. I discussed ichat, skype, glims, ad block, transmit, canon dpp, bbedit, adobe camera raw, secrets, dropbox, gmail notifier,scrivener and vlc. no objections. the only issue is that they don't want to spend the time installing all that.

FYI, this would require your IT department to create an entire group policy just for your mac. Mac server works by managing system preferences and allowed programs by either computer group of user group (well, you can use both, but eh). The catch is that with Mac server, you can only belong to one mac group at a time when you log in. If you happen to belong to two groups, you'll be prompted for which group to log in with. The issue is that with all the security settings already set up for your designated group, they'd have to be recreated just for you. Not only that, but to make the allowed programs manifest to work properly, it ideal to update those settings from your workstation. If IT said "ok!" this would set a precedent where they could quickly have 100s of random user and group policies.

I don't present this as an argument for or against your IT department's decision, but rather to be aware that creating a new policy for you on a mac server isn't as easy as one might think.
posted by jmd82 at 8:32 AM on May 11, 2010


You could set your Macbook Pro's MAC address to your Mac Pro's MAC address and plug it in probably.
posted by floam at 10:05 PM on May 11, 2010


Note: that'd mean no longer plugging in your Mac Pro or bad things would happen.
posted by floam at 10:06 PM on May 11, 2010


You could set your Macbook Pro's MAC address to your Mac Pro's MAC address and plug it in probably.

While this would actually probably get your macbook pro on the network, it also means that if the Mac Server is handing policies by computer (which uses MAC addresses for identification), your macbook pro would suddenly have the same restrictions as your work's mac pro.
posted by jmd82 at 8:08 AM on May 12, 2010


« Older Create a mini 'classmates.com'   |   Don't tell me what to do! Newer »
This thread is closed to new comments.