We have quite a handful (about 3 dozen) of staff who bring our corporate laptops to
our China branch, and they're based there for months. We enable local admin for
them (as sometimes, while they're there, they need to install certain software and
there's no PC/end-user support there), and we enable their laptops to connect to
hotel/public Wi-Fi.
They'll often VPN back to the local head office here to join our domain for Intranet
services, and this is when their PCs are found to have malware; or, when they are
back here locally, their PCs are found to have numerous pieces of malware. We never
know what happened or why their PCs' AV signatures were not updated while they're
I'm proposing application whitelisting (which some of our critical PCs are mandated to
have) be installed, as AV is a 'blacklisting' solution while application whitelisting is more effective,
but my colleague who supports application whitelisting has the concern below:
"Not really suitable. It has to be connected to the VPN for at least 2 hrs for the baseline to complete, and if something really breaks and they can't initiate the VPN back, the whole laptop is as good as totally disconnected from the network already. High-risk thing to do. Won't be able to remotely change app whitelist settings unless they manage to connect back to the VPN network. Main worry is if the user hits a problem doing VPN."
Is the limitation/concern above valid, and isn't there a way to overcome it?
What other mitigations can we apply for this group of users, assuming we can't
take away their local admin and must still allow them to connect to public/hotel Wi-Fi?
We plan to 'quarantine' their PCs with NAC so that if their AV signatures
and patches are outdated, the PC has to be brought to end-user support for updating
and scanning first when they're back. But if they connect back via VPN (which
we can't block when the PC is outdated, as it would prevent them from accessing the Intranet
for months), this VPN path back is still a gap.