Survey: How does your organization manage laptops

harryting

I hope you folks can provide me with some ideas and suggestions on how to manage your programming laptops while still keeping in line with your security and compliance requirements.

Please chip in, especially if you work in a regulated environment in the USA.

  1. Keep two or more computers, one for office work and another for control work.
  2. Use one computer but keep control programs on VM.
  3. One computer only, put everything on it.

I think it goes without saying that we can't work without local-admin rights, but that's getting harder and harder to get granted if one is using an IT-issued PC. Using a separate PC doesn't necessarily get one away from compliance requirements either. Rather than having IT push out whatever they see "fit", I want to take a more proactive approach and give them a few options to consider.

Thanks,
 
Use one computer. I put control programs in host (and VMs as needed). IT issued a VM with all company stuff (outlook, VPN, etc). Main comp can never be on company office network, but IT only gets to apply policies to (mess with) VM. To get IT VM to connect to network, we either use VPN, or connect via USB wifi or ethernet dongle.
 
I am my own IT person - easy! LOL A friend of mine works for Caterpillar and they will not allow VMs at all because the IT people cannot get into it. They will not allow VMs.
 
We get one laptop with a docking station and 2 monitors. It's really up to each individual as to how the laptop is configured regarding the use of VM's or not. I personally keep all of my automation software in VM's.

I have run into so many of our end users where IT departments have them so locked down, they almost cannot do their jobs. At one plant, they were not allowed to even change their own IP address. It seems the thought process is to save people from themselves. My view is to let people do their job. We should be encouraging people to be better at what they do, not inhibiting them. It's hard to get people to be better at networking, for example, if we lock their machines down to the point where they can't learn.

Fortunately, our IT lets us do us.
 
Use one computer. I put control programs in host (and VMs as needed). IT issued a VM with all company stuff (outlook, VPN, etc). Main comp can never be on company office network, but IT only gets to apply policies to (mess with) VM. To get IT VM to connect to network, we either use VPN, or connect via USB wifi or ethernet dongle.

Interesting, that's the opposite of what I would have thought. So you have full control, including admin rights, over the host, I assume?


I am my own IT person - easy! LOL A friend of mine works for Caterpillar and they will not allow VMs at all because the IT people cannot get into it. They will not allow VMs.

If they don't allow VMs, does your friend have admin rights? Can s/he change the IP address, for example?
 
They have us locked down for configuration with the corporate laptops... ONLY IT-installed software for the masses gets there. For programming, I get to buy whatever I want... within reason! Ne'er the twain shall meet.
 
They have us locked down for configuration with the corporate laptops... ONLY IT-installed software for the masses gets there. For programming, I get to buy whatever I want... within reason! Ne'er the twain shall meet.

To clarify, you use your "own" (non-IT) laptop for control work but you are allowed to put whatever you want on it, correct?
 
Interesting, that's the opposite of what I would have thought. So you have full control, including admin rights, over the host, I assume?


100% full control, which is why our team likes it so much. IT literally doesn't even know the laptop exists, they just know that I'm running their VM on SOMETHING. I mean, they probably could know, if they cared. But I don't think they do.

It does mean I have to do a lot of IT tasks on my own: re-imaging if needed, managing software, handling backups. I used to have my own antivirus program, but lately I've just been relying on Windows Defender. I have a folder on my host that I share with the IT VM for when I need to pass files back and forth (say if someone emails me a PLC project). Sometimes drag and drop/copy-paste/etc. don't work as well as they should between host & VM.
 
For those who use the VM: what do you use, and how much hassle is it to change the IP when needed?

I use VirtualBox. There are two main configurations regarding networking; as usual, there are advantages and disadvantages.

Bridged vs NAT

[Rockwell centric view coming...]

Bridged maps an adapter directly into the VM. The disadvantage is that you then need to assign both your host and your VM an IP address on the subnet you are talking to. The advantage is that in RSLinx, the EtherNet/IP driver will function properly, discovering devices on the subnet.

The advantage of NAT is that you leave the VM's adapter set to DHCP, so you only have to assign your host an IP address. The VM will automatically map to the devices that the host can see. For example, your host is talking to devices on a 192.16.1.x subnet. VirtualBox, when your adapter is set for DHCP, will have some IP address like 10.0.2.15 or something like that. You ping a device like 192.168.1.10 from your VM, and it will do the mapping automagically. The downside is that the EtherNet/IP driver will not work; you have to use the Ethernet Devices driver, so you have to type the IP addresses in manually.

I work for an OEM, where our PLCs are typically configured as 192.168.1.10, so using NAT is what works best for me. Even so, I can put multiple common IP addresses in the Ethernet IP devices driver, allowing me to leave my VM alone and assign only my host an IP address.

The most efficient configuration depends a bit on what network configurations you are commonly connecting to...
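
Added example, not part of the original post: a small Python sketch of the bridged-versus-NAT trade-off described above, assuming that driver browsing relies on a subnet broadcast that VirtualBox's NAT engine does not relay. The function name `plan_discovery`, the /24 masks and the device list are constructed for illustration; only 10.0.2.15 and 192.168.1.10 come from the post.

```python
import ipaddress

# Constructed sample device list (assumption); 192.168.1.10 is from the post.
DEVICES = ["192.168.1.10", "192.168.1.11", "192.168.2.10"]


def plan_discovery(mode, guest_if, devices):
    """Sort devices into those a guest can browse and those it must list by IP.

    mode     -- "bridged" or "nat" (the two VirtualBox modes in the post)
    guest_if -- guest adapter address with prefix, e.g. "192.168.1.50/24"
    devices  -- iterable of device IP address strings
    """
    if mode not in ("bridged", "nat"):
        raise ValueError(f"unknown mode: {mode}")
    iface = ipaddress.ip_interface(guest_if)
    plan = {
        # Where a discovery broadcast from the guest would actually be sent.
        "broadcast": str(iface.network.broadcast_address),
        "browse": [],   # reachable by broadcast-based browsing
        "manual": [],   # must be entered by IP address
    }
    for dev in devices:
        addr = ipaddress.ip_address(dev)
        # A broadcast stays on the sender's own subnet. A bridged guest sits
        # on the plant subnet; a NAT guest sits on VirtualBox's private
        # subnet, so its broadcast never reaches the devices even though
        # unicast traffic to them is translated through the host.
        if mode == "bridged" and addr in iface.network:
            plan["browse"].append(dev)
        else:
            plan["manual"].append(dev)
    return plan


if __name__ == "__main__":
    # Bridged: guest needs its own address on the device subnet.
    print(plan_discovery("bridged", "192.168.1.50/24", DEVICES))
    # NAT: guest keeps its DHCP address; only the host is readdressed.
    print(plan_discovery("nat", "10.0.2.15/24", DEVICES))
```

The same split has a security side: a bridged guest is a full peer on the control network, while a NAT guest is only reachable through connections it opens itself.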
 
To clarify, you use your "own" (non-IT) laptop for control work but you are allowed to put whatever you want on it, correct?


Basically, yes, but within limits. For configuration control, we only install system-specific packages and utilities. There are specific requirements for the systems we buy. We don't get carte blanche for "whatever you want". In years past, I have seen laptops with games, music and video players, etc. installed. Not anymore.
 
We control our own kit, we buy what we want and configure it as we wish, so that's not very helpful to you.

We have supplied laptops to customers for control work. Usually a quote is beefed up to cover the charge and it's installed with software they need (which they also supply), it keeps IT well out of the loop for them I guess.
 
Before my last position I worked closely with the IT Dept., and they supplied me with a laptop with local admin rights so I could configure almost anything I wanted, providing it was not logged onto my work's domain. I could get to any PLC or HMI, but not the SCADA systems, using the local account; using the domain I could remotely access the SCADA systems with passwords that gave me pretty good access to drill down. We had a good relationship (difficult at first, but after a disastrous network card replacement by IT, who replaced a system with two cards with one, they realised that my knowledge combined with theirs was the way to go). As I mentioned, I actually had two laptops; one was not configured by IT, but I was allowed to connect to the network (they knew when I was using it). To ensure that the laptop was compatible, it was ordered as per their standard but with a legacy COM port, as were many others, so in an emergency there would be one around. The PC was backed up every week, all my PLC & other files were backed up every week to the servers, and every month I created an image and stored it on a portable drive and a copy on the site servers. Most site users had laptops/desktops where everything was nobbled, i.e. USB drives/CDs etc., and the move was to thin clients. This was an unusual arrangement, as IT do not generally like engineers, but it worked like a dream.
So if you can get IT on board then it is worth it; ensure you regularly take an image and have some sort of file backup procedure and naming convention.
I have not had to do a restore for some years and am not sure what some licensing systems will do, i.e. requiring CPU Ser No's etc., but had no problems in the past.
 
I am my own IT person - easy! LOL A friend of mine works for Caterpillar and they will not allow VMs at all because the IT people cannot get into it. They will not allow VMs.

I did a lot of contracting work for a large GM plant whose electricians could be a real ornery bunch. One day the IT staff locked down the plant floor computers so much that maintenance could barely do their jobs. The next day when IT showed up for work the ends had been cut off of all of their desktop mice (mouses??).

IT decided to restore some of the functionality to maintenance’s computers the following day. It was GREAT!!
 
