Survey: How does your organization manage laptops

James Mcquade · Mar 26, 2020

We used to have around 10-15 laptops.
then, maintenance started making lots of changes, downloaded a program into the plc that had recipes for other materials, and so on.
as they died, we didn't replace them.
now there are only 1 or 2. all other access for maintenance is through the restricted access, toggle bits, change timers, counters, and force bits program. the main guys that made the changes are no longer here.

the main is/it guys ( that's me and another) do the wonderware apps, SQL, plc programming, mmi programming, web pages.

life is a lot easier now that those that have left don't make changes.

james

mk42 · Mar 26, 2020

dmroeder said:
[Rockwell centric view coming...]

The mapping works out pretty much the same in the Siemens world. Bridged lets you do network scanning/browsing, and changing device names. NAT might work if the HW is set up, and you know all the IPs; also it's better for getting to the internet if needed.

harryting · Mar 26, 2020

dmroeder said:
I use VirtualBox. There are two man configurations regarding networking, as usual, there are advantages and disadvantages.

Bridged vs NAT
.

I'm beginning to see the advantage of MK42's setup where the "official" IT image is on a VM. However, that could be a hard sell to our IT.

If we push for the more traditional of host being IT and Controls on VM, we still need some local-admin ability to change IT and connect to USB on the VM, doesn't it?

sigh, nothing is simple.

Lare · Mar 26, 2020

harryting said:
For those who use the VM. What do you use and how much hassle it is to change IP when needed?

I connect USB to ethernet adapter directly to VM, no need to hassle with NAT or bridged settings on VM.

Downside is that not all USB to ethernet aapdaters work well. (It needed to be USB2.0 compabtible at least before, as USB3.0 wasn't supported by VM.

mk42 · Mar 26, 2020

harryting said:
I'm beginning to see the advantage of MK42's setup where the "official" IT image is on a VM. However, that could be a hard sell to our IT.

The key thing for our IT team is that the host PC is NEVER allowed on the company office network, only the guest network. The VM is encrypted, so the data is secure in place. There is really minimal IT risk.

That said, you need an IT team that lets you know what they need to get to a "yes", vs just saying no because it's less work for them.

harryting said:
If we push for the more traditional of host being IT and Controls on VM, we still need some local-admin ability to change IT and connect to USB on the VM, doesn't it?

sigh, nothing is simple.

Pretty much, yes.

Dayvieboy · Mar 26, 2020

I went to jog a 1e-11 ultra high vacuum pump one time during commissioning and the off button did not work. I then found that the Ignition SCADA Gateway was forced to to do a reboot for a windows update and it said "2% complete please wait..." when I got to it 5 minutes later.
.
I also was working on a Citect SCADA system and saw a window pop up that said
"Virus found deleting Citect" the freaking IT department rolled out forced virus updates with NO exceptions. They deleted the SCADA system!!!
.
When IT causes equipment damage & shut down production for a few shifts and then management gets involved.
.
We now have 3 major sets of different rules.
1 for typical computer users & 2 different sets of rules for engineering.
.
Virus updates are forced on normal PC's (sometimes with no warning)
On Engineering updates are downloaded & you get to decide when to reboot (delay up to 2 weeks)
.
On machine controlling PC's updates are never forced but tested on a new VM, after proven to be stable they are cycled in. (This requires $ 30,000 in spare licenses)
.
Engineers get a special build of Trend micro that allow you to white list programs like Rockwell Studio 5000 to avoid constant scanning from eating up your CPU usage.
Or white list a utility you may need to run.
.
All files e-mailed are intercepted, IT will scan and approve them, sometimes takes a day.
.
All USB drives are blocked from working.
You must request an exception that takes a day,
for the request to go through & be approved.
You must provide, PC Name, User Name, USB brand, USB Serial #, Files to be moved.
You get a 24 hour exemption after you download a Trend-micro exception file.
If you have an issue with the PC, USB, User, or File...
you will need to start the process all over

Super Koop · Mar 27, 2020

Most of the time, the IT department does not generate the corporate income.
Ours even uses an application, incompatible with WiFi + Ethernet communications at the same time (we have learned to disable it).

We keep the Office apps and the Rockwell Licenses on the base machine.
The programming software we keep in VM's with multiple versions (much love to the Factory Talk versions).

Occasionally we'll run into older software and the lack of "serial" ports issue. But it still better than "olden-times" when serial ports and interupts were our primary issue.

Now if we could just make sure it arrives or starts with Ethernet capable devices.

dogleg43 · Mar 27, 2020

Dayvieboy said:
I went to jog a 1e-11 ultra high vacuum pump one time during commissioning and the off button did not work. I then found that the Ignition SCADA Gateway was forced to to do a reboot for a windows update and it said "2% complete please wait..." when I got to it 5 minutes later.
.
I also was working on a Citect SCADA system and saw a window pop up that said
"Virus found deleting Citect" the freaking IT department rolled out forced virus updates with NO exceptions. They deleted the SCADA system!!!
.
When IT causes equipment damage & shut down production for a few shifts and then management gets involved.
.
We now have 3 major sets of different rules.
1 for typical computer users & 2 different sets of rules for engineering.
.
Virus updates are forced on normal PC's (sometimes with no warning)
On Engineering updates are downloaded & you get to decide when to reboot (delay up to 2 weeks)
.
On machine controlling PC's updates are never forced but tested on a new VM, after proven to be stable they are cycled in. (This requires $ 30,000 in spare licenses)
.
Engineers get a special build of Trend micro that allow you to white list programs like Rockwell Studio 5000 to avoid constant scanning from eating up your CPU usage.
Or white list a utility you may need to run.
.
All files e-mailed are intercepted, IT will scan and approve them, sometimes takes a day.
.
All USB drives are blocked from working.
You must request an exception that takes a day,
for the request to go through & be approved.
You must provide, PC Name, User Name, USB brand, USB Serial #, Files to be moved.
You get a 24 hour exemption after you download a Trend-micro exception file.
If you have an issue with the PC, USB, User, or File...
you will need to start the process all over

I was working for a system integrator at a factory and needed to take my laptop in and out every day. This required a pass signed by about 10 people at the factory.

Finally got all the forms signed to get the pass & went to another office to get it (the plastic pass). They didn’t have any of these, but no problem I thought. I’ll just show the guard the paper approval granting me a pass to remove my computer. No dice, I had to have the actual pass. Ughhhh, bureaucracy!!!

PreLC · Mar 28, 2020

I have multiple computers, one for programming: with full admin access and remote desktop enabled, another one for the remoting into my full-admin computer.
The company IT manages the PC I use to remote in with, the other PC is just managed by me.

padees · Mar 28, 2020

Programming laptop at work is off limits to IT.

They do drool a bit when they see it tho. LOL!

Survey: How does your organization manage laptops

James Mcquade

Member

mk42

Lifetime Supporting Member

harryting

Lifetime Supporting Member

Lare

Member

mk42

Lifetime Supporting Member

Dayvieboy

Lifetime Supporting Member

Super Koop

Member

dogleg43

Member

PreLC

Member

padees

Member

Similar Topics