“Active Directory Group Policy can disable the use of USB drives on domain-joined Windows computers, and prevent network access by non-domain joined computers. Macs cannot be joined to an Active Directory network, or be controlled by AD Group Policy.”
Sure, and then (as usual) the question becomes: “How much do I want to restrict my users’ productivity in the name of security?”
So now you’ve locked down USB drives, have you also locked down email? Access to SSL-enabled websites? Disabled writing optical media? Perhaps you should just get rid of those pesky computers altogether.
“As far as whether a “position” requires access to the information, once non-secured computers are allowed onto the network then you’re faced with trying to control who can and cannot use those computers.”
You’re referring to the “network” as a monolithic entity, which it is not. There are devices called “routers” that can efficiently and extremely securely control which devices have access to given network resources. Making sure “employee owned computers” can’t access sensitive information is trivial.
“If you have that kind of information on your network, there is no rationalizing allowing employees to access that data from a non-corporate computer as being anything but very bad practice.”
Nor have I said anything that disagrees with that stance. Company provided Macs (perhaps running Windows in a VM) are a different issue.
No, it doesn't. We don't hire people who can't be productive using the computers we provide for them. If they can be productive on a Mac, they can be productive on a Windows-based computer if they want to.
We're not going to re-architect the infrastructure to accommodate a handful of whining hardware snobs.