'Rogue' users rile IT professionals

They cling to Corel's WordPerfect word processor, Lotus' 1-2-3 spreadsheet or an esoteric messaging client such as Pegasus Mail long after their employers have standardized on something else, usually the Microsoft desktop. They are "rogue" application users, and they are the bane of a network administrator's existence, according to most - but surprisingly not all - IT professionals.

"The problem, in a nutshell, is not that rogue users want to use their rogue applications, the problem is that they want support from me for them," says Jeremy Collins, a systems specialist with a Texas insurance company, summarizing the views of many administrators.

Maintaining unauthorized applications can cost an IT department dearly in terms of staff time, ad hoc training and distractions away from more pressing business matters, say critics of the rogues. In addition, rogue applications cause a slew of interoperability and security issues that their users may not know about.

According to Collins, honesty may not be the best policy when it comes to dealing with these users.

"It has to be made clear that you do not support anything other than the standard," he says. "It's also necessary to lie to the users to maintain this: You may know how to support WordPerfect and probably 90% of the other rogue applications, but never let on. If the users find out you do know, they will expect support."

Most network administrators can cite a favorite rogue story or two, even if they do not consider the practice a significant issue in their shops.

"One we get all the time is people downloading Outlook [Microsoft's e-mail client]," says Andrew Bell, network manager at Milltronics, in Peterborough, Ontario. "The default install for Outlook hoses the [company's standard] GroupWise client."

Fixing the problem the first time took hours and still takes 20 minutes a pop now, he adds.

As for antirogue measures, Bell's company sticks to the basics.

"We find that a combination of regular software audits and policy [reinforcement] is quite effective," he says. "We also make it very easy to purchase and install the standard applications - site licenses, configuration scripts, Novell Application Launcher, a 'restore your laptop' CD, etc. Users will normally take the path of least resistance - so I make it as easy as possible to access and use standard software."

Other administrators report having had success "locking down" user desktops using the likes of ZENworks from Novell and Full Control from Bardon Data Systems in Albany, Calif.

Then there is the benign neglect method.

"If they use any unapproved software and then have a problem, they go to the bottom of the list - and stay there - until all problems are fixed on computers from users who follow company policy," says Walter Fletcher, IS manager at Lipscom & Pitts Insurance in Memphis. "This means it could take a while . . . or we give them a slow 486/66 [PC] as a loaner - ouch!"

The risk of breeding security breaches is cited often by network managers who oppose rogue users.

"Our mail system does have virus checking, our rogues do not," says Ray Pasley, supervisor of network services at Kansas City Power & Light Co.

While the flow of proprietary information out of the utility company can be monitored using the administration functions found in Microsoft Exchange, those controls are useless if rogue users deploy unauthorized e-mail clients, Pasley says.

"Rogue clients of any type need to be known before they can be set up to be monitored by external security," he adds. "[With rogues] there is a much better chance for long-term leakage prior to discovery."

While in the minority, there are administrators who see rogue users as more of a mixed blessing than a menace.

"I do have a few rogue users, but I have never felt they were a problem," says David Byrkit, e-mail administrator at ITT Avionics in Clifton, N.J. He nonetheless discourages the practice by promising support only for Outlook.

Byrkit is among those administrators who see a positive aspect to the rogue phenomenon.

"I have one rogue user who often warns me of problems with our e-mail before anyone else notifies me and sometimes updates me on what is going on outside of my little ITT Avionics world," he says. "I consider him a positive user and kid him that when I retire he will be stuck running the e-mail system."

Another expert encourages an even more liberal stance.

"Any company that doesn't allow rogues to exist has a real problem," says Joel Snyder, senior partner with Opus One, a consulting firm in Tucson, Ariz. "They need to be tolerated and supported."

Doing so requires network managers to take to heart that old adage about the customer being right, Snyder adds. "The IT staff is there to support the organization, not to control the organization," he says.

Zero tolerance of unauthorized applications, however, is the far more common philosophy among network managers. "If we didn't install it, we don't support it," says Jerry Fain, IT manager at Winter, Wyman & Co. in Waltham, Mass.

Fain is among those administrators who fear the slippery slope that can result from turning a blind eye to rogue applications.

"The next thing you know," he says, "users are bringing in their machines from home and asking us to make them Y2K compliant."