Yeah but that's because "getting things done" for many people involves stupid stuff like installing malware-infected warez copies of Photoshop because they can't be bothered getting approval to expense a copy.
I used to think IT departments were dicks, until I worked at Google and went to a tech talk by their WinOps division (what's called IT in every other firm). They were explaining why they were transitioning Windows users to binary whitelisting - literally not a single EXE runs unless it's whitelisted by IT. I thought wow, how tyrannical, that's surely a Dilbert-esque IT power trip.
And then they told us about all the stupid stuff people did with their Windows desktops. There was literally nothing so ill advised people didn't try it, and even worse, those people were sometimes very senior engineering executives. You might think such people would know better but ... no. Also, engineers aren't any more immune to phishing than anyone else, it turns out.
Isn't the whole drive towards zero-trust network configurations to allow BYO device to work, i.e. to assume that every device will be compromised and plan accordingly? Seems much better (to me) than crippling the desktop environment of your employees and hobbling their productivity.
Just FYI that the Microsofty way to say this is “You have failed to provide sufficient evidence that the GPO policy set as a result of work units executed by my business group were to be dicks”.
Yes, this is for security and management. Pretty important stuff. We don't just set GPOs to be dicks.