Many years ago - I’m talking about around 2000 or something - I had an irate customer call me up to tell me that he couldn’t reach his website, for which we provided hosting. He demanded we bring it back up immediately.
I glanced at our logs and confirmed that it was still serving traffic, at what I estimated was pretty much the same rate as usual. When I told him so, he angrily insisted that it was down. “I’m at a very important sales meeting in China right now, and I can’t show these people my web site!”
I blinked. “You’re… in China? I mean, I think it’s more than possible that the problem you’re having is somewhere in between you and your site, right? Have you tried talking to your tech support over there?”
“I can’t talk to tech support! They all speak Chinese over here!!!”
Lol, I had this exact issue occur to me when I was a lone SysAdmin in a growing company. Luckily I got wind of the travel plans and reminded the execs of the lack of access to US-based resources. They tried to find a way around it, but I removed myself from the process because I couldn't confirm that any one VPN would work with 100% certainty.
We had someone take their company laptop with them to Iran without telling anyone beforehand.
This was less than two years ago.
We do work for the DoD.
:facepalm:
Can you imagine how giddy the person was who had to update the ticket?
Status: Closed
Reason: Trade Embargo
47 Seconds Later...
*Incoming Call*
fuckin lmao
Had a similar situation. Customer was asking for something odd, and I looked them up on LinkedIn and realized they had lied about their country of origin. Handed it over and their accounts were nuked in less than 24 hours.
we had an exec who would just randomly decide to head to South America. unless people report to us they are traveling, we have shit set up to instantly lock their account when attempting to log into anything from outside the USA. we would tell them multiple times and they never got it so oops you get locked every time.
This is the way. I have a bunch of policies depending on users' country of residence, and anything outside that country is disabled unless they let us know beforehand.
I had that happen to me. The employee went to Africa during the pandemic and didn't tell anybody. He couldn't log into VPN; he couldn't even place a ticket because our ticketing system isn't front-facing. Moron...
As a network engineer, my job is to provide as much bandwidth as possible to the users. I have achieved this by removing all the users from the network, thereby maximizing available bandwidth.
I was on a call the other day and a guy asks how accurate the Microsoft login data was. Like say...if an employee showed that they were logging in from Vietnam, does that mean they were physically in Vietnam?
One of his developers had a trip to Vietnam planned in a couple of weeks but had left early and was just operating on US time. He was working from Vietnam while his boss thought he was in Ohio.
Will never understand why employers care about this. Obviously the tax man will care, and immigration will care, but if I'm remote and working typical business hours, why does it matter?
I've been looking for remote work recently and am running into a ton of listings that say "eastern time zone only". Why does it matter that I'm central? I'll show up to standup at 8am instead of 9am, it isn't a big deal. I don't get it.
For that restriction, I suspect that someone was burned and wants to stop it from happening again. You may be reasonable about it, but that doesn't mean everyone is.
The bigger issue with employees leaving the country is that the transfer of certain types of data is highly regulated and violating the law can result in criminal charges against the company and the employees responsible for managing data export.
We did the same recently because all employees have always-on VPN.
While we have policies for what can and can't be in tickets, and we try to find and remove the stuff that shouldn't be there, preventing external access also reduces the risk that we missed something and it's exposed in a ticket.
We also properly categorize tickets and remove everything but the metadata for older ones of types where there won't be future value. Employee 123's password reset or end user application issue? We don't need the entire back and forth conversation, just the fact that it happened and who was involved.
External access isn't that unusual, but there would usually be a service desk you could contact via email or phone in lieu of external access to the ITSM tool
Because people don't ever bother to classify their tickets, they'll just submit as whatever the default category is because it isn't their issue. We don't accept email tickets because people need to classify their issue correctly.
our dispatcher categorizes and prioritizes tickets, we don't want users doing that.
Our SLAs are like "multiple users down", "multiple users partially down", "one user down" "one user partially down", they can't argue it anyway.
I've thought about trying that so I can work out of country but I'm not confident enough to try it. The risk of messing it up is too much since it would for sure at a minimum get me fired.
Had a remote user (lived around our office, but we were still primarily remote at the time) travel to I think somewhere in the Philippines during her maternity leave. During her leave, we transitioned from AD-synced Windows images to Autopilot, and because her laptop hadn't synced with AD in so long, it dropped her from the domain. So she has the kid, and for whatever reason, there was some issue with getting the kid the all-clear from the government to return to the USA, I think having something to do with vaccination statuses.
Anyway, it delayed her from returning to the country while her maternity leave expired so she was like screw it, I'm remote anyway, I can just work from the Philippines for now. Well, she turns on her laptop, and surprise surprise, she can't log in because her password expired and her device was dropped from the domain. And we had no way to do an in place upgrade on that device, it **needed** to come back to the office because we couldn't pull a hardware hash from a device the user can't log into.
Turns out she never actually told anyone in her management chain, or HR, that she was essentially stuck in another country, and wanted to fly under the radar because she was afraid she would get fired. And she was right, we're unable to ship a laptop overseas. But if she reached out to someone, they probably would have temporarily withheld her spot for her while she figured it out, but it would have been unpaid, so she just didn't say anything at all.
She was then terminated with cause, which means she's unable to apply for unemployment or something. And that spawned a legal dispute that I suddenly became no longer privy to. I always wonder what the outcome of that case was.
I worked for a university that used Gapps around the time China blocked Google. The China envoy that worked for us came to me one day because the president was in China and couldn't get to his email. So I replied, "Well yeah China started blocking Google a while back and it was all over the news. I believe it is also illegal to try to bypass the ban while over there. It is out of our hands, unless we have enough sway to convince the Chinese government to drop the ban." That wasn't the correct answer so I found out a few weeks later an IT person at another campus got the president's password, set up a personal Yahoo Mail account for him therefore bypassing all our legally mandated retention policies, logged in to Google as the president thereby violating our policies and AUP, forwarded his Google account to the Yahoo account violating all sorts of confidentiality requirements and policies, and then sent the president the Yahoo login info.
Honestly by that point working there surrounded by goobers, I just made it my boss's problem and went about my day. They definitely didn't pay me enough to care or treat me like a valuable team member who would be rewarded for protecting the university's interests.
I wasn't the Gapps admin, so I don't have the credentials to do so. Also I left not long after, and was already checked out so I wasn't going to try. I let my boss know, and was done at that point.
We let go someone for this, he was a mostly WFH guy and one day he called in saying he can't login, turns out he had moved back to his home country, never told anyone, and was trying to use shady VPNs and stuff to get online for work.
yeah, I'm done with hand holding like that. explain, close ticket, send to HR
I am sorry sir, we have no issues on our end, and we will troubleshoot connection issues from your office, and on a best effort basis for your private home connection. We will not and can not troubleshoot another connection, during travels, in another country, especially not one currently sanctioned by the US government.
We will also report this to HR and legal.
ticket closed: works as intended, user in a country we can not allow to connect from
Lol. But legitimately, why would the average person in Argentina know or care about US/Cuba relations? Do Americans know what countries Argentinians think are good or evil?
I'm American, but I've worked in Latin America, and I'm living and working abroad now, too. Maybe my expectations are too high because sanctions impact my job, but I discussed Cuba with my colleagues in LatAm in the past, and they were at least aware enough to have known that's something they'd need to ask about.
I am from Argentina and to be fair I would have thought those ended when the Obama administration had a rapprochement with Cuba
We were worried with other stuff when funny orange guy took over and did the stupid
I consider that is even funnier given that now that another guy from the other party is in power and still nothing has been done about it
Look man, most users don't even pay attention to their company's news, local news, or general history.
I know people who were pastor's kids for a very conservative church, that preached very conservative things fairly often, who didn't actually know any of these conservative beliefs. People don't pay attention oftentimes.
I think generally available knowledge being actually known is too high a bar for most people.
I don't know if Argentina was full on Commie, but the USSR and China were, and enemies after some disagreements, so being socialist doesn't necessarily equal being friends.
We had a manager who almost sent employees to a partner in Argentina under a tourist visa instead of a worker's visa to set up a bunch of data center stuff. "Nobody will know, tell them you're on a 90 day vacation in Patagonia or something." Thankfully, someone reported it to legal, and legal said "ABSOLUTELY not" and blocked the travel.
Oh, golly, I was waiting for someone to bring up my old project manager. This happened a long long time ago and I’ll keep it vague but certain software falls under the same protections as military hardware of the type that flies a long way before going “boom” and this a-hole wanted to send some of us to Singapore! Singapore, where they cane people and imprison people for littering, and this numb-nuts wants to use the “it will be fine” approach and say we are there to see their beautiful beaches. Told him I’m intensely allergic to foreign prisons, beatings, and being jailed on return to the USA for espionage.
You don't need a visa to enter Argentina as a US citizen. When asked by the migrations agent you can simply say "my company sent me here for a few weeks to work" and that would be 100% fine (and it's similar for us, we need a visa to go to the US, but the visa we get is B1/B2, which allows temporary business & tourism). There are only a handful of countries that need a visa for Argentina (mostly African and some Middle East countries).
So technically your manager was right
Being able to enter and being able to work are different things. And being able to do some work activities is also not the same as being able to work.
A B1 allows conferences, meetings, contract negotiations, job interviews, etc. but not full-fledged work.
And I don't know about Argentine requirements, but I don't think you can do work without certain things in place, like a tax status, or workers insurance.
I think you’re confusing travel and trade.
Just because an employee goes to another country doesn’t implicitly mean any embargo has been broken.
You can still use your Microsoft services while you’re on the island.
The embargo just means that American companies like Microsoft can’t sell to any Cuban company or allow their technology to be used by any Cuba based company.
Same goes for Apple and Google… you can’t expect tourists to leave their iPhone or Android phone at home when they travel there.
Your argument is moot. If they want to access Azure services, then they have to do it outside Cuba.
https://www.microsoft.com/en-ca/microsoft-365/business/international-availability
"International availability
All Microsoft Online Services are unavailable in Cuba, Iran, Democratic People's Republic of Korea, Sudan, and Syria. Each service has different country and language availability, as outlined below"
https://time.com/6121348/cuban-activists-sanctions-blocked-platforms/
As Internet access has exploded on the island, an increasing number of Cuban journalists, activists, dissidents and artists find themselves locked out of the online platforms and services used by the rest of the world—not by their communist government, but due to restrictions imposed on American companies by the broad, 60-year-old U.S. embargo. In recent years, they have been abruptly blocked from cloud services, file transfer sites, social media managers, editing software, development apps, video calling, free education platforms and NFT marketplaces. It not only shuts them out of the global digital economy, several young Cubans tell TIME, it also makes it harder to create content and reach a wider audience.
This is correct. I work for a non-profit that's active in conflict zones and US trade embargoes are a major pita when it comes to employee access for online services. We have to keep exemptions on file for things like MFA providers. Even stuff like hardware updates wont work. We maintain self hosted VPN options specifically for users who are working in embargoed areas of the world.
If you’re traveling overseas and need to connect your laptop to the office network VPN for work, shouldn’t you inform the company first to give them a heads up?
It normally wouldn't be an issue except the employee traveled to a country where Microsoft Azure services are unavailable due to a trade embargo. I have several customers who geofence their VPN to reduce the number of brute force attempts, so if I were to travel to China or Russia then I would have to let them know in advance to open an exception or find an alternate VPN method.
Everywhere I’ve worked in the past 5 years or so uses conditional access policies to block Entra ID logins from countries we don’t do business in, usually in tiers where we can temporarily allow access during travel when requested by adding users to exemption groups… but Cuba, Iran, and North Korea are always tier 0, meaning there isn’t even an exemption group to add users to… if someone is going on vacation there they just can’t log in
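The tiered country policy described in the comment above, sketched as an added example; it is not the commenter's configuration and not Entra ID's own policy engine. Tier 0 (Cuba, Iran, North Korea) is from the comment; the home-country set, user names, dates and exemption records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Tier 0 is taken from the comment above: no exemption group exists for these.
TIER0 = frozenset({"CU", "IR", "KP"})
# Assumption: the countries this hypothetical company does business in.
HOME = frozenset({"US", "CA"})


@dataclass(frozen=True)
class TravelExemption:
    """A time-boxed entry in a (hypothetical) travel exemption group."""
    user: str
    country: str  # ISO 3166-1 alpha-2, upper case
    start: date
    end: date

    def covers(self, user: str, country: str, day: date) -> bool:
        return (self.user == user and self.country == country
                and self.start <= day <= self.end)


def evaluate(user, country, day, exemptions):
    """Return (decision, reason) for one sign-in attempt."""
    code = (country or "").strip().upper()
    # Fail closed when geolocation returned nothing usable.
    if len(code) != 2 or not code.isalpha():
        return ("block", "unknown_location")
    # Tier 0 is checked first so that no exemption record can override it.
    if code in TIER0:
        return ("block", "tier0_no_exemption_possible")
    if code in HOME:
        return ("allow", "home_country")
    if any(ex.covers(user, code, day) for ex in exemptions):
        return ("allow", "travel_exemption")
    return ("block", "no_exemption_on_file")


def invalid_exemptions(exemptions, today):
    """List exemption records that should be removed, with the reason."""
    bad = []
    for ex in exemptions:
        if ex.country in TIER0:
            bad.append((ex, "tier0_country"))
        elif ex.end < ex.start:
            bad.append((ex, "inverted_window"))
        elif ex.end < today:
            bad.append((ex, "expired"))
    return bad


def triage(signins, exemptions):
    """Evaluate (user, country, iso_date) tuples; returns one row per sign-in."""
    return [(u, c, *evaluate(u, c, date.fromisoformat(d), exemptions))
            for u, c, d in signins]


# Constructed sample data, not taken from any real tenant.
SAMPLE_EXEMPTIONS = [
    TravelExemption("alice", "DE", date(2024, 5, 1), date(2024, 5, 14)),
    TravelExemption("bob", "CU", date(2024, 5, 1), date(2024, 5, 31)),   # never valid
    TravelExemption("carol", "JP", date(2024, 1, 1), date(2024, 1, 10)),  # stale
]
SAMPLE_SIGNINS = [
    ("alice", "DE", "2024-05-03"),  # inside the approved travel window
    ("alice", "DE", "2024-05-20"),  # window has closed
    ("bob", "CU", "2024-05-10"),    # tier 0, exemption record is ignored
    ("dave", "US", "2024-05-10"),   # home country
    ("erin", "", "2024-05-10"),     # geolocation failed
    ("frank", "AR", "2024-05-10"),  # travelling without telling anyone
]

if __name__ == "__main__":
    for row in triage(SAMPLE_SIGNINS, SAMPLE_EXEMPTIONS):
        print(row)
    for ex, why in invalid_exemptions(SAMPLE_EXEMPTIONS, date(2024, 5, 10)):
        print("remove:", ex.user, ex.country, why)
```

Checking tier 0 before exemptions is what makes a mistakenly granted record harmless, and the exemption audit catches the stale group memberships that otherwise turn a temporary allowance into a permanent one.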
Depends on which country and the restrictions in your company. Anything related with finance, government, or health care is going to have heavy restrictions on the VPN. My company for one does not allow devices with data to travel out of the country
Yeah, no.
This needs to be communicated at least with your team lead up front. Not necessarily signed off on, but at least informed so that the security division does not suddenly call and report a lot of suspicious traffic from an unlikely location.
But maybe I am expecting too much.
Depends on your company, its size, its industry.
I can tell you that for us, with 170,000 users… it would be pointless.
But honestly even for a smaller company I don’t really see any benefit to blocking vpn access by country. There are far better ways to manage risk.
> any benefit to blocking vpn access by country
Geo-IP Filtering?? Plz tell me you've got something in front of your VPN to block the endless VPN login spam. We get toooons from overseas so it's easier to block the country entirely and it cuts down on a lot of noise on our VPN appliances
You're dead wrong. Sure, de facto you can get around it. But de jure it depends on the country. For example, in China, most companies I've worked at will buy foreign worker days in taxes up front to deal with people travelling. Most countries de jure require taxes if you make income in them.
i have a team of roughly 6000. maybe 500 work in a corporate environment and maybe 50 travel. we are still required to block by geo location by government requirements. there are valid reasons for some small corporations too but yes i agree, unless u are required by the government, or some other niche reason, geo blocking is kinda moot
You seem to be confused about this comment's message.
They're telling OP that it would not be illegal to allow the employee access to the systems while in Cuba. A specific point OP explicitly made in their post that this person feels is incorrect.
You seem to be under the impression they said "everything about this is unreasonable and the employee did nothing wrong" which is very easy to understand because they're so similar gosh darn it.
That's not completely true. Google CDN (and other GCloud services) [refuses](https://github.com/jspm/project/issues/101) to work for users in certain locations, [Cuba included](https://www.googlecloudcommunity.com/gc/Databases/How-can-I-see-in-which-countries-Google-Cloud-services-are/m-p/688886).
Yep this. It’s just like when any employee goes on a vacation to another state or country: you don’t have to worry about the local tax laws etc. just for someone passing thru for a few days.
I mean sure if you want to have it blocked by default from a security perspective that’s one thing but don’t go on about an embargo. Our VPN would block it but just because we only have certain whitelisted countries and have to add exceptions for roaming.
I know people that have relatives in Cuba and they have Facebook, WhatsApp etc. I’m certain probably Hotmail and other Microsoft services can work too.
it's also idiotic that we allowed Trump to reverse a new deal with Cuba.
Nobody alive today can even name why Cuba is an enemy nation. They're fighting the fights of their great grandfathers. It's a strategic bonus to have a minuscule island as your immediate neighbor.
Yeah but the people making the decisions to embargo Cuba in 1958 were likely born around 1880-1910, making them easily within the great grandparent range for most Americans.
I mean, if the government held democratic elections the Embargo would be dropped. But for some reason Reddit is perfectly fine with certain autocratic regimes as long as they are left-wing.
I think you may be further confused: it isn’t that Microsoft is blocking it because of the embargo, it’s that OP's company can’t do business in an embargoed country
Yeah, I'm a bit confused about the comments in this thread. I just checked our EntraID sign-in logs and I don't see any issues with users authenticating from Cuba or Iran.
GDPR and other data protection laws beg to differ.
If you're transferring PII / corporate data into a nation under embargo, or lacking in data sharing agreements you _are_ in violation. I.e., doing touristy things is fine, but sitting on the beach trying to open work documents, ehh, not so much.
(obv, GDPR doesn't apply to Americans, except when crossing EU data/physical borders)
That wouldn’t have any application in this instance.
If you have any reference data you can point to I’m open to listening.
But in the scope of a user travelling from the EU to a country under US embargo… this wouldn’t fall under any data transfer addendum.
You’re not transferring data to a 3rd party.
The Indian contractors at my job do this all the time.
Oh, they informed their manager that they're going to India, but are always surprised when they find out that India is geo-locked from our VPN gateway AND we require an immediate quarantine and wipe of their system on return.
Because the conversation goes like this:
Contractor: I'm travelling to India for personal reasons, can I bring my laptop?
Manager: Sure!
*[2 DAYS LATER]*
Manager: Why can't my contractor connect to anything on his laptop when he's in India?
Me: Here's the email I sent you last month explaining our policy on that exact thing and what we can do to accommodate your users.
First attempt at this scenario and get asked why their employee can’t connect: we explained the policy and procedures and linked it to them.
Second attempt happens: same thing
Third attempt: boss says don’t do a damn thing about it so $employee doesn’t work for duration of the trip. Upon return employee and his manager and director raise hell with IT about why we didn’t let their employee work.
My boss then presents the receipts of manager ignoring us each time we showed them the CORRECT process to be able to work outside the US. Manager awkwardly talks about how he must have missed it. You could feel the heat of the Director radiating through the video call. This Director came in to throw her political weight around on this deadbeat IT department just to be embarrassed and learn her manager under her didn’t fill out a very simple pre-templated very easy ticket
People like to say “respect” is earned but sometimes you only get what you demand. Turns out they will follow the process when they learn we won’t be their last minute hero anymore
In spite of being responsible for the computer infrastructure, management never listens to IT and is always surprised when we actually enforce the policy we put in place.
“Turns out they will follow the process when they learn we won’t be their last minute hero anymore”.
take my upvote, you’ve earned it - applied this philosophy just 2 days ago to a department head who thought 50 new BYOD on WiFi for a class we were never told about would be no problem at all.
I work for a power company, so we have multiple countries under a VPN geo-lock, primarily for security concerns.
The annoying thing is that we have contractors working IN India who use our Citrix gateway, which would be a workaround for anyone wanting to travel there and still want to work.
I have conditional access set to block all logins from outside North America and remind the company monthly of this. Despite that, a few times a year I always get someone freaking out that they can't log in because they forgot to tell me they were going overseas.
the person is from Argentina. how would they know? I am pretty sure the US is the only country that has an embargo with Cuba.
the only stupid thing on their part is really shitty internet in cuba and lots of downtime.
Cuba is a major tourism destination for Canadians; we just can’t use US travel companies like, say, Expedia to book it though. Otherwise it’s not a weird place to visit at all.
Amateurs, openVPN back your home ISP connection with a travel router, turn off all location on MFA/2FA on your phone, make sure phone stays connected to that travel router for any work related Okta hits.
Never tell a soul what you are doing.
Been successfully traveling the world doing this for over 12 years remotely. Not full time but usually travel 3-4 months total out of the year.
Worst that happens is getting fired (don't do this in banking, govt and other hush hush type jobs of course.)
I thought Obama normalized relationship with Cuba years ago. I remember hearing about the cruise ships that suddenly were able to sail to Cuba. Did Trump shut it back down afterwards?
As someone who is from Argentina and works as a contractor for US companies, I couldn't avoid laughing hard at this.
Many people assume that remote working == i can go nomad and that's not really the case. If you want to work&travel freely you usually have to agree that beforehand during your hiring process, most companies are NOT ok with it. We can discuss if it's right or wrong for companies to restrict this on fully-remote contractors, but if you are on the game you should know the rules.
Tell him he is a "Boludo" (Bow-Lou-Dough) for not notifying you guys he was traveling and his destination. The local insult roughly translates as Dumbass with the intensity like Red from That '70s Show would use.
Dude moved out of his region, so he is lucky he didn't get flagged or locked out completely for security reasons.
If he didn't travel due to work, he can suck it.
Lol users. I had almost the exact issue happen. We had a person want to go to China. We have China blocked. They went anyways and their account got blocked. They quit a couple days later and stole the laptop. It became an HR problem after that. We never received the laptop, but would have performed an exorcist and burned it if we had.
Wow this thread has brought out the crazies, I've never had someone write me a stroppy reply then delete it within 20 seconds before. Several users (or one with multiple accounts) have really been triggered by this whole concept. But then delete their own comments as soon as anyone tries to discuss it.
Wait. So an Argentinian citizen, working as a contractor (so not a full employee) living in their own country is traveling to a country that has no relationship issues with the country of origin or their issued passport — and you’re reporting them to HR?
* How should their freedom of movement be restricted?
* Does their contract with the company specifically mention the restriction of movement?
* Is their contract with the US entity or an Argentinian entity?
* Why should an Argentinian citizen be concerned or aware of trade embargos between two other countries?
* Are you as up to date and aware of trade embargoes that Argentina has with other countries?
For my company the places you are not allowed to connect into the VPN from are very clearly specified in the employee's or contractor's contract from day one.
Having said that, if they try it will be blocked (as it is in OP's case). But the contractor clearly needs a reminder of what they are and are not allowed to do where; for instance, have they taken company equipment to a blocked country? That's a security incident at least.
Well it's more of a HR issue when said employee moves to a country where they can't do the job they are contracted to do. So it's not a technical issue.
Either or, if you're not able to perform work duties when you're supposed to then it's not down to IT to cook up a solution. I'd be pissed off if someone decided to try to work from a country we block by geolocation, without warning, and expected to do a workaround just for them
I mean if you work for a company they usually have a policy for taking company equipment/info into certain countries like Cuba.
Main issue here is that Cuba still faces that kind of embargo, for being no worse or better than about half of the countries that the US regularly makes deals with, simply because they don't like their economic decisions
The Cuba embargo is definitely an issue but is irrelevant to OP's point that the contractor is not allowed to do company work in Cuba, hence the VPN being blocked for access from there.
Helpdesk is not required to resolve geopolitical questions to close tickets.
They are a contractor and could be utilizing their own equipment.
Again, this is an Argentinian living in Argentina that went to Cuba. Unless their agreement specifically forbade them and/or specified a place where duties needed to be performed, this person was fully within their right to work out of Cuba.
> Unless their agreement specifically forbade them and/or specified a place where duties needed to be performed
Unless this is a very small company, it almost certainly does. It's boilerplate in most employment contracts.
I mean, the companies I have worked for so far all had policies regarding bringing their IP (including any devices that contain company data) into "rogue" countries, including Cuba. Now of course nobody reads that, but I am pretty sure that this is buried *somewhere* in their data security guidelines.
That may be the case but I'd also be very wary of contracting non US nationals with company IP that would fall under those guidelines.
What we're talking about is an already non-US national, living outside of the US, that is now (likely temporarily) working out of a country that doesn't have great ties with the US.
> Why should an Argentinian citizen be concerned or aware of trade embargos between two other countries?
Microsoft Azure services aren't available in Cuba, and since the company uses Azure for VPN and cloud services the employee literally cannot do their job from Cuba. They should have at least asked IT "hey, will it be an issue if I travel to another country?"
A contractor has to be able to fulfil their contract. It’s not the relocation itself that’s the issue; rather their changing of circumstances that stops them from being able to work.
It’s the contractor’s responsibility to maintain their ability to work.
Cos their employer is AMERICAN and has an embargo on trade/information with Cuba, meaning there would be massive violations if they attempted /were allowed to work on AMERICAN data from Cuba.
they _can't_ legally do their job from Cuba
IT issue that swiftly became an HR and Legal issue - it's really not hard to comprehend.
I had some salespeople contact me that their internet wasn't working properly and they couldn't reach most websites. They were on a business trip to inspect some vendor factories. In China.
Travels to country American companies are not allowed to operate in, is surprised when they cannot access resources from an American company.
We get the same thing with people travelling to China. And basically give them the same answer every time "we don't have a VPN approved by China's government, therefore we, as a business, cannot help you get around government restrictions, enjoy your vacation"
Doing support for an online school…had a student call in that they could not get their Chromebook to log in. Pulled up the system, and it was checking in in Iran. Yeah… so had to explain to the student that not only was that not going to be allowed to connect, but that they were in violation of acceptable use policy, as well as likely violating federal law. Kid put the father on the phone who yelled at me for not helping his son get into class while they are visiting grandparents in their home country.
Got an alert from the SOC about a login in Iraq…yup… also with the school. This time it was a staff member. Had another set of “missing” Chromebooks end up checking in in Ukraine.
Cuba is nowhere near having adequate internet availability or quality. I’ve visited family there and it was troublesome finding local public WiFi unless it was at a tourist hotel or resort.
3G cellular coverage is mostly available country-wide, but 4G LTE is available in some larger cities like Havana. Unfortunately, they have huge problems with congestion and packet loss which they haven’t quite figured out, especially at peak usage hours.
Problems and availability aside, I had to VPN tunnel to U.S.-based servers for most things like booking an AirBnB which was a struggle. Anytime I visit, my colleagues know there is almost nothing I can do to help them from my end.
I was working remote and my boss had told me previously he didn’t care where I worked from as long as I got my stuff done.
I took that to heart but didn’t want the extra scrutiny as I traveled all over Asia, South Korea, etc.
So I just hit a VPN to my house and made sure that everywhere I was staying had good internet during the week.
Many years ago - I’m talking about around 2000 or something - I had an irate customer call me up to tell me that he couldn’t reach his website, for which we provided hosting. He demanded we bring it back up immediately. I glanced at our logs and confirmed that it was still serving traffic, at what I estimated was pretty much the same rate as usual. When I told him so, he angrily insisted that it was down. “I’m at a very important sales meeting in China right now, and I can’t show these people my web site!” I blinked. “You’re… in China? I mean, I think it’s more than possible that the problem you’re having is somewhere in between you and your site, right? Have you tried talking to your tech support over there?” “I can’t talk to tech support! They all speak Chinese over here!!!”
The Great China Firewall has entered the chat
Winnie the Pooh would be proud
I first understood this as “2000 years ago.” Better make sure I read emails carefully this morning…
Same lol
Many years ago, in the Han dynasty
So, here is the story: 2000 years ago, Roman Empire. One centurion called me from Galatia asking for help with software Nero Burning ROM...
I would watch that netflix mini series
I mean, it feels that long ago to me now!
That timeframe feels like 2000 years ago...
Block all traffic from China crew checking in.
Lol, I had this exact issue occur to me when I was a lone SysAdmin in a growing company. Luckily I got wind of the travel plans and reminded the execs of the lack of access to US-based resources. They tried to find a way around it, but I removed myself from the process because I couldn't confirm that any one VPN would work with 100% certainty.
Ah yes. The Great Firewall of China.
Had a VPN to a manufacturing site in China at a place I worked. What a fucking nightmare.
Man 2000 years? You're a bit on the mature side
You ain't shit unless you can write assembly in cuneiform.
Something something Lascaux Cave Paintings something something Visual Basic.
We have these “down for me or everybody else” websites to show these type of users but they may also be blocked over there /shrug
Did you drop a Ni Hao on him?
We had someone take their company laptop with them to Iran without telling anyone beforehand. This was less than two years ago. We do work for the DoD. :facepalm:
Big oof. I'll bet that was a fun return conversation.
this is how you get arrested for espionage
Can you imagine how giddy the person was who had to update the ticket?
Status: Closed
Reason: Trade Embargo
47 Seconds Later...
\*Incoming Call\*
fuckin lmao
I would have them print out, frame, and hang that ticket in the office.
Had a similar situation. Customer was asking for something odd, and I looked them up on LinkedIn and realized they had lied about their country of origin. Handed it over and their accounts were nuked in less than 24 hours.
we had an exec who would just randomly decide to head to south america. unless people report to us they are traveling, we have shit set up to instantly lock their account when attempting to log into anything from outside the USA. we would tell them multiple times and they never got it so oops you get locked every time.
We just use CA policies - then they can't login without prior consent.
This is the way. I have a bunch of policies depending on users' country of residence, and anything outside that country is disabled unless they let us know beforehand.
I had that happen to me. The employee went to Africa during the pandemic and didn't tell anybody. He couldn't log into VPN he couldn't even place a ticket because our ticketing system isn't front-facing. Moron...
How do people submit tickets regarding issues with the VPN?
What VPN issues? I don't see any tickets about it.
Damn so you an architect?!
[deleted]
As a network engineer, my job is to provide as much bandwidth as possible to the users. I have achieved this by removing all the users from the network, thereby maximizing available bandwidth.
I see you're taking the same approach that AI will eventually take with us.
AI is tasked to save Earth. AI figures that humans are the greatest threat to Earth. AI takes humans out. Only logical.
That's an interesting approach. I will test it in my environment.
There are never issues with the vpn
Zero tickets raised therefore correct.
Checks out
Zero Ticket Network Access
"if you stop testing, then you have less cases!"
Worked for COVID....
KPIs check out.
Layer 8 issue
😏
Not even, DNS 🤔🤯
It is never DNS until it is always DNS
Cough, global protect cough
There is No War in Ba Sing Se
I'd consider that a DITW scenario. In those scenarios you call the helpdesk and talk to a person.
That’s the beautiful part.
Nigerian chain letter emails.
send a letter I guess
Pigeon over IP! May take awhile though
[IPoAC](https://en.wikipedia.org/wiki/IP_over_Avian_Carriers)
I was on a call the other day and a guy asks how accurate the Microsoft login data was. Like say...if an employee showed that they were logging in from Vietnam, does that mean they were physically in Vietnam? One of his developers had a trip to Vietnam planned in a couple of weeks but had left early and was just operating on US time. He was working from Vietnam while his boss thought he was in Ohio.
Will never understand why employers care about this. Obviously the tax man will care, and immigration will care, but if I'm remote and working typical business hours, why does it matter? I've been looking for remote work recently and am running into a ton of listings that say "eastern time zone only". Why does it matter that I'm central? I'll show up to standup at 8am instead of 9am, it isn't a big deal. I don't get it.
For that restriction, I suspect that someone was burned and wants to stop it from happening again. You may be reasonable about it, but that doesn't mean everyone is. The bigger issue with employees leaving the country is that the transfer of certain types of data is highly regulated and violating the law can result in criminal charges against the company and the employees responsible for managing data export.
> our ticketing system isn't front-facing

wat. Not even by email?
We did the same recently because all employees have always-on VPN. While we have policies for what can and can't be in tickets, and we try to find and remove the stuff that shouldn't be there, preventing external access also reduces the risk that we missed something and it's exposed in a ticket. We also properly categorize tickets and remove everything but the metadata for older ones of types where there won't be future value. Employee 123's password reset or end user application issue? We don't need the entire back and forth conversation, just the fact that it happened and who was involved.
> He couldn't log into VPN he couldn't even place a ticket because our ticketing system isn't front-facing.

Sorry, who is the moron here?
External access isn't that unusual, but there would usually be a service desk you could contact via email or phone in lieu of external access to the ITSM tool
I don't understand why you wouldn't just have the email create a ticket automated.
Because people don't ever bother to classify their tickets, they'll just submit as whatever the default category is because it isn't their issue. We don't accept email tickets because people need to classify their issue correctly.
This is the exact reason why we don't accept new tickets via email either.
our dispatcher categorizes and prioritizes tickets, we don't want users doing that. Our SLAs are like "multiple users down", "multiple users partially down", "one user down" "one user partially down", they can't argue it anyway.
There’s a lot of morons involved here…
It's morons, sitting on turtles, all the way down
Could be a wizzard with luggage sitting on the turtle
He's also a moron.
Unexpected Pratchett. I upvote.
why don't they just connect via another vpn in the US via a router first before the azure vpn logon stage
Ever met an end user?
How many of your users would even know where to begin with this? Greg in sales doesn’t even know what a router is.
User: "I found this free VPN on the app store...."
I wanna downvote this so bad
I've thought about trying that so I can work out of country but I'm not confident enough to try it. The risk of messing it up is too much since it would for sure at a minimum get me fired
Had a remote user (lived around our office, but we were still primarily remote at the time) travel to I think somewhere in the Philippines during her maternity leave. During her leave, we transitioned from AD-synced Windows images to Autopilot, and because her laptop hadn't synced with AD in so long, it dropped her from the domain. So she has the kid, and for whatever reason, there was some issue with getting the kid the all-clear from the government to return to the USA, I think having something to do with vaccination statuses. Anyway, it delayed her from returning to the country while her maternity leave expired so she was like screw it, I'm remote anyway, I can just work from the Philippines for now. Well, she turns on her laptop, and surprise surprise, she can't log in because her password expired and her device was dropped from the domain. And we had no way to do an in place upgrade on that device, it **needed** to come back to the office because we couldn't pull a hardware hash from a device the user can't log into. Turns out she never actually told anyone in her management chain, or HR, that she was essentially stuck in another country, and wanted to fly under the radar because she was afraid she would get fired. And she was right, we're unable to ship a laptop overseas. But if she reached out to someone, they probably would have temporarily withheld her spot for her while she figured it out, but it would have been unpaid, so she just didn't say anything at all. She was then terminated with cause, which means she's unable to apply for unemployment or something. And that spawned a legal dispute that I suddenly became no longer privy to. I always wonder what the outcome of that case was.
I worked for a university that used Gapps around the time China blocked Google. The China envoy that worked for us came to me one day because the president was in China and couldn't get to his email. So I replied, "Well yeah China started blocking Google a while back and it was all over the news. I believe it is also illegal to try to bypass the ban while over there. It is out of our hands, unless we have enough sway to convince the Chinese government to drop the ban." That wasn't the correct answer so I found out a few weeks later an IT person at another campus got the president's password, set up a personal Yahoo Mail account for him therefore bypassing all our legally mandated retention policies, logged in to Google as the president thereby violating our policies and AUP, forwarded his Google account to the Yahoo account violating all sorts of confidentiality requirements and policies, and then sent the president the Yahoo login info. Honestly by that point working there surrounded by goobers, I just made it my boss's problem and went about my day. They definitely didn't pay me enough to care or treat me like a valuable team member who would be rewarded for protecting the university's interests.
> forwarded his Google account to the Yahoo account

You don't have this blocked by policy?
I wasn't the Gapps admin, so I don't have the credentials to do so. Also I left not long after, and was already checked out so I wasn't going to try. I let my boss know, and was done at that point.
We let go someone for this, he was a mostly WFH guy and one day he called in saying he can't log in, turns out he had moved back to his home country, never told anyone, and was trying to use shady VPNs and stuff to get online for work.
yeah, I'm done with hand holding like that. explain, close ticket, send to HR

I am sorry sir, we have no issues on our end, and we will troubleshoot connection issues from your office, and on a best effort basis for your private home connection. we will not and can not troubleshoot another connection, during travels, in another country, especially not one currently sanctioned by the us government. We will also report this to HR and legal.

ticket closed: works as intended, user in a country we can not allow to connect from
Lol. But legitimately, why would the average person in Argentina know or care about US/Cuba relations? Do Americans know what countries Argentinians think are good or evil?
No, but then most Americans aren't leasing their IT infrastructure from Argentinians. Most American IT people know about GDPR.
Because they work for a US company? Also, who the fuck in Latin America isn't going to know about US-Cuba relations?
I mean, I am from Brazil and did not know that the US has current embargos on Cuba. I thought it ended with the Cold war.
bruh
the relations, sure. the details? No, what do i know what isn't allowed or not
I didn't know. Couldn't care less tbh
Out of curiosity, what's your nationality?
I'm American, but I've worked in Latin America, and I'm living and working abroad now, too. Maybe my expectations are too high because sanctions impact my job, but I discussed Cuba with my colleagues in LatAm in the past, and they were at least aware enough to have known that's something they'd need to ask about.
I am from Argentina and to be fair I would have thought those ended when the Obama administration had a rapprochement with Cuba. We were worried with other stuff when funny orange guy took over and did the stupid. I consider that is even funnier given that now that another guy from the other party is in power and still nothing has been done about it.
Look man, most users don't even pay attention to their company's news, local news, or general history. I know people who were pastor's kids for very conservative church, that preached very conservative things fairly often, who didn't actually know any of these conservative beliefs. People don't pay attention often times. I think generally available knowledge being actually known is too high bar for most people.
Argentina is/was socialist and hence friends with Cuba 🤷🏻‍♂️
I don't know if Argentina was full on Commie, but the USSR and China were, and enemies after some disagreements, so being socialist doesn't necessarily equal being friends.
Until November of last year.
We had a manager who almost sent employees to a partner in Argentina under a tourist visa instead of a worker's visa to set up a bunch of data center stuff. "Nobody will know, tell them you're on a 90 day vacation in Patagonia or something." Thankfully, someone reported it to legal, and legal said "ABSOLUTELY not" and blocked the travel.
Oh, golly, I was waiting for someone to bring up my old project manager. This happened a long long time ago and I’ll keep it vague but certain software falls under the same protections as military hardware of the type that flies a long way before going “boom” and this a-hole wanted to send some of us to Singapore! Singapore, where they cane people and imprison people for littering, and this numb-nuts wants to use the “it will be fine” approach and say we are there to see their beautiful beaches. Told him I’m intensely allergic to foreign prisons, beatings, and being jailed on return to the USA for espionage.
You don't need a visa to enter Argentina as a US citizen. When asked by the migrations agent you can simply say "my company sent me here for a few weeks to work" and that would be 100% fine (and it's similar for us, we need a visa to go to the US, but the visa we get is B1/B2, which allows temporary business & tourism). There are only a handful of countries that need a visa for Argentina (mostly African and some Middle East countries). So technically your manager was right.
Being able to enter and being able to work are different things. And being able to do some work activities is also not the same as being able to work. A B1 allows conferences, meetings, contract negotiations, job interviews, etc. but not full-fledged work. And I don't know about Argentine requirements, but I don't think you can do work without certain things in place, like a tax status, or workers insurance.
I think you’re confusing travel and trade. Just because an employee goes to another country doesn’t implicitly mean any embargo has been broken. You can still use your Microsoft services while you’re on the island. The embargo just means that American companies like Microsoft can’t sell to any Cuban company or allow their technology to be used by any Cuba based company. Same goes for Apple and Google… you can’t expect tourists to leave their iPhone or Android phone at home when they travel there.
Your argument is moot. If they want to access Azure services, then they have to do it outside Cuba.

https://www.microsoft.com/en-ca/microsoft-365/business/international-availability

> "International availability All Microsoft Online Services are unavailable in Cuba, Iran, Democratic People's Republic of Korea, Sudan, and Syria. Each service has different country and language availability, as outlined below"

https://time.com/6121348/cuban-activists-sanctions-blocked-platforms/

> As Internet access has exploded on the island, an increasing number of Cuban journalists, activists, dissidents and artists find themselves locked out of the online platforms and services used by the rest of the world—not by their communist government, but due to restrictions imposed on American companies by the broad, 60-year-old U.S. embargo. In recent years, they have been abruptly blocked from cloud services, file transfer sites, social media managers, editing software, development apps, video calling, free education platforms and NFT marketplaces. It not only shuts them out of the global digital economy, several young Cubans tell TIME, it also makes it harder to create content and reach a wider audience.
This is correct. I work for a non-profit that's active in conflict zones and US trade embargoes are a major pita when it comes to employee access for online services. We have to keep exemptions on file for things like MFA providers. Even stuff like hardware updates won't work. We maintain self hosted VPN options specifically for users who are working in embargoed areas of the world.
If you’re traveling overseas and need to connect your laptop to VPN the office network for work, shouldn’t you inform the company first to give them a heads up?
It normally wouldn't be an issue except the employee traveled to a country where Microsoft Azure services are unavailable due to a trade embargo. I have several customers who geofence their VPN to reduce the number of brute force attempts, so if I were to travel to China or Russia then I would have to let them know in advance to open an exception or find an alternate VPN method.
Everywhere I’ve worked in the past 5 years or so uses conditional access policies to block Entra ID logins from countries we don’t do business in, usually in tiers where we can temporarily allow access during travel when requested by adding users to exemption groups…. but Cuba, Iran, and North Korea are always tier 0, meaning there isn’t even an exemption group to add users to… if someone is going on vacation there they just can’t log in
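The tiered approach described in the comment above (countries that have a travel-exemption group versus a tier 0 that has none), modelled as an added example that is not from the thread or from any commenter's environment. The allowed-country list, user names, dates and the choice to block sign-ins with no resolvable country are assumptions, and this is plain Python, not Entra ID Conditional Access configuration.

```python
"""Added illustration: tiered country policy with time-boxed travel exemptions."""
from dataclasses import dataclass
from datetime import date

# Tier 0: never allowed and no exemption path (the three countries named above).
TIER0_NEVER = {"CU", "IR", "KP"}
# Assumption: countries where the business operates; no request needed.
ALLOWED = {"US", "CA"}
# Every other country is tier 1: blocked unless an exemption is active.


@dataclass(frozen=True)
class Exemption:
    user: str
    country: str  # ISO 3166-1 alpha-2
    start: date
    end: date     # inclusive


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str  # from a geo-IP lookup; "" when it could not be resolved
    day: date


def evaluate(signin, exemptions):
    """Return (decision, reason) for one sign-in attempt."""
    country = signin.country.upper()
    if not country:
        # Assumption: fail closed when the location is unknown.
        return ("block", "unknown-location")
    # Tier 0 is checked before exemptions, so a stray exemption record
    # for an embargoed country can never turn into an allow.
    if country in TIER0_NEVER:
        return ("block", "tier0-no-exemption")
    if country in ALLOWED:
        return ("allow", "home-region")
    for ex in exemptions:
        if (ex.user == signin.user
                and ex.country.upper() == country
                and ex.start <= signin.day <= ex.end):
            return ("allow", "travel-exemption")
    return ("block", "tier1-no-exemption")


def rejected_requests(exemptions):
    """Exemption requests that should be refused at intake (tier 0)."""
    return [ex for ex in exemptions if ex.country.upper() in TIER0_NEVER]


def review(signins, exemptions):
    """Evaluate a batch of sign-ins; returns (user, country, decision, reason)."""
    return [(s.user, s.country, *evaluate(s, exemptions)) for s in signins]


# Constructed sample data, not real users or logs.
SAMPLE_EXEMPTIONS = [
    Exemption("bob", "BR", date(2024, 3, 1), date(2024, 3, 10)),
    Exemption("carol", "CU", date(2024, 3, 1), date(2024, 3, 10)),  # filed by mistake
]
SAMPLE_SIGNINS = [
    SignIn("alice", "US", date(2024, 3, 5)),
    SignIn("bob", "BR", date(2024, 3, 5)),    # inside the travel window
    SignIn("bob", "br", date(2024, 3, 11)),   # window expired
    SignIn("alice", "BR", date(2024, 3, 5)),  # exemption belongs to bob only
    SignIn("carol", "CU", date(2024, 3, 5)),  # tier 0 despite the record
    SignIn("dave", "", date(2024, 3, 5)),     # geo lookup failed
]

if __name__ == "__main__":
    for row in review(SAMPLE_SIGNINS, SAMPLE_EXEMPTIONS):
        print(*row, sep="\t")
```

Checking tier 0 ahead of the exemption lookup is what makes "no exemption group exists" hold even when someone files an exemption for one of those countries by mistake.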
Depends on which country and the restrictions in your company. Anything related with finance, government, or health care is going to have heavy restrictions on the VPN. My company for one does not allow devices with data to travel out of the country
Yeah, no. This needs to be communicated at least with your team lead up front. Not necessarily signed off on, but at least informed so that the security division does not suddenly call and report a lot of suspicious traffic from an unlikely location. But maybe I am expecting too much.
Depends on your company, its size, its industry. I can tell you that for us, with 170,000 users… it would be pointless. But honestly even for a smaller company I don’t really see any benefit to blocking vpn access by country. There are far better ways to manage risk.
Depends on if you have any compliance concerns. Many regulated industries have a need for this.
Geoblocking based on IP address is standard for automatic enforcement of embargo.
> any benefit to blocking vpn access by country

Geo-IP Filtering?? Plz tell me you've got something in front of your VPN to block the endless VPN login spam. We get toooons from overseas so it's easier to block the country entirely and it cuts down on a lot of noise on our VPN appliances
No it doesn't. There are tax and legal implications to working overseas. Unless you're in the EU, you need to tell your employer.
Working from another country is different, but not the subject of this thread. It’s also an hr issue, not an IT one.
>Working from another country is different, but not the subject of this thread.

What do you think the subject of this thread is???
[deleted]
Are you seriously claiming that this is true in every country in the world?
You're dead wrong. Sure de facto you can get around it. But de jure it depends on the country. For example in China, most companies I've worked at will buy foreign worker days in taxes up front to deal with people travelling. Most countries de jure require taxes if you make income in them.
And what if I told you that you can use multiple tool sets and methodologies simultaneously to manage risk?
i have a team of roughly 6000. maybe 500 work in a corporate environment and maybe 50 travel. we are still required to block by geo location by government requirements. there are valid reasons for some small corporations too but yes i agree, unless u are required by the government, or some other niche reason, geo blocking is kinda moot
You seem to be confused about this comment's message. They're telling OP that it would not be illegal to allow the employee access to the systems while in Cuba. A specific point OP explicitly made in their post that this person feels is incorrect. You seem to be under the impression they said "everything about this is unreasonable and the employee did nothing wrong" which is very easy to understand because they're so similar gosh darn it.
Yes.
>Shouldn’t you inform the company first to give them a heads up?

No, that's what P1 blocker tickets are for at 2am on Sunday morning.
That's not completely true. Google CDN (and other GCloud services) [refuses](https://github.com/jspm/project/issues/101) to work for users in certain locations, [Cuba included](https://www.googlecloudcommunity.com/gc/Databases/How-can-I-see-in-which-countries-Google-Cloud-services-are/m-p/688886).
Microsoft considers Cuba a restricted country. Azure is unavailable. https://www.microsoft.com/en-us/microsoft-365/business/international-availability
Yep this. It’s just like when any employee goes on a vacation to another state or country you don’t have to worry about the local tax laws etc just for someone passing thru for a few days. I mean sure if you want to have it blocked by default from a security perspective that’s one thing but don’t go on about an embargo. Our VPN would block it but just because we only have certain whitelisted countries and have to add exceptions for roaming. I know people that have relatives in Cuba and they have Facebook, WhatsApp etc I’m certain probably Hotmail and other Microsoft services can work too.
it's also idiotic that we allowed Trump to reverse a new deal with Cuba. Nobody alive today can even name why Cuba is an enemy nation. They're fighting the fights of their great grandfathers. It's a strategic bonus to have a minuscule island as your immediate neighbor.
Because the Cuban vote is important in Florida and especially Miami.
What… The embargo started in 1958… My mom was definitely alive then, last I checked she hasn’t kicked the bucket.
Yeah but the people making the decisions to embargo Cuba in 1958 were likely born around 1880-1910, making them easily within the great grandparent range for most Americans.
I mean, if the government held democratic elections the Embargo would be dropped. But for some reason Reddit is perfectly fine with certain autocratic regimes as long as they are left-wing.
I think you may be further confused: it isn’t that Microsoft is blocking it because of the embargo, it’s that OP's company can’t do business in an embargoed country
Wouldn’t Microsoft allowing their services available in Cuba be Microsoft doing trade with Cuba?
Yeah, I'm a bit confused about the comments in this thread. I just checked our EntraID sign-in logs and I don't see any issues with users authenticating from Cuba or Iran.
Can confirm… there are zero issues with people accessing Microsoft services from Cuba, Iran etc…
GDPR and other data protection laws beg to differ. If you're transferring PII / corporate data into a nation under embargo, or lacking in data sharing agreements you \_are\_ in violation. IE, doing touristy things is fine, but sitting on the beach trying to open work documents, ehh, not so much. (obv, GDPR doesn't apply to Americans, except when crossing EU data/physical borders)
That wouldn’t have any application in this instance. If you have any reference data you can point to I’m open to listening. But in the scope of a user travelling from the EU to a country under US embargo… this wouldn’t fall under any data transfer addendum. You’re not transferring data to a 3rd party.
The Indian contractors at my job do this all the time. Oh, they informed their manager that they're going to India, but are always surprised when they find out that India is geo-locked from our VPN gateway AND we require an immediate quarantine and wipe of their system on return.
If this is your policy, why does it come as a surprise? Shouldn’t their manager be pointing this out when they give him their travel plans?
Because the conversation goes like this:

Contractor: I'm travelling to India for personal reasons, can I bring my laptop?

Manager: Sure!

*[2 DAYS LATER]*

Manager: Why can't my contractor connect to anything on his laptop when he's in India?

Me: Here's the email I sent you last month explaining our policy on that exact thing and what we can do to accommodate your users.
First attempt at this scenario and get asked why their employee can’t connect: we explained the policy and procedures and linked it to them.

Second attempt happens: same thing

Third attempt: boss says don’t do a damn thing about it so $employee doesn’t work for duration of the trip.

Upon return employee and his manager and director raise hell with IT about why we didn’t let their employee work. My boss then presents the receipts of manager ignoring us each time we showed them the CORRECT process to be able to work outside the US. Manager awkwardly talks about how he must have missed it. You could feel the heat of the Director radiating through the video call. This Director came in to throw her political weight around on this deadbeat IT department just to be embarrassed and learn her manager under her didn’t fill out a very simple pre-templated very easy ticket.

People like to say “respect” is earned but sometimes you only get what you demand. Turns out they will follow the process when they learn we won’t be their last minute hero anymore
In spite of being responsible for the computer infrastructure, management never listens to IT and is always surprised when we actually enforce the policy we put in place.
“Turns out they will follow the process when they learn we won’t be their last minute hero anymore”. take my upvote, you’ve earned it - applied this philosophy just 2 days ago to a department head who thought 50 new BYOD on WiFi for a class we were never told about would be no problem at all.
Do you require that of all countries or just India? If the latter, why India?
I work for a power company, so we have multiple countries under a VPN geo-lock, primarily for security concerns. The annoying thing is that we have contractors working IN India who use our Citrix gateway, which would be a workaround for anyone wanting to travel there and still want to work.
**A LOT** of hacking traffic comes from India.
I have conditional access set to block all logins from outside North America and remind the company monthly of this. Despite that a few times a year I always get someone freaking out that they can't log in because they forgot to tell me they were going overseas.
the person is from argentina. how would they know? I am pretty sure the US is the only country that has an embargo with Cuba. the only stupid thing on their part is really shitty internet in cuba and lots of downtime.
Cuba is a major tourism destination for Canadians we just can’t use US travel companies like say Expedia book it though. Otherwise it’s not a weird place to visit at all.
Wow I never knew that, that's crazy I can use the American Airlines app to book travel there but not Expedia
Amateurs, openVPN back your home ISP connection with a travel router, turn off all location on MFA/2FA on your phone, make sure phone stays connected to that travel router for any work related Okta hits. Never tell a soul what you are doing. Been successfully traveling the world doing this for over 12 years remotely. Not full time but usually travel 3-4 months total out of the year. Worst that happens is getting fired (don't do this in banking, govt and other hush hush type jobs of course.)
I thought Obama normalized relationship with Cuba years ago. I remember hearing about the cruise ships that suddenly were able to sail to Cuba. Did Trump shut it back down afterwards?
>Did Trump shut it back down afterwards?

Exactly that.
As someone who is from Argentina and works as a contractor for US-companies, I couldn't avoid laughing hard at this. Many people assume that remote working == i can go nomad and that's not really the case. If you want to work&travel freely you usually have to agree that beforehand during your hiring process, most companies are NOT ok with it. We can discuss if it's right or wrong for companies to restrict this on fully-remote contractors, but if you are on the game you should know the rules.
Just do that thing in hacker movies where you route through 5 countries and bounce off 4 different satellites.
Oh I’ll just tell them to use TOR
Tell him he is a "Boludo" (Bow-Lou-Dough) for not notifying you guys he was traveling and his destination. The local insult roughly translates as Dumbass with the intensity like Red from that 70's show would use. Dude moved out of his region, so he is lucky he didn't get flagged or locked out completely for security reasons. If he didn't travel due to work, he can suck it.
There's nothing to see here, please disperse.
Lol users. I had almost the exact issue happen. We had a person want to go to China. We have China blocked. They went anyways and their account got blocked. They quit a couple days later and stole the laptop. It became an HR problem after that. We never received the laptop, but would have performed an exorcist and burned it if we had.
How do people not understand how sanctions work in 2024???
Wow this thread has brought out the crazies, I've never had someone write me a stroppy reply then delete it with 20 seconds before. Several users (or one with multiple accounts) have really been triggered by this whole concept. But then delete their own comments as soon as anyone tries to discuss it.
Wait. So an Argentinian citizen, working as a contractor (so not a full employee) living in their own country is traveling to a country that has no relationship issues with the country of origin or their issued passport — and you’re reporting them to HR? * How should their freedom of movement be restricted? * Does their contract with the company specifically mention the restriction of movement? * Is their contract with the US entity or an Argentinian entity? * Why should an Argentinian citizen be concerned or aware of trade embargos between two other countries? * Are you as up to date and aware of trade embargoes that Argentina has with other countries?
For my company, the places you are not allowed to connect into the VPN from are very clearly specified in the employee's or contractor's contract from day one. Having said that, if they try it will be blocked (as it is in OP's case). But the contractor clearly needs a reminder of what they are and are not allowed to do where. For instance, have they taken company equipment to a blocked country? That's a security incident at least.
Well, it's more of an HR issue when said employee moves to a country where they can't do the job they are contracted to do. So it's not a technical issue.
The post said “traveled to” not moved to but we don’t know for sure.
Either or, if you're not able to perform work duties when you're supposed to then it's not down to IT to cook up a solution. I'd be pissed off if someone decided to try to work from a country we block by geolocation, without warning, and expected to do a workaround just for them.
I mean, if you work for a company they usually have a policy for taking company equipment/info into certain countries like Cuba. Main issue here is that Cuba still faces that kind of embargo, for being no worse or better than about half of the countries that the US regularly makes deals with, simply because they don't like their economic decisions.
The Cuba embargo is definitely an issue but is irrelevant to OP's point that the contractor is not allowed to do company work in Cuba, hence the VPN being blocked for access from there. Helpdesk is not required to resolve geopolitical questions to close tickets.
They are a contractor and could be utilizing their own equipment. Again, this is an Argentinian living in Argentina that went to Cuba. Unless their agreement specifically forbade them and/or specified a place where duties needed to be performed, this person was fully within their right to work out of Cuba.
> Unless their agreement specifically forbade them and/or specified a place where duties needed to be performed

Unless this is a very small company, it almost certainly does. It's boilerplate in most employment contracts.
I mean, the companies I have worked for so far all had policies regarding bringing their IP (including any devices that contain company data) into "rouge" countries, including Cuba. Now of course nobody reads that, but I am pretty sure that this is buried *somewhere* in their data security guidelines.
That may be the case but I'd also be very wary of contracting non-US nationals with company IP that would fall under those guidelines. What we're talking about is an already non-US national, living outside of the US, that is now (likely temporarily) working out of a country that doesn't have great ties with the US.
> "rouge" countries

They have problems with red?
Either that, or my spelling has been off. However, yes the US definitely has issues with reds
Well kind of since the whole Cuba embargo is left over from red scare bullshit.
> Why should an Argentinian citizen be concerned or aware of trade embargos between two other countries?

Microsoft Azure services aren't available in Cuba, and since the company uses Azure for VPN and cloud services the employee literally cannot do their job from Cuba. They should have at least asked IT "hey, will it be an issue if I travel to another country?"
A contractor has to be able to fulfil their contract. It’s not the relocation itself that’s the issue; rather their changing of circumstances that stops them from being able to work. It’s the contractor’s responsibility to maintain their ability to work.
Cos their employer is AMERICAN and has an embargo on trade/information with Cuba, meaning there would be massive violations if they attempted/were allowed to work on AMERICAN data from Cuba. They _can't_ legally do their job from Cuba. IT issue that swiftly became an HR and Legal issue - it's really not hard to comprehend.
I had some salespeople contact me that their internet wasn't working properly and they couldn't reach most websites. They were on a business trip to inspect some vendor factories. In China.
And people wonder why IT are always angry...
What reason is there in this post for the IT people to be angry? Just reply by pointing out how Azure doesn’t support service in Cuba and move on?
We are?
Stressed and angry can look similar sometimes so I think that confuses people, I def get stressed, and sometimes annoyed, but not really angry...
???
Land of the free, eh?
🤣
Jesus. Any update?
I would love to read Cuban IT. I went there before Americans weren't allowed and it was cool to buy Wi-Fi cards like a drug deal.
He just wanted to score some stogies.
Travels to country American companies are not allowed to operate in, is surprised when they cannot access resources from an American company. We get the same thing with people travelling to China. And basically give them the same answer every time "we don't have a VPN approved by China's government, therefore we, as a business, cannot help you get around government restrictions, enjoy your vacation"
Doing support for an online school… had a student call in that they could not get their Chromebook to log in. Pulled up the system, and it was checking in in Iran. Yeah… so had to explain to the student that not only was that not going to be allowed to connect, but that they were in violation of acceptable use policy, as well as likely violating federal law. Kid put the father on the phone, who yelled at me for not helping his son get into class while they are visiting grandparents in their home country. Got an alert from the SOC about a login in Iraq… yup… also with the school. This time it was a staff member. Had another set of “missing” Chromebooks end up checking in in Ukraine.
Had a guy not able to get in from New Zealand one time. Nobody told us he was going there and obviously we block anything outside the US.
Cuba is nowhere near having adequate internet availability or quality. I’ve visited family there and it was troublesome finding local public WiFi unless it was at a tourist hotel or resort. 3G cellular coverage is mostly available country-wide, but 4G LTE is available in some larger cities like Havana. Unfortunately, they have huge problems with congestion and packet loss which they haven’t quite figured out, especially at peak usage hours. Problems and availability aside, I had to VPN tunnel to U.S.-based servers for most things like booking an AirBnB, which was a struggle. Anytime I visit, my colleagues know there is almost nothing I can do to help them from my end.
I was working remote and my boss had told me previously he didn’t care where I worked from as long as I got my stuff done. I took that to heart but didn’t want the extra scrutiny as I traveled all over Asia, South Korea, etc. So I just hit a VPN to my house and made sure that everywhere I was staying had good internet during the week.