Corporate Laptop Restrictions: What You Can and Can't Work Around

8 min read · November 2024 · By the KeepAwake team

Corporate laptops exist in a tension between IT's need to secure company data and remote workers' need to be productive. Most restrictions are there for genuine security reasons; some create unnecessary friction for legitimate work. Understanding which is which helps you solve real problems without crossing lines you shouldn't cross.

What IT Departments Are Actually Trying to Protect

Before getting into what you can and can't work around, it's worth understanding the actual threat model behind corporate device restrictions. IT teams aren't restricting your laptop to make your life difficult; they're managing three specific risks:

Data exfiltration: Preventing company data from leaving the corporate environment through unauthorized channels: USB drives, personal cloud storage, unauthorized file sharing apps.

Malware entry points: Preventing malicious software from being installed through unvetted software installs, unsigned scripts, or unauthorized USB devices.

Compliance: In regulated industries (finance, healthcare, legal), specific technical controls are required by law or regulation: encryption standards, audit logging, data retention policies. Deviating from these has legal consequences for the company.

Restrictions that serve these goals are non-negotiable and shouldn't be worked around. Restrictions that create friction without serving these goals are often addressable through legitimate means.

Restrictions You Should Not Work Around (And Why)

Disk encryption (BitLocker / FileVault): Required by most enterprise security policies and many compliance frameworks. Working around it would expose company data if the device is lost or stolen. Don't.

VPN requirements for accessing internal systems: VPN channels your traffic through corporate security infrastructure, enabling monitoring and filtering that protects internal systems. Bypassing the VPN to access internal resources exposes those resources to risk. Don't.

MDM / endpoint management agents: These enable remote wipe in case of theft and enforce security policies. Removing them may expose company data and will certainly violate your employment agreement. Don't.

Data loss prevention (DLP) controls: Policies that prevent uploading company data to personal cloud storage or sending it to personal email exist specifically to protect proprietary information. Working around them likely violates your employment agreement and potentially applicable law. Don't.

Application whitelisting: If IT has restricted which applications can be installed, there's a reason, usually to prevent malware vectors. Installing unapproved software may introduce security vulnerabilities you're responsible for. Get IT approval instead.

Restrictions That Are Fine to Work Around

Power settings locked by Group Policy: IT often locks power settings to enforce a corporate standard (e.g., screen lock after 5 minutes for compliance). If the underlying goal is "lock the screen when the user steps away" and you need your screen to stay on while you're actively working, browser-based keep-awake tools are a legitimate solution: they keep the screen active while you're present and release when you close the browser. This doesn't defeat the screen lock policy for when you actually leave; it just prevents accidental locks during active work sessions.

Browser extensions (within IT policy): Most corporate browser policies allow standard browser extensions from the Chrome Web Store or Edge Add-ons. Installing a grammar checker, ad blocker, password manager, or productivity extension from approved stores is generally fine. If your company has strict extension policies, check before installing.

Using browser-based tools instead of installed applications: If an application you need isn't in IT's approved software list, there's often a browser-based equivalent that works without installation. Browser-based tools use existing browser permissions rather than system-level installation, which is a meaningful security distinction. A browser tab running KeepAwake is categorically different from installing unauthorized software.

Adjusting accessible settings within your user permissions: As a standard user (non-admin), you have legitimate access to settings within your own user profile โ€” browser preferences, Teams notification settings, accessibility options, your own user power preferences if not domain-locked. Using these is entirely within your rights as an employee.

The Grey Areas

USB devices: Many corporate policies restrict USB devices to prevent data exfiltration. A USB mouse jiggler is a USB device; whether it's allowed depends on whether your company's policy restricts all USB devices or just storage devices. The only safe approach is to check. Browser-based alternatives remove this ambiguity entirely.

Running scripts: PowerShell scripts in user space, without admin rights, are technically allowed on many corporate systems. But running scripts that simulate input or modify system behavior may conflict with endpoint monitoring policies even when technically executable. The grey area: technically possible, potentially flagged. Browser APIs designed for exactly this purpose (Wake Lock, PiP) are a cleaner alternative.

Personal accounts on corporate devices: Accessing personal email, personal cloud storage, or personal services from a corporate device is usually technically allowed but creates a data co-mingling risk that most IT policies discourage. Keep company data in company systems and personal data on personal devices when possible.

The Practical Principle

The question to ask about any workaround: "Does this touch the actual security controls IT cares about, or does it just adjust a setting that happens to be locked for policy uniformity reasons?" Power settings locked to ensure screen lock compliance, for example, can be addressed by keeping your screen actively awake while you're present โ€” which satisfies the underlying intent (lock when the user steps away) without defeating the control.

Browser-based tools like KeepAwake specifically exist in this legitimate space: they use standard web APIs, require no installation, make no system changes, and work within the browser's existing permission model. They solve a real remote work problem without touching anything IT has restricted for security reasons.
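The example below is added here for illustration and is not KeepAwake's code. It uses the Screen Wake Lock API mentioned above and ties the lock to recent user input, so the operating system's idle lock resumes once input stops. The function names and `IDLE_LIMIT_MS` are assumptions.

```javascript
// Added example, not KeepAwake's code. IDLE_LIMIT_MS is an assumed value;
// set it at or below the screen-lock timeout your policy requires.
const IDLE_LIMIT_MS = 5 * 60 * 1000;

// Pure decision: hold the lock only while the tab is visible AND the user
// has produced input recently. Otherwise the OS idle timer should run.
function shouldHoldLock({ visible, lastInputAt, now, idleLimitMs = IDLE_LIMIT_MS }) {
  if (!visible) return false;            // browsers release the lock for hidden tabs
  return now - lastInputAt < idleLimitMs;
}

function startPresenceAwareWakeLock(nav, doc, idleLimitMs = IDLE_LIMIT_MS) {
  if (!nav.wakeLock) return null;        // API unavailable or blocked: do nothing
  let sentinel = null;
  let pending = false;
  let lastInputAt = Date.now();

  async function sync() {
    const want = shouldHoldLock({
      visible: doc.visibilityState === "visible",
      lastInputAt, now: Date.now(), idleLimitMs,
    });
    if (want && !sentinel && !pending) {
      pending = true;
      try {
        sentinel = await nav.wakeLock.request("screen");
        // Fires when the browser or this code releases the lock.
        sentinel.addEventListener("release", () => { sentinel = null; });
      } catch (err) {
        // Request refused (e.g. NotAllowedError); the normal idle lock applies.
      } finally { pending = false; }
    } else if (!want && sentinel) {
      await sentinel.release();          // hand control back to the idle timer
    }
  }

  for (const evt of ["pointermove", "pointerdown", "keydown"]) {
    doc.addEventListener(evt, () => { lastInputAt = Date.now(); }, { passive: true });
  }
  doc.addEventListener("visibilitychange", sync);
  const timer = setInterval(sync, 15000); // re-evaluate idleness periodically
  sync();
  return () => { clearInterval(timer); if (sentinel) sentinel.release(); };
}

// Only wire up in a browser page; skipped in non-browser runtimes.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  startPresenceAwareWakeLock(navigator, document);
}
```
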

The IT-safe solution: KeepAwake is a browser tab: no installation, no admin rights, no system modifications. Compatible with any corporate device policy.