My company is implementing this exact thing - and in general for company laptops I'd say it's not really too crazy (freelancers, contractors will most likely be given machines too if they need any level of access to our stuff/code). From what Drata told our team - the agent is based on osquery, and just reports disk encryption, antivirus, screen lock, installed applications.
Not sure what the other commenters in this thread are going on about but AICPA's SOC 2 common criteria _do_ require that a bunch of that stuff is configured. The reality we're facing is that unless we actually monitor for those basic security config things, sales/marketing/etc. will disable those settings for no reason and promptly leave their laptop in a Starbucks with client user lists or confidential data on it.
For other context - based on our research, compliance automation platforms like Drata or Secureframe greatly decrease the cost of the actual audit, since they make collecting evidence that the proper security controls are in place and functioning much easier.
From your perspective as a freelancer, though, I 100% get the concern - I'd say that they shouldn't want you to be handling their source code on your personal machine anyways and should prob. send you a laptop.
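As an added illustration (not the commenter's text, and not Drata's actual agent configuration), here is an osquery query pack for macOS that collects the same posture items the comment names - disk encryption, screen lock, built-in malware protection (Gatekeeper, standing in for the "antivirus" check) and installed applications - using osquery's built-in tables; the pack and query names, intervals and descriptions are my choices. Windows equivalents would use the bitlocker_info, windows_security_products and programs tables.

```json
{
  "platform": "darwin",
  "queries": {
    "disk_encryption_status": {
      "query": "SELECT name, uuid, encrypted, type FROM disk_encryption;",
      "interval": 3600,
      "description": "One row per volume; encrypted = 0 on the data volume means FileVault is off (SOC 2 evidence for data-at-rest encryption)."
    },
    "screen_lock_policy": {
      "query": "SELECT enabled, grace_period FROM screenlock;",
      "interval": 3600,
      "description": "enabled = 0 or a long grace_period (seconds) means an unattended laptop stays unlocked."
    },
    "gatekeeper_enabled": {
      "query": "SELECT assessments_enabled, dev_id_enabled FROM gatekeeper;",
      "interval": 3600,
      "description": "assessments_enabled = 0 means a user has disabled macOS's built-in app-source checks."
    },
    "installed_applications": {
      "query": "SELECT name, bundle_short_version, path FROM apps;",
      "interval": 86400,
      "description": "Software inventory; compare against an allow/deny list centrally, not on the endpoint."
    }
  }
}
```

Each query's rows are what a compliance agent would ship to its backend; the pass/fail judgement (e.g. every row of disk_encryption_status has encrypted = 1) belongs in the central policy evaluation, so a user who flips a setting off shows up on the next interval instead of at audit time.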