Hello everyone, my company (our department is of around 150+ developers/machine learning people/researchers) is currently considering switching from Windows to Gnu+Linux for company devices (as in the machines we use in our daily work) and we are currently in the phase of collecting requirements. I’m not in charge of the process or involved in the decision phase, but as an enthusiast I’m curious about it. We handle data and other sensitive resources, so the environment should remain managed by the IT department (what’s possible to install, VPNs, firewalls, updates and similar). What do companies generally use in this kind of scenario? I’m assuming they generally do some stuff with either Canonical or Red Hat, but are there alternatives? Are there ways to do something that works across distributions by using flatpak or the nix package manager? What are your experiences?
If you aren’t letting people install packages and customize the environment, you don’t need Linux for desktops. Give them a locked down Mac, instead. You can do it on Linux, but it defeats the purpose. You’re devs would hate it.
You’re thinking as if it was Windows. In enterprise environments, companies control a set of proxy repositories and whitelist/blacklist packages.
If you’re a dev and need a specific package (or set of packages) that aren’t listed, then you can request it through a ticket.
What do companies gain from a full Linux environment?
- Better integration with services (if it’s already a linux/unix shop).
- Cost reduction from licenses (although an increase in training/in-house expertise costs)
- Machines will run supported as long as the silicon stays welded.
- Better security if implemented right.
(A big issue of Windows is that for running secure you need to cut a lot of it, which generates shadow IT).
However if not done right, there’s a long list of head-aches, including some software that’s no longer compatible and has no real professional linux option (design suites, SCADA/ICS, CAD software, etc).
Even if there’s a similar tool, it’s highly possible that there are trade-offs that will require a lot of investment.
In most cases this gets solved in two ways:
- Designers get a Mac so they can stop whinning and IT churns a solution to integrate all the outdated stuff running on that OS with the rest of enterprise services.
- Windows stuff that doesn’t require a beffy computer gets deployed on a VM with RBAC integrated with the company’s IDP.
In enterprise environments, companies control a set of proxy repositories and whitelist/blacklist packages. If you’re a dev and need a specific package (or set of packages) that aren’t listed, then you can request it through a ticket.
That’s fine for Windows desktops, Mac desktops, and Linux servers… but the advantage of a Linux Desktop is allowing a dev to customize the desktop and packages to what is most efficient for their use. Sure, you can do this to a Linux Desktop, but who would want to work on that? If you take that advantage away from a Linux desktop user, they would benefit more from software compatibility that comes with Windows or Mac. A locked down Linux Desktop has the same problems of limiting the dev from customizing it to match their most productive workflow, combined with no native MS Office apps, no Adobe apps, and more. That’s a double whammy to your user.
the advantage of a Linux Desktop is allowing a dev to customize the desktop and packages
Again, who says they can’t? A Linux repository works as a catalog of software (packages) where you can pick and choose what to install.
Distribution != Desktop: As an IT overlord, I can dictate what distro you use, but you can pick your poison desktop as long as it is compliant.
combined with no native MS Office apps
Use Office 365 like everyone else or just a proper solution that doesn’t have finicky WYSIWYG.
no Adobe apps
How many need Adobe apps in a company? Then you provide an alternative for those few.
There are numerous ways to approach this.
Canonical:
- Cheap finance-wise
- Low upfront cost skill-wise
- Medium ongoing cost skill-wise
- Occasionally breaks without being touched
RedHat:
- Medium cost finance-wise
- Low upfront cost skill-wise
- Medium ongoing cost skill-wise
- RedHat is not what it used to be. Has QA been sacked?
And, of course, my favourite 😁
Gentoo:
- Cheap finance-wise
- High upfront cost skill-wise
- Medium ongoing cost skill-wise
- Only breaks when multiple warnings are ignored
From my experience, though - you’ll probably end up on Ubuntu. Because everyone knows it, right?
Yep, Ubuntu was mentioned as an example in a few meetings and I think they will end up doing that. And it’s fine, give me literally anything other than Windows and I will be happy, however I’m a spoiled kid, so I also don’t really want Ubuntu.
The disappointing thing about Ubuntu is that the Ubuntu in everyone’s minds is very different from Ubuntu that’s actually getting installed. Snap is atrocious on desktop. Random inconsistencies across a fleet on a few hundred identical desktops. A dodgy campaign to onboard everyone onto Ubuntu Pro (I don’t mind them charging for a service, but the way they do it is disgusting.). Incredibly inflexible if you want more than just the barebones desktop.
Every day there’s something annoying popping up.
so the environment should remain managed by the IT department
For the domain you are describing
developers, machine learning people, researchers, Linux
having personal machines maintained by “IT” is not a typical setup. A ML engineer is more IT savy than your average IT department, especially on Linux when they use Linux for work.
An alternative to a centrally mentioned solution can be a reasonable set of rules with allows more freedom for the individual. For example, you could provide every new-joiner with a pre-configured laptop, but they can take over ‘root’ privileges if they want. It’s not so hard to keep a Linux machine secure if the users doesn’t intentionally screw it up. You don’t need IT to run updates, it happens automatically. You don’t need a personal firewall, they are no open ports per default anyway.
IT may want to install an agent that helps detecting security breaches (or misconduct). Or remote-support. Of course, you may require VPN. You may require that sensitive data does not leave the server. You should. A personal device is an attack vector and Linux has security holes all the time, but remote exploits are nowhere as common as in a Windows, Outlook, AD world.
The upside of allowing users to tinker with their machines is that IT only needs to provide a reasonable starting point, not a perfect solution for everyone. If you expect support from IT, you will want to standardize the distribution and maybe some applications or tools, but you don’t need everyone in the company to be on the same version of Solitaire.
I’d recommend openSUSE here. If Enterprise support is needed (which I am sure is true) than SLE Desktop will work out better.
OpenSUSE can also be considered.
YaST has so many awesome funktions
Btw if Enterprise support is needed SLE Desktop is probably better than OpenSUSE
