I was thinking about this the other day. Windows 11 is starting to roll out on company laptops and I would love it if we had the choice to install Linux. But I think there are some challenges to that.
Most large companies control what employees are allowed to install on their machines for security reasons. We wouldn’t want any spyware or ransomware or any kind of malware getting installed inadvertently. Most places will use software allow lists through applications like the Software Center and use software detection programs to monitor if any non compliant software is installed.
There’s also permission management through group policies on Windows to manage which kind of user can do what on their system.
Finally, I hate to say it, but most companies use the whole Microsoft Office 365 eco system with Microsoft One Drive and SharePoint. I know we can use the web version for some of the apps, but for practicality’s sake, it’s best to have an installed version. And the cloud sync feature of One Drive is also very important for automatically backing up important work. I doubt they would let that go.
I would love to hear if anyone can offer solutions to these problems.
KDE had a policy editor back in v2.0… honesty I never really followed whether those features stuck around. But the simple version is to lock down write access to folders in $HOME, such as .config or similar. Linux already prevents most users from installing programs over the system directories without root, but I’m not sure if you can restrict new programs with +x in $HOME unless you write-lock the whole folder… Someone with more network admin experience probably knows this :)
selinux or alternative is your friend here.
Exactly. I once had a computer with Linux where I had no root access, but was able to install, or at least unzip or build, pretty much whatever I wanted in my $HOME directory. And I wonder if it isn’t possible to installs Snaps or Flatpaks without root permission?
Outlook owa pwa is 99%
The rest of the apps sans access work 99% in wine.
Google docs works great
Run NixOS don’t give em root or nix-shell. They can’t install anything you don’t allow.
Put each users allows softlist into source control. Make the boxes cron and reconfigure on demand.
Tailscale VPN.
Office 365 […] i know we can use the web version
tbf, this isn’t the only software related problem. a lot of companies also use specially developed software that doesn’t have a linux version because everyone in the company is using windows anyways and adding a different release target would likely add costs and consume more development time for those internal tools
I should’ve mentioned I’ve been practically only in IT companies. We never really had speciality software of any kind. In fact I could’ve done all of my work in Linux except for a couple of times where I had to develop in c# and .net wasn’t ported to Linux yet.
But the things I’ve mentioned were what was holding the company back from giving me a Linux machine.
tbf i am the other extreme: i work in a material science lab so we work almost exclusively with specialized/custom software
Oh yeah. That’s even worse because sometimes the machines outlive the computers and software and then you’re stuck maintaining a Windows 95 machine because the software was developed for that OS and the company has since came up with new machines with new software and they don’t support your machine anymore.
Depending on the company you work at you can actually still encounter testing equipment built during WW2 because “it still works”
$previous_job allowed us to pick. One of my coworkers had to replace his laptop, and I convinced him to try out Linux this time. I handed him the bootstrap script and he was back to working by the afternoon.
Our CEO got wind of this and said as a matter of policy everyone is switching to Linux unless they have a good reason (needing excel for financial reports is a good reason). The two new hires who had been setting up their dev environment for over a week at that point were the trigger for this.
keep spreading the good word!
90% of my work is done in WSL anyways… I would much rather have KDE as my DE than Windows 11. Please Microsoft, if you love Linux so much now, port Office to it, and maybe my employer would be ok with it.
Office is a cloud application, didn’t you get memo?😵
we not only allow it, we enforce it. windows not allowed in my company
Same at my company.
My favorite bit was when the Microsoft rep sent a PDF explaining how much the company would save from tech support to the CFO, bypassing the CTO they were communicating with.
And the CFO shared the whole thing publicly for the entire company to laugh at.
deleted by creator
We don’t even have Firefox at work.
Only options are Edge and Chrome.
Blame their DoH for killing FF deployment in the enterprise. Companies don’t like not being in charge of their DNS traffic. DoT is better from corporate POV as that can all be blocked or redirected based on the port, not so much DoH which uses the same port as normal web traffic.
Those are definitely acronyms.
deleted by creator
Wait, are you saying there’s a way to tell Firefox to use a different DNS server than what’s specified in the interface configuration?
BTW, thank you for the explanation, makes sense now!
Exactly that. And it looks just like any other web traffic.
Quite a few things will use their own DNS servers, not the one specified by the system or handed out over DHCP. I know many apps on the fire stick and Roku devices do this. So you have to intercept their traffic and redirect it to control it. If their using DoH then you can’t do that and your pihole is useless against them.
Best you can do is maintain a list of well known DoH servers and block them outright. But that’s a constantly moving losing battle.
Right, it just downed on me that DNS is nothing more than another application layer in the OSI model. Thanks again!
Nah, companies can just disable DOH if they want using GPOs.
https://github.com/mozilla/policy-templates/blob/v5.8/docs/index.md
I don’t have windows allowed on my job, thanks god
The build team will not allow a single line of Windows code to infect their pipelines
But they’ll use Azure devops 🧠
I’m glad that I’ve never had to rely on windows at work. It’s been linux all the way even when it still had a lot of rough edges.
It was still way ahead of WfW or 95 though.
It’s simple, cost. Supporting multiple DE’s is expensive. And provides little or no benefit to the company.
It may work at a small company with tech savvy users (like the ones commenting here). But ultimately at a normal large business, is nothing but a hassle that at best makes a few employees happy.
Cisco now supports developers running Linux feiw
Yes because developers don’t call tech support when they’ve accidentally deleted the Outlook icon from their desktop.
I work for a large company that issues Windows laptops or MacBooks to employees depending on the work requirements. Most developers I know there use Macs, and I’ve only heard of 1-2 cases where programmers needed to get a Windows machine because they were working on a particular project.
So this is def YMMV territory.
Those few employees are probably going to all be developers, and despite there being a bunch of mathematics and engineering involved, being a developer is very much a creative process. Similarly, I wouldn’t begrudge a digital artist for wanting to use a Mac to do their work.
If a developer is asking for a thing, they’re not asking for it because they’ve suddenly developed a nervous tic. There’s typically a reason behind it. Maybe its because they want to learn that thing to stay relevant, or explore it’s feasibility, or maybe it’s to support another project.
I used to get the old “we don’t support thing because nobody uses thing” a lot. The problem with that thinking is that unless support for whatever thing immaculates out of nowhere it’ll just never happen. And that’s a tough sell for a developer who needs to stay relevant.
I remember in like 2019 I asked for my company to host git repos on the corporate network, and I got a hard no. Same line, there wasn’t a need, nobody uses git. I was astounded. I thought my request was pretty benign and would just sail right through because by that point it was almost an industry standard to use git. I vented about it to some devs in another department and learned that they had a system with local admin attached to the corporate network that somehow IT didn’t know about. They were using that to host their repos.
I guess what I’m trying to say is that if keeping employees happy is too expensive, then you gotta at least be aware of the potential costs of unhappy employees.
My last employer had several thousand employees. Some of the IT guys knew Linux, but it wasn’t anywhere in the organization. I managed to convince them to let me install Linux on my desktop. They said sure, with the provision that I was not allowed to have a single issue. If I had an issue, they’d format it back. It was a fantastic last 8-9 years at work, as far as computer use went.
My usual reply to said employees is “if you know how to install and configure a Linux distro, you probably also know how to solve your own problems”. Everything else is pretty much deployed over AD, so if you can get to the point where you need admin creds to hook to the DCs, then do whatever you like.
Eventually, all of them failed to even get close to being a part of the AD DC and that is where the story ended.
learned that they had a system with local admin attached to the corporate network that somehow IT didn’t know about. They were using that to host their repos.
That’s called shadow IT and is a huge security risk.
We do know about stuff like this… we just decide to turn a blind eye about it since we know who is using it and why they’re using it.
But if things get out of hand and we notice weird things happening, then yes, we will act on it and will “know about it”.
Our software is officially supported on Windows and Linux. For some reason our chief product uses a Mac, so we support that unofficially. It can be quite a hassle to keep our code compatible on those platforms and Build Bot often gets angry when I open a pull request, but boy is it nice to be able to use whatever OS I like for development!
My current employer is a first for me:
- engineering essentially have to use Macs. Windows is accepted but not supported
- all products are built and hosted on Linux, both cloud and on-prem
Workstations/laptops at my current job in order of popularity: nixos, arch, macos. Windows is around 2%.
I work with data management / data brokering at a university. I am not allowed to have a Linux machine. I have to use a virtual environment.
It’s funny working at a company that doesn’t allow Linux on a workstation, but is also actively developing and deploying tons of Linux-based products…
I think the real reason is that their MDM cant lock down a Linux machine the way it locks down a Windows or Mac machine…
We added a second disk and installed Linux on an encrypted partition. BIOS was not locked so we could dual boot.
When we return the machines we remove the disk.
My employer allows Linux - only a customized version of Fedora that’s preconfigured to handle our environment, including certificates (802.1x, browser client certs, etc) with automated renewal, endpoint management software, deployment of settings using Chef, etc.
We have a few internal apps built using React Native though, which is only available on Windows and MacOS. There’s been some Github repos trying to port React Native to Linux but nothing that’s production-quality yet.
My solution is to host a virtual machine with my dev workstation, and use Windows or Mac for business admin stuff like email, slack, etc.
I’ve had Linux 3 jobs in a row so I’ve been lucky that way, it usually helps to match production so that’s a good argument for it.