Hello everyone, my company (our department is of around 150+ developers/machine learning people/researchers) is currently considering switching from Windows to Gnu+Linux for company devices (as in the machines we use in our daily work) and we are currently in the phase of collecting requirements. I’m not in charge of the process or involved in the decision phase, but as an enthusiast I’m curious about it. We handle data and other sensitive resources, so the environment should remain managed by the IT department (what’s possible to install, VPNs, firewalls, updates and similar). What do companies generally use in this kind of scenario? I’m assuming they generally do some stuff with either Canonical or Red Hat, but are there alternatives? Are there ways to do something that works across distributions by using flatpak or the nix package manager? What are your experiences?
For the domain you are describing
having personal machines maintained by “IT” is not a typical setup. A ML engineer is more IT savy than your average IT department, especially on Linux when they use Linux for work.
An alternative to a centrally mentioned solution can be a reasonable set of rules with allows more freedom for the individual. For example, you could provide every new-joiner with a pre-configured laptop, but they can take over ‘root’ privileges if they want. It’s not so hard to keep a Linux machine secure if the users doesn’t intentionally screw it up. You don’t need IT to run updates, it happens automatically. You don’t need a personal firewall, they are no open ports per default anyway.
IT may want to install an agent that helps detecting security breaches (or misconduct). Or remote-support. Of course, you may require VPN. You may require that sensitive data does not leave the server. You should. A personal device is an attack vector and Linux has security holes all the time, but remote exploits are nowhere as common as in a Windows, Outlook, AD world.
The upside of allowing users to tinker with their machines is that IT only needs to provide a reasonable starting point, not a perfect solution for everyone. If you expect support from IT, you will want to standardize the distribution and maybe some applications or tools, but you don’t need everyone in the company to be on the same version of Solitaire.