At most companies I’ve worked at, employees had Microsoft work computers. They were under heavy control, even with admin privileges. I was wondering, for a corporate environment, how employees’ Linux desktops could be kept under control in a similar way. What would be an open source or Linux based alternative to the following:

  • policy control
  • Software Center with software allow lists
  • controlled OS updates
  • zscaler
  • software detection tool to detect what’s been installed and determine if any unallowed software is present
  • antivirus
  • VPN

I can think of a few things, like a company having its own software repos, or using an atomic distribution. There are already open source VPN solutions, of course. But for everything else I don’t really know what could be used or what setup we could have.

  • Skull giver@popplesburger.hilciferous.nl · 5 months ago

    I don’t know of any good Linux-based centralised policy control the way Windows and macOS can be managed. There are a few browser settings, but that’s about it, I think. Otherwise, you manage desktops like you manage servers.

    Software center control can be implemented by hosting a local repository with permitted software and denying the ability to add different repositories. Same with OS updates. It’s important to stay on top of updates, though, because partially updating packages can break stuff.

    There are tools out there that will report installed software and certain types of unexpected configurations. They’re mostly oriented around servers as far as I know, but I think they can be used for desktops. Their effectiveness is usually very distro-specific, though.

    For AV you can run Clam or Microsoft Endpoint Security. The latter is much better for a corporate environment, I believe.

    For VPN/RDP there are a myriad of options. OpenVPN is pretty popular on Windows and is Linux native. WireGuard is a bit faster on Linux. RDP works well through Remmina, though you’ll need to write some scripts if you want a Citrix-like VPN+RDP setup.

    Unfortunately, there’s no way to enforce policies like “only signed executables” or “don’t execute downloaded files”. Best you can do is hope the user won’t figure out how to set the execute bit before AV catches the virus.
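The "local repository plus allowlist" approach described in the reply above, as an added example that is not code from any of the posters: a POSIX shell script with two audits, one that flags apt sources pointing anywhere but the corporate mirror, and one that lists installed packages missing from an allowlist. It assumes Debian/Ubuntu (the installed list is what `dpkg-query -W -f '${Package}\n'` prints), a mirror hostname of repo.corp.example, and an allowlist file with one package name per line; the sample sources, installed list and allowlist are constructed inline so it runs offline. Note that it only detects extra repositories; actually preventing users from adding them is a matter of file permissions on /etc/apt (or an atomic image), not of this script.

```shell
#!/bin/sh
# Added example for this thread, not the posters' code. Audits a Debian/Ubuntu desktop
# against the "one corporate repo + package allowlist" policy. Assumptions: the mirror
# is repo.corp.example and the allowlist is one package name per line.
set -eu

# Constructed sample of /etc/apt/sources.list. The third line is commented out and
# must be ignored; the last one is a PPA a user added on their own.
sources_sample() {
  cat <<'EOF'
deb https://repo.corp.example/ubuntu noble main
deb [arch=amd64 signed-by=/usr/share/keyrings/corp.gpg] https://repo.corp.example/ubuntu noble-updates main
# deb https://archive.ubuntu.com/ubuntu noble universe
deb https://ppa.launchpadcontent.net/someone/ppa/ubuntu noble main
EOF
}

# Constructed sample of what `dpkg-query -W -f '${Package}\n'` would print on the host.
installed_sample() {
  printf '%s\n' firefox libreoffice-writer vim curl ngrok steam
}

# Constructed sample allowlist: what the corporate repo is allowed to ship.
allowlist_sample() {
  printf '%s\n' curl firefox libreoffice-writer vim
}

# Print every active deb/deb-src line in $1 whose URL host is not $2.
# Skips a leading [options] block (which may contain spaces) before the URL.
foreign_sources() {
  awk -v mirror="$2" '
    $1 == "deb" || $1 == "deb-src" {
      i = 2
      if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
      host = $i
      sub(/^[A-Za-z+]+:\/\//, "", host)   # drop scheme
      sub(/\/.*$/, "", host)              # drop path
      if (host != mirror) print
    }' "$1"
}

# Print installed packages ($1, one per line) that are absent from the allowlist ($2).
# awk reads the allowlist first (NR==FNR) into a set, then filters the installed list.
unallowed_packages() {
  awk 'NR == FNR { allowed[$1] = 1; next } !($1 in allowed)' "$2" "$1" | sort -u
}

# Run both audits; print findings and return 1 if anything is off-policy.
# Args: sources_file mirror_host installed_file allowlist_file
audit_host() {
  bad=0
  f=$(foreign_sources "$1" "$2")
  if [ -n "$f" ]; then printf 'non-corporate apt sources:\n%s\n' "$f"; bad=1; fi
  u=$(unallowed_packages "$3" "$4")
  if [ -n "$u" ]; then printf 'packages not on the allowlist:\n%s\n' "$u"; bad=1; fi
  return $bad
}

# Stand-alone demo on the constructed samples: `sh audit.sh --demo` exits 1 because
# both the PPA and the packages ngrok and steam violate the policy.
case "${1:-}" in
  --demo)
    d=$(mktemp -d)
    sources_sample > "$d/sources.list"
    installed_sample > "$d/installed"
    allowlist_sample > "$d/allowed"
    audit_host "$d/sources.list" repo.corp.example "$d/installed" "$d/allowed"
    ;;
esac
```

On a real host you would replace the three sample files with /etc/apt/sources.list (and the files in sources.list.d), the output of `dpkg-query -W -f '${Package}\n'`, and the allowlist your repo publishes, and run the script from a cron job or your configuration management tool so a non-zero exit becomes an alert.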

    • gaael@lemmy.world · 5 months ago

      For the execution, can’t you configure the fstab with noexec on partitions where the user has write permissions and give the user read-only permissions on the root partition ?

      I think this would be fine for most jobs, the exception being software development where you usually need to execute stuff to test your programs.

      • Skull giver@popplesburger.hilciferous.nl · 5 months ago

        That could solve the issue, but there are quite a few writeable locations that updaters and other pieces of software expect to be executable, but are also writeable by normal users (/tmp for instance).

        You could probably work around all this with SELinux?
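The noexec idea from the two replies above, as an added example that is not code from any of the posters: a POSIX shell script that reports which writable mounts lack noexec (the audit you would run before and after changing fstab) and that rewrites an fstab line to add noexec for a chosen mount point. It assumes the mount table is in /proc/mounts format (device, mount point, type, comma-separated options, dump, pass, which is also the fstab layout); the mount lines below are constructed, and /tmp is deliberately shown mounted noexec so the reader can see the case the second reply warns about.

```shell
#!/bin/sh
# Added example for this thread, not the posters' code. Checks and applies noexec on
# user-writable mounts. Assumption: input lines use the /proc/mounts (= fstab) layout.
set -eu

# Constructed sample of /proc/mounts. /tmp is mounted noexec here: that is the mount
# that updaters unpacking helpers into /tmp will trip over, so decide on it explicitly.
mounts_sample() {
  cat <<'EOF'
/dev/sda2 / ext4 ro,relatime 0 0
/dev/sda3 /home ext4 rw,relatime,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext4 rw,relatime,nosuid,nodev,noexec 0 0
EOF
}

# Print the mount point of every rw mount whose option list has no noexec.
# Options are split on commas and compared whole, so "noexec" is matched exactly
# rather than as a substring of some other option.
mounts_missing_noexec() {
  awk '{
    n = split($4, o, ",")
    rw = 0; noexec = 0
    for (i = 1; i <= n; i++) {
      if (o[i] == "rw") rw = 1
      if (o[i] == "noexec") noexec = 1
    }
    if (rw && !noexec) print $2
  }' "$1"
}

# Read fstab lines on stdin and append noexec to the options of mount point $1.
# Other lines pass through untouched, and a line that already has noexec is left
# alone, so running it twice is safe. (Reassigning $4 makes awk re-join the fields
# with single spaces, which fstab does not mind.)
add_noexec() {
  awk -v mp="$1" '
    $2 == mp && $4 !~ /(^|,)noexec(,|$)/ { $4 = $4 ",noexec" }
    { print }'
}

# Stand-alone demo on the constructed sample: `sh noexec.sh --demo`.
case "${1:-}" in
  --demo)
    m=$(mktemp)
    mounts_sample > "$m"
    echo "rw mounts without noexec:"
    mounts_missing_noexec "$m"
    echo "hardened fstab line for /home:"
    echo '/dev/sda3 /home ext4 rw,relatime,nosuid,nodev 0 0' | add_noexec /home
    rm -f "$m"
    ;;
esac
```

On a live system run `mounts_missing_noexec /proc/mounts` to see the real picture, and pipe /etc/fstab through `add_noexec /home` (and whichever other user-writable mount points you decide on) into a new file before swapping it in and remounting. As the second reply notes, /tmp, /var/tmp and /dev/shm will show up in the audit, and flipping them to noexec is a policy decision that needs testing against the updaters and installers your users actually run.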