Hacker News

ChocolateGod today at 11:47 AM

> It's nuts Windows is still the go-to for anything these days despite everyone knowing what a parasitic

Linux still doesn't have anywhere near as nice and cohesive as Group Policy, Active Directory etc.

Plus you can pay Microsoft to host it all for you on Azure.


Replies

llarsson today at 12:14 PM

Imagine what can happen if the French and other governments would start pouring all the money into developing that further in the open, rather than just giving it all to Microsoft instead?

pjc50 today at 12:25 PM

> Linux still doesn't have anywhere near as nice and cohesive as Group Policy, Active Directory etc.

Isn't it about time someone developed one?

The foundations are there; you can imagine an organization deploying laptops with, say, Ansible, and not giving users root on them. LDAP sort of matches the old capabilities of AD, but not completely. There's even a "Samba as fake domain controller" mode.

Ironically what it needs is a product or service which organizations can pay to take the problem off their hands. But then people get stuck in never paying for anything in the open source world.

ninjagoo today at 12:38 PM

> Linux still doesn't have anywhere near as nice and cohesive as Group Policy, Active Directory etc.

Enterprise environments use a number of tools like PowerBroker, UCS, Centrify/Delinea etc. to bind Linux machines to Active Directory and manage identity and access through Active Directory. This is for mixed environments with both Windows and Linux machines.

For pure Linux environments, there are a number of tools like FreeIPA/IdM, Samba AD/DC (for AD-like management), and OpenText's eDirectory, the current version of Novell's eDirectory counterpart to AD. They all provide centralized user/host/policy/access management.

Since Entra+Intune are the recent MS products, cloud-based equivalents are Jumpcloud+Fleet, Okta PAM, FreeIPA/IdM.

forinti today at 12:04 PM

Yes, liberty comes at a cost. It seems that convenience is no longer the main motivator for many people.

guenthert today at 2:15 PM

> Linux still doesn't have anywhere near as nice and cohesive as Group Policy, Active Directory etc.

I take your word for it (I know of Kerberos and LDAP and Netscape and Sun trying to make such palatable, but clearly haven't followed that in the last quarter-century).

That assumes however the server to be currently MS Windows. For government agencies, I'd rather expect some Mainframe to be (and remain) in place. Surely IBM (or here rather Groupe Bull) has user authentication/authorization figured out (more than half a century ago, methinks).

Bayart today at 12:37 PM

The primitives are there and they're solid; beyond that it's "just" architecture and integration work. Hopefully the French government will be rational with this (I believe the time and financial constraints will force it to be, we're broke and we lack time) and they won't fall into the trap of trying to internalize every bit of the platform.

A good example of that would be what happened with Docker. Off the top of my head cgroups, namespaces, seccomp, overlays and capabilities had been around for a while before they got rolled up in a nice utility in 2013 and open-sourced in 2015. Hence the containerization movement. Solaris zones and FreeBSD jails were nice but they always were, let's say, a bit too bearded.

Zigurd today at 12:39 PM

Personal computers were used in office environments long before the technologies to make them administrable as if they were a mainframe. Before blindly jumping in and reproducing those technologies, better to ask why they emerged in the first place.

Most workplaces don't have strict bans on personal mobile devices, and some of the ones that do, don't have the kind of physical perimeter defense that can detect people getting lazy about whether or not they carry their personal mobile devices into the workplace. That makes perimeter defense into security theater anyway. We need a rethink about what we are guarding against and how we're doing it.

ndriscoll today at 12:24 PM

I've never understood the management thing. People manage fleets of Linux machines all the time. What does Group Policy do that e.g. Nix or Ansible don't?

oneplane today at 12:39 PM

It does, it's called FreeIPA (or RedHat IdM). The only GPO parts it doesn't do are those that are not related to policy in the IAM sense (i.e. configuring some application related thing). There's other systems for that, just like on Windows you practically never run GPO without anything else. On top of that, you can pay RedHat or Canonical to host it all for you on any cloud or non-cloud.
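
As an added illustration of the two comments above (pjc50's "deploy laptops with Ansible and don't give users root" and oneplane's "FreeIPA covers the IAM half of GPO"), here is an Ansible playbook that puts the access policy in FreeIPA and leaves the laptop with no local path to root. It is example code written for this thread, not anything from the thread's participants or from the FreeIPA or Ansible projects. Assumptions: a FreeIPA server at ipa.corp.example (realm CORP.EXAMPLE), an inventory group "laptops" whose hostnames are FQDNs, a helpdesk user "alice", the admin password in an Ansible Vault variable ipa_admin_password, and the community.general collection installed for the ipa_* modules.

```yaml
# Added example, not code from the thread. Assumptions: FreeIPA server
# ipa.corp.example (realm CORP.EXAMPLE), inventory group "laptops" of FQDN
# hostnames, helpdesk user "alice", admin password in the Vault variable
# ipa_admin_password, community.general collection installed.

- name: Define the access policy once, centrally (the AD/GPO-like part)
  hosts: localhost
  gather_facts: false
  environment:                # read by every community.general.ipa_* module
    IPA_HOST: ipa.corp.example
    IPA_USER: admin
    IPA_PASS: "{{ ipa_admin_password }}"
  vars:
    helpdesk_cmds:            # the only things helpdesk may run as root
      - /usr/bin/systemctl restart NetworkManager
      - /usr/bin/journalctl
  tasks:
    - name: Empty host group for now; enrolled laptops are added in the last play
      community.general.ipa_hostgroup:
        name: laptops
        state: present

    - name: The only people who get any elevated rights on laptops
      community.general.ipa_group:
        name: helpdesk
        user: [alice]
        state: present

    - name: Disable the default rule that lets every user log in to every host
      community.general.ipa_hbacrule:
        name: allow_all
        state: disabled

    - name: Helpdesk may use sshd and console login on laptops; nobody else can
      community.general.ipa_hbacrule:
        name: helpdesk_login_laptops
        usergroup: [helpdesk]
        hostgroup: [laptops]
        service: [sshd, login]
        state: present

    - name: Register the exact commands sudo may run (no blanket root)
      community.general.ipa_sudocmd:
        sudocmd: "{{ item }}"
        state: present
      loop: "{{ helpdesk_cmds }}"

    - name: Sudo rule scoped to helpdesk, laptops and those commands only
      community.general.ipa_sudorule:
        name: helpdesk_limited_sudo
        usergroup: [helpdesk]
        hostgroup: [laptops]
        cmd: "{{ helpdesk_cmds }}"
        state: present

- name: Enroll laptops and make IPA the only source of admin rights
  hosts: laptops
  become: true
  tasks:
    - name: IPA client (package name differs by OS family)
      ansible.builtin.package:
        name: "{{ 'ipa-client' if ansible_facts['os_family'] == 'RedHat' else 'freeipa-client' }}"
        state: present

    - name: Join the realm; this also configures sssd for PAM, nsswitch and sudo
      ansible.builtin.command: >
        ipa-client-install --unattended --mkhomedir
        --domain corp.example --realm CORP.EXAMPLE --server ipa.corp.example
        --principal admin --password '{{ ipa_admin_password }}'
      args:
        creates: /etc/ipa/default.conf   # already enrolled: skip (idempotent)
      no_log: true

    - name: "Replace the distro sudoers: no wheel/sudo group, no local drop-ins"
      ansible.builtin.copy:
        dest: /etc/sudoers
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s   # never install a broken sudoers
        content: |
          Defaults env_reset, use_pty, log_input, log_output, timestamp_timeout=5
          Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
          root ALL=(ALL:ALL) ALL
          # No @includedir /etc/sudoers.d: every other rule comes from IPA via sssd

- name: Put the now-enrolled laptops into the host group the rules target
  hosts: localhost
  gather_facts: false
  environment:
    IPA_HOST: ipa.corp.example
    IPA_USER: admin
    IPA_PASS: "{{ ipa_admin_password }}"
  tasks:
    - community.general.ipa_hostgroup:
        name: laptops
        host: "{{ groups['laptops'] }}"
        state: present
```

Run it with `ansible-playbook -i inventory ipa_laptops.yml --ask-vault-pass`. To check the policy the way you would check a GPO result, run `ipa hbactest --user alice --host laptop01.corp.example --service sshd` on the server (or any enrolled host with a Kerberos ticket) and `sudo -l -U alice` on a laptop; both should list exactly the rules above and nothing more. Two caveats: the HBAC and sudo rules only bind services that go through PAM with pam_sss and sudo's sssd backend, which is why the playbook lets ipa-client-install do that wiring rather than hand-editing nsswitch.conf; and passing the admin password to ipa-client-install shows it in the process list during enrollment, so in production you would pre-create each host with a one-time password (`ipa host-add --random`) and enroll with that instead, which is left out here for brevity.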

Levitating today at 12:28 PM

> Linux still doesn't have anywhere near as nice and cohesive as Group Policy, Active Directory etc.

I am sure that's something the Gnome Foundation could figure out if they had a grant to do so.

otikik today at 12:43 PM

Must be the only nice and cohesive parts left. Perhaps they have not figured out how to put ads on AI on it because it doesn't have many users.

kakacik today at 1:08 PM

No non-US government should host anything on Azure, or any other US-owned cloud. That's security and sovereignty 101, or more like 100. Reality with a hostile US being as it is.

What you list are no showstoppers, and since it's a well-known topic I can't imagine why some EU-funded effort of, say, 2 billion over the next 3-5 years shouldn't resolve it once and for all, for the entire world. Well-invested money.

Spooky23 today at 12:49 PM

This is actually a good time to disrupt that, as Microsoft’s attention is not on windows and Active Directory is slowly moving to Entra, although big enterprises are mostly hybrid.

Some places are using Okta for many of those functions too. Trump’s instinctive parasitic slumlord behavior may be enough for the sleepy Europeans to get their shit together.

Lihh27 today at 12:43 PM

That's the catch with GP/AD. For a lot of orgs the hard part is Intune/Entra now. Swapping the desktop is easy. Replacing identity and device management is the real migration.

hug today at 12:20 PM

Group Policy and Active Directory are dead, for all intents and purposes.

It's now Intune (via OMA-DM), and Entra. Both of those products are about as bad as you might imagine the "cloud" versions of GP & AD might be.

They are better, in ways -- no longer having to care for and feed domain controllers is nice, and there's no longer an overhead for additive policy processing, so endpoints only get a single set of policy and log on much quicker -- but for the most part, enterprise management of Windows devices is in a worse place than it was ten years ago.

Try to figure out how long it will take an online Intune device to discover a new policy: As far as I can tell the answer is "eventually". There are bandaids for this, because of how infuriating it is, of course, but all time guarantees are basically gone.

Ask me a decade ago what an enterprise should do, and my answer would be straightforward: AD, GPO, Exchange.

The answer now is not simple.

kgwxd today at 12:34 PM

Even the old companies have moved away from that nonsense. Huge waste of resources.

XorNot today at 12:43 PM

Honestly, as widespread as it is, managing Group Policy sanely is still a challenge I've found - it's very resistant to configuration as code.

Linux has a lot of the pieces but is principally lacking a solid distribution system - in particular a big missing component is the network-based SELinux policy distribution system which you can see some hooks in for the concept of a "policy server" which never eventuated.

SELinux would be a lot more viable if it had a solid way to federate and distribute policy and has some nice features in that regard (i.e. the notion that networked systems can exchange policy tags to preserve tagging across network connections).
