Hacker News

mbreese, today at 12:42 PM (2 replies)

Well AD is just a really opinionated LDAP/Kerberos setup, so you’d think that there would be something that Linux could do.

But when you’re talking about enterprise management of thousands of devices, you need some kind of consistent security policy management. That requires running OS software that accepts remote policy management, which is a very specialized configuration and not just “vanilla Linux”.

You can get really far with LDAP, but I’ve only used it for remote accounts, file shares, and sudoer config. I’m sure there are more policy configurations that would be possible with a more advanced tool.

I suspect the RHEL world has something to offer here, but I’d love to see a more general and commonly supported solution developed. It would make Linux more of an option for enterprise managed endpoints.

But, I agree with you - for an enterprise customer, this really needs to be some kind of paid/supported product. I wouldn’t want the French government to rely on some scripts that worked on my small cluster.


Replies

riskable, today at 4:09 PM

Windows uses Group Policy (which isn't particularly secure for many reasons) while Linux uses configuration files (e.g. udev, AppArmor, stuff in /etc like fstab) in conjunction with file permissions. However, you can go way farther by compiling your own kernel that has certain functionality removed (e.g. USB mass storage).

Managing lots of configuration files/scripts across many thousands of servers, desktops, devices, etc is a long-solved problem. Most enterprises use Ansible or similar.

In almost every way, managing many thousands of Linux desktops is much simpler and more straightforward than Windows. If you're using Ansible playbooks, you can keep everything nice and tidy in a single place and everything you'd ever want to customize is managed via a plaintext file you can modify with your editor of choice.

You can organize them however you want or even use a GUI to change stuff (if you pay for Ansible Enterprise or whatever it's called... Or use one of the FOSS alternatives).

Managing Linux desktops at scale really isn't much different than managing Linux servers at scale.
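As an added illustration of the approach described in the comment above (this is not code from the commenter or from any project named in the thread), here is one Ansible playbook that expresses an endpoint policy purely as plain files: a modprobe blacklist for the usb-storage module, a validated sudoers drop-in, AppArmor kept enforcing, and ownership/mode hygiene on the directories that hold those files. The inventory group name `workstations`, the `helpdesk` group, and the drop-in file names are assumptions chosen for the example; the hosts are assumed to use a Debian/Ubuntu-style layout with AppArmor installed.

```yaml
---
# Added example, not from the thread. Assumes an inventory group named
# "workstations" (hypothetical), a Debian/Ubuntu-style filesystem layout,
# AppArmor installed, and sudo rights for the Ansible user on each host.
- name: Baseline endpoint policy for managed Linux workstations
  hosts: workstations
  become: true

  tasks:
    # Policy 1: block USB mass storage at the kernel-module layer.
    # "blacklist" stops auto-loading by alias; "install ... /bin/false"
    # also defeats an explicit modprobe, without rebuilding the kernel.
    - name: Blacklist the usb-storage module
      ansible.builtin.copy:
        dest: /etc/modprobe.d/policy-no-usb-storage.conf   # file name is an assumption
        owner: root
        group: root
        mode: "0644"
        content: |
          # Managed by Ansible; local edits are overwritten on the next run.
          blacklist usb-storage
          install usb-storage /bin/false

    # Unload the module if it is loaded right now; the module checks
    # /proc/modules first, so this is a no-op when it is not loaded.
    - name: Unload usb-storage if currently loaded
      community.general.modprobe:
        name: usb-storage
        state: absent

    # Policy 2: sudo rules shipped as a drop-in. "validate" runs visudo on the
    # staged file first, so a syntax error is rejected instead of locking
    # every administrator out of sudo across the fleet.
    - name: Install sudoers drop-in for the helpdesk group
      ansible.builtin.copy:
        dest: /etc/sudoers.d/10-helpdesk   # file name is an assumption
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
        content: |
          # "helpdesk" is a hypothetical group; map it to your directory group.
          %helpdesk ALL=(root) NOPASSWD: /usr/bin/systemctl restart cups

    # Policy 3: keep AppArmor enabled and running. Profiles are themselves
    # files under /etc/apparmor.d and can be shipped with the same copy task.
    - name: Ensure AppArmor is enabled and running
      ansible.builtin.service:
        name: apparmor
        state: started
        enabled: true

    # Policy 4: the directories that hold policy must not be writable by
    # anyone but root, or the policy above is only advisory.
    - name: Tighten ownership and mode on policy directories
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: directory
        owner: root
        group: root
        mode: "{{ item.mode }}"
      loop:
        - { path: /etc/modprobe.d, mode: "0755" }
        - { path: /etc/sudoers.d, mode: "0750" }
```

Because every task is idempotent, the same playbook doubles as a drift check: `ansible-playbook -i inventory.ini endpoint-policy.yml --check --diff` reports which hosts have departed from the policy and exactly which lines differ, without changing anything, which is the auditing role Group Policy reporting plays on Windows.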

pjc50, today at 12:47 PM

> That requires running OS software that accepts remote policy management

Every Linux system that supports SSH potentially "accepts" remote management! The challenge is just putting it into a framework.
