That's the point I want to convey is that while there are tools like MSI on Windows, many years after Linux had dpkg, it's not the same thing. On Linux the package manager rules the filsystem and keeps a complete database of which package owns which file. There are no exceptions, not on the parts of the filesystem where the package manager rules. Even the operating system itself and all patches is handled by the package manager.

That's first and foremost a cultural difference, not a technical. Sure, there's nothing to prevent a Linux vendor to write "install scripts" that copy files willy-nilly across the file system, and many vendors have done this but always with disastrous results and since Linux people hate it, those products are either repackaged or stored in a separate directory far away from other files.

This means installing software at scale (any number of systems), or the question how to cleanly uninstall software it not a question you should ever ask in a Linux environment. The questions you should ask are different in a Linux environment. That is why the tools look different.

Tools like gsettings are culturally alien to the unix world. Instead, home directories are seeded with dotfiles. And dotfiles are kept in version control. Yes, that means that unix people can't answer the quesion how to lock the proxy settings so the user is unable to change them. Instead, should a sensitive system require it, they would instead manage by policy and disallow any traffic outside said proxy.

Firefox has /usr/lib/firefox/distribution/policies.json which lets the sysadmin lock down what users can do with the browser. Example: If you wanted to block all extensions except for a whitelist, you could control that via that file.

There's a bazillion tools that let you manage files like that across thousands of servers/desktops but the hot one right now in enterprises is Ansible (which would make it trivial to push out an update to such a configuration).

Chrome has a similar file: /etc/opt/chrome/policies/managed/lockdown.json

"Ah yes, but what stops the user from downloading the portable version of a browser and using that?"

You can mount all user directories with +noexec. Also, Apparmor lets you control which applications can make network connections if you want to get really fine-grained.

Other applications have similar policy files. For example, Visual Studio Code has /etc/code/policy.json which—for example—would let your company lock down which extensions are allowed to be used/installed.

> Group Policies also allow you to enforce things like browser configuration (proxy, homepage, search engine etc.) wallpapers, screen locks etc.

Unix has always be about treating users like adults. The administration tools are more about the whole system and the hardware. You can always provide default or sample config, or prevent anything in HOME for being executed, but enforcing wallpapers is silly. But you can still do it by patching the software.