As Torvalds pointed out in 2019, is that while some major hardware vendors do sell Linux PCs – Dell, for example, with Ubuntu – none of them make it easy. There are also great specialist Linux PC vendors, such as System76, Germany’s TUXEDO Computers, and the UK-based Star Labs, but they tend to market to people who are already into Linux, not disgruntled Windows users. No, one big reason why Linux hasn’t taken off is that there are no major PC OEMs strongly backing it. To Torvalds, Chromebooks “are the path toward the desktop.”
I’ve managed Linux desktop fleets in enterprise-like environments. I’ll modify your list a bit:
And as you have guessed, on Windows this requires a bit of point and click in SCCM to do decently.
On Linux, you’ll wanna start by getting a few really good sysadmins to write a bunch of Puppet for a year or so.
(If we include remote desktop capabilities in the discussion, I’ll do my yearly Wayland-rant.)
The other thing you’ll need is for compliance and risk management frameworks (e.g. CMMC, ISO27001, CIS, etc.) to fully embrace Linux controls and environments. As of right now, it’s a patchwork full of holes and if you need to demonstrate compliance, it’s likely to be a lot more challenging running Linux workstations.
that’s the difficult part of SecureBoot: you need to set up MOK and somehow sign the bootloader, kernel, modules with it.
but against small scale intrusions even the MS signed things could work
You need to have secure boot in order to have the disk decrypt without user input, otherwise the chain is untrusted. You can (and probably should) load your own keys into the firmware and sign everything yourself. MS has nothing to do with it, except that BitLocker is much better than anything any Linux distro has to offer today.
You need to have the disk decrypt without user input, and you can’t have the secret with the user. (As the user is untrusted - could be someone stealing the laptop.) The normal Linux user mantra of ”I own the machine” does not apply here. In this threat model, the corporation owns the machine, and in particular any information on it.
As for sudo, this is why we have polkit. (Yes, technically root, but you get my point)
And as for number 7 - this is why most Windows fleets use ”Software Center” or similar. No reason you can’t do the same on Linux, just that no one has done it yet. (I mean, you can, with pull requests into a puppet repo, but that’s not very user friendly)
Hate RHEL all you want, but first take a look at what distros have any kind of commercial support at all from software vendors. This is the complete list: RHEL, sometimes Rocky, sometimes Ubuntu. Go ask your vendor about Fedora Silverblue and see what happens. The primary reason to run Linux like this is usually to use a specific (and probably very expensive) software that works best on Linux, so distro choice is usually very limited to what that software vendor supports. (And when they say Linux, they are really saying ”the oldest still supported RHEL.)
Basically, corporate requirements go completely against the requirements of enthusiasts and power users. You don’t need Secure Boot to protect your machine from thieves, but a corporation needs Secure Boot to protect the machine from you.
It’s a piece of software with closed source code. I am aware that people can hide (and have done so many times) a backdoor or a mistake in source code so that it’ll be harder to find than many problems in binaries without source provided.
Still harder to audit.
Smart cards?
I know.
Sigh. Okay.