[jve]

> Are these Linux machines going to authenticate against the Azure Active Directory... Are they using Intune, if so what's the replacement strategy where?

This comes up all the time when we talk about Linux in corporate deployment. As I have only experience in MS word regarding governance, let me ask this:

- Is there really no tools for Linux world that allows managing loads of Linux machines in an easy manner as it is in MS word (applying GPO policies)? A tool that can be easily set up and managed and doesn't have to always resort to scripting?

- If there is, why people are not using them?

I'm kind of aware some things are that allow managing Linux machines via Windows AD GPO, but that depends on MS domain there.

Seems like a ripe for a startup to provide open source tool(s) with, say, paid support for the enterprises.

[Propelloni]

That's depends what you want to do. If you want an all-in-one solution you'd go with the solution of your distribution vendor, e.g. Red Hat IPA/Satellite, SUSE Manager, or Ubuntu Landscape. Linux just plays nicer with ADS than MS Windows with any Linux solution, so most fall back to ADS in mixed environments.

If you only want Identity, Policies and Audit trails over several different Linux distributions, FreeIPA is your weapon of choice. It is clicky and requires no scripting. Just like ADS it is a bit of a pain to get into, but easier to run than OpenLDAP ;) If you want OpenID, too, connect FreeIPA and Keycloak, but you will need to dive onto the CLI. For configuration management connect Saltstack, here you have to edit rules files.

[preisschild]

> Is there really no tools for Linux world that allows managing loads of Linux machines in an easy manner as it is in MS word

You can create fedora-based container images with your specific programs and configs included in the rootfs. The newly created container image will then be used as the rootfs for machines when they upgrade.

See https://universal-blue.org/

[sirjaz]

Funny thing is that Ubuntu, Suse, and RedHat support gpos now: https://ubuntu.com/blog/new-active-directory-integration-fea...

[fock]

and then most of the places I know happily allow employees admin access for "just that piece of software they need" and simultaneously push for "zero-trust". There's no point in it at all and you can just as well use saltstack to rollout apparmor-policies on your locked-down linux (and suddenly the same people wanting GPOs tell you that linux is untenable because of usage restrictions)

[msgodel]

As someone who's career has involved managing large numbers of deployed Linux and BSD machines: what's wrong with scripting? It's expressive, debugable, repeatable, easy to communicate about verbally and on wikis. If you want something that's more constrained there are tools like puppet and ansible.

I guess this is another one of those "smalltalk people" vs "unix people" talking past eachother because they have shared vocabulary with different implications kind of situations.

[jve]

Scripting is error prone and requires more skilled admins. Not so great if one wants to deploy Linux as a Desktop OS.

[bigfatkitten]

I’ve done it with Puppet, mostly dropping config files around the place.

Everything was more work than it would’ve been under Windows, from endpoint configuration enforcement through to things like authentication and PKI.

[ChocolateGod]

> - Is there really no tools for Linux world that allows managing loads of Linux machines in an easy manner as it is in MS word (applying GPO policies)? A tool that can be easily set up and managed and doesn't have to always resort to scripting?

Nope, there's no unification in configuration formats (yml, ini etc), locations (/var, /etc, /usr, /opt/etc) or registries (dconf, gconf).

Yes, standards exist, but they are rarely followed to the letter.

[trelane]

If it exists, I expect it would be in Red Hat Enterprise Linux or Ubuntu. Most of us don't use those, though, so I don't expect the knowledge is common.

[powgpu]

well for server is nix, but not sure about desktop.

[ChocolateGod]

I'd say using Nix is bordering on using scripting. Someone still has to write the method that extracts your Nix configuration into a file.