[curt15]

"Hey can you remove MDM from this Macbook so I can install Linux?"

Is there no MDM for Linux clients? How do the big tech companies with Linux developer machines (Google, Facebook, etc) manage their inventory? Do they roll their own MDM?

[michaelt]

IT departments can mandate tools like ninjaone and kolide, which let them run queries across the fleet of devices, and (as I understand it) basically gives them root-level remote code execution.

The corporate VPN (or equivalent) can then perform 'posture checking' requiring that the tools be installed and working before connecting to the corporate network.

Obviously, 99% of Linux users have root on their device so nothing stops them wiping it and installing something new from scratch. But then they'll fail the posture checks until the device is returned to the approved setup.

[hparadiz]

Kolide admin provides a web UI for osquery so you can query things. It allows remote osquery queries but not remote code execution. You generally pair it with CrowdStrike Falcon.

Kolide does a spot check like "is falcon sensor running" but if the user logs in, has the session token created, and then disables whatever the session token would still be valid.

Also Kolide doesn't actually count as an MDM. Has a bunch of missing features. I recently evaluated it.

[pjmlp]

Failing compliance in many jobs isn't a simple "ooops, sorry".

[hparadiz]

It's a nudge. Like "update your OS". You could also just be logging into a machine after a few weeks away. The software tells you what you need to update before letting you in.