[TriLUG] If you had to choose: Windows vs Mac for Linux graphical VM
Aaron Joyner via TriLUG
trilug at trilug.org
Sun Jan 4 09:14:10 EST 2026

*Executive summary*: My suggestion is to try to work somewhere without any
sensitive data, or with enough people who want to use Linux on the
desktop. Otherwise it's hard to justify the risk and work to the various
corporate bean counters.

*The longer asjoyner version:*

If it helps soften the blow of having to use Mac or Windows as the base OS,
consider the motivation for why most companies are pushing in that
direction. It used to be about support cost, which you could often argue
against by saying you'll just accept that you can't call IT for help when
your workstation doesn't work. Unfortunately, now it's mostly about being
able to install EDR software (Endpoint Detection and Response). They want
to be able to detect and mitigate malware on the employee's computer, in
order to reduce the risk of compromise from the fact you're (typically)
allowed to browse the open internet (Google Search, Reddit, TriLUG email,
etc) from the same computer that you have access to corporate data, and
possibly customer data. That solution is less expensive for the company
and less disruptive to your workflow than some of the alternatives, like
segmenting the computers and networks used for those tasks (think "low
side" and "high side" infrastructure, like traditional USGov networks for
classified information).

Obviously, we all think we're sufficiently careful not to get phished or
otherwise do things that would lead to our workstations being compromised.
You might even be right, depending on the sensitivity of the data you're
working on and thus the level of adversary that might target you.
Realistically, at a company of more than a few hundred people, it's usually
not practical to spend the time to evaluate individual policy exceptions
and then implement the tooling that would enable you to have your corporate
credentials on a device that's not uniformly managed like the rest of the
corporate fleet. Even if you and your productivity are worth it, do you
trust the corporate IT guy to make, track, and handle your exception case
correctly, without weakening the overall corporate security posture?
That's the kind of calculus going into these seemingly very broad policies.

Going a bit further into the details... why not just do all that on Linux,
too? Yes, if your corporate IT crew is using something like
CrowdStrike's Falcon for EDR, then there is a version of Falcon Sensor for
Linux. It's not that the EDR software vendor isn't doing their part, but
the integration is where it typically falls down. If you want to enforce
EDR you have to tie that to credential acquisition, so when you log in to an SSO
provider (e.g. Okta) part of the authorization challenge is that you're on a
managed workstation that's up to date, using something like Okta Verify.
Unfortunately, that's not yet available for Linux
<https://support.okta.com/help/s/article/okta-fast-pass-on-linux-desktops?language=en_US>.
Satya continues to surprise me, and thus Microsoft Defender is available
for Linux, so integrating with the largest SSO provider (Active Directory /
Entra ID) is actually possible for Linux workstations. Even in that case,
managing the extra glue and integration to ensure you've defined a proper
workstation configuration for Linux (and its wide variety of distributions
and variation) requires a certain critical mass of users who want to run a
Linux desktop, before IT can reasonably justify the overhead.

Happy new year,
Aaron S. Joyner

On Sun, Jan 4, 2026 at 8:39 AM Stephen Wiley via TriLUG <trilug at trilug.org> wrote:
> OSX has an X server and very nice VTE. If your company doesn't go out of
> its way to install malware like McAfee and Tanium it will probably
> perform better too. I would go with that.
>
> My issue in that kind of setup has always been that you have to use
> Outlook and Safari for all of the corporate infrastructure which means
> tolerating the borderline unusable non-free WM. Everything else you do
> works in tmux. I don't think there's really any way around that in most
> contemporary corporate environments. It's just one of those large scale
> coordination problems you run into in places like that.
>
> IMO these days they're almost paying you more to absorb stupidity like
> that than to produce technical solutions.
>
> -- Stephen
>
> On Sat, Jan 03, 2026 at 07:05:10PM -0500, Ed Blackman via TriLUG wrote:
> > My company is forcing me to give up my Linux development laptop for
> > either a Windows 11 or Mac laptop. I don't want to give up my Linux
> > development environment, so I'm trying to figure out which would allow me
> > to run a full screen Linux graphical desktop (presumably as a VM?) and
> > ignore the underlying OS as much as possible. But the last time I used
> > Windows it was Windows 7, and I've never used a Mac, so I don't know what's
> > possible currently.
> >
> > I'll need to use the underlying OS to turn my VPN on and off, and maybe
> > a couple of other functions, but I'm explicitly not interested in switching
> > to using WSL2 or the Mac shell environment within a mostly Windows or Mac
> > environment.
> >
> > I don't do anything requiring a GPU: I run terminal vim to write Python
> > and Go code and run Firefox. If it matters, I'd strongly prefer to run
> > Debian trixie with XFCE or LXQt.
> >
> > Please let me know if you do something similar and can tell me about
> > Windows or Mac, especially if you have experience with both.
> >
> > --
> > Ed Blackman