[TriLUG] If you had to choose: Windows vs Mac for Linux graphical VM
Stephen Wiley via TriLUG
trilug at trilug.org
Sun Jan 4 09:22:20 EST 2026
Yup, it mostly comes down to Active Directory. That's Microsoft's last
real product and there just isn't any nice open source alternative.
-- Stephen
On Sun, Jan 04, 2026 at 09:14:10AM -0500, Aaron Joyner wrote:
> *Executive summary*: My suggestion is to try to work somewhere without any
> sensitive data, or with enough people who want to use Linux on the
> desktop. Otherwise it's hard to justify the risk and work to the various
> corporate bean counters.
>
> *The longer asjoyner version:*
> If it helps soften the blow of having to use Mac or Windows as the base OS,
> consider the motivation for why most companies are pushing in that
> direction. It used to be about support cost, which you could often argue
> against by saying you'll just accept that you can't call IT for help when
> your workstation doesn't work. Unfortunately, now it's mostly about being
> able to install EDR software (Endpoint Detection and Response). They want
> to be able to detect and mitigate malware on the employee's computer, in
> order to reduce the risk of compromise from the fact you're (typically)
> allowed to browse the open internet (Google Search, Reddit, TriLUG email,
> etc) from the same computer that you have access to corporate data, and
> possibly customer data. That solution is less expensive for the company
> and less disruptive to your workflow than some of the alternatives, like
> segmenting the computers and networks used for those tasks (think "low
> side" and "high side" infrastructure, like traditional USGov networks for
> classified information).
>
> Obviously, we all think we're sufficiently careful not to get phished or
> otherwise do things that would lead to our workstations being compromised.
> You might even be right, depending on the sensitivity of the data you're
> working on and thus the level of adversary that might target you.
> Realistically, at a company of more than a few hundred people, it's usually
> not practical to spend the time to evaluate individual policy exceptions
> and then implement the tooling that would enable you to have your corporate
> credentials on a device that's not uniformly managed like the rest of the
> corporate fleet. Even if you and your productivity are worth it, do you
> trust the corporate IT guy to make, track, and handle your exception case
> correctly, without weakening the overall corporate security posture?
>
> That's the kind of calculus going into these seemingly very broad policies.
>
> Going a bit further into the details... why not just do all that on Linux,
> too? Yes, if your corporate IT crew is using something like
> CrowdStrike's Falcon for EDR, then there is a version of Falcon Sensor for
> Linux. It's not that the EDR software vendor isn't doing their part, but
> the integration is where it typically falls down. If you want to enforce
> EDR you have to tie that to credential acquisition, so when you log in to an SSO
> provider (e.g. Okta) part of the authorization challenge is that you're on a
> managed workstation that's up to date, using something like Okta Verify.
> Unfortunately, that's not yet available for Linux
> <https://support.okta.com/help/s/article/okta-fast-pass-on-linux-desktops?language=en_US>.
> Satya continues to surprise me, and thus Microsoft Defender is available
> for Linux so integrating with the largest SSO provider (Active Directory /
> Entra ID) is actually possible for Linux Workstations. Even in that case,
> managing the extra glue and integration to ensure you've defined a proper
> workstation configuration for Linux (and its wide variety of distributions
> and variation) requires a certain critical mass of users who want to run a
> Linux desktop, before IT can reasonably justify the overhead.
>
> Happy new year,
> Aaron S. Joyner
>
> On Sun, Jan 4, 2026 at 8:39 AM Stephen Wiley via TriLUG <trilug at trilug.org>
> wrote:
>
> > OSX has an X server and very nice VTE. If your company doesn't go out of
> > its way to install malware like McAfee and Tanium it will probably
> > perform better too. I would go with that.
> >
> > My issue in that kind of setup has always been that you have to use
> > Outlook and Safari for all of the corporate infrastructure which means
> > tolerating the borderline unusable non-free WM. Everything else you do
> > works in tmux. I don't think there's really any way around that in most
> > contemporary corporate environments. It's just one of those large scale
> > coordination problems you run into in places like that.
> >
> > IMO these days they're almost paying you more to absorb stupidity like
> > that than to produce technical solutions.
> >
> > -- Stephen
> >
> > On Sat, Jan 03, 2026 at 07:05:10PM -0500, Ed Blackman via TriLUG wrote:
> > > My company is forcing me to give up my Linux development laptop for
> > > either a Windows 11 or Mac laptop. I don't want to give up my Linux
> > > development environment, so I'm trying to figure out which would allow me
> > > to run a full screen Linux graphical desktop (presumably as a VM?) and
> > > ignore the underlying OS as much as possible. But the last time I used
> > > Windows it was Windows 7, and I've never used a Mac, so I don't know what's
> > > possible currently.
> > >
> > > I'll need to use the underlying OS to turn my VPN on and off, and maybe
> > > a couple of other functions, but I'm explicitly not interested in switching
> > > to using WSL2 or the Mac shell environment within a mostly Windows or Mac
> > > environment.
> > >
> > > I don't do anything requiring a GPU: I run terminal vim to write Python
> > > and Go code and run Firefox. If it matters, I'd strongly prefer to run
> > > Debian trixie with XFCE or LXQt.
> > >
> > > Please let me know if you do something similar and can tell me about
> > > Windows or Mac, especially if you have experience with both.
> > >
> > > --
> > > Ed Blackman
> > >
> > > --
> > > This message was sent to: Stephen Wiley <swiley at swiley.net>
> > > To unsubscribe, send a blank message to trilug-leave at trilug.org from
> > > that address.
> > > TriLUG mailing list : https://www.trilug.org/mailman/listinfo/trilug
> > > Unsubscribe or edit options on the web :
> > > https://www.trilug.org/mailman/options/trilug/swiley%40swiley.net
> > > Welcome to TriLUG: https://trilug.org/welcome