[TriLUG] [Spam] Re: If you had to choose: Windows vs Mac for Linux graphical VM

Stephen Wiley via TriLUG trilug at trilug.org
Sun Jan 4 09:43:17 EST 2026


Yeah that's the thing. There are a zillion projects that could
technically replace AD but none of them are actually *good* (and at the
end of the day you could technically hack it with ansible and ssh certs.
You don't even *need* all this if you're just looking at the
technology.)

It's really almost this social problem where the UX, training pipeline,
support, etc. matter as much as the actual technical artifacts. Nominally
RedHat has IPA which is supposed to cover all this but anyone who's
actually used IPA will argue for AD if they need to *do* anything.

-- Stephen

On Sun, Jan 04, 2026 at 09:25:57AM -0500, Aaron Joyner wrote:
> Well, there is KeyCloak... but you did qualify your statement with "nice"
> open source alternative, so I agree.  😉
> 
> On Sun, Jan 4, 2026 at 9:22 AM Stephen Wiley <swiley at swiley.net> wrote:
> 
> > Yup, it mostly comes down to Active Directory. That's Microsoft's last
> > real product and there just isn't any nice open source alternative.
> >
> > -- Stephen
> >
> > On Sun, Jan 04, 2026 at 09:14:10AM -0500, Aaron Joyner wrote:
> > > *Executive summary*:  My suggestion is to try to work somewhere without
> > > any sensitive data, or with enough people who want to use Linux on the
> > > desktop.  Otherwise it's hard to justify the risk and work to the various
> > > corporate bean counters.
> > >
> > > *The longer asjoyner version:*
> > > If it helps soften the blow of having to use Mac or Windows as the base
> > > OS, consider the motivation for why most companies are pushing in that
> > > direction.  It used to be about support cost, which you could often argue
> > > against by saying you'll just accept that you can't call IT for help when
> > > your workstation doesn't work.  Unfortunately, now it's mostly about
> > > being able to install EDR software (Endpoint Detection and Response).
> > > They want to be able to detect and mitigate malware on the employee's
> > > computer, in order to reduce the risk of compromise from the fact you're
> > > (typically) allowed to browse the open internet (Google Search, Reddit,
> > > TriLUG email, etc) from the same computer that you have access to
> > > corporate data, and possibly customer data.  That solution is less
> > > expensive for the company and less disruptive to your workflow than some
> > > of the alternatives, like segmenting the computers and networks used for
> > > those tasks (think "low side" and "high side" infrastructure, like
> > > traditional USGov networks for classified information).
> > >
> > > Obviously, we all think we're sufficiently careful not to get phished or
> > > otherwise do things that would lead to our workstations being
> > > compromised.  You might even be right, depending on the sensitivity of
> > > the data you're working on and thus the level of adversary that might
> > > target you.  Realistically, at a company of more than a few hundred
> > > people, it's usually not practical to spend the time to evaluate
> > > individual policy exceptions and then implement the tooling that would
> > > enable you to have your corporate credentials on a device that's not
> > > uniformly managed like the rest of the corporate fleet.  Even if you and
> > > your productivity are worth it, do you trust the corporate IT guy to
> > > make, track, and handle your exception case correctly, without weakening
> > > the overall corporate security posture?
> > >
> > > That's the kind of calculus going into these seemingly very broad
> > > policies.
> > >
> > > Going a bit further into the details... why not just do all that on
> > > Linux, too? Yes, if your corporate IT crew is using something like
> > > Crowdstrike's Falcon for EDR, then there is a version of Falcon Sensor
> > > for Linux.  It's not that the EDR software vendor isn't doing their part,
> > > but the integration is where it typically falls down.  If you want to
> > > enforce EDR you have to tie that to credential acquisition, so when you
> > > log in to an SSO provider (e.g. Okta) part of the authorization challenge
> > > is that you're on a managed workstation that's up to date, using
> > > something like Okta Verify.  Unfortunately, that's not yet available for
> > > Linux
> > > <https://support.okta.com/help/s/article/okta-fast-pass-on-linux-desktops?language=en_US>.
> > > Satya continues to surprise me, and thus Microsoft Defender is available
> > > for Linux so integrating with the largest SSO provider (ActiveDirectory /
> > > EntraID) is actually possible for Linux Workstations.  Even in that case,
> > > managing the extra glue and integration to ensure you've defined a proper
> > > workstation configuration for Linux (and its wide variety of
> > > distributions and variation) requires a certain critical mass of users
> > > who want to run a Linux desktop, before IT can reasonably justify the
> > > overhead.
> > >
> > > Happy new year,
> > > Aaron S. Joyner
> > >
> > > On Sun, Jan 4, 2026 at 8:39 AM Stephen Wiley via TriLUG <trilug at trilug.org>
> > > wrote:
> > >
> > > > OSX has an X server and very nice VTE. If your company doesn't go out
> > > > of its way to install malware like McAfee and Tanium it will probably
> > > > perform better too. I would go with that.
> > > >
> > > > My issue in that kind of setup has always been that you have to use
> > > > Outlook and Safari for all of the corporate infrastructure which means
> > > > tolerating the borderline unusable non-free WM. Everything else you do
> > > > works in tmux. I don't think there's really any way around that in most
> > > > contemporary corporate environments. It's just one of those large scale
> > > > coordination problems you run into in places like that.
> > > >
> > > > IMO these days they're almost paying you more to absorb stupidity like
> > > > that than to produce technical solutions.
> > > >
> > > > -- Stephen
> > > >
> > > > On Sat, Jan 03, 2026 at 07:05:10PM -0500, Ed Blackman via TriLUG wrote:
> > > > > My company is forcing me to give up my Linux development laptop for
> > > > > either a Windows 11 or Mac laptop.  I don't want to give up my Linux
> > > > > development environment, so I'm trying to figure out which would allow
> > > > > me to run a full screen Linux graphical desktop (presumably as a VM?)
> > > > > and ignore the underlying OS as much as possible.  But the last time I
> > > > > used Windows it was Windows 7, and I've never used a Mac, so I don't
> > > > > know what's possible currently.
> > > > >
> > > > > I'll need to use the underlying OS to turn my VPN on and off, and
> > > > > maybe a couple of other functions, but I'm explicitly not interested
> > > > > in switching to using WSL2 or the Mac shell environment within a
> > > > > mostly Windows or Mac environment.
> > > > >
> > > > > I don't do anything requiring a GPU: I run terminal vim to write
> > > > > Python and Go code and run Firefox.  If it matters, I'd strongly
> > > > > prefer to run Debian trixie with XFCE or LXQt.
> > > > >
> > > > > Please let me know if you do something similar and can tell me about
> > > > > Windows or Mac, especially if you have experience with both.
> > > > >
> > > > > --
> > > > > Ed Blackman
> > > > >
> > > > > --
> > > > > This message was sent to: Stephen Wiley <swiley at swiley.net>
> > > > > To unsubscribe, send a blank message to trilug-leave at trilug.org
> > > > > from that address.
> > > > > TriLUG mailing list : https://www.trilug.org/mailman/listinfo/trilug
> > > > > Unsubscribe or edit options on the web :
> > > > > https://www.trilug.org/mailman/options/trilug/swiley%40swiley.net
> > > > > Welcome to TriLUG: https://trilug.org/welcome
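The device-posture gate Aaron describes in the quoted message (the SSO provider only issues a session when an agent on the workstation vouches that the device is managed, running EDR and up to date), as an added example that is not part of this thread and not Okta's, CrowdStrike's or Microsoft's code. Everything in it is an assumption made for illustration: the per-device HMAC key standing in for a device-bound key, the claim names (managed, edr_running, disk_encrypted, platform, os_version), the OS baselines in MIN_OS, and the sign_assertion/evaluate functions. The policy deliberately has no Linux baseline, which models the thread's situation of no supported agent for that platform: the gate then fails closed rather than guessing.

```python
import hashlib
import hmac
import json
import time

# Assumed for illustration: a per-device secret provisioned when the
# workstation was enrolled. Real products use device-bound keys; the HMAC
# here stands in for that. Both sides of this toy hold the same key.
ENROLLED_DEVICES = {"dev-1": b"constructed-enrolment-secret-for-dev-1"}

MAX_AGE = 300  # seconds an assertion stays valid (bounds replay)

# Posture claims the IdP insists on before it will mint a session.
REQUIRED = {"managed": True, "edr_running": True, "disk_encrypted": True}

# Assumed per-platform OS baselines. Linux is deliberately absent: in the
# thread's scenario there is no supported agent or baseline for it, so the
# gate fails closed. "Defining a proper workstation configuration for
# Linux" is, in these terms, adding an entry here and an agent to emit it.
MIN_OS = {"windows": (10, 0, 22631), "macos": (14, 0, 0)}


def sign_assertion(device_id, claims, key, now=None):
    """Agent side: emit a posture assertion signed with the device key.

    The wire format (sorted JSON plus a hex HMAC-SHA256) is constructed
    for this example.
    """
    body = {"device_id": device_id,
            "iat": int(now if now is not None else time.time()),
            **claims}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def evaluate(assertion, now=None):
    """IdP side: decide whether this login may proceed.

    Returns (allowed, reason). Every missing or malformed field is a deny:
    the point of the gate is that an unmanaged device cannot talk its way in.
    """
    now = now if now is not None else time.time()
    try:
        payload = assertion["payload"]
        body = json.loads(payload)
        key = ENROLLED_DEVICES[body["device_id"]]
    except (KeyError, TypeError, ValueError):
        return False, "unknown device or malformed assertion"

    # 1. Integrity: only the enrolled device key can produce this MAC.
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(),
                               str(assertion.get("mac", "")).encode()):
        return False, "bad signature"

    # 2. Freshness: a captured assertion must not be replayable later.
    iat = body.get("iat")
    if not isinstance(iat, int) or not (0 <= now - iat <= MAX_AGE):
        return False, "stale or future-dated assertion"

    # 3. Management posture: agent present, EDR running, disk encrypted.
    for name, wanted in REQUIRED.items():
        if body.get(name) is not wanted:
            return False, f"posture check failed: {name}"

    # 4. Patch level against the fleet baseline for that platform.
    platform = body.get("platform")
    if platform not in MIN_OS:
        return False, f"no baseline for platform: {platform}"
    version = body.get("os_version")
    if not isinstance(version, list) or not all(isinstance(v, int) for v in version):
        return False, "malformed os_version"
    if tuple(version) < MIN_OS[platform]:
        return False, "OS below fleet minimum"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample run: a compliant Mac, the same device with EDR
    # stopped, then a Linux box for which no agent baseline exists.
    key = ENROLLED_DEVICES["dev-1"]
    good = {"platform": "macos", "os_version": [14, 2, 1], **REQUIRED}
    print(evaluate(sign_assertion("dev-1", good, key)))
    print(evaluate(sign_assertion("dev-1", {**good, "edr_running": False}, key)))
    print(evaluate(sign_assertion("dev-1", {**good, "platform": "linux",
                                            "os_version": [6, 12, 0]}, key)))
```

The order of the checks is the part worth copying: integrity before anything else, so an attacker cannot probe the policy with unsigned input; freshness before posture, so a captured "healthy" assertion from last week cannot be replayed after the EDR agent has been disabled; and an unknown platform is a deny, not a pass, which is exactly why a fleet without a defined Linux baseline ends up excluding Linux desktops.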