Most of the cost (to the government) for Windows is "support" (in a very general sense) and that cost isn't disappearing with Linux.

Especially since it is easier to find badly underpaid (and not particularly competent) Windows sysadmins than it is to find badly underpaid Linux admins.

> Imagine what can happen if the French and other governments would start pouring all the money into developing that further in the open

You'd get a clusterfuck of a consensus spec, then they'd all get pissed off and develop their own incompatible versions anyway?

Have you seen international projects without strong, centralized leadership?

They'll start pulling Linux in a direction that suites them, which will potentially be at odds with the preferences of open source software enthusiasts.

Why haven’t they done it yet? I just think they’re incentivized enough for it.

> Isn't it about time someone developed one?

Honest question: Why? If you want a Windows-like environment, run Windows.

I get this all the time when people ask about a Linux equivalent for something, and aren't really satistied when it doesn't work or look the same. Linux isn't a clone of Windows. Linux comes from an older heritage, and has a unique culture. You are in for a hard time if you want to use Linux like you would use Windows. That's a suboptimal experience, at best.

That said, of course Linux should be easy to manage. But Windows is from a single corporate entity, of course their management tools will be different. It used to be unix admins that laughed about people using Windows as servers. The culture around Linux is one of scriptabiliy where even the user interface, the basic shell, is one where every command is inherently a script. That's why management on Linux looks like Ansible and OpenSSH, not like Remote Desktop and Group Policies.

You could write something like Group Policies for Linux of course, but it wouldn't be a complete solution so people would just continue using Ansible, OpenSSH, and the respective package managers.

Well AD is just a really opinionated LDAP/Kerberos setup, so you’d think that there would be something that Linux could do.

But when you’re talking about enterprise management of thousands of devices, you need some kind of consistent security policy management. That requires running OS software that accepts remote policy management, which is a very specialized configuration and not just “vanilla Linux”.

You can get really far with LDAP, but I’ve only used it for remote accounts, file shares, and sudoer config. I’m sure there are more policy configurations that would be possible with a more advanced tool.

I suspect the RHEL world has something to offer here, but I’d love to see a more general and commonly supported solution developed. It would make Linux more of an option for enterprise managed endpoints.

But, I agree with you - for an enterprise customer, this really needs to be some kind of paid/supported product. I wouldn’t want the French government to rely on some scripts that worked on my small cluster.

Group policy is an annoying pain. Yes, there aren't many better options out there, but it's not as if group policy is _good_.

Convenience comes as a result of mass market adoption, for products for which convenience was not already the main selling factor. Look at cars; they were kind of difficult to drive and maintain 60 years ago, now they're super convenient to drive and maintain as you essentially just press buttons and look at screens to get all needed information about the car and drive it.

It's probably something like "inception -> adoption -> convenience". For Windows it was the same, was it not? It wasn't absolutely convenient to use, it was just better (in terms of usability and features for the average consumer), and convenience came after (Windows XP, Windows 7). Sadly the functionality degraded, and now all that is left is convenience.

lol "liberty" as if you are fighting to free slaves or something.

Europe doesn't want to depend on US infrastructure, that's the only reason to do this.

Nobody cares about Linux "freedom" or open source.

> Most workplaces don't have strict bans on personal mobile devices

If you're talking about select work apps on your mobile device, sure, but that's limited attack surface.

If you're talking about employers who let unmanaged mobile devices hop on their internal network... I've never seen that. Maybe at a hypothetically perfect zero-trust shop?

Putting it in the hands on the GNOME foundation will just result in a lot of new soon-to-be-mandatory APIs and numerous configuration variables with only one allowed value.

Group policy just sets registry keys. That's nothing you can't do any other way. The important bit is the inertia of 30 years of Windows subsystems and integration with Active Directory and 3rd party Windows ecosystem software all being written to expose internal config and look to registry keys for the settings.

For the first part, Group Policy (GPO) can set the screen to lock after 2 minutes of inactivity, say, which works because there are Windows subsystems built to look for a reg key for their config, and policy templates exposing that config in the GUI management tools. Or group policy configures which security group can "logon as a service" which works because Windows has system-wide and domain-wide pervasive Access Control Lists (ACLs). GPO configures that Background Intelligent Transfer Service (BITS) should limit its bandwidth use, which works because Windows Updates use BITS. Or sets the machine-wide SSL cipher order, because Windows software uses system-wide schannel not OpenSSL.

Or GPO sets what your default printer will be and that's only useful because decades of 3rd party Windows software was written to use the standard Windows printer dialog, or User Documents path, or whatever.

For the second part, Active Directory is a tree-shaped organization tool; in this screenshot[5] that I quickly Googled, see the tree on the left has a folder named "Sydney" and below that "Sydney Users", this customizable structure lets business IT people organise the company computer accounts, user accounts, and security groups by whatever hierarchy makes sense to their needs - e.g. by country, office, team, department, building floor, etc.

Then Group Policy overlays on that structure and is composable, e.g. in this basic screenshot of the group policy manamement GUI[6] it's showing at the bottom a list of all group policy configurations that have been made in a domain such as "Block PowerShell", and higher up it shows the policy "PsExec Allow" has been linked inside the "ADPRO Computers" folder. So users and computers in that folder in AD, will get those policies applied.

In screenshot[7] you can see a basic example showing corporate computers getting machine-wide settings, corporate users getting user-level MS Office config, and Executives get settings that nobody else gets.

If you apply more than one GPO to a folder, the users/computers will get the all the policies combined.

You can filter GPOs on a case-by-case basis to build patterns like "apply this machine-wide policy to all computers in the Sydney folder which are members of the WarehouseComputer security group" or "apply these logon-settings to employees in New York who are members of Finance and logging onto a laptop".

3rd party programs can release XML files which plug into the GPO management, and the programs were written to expect to be configured by registry keys so they can pick up those settings; there are templates for configuring FireFox[1], Chrome[2] Adobe Acrobat[3], Word, Excel, Office[4], VMWare Horizon, Lenovo Dock Manager, Zoom, RealVNC, LibreOffice, Citrix, FoxIT Reader, and so on. The more enterprisey a tool is, the more likely it will plug into that ecosystem.

Then all kinds of 3rd party reporting and auditing tools look there to see if your company is compliant with this or that; the whole thing is integrated with Windows' domain-wide ACLs so you can give some admins permissions to view or edit just their regional subset of this.

As usual the lockin is not that they do something amazing that nothing else can do, the lockin is that Windows domains have been around in this format for 30 years since NT4 and Windows 2000, and it has huge inertia, familiarity, is deeply embedded in a lot of companies, you can easily and cheaply hire lots of people who know how to use and manage it, you can send screenshots of it to auditors and they understand it, you can buy 3rd party auditing software that will send you a management friendly report with green ticks saying almost everything is fine but you should change this setting for security...

[Yes of course you can build your own custom replacement for every single thing, just like you can build your own custom replacement for any software].

[1] https://support.mozilla.org/en-US/kb/customizing-firefox-usi...

[2] https://support.google.com/chrome/a/answer/187202?hl=en

[3] https://www.adobe.com/devnet-docs/acrobatetk/tools/DesktopDe...

[4] https://www.microsoft.com/en-us/download/details.aspx?id=490...

[5] https://www.windows-active-directory.com/wp-content/uploads/...

[6] https://activedirectorypro.com/wp-content/uploads/2022/09/gp...

[7] https://www.varonis.com/hs-fs/hubfs/blog%20posts/Group%20Pol...

Fuse membership and inheritance-based object (in the sense of 'any computing thing or person') ontology with configurability?

The insight in AD+GPO wasn't in either thing, but in the +. Each would be far less useful without the other.

Doesn't the Azure team own Intune/Entra now? Read: less inclined to give a fuck about artificially protecting Windows desktop.

I've no idea what current internal Microsoft org divisions are.

> Ask me a decade ago what an enterprise should do, and my answer would be straightforward: AD, GPO, Exchange.

That was also the answer two decades ago. But if AD and GPO are now dead, what killed them and what are the options? Is the problem mobile and BYOD?

I’ve been primarily on Macs since that time where endpoint management isn’t much, so there are fewer knobs to fiddle with. In some ways it’s nice in that admins can’t screw around too much with my system. In other ways, I’m sure Macs feel limiting for those in charge of enterprise security. However, most endpoint management feels like it’s written for Windows with Macs as an afterthought for checklist security. Knowing that, I’m happy there are fewer places for dodgy software to be able to interface with the OS.

(Edit: added quote to top)

What about offline, to my knowledge Entra and Intune do not work without actual internet connection?

> managing group policy sanely is still a challenge I've found - it's very resistant to configuration as code

Imho, this was historically (and continues to be) Microsoft's Achilles heel.

Large parts of the company reflexively wrote features / tooling as manual-first, code-second (or never).

In hindsight, what was missing was a Gates-level memo circa 2000 similar to Amazon's API one: all teams are required to build their configurators to be programmatically exposed.

Unfortunately, I don't think Ballmer was enough of a technologist (and was likely too distracted) to intuit that path not taken.