Linux for enterprise desktops

After this last year with Windows 10 and the massive amount of work they have created for me with all the broken patches, I am looking for an alternative to Windows in my organization. Which distros would you recommend for the least amount of configuration? I am currently testing Linux Mint and am going to look at others. The biggest obstacle is my end users; they are barely able to operate Windows 10 or even share/open shared calendars in Office 365.

Requirements
Office 2016 can run in Wine or PlayOnLinux
Google Chrome
AD for multiple users on every box
Kerberos
All computers must be encrypted

Like to have
GPOs that will install printers, map network drives, and deploy settings if possible.

For a corporate environment I would always suggest some distro with support.

So, basically RHEL or SUSE.
SUSE is maybe a bit friendlier for people coming from Windows due to KDE being preinstalled (that’s purely subjective though).

Not sure if WINE or PoL is a good idea for a corporate environment. For office stuff you can use LibreOffice unless you absolutely need some specific feature that has not been implemented on LO yet.
If you really need MS Office then maybe also look into Crossover, it’s the commercial version of WINE that comes with support.

Can be installed on pretty much any distro (either Chromium which is in basically every distro repository, or Google’s repos if you really need the Google stuff).

Office 2016 is going to be tricky… the newest versions of Office are typically poorly supported in WINE. If you can opt for 2013 or 2010, that would be easier. If you could run Office 365, that is another option. All within the MS family. If you are willing to step out of the MS family, then LibreOffice is the obvious recommendation for the traditional approach. Another possibility would be your own G suite, possibly colocated on your own hardware. Last I checked, that is an option.

Google Chrome is not an issue on pretty much any desktop Linux distribution that I’m aware of, but definitely is easy on Ubuntu, Fedora, CentOS, etc. as Google provides deb and rpm repositories natively.

AD integration is possible with SSSD. You have a few options - you can potentially integrate directly with your AD server, or you could set up FreeIPA to mirror parts of your AD forest. The advantage with FreeIPA is that it may offer you some knobs that direct AD doesn’t, like managing SSH keys in addition to, say, user smartcard keys. SSSD also handles Kerberos.

Encryption is totally possible with LUKS, should be easy to set up. This is a distro-agnostic approach, so long as the distro has the integration done - and all the ones you would be looking at do.

I unfortunately don’t know about GPOs, as I have not yet attempted to use them in my environment as our Linux workstation policy is still “in beta” and everyone who joins up sets themselves up, and we’re maintaining a wiki of everything we need to do to make it work. We are just starting to centralize, package our configs into debs/rpms, etc. and look into these sorts of concerns.

Anyway, that all boils down to: Ubuntu LTS, CentOS/SUSE/RHEL/Scientific Linux, or Fedora. Ultimately the reason to pick one over the other boils down to update style and frequency. If you have a technical user base, you might choose Fedora. If you have a completely non-technical user base, an EL family (i.e. aggressively stable) option. And if you have a blend, perhaps Ubuntu LTS.

Whatever your choice you will also want to run a caching proxy for packages / updates, and the strategy is different between deb- and rpm- based distros - but it can be done regardless of your choice.

When you ask for “least amount of configuration,” do you mean on your part or on the part of the potential end user for whom you are provisioning the workstation?

Thank you. On the configuration, I mean on my part, as I am an army of one for the most part. My end users want a computer handed to them that they don’t have to do anything to at all.

I have gotten Chrome installed in the Mint/Ubuntu without any issues. Office 2016 is proving to be much harder, so I may step back down to 2013, as I have that working also through the POL. I will spin up a RHEL and SUSE VM next to see how I like those.

Well, as others mentioned, for an enterprise environment there is RedHat Enterprise Linux, which is the big dog for enterprise that’s been around a long time now (and enterprise is in that name after all). They will sell you support for everything (that’s their business), but I’ve never used their support nor their distro directly myself (closest I’ve come are Fedora and CentOS, which are nice enough).

Ubuntu also does enterprise with support and a bunch of solutions to pay for provided by Canonical (the company that heads it). I never had to use their support myself, even when I was heading up tech for a small company that used a mixed environment of Ubuntu and OS X, but for what you are describing you’d want it. The distro itself is easy to use, though they kinda got away from the Windows feel in the ‘vanilla’ version for a while (not sure if they changed back) but using one of the other supported versions is very easy.

As for Office 2016, why? Is there actually a special need for specifically MS Office (something it does that nothing else actually does) or is there just a need for some Office software? If the latter, there are a lot of options, usually built into the distro by default, which I personally find a lot more intuitive and easy to use for most purposes.

If it’s necessary, I believe there was some talk at some point of Microsoft actually making a Native Linux version soon, but not sure where that went. Aside from that, there’s now a web version of MS Office which will just run in any browser, and thus will run on Linux that way. That may be better anyway since then you don’t have to actually install it on any device or worry about it crashing or anything else, as long as you have reliable internet connections. Otherwise, there are the options others mentioned above.

AD and Kerberos I believe can be basically implemented through various ways, but you can also get other Directory Services that do what you are looking for (Red Hat Directory Server, for instance).

I’ve yet to come across a distro that couldn’t do encryption, and most have a simple check box during installation to encrypt at least part of the system (like the user’s home folder). Ubuntu, RedHat, etc certainly can do that easy.

There are equivalents to GPOs in Linux, though it’s a different system. I haven’t done this myself yet, but I can think of a few ways of getting the equivalent based on things I know about how configurations work, but I’m sure there are more definitive and standard methods than I’m thinking of. All that stuff isn’t too difficult though, you’ll just need to do a bit of learning about it as the admin, but there’s not really all the “hidden features” trickery like Windows has.

Djindy The reason for Office 2016 is our finance and reporting software uses several plugins that don’t work well with the older versions. The web version is missing many features. Other than that the majority of other users would be able to use the open office, web based office or whatever is built in to the software.

Thank you all for your input! I believe I have enough suggestions to get the testing started.

I have not used Linux for such a long time, but the way Windows is headed it does not seem like it’s going to be feasible in my environment for much longer.

But isn’t the reporting software the first concern then? :thinking: Does the integration with MS Office even work in WINE?

OK makes total sense. I understand your concern, but if you’re rolling this out to a lot of users I don’t think there’s a great way to avoid it to some degree. I would consider a package (rpm/deb) that sets everything up, served from something on your LAN, so that you can even have it update through the automatic mechanism on the workstations.

Another method (and you can combine these methods how you see fit, of course), is that many Linux distros have mechanisms to set up custom deployments. In the Red Hat family, to give one example, it’s called Kickstart. You can then even set up an OS install image based on Kickstart, with your configuration, as a PXE boot served over TFTP and have pretty easy mass provisioning of your bare metal workstations.

There are tools you can use for headless/background mass administration of your machine pool (Ansible, Puppet), as well as typical headed options like VNC/RDP. But that’s jumping ahead a bit, since you’re still on distro selection. :wink:

Good luck!

mihawk90 I am not sure at this point. I will have to do multiple tests once I settle on a distro. I will post and let you know.

I don’t believe Linux is the answer for your problems. Changing to Linux would just make more work for you, as your clients will call about every little thing. I’m not sure what version of Windows 10 you’re using. You could try creating an image yourself; Windows provides tools for this, “SHB”. I then would set up a company update server, so that you can control your updates.

If you do go down the Linux route I sincerely hope you research Ansible and make playbooks for your users’ software sets.
It will make your life a lot easier while you roll out new installs.

Switching to Linux because of the Windows update woes is like buying a new car because a tire went flat IMO.

If I were in your position I would be looking into WSUS and only pushing tested updates. It’s a bit of maintenance but once you get into the habit it’s not that much work.

In my experience getting Linux to play with Active Directory can be done but is a bear to set up initially. I haven’t had too much trouble with it beyond the initial setup.