_edge , 9 months ago

so the environment should remain managed by the IT department

For the domain you are describing

developers, machine learning people, researchers, Linux

having personal machines maintained by “IT” is not a typical setup. A ML engineer is more IT savy than your average IT department, especially on Linux when they use Linux for work.

An alternative to a centrally mentioned solution can be a reasonable set of rules with allows more freedom for the individual. For example, you could provide every new-joiner with a pre-configured laptop, but they can take over ‘root’ privileges if they want. It’s not so hard to keep a Linux machine secure if the users doesn’t intentionally screw it up. You don’t need IT to run updates, it happens automatically. You don’t need a personal firewall, they are no open ports per default anyway.

IT may want to install an agent that helps detecting security breaches (or misconduct). Or remote-support. Of course, you may require VPN. You may require that sensitive data does not leave the server. You should. A personal device is an attack vector and Linux has security holes all the time, but remote exploits are nowhere as common as in a Windows, Outlook, AD world.

The upside of allowing users to tinker with their machines is that IT only needs to provide a reasonable starting point, not a perfect solution for everyone. If you expect support from IT, you will want to standardize the distribution and maybe some applications or tools, but you don’t need everyone in the company to be on the same version of Solitaire.