Klaus Zimmermann's Corner

Taking it to the next level: Linux for a corporate work laptop

A scene from Mr Robot S01E01 where Elliott rhetorically asks himself "An executive? Running Linux?"

Over the past month and a half, I upped my game a little more to try yet another experiment in my Linux journey - perhaps the boldest of all of mine to date. This was the challenge: yank out Windows from my work computer and use solely a GNU/Linux OS to do all my work-related tasks at my job for a month.

Fast-forward to today and I've not only aced the experiment, but continued it as well indefinitely with no signs of stopping. And let's say that I've learned a lot with it. In short, as far as my job is concerned, Linux is ready for the corporate desktop world, and as a matter of fact, does a much better job at it with this hardware.

This post outlines some of the steps I took to convert my standard "casual home use" installation into a fully-powered corporate workstation OS, and some caveats and tips for anyone wanting to try something like it.

Some Background: work environment, hardware, etc

Before we begin, a warning: this project might not be for everyone. Unfortunately, the IT corporate environment nowadays varies quite a lot from company to company and your conditions might not be so welcoming to a Linux machine to perform the same as a Windows one. Software used in the office, network availability and even the conditions of the hardware will all affect how well this task is performed. Thus, I'll share some background information about my work environment which will probably justify how this was achievable in the first place.

Job overview

My job would probably be described as "managerial" instead of a specialist or analyst role, which makes me less likely to face specific types of software, and instead focus mainly on the "big three" of Office: Word, PowerPoint and Excel. I use this point to my advantage, given that I then don't have to worry about the shaky compatibility of Linux with some notoriously bad software out there, and can even use the webapp version of Office365 (which my company uses heavily) with success as well.

I have a hybrid work schedule, which means that though I'm bound to commute, I can work a few days per week at home. This helped me familiarize myself with the feel of my work environment on Linux over the years, preparing me for the big jump.

Work environment

My office has non-fixed hot-desk stations equipped with a dock and peripherals (monitor, keyboard and mouse). Each worker docks their laptop to it and spends the day in there, cleaning up at the end of the day. The docks (sourced from more than one brand) connect to the machine via a USB-C thunderbolt cable, which charges and connects the peripherals.

Support for the DisplayLink protocol that connects to the monitor under the hood is shaky in Linux (proprietary driver blob and all) and success is mixed. However, I've found that at least one model of dock here works quite well with it. As long as I use that one, my experience is equal to that of Windows (two displays, seamless connection, etc). If those are taken, I have to provide myself an HDMI cable and connect the monitor externally myself (or just work with my laptop's display).

My office does not offer cabled connections to any work posts, and instead we use WiFi. There are two SSIDs, one corporate network and a guest one. The admin network requires a particular certificate in the machine for authentication a-la 802.1X, but the guest one is just a WPA2 password-protected 802.11ac (i.e. 5GHz) network. Even with Windows, I was able to connect to the guest wifi (there was no MAC filtering), and it was the same for Linux.

There are lots of external contractors that work in the office, and thus the capacity of the guest WiFi is quite large (unlike, say, a tiny network just for hospitality of guests of meetings).

Hardware

Finally, my work-issued laptop is a very Linux-friendly Thinkpad Carbon X1. It uses an NVMe SSD for storage and has 8GB RAM which is soldered so I, sadly, can't increase it.

There's another very special thing about this laptop: the BIOS came unlocked. Mistake or intentional, this became a very handy back door: I can change boot settings, disable secure boot and even lock the BIOS back with my own password. Because of this, I previously experimented booting off a USB drive with it and working a few short sessions.

Needless to say, this thing alone is the only reason why I was able to run this experiment at all, and you'd have to be very lucky to have this case on your own work machine as well.

And now that the context is explained, let's go in-depth with my software stack of choice for this.

Choice of Distribution

It's no secret that I really love Debian Linux, and when it came to choosing which OS to install on this workhorse, I gave literally zero second thoughts. I was feeling particularly adventurous this time, though, so I also chose to run the Unstable distribution, too.

One question that remains, though: kzimmermann, if you also like non-systemd distros, then why didn't you install Devuan instead? Quick answer is that at that point (February-March 2024), the Devuan Ceres (unstable) release was not at a very usable state due to some conflicts with Debian's policies (usr-merge conflicts, 64-bit time transition, etc). I wanted to remain practical even at the cost of resources, which is why I went with Debian instead.

Additional software and configuration

In order to make full use of the hardware, I decided to make the configuration of the OS a little more compatible with my work, even if at the expense of resource usage. Here's a summary.

Install Chromium

Cue the loud booing from the audience.

We all know it sucks and destroys the web, but the reality is this: if you want Office365 webapps to work correctly and without any issue, this is the browser to use. It's the one that Edge was based on, and it's the only one (so far) that can work completely without a hitch with the dreadful MS Teams.

Firefox also works with most of Office365, but MS Teams video calls are shaky. Voice calls are OK, but video didn't work. And since calling and conferencing are an integral part of my job, this was an unfortunate no-no.

It's a fair tradeoff in my opinion, since the alternative would be to try to fit desktop apps with wine and limited success. By putting everything on the web, you only need one shitty browser instead of a slew of proprietary programs.

I in particular just installed regular chromium from the repos, but if you want to minimize the impact, there's also the famous ungoogled-chromium project to try. I haven't tested it to see if it works as nicely as plain chromium.

Install a sound server like pulseaudio

I had never thought I'd need anything more complex than ALSA to play sound, but having to use a dock and HDMI (plus the many other embedded microphones of this laptop - why?) made it challenging to streamline everything with the simple, yet straightforward ALSA. Thus I decided to try pulseaudio.

pulseaudio meme where there's no sound in the cartoon

For all of its notoriety and memeable issues, I found out that pulseaudio worked well enough in my multi-input and output working environment. Since my Debian installs are quite minimal (no DE, minimal graphical applications, etc), it was not installed. Getting it to work was easy: just install pulseaudio and reboot. The moment it comes back, all your sound is managed through it now.

While you're at it, install the utilities pamix and pavucontrol as well so you can fine-tune the volume and input-output of each of the devices. This proved very handy when using the dock's 3.5mm jack or the HDMI cables during meetings.

And if you don't like Pulseaudio, don't take my word for it - I hear that Pipewire is another promising and more modern alternative. I just used what worked for me.

Enable hibernation and decent power management

The S3 ACPI state a.k.a suspend to RAM is a nice feature to have in a laptop and quick to deploy. However, I soon found that putting the laptop to sleep at the end of the day and resuming it in the next morning would leave me with very little battery left, when sometimes I had to already attend meetings and do other things.

I needed something a little more economical in the long run, even if it wasn't as fast. The answer came in as Hibernation to disk (the S4 state).

Even though both sleep and hibernation capabilities are enabled by default in Debian (via the systemctl command), for hibernation to work in a practical manner you need a lot more swap space than the default 980 MB that comes with the installation. Luckily, I was able to resize that partition even though it was encrypted thanks to this procedure I tried before.

After increasing the swap to about 6~7 GB, at the end of the day all I have to do is then:

# systemctl hibernate

And the laptop hibernates in about 20 seconds. Yes, this is an eternity compared to the immediate suspend command, but seeing that I only do it once after the work is over, it seems like a feasible compromise. Plus the screen locks correctly when I turn it back on.
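A way to check beforehand whether the image will fit, as an added example that is not from the original post. It assumes the image is at most MemTotal minus MemAvailable (a conservative estimate) and that the caller names the swap device used for resume; the sample values and the device name /dev/dm-2 are constructed.

```python
#!/usr/bin/env python3
"""Estimate whether a hibernation image fits on the resume swap device."""
import sys

# Constructed samples: an 8 GB laptop with the installer's ~980 MB swap.
SAMPLE_MEMINFO = """\
MemTotal:        7915000 kB
MemFree:          610000 kB
MemAvailable:    4200000 kB
SwapTotal:        999420 kB
"""
SAMPLE_SWAPS = """\
Filename   Type       Size    Used  Priority
/dev/dm-2  partition  999420  0     -2
"""

def parse_meminfo(text):
    """Return /proc/meminfo fields as {name: KiB}."""
    fields = {}
    for line in text.splitlines():
        name, _, rest = line.partition(":")
        parts = rest.split()
        if parts and parts[0].isdigit():
            fields[name.strip()] = int(parts[0])
    return fields

def parse_swaps(text):
    """Return {device: free KiB}; Size and Used in /proc/swaps are KiB."""
    free = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) >= 4 and cols[2].isdigit() and cols[3].isdigit():
            free[cols[0]] = int(cols[2]) - int(cols[3])
    return free

def hibernate_check(meminfo_text, swaps_text, resume_dev):
    """Compare a worst-case image size with free space on resume_dev only."""
    mem = parse_meminfo(meminfo_text)
    # Assumption: memory that is not reclaimable must be written out. The
    # kernel normally compresses the image, so this errs on the safe side.
    need = mem["MemTotal"] - mem["MemAvailable"]
    have = parse_swaps(swaps_text).get(resume_dev, 0)
    return {"need_kib": need, "free_kib": have, "fits": have >= need}

if __name__ == "__main__":
    dev = sys.argv[1] if len(sys.argv) > 1 else "/dev/dm-2"  # assumed name
    with open("/proc/meminfo") as m, open("/proc/swaps") as s:
        print(hibernate_check(m.read(), s.read(), dev))
```

The check looks at one swap device rather than SwapTotal because the image is written to a single swap area, so swap spread over several devices (or held in zram) does not add up.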

Finally, to top the talks of power management, I found a very nifty package that allows me to extend greatly the laptop's battery across the day: tlp. I'm not sure if it's optimized for or exclusive to ThinkPads, but it's super easy to set up and works well by default in mine. It's available from the unstable repos, so installation is easy:

# apt install tlp
# systemctl enable tlp.service

If you're not satisfied with tlp, you can install linux-cpupower and toggle the governors manually for performance and powersave, as well as fiddle with the maximum and minimum frequencies allowed.

Stealth tips to remain undetected

I reckon that not every IT department might be happy with what I did. While I tend to think that it shouldn't matter what software stack I use as long as I'm delivering (many contractors in my place use Mac, for example), this might be an issue depending on who's monitoring it on the other side. Thus, our next step is to be able to cover our tracks while working in premises, using the office's infrastructure.

Using the network stealthily

Besides always connecting to the guest wifi (like the contractors of my office), I take two additional steps to conceal myself of that use: change my MAC address before connecting and lock my DNS servers to ones of my choice afterwards.

There was a time that I used macchanger to spoof my MAC address to something of my choice, but modern Linux systems can use the more modern ip utility to set this in a native manner. For starters, get a MAC address to spoof. You can take the OUI of a real device and then add three random bytes to the end of it to get a convincing, yet fake address.

The Wireshark project has a very nice OUI exploring tool. By looking up "Apple," for example, you could use one of its OUIs 7C:50:49 and tack a random suffix to produce the spoofed MAC address 7C:50:49:15:97:AC. To change your WiFi NIC's MAC address to it, then, the commands are:

# ip link set dev wlan0 down
# ip link set dev wlan0 address 7C:50:49:15:97:AC
# ip link set dev wlan0 up

Remember to run this every time you reboot the computer, though, because the MAC address is hardcoded in the device and will reset the moment you power it off.
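From the network operator's side, an address change like this shows up in DHCP records, because the client usually keeps sending the same hostname. The following added example (not from the original post) groups lease acknowledgements by hostname and labels hosts whose MAC changed; the log lines are constructed in the style of dnsmasq DHCPACK messages, and the hostnames and every address except 7C:50:49:15:97:AC are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the style of dnsmasq DHCPACK lines (assumed source).
SAMPLE_DHCP_LOG = """\
May  2 08:58:11 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.20.5.77 7c:50:49:15:97:ac debian-x1
May  2 09:02:40 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.20.5.80 5e:1b:22:90:4f:07 pixel-7
May  3 08:55:02 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.20.5.91 54:e1:ad:3b:0c:9e debian-x1
May  3 09:10:19 gw dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.20.5.83 da:44:0c:71:e2:15 pixel-7
"""

ACK = re.compile(
    r"DHCPACK\(\S+\)\s+\S+\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\S+)", re.I)

def locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set, as it is on
    addresses generated by OS-level MAC randomisation."""
    return bool(int(mac[:2], 16) & 0x02)

def macs_by_hostname(log_text):
    """Map each DHCP hostname to the set of MAC addresses it was leased on."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = ACK.search(line)
        if m:
            mac, host = m.groups()
            seen[host.lower()].add(mac.lower())
    return seen

def classify(log_text):
    """Label every hostname that appears with more than one MAC address."""
    report = {}
    for host, macs in macs_by_hostname(log_text).items():
        if len(macs) < 2:
            continue
        vendor_style = [m for m in macs if not locally_administered(m)]
        if len({m[:8] for m in vendor_style}) > 1:
            kind = "oui-change"      # claims two different manufacturers
        elif not vendor_style:
            kind = "randomised"      # all addresses have the U/L bit set
        else:
            kind = "multiple-macs"
        report[host] = (kind, sorted(macs))
    return report
```

On the sample, `debian-x1` is labelled `oui-change`: both of its addresses look vendor-assigned, but they carry different OUIs.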

The next step is to lock your DNS once you are connected to the corporate network. Though you might not exactly know about it, when you use the DHCP protocol you get more than just an internal IP address assigned to your host. Things like the default gateway of the network (that is: where do you reach to "exit" the network for the internet) and the "preferred" nameservers of the place are also assigned to your host, but you don't have to use them.

By choosing a DNS server after connecting, you can keep using your DNS servers instead of the ones your work's network issues you, and thus can prevent them from watching your queries. Start by getting the address of a DNS server you trust. The OpenNIC project is a good start. Once you have an address, edit /etc/resolv.conf and add it as the first line:

nameserver 94.247.43.254
...

And voila. You are now invisible to the workplace's DNS. Just remember to do this every time you reconnect (it resets it to their servers).
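How this looks from the network side, as an added example that is not part of the original post: editing /etc/resolv.conf changes which server receives the queries, but they still cross the local network as ordinary port 53 traffic. The flow-record format, the approved-resolver list and every address other than 94.247.43.254 are constructed assumptions.

```python
from collections import defaultdict

# Assumption: the resolver that the guest network's DHCP server hands out.
APPROVED_RESOLVERS = {"10.20.0.53"}

# Constructed flow records; only 94.247.43.254 comes from the post.
SAMPLE_FLOWS = """\
2024-05-02T09:14:03Z src=10.20.5.77 dst=94.247.43.254 proto=udp dport=53 bytes=78
2024-05-02T09:14:04Z src=10.20.5.80 dst=10.20.0.53 proto=udp dport=53 bytes=64
2024-05-02T09:14:09Z src=10.20.5.77 dst=94.247.43.254 proto=udp dport=53 bytes=81
2024-05-02T09:15:30Z src=10.20.5.77 dst=203.0.113.10 proto=tcp dport=443 bytes=5120
malformed line without fields
"""

def parse_flow(line):
    """Split 'timestamp key=value ...' into a dict; bad tokens are ignored."""
    return dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)

def off_policy_dns(flow_text, approved=APPROVED_RESOLVERS):
    """Count port-53 flows per client to resolvers outside the approved set."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        f = parse_flow(line)
        src, dst = f.get("src"), f.get("dst")
        if not src or not dst or f.get("dport") != "53":
            continue
        if f.get("proto") in ("udp", "tcp") and dst not in approved:
            hits[src][dst] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    for src, dsts in off_policy_dns(SAMPLE_FLOWS).items():
        for dst, n in dsts.items():
            print(f"{src} sent {n} DNS flows to unapproved resolver {dst}")
```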

Finally, if you're still worried that someone might complain about the name "Linux" appearing in the access logs of your online systems, one last tip: change the browser's User-Agent string. There's a nice Firefox addon that gives you full control of which UA to spoof, even allowing cross-browser spoofing. It's also available for Chromium.

Be able to back out if needed

Backup plans are always needed, and they don't always need to be software-based. As a last resort, I always keep a screwdriver handy in my bag alongside the original Windows drive that came in. If things go sour, 5 minutes and a reboot is all it takes for me to come back in "standard" mode. Hardware-hacker style.

Pet peeves

Not everything about my plan is perfect, of course, and Linux being Linux, there will always be a little something that doesn't work quite perfectly, though most are passable. Here's a list of things that still don't work well:

Conclusion

It's 2024, all my corporate infrastructure lives in the so-called cloud, and some corporate heads even encourage the BYOD trend to cut down on equipment cost. Why shouldn't I be able to work with my own software stack on top of the hardware, if it allows me to do so and I'm more efficient that way? And efficient it is. The battery lasts a lot longer under Debian and the computer doesn't heat up nearly as much.

Working with Linux in the office or at home is perfectly doable for generic office managerial-ish tasks, as long as you do a very small amount of tweaking to it. And you can take some precautions to make sure you remain stealthy if you need, which are skills that can translate to other environments too, like a sketchy café or airport lounge wifi.

There are dozens of contractors, and even some core staff, in my place that bring in their Windows or Mac machines and work transparently there. Linux isn't and shouldn't be considered an exception, a handicap, or even a threat to it.


Do you work with Linux 100% of your time? How is your experience with it? Did anybody from your IT department complain? Let me know on Mastodon!


This post is number #53 of my #100DaysToOffload project.


Last updated on 05/09/24