IT departments can mandate tools like ninjaone and kolide, which let them run queries across the fleet of devices, and (as I understand it) basically gives them root-level remote code execution.
replyThe corporate VPN (or equivalent) can then perform 'posture checking' requiring that the tools be installed and working before connecting to the corporate network.
Obviously, 99% of Linux users have root on their device so nothing stops them wiping it and installing something new from scratch. But then they'll fail the posture checks until the device is returned to the approved setup.
Kolide admin provides a web UI for osquery so you can query things. It allows remote osquery queries but not remote code execution. You generally pair it with CrowdStrike Falcon.
replyKolide does a spot check like "is falcon sensor running" but if the user logs in, has the session token created, and then disables whatever the session token would still be valid.
Also Kolide doesn't actually count as an MDM. Has a bunch of missing features. I recently evaluated it.