I wonder if it is possible to configure and use Qubes OS with a specific setup. I would need to configure a Qubes OS workstation and give it to an employee, but that person should not be allowed to make a few changes like:
modify VPN
modify firewall
have admin access to the qubes
being able to make changes to the system
I know Qubes OS is meant to be used by a single user with administrator access at all levels, but I wonder Qubes OS could be used in cybersecurity environments with strict policies.
Maybe it is possible to achieve with a dedicated login in sys-gui, and only give them the qubes they need by configuring the guivm of each qube, and setup a root password on each.
However, they will still be able to configure the qubes, I guess a policy could be modified to prevent sys-gui to modify attributes of a qube.
Design for a Guest qube also comes to mind. Theoretically a disposable full-screen untrusted qube with minimal privileges without having access to qvm-copy/move… and proper policies to reject access to global clipboard and other critical resources. Disallowing user to exit the full-screen mode of the guest qube without powering it off. Upon exit should return to the login screen.