Manage Linux with Microsoft Intune

Hello everyone, this is my first post about managing your Linux device with Microsoft Intune. There are not many options to manage at the moment, but for device compliance this can be a good method to secure your company resources on Linux.

Prerequisites and overview

  • Intune license
  • Azure Active Directory P1 or P2 license (for Conditional Access)
  • Linux device or VM with Ubuntu 22.04 (LTS)
  • Global Admin account for the tenant (RBAC roles Intune Administrator and Conditional Access Administrator will also work)

What are the management options for Linux devices at the moment?

  • Compliance policies with the following features
    • Allowed Distributions (OS version)
    • Device Encryption
    • Password policy
  • Compliance policy detection scripts

Creating a compliance policy for Linux

  1. The first important part of this configuration is the compliance policy. We need to configure this in the Microsoft Intune portal. In the portal you select Devices and click on Linux. Here you can click on Compliance Policies. Then you click on Create policy to start the configuration.
  2. Now click on Create at the bottom and give the policy a name. Click on Add Settings to open the Settings catalog. Here you can select multiple options. I will pick Device Encryption and Password Policy. Be sure to check the boxes to add the settings to the policy, and fill in the options like the following screenshot. You can click on Next to proceed with this configuration.
  3. At the next screen I will use the default settings and click on Next.
  4. Here we select a dynamic group with only Linux devices. The dynamic device query for this group is: (device.deviceOSType -eq "Linux"). You can also select All Devices, but using a dynamic group gives a better overview of your Linux devices. Click on Next and then on Create to finish the Compliance Policy.

Creating a Conditional Access policy for Linux devices

  1. Configuring the Conditional Access policy can result in denied access from Microsoft services. Still, configuring this policy is needed for the compliance policy to actually secure your resources in Microsoft. We need to go to the Microsoft Intune portal to set up this policy. Click on Devices and then on Conditional access. Here you can click on New policy to start the configuration.
  2. The following options are configured in this policy.
    • Name: M2C-CA-Linux
    • Assignments
      • Users or workload identities: All users and I excluded my admin account
      • Cloud apps or actions: All Cloud apps
      • Conditions: Device platforms: Yes
        • Include: Linux
        • Exclude: Android, iOS, Windows Phone, Windows, macOS
    • Access controls
      • Grant access: Require multifactor authentication, Require device to be marked as compliant
        • For multiple controls: Require all of the selected controls
      • Session: 0 controls selected
    • Enable policy: On

Setting up Ubuntu 22.04 LTS on your device

  1. First, we download an image from the Ubuntu website.
  2. Now you can create a bootable USB or mount this ISO in Hyper-V or VMware Workstation to create an Ubuntu VM. I will skip the steps on creating the VM, but you can check this site for the Hyper-V configuration. When you boot up Ubuntu you will see the following screen. You can select the first option to start the Ubuntu installer.
  3. After you wait for a bit, you will get to the installation screen of Ubuntu. You can select the right language and then click on Install Ubuntu.
  4. Choose the right keyboard layout and click on Continue.
  5. Keep the default settings if you want; if you want a clean image you can select Minimal installation. Click on Continue.
  6. The following screen is important, because here we are going to encrypt the system drive to test the Compliance policy. Click on Advanced features to open a small screen. Here you can click on the option: Use LVM with the new Ubuntu installation. Then you can check the option: Encrypt the new Ubuntu installation for security. Then you can click on OK to close the screen and click on Install Now.
Important
Encrypting your system disk at install is the easiest way of using encryption. Encrypting your disk after the installation is going to take more time because you need scripting, and it could result in data loss on your machine.
  7. At the next screen you need to choose your security key for the encryption, and you can enable a recovery key and place it somewhere safe. In case you lose your key, you can recover access to the system with it. If you click on Install Now you will get a popup that some changes are made to the disks. Please click on Continue.
  8. Check your location and click on Continue.
  9. Here you fill in your name and pick a computer name. You can pick your username and password. I will choose a password that is compliant with the Conditional Access policy, so that Microsoft Intune enrollment with Microsoft services will be available. You can click on Continue when you have finished filling in the fields. Now the installation of Ubuntu will run for a while. When the installation has finished the machine needs to restart.
Important
When you are creating a Conditional Access policy with a compliance check, the Microsoft Intune enrollment will fail if your device is not compliant. There is no information displayed about the compliance check and details of the device.
  10. When you start the machine you will see the screen of the locked disk. You need to use the password that was created at the encryption part of this post. After you enter the correct password you will go to the login screen of Ubuntu. You always need this password for every restart of the machine.
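As an added example (not code from the original post), here is a small shell script in the shape of a local discovery script that checks whether the root filesystem sits on the LUKS layer that the install steps above create; the setting name DiskEncrypted and the sample device chains are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a local check, in the shape of a
# discovery script, that reports whether "/" sits on a LUKS (dm-crypt) layer.
# On an Ubuntu 22.04 "LVM + encrypt" install the device chain under "/" is
# lvm -> crypt -> part -> disk, which is the layout the install steps above
# produce. The JSON setting name DiskEncrypted is this example's own choice.

# Returns 0 when a block device's TYPE chain, as printed by
# `lsblk -sno TYPE <dev>` (one type per line, from the device down to the
# disk), contains a crypt layer. Taking the chain as an argument keeps the
# logic testable without lsblk.
chain_has_crypt() {
    for t in $1; do
        [ "$t" = "crypt" ] && return 0
    done
    return 1
}

# Resolve the device backing "/" and print its TYPE chain on the live system.
live_root_chain() {
    dev=$(findmnt -no SOURCE /) || return 1
    lsblk -sno TYPE "$dev"
}

# Emit the one-line JSON document a discovery script hands back.
report() {
    if chain_has_crypt "$1"; then
        printf '{"DiskEncrypted": true}\n'
    else
        printf '{"DiskEncrypted": false}\n'
    fi
}

# Constructed sample chains standing in for an encrypted and a plain install.
ENCRYPTED_CHAIN="lvm
crypt
part
disk"
PLAIN_CHAIN="part
disk"

if [ "${1:-}" = "--live" ]; then
    report "$(live_root_chain)"
else
    report "$ENCRYPTED_CHAIN"   # {"DiskEncrypted": true}
    report "$PLAIN_CHAIN"       # {"DiskEncrypted": false}
fi
```

Run it with `--live` on the installed machine to check the real root device; without arguments it runs against the two constructed chains.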

Enrolling the Linux device in Microsoft Intune

  1. The first step for enrollment is to download and install two apps on the system. First, we start with Microsoft Edge. This app can be downloaded by clicking on the following link within Ubuntu and selecting Linux / Ubuntu as operating system. You will get a .DEB file; you can double click on it and select Software Install for installation. Or search for "Download Edge" in Firefox in Ubuntu; the first result will give you the right page. When Edge is installed you can find it in your software list by clicking on the button icon at the bottom left of your dock.
  2. Now we can configure the Microsoft Intune app. There is no easy app download for installation yet, but with some scripting we can install the Microsoft Intune app from Ubuntu. First you need to open the terminal by clicking on the button that shows your software on Ubuntu. Once the terminal is open, you can run the following commands.
  3. Install curl: the installation of curl (and gpg) is needed for the next commands to succeed for the enrollment of Microsoft Intune.
$ sudo apt install curl gpg
  4. Install the Microsoft package signing key: this key is needed to install the Microsoft Intune app.
$ curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg

$ sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/

$ sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/22.04/prod jammy main" > /etc/apt/sources.list.d/microsoft-ubuntu-jammy-prod.list'

$ sudo rm microsoft.gpg
  5. Install the Microsoft Intune app: once the key is installed the Microsoft Intune app can be installed. First, we update the package list from Ubuntu.
$ sudo apt update

$ sudo apt install intune-portal
  6. Reboot your device (by clicking on the top right power button and clicking on Restart).
  7. Once Ubuntu has rebooted the Microsoft Intune app becomes available in your software list. This app updates automatically. Click on the app to open the Microsoft Intune app and start the enrollment.
  8. Now you can sign in with your Microsoft work or school account to start the enrollment. Click on Next, then enter your password and handle the MFA request.
  9. The enrollment succeeds, and the Microsoft Intune app states that my device is compliant. Please check the image gallery to see all stages of enrollment. You can see that the device is compliant.
  10. So, now we need to change our password in Ubuntu to become not compliant. Because my password currently matches the compliance policy, I need to change it to one with less complexity. You can click on the top right and click on Settings to go to the Users tab in this menu. Here you can change your password.
  11. Let's check in the Microsoft Intune app if my device is compliant. As you can see, my device is not compliant. So, this shows that you have some management capabilities for Linux devices. How cool is that!
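The key installation step above pipes the download straight into the keyring without checking which key arrived. As an added example (not from the original post or from Microsoft), this script verifies the key's fingerprint before installing it; EXPECTED_FPR is a placeholder to fill in from Microsoft's documentation, and the sample gpg listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check the downloaded Microsoft
# package signing key against a known fingerprint before placing it in
# /usr/share/keyrings, so a bad download or a tampered key is never trusted
# by apt. EXPECTED_FPR is a placeholder: take the real value from Microsoft's
# published documentation, not from this page.
EXPECTED_FPR="REPLACE_WITH_PUBLISHED_FINGERPRINT"

# Pull the primary key's fingerprint out of gpg's machine-readable listing
# (`gpg --with-colons --with-fingerprint --show-keys <file>`): it is field 10
# of the first "fpr" record that follows a "pub" record.
primary_fingerprint() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub"         { seen = 1 }
        $1 == "fpr" && seen { print $10; exit }'
}

# Returns 0 only when the listing's primary fingerprint equals the expected one.
key_matches() {
    [ "$(primary_fingerprint "$1")" = "$2" ]
}

# Download, verify, then install; on mismatch nothing reaches the keyring.
install_verified_key() {
    tmp=$(mktemp) || return 1
    curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > "$tmp" || { rm -f "$tmp"; return 1; }
    listing=$(gpg --with-colons --with-fingerprint --show-keys "$tmp")
    if key_matches "$listing" "$EXPECTED_FPR"; then
        sudo install -o root -g root -m 644 "$tmp" /usr/share/keyrings/microsoft.gpg
        rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "fingerprint mismatch: key not installed" >&2
        return 1
    fi
}

# Constructed gpg listing for an offline run (key ids and fingerprint made up).
SAMPLE_LISTING='pub:-:4096:1:0000000000000000:1427000000::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1427000000::0000000000000000000000000000000000000000::Example Key <example@example.invalid>::::::::::0:
sub:-:4096:1:1111111111111111:1427000000::::::e::::::23:'

if [ "${1:-}" = "--install" ]; then
    install_verified_key
fi
```

With `--install` it performs the real download and check; without arguments it only defines the functions and the constructed listing.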

More Information

Enroll a Linux device in Intune | Microsoft Learn

Download Ubuntu Desktop | Download | Ubuntu

Install Ubuntu desktop | Ubuntu

Check device status in Microsoft Intune app for Linux | Microsoft Learn

Final Thoughts

Managing Linux with Microsoft Intune could bring some good future scenarios, where you can manage all your Linux-based thin clients, adding apps like the AVD Remote Desktop Client or the Windows 365 app on the devices to log in to a desktop. Or, if your company has Linux as its main OS, you could use apps like Edge and Teams on your devices. The list of apps will get bigger in the future. I hope you enjoy this post, and feel free to comment in the section below.
