Getting started with compliance for Linux devices

This week is about a totally different platform than the last few months: Linux devices. A few years ago, I wrote this post about supporting the unsupported platforms. This post describes a solution that addresses the biggest part of that challenge, as it enables compliance for Linux devices, all powered by the enrollment in Microsoft Intune. That enables organizations to require Linux devices to be compliant and enables users to be productive, even on Linux devices. Besides that, it’s good to keep in mind that, at this point in time, it’s really only about device compliance: configuring Linux devices is not part of the currently available functionality. This post describes the minor details of the support for Linux devices, followed by the steps for configuring device compliance policies for Linux devices, and ends with installing the Microsoft Intune app on a Linux device and enrolling that device into Microsoft Intune.

Note: Keep in mind that, at the moment of writing, only device compliance is supported for Linux devices.

Describing the minor details

Before getting started with compliance for Linux devices in Microsoft Intune, it’s important to be familiar with the current details of that setup. Besides that, support for Linux devices ticks another box in building a zero-trust security model: another platform that can be supported by using Microsoft Intune in combination with Conditional Access, which makes it possible to require a compliant Linux device. The following important details should be familiar before getting started.

  • The enrollment of Linux devices is currently supported on devices running Ubuntu Desktop 22.04 or 20.04 LTS (and using a GNOME graphical desktop environment that is automatically included on those Linux distributions).
  • The Linux version of the Microsoft Intune app is used for the registration in Azure AD and the enrollment in Microsoft Intune. That app can be installed and updated by using a package on one of the supported Linux distributions.
  • The Linux version of the Microsoft Edge browser is required for access to corporate sites and resources. That browser is needed to actually get past Conditional Access and to make sure that device compliance can be used.

Note: Keep in mind that, at the moment of writing, device configurations are not supported for Linux devices.

Configuring a device compliance policy

When looking at getting started with the device compliance of Linux devices, it all starts with a device compliance policy. Even though it’s not technically required, the creation of the device compliance policy is the best place to start. A device compliance policy enables organizations to require specific settings to be in place for a device to be compliant. For Linux devices that compliance policy is based on the Settings Catalog for the different available settings. Those available settings are in the areas of Allowed Distributions, Custom Compliance, Device Encryption and Password Policy. The following nine steps walk through the configuration of a device compliance policy for Linux devices.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Device compliance
  2. On the Compliance policies | Policies blade, click Create Policy
  3. On the Create a policy page, select Linux as value for Platform and click Create
  4. On the Basics page, provide a valid name for the device compliance policy and click Next
  5. On the Compliance settings page, which is based on the Settings Catalog, as shown below in Figure 1, configure the required device compliance settings by going through the following actions and click Next
  • Click Add settings and choose the required settings by going through the following in Settings picker
    • Select Allowed Distributions as category to enable the Allowed Distros setting that will enable the configuration of a maximum OS version and a minimum OS version
    • Select Custom Compliance as category to enable the Require Custom Compliance setting that will enable the configuration of a POSIX-compliant shell script to check for any custom settings
    • Select Device Encryption as category to enable the Require Device Encryption setting that will enable the configuration of the device encryption
    • Select Password Policy as category to enable the Minimum Digits, Minimum Length, Minimum Lowercase, Minimum Symbols, and Minimum Uppercase settings that will enable the configuration of the different password requirements
  6. On the Actions for noncompliance page, configure the required actions for non-compliance and click Next
  7. On the Scope tags page, configure the applicable scope tags and click Next
  8. On the Assignments page, configure the required assignment and click Next
  9. On the Review + create page, review the configuration and click Create

Note: Keep in mind that the custom compliance provides an organization with a lot of flexibility to check on many different properties that are available on any supported Linux device.
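As an added example (not code from this post, nor a script published by Microsoft), the following POSIX shell discovery script is the kind of script the Require Custom Compliance setting can reference. It assumes that the custom compliance feature consumes a JSON object of key/value pairs written to stdout and compares it against rules defined on the Intune side; the post does not confirm that format. The property names and the checks (password authentication disabled in sshd_config, a dm-crypt/LUKS mapping present) are illustrative choices, and the script reports "unknown" instead of failing when lsblk is not available.

```shell
#!/bin/sh
# Custom compliance discovery script for a Linux device (added example).
# Assumption, not confirmed by the post: the Intune custom compliance
# feature reads one JSON object of key/value pairs from stdout.

# Escape backslashes and double quotes so a value is a valid JSON string.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build a flat JSON object from alternating key/value arguments.
build_json() {
    out='{'
    sep=''
    while [ "$#" -ge 2 ]; do
        out="$out$sep\"$(json_escape "$1")\":\"$(json_escape "$2")\""
        sep=','
        shift 2
    done
    printf '%s' "$out}"
}

# "true" when the given sshd_config explicitly disables password
# authentication, "false" otherwise (including when the file is missing).
sshd_password_auth_disabled() {
    if grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1" 2>/dev/null; then
        echo true
    else
        echo false
    fi
}

# "true" when any block device is a dm-crypt (LUKS) mapping,
# "unknown" when lsblk is not available on this system.
luks_mapping_present() {
    if ! command -v lsblk >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    if lsblk -rno TYPE 2>/dev/null | grep -qx crypt; then
        echo true
    else
        echo false
    fi
}

# Gather the illustrative properties and emit them as one JSON object.
report() {
    build_json \
        hostname "$(uname -n)" \
        kernel "$(uname -r)" \
        ssh_password_auth_disabled "$(sshd_password_auth_disabled /etc/ssh/sshd_config)" \
        luks_mapping_present "$(luks_mapping_present)"
    echo
}

report
```

Each check is kept in its own function so that the rule names on the Intune side map one-to-one to a line in the JSON, and a missing tool or file produces a defined value ("unknown" or "false") rather than a broken JSON object that would make the whole device read as non-compliant for the wrong reason.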

Installing the Microsoft Intune app

When looking at the enrollment of a supported Linux device, it doesn’t require anything particular to be configured in Microsoft Intune. It does, however, start with the installation of the Microsoft Intune app. On Linux devices that installation process can be split into three relatively simple steps. Those steps are 1) installing cURL, 2) installing the Microsoft package signing key, and 3) actually installing the Microsoft Intune app.

Step 1: Installing cURL (if needed)

The installation of the Microsoft Intune app starts with the installation of cURL. That’s a command-line tool for downloading or transferring data, which is needed to download the Microsoft key. The following command will install cURL.

sudo apt install curl

Step 2: Installing the Microsoft package signing key

Once cURL is installed on the Linux device, the Microsoft package signing key can be downloaded and installed. The following commands will download the key, install the key in the keyring directory, register the Microsoft package repository with that key, and eventually remove the downloaded copy of the key again.

curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/
sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/22.04/prod jammy main" > /etc/apt/sources.list.d/microsoft-ubuntu-jammy-prod.list'
sudo rm microsoft.gpg

Step 3: Installing the Microsoft Intune app

Once the Microsoft package signing key is installed on the Linux device, the Microsoft Intune app can be installed. The following commands will update the list of packages from the Internet and actually install the Microsoft Intune app.

sudo apt update
sudo apt install intune-portal

Important: Once the Microsoft Intune app is installed, reboot the Linux device to finalize the installation.

Enrolling supported Linux devices

Once the Microsoft Intune app is successfully installed on a supported Linux device, the actual enrollment process can be started. Luckily, that enrollment process is pretty straightforward. The following five steps walk through that process.

  1. Open the Microsoft Intune app
  2. On the Intune Agent page, click Sign in and sign-in with a work or school account
  3. On the Set up access page, click Begin to start the registration process
  4. On the What can my organization see or do when I enroll my device page, review the information and click Begin to start the registration of the Linux device
  5. Wait a few minutes while the device is enrolled and registered within the environment. Once successfully enrolled, the compliance of the device is checked and eventually shown (as shown in Figure 2).

After the successful enrollment of the Linux device – and once the device is compliant with the company policy – the user will be able to access company data by using the Microsoft Edge browser. Figure 3 provides an overview of successfully accessing Microsoft Teams. At this moment, no other apps provide that access to company data. Figure 4 provides an overview of unsuccessfully accessing Microsoft Teams by using Mozilla Firefox (the default browser on most Linux devices).

Note: This experience assumes that Conditional Access policies are in place that require a compliant device.

More information

For more information about compliance for Linux devices, by using Microsoft Intune, refer to the following docs.
