In this article, you’ll learn how to create Linux compliance policy in Intune and deploy it to users and managed devices. You can create a device compliance policy in Intune for Linux devices, and define the rules and settings that users and managed devices must meet to be compliant.
Microsoft Intune now supports Linux device management for devices running Ubuntu Desktop 22.04 or 20.04 LTS. With the latest announcement done in Ignite 2022 by Microsoft, the general availability of Linux desktop management in Microsoft Intune is now available. This means you can use Microsoft Intune to sign up and register your own Linux device on your company’s network.
End users can enroll supported Linux devices on their own and use the Microsoft Edge browser to access corporate resources online. Refer to the step-by-step guide on enrolling Linux devices in Intune.
In this guide, I’ll show you how to use Intune to set up and assign device compliance policies for Linux devices. As an example, I will show you how to configure a “Require Device Encryption” compliance policy for Linux devices, which checks if the hard disks are encrypted.
Useful Article: How to Duplicate Settings catalog in Microsoft Intune
Custom Compliance for Linux Devices
We know that a lot of device compliance checks are needed to make sure that corporate assets are safe. Using Endpoint Manager’s own compliance policies, IT administrators can create their own Bash scripts to assess the characteristics of Linux endpoints that are most crucial to their firm. Organizations can cover their unique compliance scenarios by creating custom compliance policies.
According to Microsoft, later this fall, a new device configuration solution for Linux in Endpoint Manager will be released. This will be a custom configuration solution that customers can configure with Bash scripts. With this solution, customers can achieve a wide range of scenarios, like deploying Wi-Fi profiles and certificates to Linux desktops. Expect a set of pre-defined scripts that you can use to get started with custom scripting.
Recommended Reading: Generate and Export Intune Device Compliance Report
Enroll the Linux devices into Microsoft Intune
Before you create Linux compliance policy in Intune, you must first enroll the Linux devices in Intune. You can refer to the following guide on how to enroll Linux devices in Intune. After you enroll the Linux devices into Intune, you will notice that
The first release of Linux management in Intune will include the following functionalities:
- Enrollment of Ubuntu LTS (22.04, 20.04) desktops
- Conditional Access policies protecting web applications via Microsoft Edge
- Standard compliance policies
- Support for Bash scripts for custom compliance policies
You can refer to the below guides for enrolling Windows devices in Intune (Microsoft Endpoint Manager).
Create Linux Compliance Policy in Intune
Let’s look at the steps to create Linux compliance policy in Intune.
- Sign-in to Microsoft Endpoint Manager admin center.
- Navigate to Devices > Linux > Compliance policies.
- To create a new policy, select Create Policy.
The Platform is Linux and Profile Type is Settings catalog. Click Create.
On the Basics tab of Create profile, specify the name for the policy such as “Device Encryption Compliance Policy“. Add a brief description for the compliance policy. Click Next to continue.
The Settings Catalog in Intune allows you to choose which settings you want to configure for Windows and Linux devices. Click on Add Settings to browse and search the catalog for the settings you would like to configure for Linux devices.
Also Read: Learn how to Create Intune Settings Catalog Policy
Configure Device Encryption for Linux devices with Intune
In this section, I will show you how to configure the device encryption for Linux devices with Microsoft Intune. The device encryption checks if the hard drives on Linux devices are encrypted, and based on the checks, it tells you if the device is compliant or non-compliant.
If the Linux device’s hard drive is encrypted, the machine will be compliant; otherwise, the device will not be compliant. On the Settings Picker window, under the Category, select Device Encryption. The Device encryption category has only one setting which is “Require Device Encryption“. Select it and close the Settings picker window.
The Require Device Encryption setting specifies whether device-level encryption is required for writable fixed disks on this computer. Turn the slider to “True” thereby enabling this setting, and click Next.
On the Actions for noncompliance tab, you can specify the sequence of actions on noncompliant devices. This is an optional configuration but useful. You can email the user of the Linux device informing them about the device noncompliance. We also have a Message Template to send emails to users, but currently there are no templates available. I would expect Microsoft to add the templates in upcoming updates. Click Next to continue.
Assign the Linux Device Compliance Policy to Devices and Users
On the Assignments tab, click Add groups to choose the groups or users to whom you want to assign the Linux compliance policy. There are no scope tags option for Linux devices. Click Next.
Review the device encryption compliance policy settings that are configured for Linux devices and click on Create. This action will create a new Linux compliance policy in Intune.
After you create Linux compliance policy in Intune, they appear under Linux > Compliance policies. From this screen, you can edit the policy and make the changes if required.
Verify Compliance Policy on Linux Devices
After assigning the compliance policy that checks Linux devices for disk encryption, we will check the device’s status in this step. Launch the Microsoft Intune app on your Linux device and sign-in if required.
The Linux device is displayed as “Compliant” in the screenshot below because it hasn’t received the compliance policy that we assigned. Any new Linux device that you enroll shows as compliant unless you deploy compliance policies.
On Windows, we have an options to manually sync Intune devices but in Linux there is only one way to sync the policies. Click the Refresh option and this will force your Linux device to connect with Intune to get the latest updates, requirements, and communications from your organization.
After a few seconds, we see the Linux device shows non-compliant. We see the following message: This device doesn’t meet your organization’s device and security requirements. You might not have access to your organization’s resources, such as email, from this device.
The message above is a general message that shows up on all Linux devices that are non-compliant. Click View Issues to see the cause of the non-compliant device.
When you click the View issues button in the Microsoft Intune app, you can see exactly why the Linux device is not compliant. For example, in our case, we know that the Linux device is not compliant because the hard drives are not encrypted. Encrypting the hard drives on this Linux device will make it compliant.
Great article Prajwal! Is the list of compliance policies supposed to be shown within each device, in the Device compliance tab? (Devices > Linux device in question > Device Compliance)
Only the built-in shows up for me.
Thanks a lot!