Create Linux Compliance Policy in Intune for Devices & Users

In this article, you’ll learn how to create Linux compliance policy in Intune and deploy it to users and managed devices. You can create a device compliance policy in Intune for Linux devices, and define the rules and settings that users and managed devices must meet to be compliant.

Microsoft Intune now supports Linux device management for devices running Ubuntu Desktop 22.04 or 20.04 LTS. With the latest announcement done in Ignite 2022 by Microsoft, the general availability of Linux desktop management in Microsoft Intune is now available. This means you can use Microsoft Intune to sign up and register your own Linux device on your company’s network.

End users can enroll supported Linux devices on their own and use the Microsoft Edge browser to access corporate resources online. Refer to the step-by-step guide on enrolling Linux devices in Intune.

In this guide, I’ll show you how to use Intune to set up and assign device compliance policies for Linux devices. As an example, I will show you how to configure a “Require Device Encryption” compliance policy for Linux devices, which checks if the hard disks are encrypted.

Useful Article: How to Duplicate Settings catalog in Microsoft Intune

Custom Compliance for Linux Devices

We know that a lot of device compliance checks are needed to make sure that corporate assets are safe. Using Endpoint Manager’s own compliance policies, IT administrators can create their own Bash scripts to assess the characteristics of Linux endpoints that are most crucial to their firm. Organizations can cover their unique compliance scenarios by creating custom compliance policies.

According to Microsoft, later this fall, a new device configuration solution for Linux in Endpoint Manager will be released. This will be a custom configuration solution that customers can configure with Bash scripts. With this solution, customers can achieve a wide range of scenarios, like deploying Wi-Fi profiles and certificates to Linux desktops. Expect a set of pre-defined scripts that you can use to get started with custom scripting.

Recommended Reading: Generate and Export Intune Device Compliance Report

Enroll the Linux devices into Microsoft Intune

Before you create Linux compliance policy in Intune, you must first enroll the Linux devices in Intune. You can refer to the following guide on how to enroll Linux devices in Intune. After you enroll the Linux devices into Intune, you will notice that

The first release of Linux management in Intune will include the following functionalities:

  • Enrollment of Ubuntu LTS (22.04, 20.04) desktops
  • Conditional Access policies protecting web applications via Microsoft Edge
  • Standard compliance policies
  • Support for Bash scripts for custom compliance policies

You can refer to the below guides for enrolling Windows devices in Intune (Microsoft Endpoint Manager).

Create Linux Compliance Policy in Intune

Let’s look at the steps to create Linux compliance policy in Intune.

  • Sign-in to Microsoft Endpoint Manager admin center.
  • Navigate to Devices > Linux > Compliance policies.
  • To create a new policy, select Create Policy.
Create Linux Compliance Policy in Intune
Create Linux Compliance Policy in Intune

The Platform is Linux and Profile Type is Settings catalog. Click Create.

Create Linux Compliance Policy in Intune
Create Linux Compliance Policy in Intune

On the Basics tab of Create profile, specify the name for the policy such as “Device Encryption Compliance Policy“. Add a brief description for the compliance policy. Click Next to continue.

Device Encryption Compliance Policy for Linux Devices
Device Encryption Compliance Policy for Linux Devices

The Settings Catalog in Intune allows you to choose which settings you want to configure for Windows and Linux devices. Click on Add Settings to browse and search the catalog for the settings you would like to configure for Linux devices.

Also Read: Learn how to Create Intune Settings Catalog Policy

Settings Catalog - Add Settings
Settings Catalog – Add Settings

Configure Device Encryption for Linux devices with Intune

In this section, I will show you how to configure the device encryption for Linux devices with Microsoft Intune. The device encryption checks if the hard drives on Linux devices are encrypted, and based on the checks, it tells you if the device is compliant or non-compliant.

If the Linux device’s hard drive is encrypted, the machine will be compliant; otherwise, the device will not be compliant. On the Settings Picker window, under the Category, select Device Encryption. The Device encryption category has only one setting which is “Require Device Encryption“. Select it and close the Settings picker window.

Require Device Encryption for Linux
Require Device Encryption for Linux

The Require Device Encryption setting specifies whether device-level encryption is required for writable fixed disks on this computer. Turn the slider to “True” thereby enabling this setting, and click Next.

Turn on Require Device Encryption for Linux
Turn on Require Device Encryption for Linux

On the Actions for noncompliance tab, you can specify the sequence of actions on noncompliant devices. This is an optional configuration but useful. You can email the user of the Linux device informing them about the device noncompliance. We also have a Message Template to send emails to users, but currently there are no templates available. I would expect Microsoft to add the templates in upcoming updates. Click Next to continue.

Configure Actions for Non-Compliance
Configure Actions for Non-Compliance

Assign the Linux Device Compliance Policy to Devices and Users

On the Assignments tab, click Add groups to choose the groups or users to whom you want to assign the Linux compliance policy. There are no scope tags option for Linux devices. Click Next.

Assign Linux Device Compliance Policy
Assign Linux Device Compliance Policy

Review the device encryption compliance policy settings that are configured for Linux devices and click on Create. This action will create a new Linux compliance policy in Intune.

Create Linux Compliance Policy in Intune
Create Linux Compliance Policy in Intune

After you create Linux compliance policy in Intune, they appear under Linux > Compliance policies. From this screen, you can edit the policy and make the changes if required.

Create Linux Device Compliance Policy in Intune
Create Linux Device Compliance Policy in Intune

Verify Compliance Policy on Linux Devices

After assigning the compliance policy that checks Linux devices for disk encryption, we will check the device’s status in this step. Launch the Microsoft Intune app on your Linux device and sign-in if required.

The Linux device is displayed as “Compliant” in the screenshot below because it hasn’t received the compliance policy that we assigned. Any new Linux device that you enroll shows as compliant unless you deploy compliance policies.

On Windows, we have an options to manually sync Intune devices but in Linux there is only one way to sync the policies. Click the Refresh option and this will force your Linux device to connect with Intune to get the latest updates, requirements, and communications from your organization.

Check Compliance Policy on Linux Devices
Check Compliance Policy on Linux Devices

After a few seconds, we see the Linux device shows non-compliant. We see the following message: This device doesn’t meet your organization’s device and security requirements. You might not have access to your organization’s resources, such as email, from this device.

The message above is a general message that shows up on all Linux devices that are non-compliant. Click View Issues to see the cause of the non-compliant device.

Check Compliance Policy on Linux Devices
Check Compliance Policy on Linux Devices

When you click the View issues button in the Microsoft Intune app, you can see exactly why the Linux device is not compliant. For example, in our case, we know that the Linux device is not compliant because the hard drives are not encrypted. Encrypting the hard drives on this Linux device will make it compliant.

Check Compliance Policy on Linux Devices
Check Compliance Policy on Linux Devices

One Comment

  1. Great article Prajwal! Is the list of compliance policies supposed to be shown within each device, in the Device compliance tab? (Devices > Linux device in question > Device Compliance)

    Only the built-in shows up for me.
    Thanks a lot!

Leave a Reply

Your email address will not be published. Required fields are marked *