Microsoft Endpoint Manager is adding Linux workstations to its unified endpoint management solution, with preview functionality to be released in early 2022.
Customers can currently manage their Windows, Mac, iOS, and Android devices with Microsoft Endpoint Manager. However, they are either leaving Linux workstations unmanaged or are managing them with a different solution. Organizations need to ensure their Linux devices are compliant and secure, and IT administrators need to mitigate compliance issues and deploy software and updates to all types of devices, including Linux. By adding Linux support, organizations will be able to use the same unified solution they use to manage other endpoints to manage Linux desktops and ensure these endpoints are compliant so they can apply the same protection policies and configurations for secure access to company resources.
Unified cloud management for Linux
Adding Linux support to Microsoft Endpoint Manager means that apps and endpoint controls are brought together in one cloud-based endpoint management system and enables organizations to apply policies and device configurations in the same way across the supported platforms for added security and compliance.
To help move customers closer to a Zero Trust security model and cover their entire digital estate, Endpoint Manage will be able to empower IT administrators to apply the management controls such as deliver policies such as Wi-Fi profiles and certificates as well as password policies in a standard way across all their cloud managed endpoints.
With the wide variety of operating systems or distributions (distros) for Linux, we are also introducing the ability for organizations to customize scripts so IT administrators can simplify their workflows and perform a wide range of actions based on the nuances of the different distros. We are starting with support for Ubuntu and are planning support for Redhat, CentOS and Fedora. An additional capability that will be inherent to Endpoint Manager cloud management for Linux is to ensure that the device antivirus software is enabled.
Custom compliance for Windows
With these types of device checks soon to be available for Linux, organizations can ensure that the device meets the organization’s compliance policies and standards. We recognize the importance of tailoring the compliance checks to the need of our diverse customers as endpoint compliance plays a critical role in your zero trust story.
Today, we are pleased to announce the plan to release customizable compliance capabilities and we are starting with customizable compliance for Windows devices. Microsoft Intune provides many built-in device compliance settings on Windows, such as ensuring BitLocker and Windows Defender Firewall are enabled as well as using the risk score provided by Defender for Endpoint to determine compliance. However, customers often want to evaluate compliance using additional settings on the device not included in the built-in set. Custom compliance for Windows allows you to write a PowerShell script to detect almost any setting, such as BIOS version, and report that back to Intune’s device compliance engine. You then can provide a JSON definition file for each custom compliance setting that includes remediation messages, which help your users know how to get compliant again.
Create a PowerShell script to detect custom settings on Windows, which can be used to calculate compliance
We are constantly developing ways for Administrators to perform tasks in a consistent way across platforms. We are rolling out customized compliance checks for Windows first. In a future release, we plan to provide similar flexibility for Linux as evidence of our commitment to improving the productivity for administrators and simplifying their workflows.
Conditional access to web applications through Microsoft Edge
One of the outcomes of cloud management is to determine if the endpoint is compliant. Endpoint Manager help organizations determine the device posture and sends those signals to Azure Active Directory. If the device is determined by Endpoint Manager to be compliant, conditional access configurations can be applied. Conditional Access takes device compliance signals and combines them with other signals, such as user identity risk, to help secure access to apps and resources through adaptive access policies.
Now with Endpoint Manager, IT administrators can set Azure Active Directory Conditional Access policies targeted at Linux devices, in the same way it does for other Windows, mobile and mac endpoints, to ensure that only compliant Linux workstations will have access to corporate resources such as Microsoft 365 apps.
The integration between Microsoft Endpoint Manager, Azure Active Directory, and Microsoft Edge will enable secure access to Microsoft 365 web applications. Conditional Access will ensure that the user is compliant before they are able to access corporate web applications.
Let’s review the user experience for enrollment. It uses conditional access configuration applied through Endpoint Manager to enable Linux users to securely access the Microsoft Teams web application using Microsoft Edge. If a user tries to access Microsoft Teams from the Edge browser without first securing the device, they are not able to sign in.
Microsoft Endpoint Manager supported Linux endpoints required to access Microsoft 365 apps through the Edge browser
The user is not blocked but rather guided through the process to download Microsoft Intune for Linux. This enrollment allows the organization to apply the configuration that optimizes user productivity, such as access to specific company applications. The enrollment process automatically registers the user with Azure Active Directory so that risk and app-based Conditional Access policies can be tied specifically to the Linux endpoint.
Automatic enrollment registers users in Azure Active Directory for Conditional Access
The final stage of the enrollment process is the compliance evaluation, which verifies that the device distribution and other elements meet company policies. Once compliance issues have been resolved, the user will have full access to the relevant corporate resources.
Linux device enrollment in Microsoft Intune completed
Preview in early 2022
We plan to roll out a preview of the custom compliance for Windows capability in the November release of Endpoint Manager and the ability to manage Linux workstations, including conditional access early in 2022. We hope customers will be fast to try these features and provide us with feedback. When we roll out each of these capabilities for general availability, we intend to offer them as an advanced endpoint management add-on at a price above the existing licensing options that include Microsoft Endpoint Manager or Microsoft Intune. More information will be forthcoming when we finalize our pricing plans. (Update April 6, 2022: When we launch custom compliance for Windows, we no longer plan to offer it as an add-on to Endpoint Manager but will be included in the Microsoft 365 and EMS E3/E5 license plans for Microsoft Intune).
You can also let us know about your Endpoint Manager experience through comments on this blog post or reach out to @IntuneSuppTeam on Twitter. Tweet your feedback about Microsoft Endpoint using the hashtag #MEMpowered. If you’re interested in ongoing developments on Endpoint Manager, we invite you to follow the Microsoft Endpoint Manager Blog and @MSIntune on Twitter.