Microsoft Endpoint Manager adds management and compliance checks for Linux desktop
Published Nov 02 2021 08:00 AM
Microsoft

Microsoft Endpoint Manager is adding Linux workstations to its unified endpoint management solution, with preview functionality to be released in early 2022.

Customers can already manage their Windows, Mac, iOS, and Android devices with Microsoft Endpoint Manager. Linux workstations, however, are either left unmanaged or managed with a separate solution. Organizations need to ensure their Linux devices are compliant and secure, and IT administrators need to remediate compliance issues and deploy software and updates to every type of device, Linux included. With Linux support, organizations can manage Linux desktops with the same unified solution they use for their other endpoints, verify that those endpoints are compliant, and apply the same protection policies and configurations to gate access to company resources.

Unified cloud management for Linux

Adding Linux support to Microsoft Endpoint Manager brings apps and endpoint controls together in one cloud-based endpoint management system and lets organizations apply policies and device configurations the same way across all supported platforms, improving security and compliance.

To move customers closer to a Zero Trust security model that covers their entire digital estate, Endpoint Manager will let IT administrators apply the same management controls, such as Wi-Fi profiles, certificates, and password policies, in a standard way across all of their cloud-managed endpoints.

Because Linux spans many operating systems and distributions (distros), we are also introducing the ability for organizations to deploy custom scripts, so IT administrators can simplify their workflows and perform a wide range of actions that account for the nuances of each distro. We are starting with support for Ubuntu and plan to add Red Hat, CentOS, and Fedora. Endpoint Manager cloud management for Linux will also be able to verify that the device's antivirus software is enabled.

Custom compliance for Windows

With these device checks soon available for Linux, organizations can ensure that a device meets their compliance policies and standards. We recognize the importance of tailoring compliance checks to the needs of our diverse customers, because endpoint compliance plays a critical role in any Zero Trust design.

Today, we are pleased to announce plans for customizable compliance, starting with Windows devices. Microsoft Intune already provides many built-in compliance settings for Windows, such as requiring BitLocker and Windows Defender Firewall to be enabled, and it can use the risk score from Microsoft Defender for Endpoint to determine compliance. Customers often want to evaluate compliance on additional device settings that the built-in set does not cover. Custom compliance for Windows lets you write a PowerShell discovery script that reads almost any setting, such as the BIOS version, and reports it back to Intune's device compliance engine. You then supply a JSON file that defines, for each custom compliance setting, the expected value and the remediation messages that tell your users how to become compliant again.

Create a PowerShell script to detect custom settings on Windows, which can be used to calculate compliance
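As an added example, not Microsoft's sample code and not part of the original post, the block below shows the two pieces a custom compliance policy is built from: a discovery script that returns settings as compressed JSON, and the JSON rules file that tells Intune how to evaluate each setting and which remediation text to show. The setting names, the minimum BIOS version 1.12.0, and the intranet URLs are assumptions for illustration; the Operator and DataType values are the ones Intune's custom compliance documentation defines. A local pre-check function is included so you can catch a mismatched SettingName or an unparsable value before uploading either file.

```powershell
# Added example (not Microsoft's sample code): an Intune custom compliance discovery
# script for Windows plus a local pre-check of the matching JSON rules file.
# Assumed for illustration: the setting names, the 1.12.0 BIOS threshold, the URLs.

function Get-CustomComplianceState {
    # Discovery step. Each key must match a SettingName in the rules file; the
    # values are what Intune's compliance engine compares against each rule's Operand.
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware: report "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    return @{
        BiosVersion       = [string]$bios.SMBIOSBIOSVersion
        SecureBootEnabled = $secureBoot
    }
}

# Rules file uploaded alongside the discovery script. Operator and DataType values
# are the documented Intune set; {ActualValue} is filled in by Intune at display time.
$RulesJson = @'
{
  "Rules": [
    {
      "SettingName": "BiosVersion",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "1.12.0",
      "MoreInfoUrl": "https://intranet.example.com/bios-update",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "BIOS must be 1.12.0 or newer; found {ActualValue}.",
          "Description": "Run the vendor BIOS updater linked above, then reboot." }
      ]
    },
    {
      "SettingName": "SecureBootEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": "true",
      "MoreInfoUrl": "https://intranet.example.com/secure-boot",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Secure Boot is disabled.",
          "Description": "Enable Secure Boot in the UEFI firmware settings." }
      ]
    }
  ]
}
'@

function Compare-ComplianceValue {
    param($Actual, [string]$Operator, [string]$DataType, [string]$Operand)
    # Typed comparison mirroring the evaluation the compliance engine performs.
    switch ($DataType) {
        'Boolean' { $a = [bool]$Actual;    $o = [bool]::Parse($Operand) }
        'Int64'   { $a = [int64]$Actual;   $o = [int64]$Operand }
        'Version' { $a = [version]$Actual; $o = [version]$Operand }  # throws on "N2HET80W"-style strings
        default   { $a = [string]$Actual;  $o = $Operand }
    }
    switch ($Operator) {
        'IsEquals'      { $a -eq $o }
        'NotEquals'     { $a -ne $o }
        'GreaterThan'   { $a -gt $o }
        'GreaterEquals' { $a -ge $o }
        'LessThan'      { $a -lt $o }
        'LessEquals'    { $a -le $o }
        default         { throw "Unsupported operator '$Operator'" }
    }
}

function Test-CustomComplianceRules {
    param([hashtable]$State, [string]$Json)
    # Pre-upload check: every rule needs a matching discovery key, and every value
    # must be comparable under its declared DataType.
    foreach ($rule in ($Json | ConvertFrom-Json).Rules) {
        $name = $rule.SettingName
        if (-not $State.ContainsKey($name)) {
            [pscustomobject]@{ Setting = $name; Actual = $null; Result = 'MISSING KEY' }
            continue
        }
        try {
            $pass   = Compare-ComplianceValue -Actual $State[$name] -Operator $rule.Operator `
                                              -DataType $rule.DataType -Operand $rule.Operand
            $result = if ($pass) { 'Compliant' } else { 'Not compliant' }
        } catch {
            $result = "TYPE ERROR: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Setting = $name; Actual = $State[$name]; Result = $result }
    }
}

# Local dry run (run elevated). The script you upload must end with ONLY the compressed
# JSON as output, i.e.:  return (Get-CustomComplianceState) | ConvertTo-Json -Compress
$state = Get-CustomComplianceState
Test-CustomComplianceRules -State $state -Json $RulesJson | Format-Table -AutoSize
```

Run the dry run elevated, since Confirm-SecureBootUEFI requires it (Intune itself runs discovery scripts as SYSTEM). Strip the dry-run lines from the version you upload and end it with only the compressed JSON output; anything else written to the pipeline corrupts what the compliance engine parses. Note also that the Version data type only works when the firmware reports a dotted numeric string in SMBIOSBIOSVersion; many vendors return strings such as "N2HET80W", in which case compare as a String with IsEquals against a known-good value per model, or map the model to its own rule.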

We are constantly developing ways for administrators to perform tasks consistently across platforms. Custom compliance checks roll out for Windows first; in a future release we plan to bring the same flexibility to Linux, as part of our commitment to improving administrator productivity and simplifying workflows.

Conditional access to web applications through Microsoft Edge

One outcome of cloud management is a determination of whether the endpoint is compliant. Endpoint Manager evaluates device posture and sends that signal to Azure Active Directory. When Endpoint Manager reports the device as compliant, Conditional Access policies that require a compliant device can be satisfied. Conditional Access combines the device compliance signal with other signals, such as user identity risk, to secure access to apps and resources through adaptive access policies.

With Endpoint Manager, IT administrators will be able to set Azure Active Directory Conditional Access policies targeted at Linux devices, in the same way they do for Windows, mobile, and Mac endpoints, so that only compliant Linux workstations can access corporate resources such as Microsoft 365 apps.

The integration between Microsoft Endpoint Manager, Azure Active Directory, and Microsoft Edge will enable secure access to Microsoft 365 web applications: Conditional Access verifies that the device is compliant before the user can reach corporate web applications.

Let's review the enrollment user experience. It relies on a Conditional Access configuration applied through Endpoint Manager to let Linux users securely access the Microsoft Teams web application in Microsoft Edge. If a user tries to open Microsoft Teams in Edge without first enrolling and securing the device, they cannot sign in.

Microsoft Endpoint Manager supported Linux endpoints required to access Microsoft 365 apps through the Edge browser

Rather than simply being blocked, the user is guided through downloading Microsoft Intune for Linux. Enrollment lets the organization apply the configuration that supports user productivity, such as access to specific company applications, and it automatically registers the device and its user with Azure Active Directory so that risk- and app-based Conditional Access policies can be tied to that Linux endpoint.

Automatic enrollment registers users in Azure Active Directory for Conditional Access

The final stage of enrollment is the compliance evaluation, which verifies that the device's distribution and other attributes meet company policies. Once any compliance issues have been resolved, the user has full access to the relevant corporate resources.

Linux device enrollment in Microsoft Intune completed

Preview in early 2022

We plan to roll out a preview of custom compliance for Windows in the November release of Endpoint Manager, and the ability to manage Linux workstations, including Conditional Access, early in 2022. We hope customers will be quick to try these features and give us feedback. When we roll out each of these capabilities for general availability, we intend to offer them as an advanced endpoint management add-on at a price above the existing licensing options that include Microsoft Endpoint Manager or Microsoft Intune. More information will follow when we finalize our pricing plans. (Update April 6, 2022: when we launch custom compliance for Windows, we no longer plan to offer it as an add-on to Endpoint Manager; it will be included in the Microsoft 365 and EMS E3/E5 license plans for Microsoft Intune.)

This week, please join us to learn more about Endpoint Manager at Microsoft Ignite 2021. We are also offering an on-demand technical session to help you learn more about Linux management in Endpoint Manager.

You can also let us know about your Endpoint Manager experience through comments on this blog post or reach out to @IntuneSuppTeam on Twitter. Tweet your feedback about Microsoft Endpoint using the hashtag #MEMpowered. If you’re interested in ongoing developments on Endpoint Manager, we invite you to follow the Microsoft Endpoint Manager Blog and @MSIntune on Twitter.

21 Comments
Copper Contributor

Linux on desktop support? What about ChromeOS? The penetration of ChromeOS devices is much larger

Copper Contributor

Impressive, nice!

Brass Contributor

I feel sad that you won't offer a way to check compliance every hour, for example, and just rely on the classical Intune timers (probably every 8 hours), unlike what is possible to do with SCCM... or Jamf Pro for Macs.

Iron Contributor

>enable Linux users to securely access the Microsoft Teams web application using Microsoft Edge

 

So does that _only_ secure access to Teams via MS Edge? Which is to say that other browsers would not be secured? Or that the security lies in Teams, not Edge? In other words: what happens when someone on Linux uses Chrome/Firefox/bespoke browser of their choosing?

Brass Contributor

@bdam55: this was probably a simple example for illustration purposes. As you can see in the screenshot, there is a .deb file on the desktop, which is most likely the Company Portal app, acting as an identity broker and token manager, just like it does on Apple Macs. And a second part not shown here: the Edge for Linux browser talking to the broker (to fetch the AAD DeviceID, for example) and sending it during the MS authentication phase.

 

As for the browser things: while Edge for Linux is most likely released with an MS plugin that can interact with Company Portal, I don't know how this will be handled in Chrome and Firefox on Linux. Firefox 91 added some code to SSO with your Work or School Account on Windows OS, so I guess someone at Mozilla will have to port that feature to Linux as well (maybe it will even work out of the box, who knows...).

Brass Contributor

that's great!

Copper Contributor

This is absolutely stunning and I can't wait to try it out!
However, MSFT Edge is mandatory for intune to work?
I have nothing against MSFT Edge on Linux, it's great, but many Linux users prefer FF or Chrome...

Brass Contributor

@torvalds86 "mandatory for intune to work?" lacks a bit of precision. It is not Intune which requires this. If you need to auth to some MS web services (example: MS Teams), secured by your own conditional access policies applied to your Intune-enrolled devices, then you must use a browser that is smart enough to talk to a local identity broker.

Copper Contributor

@ON , I think you missed my point...
Of course, I need to use a web browser...
The question was, can I use any browser or explicitly Edge for Linux...

Brass Contributor

It's early 2022. How can we get my corp on a preview of this, please?

Copper Contributor

So February is almost over - when can we expect the preview? My enterprise is really demanding this for more than 2k Linux desktops.

Copper Contributor

When will this feature be released? It's Early 2022... 

Copper Contributor

I'm looking forward to trying this as well.  When does Early 2022 end?

🦗🦗🦗

Iron Contributor

Early 2022 means in MS Intune support language, "maybe in Summer 2024". Sorry but that is my experience. (still waiting for KFM OneDrive for macOS)

Iron Contributor

Piling on the ETA question... "early 2022" has certainly passed.  May we have an update that we can share with customers for when Custom Compliance should be available?

Copper Contributor

Looking forward to seeing the list of supported Linux versions 

Copper Contributor

When and for which Linuxoids will this feature finally come? We have been waiting since 2021 and are in limbo on this topic now.

Copper Contributor

What I heard from other businesses is that there is a closed beta running for selected customers currently, and Canonical also seems closely aligned to what happens at Microsoft.

Seems to me like there will be a GA release soon, and I hope Ubuntu will be supported from the first day on.

Copper Contributor

https://docs.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility

So the Intune for Linux support is bound to Edge for Linux, and FIDO2 support is bound to Chrome for Linux.

 

Should we choose which security feature we select, or is FIDO2 support also coming to Edge?

Copper Contributor

Any update on this? Would be great to have, but it's way past early 2022 and there are no updates on inclusion in Endpoint Manager.

 

Thanks!

Brass Contributor

My opinion:

- the MacOS Intune capabilities can be considered as a beta version, compared to Windows platform.

- the Linux Intune capabilities in the current closed beta, can be considered as a pre-alpha version, compared to...MacOS platform.

 

I think you should not dream about a realistic viable Linux MDM, before at least 6 months/1 year.

Version history: last updated Apr 06 2022 01:32 PM