Massimiliano Gori
5 April 2023
Ubuntu compliance monitoring with Microsoft Intune
In recent years, data science, AI and software development have become a key focus area for organisations operating in every sector of the economy. This creates a pressing need to adopt Linux desktops in the enterprise, as research clearly shows a growing number of data scientists and developers prefer operating systems like Ubuntu. These needs, however, are often at odds with the familiar tools used by sysadmins, forcing many organisations to face a tradeoff between developer productivity and security.
We have been working hard to democratise Linux adoption since our first release in 2004; security and compliance are key parts of Canonical’s value proposition for Ubuntu Desktop. In April 2022, we released ADsys, an agent that brings feature parity between Ubuntu and Windows devices on Active Directory Domain Services. The general availability of Microsoft Intune for Ubuntu, announced in October 2022, is another major stepping stone that enables IT administrators to use the same familiar tools and processes they are currently using to manage their Windows endpoints to manage Ubuntu Desktops.
Intune for Linux brings device enrollment, compliance reporting and conditional access to Ubuntu 20.04 LTS and 22.04 LTS, and is a key component in enabling a zero trust security model for organisations that have shifted to a cloud-first IT administration model.
In the video below I provide an overview of Intune for Ubuntu, demonstrate how to enrol a device and how default and custom compliance policies can be used to restrict access to an Azure AD protected application.
What is Microsoft Intune?
Microsoft Intune is the most popular cloud-based unified endpoint management (UEM) solution in the enterprise, counting over 135 million managed devices as of 2021. While initially designed as a management solution for mobile devices, over the years Intune has evolved to become a comprehensive cross-platform tool to perform all sorts of management activities, from installed application lifecycle management to zero trust conditional access.
While the available features vary depending on the operating system, Intune offers a central place to manage and report on the compliance status of your Windows, Mac, Ubuntu, Android and iOS devices. Intune consists of a machine agent, which in the case of Ubuntu is delivered as a deb package, as well as a cloud console which is accessible from the Azure Admin Centre. Ubuntu devices and compliance policies can be found in a dedicated Linux section of the web UI.
Currently, Intune is offered as part of the Microsoft 365 enterprise subscription or as part of the Enterprise mobility + Security solutions. For further details, you can refer to the dedicated Microsoft Intune product page.
Custom compliance monitoring
As of April 2022, Intune includes a series of predefined compliance rules that can simply be enabled at the touch of a button for common properties like password complexity, OS version and disk encryption. All of these policies include user-friendly messages for the desktop clients, as well as links to help users understand what needs to be changed to become compliant. We are working with Microsoft to expand the set of default policies and further simplify the administrator experience.
It is important to note however that every organisation’s IT environment is different. Therefore, administrators need the tool to adapt to the unique requirements of their organisation. Intune for Linux supports custom compliance policies, meaning that the tool can be extended to report on all properties the OS is able to report on. In the demo video above we provide an example of using custom compliance to check running processes, or the status of the Livepatch, esm-apps and esm-infra security features of Ubuntu Pro.
You can find more information about compliance policies in the Microsoft documentation and custom compliance code samples in the dedicated GitHub repository. In the coming months, we will expand our documentation to include a comprehensive set of discovery scripts that enable you to report on a wide variety of properties, including device certificates and AppArmor profiles.
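To make the custom compliance flow concrete, here is an added example of a discovery script of the kind described above. It is not code from this post or from Canonical's samples repository: it is an illustration written for this article. It assumes that an Intune Linux discovery script prints one flat JSON object to stdout, that `pro status --format json` returns a "services" array whose entries carry "name" and "status" keys, and that the rules file uses the Intune custom-compliance JSON layout (Rules with SettingName, Operator, DataType, Operand and RemediationStrings); the setting names, the checked process (cron) and the sample Pro output are our own constructions.

```bash
#!/bin/bash
# Added example, not from the blog post or Canonical's intune-linux samples.
# Discovery script for an Intune custom compliance policy on Ubuntu: reports
# the Ubuntu Pro esm-infra / esm-apps / Livepatch status plus whether a
# required process is running, as the flat JSON object Intune expects.

# Constructed sample in the assumed shape of `pro status --format json`
# (used for the offline demonstration at the bottom; key order varies on purpose).
SAMPLE_PRO_JSON='{"services": [
  {"available": "yes", "entitled": "yes", "name": "esm-apps", "status": "enabled"},
  {"available": "yes", "entitled": "yes", "name": "esm-infra", "status": "enabled"},
  {"status": "disabled", "name": "livepatch", "available": "yes"}
]}'

# Print the "status" of one service from pro status JSON. Every innermost
# {...} object is inspected on its own, so key order inside it does not matter.
# Never fails: an absent service yields an empty string. $1 = JSON, $2 = name.
pro_service_status() {
  printf '%s' "$1" | tr -d '\n' | grep -o '{[^{}]*}' \
    | grep "\"name\": *\"$2\"" \
    | sed -n 's/.*"status": *"\([^"]*\)".*/\1/p' | head -n 1 || true
}

# Print "true" when a process whose executable name equals $1 exists.
# Reads /proc directly so the script does not depend on procps being installed.
process_running() {
  local comm
  for comm in /proc/[0-9]*/comm; do
    if [ "$(cat "$comm" 2>/dev/null)" = "$1" ]; then
      echo true
      return 0
    fi
  done
  echo false
}

# Build the discovery JSON. A service that is missing from the Pro output is
# reported as "unknown" rather than omitted, so the rule evaluates to
# non-compliant instead of erroring. $1 = pro status JSON, $2 = process name.
discovery_report() {
  local infra apps patch proc
  infra=$(pro_service_status "$1" esm-infra)
  apps=$(pro_service_status "$1" esm-apps)
  patch=$(pro_service_status "$1" livepatch)
  proc=$(process_running "$2")
  printf '{"esm_infra":"%s","esm_apps":"%s","livepatch":"%s","required_process_running":%s}\n' \
    "${infra:-unknown}" "${apps:-unknown}" "${patch:-unknown}" "$proc"
}

# The rules file uploaded to Intune next to the script (assumed format).
# SettingName must match a key emitted by discovery_report; RemediationStrings
# is the text the user sees on the desktop when the rule fails.
compliance_rules_json() {
  cat <<'EOF'
{
  "Rules": [
    {
      "SettingName": "esm_infra",
      "Operator": "IsEquals",
      "DataType": "String",
      "Operand": "enabled",
      "MoreInfoUrl": "https://ubuntu.com/pro",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Ubuntu Pro esm-infra is not enabled",
          "Description": "Attach the device to Ubuntu Pro and run 'sudo pro enable esm-infra'." }
      ]
    },
    {
      "SettingName": "required_process_running",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://ubuntu.com/pro",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "A required service is not running",
          "Description": "Start the required service or contact IT support." }
      ]
    }
  ]
}
EOF
}

# Entry point for a managed device: use the live Pro client when present,
# otherwise report every service as unknown.
run_discovery() {
  local pro_json='{"services": []}'
  if command -v pro >/dev/null 2>&1; then
    pro_json=$(pro status --format json 2>/dev/null || echo '{"services": []}')
  fi
  discovery_report "$pro_json" cron
}

# Offline demonstration on the constructed sample; on a device call run_discovery.
discovery_report "$SAMPLE_PRO_JSON" cron
```

Because the discovery output and the rules file share the setting names, each extra property you want to report (a running process, a certificate, an AppArmor profile) is one more key in `discovery_report` and one more rule object; the user-facing remediation text travels with the rule, so the desktop message stays accurate when the check changes.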
Conditional access for Ubuntu devices
All zero trust security frameworks, including NIST 800-207 and NCSC, agree that device identity and device posture are very important signals that must be considered not only at the point of authentication, but also during the lifetime of a session to determine its risk level.
The tight-knit integration between Intune, Azure AD and the Edge browser means that the information on device compliance can be used in real time to determine the risk level of a user session for Azure AD protected resources. Ubuntu support allows security teams to configure and enforce fine-grained, custom, enterprise application access policies that can be applied consistently across their entire end user computing landscape.
IT administrators and security teams relying on Microsoft security tools are now able to treat Ubuntu Desktops as first-class citizens in their infrastructure, as they no longer have to choose between stronger security and compliance on one side and developer productivity on the other.
If you have any questions about using Microsoft Intune for Ubuntu in your organisation, contact our team.