Managing Linux Devices with Microsoft Intune: A Complete Guide

As organizations adopt diverse operating systems in their modern workplaces, Linux has become a critical component of many IT environments, especially for developers, engineers, and cloud professionals. While Microsoft Intune has long been the go-to solution for managing Windows, macOS, iOS, and Android devices, its capabilities also extend to Linux, enabling unified endpoint management across platforms.

In this blog post, we’ll explore how to enroll Linux devices in Microsoft Intune, configure compliance policies, and ensure security without sacrificing flexibility. Whether you’re an IT admin looking to streamline management or a security professional aiming to enforce standards, this article will walk you through everything you need to know to successfully manage Linux endpoints with Microsoft Intune.

Before we can start enrolling Linux devices in Microsoft Intune, we must meet certain requirements.

Requirements

So what do we need before getting started?

  • An active Microsoft 365 subscription with Microsoft Intune active
  • A supported Linux operating system, such as Ubuntu Desktop 22.04 LTS or 24.04 LTS, or Red Hat Enterprise Linux 8 or 9
  • The operating system needs to have a GNOME graphical desktop environment

Microsoft Intune – Configuration

Endpoint Security – Conditional Access

With a Conditional Access policy, we will ensure that end users cannot use Microsoft 365 services if their device isn’t compliant. This ensures that only compliant devices have access to corporate data.

Go to Microsoft Entra admin center | Entra ID | Conditional Access | Policies and choose Create new policy. Use the following settings:

  • Name: LNX – Block Access on non-compliant devices
  • Assignments | Users or agents: Include: All users
  • Assignments | Target Resources: Include: All resources | Exclude: Microsoft Intune
  • Assignments | Conditions: Device platforms | Linux
  • Access controls | Grant: Grant Access | Require device to be marked as compliant
  • Enable Policy: On

Choose Create. Your Conditional Access policy is now active.

IMPORTANT: I’ve noticed that I needed to exclude the Microsoft Intune resource in the Conditional Access policy, because I was getting the following error during enrollment of my Linux device.

By enabling this Conditional Access policy, users will be asked to secure their device when logging in from a Linux device. This will initiate the enrollment setup, as described in the next section of this blog post.

Microsoft Entra ID – Dynamic Device Group

First, we need a dynamic group for assigning our compliance policy to our Linux device.
Go to the Microsoft Entra admin center | Groups, then choose New group. Create a group with the following settings and choose Create.

  • Group type: Security
  • Group Name: LNX – DVC – All Linux Devices
  • Group Description: All Linux devices
  • Microsoft Entra roles can be assigned to the group: No
  • Membership type: Dynamic Device
  • Dynamic membership rule: (device.deviceOSType -eq "Linux")

This dynamic device group will be used for our policy assignment.

Microsoft Intune – Compliance policy

The first thing we are going to create is a compliance policy for our Linux devices. In this policy, we will set a number of requirements that our device must comply with, such as disk encryption, passwords, and a minimum OS version.

Go to Microsoft Intune admin center | Devices | Linux | Compliance and choose Create policy.

As the Profile type, choose Settings catalog and then choose Create.

Give your policy a name and description, and choose Next.

  • Name: LNX – Baseline – General
  • Description: A general compliance policy for Linux devices

In the Compliance settings screen, I chose the settings (OS version, disk encryption, …) shown below. Add those settings and then choose Next.

We will leave the Actions for noncompliance as they are and choose Next.

Now, let’s assign our newly created Dynamic Device group to our policy and choose Next.

If everything is reviewed, choose Create.

Our policy is created and ready to go!

Prepare your Linux device

For this post, I have set up a virtual machine with Ubuntu 24.04.3 LTS installed. We will use this for our enrolment in Microsoft Intune.

IMPORTANT: Make sure you have already enabled disk encryption during your Linux installation. Because of the compliance requirement, it’s recommended and easier to enable it during installation.
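
A pre-flight check for the requirements listed in this post (supported release, GNOME session, encrypted root filesystem), added here as an example and not taken from the original post or from Microsoft. The function names are hypothetical, it inspects only the root filesystem, and it approximates rather than reproduces the compliance evaluation Intune performs.

```sh
#!/bin/sh
# Added example: local pre-enrollment checks for the requirements in this post.
# An approximation for troubleshooting; Intune performs its own evaluation.

# os_supported: os-release text on stdin -> 0 for Ubuntu 22.04/24.04, RHEL 8/9.
os_supported() {
  id='' ver=''
  while IFS='=' read -r key val; do
    val=${val#\"}; val=${val%\"}              # values may be double-quoted
    case $key in ID) id=$val ;; VERSION_ID) ver=$val ;; esac
  done
  case "$id:$ver" in
    ubuntu:22.04|ubuntu:24.04|rhel:8|rhel:8.*|rhel:9|rhel:9.*) return 0 ;;
    *) return 1 ;;
  esac
}

# gnome_desktop: XDG_CURRENT_DESKTOP value as $1 (e.g. "ubuntu:GNOME").
gnome_desktop() {
  case ":${1:-}:" in *:GNOME:*) return 0 ;; *) return 1 ;; esac
}

# on_dm_crypt: `lsblk -P -s -o NAME,TYPE <device>` output on stdin -> 0 when
# the device or one of its parents is a dm-crypt (LUKS) mapping.
on_dm_crypt() {
  while IFS= read -r row; do
    case $row in *'TYPE="crypt"'*) return 0 ;; esac
  done
  return 1
}

# preflight: run all three checks against the live system.
preflight() {
  rc=0
  os_supported < /etc/os-release || { echo "FAIL: unsupported distribution/release"; rc=1; }
  gnome_desktop "${XDG_CURRENT_DESKTOP:-}" || { echo "FAIL: no GNOME session detected"; rc=1; }
  root_dev=$(findmnt -n -v -o SOURCE /) || root_dev=''
  lsblk -P -s -o NAME,TYPE "$root_dev" 2>/dev/null | on_dm_crypt \
    || { echo "FAIL: root filesystem is not on dm-crypt"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: ready to install the Intune app"
  return "$rc"
}

# Run from a terminal inside the desktop session: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it from a terminal inside the graphical session, because XDG_CURRENT_DESKTOP is usually unset under sudo or SSH.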

App installation

To deploy a Linux device with Microsoft Intune, we first need to install the required applications on the device, namely:

  • Microsoft Edge browser (version 102.x or newer): Used to access organizational resources and initiate the enrollment process. Must be installed before starting enrollment.
  • Microsoft Intune App for Linux: This app registers the device with Intune and manages compliance. Installation requires administrator privileges and a reboot.

Microsoft Edge Browser

To install the Microsoft Edge browser, open a terminal and enter the following commands:

Install curl

sudo apt update
sudo apt install curl -y

Import the Microsoft package signing key

curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo install -o root -g root -m 644 microsoft.gpg /etc/apt/trusted.gpg.d/

Add the Microsoft Edge Repository to the repository list.

sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/edge stable main" > /etc/apt/sources.list.d/microsoft-edge-stable.list'
sudo rm microsoft.gpg

Update your package list and install Microsoft Edge:

sudo apt update
sudo apt install microsoft-edge-stable

Verify that Microsoft Edge is installed. Open Show apps in the bottom left corner and search for Microsoft Edge.

Once Microsoft Edge has been installed, all we need to do is install the Microsoft Intune app for Linux.

Microsoft Intune app for Linux

Install the Microsoft package signing key.

curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/
rm microsoft.gpg

Add and update the Microsoft Linux Repository to the system repository list.

sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/$(lsb_release -rs)/prod $(lsb_release -cs) main" >> /etc/apt/sources.list.d/microsoft-ubuntu-$(lsb_release -cs)-prod.list'
sudo apt update

Install the Microsoft Intune app

sudo apt install intune-portal

Now restart your device and verify that the Microsoft Intune app is installed.
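
The Edge repository above is added without a signed-by option and its key is placed in /etc/apt/trusted.gpg.d/, where apt accepts it for every configured repository, while the Intune repository is pinned to /usr/share/keyrings/microsoft.gpg. The script below is an added example, not part of the original post: it audits one-line .list entries for that difference, using hypothetical function names and a constructed sample (24.04 and noble are what the lsb_release substitutions produce on Ubuntu 24.04).

```sh
#!/bin/sh
# Added example: report which apt repositories are pinned to a keyring.
# Handles the one-line format used in .list files; deb822 .sources files
# are not parsed.

# audit_sources: one-line apt entries on stdin -> one line per active entry:
#   "PINNED <uri> <keyring>"  or  "UNPINNED <uri>"
audit_sources() (
  set -f                                      # no globbing when splitting "[arch=amd64]"
  while IFS= read -r line; do
    line=${line%%#*}                          # strip comments
    set -- $line                              # split the entry on whitespace
    case ${1:-} in deb|deb-src) shift ;; *) continue ;; esac
    keyring=''
    case ${1:-} in
      \[*)                                    # option block, e.g. [arch=amd64 signed-by=...]
        while [ $# -gt 0 ]; do
          opt=${1#\[}; opt=${opt%\]}
          case $opt in signed-by=*) keyring=${opt#signed-by=} ;; esac
          case $1 in *\]) shift; break ;; esac
          shift
        done ;;
    esac
    [ $# -gt 0 ] || continue                  # no URI left: malformed entry
    if [ -n "$keyring" ]; then
      echo "PINNED $1 $keyring"
    else
      echo "UNPINNED $1"
    fi
  done
)

# Constructed sample mirroring the two repository lines created in this post.
sample_sources() {
  cat <<'EOF'
deb [arch=amd64] https://packages.microsoft.com/repos/edge stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/24.04/prod noble main
# deb http://example.invalid/disabled stable main
EOF
}

sample_sources | audit_sources
```

On an enrolled device, pipe `cat /etc/apt/sources.list.d/*.list` into `audit_sources` instead of the sample.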

Enrollment

The last part is to enroll our Linux device in Microsoft Intune. Open the Microsoft Intune app and choose Sign in, and sign in with your end-user credentials.

After signing in, you’ll get a screen that says, Help us keep your device secure. Choose Register to get started. You’ll be redirected to the Microsoft Intune app, and on the Set up access screen, choose Begin.

Read the What can my organization see or do when I enroll my device screen and choose Begin. Your device will start registering, and once the device is registered, you are ready to go.

Your device is now enrolled in Microsoft Intune, but what are the benefits of this? Once your Linux device has been rolled out in Microsoft Intune, you will only be able to access data via the managed browser, in this case, Microsoft Edge. If you try to log in with Firefox, for example, you will see the message below.

So as long as your device meets the requirements, you’ll have access to your organization’s data on your Linux device.

Microsoft Intune – Result

Once the device has been rolled out, you will see that the Linux device is active under devices in the Microsoft Intune admin center.

Conclusion

Having control over your business data on non-Windows devices is very important. By enrolling Linux devices, we also gain control of our data on that type of operating system. The management of Linux devices is quite limited in Microsoft Intune. In addition to compliance policies, you can only deploy (Bash) scripts to your Linux devices.

Nicky De Westelinck

Nicky De Westelinck is a Modern Workplace Consultant at Wortell with several years of experience in Microsoft 365. His main focus is Microsoft Intune and Microsoft 365 Administration. He has also been a Microsoft Certified Trainer since 2021.
