massigori/ubuntu-intune-custom-compliance

Intune custom compliance demo

Microsoft has recently released Intune for Linux with Ubuntu as the first target platform. Intune is a mobile device management (MDM) product that monitors endpoint compliance status and uses this information to make access decisions for resources protected by Azure Active Directory.

Intune for Linux has a predefined set of policies, but also allows the use of custom compliance scripts to extend its capabilities. Refer to the Microsoft documentation for additional information on the functionality.

Description

The scope of this work is to create a custom compliance script that checks:

  • Running processes - this is useful to check that your endpoint protection solution (e.g. Microsoft Defender) is running
  • Ubuntu Pro service status - Ubuntu Pro is Canonical's comprehensive subscription for open source software security. To achieve and maintain an appropriate security posture, it is important that the following services are enabled:
    • Esm-apps - extended security support for 23,000+ packages in the Ubuntu Universe repository for 10 years
    • Esm-infra - extended security support for the 2,300 packages in the Ubuntu Main repository for 10 years
    • Livepatch - automatically patches the Linux kernel while the system runs, applying the fixes without the need for a system reboot

The scripts are based on the samples provided by Microsoft and extended to add support for Ubuntu Pro service status verification. Ubuntu Pro is available for free for personal use for up to 5 machines (or 50 if you are an Ubuntu community member).
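A discovery script covering the checks listed above, added here as an example; it is not the repository's complianceScript.sh. It assumes that `pro status` prints a table with a STATUS column, that the JSON key names (hypothetical) match the setting names in the policy file, and that `wdavdaemon` is the process to look for.

```shell
#!/bin/sh
# Added example; not the repository's complianceScript.sh.
# Assumptions: `pro status` prints a table whose header row names a STATUS
# column, and the JSON key names below are hypothetical (they must match
# the setting names used in the compliance policy JSON).

# Constructed sample of `pro status` output on an attached machine.
SAMPLE_STATUS='SERVICE          ENTITLED  STATUS    DESCRIPTION
esm-apps         yes       enabled   Expanded Security Maintenance for Applications
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
livepatch        yes       disabled  Canonical Livepatch service'

# Print "true" if a process with exactly this name is running, else "false".
process_running() {
    if pgrep -x "$1" >/dev/null 2>&1; then echo true; else echo false; fi
}

# Read `pro status` text on stdin and print the STATUS value for service $1.
# Prints "unknown" when the service is not listed or the table has no STATUS
# column, so a policy that requires "enabled" fails on missing data.
service_status() {
    awk -v svc="$1" '
        $1 == "SERVICE" { for (i = 1; i <= NF; i++) if ($i == "STATUS") col = i; next }
        $1 == svc && col { print $col; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Emit the single-line JSON object that Intune compares with the policy.
# $1 = `pro status` text, $2 = process name to look for.
build_report() {
    printf '{"ProcessRunning": %s, "EsmApps": "%s", "EsmInfra": "%s", "Livepatch": "%s"}\n' \
        "$(process_running "$2")" \
        "$(printf '%s\n' "$1" | service_status esm-apps)" \
        "$(printf '%s\n' "$1" | service_status esm-infra)" \
        "$(printf '%s\n' "$1" | service_status livepatch)"
}

# wdavdaemon is assumed here as the Defender daemon name; pass another as $1.
build_report "$(pro status 2>/dev/null || true)" "${1:-wdavdaemon}"
```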

Usage

The repository includes the following examples:

  • complianceScript.sh - which is going to be used by the Intune client to perform the checks
  • compliancePolicy.json - the policy definition file that tells Intune what to expect from the aforementioned script and how to determine if the device is compliant or not

The scripts are code samples I used to create a technical demo and are by no means intended for production use.

Please refer to the Microsoft documentation for detailed instructions on how to configure the files in the Intune console and deploy/configure Intune on an Ubuntu Desktop.

Disclaimer

Understand the potential implications of the scripts before applying them to your target environment. Please consider testing the solution in a non-production tenant/endpoint.

About

Sample Intune custom compliance scripts for Ubuntu Desktop
