WIP: Linux Intune policy application #365

Open
wants to merge 3 commits into
base: main

dmulder
Collaborator

@dmulder dmulder commented Feb 12, 2025

Fixes #60

Summary of Changes

Himmelblau now fetches and applies Linux Intune policies when they are configured in Microsoft's Intune portal. This update introduces two new policy implementations for Linux devices:

  • Script Policy: Scripts from Intune are decoded, written to disk, and scheduled to run via cron.

  • Linux Compliance Policy: Validates system configuration against policy settings such as allowed Linux distributions, required device encryption, and password policy minimum length (which applies to the Hello PIN length).

Important Notes:

  • While Himmelblau will enforce these Intune policies on Linux devices, the compliance flag cannot yet be set in the Entra Admin portal for the device object.
  • Explicit policy assignment by device is not available at this time; however, policies can be assigned by user, group, or to all devices.
  • When Intune policy application is enabled, devices which fail to comply with Intune policy will be prohibited from authenticating users.

Current Limitations:

  • The following compliance policies are not yet implemented. Enforcing these policies will cause authentication to fail:
    • Password policies (note that Minimum Length is implemented):
      • Minimum digits
      • Minimum Lowercase
      • Minimum Uppercase
      • Minimum Symbols
    • Custom Compliance
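
The fail-closed behaviour described in this pull request, shown as an added example that is not code from the PR or from Himmelblau: a device may authenticate only when every assigned compliance setting passes, and a setting with no implemented check counts as a failure. All type names, field names and sample values are hypothetical.

```rust
// Added illustration: hypothetical types and names, not Himmelblau's own code.
#[derive(Debug, PartialEq)]
enum Verdict { Compliant, NonCompliant(Vec<String>) }

enum Setting {
    AllowedDistros(Vec<String>),
    RequireEncryption(bool),
    MinPasswordLength(u32), // compared against the Hello PIN minimum length
    Unimplemented(String),  // e.g. "Minimum digits", "Custom Compliance"
}

// Constructed device facts; a real agent would collect these from the host.
struct DeviceState { distro: String, encrypted: bool, hello_pin_min_len: u32 }

fn evaluate(policy: &[Setting], dev: &DeviceState) -> Verdict {
    let mut failures = Vec::new();
    for setting in policy {
        match setting {
            Setting::AllowedDistros(allowed) => {
                if !allowed.iter().any(|d| d.eq_ignore_ascii_case(&dev.distro)) {
                    failures.push(format!("distribution '{}' is not allowed", dev.distro));
                }
            }
            Setting::RequireEncryption(required) => {
                if *required && !dev.encrypted {
                    failures.push("device encryption is required".to_string());
                }
            }
            Setting::MinPasswordLength(min) => {
                if dev.hello_pin_min_len < *min {
                    failures.push(format!("Hello PIN minimum length is below {}", min));
                }
            }
            // Fail closed: a setting with no check cannot be shown to pass.
            Setting::Unimplemented(name) => failures.push(format!("setting '{}' is not implemented", name)),
        }
    }
    if failures.is_empty() { Verdict::Compliant } else { Verdict::NonCompliant(failures) }
}

fn may_authenticate(policy: &[Setting], dev: &DeviceState) -> bool {
    evaluate(policy, dev) == Verdict::Compliant
}

fn main() {
    let dev = DeviceState { distro: "Ubuntu".into(), encrypted: true, hello_pin_min_len: 6 };
    let policy = [Setting::MinPasswordLength(6), Setting::Unimplemented("Minimum digits".into())];
    println!("{:?} -> authenticate: {}", evaluate(&policy, &dev), may_authenticate(&policy, &dev));
}
```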

@dmulder dmulder changed the title Intune policy application WIP: Intune policy application Feb 12, 2025
@dmulder dmulder force-pushed the dmulder/intune-policies branch 2 times, most recently from 9e4afd4 to f051932 Compare February 12, 2025 21:11
@dmulder dmulder changed the title WIP: Intune policy application WIP: Linux Intune policy application Feb 12, 2025
@dmulder dmulder force-pushed the dmulder/intune-policies branch 2 times, most recently from d5520e9 to 80726d2 Compare February 13, 2025 20:19
This is technically applying `Windows` Chrome/
Chromium policy. Disabling until MS provides
admx policy for Linux.

Signed-off-by: David Mulder <[email protected]>
@dmulder dmulder force-pushed the dmulder/intune-policies branch from 80726d2 to ec19a7d Compare February 18, 2025 22:54
@dmulder
Collaborator Author

dmulder commented Feb 19, 2025

These patches are being held until version 1.0 and will not ship in version 0.9.

Successfully merging this pull request may close these issues.

Intune Policy application