This is how I managed to enroll my Fedora 37 machine in Intune when my work laptop died, with partial success (Edge crashes when syncing my work profile at this point, so I’m guessing some things are missing).
Note: This is completely unsupported, and you’re likely to get into trouble if you don’t know what you are doing, don’t have permission to mess with your managed machines, or don’t follow your organisation’s security policies. All my work machines use full disk encryption and biometrics or physical tokens, so I didn’t break any rules. Your mileage may vary.
The starting point was this gist, which is old but had enough hints to get me started:
Required Packages
I started by getting the following Ubuntu packages from here:
# ls -1 *.deb
intune-portal_1.2302.11_amd64.deb
microsoft-identity-broker_1.4.1_amd64.deb
msalsdk-dbusclient_1.0.1_amd64.deb
I then installed a few additional Fedora packages:
sudo dnf install alien sdbus-cpp java-11-openjdk libpam-pwquality
You then need to convert the .debs to .rpms with sudo alien --scripts -r and install them with sudo rpm -ivh. Some require --force because of file path conflicts (have a look at what each package carries with rpm -qpl before overriding anything), and the resulting files will mostly go into /opt/microsoft/identity-broker and /opt/microsoft/intune.
Patching Java
Set java to use OpenJDK 11, and add a link that the identity-broker seems to require on Fedora:
sudo alternatives --config java
cd /usr/lib/jvm
sudo ln -s java-11-openjdk-11.0.18.0.10-1.fc37.x86_64 java-11-openjdk-amd64
Unlike the gist above, I did not need to patch CLASSPATH in microsoft-identity-device-broker or add any weird funky .jar files (which would be a security risk: anything on that classpath runs with the same access as the broker itself).
Password Policy Compliance
To comply with the password policies, the following article had a decent summary of how it’s done in Ubuntu:
In the end, creating this file made the device “compliant”, even though Fedora does not actually use it (I do have PAM enabled for other reasons, but Fedora’s password stack lives in /etc/pam.d/system-auth and /etc/pam.d/password-auth under authselect, and /etc/pam.d/common-password is the Debian/Ubuntu layout that the broker evidently looks for). If you want the same rules enforced locally rather than just reported, set them in /etc/security/pwquality.conf, which pam_pwquality reads on Fedora:
# cat /etc/pam.d/common-password
password requisite pam_pwquality.so retry=3 minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root
Restarting the identity device broker and hitting Refresh in Intune then updated the password policy check on the server side:
sudo systemctl restart microsoft-identity-device-broker
Unsupported Operating System
This was the coup de grâce, and was essentially a matter of hardcoding os.version in the java command line (a -D on the command line overrides the value the JVM derives from uname, so System.getProperty("os.version") returns “Ubuntu” instead of the kernel release). Bear in mind that this edits a file owned by the package, so reinstalling or upgrading it will silently undo the change:
# cat /opt/microsoft/identity-broker/bin/microsoft-identity-device-broker | grep os.version
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS -Dos.version=Ubuntu $MICROSOFT_IDENTITY_DEVICE_BROKER_OPTS -classpath "\"$CLASSPATH\"" com.microsoft.identity.broker.service.DeviceBrokerService "$APP_ARGS"
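The steps above collected into one script, as an added example that is not part of the original post or of Microsoft's packages. Paths, package names and the PAM line are the ones used above; the assumptions are that the .debs sit in DEB_DIR, that the launcher is a Gradle-style start script whose eval line reads `... $DEFAULT_JVM_OPTS $JAVA_OPTS $MICROSOFT_IDENTITY_DEVICE_BROKER_OPTS ...` (the grep output above shows that ordering), and that `alternatives --set` is acceptable as the non-interactive form of `alternatives --config java`. The os.version patch is idempotent and fails loudly if the launcher line is not where it expects it, so re-running the script after a package upgrade is safe.

```shell
#!/bin/sh
# Added example (not from the original post): the Fedora-side steps of the
# walkthrough collected into one idempotent script. Paths, package names and
# the PAM line come from the post. Assumptions: the broker launcher is a
# Gradle-style start script whose eval line contains
#   $DEFAULT_JVM_OPTS $JAVA_OPTS $MICROSOFT_IDENTITY_DEVICE_BROKER_OPTS
# and the downloaded .debs sit in DEB_DIR.
set -u

DEB_DIR="${DEB_DIR:-.}"
JVM_DIR="${JVM_DIR:-/usr/lib/jvm}"
PAM_FILE="${PAM_FILE:-/etc/pam.d/common-password}"
BROKER_BIN="${BROKER_BIN:-/opt/microsoft/identity-broker/bin/microsoft-identity-device-broker}"

# Write stdin to $1, going through sudo only when we cannot write it ourselves.
write_file() {
    if { [ -e "$1" ] && [ -w "$1" ]; } || { [ ! -e "$1" ] && [ -w "$(dirname "$1")" ]; }; then
        cat > "$1"
    else
        sudo tee "$1" > /dev/null
    fi
}

# Step 1: convert the Ubuntu .debs with alien and install the resulting .rpms.
# Each package's file list is printed first, and --force is only used for a
# package that fails without it, so you see exactly which conflicts it overrides.
convert_and_install_debs() (
    cd "$1" || return 1
    for deb in *.deb; do
        [ -e "$deb" ] || { echo "no .deb files in $1" >&2; return 1; }
        sudo alien --scripts -r "$deb"
    done
    for pkg in *.rpm; do
        echo "== $pkg:"; rpm -qpl "$pkg"
        sudo rpm -ivh "$pkg" || sudo rpm -ivh --force "$pkg"
    done
)

# Step 2: select OpenJDK 11 (non-interactive form of 'alternatives --config java')
# and add the java-11-openjdk-amd64 link the broker looks for.
link_openjdk11() {
    for d in "$1"/java-11-openjdk-11*; do
        [ -d "$d" ] || continue
        sudo alternatives --set java "$d/bin/java"
        [ -e "$1/java-11-openjdk-amd64" ] || sudo ln -s "$d" "$1/java-11-openjdk-amd64"
        return 0
    done
    echo "no java-11-openjdk install under $1" >&2; return 1
}

# Step 3: the pwquality line the broker's compliance check reads.
write_pam_policy() {
    printf '%s\n' 'password requisite pam_pwquality.so retry=3 minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root' | write_file "$1"
}

# Step 4: hardcode os.version in the launcher's java command line.
broker_reports_ubuntu() {   # true if the launcher already passes -Dos.version=Ubuntu
    grep -q 'DeviceBrokerService' "$1" && grep -q -- '-Dos.version=Ubuntu' "$1"
}

patch_os_version() {
    broker_reports_ubuntu "$1" && return 0          # already patched, nothing to do
    scratch=$(mktemp)
    sed 's/\$JAVA_OPTS \$MICROSOFT_IDENTITY_DEVICE_BROKER_OPTS/$JAVA_OPTS -Dos.version=Ubuntu $MICROSOFT_IDENTITY_DEVICE_BROKER_OPTS/' "$1" > "$scratch"
    if ! grep -q -- '-Dos.version=Ubuntu' "$scratch"; then
        echo "launcher line not found in $1; patch it by hand" >&2; rm -f "$scratch"; return 1
    fi
    write_file "$1" < "$scratch"; rm -f "$scratch"   # overwriting in place keeps the mode bits
}

main() {
    convert_and_install_debs "$DEB_DIR"
    link_openjdk11 "$JVM_DIR"
    write_pam_policy "$PAM_FILE"
    patch_os_version "$BROKER_BIN"
    sudo systemctl restart microsoft-identity-device-broker
    echo "now open intune-portal and hit Refresh on the device"
}

# Only run the whole procedure when asked to, so the functions can be sourced
# or tried one at a time:  sh enroll-fedora.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh enroll-fedora.sh run` from the directory holding the three .debs; without the `run` argument it only defines the functions, which is handy for sourcing it and re-running just `patch_os_version` after a package upgrade has replaced the launcher.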