This is how I managed to enroll my Fedora 37 machine in Intune when my work laptop died, with partial success (Edge crashes when syncing my work profile at this point, so I’m guessing some things are missing).
Note: This is completely unsupported, and you’re likely to get into trouble if you don’t know what you are doing/don’t have permission to mess with your managed machines/don’t follow the security policies. All my work machines use full disk encryption, biometrics or physical tokens, so I didn’t break any rules. Your mileage may vary.
The starting point was this gist, which is old but had enough hints to get me started:
I started by getting the following Ubuntu packages from here:
# ls -1 *.deb
intune-portal_1.2302.11_amd64.deb
microsoft-identity-broker_1.4.1_amd64.deb
msalsdk-dbusclient_1.0.1_amd64.deb
I then installed a few additional Fedora packages:
sudo dnf install alien sdbus-cpp java-11-openjdk libpam-pwquality
You then need to convert the .deb packages with sudo alien --scripts -r and install them with sudo rpm -ivh. You will need --force due to pathnames, and the resulting files will mostly go into /opt. Next, set the default java to OpenJDK 11, and add a link that the identity broker seems to require on Fedora:
sudo alternatives --config java
cd /usr/lib/jvm
sudo ln -s java-11-openjdk-126.96.36.199.10-1.fc37.x86_64 java-11-openjdk-amd64
Unlike the gist above, I did not need to patch microsoft-identity-device-broker or add any weird funky .jar files (that might be a security compromise).
Password Policy Compliance
To comply with the password policies, the following article had a decent summary of how it’s done in Ubuntu:
In the end, creating this file (which does not actually seem to be used by Fedora, although I do have PAM enabled for other reasons) made the device “compliant”:
# cat /etc/pam.d/common-password
password requisite pam_pwquality.so retry=3 minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root
Restarting the identity device broker and hitting Refresh in Intune then updated the password policy check on the server side:
sudo systemctl restart microsoft-identity-device-broker
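As an added example that is not part of the post, here is a POSIX sh checker for the pam_pwquality line above, so you can confirm a box still carries the thresholds the post used (minlen 12, every character class required, maxrepeat 3) before hitting Refresh in Intune; the function names and the weak sample line are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: checks that a pam_pwquality
# line carries the settings the post used to satisfy the Intune password
# policy. Function names are my own; thresholds come from the post's PAM line.

# Print the value of option $2 ("key=value") from pam line $1, or nothing.
pwq_opt() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Return 0 if the pam line meets the policy, 1 otherwise (one line per failure).
check_pwquality_line() {
    line=$1
    rc=0
    case "$line" in
        *pam_pwquality.so*) ;;
        *) echo "pam_pwquality.so is not referenced"; return 1 ;;
    esac
    minlen=$(pwq_opt "$line" minlen)
    if [ -z "$minlen" ] || [ "$minlen" -lt 12 ]; then
        echo "minlen=${minlen:-unset} (need >= 12)"; rc=1
    fi
    # A negative credit means "at least that many of this class are required".
    for c in ucredit lcredit dcredit ocredit; do
        v=$(pwq_opt "$line" "$c")
        if [ -z "$v" ] || [ "$v" -gt -1 ]; then
            echo "$c=${v:-unset} (need <= -1)"; rc=1
        fi
    done
    maxrepeat=$(pwq_opt "$line" maxrepeat)
    if [ -z "$maxrepeat" ] || [ "$maxrepeat" -gt 3 ]; then
        echo "maxrepeat=${maxrepeat:-unset} (need <= 3)"; rc=1
    fi
    return $rc
}

# Check the first pam_pwquality line of a PAM file (default: the post's path).
check_pam_file() {
    f=${1:-/etc/pam.d/common-password}
    [ -r "$f" ] || { echo "$f is not readable"; return 1; }
    check_pwquality_line "$(grep pam_pwquality.so "$f" | head -n 1)"
}

# Constructed samples: the post's line and a weaker one that should fail.
GOOD='password requisite pam_pwquality.so retry=3 minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root'
WEAK='password requisite pam_pwquality.so retry=3 minlen=8 ucredit=0'
```

Run check_pam_file with no argument on the Fedora box to test the live file; a non-zero exit lists which settings fall short.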
Unsupported Operating System
This was the coup de grâce, and was essentially a matter of hardcoding os.version in the java command line:
# cat /opt/microsoft/identity-broker/bin/microsoft-identity-device-broker | grep os.version
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS -Dos.version=Ubuntu $MICROSOFT_IDENTITY_DEVICE_BROKER_OPTS -classpath "\"$CLASSPATH\"" com.microsoft.identity.broker.service.DeviceBrokerService "$APP_ARGS"