Intune in Fedora 37

This is how I managed to enroll my 37 machine in Intune when my work laptop died, with partial success ( crashes when syncing my work profile at this point, so I’m guessing some things are missing).

Note: This is completely unsupported, and you’re likely to get into trouble if you don’t know what you are doing/don’t have permission to mess with your managed machines/don’t follow the security policies. All my work machines use full disk encryption, biometrics or physical tokens, so I didn’t break any rules. Your mileage may vary.

The starting point was this gist, which is old but had enough hints to get me started:

Required Packages

I started by getting the following packages from here:

# ls -1 *.deb

I then installed a few additional packages:

sudo dnf install alien sdbus-cpp java-11-openjdk libpam-pwquality

You then need to convert the .rpms with sudo alien --scripts -r and install them with sudo rpm -ivh.

Some require --force due to pathnames, and the resulting files will mostly go into /opt/microsoft/identity-broker and /opt/microsoft/intune.

Patching Java

Set java to use OpenJDK 11, and add a link that the identity-broker seems to require on :

sudo alternatives --config java
cd /usr/lib/jvm
sudo ln -s java-11-openjdk- java-11-openjdk-amd64

Unlike the gist above, I did not need to patch CLASSPATH in microsoft-identity-device-broker or add any weird funky .jar files (that might be a security compromise).

Password Policy Compliance

To comply with the password policies, the following article had a decent summary of how it’s done in :

In the end, creating this file (which does not actually seem to be used by , although I do have PAM enabled for other reasons) made the device “compliant”:

# cat /etc/pam.d/common-password
password         requisite retry=3 minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root

Restarting the identity device broker and hitting Refresh in Intune then updated the password policy check on the server side:

sudo systemctl restart microsoft-identity-device-broker

Unupported Operating System

This was the coup de grace, and was essentially a matter of hardcoding os.version in the java command line:

# cat /opt/microsoft/identity-broker/bin/microsoft-identity-device-broker | grep os.version

This page is referenced in: