I've been tasked with managing Conditional Access Policies specifically for Linux devices, particularly Ubuntu. My understanding is that typically, you would create a policy that applies to all users, requiring them to use compliant devices. However, since Linux management is limited in Intune (especially without paying), I'm considering another approach.
I'm thinking of implementing:
1) A policy that blocks all users from signing in using Linux, except those in a specific group called Linux_CA_Allowed.
2) A policy that requires either a compliant device or multifactor authentication for users in the Linux_CA_Allowed group.
Is this a good strategy? What's the best way to manage this?
3 Answers
Don’t forget to create a compliance policy specifically for Linux devices. If you’re not going to enforce compliance across all devices, it’s almost pointless to require it for just some, since there will always be loopholes.
I’d suggest going for a policy that targets all users with a requirement for compliant devices, but make sure to exclude your specific group. Then, set up a second policy just for your Linux_CA_Allowed group, allowing access with multifactor authentication but without the compliant device requirement.
While I haven't personally done it, there are ways to register an Ubuntu device with Entra. You might want to check out the links on OIDC authentication for Ubuntu. However, the management aspect with Intune is pretty tough. Ideally, you want to strictly limit who can access your O365 infrastructure via Linux since it’s such a small percentage of your workforce.
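Added example, not code from this thread and not Microsoft's: the block-first design from the question and the compliant-device design from the answers, written as request bodies in the shape of the Microsoft Graph conditionalAccessPolicy resource (the group object id is a placeholder), plus a deliberately simplified evaluator that shows which sign-ins each design lets through. The evaluator is an approximation of Conditional Access evaluation written for this example; the sign-in attributes are constructed.

```python
"""Added example (not code from the thread or from Microsoft): the block-first
design from the question and the compliant-device design from the answers,
written as Microsoft Graph conditionalAccessPolicy request bodies, plus a
simplified evaluator to compare what each design lets through."""

GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder object id of Linux_CA_Allowed
ALL_APPS = {"includeApplications": ["All"]}
EVERYONE_BUT_GROUP = {"includeUsers": ["All"], "excludeGroups": [GROUP_ID]}
GROUP_ONLY = {"includeGroups": [GROUP_ID]}


def policy(name, users, platforms, controls, operator="OR"):
    """Build one policy body in the shape POSTed to
    /identity/conditionalAccessPolicies (cloud-app scope: all apps)."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": users,
            "applications": ALL_APPS,
            "platforms": {"includePlatforms": platforms},
        },
        "grantControls": {"operator": operator, "builtInControls": controls},
    }


# Question's design: block Linux for everyone outside the group; the group
# needs a compliant device OR MFA (scoped to Linux here, as the question is).
QUESTION_DESIGN = [
    policy("Block Linux outside Linux_CA_Allowed", EVERYONE_BUT_GROUP, ["linux"], ["block"]),
    policy("Linux_CA_Allowed: compliant or MFA", GROUP_ONLY, ["linux"], ["compliantDevice", "mfa"]),
]

# Answers' design: every user on every platform needs a compliant device,
# except the group, which gets in with MFA instead.
ANSWER_DESIGN = [
    policy("All users: require compliant device", EVERYONE_BUT_GROUP, ["all"], ["compliantDevice"]),
    policy("Linux_CA_Allowed: require MFA", GROUP_ONLY, ["all"], ["mfa"]),
]


def signin(platform, in_group=False, compliant=False, mfa=False):
    """Constructed sign-in attributes for the evaluator (no real tenant data)."""
    return {
        "platform": platform,
        "groups": {GROUP_ID} if in_group else set(),
        "compliant": compliant,
        "mfa": mfa,
    }


def applies(pol, s):
    """Does the policy's user scope and platform condition match this sign-in?
    Exclusions win over inclusions, as in Conditional Access."""
    users = pol["conditions"]["users"]
    if s["groups"] & set(users.get("excludeGroups", [])):
        return False
    in_scope = "All" in users.get("includeUsers", []) or bool(
        s["groups"] & set(users.get("includeGroups", []))
    )
    platforms = pol["conditions"]["platforms"]["includePlatforms"]
    return in_scope and ("all" in platforms or s["platform"] in platforms)


def satisfied(pol, s):
    """Grant controls: 'block' never passes; otherwise OR/AND across the controls."""
    grant = pol["grantControls"]
    if "block" in grant["builtInControls"]:
        return False
    have = {"compliantDevice": s["compliant"], "mfa": s["mfa"]}
    checks = [have[c] for c in grant["builtInControls"]]
    return any(checks) if grant["operator"] == "OR" else all(checks)


def evaluate(policies, s):
    """Simplified model: every enabled policy that applies must be satisfied.
    Returns (allowed, names of the policies that applied)."""
    applied = [p for p in policies if p["state"] == "enabled" and applies(p, s)]
    return all(satisfied(p, s) for p in applied), [p["displayName"] for p in applied]


if __name__ == "__main__":
    cases = {
        "Linux, in group, MFA, not compliant": signin("linux", in_group=True, mfa=True),
        "Linux, outside group, compliant": signin("linux", compliant=True),
        "Windows, outside group, not compliant": signin("windows"),
    }
    for label, s in cases.items():
        for name, design in (("question", QUESTION_DESIGN), ("answer", ANSWER_DESIGN)):
            print(f"{label:40} {name:8} -> {evaluate(design, s)}")
```

Running it shows the difference the first answer points at: under the question's Linux-only design a non-compliant Windows sign-in outside the group matches no policy at all and is allowed, whereas the answers' all-users policy catches it. It also shows the cost of the exclusion in the answers' design: members of Linux_CA_Allowed pass with MFA alone on every platform, which is why the third answer says to keep that group strictly limited.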