How to enroll Arch Linux in Microsoft Intune

Here's how to set up your Arch Linux system to work with Microsoft Intune.

From Vootwerk.com

Microsoft Intune does not officially support any Linux distribution, except for Ubuntu. So we have to hack a little to get our Arch Linux systems registered with a company Intune setup.

Microsoft Intune Portal sign in window on Arch Linux

Requirements:

We need a couple of things before we can enroll.

We need the Intune Portal application and we need to convince it that we are running Ubuntu.

Setup:

Recolic on GitHub created some PKGBUILDs that install some of the dependencies of Intune not available in the Arch repo or the AUR.

I created some AUR packages based on those, so you can install all you need by installing intune-portal-bin from the AUR. Some of its dependencies are also from the AUR, so be aware of that when installing.

If you have yay installed, you can install all the required packages with:

yay -S intune-portal-bin

There are messages in the output saying that you need to enable a couple of services and a timer. Follow those instructions and reboot. The agents might not work at this point, so you can probably ignore those.

Enrolling:

Now all the required software is installed and the packages have made changes to your /etc/os-release file so it can be used to enroll.

To enroll, simply open your application menu and run "Microsoft Intune". After you log in, a window presenting some stats from your device will appear. At this step, your company can see your device in their Intune setup.

My company did not have any Linux policies set up, so my device got the "Compliant" checkbox right away.

Caveat:

For some reason, when I log in, the information is synced and all, but the intune-agent.service still says it's not logged in, so it can't do regular check-ins. This seems to be caused by keyring issues, as I'm not using a GNOME desktop and the .deb lists gnome-keyring as a dependency, indicating that it likely only works for GNOME. Maybe we just need to use the Portal once in a while to keep compliance. For now.

The auto-check-in works fine on Ubuntu (with GNOME) though, so it seems to be keyring related.

However, a user told me that if you enable the Automatic D-Bus Activation of KWallet you can get it working.

Conclusion:

Enrolling Arch Linux is pretty easy, but you need the right software installed and you need to "spoof" the /etc/os-release file for now, because only Ubuntu will be recognized. The Microsoft Intune team has said that they are looking into how to support more distributions in the Intune backend.
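An added example (not from the original post or the AUR packages): reading what an os-release file claims without sourcing it, and flagging the situation this post creates, an Ubuntu ID on a pacman-managed system. The post does not say which fields the packages change, so the ID=ubuntu sample file is a constructed assumption, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit what an os-release file claims, without sourcing it
# (sourcing would execute whatever shell code the file contains).

# Print the value of KEY from an os-release style FILE (last assignment wins).
os_release_field() {
    local file="$1" key="$2" line value=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$key="*) value=${line#*=} ;;
        esac
    done < "$file"
    # Strip one pair of matching surrounding quotes.
    case $value in
        \"*\") value=${value#\"}; value=${value%\"} ;;
        \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    printf '%s\n' "$value"
}

# Compare the claimed distribution with the package database actually present.
# The second argument defaults to pacman's standard local database directory.
os_release_verdict() {
    local file="$1" pacman_db="${2:-/var/lib/pacman/local}" id
    id=$(os_release_field "$file" ID)
    if [ "$id" = ubuntu ] && [ -d "$pacman_db" ]; then
        echo "mismatch: ID=ubuntu on a pacman-managed system"
    else
        echo "consistent: ID=${id:-unset}"
    fi
}

# Constructed sample: an os-release as it might look after the spoof
# (assumed values, not copied from the packages).
demo_dir=$(mktemp -d)
printf 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="22.04"\n' > "$demo_dir/os-release"
mkdir "$demo_dir/pacman-local"
os_release_verdict "$demo_dir/os-release" "$demo_dir/pacman-local"
rm -r "$demo_dir"
```

On a real machine, `os_release_verdict /etc/os-release` runs the same comparison against the live file and pacman database.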

Bonus - Microsoft Defender Advanced Threat Protection for Endpoints

As an added bonus, the company will likely need to prove that its security on the endpoints is up to snuff, which will most likely be done with Microsoft Defender Advanced Threat Protection for Endpoints.

Luckily though, there are already AUR packages for that. Getting it connected should be easy enough following Microsoft's own documentation on this, except for the installation steps, as the AUR package already takes care of that. This part I have not tested yet though, as it seems my company does not provide the Endpoint Onboarding stuff at this time.