Microsoft is preparing to release a long-awaited tool that would let IT administrators remotely manage Linux as well as Windows machines -- saying a general availability (GA) release will land in Q3.
Yet early releases will be bare bones and limited in functionality, The Stack can confirm.
Microsoft promised in November 2021 to start building the ability to manage Linux systems via remote device management service Intune (part of Microsoft Endpoint Manager) by early 2022.
It has been conducting a limited private preview (with just three customers) and plans to skip the public preview stage and go straight to general availability (GA) within Q3 of this year, according to a recent Q&A with the Microsoft team leading the project -- which has attracted a significant amount of attention.
Impatient admins currently using a plethora of tools to manage heterogeneous fleets (or simply leaving Linux boxes unmanaged) will get support for Ubuntu first (20.04 then 22.04). Microsoft also aims to include support for other Linux distributions in future, with Red Hat to follow next, then other open source distros.
In the recent community Q&A the Microsoft Endpoint Manager team took some important questions on how Intune for Linux will work and what's happening behind the scenes on the project.
Listening in, The Stack got the distinct impression that early releases will be extremely limited in functionality and based around basic compliance controls: they will not, for example, include the ability to remotely add or remove software, nor will the GA release include the ability to lock or wipe a lost or stolen device.
Endpoint Manager for Linux coming soon, but...
Intune lets IT administrators remotely control how an organisation’s devices (laptops, mobiles, tablets) are used, and configure specific policies to control applications. It can be used to set password and PIN requirements, create a VPN connection, set up threat protection, patch endpoints and more.
As part of the Microsoft Endpoint Manager for Linux plans, users will be able to set Azure AD Conditional Access policies targeted at Linux devices the same way they do for Windows, mobile and Mac endpoints, so that only compliant Linux workstations get access to corporate resources such as M365 apps.
So how will Intune for Linux enroll supported open source distros? realmd and SMB? Standalone software? When *is* GA? Why will we have to use Edge? These were among the first questions in the recent Microsoft Q&A...
How will enrolment work? realmd? SMB?
Redmond's Jamie Silvestri, lead programme manager on the project, said: "Similar to some of our other platforms, there will be an agent that you install that will walk you through the enrollment process. You will sign in with your corporate credentials to that agent; it will perform both enrollment of the device in Intune and will also AAD register the device with Azure Active Directory, and then compliance policies will come down to that agent which will then evaluate the device and report back on those compliance policies."
He added: "It's much lighter weight than some of the others [out there, which are] built into the operating systems, and a lot of that enrollment process is really operating system driven; with Linux it is our own agent and we can streamline it a little bit more than some of the others."
His colleague Ileana Wu added: "Our initial release, which is in private preview, is centred around compliance -- so admins can define password complexity requirements... whether or not a device [sic] needs to be encrypted before it accesses corporate resources. That's the limited functionality we have in preview today," she said, adding on the Q&A (available in its original video form here): "We're also adding support for custom compliance scripting via bash scripts, so we hope that unlocks a lot of scenarios for our customers."
Critically, and potentially off-putting for some, she added that "all of our access like conditional access gating will happen through Microsoft Edge, so if people want to use Microsoft 365 apps that all has to happen [in] the web browser at this point... [for] enabling secure access to things like Teams or Outlook... that does have to happen through Edge today". Silvestri explained that "just like on all of our platforms, we inform Intune of compliance state, which sends a signal to AAD that is based on a unique identifier... because Edge has incorporated a new identity library that can support this, today Edge is the only way to do this. We are investigating other browsers but there's no timeline on that; we understand that that's an important feature [and] is something we'd like to do..."
Microsoft Endpoint Manager for Linux: What's in the roadmap?
Microsoft has no plans for Ansible, Chef, Puppet etc. integration, Silvestri confirmed, saying in response to that question: "We're not trying to replace those Linux management tools... but I'd [be] very interested in the type of integrations [customers would] like to see with those management and configuration tool sets."
Device lifecycle management is also not on the roadmap ("we're very focused on compliance, more compliance, and configuration"), and "it's not something we have right now" or "no short-term plans for..." were common answers to many of the questions. Users anticipating a full-fat, all-singing, single-pane-of-glass remote management tool that does everything they want on every OS look set to be disabused of that notion soon.
That said, as Silvestri added in response to a question on USB management "part of the reason we wanted to add custom config support was to allow admins to create a script to lock things like that down if they chose to, and have the compliance capability to then evaluate and ensure that that is still in place on a regular basis."
As Ileana Wu noted when news of Endpoint Manager for Linux capabilities first emerged, the idea was to let admins "write a PowerShell script to detect almost any setting, such as BIOS version, and report that back to Intune's device compliance engine. You then can provide a JSON definition file for each custom compliance setting that includes remediation messages, which help your users know how to get compliant again," and similar customisable compliance check capabilities look set to be available on Ubuntu in the near future.
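To make the custom-compliance model concrete for both the USB lockdown scenario Silvestri describes and the detect-and-report flow Wu describes, here is an added example written for this page; it is not Microsoft's code and is not taken from the Intune agent. It is a bash discovery script of the kind the article says is coming for Ubuntu: it checks three settings (whether the usb-storage module is disabled under /etc/modprobe.d, whether the root filesystem sits on a LUKS-backed crypt device, and PASS_MAX_DAYS from login.defs) and emits them as one JSON object, alongside the definition file an admin would pair with it. Assumptions, labelled in the code: the setting names, the "one JSON object on stdout" output contract and the Rules/SettingName/Operator/Operand/RemediationStrings schema are modelled on the Windows custom-compliance format the quote refers to, not confirmed for the Linux agent; the inputs are file paths (rather than live system state) so the script runs offline on constructed fixtures, and the example block-device listing is in `lsblk -P` key="value" form.

```shell
#!/usr/bin/env bash
# Added example: an Intune-style custom compliance discovery script for
# Linux. Not Microsoft's code; setting names and JSON shapes are ASSUMED,
# modelled on the Windows custom-compliance format the article quotes.
set -u

# usb_storage_blocked DIR: succeed if any *.conf in DIR (a modprobe.d-style
# directory) blacklists usb-storage or maps its install to /bin/false.
usb_storage_blocked() {
  grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+usb[-_]storage|install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(false|true))' "$1"/*.conf
}

# pass_max_days FILE: PASS_MAX_DAYS from a login.defs-style file, falling
# back to 99999 (shadow's default) when the key is absent.
pass_max_days() {
  v=$(awk '$1 == "PASS_MAX_DAYS" { print $2 }' "$1" | tail -n 1)
  printf '%s\n' "${v:-99999}"
}

# root_encrypted FILE: FILE holds `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`
# output. Walks from the device mounted at / up its parent chain (PKNAME)
# and prints "true" if any ancestor is a crypt (dm-crypt/LUKS) device.
root_encrypted() {
  awk '
    {
      split("", f)
      for (i = 1; i <= NF; i++) { split($i, kv, "="); gsub(/"/, "", kv[2]); f[kv[1]] = kv[2] }
      devtype[f["NAME"]] = f["TYPE"]; devparent[f["NAME"]] = f["PKNAME"]
      if (f["MOUNTPOINT"] == "/") root = f["NAME"]
    }
    END {
      d = root; enc = "false"
      while (d != "") { if (devtype[d] == "crypt") { enc = "true"; break } d = devparent[d] }
      print enc
    }' "$1"
}

# discovery_json MODPROBE_DIR LOGIN_DEFS LSBLK_FILE: the single JSON object
# the agent would forward to the compliance engine (assumed contract).
discovery_json() {
  if usb_storage_blocked "$1"; then usb=true; else usb=false; fi
  printf '{"UsbStorageBlocked":%s,"RootEncrypted":%s,"PasswordMaxDays":%s}\n' \
    "$usb" "$(root_encrypted "$3")" "$(pass_max_days "$2")"
}

# The definition file an admin would upload next to the script. ASSUMED
# schema (copied from the Windows custom-compliance JSON shape); the URL
# and remediation text are placeholders.
COMPLIANCE_RULES='{"Rules":[
 {"SettingName":"UsbStorageBlocked","Operator":"IsEquals","DataType":"Boolean","Operand":true,
  "MoreInfoUrl":"https://intranet.example/usb-policy",
  "RemediationStrings":[{"Language":"en_US","Title":"USB storage enabled","Description":"Ask IT to apply the usb-storage modprobe lockdown."}]},
 {"SettingName":"RootEncrypted","Operator":"IsEquals","DataType":"Boolean","Operand":true,
  "MoreInfoUrl":"https://intranet.example/disk-encryption",
  "RemediationStrings":[{"Language":"en_US","Title":"Disk not encrypted","Description":"Reinstall with LUKS full-disk encryption."}]},
 {"SettingName":"PasswordMaxDays","Operator":"LessEquals","DataType":"Int64","Operand":90,
  "MoreInfoUrl":"https://intranet.example/password-policy",
  "RemediationStrings":[{"Language":"en_US","Title":"Password expiry too long","Description":"Set PASS_MAX_DAYS to 90 or less in /etc/login.defs."}]}
]}'

# write_sample_inputs DIR: constructed fixtures standing in for a hardened,
# LUKS-encrypted Ubuntu box (not captured from a real system).
write_sample_inputs() {
  mkdir -p "$1/modprobe.d"
  printf 'install usb-storage /bin/false\n' > "$1/modprobe.d/99-usb-lockdown.conf"
  printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\n' > "$1/login.defs"
  cat > "$1/lsblk.txt" <<'EOF'
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="dm_crypt-0" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="ubuntu--vg-ubuntu--lv" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm_crypt-0"
EOF
}

# Stand-alone run: build the fixtures in a temp dir and print what the
# agent would report for them.
demo() {
  dir=$(mktemp -d)
  write_sample_inputs "$dir"
  discovery_json "$dir/modprobe.d" "$dir/login.defs" "$dir/lsblk.txt"
  rm -rf "$dir"
}
demo
```

The script deliberately reports facts and leaves the pass/fail decision to the rules file, which is the split the article describes: the engine compares `PasswordMaxDays` against the operand and surfaces the remediation text to the user, so tightening a threshold is a policy edit rather than a script change. On a real host you would feed it `/etc/modprobe.d`, `/etc/login.defs` and the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`; note that the usb-storage check only proves a config line exists, not that the module is unloaded, so a stricter variant would also confirm `usb_storage` is absent from `/proc/modules`.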