Block Linux enrollment into Microsoft Intune with Conditional Access

Microsoft recently released the option to be able to enroll and manage devices running Linux (Ubuntu at this time) in Microsoft Intune.

If you want to start playing around with this new feature, I highly recommend checking out Paul Winstanley's (SCCMentor) article on it here:

No Enrollment restrictions for Linux

As with any new release, there might be some things that are not in place from day 1, and one of those things is Enrollment restrictions. For the other platforms we can manage with Intune, we have the capability to block certain platforms from enrolling into Intune. Since we don't have any such option for Linux at this time, how can we make sure that we don't get any unwanted Ubuntu devices enrolled?

The only option I can think of to block unwanted Linux enrollment is to block it with Conditional Access.

Conditional Access policy

Caution: As with any Conditional Access Policy that might have some direct impact on your environment, run it in a Report-only mode first and evaluate the impact before enabling it.

In this example we are creating a Conditional Access policy for all users (remember to exclude any break-glass or recovery users/accounts per your organization's standard practice).

Cloud apps or actions -> Select apps -> Microsoft Intune Enrollment

Conditions -> Device platforms -> Linux

Grant -> Block Access

When searching for a specific app, if you search for "Intune" you will find 4 different apps; the only one we need for this specific purpose is the "Microsoft Intune Enrollment" app.

Again, configure your policy as report-only until you have verified that the policy does not cause any unforeseen consequences.

On the actual device

On a device that tries to enroll through the Intune Company Portal app while the policy is enabled, the result looks like this:

Logs

In the Sign-in logs we can have a look at the actual attempts to enroll our device and see what the policy did. Go to:

Conditional Access -> Sign-in logs -> User sign-ins (non-interactive)

Find the application with the name “Microsoft Intune Company Portal for Linux”

Here you can see the status “Failure” which means that the device was blocked as per the policy.

If you select the actual event, you can then go to "Conditional Access" and click on "Show details", and you will get a full rundown of how the policy was evaluated for that specific device.
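The policy configured above and the sign-in log check, as an added example using Microsoft Graph PowerShell (this is not code from the original post). It assumes the Microsoft.Graph and Microsoft.Graph.Beta.Reports modules are installed, that the signed-in admin holds the listed scopes, and that the break-glass account object ID is a placeholder you replace with your own.

```powershell
# Added example: create the "block Linux enrollment" Conditional Access policy
# in report-only state, then list the Linux Company Portal sign-in attempts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","AuditLog.Read.All"

# Well-known first-party app ID of "Microsoft Intune Enrollment". Confirm it
# against the app you pick when searching for "Intune" in the Cloud apps picker.
$intuneEnrollmentAppId = "d4ebce55-015a-49b5-a083-c84d1797ae8c"
$breakGlassAccountId   = "<OBJECT-ID-OF-BREAK-GLASS-ACCOUNT>"   # placeholder, replace

$policy = @{
    displayName   = "Block Linux enrollment into Intune"
    # Report-only first; switch to "enabled" only after reviewing the sign-in logs.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        applications = @{ includeApplications = @($intuneEnrollmentAppId) }
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        platforms    = @{ includePlatforms = @("linux") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Verification: non-interactive sign-ins from the Linux Company Portal in the
# last 24 hours. Non-interactive events are requested explicitly through the
# signInEventTypes filter on the beta sign-in endpoint.
$since  = (Get-Date).AddDays(-1).ToUniversalTime().ToString("o")
$filter = "createdDateTime ge $since " +
          "and appDisplayName eq 'Microsoft Intune Company Portal for Linux' " +
          "and signInEventTypes/any(t: t eq 'nonInteractiveUser')"

Get-MgBetaAuditLogSignIn -Filter $filter -All |
    Select-Object CreatedDateTime, UserPrincipalName, ConditionalAccessStatus,
        @{ n = "ErrorCode"; e = { $_.Status.ErrorCode } }
```

While the policy is in report-only state, ConditionalAccessStatus shows what the policy would have done; once enabled, blocked enrollments show a "failure" status as in the portal.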

That's it for this time. Don't forget to follow me on Twitter @timmyitdotcom


  1. Great stuff.
    Would there be any advantage of targeting Intune enrollment over all cloud apps?

    1. Targeting all apps could be problematic in larger environments where you might have other Linux instances doing other things related to Azure or any other cloud service. Targeting only the Intune Enrollment app would at least stop them from enrolling and only that.
