Microsoft Intune on IGEL App Portal – Custom Compliance Scripts for Entra Conditional Access with IGEL OS

The Microsoft Intune Agent is now available in the IGEL App Portal, joining the Microsoft Edge app and the IGEL AVD app. The Intune Conditional Access app enables Entra conditional access capabilities with IGEL OS 12 to control access to Azure Virtual Desktop and Windows 365. It provides visibility of IGEL OS devices within the Intune console giving admins a single place to track assets and apply security checks and policies. Read the digital bouncer blog to learn more about the benefits of this integration.  In this blog I describe how to create a script which will query IGEL OS for its management servers unique ID.

The endless compliance opportunities – tech area!

The tight integration between IGEL OS, Microsoft Intune, IGEL AVD App and Microsoft Authentication Library (MSAL) ensures control of your IGEL OS devices using the IGEL Universal Management Suite (UMS), while letting Microsoft Entra and Intune custom compliance scripts to validate that the IGEL OS device that are used to access is actually managed by your organization.
As an example, you can create a compliance script that checks the devices assigned UMS certificate has a certain sha256 fingerprint, here is how that can look:

#!/bin/sh
logger “Starting compliance discovery script”
logger ” – Checking UMS fingerprint”
estcacertfile=”/wfs/ca-certs/tls/ums_ca.pem”
ums_fingerprint_sha256=$(openssl x509 -in ${estcacertfile} -noout -fingerprint -sha256 | cut -d ‘=’ -f2)
printf ‘{“ums_fingerprint_sha256″:”%s”}\n’ “$ums_fingerprint_sha256”
logger “Ending compliance script”

What the above script does when being executed on the device by Microsoft Intune, is to set a variable estcacertfile pointing at the UMS Certificate, then it creates a new variable, ums_fingerprint_sha256 that will have the value of the openssl command result when checking the sha265 fingerprint of the certificate And this is how the compliance policy – compliance setting in Intune admin portal looks:

{
“Rules”:[
{
“SettingName”:”ums_fingerprint_sha256″,
“Operator”:”IsEquals”,
“DataType”:”String”,
“Operand”:”80:20:EF:F6:61:DA:7E:54:23:FE:FF:74:CC:41:66:47:62:6E:E3:4C:36:14:17:4A:1B:17:81:AF:6D:81:BF:20″,
“MoreInfoUrl”:”https://www.igel.com”,
“RemediationStrings”:[
{
“Language”: “en_US”,
“Title”: “Enrolled to a wrong UMS”,
“Description”: “Please ensure that your IGEL OS is managed by the correct UMS.”
},
{
“Language”: “de_DE”,
“Title”: “Von einer falschen UMS verwaltet”,
“Description”: “Bitte stellen Sie sicher, dass Ihr IGEL-Betriebssystem von der richtigen UMS verwaltet wird.”
}
] }
] }

The script that runs on IGEL OS, will report back ums_fingerprint_sha256 which is the result of the script, and Intune will then validate that ums_fingerprint_sha256 matches the sha256 fingerprint of the actual known certificate: -80:20:EF:F6:61:DA:7E:54:23:FE:FF:74:CC:41:66:47:62:6E:E3:4C:36:14:17:4A:1B:17:81:AF:6D:81:BF:20

This means that we know that:
1. Device has to be enrolled in the company Intune (A trusted user needs to enroll the device)
2. The device has to be managed by the company UMS (We determine that it is not a random Intune enrolled device, it is a device that is managed by the company UMS)

So, what more can we do with compliance scripts? As you probably understand now, the command we run on IGEL OS to get the sha256 fingerprint, is a local binary openssl. We can take results of any command, or multiple commands, for instance we can use the IGEL OS get command to read out ANY configuration of the IGEL OS device, as an example get sessions.xlock0.options.autolock would result in true if use of the IGEL OS screensaver is activated. We can check for system variables and can check if certain processes are running with pgrep, or not etc. There are endless possibilities on what to look for to define as a compliant IGEL OS endpoint!

The compliance policy scripts extend the very limited built in compliance evaluations with Microsoft Intune for Linux.

Stay tuned for further tech articles on Microsoft integrations and apps with IGEL OS.