Installing Microsoft Intune on Ubuntu 24.04 LTS
Unable to register first, but solved the problem
I just received my new work computer - a ThinkPad T14s Gen 5. It's a wonderful machine by the way, with 2880x1800 OLED display and everything. Our company policy requires us to install Microsoft Intune. I put in the latest Xubuntu which resulted in my system effectively having Ubuntu 24.04.1 LTS.
Installing Intune
I found a blog post by Jaap de Goeij about installing Intune on Ubuntu 24.04, so I followed that first. In short, the steps are as follows.
First make sure your /etc/apt/sources.list.d/ubuntu.sources has the following contents:
Types: deb
URIs: http://archive.ubuntu.com/ubuntu
Suites: noble noble-updates noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: noble-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://nl.archive.ubuntu.com/ubuntu/
Suites: mantic
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: mantic-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
Convert Microsoft's signing key to gpg format and install everything:
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/
sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/22.04/prod jammy main" > /etc/apt/sources.list.d/microsoft-ubuntu-jammy-prod.list'
sudo rm microsoft.gpg
sudo apt update
sudo apt install intune-portal
I didn't have to hold the microsoft-identity-broker package in the end; version 2.0.1 worked. I'm also not sure if Edge is needed at all. In de Goeij's blog post, before installing intune-portal, there are separate instructions to install some dependencies: sudo apt install openjdk-11-jre libicu72 libjavascriptcoregtk-4.0-18 libwebkit2gtk-4.0-37. Now, why would you need to install dependencies manually? Shouldn't the package manager handle those? It turns out the first package on the list is actually critical.
Problem with registering the device
My problem was that when I launched Intune and signed in, instead of getting a "Register" button, I only had a button saying "Get the app". Clicking that resulted in a blank white page doing nothing.
Checking out the systemd logs with journalctl -xe, I could see that microsoft-identity-broker had failed:
microsoft-identity-broker[24051]: I/IdentityBrokerService: [2024-09-02 15:06:43 - thread_id: 1, correlation_id: UNSET - ] Starting DB>
microsoft-identity-broker[24051]: SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
microsoft-identity-broker[24051]: SLF4J: Defaulting to no-operation (NOP) logger implementation
microsoft-identity-broker[24051]: SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
microsoft-identity-broker[24051]: Exception in thread "main" java.lang.ExceptionInInitializerError
microsoft-identity-broker[24051]: at java.base/javax.crypto.KeyAgreement.getInstance(KeyAgreement.java:187)
microsoft-identity-broker[24051]: at org.freedesktop.secret.TransportEncryption.generateSessionKey(TransportEncryption.java:1>
microsoft-identity-broker[24051]: at org.freedesktop.secret.simple.SimpleCollection.init(SimpleCollection.java:282)
microsoft-identity-broker[24051]: at org.freedesktop.secret.simple.SimpleCollection.<init>(SimpleCollection.java:57)
microsoft-identity-broker[24051]: at com.microsoft.identity.broker.storage.KeyringNameValueStorage.<init>(KeyringNameValueSto>
microsoft-identity-broker[24051]: at com.microsoft.identity.broker.storage.KeyringNameValueStorage.defaultKeyring(KeyringName>
microsoft-identity-broker[24051]: at com.microsoft.identity.broker.crypto.KeyringKeyLoader.<init>(KeyringKeyLoader.java:74)
microsoft-identity-broker[24051]: at com.microsoft.identity.broker.crypto.LinuxRegularUserStorageEncryptionManager.<init>(Lin>
microsoft-identity-broker[24051]: at com.microsoft.identity.broker.platform.LinuxBrokerPlatformComponents.getStorageEncryptio>
microsoft-identity-broker[24051]: at com.microsoft.identity.broker.platform.LinuxBrokerPlatformComponents.getStorageSupplier(>
microsoft-identity-broker[24051]: at com.microsoft.identity.common.java.eststelemetry.EstsTelemetry.setUp(EstsTelemetry.java:>
microsoft-identity-broker[24051]: at com.microsoft.identity.broker4j.broker.ipc.AuthSdkOperation.<init>(AuthSdkOperation.java>
microsoft-identity-broker[24051]: at com.microsoft.identity.broker.client.LinuxBrokerServiceOperation.<init>(LinuxBrokerServi>
microsoft-identity-broker[24051]: at com.microsoft.identity.broker.dbus.services.impl.BrokerDBusV1Impl.<init>(BrokerDBusV1Imp>
microsoft-identity-broker[24051]: at com.microsoft.identity.broker.dbus.services.BrokerDBusV1Service.<init>(BrokerDBusV1Servi>
microsoft-identity-broker[24051]: at com.microsoft.identity.broker.service.IdentityBrokerService.main(IdentityBrokerService.j>
microsoft-identity-broker[24051]: Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism
microsoft-identity-broker[24051]: at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:117)
microsoft-identity-broker[24051]: ... 16 more
microsoft-identity-broker[24051]: Caused by: java.lang.SecurityException: Couldn't parse jurisdiction policy files in: unlimited
microsoft-identity-broker[24051]: at java.base/javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:358)
microsoft-identity-broker[24051]: at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:108)
microsoft-identity-broker[24051]: at java.base/javax.crypto.JceSecurity$1.run(JceSecurity.java:105)
microsoft-identity-broker[24051]: at java.base/java.security.AccessController.doPrivileged(Native Method)
microsoft-identity-broker[24051]: at java.base/javax.crypto.JceSecurity.<clinit>(JceSecurity.java:104)
microsoft-identity-broker[24051]: ... 16 more
This prompted me to figure out what was wrong with my Java installation. The unlimited policies have been the default for quite a long time already.
It turns out that microsoft-identity-broker depends on the default-jre package. On Ubuntu 24.04, default-jre installs OpenJDK 21.
In the file /lib/systemd/user/microsoft-identity-broker.service (and /lib/systemd/system/microsoft-identity-device-broker.service), the Java home path is set as follows:
# Point to JDK 11 until the Linux Broker is upgraded to JDK 17.
Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64"
Therefore, the OpenJDK 21 installed by default-jre does not work. One solution is to do the following:
rm -rf ~/.cache/intune-portal
sudo apt install openjdk-11-jre
sudo apt purge openjdk-21-jre-headless
sudo update-alternatives --config java   # select Java 11
# Log out, log in, and try running intune-portal again
This will make sure you are running the correct Java version when starting up intune-portal. This is also apparently why de Goeij's blog post advises you to install openjdk-11-jre. However, I had openjdk-11-jre already installed. So, I'm not sure if the update-alternatives step was the key or just reinstalling Java.
However, another possibility is to simply edit the files /lib/systemd/user/microsoft-identity-broker.service and /lib/systemd/system/microsoft-identity-device-broker.service and make the JAVA_HOME point to the correct location. I'm using Java packages downloaded directly from Oracle and just extract them somewhere. I then link /opt/current_jdk to that somewhere. My /etc/alternatives/java points to /opt/current_jdk/bin/java. This seems to work for me with jdk-21.0.4.
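Unit files under /lib/systemd belong to the package and are replaced when it is upgraded, while a drop-in under /etc/systemd survives upgrades and overrides the packaged JAVA_HOME. The script below is an added example, not part of the original post or of Microsoft's packages: it reads back the JAVA_HOME a unit ends up with and writes such a drop-in. The function names and the SYSROOT variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and SYSROOT are hypothetical helpers, not part of
# Intune or systemd. SYSROOT prefixes every path so the demo can use a scratch tree;
# leave it empty to act on the real /lib/systemd and /etc/systemd (needs root).
SYSROOT="${SYSROOT:-}"

# Print the JAVA_HOME a unit ends up with. The packaged unit is read first and
# drop-ins after it, so the last assignment wins, as it does in systemd.
# Only the single-assignment form shown in the post is parsed.
# $1 = user|system   $2 = unit name
unit_java_home() {
    for f in "$SYSROOT/lib/systemd/$1/$2" "$SYSROOT/etc/systemd/$1/$2.d"/*.conf; do
        [ -f "$f" ] || continue
        sed -n 's/^Environment="\{0,1\}JAVA_HOME=\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$f"
    done | tail -n 1
}

# Write a drop-in that overrides JAVA_HOME; refuse a directory with no runnable java.
# $1 = user|system   $2 = unit name   $3 = JDK directory
write_java_home_dropin() {
    if [ ! -x "$3/bin/java" ]; then
        echo "no executable $3/bin/java, not touching $2" >&2
        return 1
    fi
    mkdir -p "$SYSROOT/etc/systemd/$1/$2.d" || return 1
    printf '[Service]\nEnvironment="JAVA_HOME=%s"\n' "$3" \
        > "$SYSROOT/etc/systemd/$1/$2.d/override.conf"
}

# Constructed demo: a scratch tree holding the packaged unit line quoted in the
# post and a stand-in JDK directory (an empty executable named java).
demo() {
    SYSROOT=$(mktemp -d) || return 1
    unit=microsoft-identity-broker.service
    mkdir -p "$SYSROOT/lib/systemd/user" "$SYSROOT/opt/current_jdk/bin"
    printf '[Service]\nEnvironment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64"\n' \
        > "$SYSROOT/lib/systemd/user/$unit"
    : > "$SYSROOT/opt/current_jdk/bin/java"; chmod +x "$SYSROOT/opt/current_jdk/bin/java"
    echo "packaged: $(unit_java_home user "$unit")"
    write_java_home_dropin user "$unit" "$SYSROOT/opt/current_jdk"
    echo "with drop-in: $(unit_java_home user "$unit")"
    rm -rf "$SYSROOT"; SYSROOT=
}
demo
```

To use it on a real host, drop the final demo call and run write_java_home_dropin as root for both units named above. Then run systemctl daemon-reload, plus systemctl --user daemon-reload in the desktop session, and restart the brokers.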
Satisfying default-jre with your own Java version in Ubuntu
To lessen the chances of bumping into this kind of problem in the future, I wanted my manually installed Java binaries to satisfy the default-jre dependency. On a Gentoo/Portage system it's trivial to use the package.provided file to tell the package manager the system has a package somehow installed.
With Ubuntu/apt it's apparently not possible. However, it is easy to create a dummy package to achieve the same effect. First, install equivs and create a dummy package file:
sudo apt install equivs
equivs-control default-jre-dummy
Edit the just created file default-jre-dummy and make its contents like so:
Section: misc
Priority: optional
Standards-Version: 3.9.2
Package: default-jre-dummy
Maintainer: Dummy Nobody
Provides: default-jre
Description: Dummy package to satisfy default-jre dependency
 This package provides the default-jre dependency without actually installing any JRE.
Finally, build and install the package:
equivs-build default-jre-dummy
sudo dpkg -i default-jre-dummy_1.0_all.deb
Now it is possible to uninstall default-jre, OpenJDK 11, OpenJDK 21 and others installed via apt, without uninstalling intune-portal. If you also set JAVA_HOME correctly in the service files, you're all set and Intune runs using your manually installed Java binary.