Himmelblau supports Microsoft Intune device management for Linux. After enrolling a device, Himmelblau downloads and enforces compliance policies, and marks the device as compliant in Intune so it can satisfy Azure Conditional Access requirements.

How it works

  1. When a user logs in for the first time, Himmelblau enrolls the device with Intune as part of the Entra ID device join process.
  2. The himmelblaud-tasks daemon periodically downloads compliance policies from Intune.
  3. Policies are evaluated locally. If the device meets all requirements, it is reported as compliant.
  4. Conditional Access policies in Entra ID that require a compliant device are satisfied by enrolled Himmelblau devices.

Enabling policy enforcement

Policy enforcement is enabled by default. The apply_policy option controls it:
/etc/himmelblau/himmelblau.conf:
    [global]
    apply_policy = true   # default — enforce Intune policies
Set apply_policy = false to disable policy enforcement (the device will still enroll, but policies won’t be applied or checked during authentication).
Policy enforcement only applies to non-OIDC authentication flows. OIDC-based authentication (when oidc_issuer_url is set) is not affected by this setting.

Supported policy types

The following Intune policy extension types are handled by Himmelblau:
Policy type                  Description
Compliance extensions        Standard Intune device compliance rules (OS version, encryption, etc.)
Custom compliance scripts    PowerShell/shell scripts that return compliance data
Chromium policy extensions   Browser policy enforcement for Chromium-based browsers
Scripts extensions           General shell script execution as policy
Policy processing is handled by the himmelblaud-tasks daemon. Check its logs for policy evaluation details:
journalctl -u himmelblaud-tasks --no-pager

Conditional Access integration

Once enrolled and marked compliant, the device satisfies Conditional Access policies requiring:
  • Require compliant device — Himmelblau reports compliance status to Intune
  • Require hybrid joined device — satisfied by join_type = join (the default)
If your tenant has Conditional Access policies that require compliant devices, ensure apply_policy = true and that the device has enrolled successfully before those policies take effect. Users may be blocked from logging in if the device is not yet enrolled.

Verifying enrollment

After a user logs in for the first time, check that the device appears in Intune:
  1. Go to intune.microsoft.com
  2. Navigate to Devices > All devices
  3. Find your Linux host by name — it should show as Managed with a compliance state
You can also check the daemon logs:
journalctl -u himmelblaud -u himmelblaud-tasks --no-pager | grep -i intune

Troubleshooting

Device not appearing in Intune after login
  • Check that join_type = join is set (registration alone may not trigger full enrollment)
  • Review journalctl -u himmelblaud-tasks for enrollment errors
  • Ensure network access to Intune endpoints (*.manage.microsoft.com)
Device showing as non-compliant
  • Check journalctl -u himmelblaud-tasks for specific policy failures
  • Verify apply_policy = true in config
  • Custom compliance scripts may require specific tools to be installed on the Linux host
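The configuration checks from "Enabling policy enforcement" and the two troubleshooting lists above, collected into a small preflight script. This is an added example, not part of Himmelblau; it assumes the plain "key = value" layout of himmelblau.conf shown on this page and the defaults the page states (apply_policy defaults to true, join_type defaults to join).

```shell
# Added preflight check for Himmelblau Intune enrollment settings (example code,
# not part of Himmelblau). It reads the [global] section of himmelblau.conf and
# reports whether apply_policy and join_type match what Conditional Access needs.
# Assumption: a simple "key = value" INI layout with '#' comments, as on this page.

# conf_get FILE KEY DEFAULT: print KEY's value from the [global] section, or DEFAULT.
conf_get() {
    file=$1; key=$2; default=$3
    value=$(awk -v k="$key" '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/); next }
        in_global && /^[[:space:]]*#/ { next }      # skip comment lines
        in_global {
            sub(/#.*/, "")                           # strip trailing comments
            n = index($0, "=")
            if (n == 0) next
            name = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", name)
            if (name == k) {
                val = substr($0, n + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$file")
    printf '%s\n' "${value:-$default}"
}

# check_enrollment_config FILE: return 0 when the config can satisfy
# "require compliant device" and "require hybrid joined device"; 1 otherwise.
check_enrollment_config() {
    file=$1; rc=0
    apply=$(conf_get "$file" apply_policy true)   # page: default is true
    join=$(conf_get "$file" join_type join)       # page: default is join
    if [ "$apply" = "true" ]; then
        echo "ok:   apply_policy=true (compliance policies will be enforced)"
    else
        echo "FAIL: apply_policy=$apply (device enrolls but is never reported compliant)"; rc=1
    fi
    if [ "$join" = "join" ]; then
        echo "ok:   join_type=join (full enrollment, satisfies hybrid-joined checks)"
    else
        echo "FAIL: join_type=$join (registration alone may not trigger enrollment)"; rc=1
    fi
    if [ -n "$(conf_get "$file" oidc_issuer_url "")" ]; then
        echo "note: oidc_issuer_url is set; policy enforcement does not apply to OIDC flows"
    fi
    return $rc
}
```

Run it with `check_enrollment_config /etc/himmelblau/himmelblau.conf`; a non-zero exit means one of the settings the Conditional Access section depends on is off, so fix that before looking at the journalctl output.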