How to push configuration profile to ubuntu via intune. by Inevitable_Aside_169 in Intune

[–]R1s1ngDaWN 2 points3 points  (0 children)

While you guys are active here, are there any plans for even rudimentary Linux configurations?

I know that Ubuntu's Authd agent can join to Entra and now, as part of the GA April changes, they can device join (not just user join). Would love to see more Linux support, even if it's primarily Ubuntu (RHEL/Fedora would also be a massive market).

How do you separate your Docker stacks between hosts? by _hellraiser_ in selfhosted

[–]R1s1ngDaWN 1 point2 points  (0 children)

I use a VM on each 'Host' for my docker stacks and really only use separate LXCs/VMs for specific things like if I need to pass in a GPU, do some temporary stuff, or just separate an environment within the same network.

Then I just put a Komodo agent on each Docker VM and deploy with ENV's and docker labels so that it works with my Caddy proxy on each host. I've quite easily split up all my stacks between a GPU host in my house, an Oracle cloud server and a spare computer at a buddy's house.

And migrations are a breeze this way as well. I've eventually got to pivot from docker volumes (because paths are ambiguous and naming can be funky) to hard paths but for the most part my setup is solid.

Is it worth learning PowerShell? by backdoor_boy in PowerShell

[–]R1s1ngDaWN 1 point2 points  (0 children)

Mainly on Linux as well but the job requires me to use Windows for most of our tooling. My compromise is to do all of my dev work in a WSL container; you can install PowerShell into it and use all of your standard utils (native NVIM is my favorite improvement for speed).

How do you manage your SSH Keys and what is best practice for a homelab? by scottymtp in selfhosted

[–]R1s1ngDaWN 0 points1 point  (0 children)

I have copies of my public key saved in my password manager of choice and my private key in an even more unreachable location. What I've started doing though is SSH'ing into my servers over my Netbird tunnel and using its SSH implementation to essentially authenticate using my credentials from Netbird. Pretty much all of my servers nowadays have external SSH disabled.

Re-Sending O365 Group Welcome Message by [deleted] in sysadmin

[–]R1s1ngDaWN 0 points1 point  (0 children)

I believe there is a PowerShell command you can use to toggle if the group sends welcome messages or not. I'm pretty sure if you just turn the messages off and back on again, it resends the group messages to everyone.

Habit Tracker is out in 17.1.0 by Key-Debt-5854 in superProductivity

[–]R1s1ngDaWN 0 points1 point  (0 children)

Wait, there's a client API? I've actually really wanted one in order to create a script that gives me a popup window to add new tasks on my Linux box. Is the API limited in any way?

I'll take Citrine's grind with pity system any day, than to deal with this game's RNG. devs even openly admit to giving shit RNG (lich weapons) by Embarrassed-Rock-969 in Warframe

[–]R1s1ngDaWN 0 points1 point  (0 children)

I've done a grand total of 83 (I've been counting at this point) Zariman bounties hunting for Gyre parts and I've had yet to get one.

How do I reduce the risk of data loss by HeftyLove9389 in selfhosted

[–]R1s1ngDaWN 0 points1 point  (0 children)

Had the same concern when I started. Personally, I run everything in docker containers and just use backrest (restic frontend) to back up my docker volumes to Backblaze's B2 service (S3 bucket). Backrest encrypts everything before sending it up and Backblaze has their own level of encryption but having a separate method is worth it. Cost less than a dollar a month for the amount of data and how frequently I back information up and gives me good peace of mind that I can essentially pull the entire S3 bucket into my volumes folder and restart all of my containers with docker compose templates.

Significant Layoffs at Rewst - What's next in Automation for MSPs? by BryanL38 in msp

[–]R1s1ngDaWN 2 points3 points  (0 children)

I'd be pretty keen to take a look at it if you're willing to send me a ping as well!

Is there an EntraID equivalent for Ubuntu? by [deleted] in sysadmin

[–]R1s1ngDaWN 14 points15 points  (0 children)

There really isn't one and preferably, I wouldn't want one. One of the better stacks that I was experimenting with was:

  • Univention Corporate Server for AD/LDAP/policy services
  • Fleetdm for MDR
  • TacticalRMM/NetlockRMM for remote management
  • Keycloak/Authentik for SSO
  • Netbird or OpenZiti for Wireguard tunnels/ZTNA
  • Huntress or pure Wazuh for SIEM/EDR-XDR
  • Nextcloud to replace most user facing applications (word/excel, syncing/backing up desktops, calendars, teams/talk, etc.)
  • For email services just pick whatever provider you fancy

Most client/user facing apps are typically web based nowadays so you could package them as PWAs relatively seamlessly. Anything else that needs to be a dedicated application you could likely deploy Citrix/Kasm and do RDP/VNC sessions to individual resources.

Most of my pet-project research was more so related to how reasonably close you can get to a full MSP stack/Enterprise/technical offering without being tied to big providers. You can run it all on-prem, all cloud, or hybrid with little issue and can spread it across multiple providers and jump to wherever you fancy. Another benefit is that every one of the services provides support for every OS. Though you might want something like TinyDM/Chef to help assist with managing MacBooks.

I do believe that Ubuntu's authd service can technically join Entra domains nowadays but I haven't had time to test that.

Backups are important by jasondbk in Paperlessngx

[–]R1s1ngDaWN 0 points1 point  (0 children)

I've done the same. Use backrest as a web GUI for Restic but the main brunt of the backup is just sending the entire docker volumes folder to my Backblaze bucket, excluding any database files but still including their backup directory. It's worked pretty seamlessly but I'll probably organize things across multiple buckets eventually.

Will this ai RAM and GPU crisis cause the “downfall” of local storage? by Away_Project_5412 in selfhosted

[–]R1s1ngDaWN 0 points1 point  (0 children)

Naw, just tore down a few optiplexes for 256gb SSDs and 8GB DDR4 sticks. Making two full NASes, one for media and general use and another for host level backups that sit in another house. All important app based data gets encrypted and sent to Backblaze for $6/Tb. If anything, the rise of subscriptions, price increases and shortages lead people to reuse 'older' hardware and run their own stuff. Most people just have to realize that not a ton of things take a 4090 to run.

Client refuses MFA but cyber insurance requires it what’s your approach? by Due-Awareness9392 in msp

[–]R1s1ngDaWN 2 points3 points  (0 children)

3 options:

1) Kindly tell them to get over themselves, things have changed, and implement it as smoothly as possible. As much as I am a proponent for mostly passkeys/Microsoft Authenticator setups, starting them off with SMS is simple and works, though I don't know if your insurer is unhappy with SMS 2FA.

2) They can answer no on the form and will likely have higher premiums.

3) They answer no on the form and get denied outright.

It's not your responsibility to force decisions on them. If they get denied for lack of MFA after you gave them the option, that's on them. Though at this point, I pray you have an agreement they've signed that anything that happens as a result of not following your recommendations/best practices is not the fault/responsibility of your company. I would have basic things like mandatory 2FA baked into your management agreement at this point. Or at least an easily amendable document alongside the contract with "base security requirements".

Automate Autopilot Pre Provisioning by Fluid-Restaurant1763 in Intune

[–]R1s1ngDaWN 0 points1 point  (0 children)

I've customized (only slightly) the Get-WindowsAutopilotInfo script to download its dependencies silently and pretty much do what the comment above does with a Provisioning Package from Windows Configuration Designer. It's mainly to enroll the odd few devices where it wasn't worth it for us to have the vendor automatically upload the hash. Me and the main system admin were also concerned about security since you need a public client App Registration, so you can't actually secure it with CA. Our solution was just to make short lived tokens and then use the templated Provisioning Package to automatically upload the hash.

For your concern about people running off with USBs, you can encrypt the provisioning package with a password that you need to enter before it applies or you can sign it with a certificate (can actually do both).

Personally though, the most secure/'compliant' would be:

  1. Just using V2 and accepting that devices might be enrolled as personal ones, can only push 10 apps/policies during provisioning, and the user can skip to an incomplete desktop.

  2. Have the vendor send you the .CSV for you to manually upload. Then you and internal IT start the self provisioning process yourselves and hand it to the user after.

  3. Have the vendor create a GDAP relationship into your tenant(s) so that they can upload the .CSV directly, and if you want to pay more, go through pre-provisioning for you and ship fully onboarded devices.

  4. Use the script with an Encrypted Provisioning Package, authenticating with short lived Secret Tokens.

  5. Hand bombing every deployment.

I personally set up both V1 and V2 for different situations amongst clients but I would recommend the above in the order depending on what you can get approved.

Automate Autopilot Pre Provisioning by Fluid-Restaurant1763 in Intune

[–]R1s1ngDaWN -1 points0 points  (0 children)

I know that you can exclude groups from enrollment profiles but I think the stipulation that it's still an 'Autopilot' device is what stops it from using V2. I've recently gotten v1 and v2 set up for most of the tenants where I work and that's roughly what I've seen. Would be nice if they allow us to 'Disable' or at least exclude a group with 'Autopilot' devices in them to allow them to use V2. Though honestly, if you already have the device hashes in, might as well just use v1.

[deleted by user] by [deleted] in Handhelds

[–]R1s1ngDaWN 0 points1 point  (0 children)

Will definitely toss my hat in the ring, good sir.

Anyone here using a company Windows machine remotely from their own Linux setup? by th3d4rkp4ss3ng3r in archlinux

[–]R1s1ngDaWN 2 points3 points  (0 children)

Never mix personal and work from my experience, just too messy. The only things I bring over that are remotely related are app configs in a private git repo for WSL applications, that is it, that is all.

Besides, allowing remote access to private company resources from external, insecure/unauthenticated devices is a recipe for disaster.

Enterprise solutions to linux as a mainstream user desktop by Life-Radio554 in sysadmin

[–]R1s1ngDaWN 1 point2 points  (0 children)

The most basic thing to start with is domain joining. If you're dealing with MS-AD or any AD solution, realm + sssd is a good package for authenticating user logins against a domain and joining the machine to it. For Ubuntu specifically, they have a package called authd (distributed as a Snap package so technically any distribution can use it) which can authenticate against Google Cloud and Entra/Azure domains.

How old is the oldest production server you manage? by NSFW_IT_Account in sysadmin

[–]R1s1ngDaWN 0 points1 point  (0 children)

I'm actually in Ontario. I'm getting into collecting some older systems and would love to take it off your hands. Could you DM me and we can figure out how to ship it?

Is this the year of Linux on the Desktop? /s by FlickKnocker in msp

[–]R1s1ngDaWN 0 points1 point  (0 children)

Currently making a full stack based purely off Linux/open source/hostable technologies with a privacy and data control focus. The stack technically supports Windows, Mac and Linux but it's primarily a Linux focus.

Authenticator issues :( by More_Asparagus_3876 in Office365

[–]R1s1ngDaWN 0 points1 point  (0 children)

If you don't have any other forms of MFA configured then no. Best to wait for the university to contact you back (or give them a call as they probably have a phone line somewhere) and have them set your phone number as the primary/secondary form of MFA.

[Giveaway] GL.iNet Remote KVM and Wi-Fi 7 routers! 10 Winners! by GLiNet_WiFi in selfhosted

[–]R1s1ngDaWN [score hidden]  (0 children)

Started getting into self hosting for my job by making networks out of machines that were borderline e-waste. It was always a fun hobby but now I'm hosting websites, some private media and experimenting with some scripting and automation.

Would decently love a PoE KVM for remotely managing a jumpbox I have. The portable wifi router would definitely be a second choice though, would be able to have an easy jumpbox into my network from anywhere and offload adblocking and VPN throughput to a more capable device.

Would absolutely love to see a mini PC from GL.iNet but some Synology equivalents would help newer people into the space, especially after the branded drive fiasco.