@ploegert
Last active January 20, 2026 21:45
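# Install curl and gpg (gpg de-armors the repository key below)
sudo apt install curl gpg

# Resolve the release number and codename once; every sources entry below uses them.
ubuntu_release=$(lsb_release -rs)
ubuntu_codename=$(lsb_release -cs)

# Install Microsoft's public key for production packages.
# -f makes curl fail on an HTTP error instead of handing an error page to gpg.
curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
# Print the downloaded key so its fingerprint can be compared with the one
# Microsoft publishes before the key is trusted system-wide.
gpg --show-keys microsoft.gpg
sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings
rm microsoft.gpg

# Install the production packages repo.
# The file is written with tee (overwrite) rather than appended, so re-running
# these steps does not leave duplicate "deb" lines behind; only the write
# itself runs as root.
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/${ubuntu_release}/prod ${ubuntu_codename} main" \
  | sudo tee "/etc/apt/sources.list.d/microsoft-ubuntu-${ubuntu_codename}-prod.list" > /dev/null

# Install Signing Key for insiders-fast
# NOTE(review): Release.gpg is normally the detached signature over the suite's
# Release file, not a public key, and every sources entry in this file points
# signed-by at microsoft.gpg, so apt never consults fast-insiders.gpg. The
# release (24.04) is also hard-coded here, unlike the entries that use
# lsb_release. Confirm whether this step is needed at all.
curl -fsSL https://packages.microsoft.com/ubuntu/24.04/prod/dists/insiders-fast/Release.gpg | gpg --dearmor > fast-insiders.gpg
sudo install -o root -g root -m 644 fast-insiders.gpg /usr/share/keyrings
rm fast-insiders.gpg

# Install the insiders-fast package repo.
# NOTE(review): insiders-fast is a pre-release channel; with both it and the
# production suite enabled, apt will presumably prefer the newer insiders
# builds. Skip this entry on machines that should track production only.
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/${ubuntu_release}/prod insiders-fast main" \
  | sudo tee "/etc/apt/sources.list.d/microsoft-ubuntu-${ubuntu_codename}-insiders-fast.list" > /dev/null

# Install Edge's stable channel repo
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/edge stable main" \
  | sudo tee "/etc/apt/sources.list.d/microsoft-ubuntu-${ubuntu_codename}-edge-stable.list" > /dev/null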
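## Configure Smart Card Provider (YubiKey)
# pcscd + yubikey-manager talk to the token; opensc supplies the PKCS#11
# module and libnss3-tools supplies modutil.
sudo apt install pcscd yubikey-manager opensc libnss3-tools openssl

# Per-user NSS database. Quoted so a home directory containing spaces or glob
# characters cannot split the path.
nssdb="$HOME/.pki/nssdb"
mkdir -p "$nssdb"
# Keep the database private to the user.
chmod 700 "$HOME/.pki" "$nssdb"

# -force suppresses modutil's interactive confirmation prompts.
modutil -force -create -dbdir "sql:$nssdb"
# Register the OpenSC PKCS#11 module. Every application that opens this NSS
# database loads the library named here, so keep -libfile pointing at the
# root-owned file installed by the opensc package, never at a user-writable copy.
modutil -force -dbdir "sql:$nssdb" -add 'SC Module' -libfile /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so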
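# =================================================
# Product install
# Refresh the package index so the repositories added above are visible to apt.
sudo apt update

# Install Edge and Intune
sudo apt install microsoft-edge-stable intune-portal

# Instead of restarting the machine like Intune asks, reload the per-user
# systemd manager. daemon-reload only re-reads unit files; it does not restart
# services that are already running.
# NOTE(review): if Intune still asks for a restart, the user services it
# installed probably need a restart or a fresh login; confirm which units.
systemctl --user daemon-reload

# List installed packages & versions (a read-only query, so no sudo needed)
dpkg -l microsoft-identity-broker intune-portal microsoft-edge-stable azure-cli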
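# =======================================================
# To support PRMFA (CBA/YubiKey with a PIV), Install Smart Card drivers
# These are the same steps as the "Configure Smart Card Provider (YubiKey)"
# section earlier in this file.
# NOTE(review): if that section already ran, the database and the
# 'SC Module' entry already exist; confirm how modutil handles a repeat run.

# Set up YubiKey
sudo apt install pcscd yubikey-manager

# Yubikey/Edge Bridge
sudo apt install opensc libnss3-tools openssl

# Per-user NSS database, private to the user. All expansions are quoted so an
# unusual home directory path cannot be word-split.
mkdir -p "$HOME/.pki/nssdb"
chmod 700 "$HOME/.pki"
chmod 700 "$HOME/.pki/nssdb"

# -force suppresses modutil's interactive confirmation prompts.
modutil -force -create -dbdir "sql:$HOME/.pki/nssdb"
# The library registered here is loaded by every application that opens this
# NSS database; keep it pointing at the packaged, root-owned OpenSC module.
modutil -force -dbdir "sql:$HOME/.pki/nssdb" -add 'SC Module' -libfile /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so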
# ===================================================
# Manual - PWQuality steps
# Intune checks the pam_pwquality configuration for enforcement. Install libpam-pwquality, then make sure that password requirements meet the policy:
#sudo apt install libpam-pwquality
# check that the pam_pwquality line in /etc/pam.d/common-password contains at least the required settings:
#password requisite pam_pwquality.so retry=3 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1 minlen=12
#sudo nano /etc/pam.d/common-password
#password requisite pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
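## Script to enable pwquality (Debian/Ubuntu via apt, Fedora/RHEL via dnf)
#!/bin/bash
# Enforce Intune password compliance policy via PAM pwquality
# Requirements:
# - At least 12 characters
# - At least 1 digit
# - At least 1 lowercase letter
# - At least 1 uppercase letter
# - At least 1 symbol
#
# Intune checks /etc/pam.d/common-password (Ubuntu-style) for compliance.
# See: https://github.com/recolic/microsoft-intune-archlinux/issues/2
#
# On Debian/Ubuntu that file already exists and holds the whole password
# stack (pam_unix and the other modules). It is therefore backed up and edited
# in place, never overwritten: replacing it with a single pam_pwquality line
# would drop the modules that actually store the new password. Where the file
# does not exist it is created with the one pam_pwquality rule.
#
# pam_pwquality is evaluated when a password is changed; existing passwords
# are not re-checked by this script.
set -euo pipefail

COMMON_PASSWORD="/etc/pam.d/common-password"
PWQUALITY_ARGS="retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1"
PWQUALITY_RULE="password required pam_pwquality.so ${PWQUALITY_ARGS}"

echo "Enforcing Intune password compliance policy..."

# Install the pam_pwquality module with whichever package manager the host has.
if command -v apt-get > /dev/null 2>&1; then
  if ! dpkg -s libpam-pwquality &> /dev/null; then
    echo "Installing libpam-pwquality..."
    sudo apt-get install -y libpam-pwquality
  fi
elif command -v dnf > /dev/null 2>&1; then
  if ! rpm -q libpwquality &> /dev/null; then
    echo "Installing libpwquality..."
    sudo dnf install -y libpwquality
  fi
else
  echo "No supported package manager found (need apt-get or dnf)" >&2
  exit 1
fi

if [[ -e "$COMMON_PASSWORD" ]]; then
  # Existing stack: keep a timestamped copy so the change can be rolled back.
  backup="${COMMON_PASSWORD}.bak.$(date +%Y%m%d%H%M%S)"
  echo "Backing up $COMMON_PASSWORD to $backup..."
  sudo cp -p -- "$COMMON_PASSWORD" "$backup"

  # Build the new content in a private temp file, then install it in one step.
  staged=$(mktemp)
  trap 'rm -f -- "$staged"' EXIT

  echo "Updating $COMMON_PASSWORD..."
  if grep -Eq '^password[ \t].*pam_pwquality\.so' "$COMMON_PASSWORD"; then
    # A pam_pwquality rule is already present: keep its control field and
    # position, and replace only its arguments.
    awk -v args="$PWQUALITY_ARGS" '
      /^password[ \t].*pam_pwquality\.so/ {
        sub(/pam_pwquality\.so.*$/, "pam_pwquality.so " args)
      }
      { print }
    ' "$COMMON_PASSWORD" > "$staged"
  else
    # No rule yet: insert it ahead of the first password rule so the quality
    # check runs before the module that stores the password.
    awk -v rule="$PWQUALITY_RULE" '
      !done && /^password[ \t]/ { print rule; done = 1 }
      { print }
      END { if (!done) print rule }
    ' "$COMMON_PASSWORD" > "$staged"
  fi
  sudo install -o root -g root -m 644 -- "$staged" "$COMMON_PASSWORD"
  # NOTE(review): on Debian/Ubuntu this file is managed by pam-auth-update,
  # which may ask to regenerate it later; re-check the rule after PAM updates.
else
  # Create /etc/pam.d/common-password (Intune checks this file specifically)
  echo "Creating $COMMON_PASSWORD..."
  sudo tee "$COMMON_PASSWORD" > /dev/null <<'EOF'
# Intune compliance password policy
# minlen=12, dcredit=-1 (1 digit), ucredit=-1 (1 uppercase),
# lcredit=-1 (1 lowercase), ocredit=-1 (1 symbol)
password required pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
EOF
fi

echo ""
echo "Password policy applied to $COMMON_PASSWORD"
echo ""
echo "Policy summary:"
echo " - Minimum length: 12 characters"
echo " - Minimum digits: 1"
echo " - Minimum lowercase: 1"
echo " - Minimum uppercase: 1"
echo " - Minimum symbols: 1"
echo ""
echo "Refresh intune-portal to check compliance."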