Microsoft Intune in an isolated, rootless Linux container — headless by default, with seamless Entra ID SSO in your host browser.
📖 Documentation · Quickstart · Architecture · Roadmap
Intune's Linux agent and the Microsoft identity broker are desktop apps that
make broad changes to a host. intune-container runs them in a dedicated,
rootless container — built from unprivileged user namespaces, with no host
root and no sudo — so your host stays clean. A tiny native-messaging bridge
then lets your everyday browser use the container's enrollment to sign in to
Teams, Outlook, and other M365 apps. Works on any Wayland compositor (niri,
Hyprland, Sway, GNOME, KDE) and X11.
Install the latest AppImage to ~/.local/bin:
curl -fsSL https://raw.githubusercontent.com/magicabdel/intune-container/master/install.sh | shPrefer a package or building yourself? Grab the .deb/.rpm from the
releases, or
build from source (needs Rust, Node.js + npm, and WebKitGTK/GTK):
just install # builds + installs `intune-container` (GUI + CLI in one binary)Run it with no subcommand to open the graphical interface (the default) and click Enroll this device. Set-up, the portal, Edge, browser SSO, live health and backups are all there; closing the window keeps it running in your tray:
intune-container # opens the GUIThe same binary is the command-line tool when given a subcommand:
intune-container enroll # set up + enroll your device (opens the portal)
intune-container start # (optional) run headless + seamless Teams/M365 SSODaily CLI use: edge · status · doctor · stop. Full walkthrough in the
Quickstart.
The default container image is publicly hosted and ready to go (it already includes everything for headless SSO) — there's nothing to build, and no container engine is needed: the image is pulled with a built-in OCI client.
Requirements: a Linux host with unprivileged user namespaces enabled, a
/etc/subuid+/etc/subgidrange for your user,newuidmap/newgidmap(theuidmap/shadowpackage), and cgroup v2. Nosudo,systemd-nspawn,machinectl,nsenter, Docker, or Podman. Building from source needs Rust +just, and Node.js + npm — the interface is a TypeScript / React / Emotion app (infrontend/) that Tauri bundles into the binary at compile time. At runtime the GUI needs WebKitGTK 4.1, and — for the system tray —libayatana-appindicator(libappindicator-gtk3on some distros); without it the GUI still runs as a plain window (no tray).
A tray-resident Tauri desktop app. The Console shows the container's state,
the few actions you actually use (start/stop, open the portal, open Edge), the
signed-in identity, and live health checks — the same data doctor and
sso-test report. Other tabs give you an in-app Shell (a real terminal
inside the container), Backup/restore, Logs, and Destroy. From the
tray: single-click for a quick panel, double-click for the full window, and a
status-tinted icon that tracks the container (grey = stopped, teal = running,
amber = display attached).
The preview above is an illustrative render with placeholder data — the real interface shows your own status and account.
A single crate produces a single intune-container binary that is both the
graphical interface (default) and the command-line tool:
| Part | Role |
|---|---|
src/lib.rs (library) |
All logic — container lifecycle, enroll, SSO, backups, health checks — exposed as Rust functions in ops. |
src/runtime.rs |
The rootless runtime: user namespaces, setns, a delegated cgroup scope, pivot_root — no host root. |
src/main.rs (binary) |
clap dispatch: no subcommand → GUI; any subcommand → CLI. |
src/gui.rs |
The Tauri shell: window, tray, and typed commands that call ops. |
frontend/ |
The interface itself — TypeScript + React + Emotion (Vite), bundled into the binary. |
Both the GUI and CLI call the same ops functions in-process — neither
shells out, and neither needs elevated privilege.
- Rootless — boots the container's
systemdinside an unprivileged user namespace; no host root, nosudo, nosystemd-nspawn/machinectl/nsenter. - Headless by default — no window into your screen; the real display is forwarded only for the interactive portal and Edge flows.
- Seamless host-browser SSO — Teams/Outlook/M365 sign in automatically via the container's enrollment (no Python, no proxy daemon, no host bus).
- Compositor-agnostic — auto-detects Wayland, abstract X11, and Xauthority; no hardcoded socket names.
- One-command enroll — provision, boot, and open the portal in one step.
- Enrollment backup/restore — survive container rebuilds without re-enrolling.
- Microsoft Edge in the container, with display/GPU passthrough during GUI sessions.
- Live health checks (
doctor) — registration, container, network, broker, keyring, and the compliance agent, surfaced right in the interface. - Graphical interface (default) — a tray-resident Tauri app: Console, in-app Shell, Backup/restore, Logs, and Destroy tabs, with a status-tinted tray icon and quick actions. Closing the window keeps it in the tray.
- One binary, two faces — a single
intune-containerexecutable is both the GUI (no subcommand) and the CLI (any subcommand), sharing one library.
- Private network namespace — the container currently shares the host network; a private netns with userspace egress (and LAN/localhost blocked) would close the main isolation gap (see the Roadmap).
- Live display attach — attach the host display to an already-running headless container without a restart.
| Compositor | Status | Notes |
|---|---|---|
| Niri | ✅ | Abstract X11 sockets auto-detected |
| Hyprland | ✅ | Standard XWayland |
| Sway | ✅ | Standard XWayland |
| GNOME | ✅ | Mutter Xauthority auto-detected |
| KDE | ✅ | Standard Xauthority |
This project stands on the shoulders of two excellent projects:
- frostyard/intuneme — the original
systemd-nspawn-based Intune manager that inspired this container approach (and the base OCI image). - siemens/linux-entra-sso — the browser extension and native-messaging protocol that make host SSO work; this project ships a compatible native-messaging host. Install the extension from its releases.
This is a personal, educational tool for running Microsoft Intune in an isolated container — for example, to keep corporate device management off your personal Linux machine. It is not intended to bypass, defeat, or misrepresent your organization's device-management or compliance controls, and it does not modify or weaken Intune or Entra ID themselves.
You are responsible for using it in line with your employer's acceptable-use and security policies and your Microsoft licensing terms. If you're unsure whether this is permitted in your environment, check with your IT/security team first. Provided as-is, with no warranty.
Source is MIT. It automates Microsoft proprietary software
(intune-portal, microsoft-edge, the identity broker) and integrates with
linux-entra-sso (MPL-2.0); those have their own terms and require a valid
Intune / Microsoft 365 subscription.
