Merge pull request #6782 from MicrosoftDocs/main

v-dihans · web-flow · commit f4e8ad392fca · 2022-02-11T11:45:09.000-07:00
Publish 02/11/2022, 10:30 AM
diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md
@@ -7,7 +7,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 02/07/2022
+ms.date: 02/11/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: fundamentals
@@ -62,6 +62,16 @@ You can use RSS to be notified when this page is updated. For more information,
 
 ## Week of February 7, 2022
 
+### Device security
+
+#### Microsoft Tunnel support for Red Hat Enterprise Linux 8.5<!-- 13182253  -->
+
+You can now use Red Hat Enterprise Linux (RHEL) 8.5 with [Microsoft Tunnel](../protect/microsoft-tunnel-overview.md).
+
+To support RHEL 8.5, we’ve also updated the [readiness tool](../protect/microsoft-tunnel-prerequisites.md#run-the-readiness-tool) (mst-readiness) with a new check for the presence of the ip_tables module in the Linux kernel. By default, RHEL 8.5 doesn’t load the ip_tables module.
+
+For Linux servers that don't load the module, we've provided [instructions](../protect/microsoft-tunnel-prerequisites.md#manually-load-ip_tables) to load them immediately, and to configure the Linux server to automatically load them at boot.
+
 ### App management
 
 #### Advanced logging setting in Company Portal app<!-- 12859998  -->
diff --git a/memdocs/intune/protect/microsoft-tunnel-configure.md b/memdocs/intune/protect/microsoft-tunnel-configure.md
@@ -168,7 +168,7 @@ Before installing Microsoft Tunnel Gateway on a Linux server, configure your ten
 
 7. After the installation script finishes, you can navigate in Microsoft Endpoint Manager admin center to the **Microsoft Tunnel Gateway** tab to view high-level status for the tunnel. You can also open the **Health status** tab to confirm that the server is online.
 
-8. If you’re using RHEL 8.4, be sure to restart the Tunnel Gateway server by entering `mst-cli server restart` before you attempt to connect clients to it.
+8. If you’re using RHEL 8.4 or 8.5, be sure to restart the Tunnel Gateway server by entering `mst-cli server restart` before you attempt to connect clients to it.
 
 ## Deploy the Microsoft Tunnel client app
 
diff --git a/memdocs/intune/protect/microsoft-tunnel-overview.md b/memdocs/intune/protect/microsoft-tunnel-overview.md
@@ -102,7 +102,7 @@ The Microsoft Tunnel Gateway runs in containers that run on Linux servers.
 **Components**:  
 - **A** – Microsoft Intune.
 - **B**- Azure Active Directory (AD).
-- **C** – Linux server with Podman (Red Hat Enterprise Linux 8.4) or Docker CE (all other Linux distributions).
+- **C** – Linux server with Podman or Docker CE (See the [Linux server](../protect/microsoft-tunnel-prerequisites.md#linux-server) requirements for details about which versions require Podman or Docker) 
   - **C.1** - Microsoft Tunnel Gateway.
   - **C.2** – Management Agent.
   - **C.3** – Authentication plugin – Authorization plugin, which authenticates with Azure AD.
diff --git a/memdocs/intune/protect/microsoft-tunnel-prerequisites.md b/memdocs/intune/protect/microsoft-tunnel-prerequisites.md
@@ -5,7 +5,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 01/28/2022
+ms.date: 02/11/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -34,7 +34,7 @@ At a high level, you’ll need the following to use the Microsoft Tunnel:
 - An Azure subscription.
 - An Intune subscription.
 - A Linux server that runs containers. This server can be on-premises or in the cloud:
-  - Podman for Red Hat Enterprise Linux (RHEL) 8.4
+  - Podman for Red Hat Enterprise Linux (RHEL) 8.4 and 8.5  (See the [Linux server](#linux-server) requirements.)
   - Docker for all other Linux distributions
 - A Transport Layer Security (TLS) certificate for the Linux server to secure connections from devices to the Tunnel Gateway server.
 - Devices that run Android or iOS/iPadOS.
@@ -49,13 +49,17 @@ The following sections detail the prerequisites for the Microsoft Tunnel, and pr
 
 Set up a Linux based virtual machine or a physical server on which Microsoft Tunnel Gateway will install.
 
-- **Linux distribution** - The following are supported:
+- **Supported Linux distributions** - The following table details which versions of Linux are supported for the Tunnel server, and the container they require: 
+  
+  |Distributon version    | Container requirements   | Considerations     |
+  |-----------------------|--------------------------|--------------------|
+  | CentOS 7.4+           | Docker CE                | CentOS 8+ isn’t supported |
+  | Red Hat (RHEL) 7.4+   | Docker CE                |                    |
+  | Red Hat (RHEL) 8.4    | Podman 3.0               |                    |
+  | Red Hat (RHEL) 8.5    | Podman 3.0               | This version of RHEL doesn't automatically load the *ip_tables* module into the Linux kernel. When you use this version, plan to [manually load the ip_tables](#manually-load-ip_tables) before Tunnel is installed.|
+  | Ubuntu 18.04           | Docker CE               |                    |
+  | Ubuntu 20.04           | Docker CE               |                    |
 
-  - CentOS 7.4+(CentOS 8+ isn’t supported)
-  - Red Hat (RHEL) 7.4+
-  - Red Hat (RHEL) 8.4
-  - Ubuntu 18.04
-  - Ubuntu 20.04
 
 - **Size the Linux server**: Use the following guidance to meet your expected use:
 
@@ -72,17 +76,21 @@ Set up a Linux based virtual machine or a physical server on which Microsoft Tun
 
 - **CPU**: 64-bit AMD/Intel processor.
 
-- **Install Docker CE or Podman**: Install Podman version 3.0 on RHEL 8.4. For all other versions of RHEL or other Linux distributions, install Docker version 19.03 CE or later.
-  Microsoft Tunnel requires Docker (or Podman on RHEL 8.4) on the Linux server to provide support for containers. Containers provide a consistent execution environment, health monitoring and proactive remediation, and a clean upgrade experience.
+- **Install Docker CE or Podman**: Depending on the version of Linux you use for your Tunnel server, you'll need to install one of the following on the Linux server:
+  - Docker version 19.03 CE or later
+  - Podman version 3.0
+  
+
+  Microsoft Tunnel requires Docker or Podman on the Linux server to provide support for containers. Containers provide a consistent execution environment, health monitoring and proactive remediation, and a clean upgrade experience.
 
   For information about installing and configuring Docker or Podman, see:
 
   - [Install Docker Engine on CentOS or Red Hat Enterprise Linux 7]( https://docs.docker.com/engine/install/centos/)
     > [!NOTE]
-    > The preceding link directs you to the CentOS download and installation instructions. Use those same instructions for RHEL 7. The version installed on RHEL 7 by default is too old to support Microsoft Tunnel Gateway. Red Hat Enterprise Linux 8 does not support Docker. For RHEL 8.4, install and use Podman instead.
+    > The preceding link directs you to the CentOS download and installation instructions. Use those same instructions for RHEL 7.4. The version installed on RHEL 7.4 by default is too old to support Microsoft Tunnel Gateway.
   - [Install Docker Engine on Ubuntu](https://docs.docker.com/engine/install/ubuntu/)
-  - [Install Podman on Red Hat Enterprise Linux 8.4 (scroll down to RHEL8)](https://podman.io/getting-started/installation).  
-    Podman is the container solution used on RHEL 8.4, and *podman* is part of a module called "container-tools". In this context, a module is a set of RPM packages that represent a component and are usually installed together. A typical module contains packages with an application, packages with the application-specific dependency libraries, packages
+  - [Install Podman on Red Hat Enterprise Linux 8.4 and 8.5 (scroll down to RHEL8)](https://podman.io/getting-started/installation)  
+    These versions of RHEL don't support Docker. Instead, these versions use Podman, and *podman* is part of a module called "container-tools". In this context, a module is a set of RPM packages that represent a component and are usually installed together. A typical module contains packages with an application, packages with the application-specific dependency libraries, packages
 with documentation for the application, and packages with helper utilities. For more information, see [Introduction to modules](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_managing_and_removing_user-space_components/introduction-to-modules_using-appstream) in the Red Hat documentation.
 
 - **Transport Layer Security (TLS) certificate**: The Linux server requires a trusted TLS certificate to secure the connection between devices and the Tunnel Gateway server. You’ll add the TLS certificate, including the full trusted certificate chain, to the server during installation of the Tunnel Gateway.
@@ -184,7 +192,7 @@ You can use a proxy server with Microsoft Tunnel. The following considerations c
 
 ### Configure an outbound proxy for Podman
 
-The following details can help you configure an internal proxy when using RHEL 8.4, and Podman:
+The following details can help you configure an internal proxy when using Podmam:
 
 - Authenticated proxies aren't supported.
 
@@ -296,19 +304,22 @@ The Microsoft Tunnel Gateway permissions group grants the following permissions:
 
 ## Run the readiness tool
 
-Before you start a server install, we recommend you download and run the **mst-readiness** tool. The tool is a script that runs on your Linux server and does the following actions:
+Before you start a server install, we recommend you download and run the most recent version of the **mst-readiness** tool. The tool is a script that runs on your Linux server and does the following actions:
 
-- Confirms that your network configuration allows Microsoft Tunnel to access the required Microsoft endpoints.  
 - Validates that the Azure Active Directory (Azure AD) account you use to install Microsoft Tunnel has the required roles to complete enrollment.
 
+- Confirms that your network configuration allows Microsoft Tunnel to access the required Microsoft endpoints.
+
+- Checks for the presence of the ip_tables module on the Linux server. This check was added to the script on February 11 2022, when support for RHEL 8.5 was added. RHEL 8.5 doesn’t load the ip_tables module by default. If they are missing after the Linux server installs, you must [manually load the ip_tables module](#manually-load-ip_tables).
+
 > [!IMPORTANT]
 > The readiness tool doesn't validate inbound ports, which is a common misconfiguration. After the readiness tool runs, review the [firewall prerequisites](#firewall) and manually validate your firewalls pass inbound traffic.
 
 The mst-readiness tool has a dependency on **jq**, a command-line JSON processor. Before you run the readiness tool, ensure **jq** is installed. For information about how to get and install **jq**, see the documentation for the version of Linux that you use.
 
 To use the readiness tool:
 
-1. Get the readiness tool by using one of the following methods:
+1. Get the most recent version of the readiness tool by using one of the following methods:
    - Download the tool directly by using a web browser.  Go to https://aka.ms/microsofttunnelready to download a file named **mst-readiness**.
    - Sign in to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Tenant administration** > **Microsoft Tunnel Gateway**, select the **Servers** tab, select **Create** to open the *Create a server* pane, and then select **Download readiness tool**.  
    - Use a Linux command to get the readiness tool directly. For example, you can use **wget** or **curl** to open the link https://aka.ms/microsofttunnelready.
@@ -333,6 +344,28 @@ To use the readiness tool:
 
 For more information about this tool, see [Reference for mst-cli](../protect/microsoft-tunnel-reference.md#mst-cli-command-line-tool-for-microsoft-tunnel-gateway) in the reference article for Microsoft Tunnel article.
 
+### Manually load ip_tables
+
+While most Linux distributions automatically load the ip_tables module, some distributions might not. For example, REHL 8.5 doesn't load the ip_tables by default.
+
+To check for the presence of this module, run the most recent version of mst-readiness tool on the Linux server. The check for ip_tables was added to the readiness tools script on February 11 2022.
+
+If the module isn’t present, the tool stops on the ip_tables module check. In this scenario, you can run the following commands to manually load the module.
+
+**Manually load the ip_tables module**:
+
+In the context of sudo, run the following commands on your Linux server:
+
+1. Validate the presence of ip_tables on the server: `lsmod |grep ip_tables`
+
+2. If ip_tables isn't present, run the following to load the module into the kernel immediately, without a restart: `/sbin/modprobe ip_tables`
+
+3. Rerun the validation to confirm the tables are now loaded: `lsmod |grep ip_tables`
+
+**Configure Linux to load ip_tables at boot**:
+
+In the context of sudo, run the following command on your Linux server to create a config file that will load the ip_tables into kernel during boot time: `echo ip_tables > /etc/modules-load.d/mstunnel_iptables.conf`
+
 ## Next steps
 
 [Configure Microsoft Tunnel](microsoft-tunnel-configure.md)
diff --git a/memdocs/intune/protect/microsoft-tunnel-reference.md b/memdocs/intune/protect/microsoft-tunnel-reference.md
@@ -5,7 +5,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 10/19/2021
+ms.date: 02/11/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -202,7 +202,7 @@ Following are environment variables you might want to configure when you install
 The following are common commands for Docker that can be of use if you must investigate problems on a tunnel server.
 
 > [!NOTE]
-> Most Linux distributions use Docker. However, *Red Hat Enterprise Linux (RHEL) 8.4* are not supported to use Docker. Instead, RHEL 8.4 use Podman.
+> Most Linux distributions use Docker. However, some like *Red Hat Enterprise Linux (RHEL) 8.4* do not support Docker. Instead, these distributions use Podman. See [Linxu servers](../protect/microsoft-tunnel-prerequisites.md#linux-server) in the prerequisites for more details about supported distributions and the Docker or Podman requirements of each.
 >
 > The references and command lines that are written for Docker can be used with Podman by replacing *docker* with *podman*.
 
@@ -246,3 +246,13 @@ The following are common Linux commands you might use with a tunnel server.
 - `curl <URL>` – Checks access to a website. For example: `curl https://microsoft.com`
 
 - `./<filename>` -  Run a script.
+
+### Manually load ip_tables
+
+Use the following commands to check for, and manually load if necessary, ip_tables in the Linux server kernel. Use the sudo context:
+
+- Validate the presence of ip_tables on the server: `lsmod |grep ip_tables`
+
+- Create a config file that will load the ip_tables into kernel when the server boots: `echo ip_tables > /etc/modules-load.d/mstunnel_iptables.conf`
+
+- To load ip_tables into the kernel immediately: `/sbin/modprobe ip_tables`
diff --git a/memdocs/intune/protect/microsoft-tunnel-upgrade.md b/memdocs/intune/protect/microsoft-tunnel-upgrade.md
@@ -5,7 +5,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 04/26/2021
+ms.date: 02/11/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -155,6 +155,10 @@ Image hash values:
 Changes in this release:
 
 - Minor bug fixes
+- A new version of the *mst-readiness* tool is available for download. We recommend using the updated script, which now checks the Linux server build for the presence of the *ip_tables* module. While most Linux distributions load this module be default, some versions, like RHEL 8.5, do not.
+
+  For more information including where to download the tool, see [Run the readiness tool](../protect/Microsoft-tunnel-prerequisites.md#run-the-readiness-tool).  
+
 
 
 ### October 25, 2021
@@ -169,7 +173,7 @@ Changes in this release:
 
 - Added ability to get a client network trace
 - Added ability to enabled resource access tracking
-- Added support for Podman when using Red Hat Enterprise Linux 8.4
+- Added support for Podman when using [some versions](../protect/microsoft-tunnel-prerequisites.md#linux-server) of Red Hat Enterprise Linux
 - Minor bug fixes
 
 ### September 7, 2021
diff --git a/memdocs/intune/protect/quickstart-set-password-length-android.md b/memdocs/intune/protect/quickstart-set-password-length-android.md
@@ -1,14 +1,14 @@
 ---
 # required metadata
 
-title: Quickstart - Password compliance policy for Android devices
+title: Quickstart - Password compliance policy for Android Enterprise devices
 titleSuffix: Microsoft Intune
-description: In this quickstart, you will use Microsoft Intune to set the length of the password required for Android devices.
+description: In this quickstart, you will use Microsoft Intune to set the length of the password required for Android Enterprise devices.
 keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 12/16/2021
+ms.date: 02/11/2022
 ms.topic: quickstart
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -31,9 +31,9 @@ ms.collection:
 ms.custom: intune-azure
 ---
 
-# Quickstart: Create a password compliance policy for Android devices
+# Quickstart: Create a password compliance policy for Android Enterprise devices
 
-In this quickstart, you'll use Microsoft Intune to require your workforce's Android users to enter a password of a specific length before access is granted to information on their Android devices.
+In this quickstart, you'll use Microsoft Intune to require your workforce's Android users to enter a password of a specific length before access is granted to information on their Android Enterprise devices.
 
 An Intune device compliance policy specifies the rules and settings that devices must meet to be considered compliant. You can use compliance policies with Conditional Access to allow or block access to company resources. You can also get device reports and take actions for non-compliance.
 
@@ -48,7 +48,7 @@ Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.co
 
 ## Create a device compliance policy
 
-Create a device compliance policy to require your workforce's Android users to enter a password of a specific length before access is granted to information on their Android devices.
+Create a device compliance policy to require your workforce's Android users to enter a password of a specific length before access is granted to information on their Android Enterprise devices.
 
 1. Sign in to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Compliance Policies** > **Create Policy**.
 
@@ -76,7 +76,7 @@ When no longer needed, delete the policy. To do so, select the compliance policy
 
 ## Next steps
 
-In this quickstart, you used Intune to create a compliance policy for your workforce's Android devices to require a password of at least six characters in length. For more information about creating compliance policies, see [Get started with device compliance policies in Intune](device-compliance-get-started.md).
+In this quickstart, you used Intune to create a compliance policy for your workforce's Android Enterprise devices to require a password of at least six characters in length. For more information about creating compliance policies, see [Get started with device compliance policies in Intune](device-compliance-get-started.md).
 
 To follow this series of Intune quickstarts, continue to the next quickstart.
 
