Merge pull request microsoft#4727 from FabienTschanz/fix/app-configur…
…ation-device

Fix App Configuration Device Assignments and MOF Compilation
NikCharlebois authored Jun 5, 2024
2 parents 2710258 + 535cf70 commit ed4a690
Showing 6 changed files with 142 additions and 65 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -4,10 +4,14 @@

* AADEntitlementManagementRoleAssignment
* Initial Release.
* IntuneAppConfigurationDevicePolicy
* Add assignment group display name and fix compilation
FIXES [#4724](https://github.com/microsoft/Microsoft365DSC/issues/4724)
* M365DSCResourceGenerator
* Add support for generating Intune settings catalog policies
* M365DSCDRGUtil
* Add multiple commands for Intune policies that use the settings catalog
* Improve comparison of Intune assignments in `Compare-M365DSCIntunePolicyAssignment`

# 1.24.529.1

@@ -180,6 +180,26 @@ function Get-TargetResource
}
#endregion

$platform = 'android'
if ($null -ne $getValue.AdditionalProperties.encodedSettingXml -or $null -ne $getValue.AdditionalProperties.settings)
{
$platform = 'ios'
}

$targetedApps = @()
foreach ($targetedApp in $getValue.TargetedMobileApps)
{
$app = Get-MgBetaDeviceAppManagementMobileApp -MobileAppId $targetedApp
if ($platform -eq 'android')
{
$targetedApps += $app.AdditionalProperties.packageId
}
else
{
$targetedApps += $app.AdditionalProperties.bundleId
}
}

$results = @{
#region resource generator code
ConnectedAppsEnabled = $getValue.AdditionalProperties.connectedAppsEnabled
@@ -192,7 +212,7 @@ function Get-TargetResource
Description = $getValue.Description
DisplayName = $getValue.DisplayName
RoleScopeTagIds = $getValue.RoleScopeTagIds
TargetedMobileApps = $getValue.TargetedMobileApps
TargetedMobileApps = $targetedApps
Id = $getValue.Id
Ensure = 'Present'
Credential = $Credential
@@ -204,17 +224,11 @@ function Get-TargetResource
#endregion
}
$assignmentsValues = Get-MgBetaDeviceAppManagementMobileAppConfigurationAssignment -ManagedDeviceMobileAppConfigurationId $Id

$assignmentResult = @()
foreach ($assignmentEntry in $AssignmentsValues)
if ($assignmentsValues.Count -gt 0)
{
$assignmentValue = @{
dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type'
deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType)
{$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()})
deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId
groupId = $assignmentEntry.Target.AdditionalProperties.groupId
}
$assignmentResult += $assignmentValue
$assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true
}
$results.Add('Assignments', $assignmentResult)

@@ -348,6 +362,23 @@ function Set-TargetResource
$platform = 'ios'
}

$mobileApps = Get-MgBetaDeviceAppManagementMobileApp -All
$targetedApps = @()
foreach ($targetedApp in $TargetedMobileApps)
{
$app = $mobileApps | Where-Object -FilterScript {
($platform -eq 'android' -and $_.AdditionalProperties.packageId -eq $targetedApp -and $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.androidManagedStoreApp') -or `
($platform -eq 'ios' -and $_.AdditionalProperties.bundleId -eq $targetedApp)
}

if ($null -eq $app)
{
throw "Could not find a mobile app with packageId or bundleId {$targetedApp}"
}
$targetedApps += $app.Id
}
$BoundParameters.TargetedMobileApps = $targetedApps

if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
Write-Verbose -Message "Creating an Intune App Configuration Device Policy with DisplayName {$DisplayName}"
@@ -382,9 +413,10 @@ function Set-TargetResource
$assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment
}

if ($policy.id)
if ($policy.Id)
{
Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id `
Update-DeviceConfigurationPolicyAssignment `
-DeviceConfigurationPolicyId "$($policy.Id)/microsoft.graph.managedDeviceMobileAppConfiguration" `
-Targets $assignmentsHash `
-Repository 'deviceAppManagement/mobileAppConfigurations'
}
@@ -420,20 +452,21 @@ function Set-TargetResource
Update-MgBetaDeviceAppManagementMobileAppConfiguration `
-ManagedDeviceMobileAppConfigurationId $currentInstance.Id `
-BodyParameter $UpdateParameters

$assignmentsHash = @()
foreach ($assignment in $Assignments)
{
$assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment
$assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment
}
Update-DeviceConfigurationPolicyAssignment `
-DeviceConfigurationPolicyId $currentInstance.id `
-DeviceConfigurationPolicyId "$($currentInstance.Id)/microsoft.graph.managedDeviceMobileAppConfiguration" `
-Targets $assignmentsHash `
-Repository 'deviceAppManagement/mobileAppConfigurations'
#endregion
}
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Removing the Intune App Configuration Device Policy with Id {$($currentInstance.Id)}"
Write-Verbose -Message "Removing the Intune App Configuration Device Policy with Id {$($currentInstance.Id)}"
#region resource generator code
Remove-MgBetaDeviceAppManagementMobileAppConfiguration -ManagedDeviceMobileAppConfigurationId $currentInstance.Id
#endregion
@@ -552,7 +585,7 @@ function Test-TargetResource
Write-Verbose -Message "Testing configuration of the Intune App Configuration Device Policy with Id {$Id} and DisplayName {$DisplayName}"

$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()

if ($CurrentValues.Ensure -ne $Ensure)
{
@@ -566,29 +599,27 @@ function Test-TargetResource
{
$source = $PSBoundParameters.$key
$target = $CurrentValues.$key
if ($source.getType().Name -like '*CimInstance*')
if ($source.GetType().Name -like '*CimInstance*')
{
$source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source

$testResult = Compare-M365DSCComplexObject `
-Source ($source) `
-Target ($target)

if (-Not $testResult)
if ($key -eq "Assignments")
{
$testResult = $false
break
$testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target
}
else
{
$testResult = Compare-M365DSCComplexObject -Source ($source) -Target ($target)
}

if (-not $testResult) { break }

$ValuesToCheck.Remove($key) | Out-Null
}
}

$ValuesToCheck.remove('Id') | Out-Null
$ValuesToCheck.Remove('Credential') | Out-Null
$ValuesToCheck.Remove('ApplicationId') | Out-Null
$ValuesToCheck.Remove('TenantId') | Out-Null
$ValuesToCheck.Remove('ApplicationSecret') | Out-Null
$ValuesToCheck.Remove('Id') | Out-Null
$ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck

Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
@@ -614,7 +645,7 @@ function Export-TargetResource
(
[Parameter()]
[System.String]
$Filter,
$Filter,

[Parameter()]
[System.Management.Automation.PSCredential]
@@ -721,7 +752,7 @@ function Export-TargetResource
{
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
-ComplexObject $Results.Settings `
-CIMInstanceName 'MicrosoftGraphappConfigurationSettingItem1'
-CIMInstanceName 'MicrosoftGraphappConfigurationSettingItem'
if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
{
$Results.Settings = $complexTypeStringResult
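Review bot: In the Set-TargetResource hunk, the `Where-Object` lookup that resolves each `$targetedApp` can return more than one app, and `$targetedApps += $app.Id` then appends every matching Id, so the policy would target apps the configuration never named. The Android arm is narrowed by `'@odata.type' -eq '#microsoft.graph.androidManagedStoreApp'`, but the iOS arm matches on `bundleId` alone, which is presumably shared when the same app is registered under more than one app type. I would fail closed on an ambiguous match, as the code already does for no match, by adding after the `$null -eq $app` check: `if (@($app).Count -gt 1) { throw "More than one mobile app matches packageId or bundleId {$targetedApp}" }`. Set-TargetResource starts and ends outside the hunk, so any later validation of `$BoundParameters.TargetedMobileApps` is not visible here.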
33 changes: 25 additions & 8 deletions Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1
@@ -1275,29 +1275,46 @@ function Compare-M365DSCIntunePolicyAssignment
$Target
)

$testResult = $source.count -eq $target.count
$testResult = $Source.Count -eq $Target.Count
if ($testResult)
{
foreach ($assignment in $source)
foreach ($assignment in $Source)
{
if ($assignment.dataType -like '*GroupAssignmentTarget')
if ($assignment.dataType -like '*groupAssignmentTarget')
{
$testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupId -eq $assignment.groupId})
#Using assignment groupDisplayName only if the groupId is not found in the directory otherwise groupId should be the key
$assignmentTarget = $Target | Where-Object -FilterScript { $_.dataType -eq $assignment.DataType -and $_.groupId -eq $assignment.groupId }
$testResult = $null -ne $assignmentTarget
# Using assignment groupDisplayName only if the groupId is not found in the directory otherwise groupId should be the key
if (-not $testResult)
{
$groupNotFound = $null -eq (Get-MgGroup -GroupId ($assignment.groupId) -ErrorAction SilentlyContinue)
}
if (-not $testResult -and $groupNotFound)
{
$testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupDisplayName -eq $assignment.groupDisplayName})
$assignmentTarget = $Target | Where-Object -FilterScript { $_.dataType -eq $assignment.DataType -and $_.groupDisplayName -eq $assignment.groupDisplayName }
$testResult = $null -ne $assignmentTarget
}

if ($testResult)
{
$isFilterIdSpecified = $assignment.deviceAndAppManagementAssignmentFilterType -ne 'none'
$testResult = $assignment.deviceAndAppManagementAssignmentFilterType -eq $assignmentTarget.deviceAndAppManagementAssignmentFilterType
if ($testResult -and $isFilterIdSpecified)
{
$testResult = $assignment.deviceAndAppManagementAssignmentFilterId -eq $assignmentTarget.deviceAndAppManagementAssignmentFilterId
}
}

if ($testResult)
{
$testResult = $assignment.collectionId -eq $assignmentTarget.collectionId
}
}
else
{
$testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType})
$testResult = $null -ne ($Target | Where-Object -FilterScript { $_.dataType -eq $assignment.DataType })
}
if (-Not $testResult) { break }
if (-not $testResult) { break }
}
}
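Review bot: The new assignment-filter and `collectionId` comparisons sit inside the `-like '*groupAssignmentTarget'` branch, so they never run for any other target type; the `else` branch still accepts any target with the same `dataType`. A changed filter on an all-devices or all-users target, or a different `collectionId` on a collection target, would therefore still compare as equal and the drift would go unreported (assuming those targets carry these fields the way group targets do). I would set `$assignmentTarget = $Target | Where-Object -FilterScript { $_.dataType -eq $assignment.DataType }` in the `else` branch and move the two `if ($testResult)` blocks below the `if`/`else` so they apply to every target. The function starts and ends outside the hunk.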

@@ -208,6 +208,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
(New-CimInstance -ClassName MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments -Property @{
DataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d'
deviceAndAppManagementAssignmentFilterType = 'none'
} -ClientOnly)
)
BackupDirectory = '1'
@@ -58,6 +58,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppConfigurationAssignment -MockWith {
}

Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith {
}

}
# Test contexts
Context -Name "The IntuneAppConfigurationDevicePolicy should exist but it DOES NOT" -Fixture {
@@ -82,6 +85,16 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
Credential = $Credential;
}

Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith {
return @{
Id = "FakeStringValue"
AdditionalProperties = @{
packageId = "FakeStringValue"
'@odata.type' = "#microsoft.graph.androidManagedStoreApp"
}
}
}

Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppConfiguration -MockWith {
return $null
}
@@ -120,6 +133,16 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
Credential = $Credential;
}

Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith {
return @{
Id = "FakeStringValue"
AdditionalProperties = @{
packageId = "FakeStringValue"
'@odata.type' = "#microsoft.graph.androidManagedStoreApp"
}
}
}

Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppConfiguration -MockWith {
return @{
AdditionalProperties = @{
@@ -183,6 +206,16 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
Credential = $Credential;
}

Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith {
return @{
Id = "FakeStringValue"
AdditionalProperties = @{
packageId = "FakeStringValue"
'@odata.type' = "#microsoft.graph.androidManagedStoreApp"
}
}
}

Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppConfiguration -MockWith {
return @{
AdditionalProperties = @{
@@ -219,6 +252,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
Context -Name "The IntuneAppConfigurationDevicePolicy exists and values are NOT in the desired state" -Fixture {
BeforeAll {
$testParams = @{
Assignments = @()
ConnectedAppsEnabled = $True
description = "FakeStringValue"
displayName = "FakeStringValue"
@@ -238,6 +272,16 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
Credential = $Credential;
}

Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith {
return @{
Id = "FakeStringValue"
AdditionalProperties = @{
packageId = "FakeStringValue"
'@odata.type' = "#microsoft.graph.androidManagedStoreApp"
}
}
}

Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppConfiguration -MockWith {
return @{
AdditionalProperties = @{
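Review bot: All four added `Get-MgBetaDeviceAppManagementMobileApp` mocks inside the contexts return the same single `#microsoft.graph.androidManagedStoreApp` object, so the visible contexts exercise only the Android lookup with exactly one match. The new `throw "Could not find a mobile app with packageId or bundleId {$targetedApp}"` path in Set-TargetResource and the iOS `bundleId` path have no context in these hunks. A context whose mock returns nothing and asserts `Should -Throw`, plus one that resolves an iOS `bundleId`, would pin that behaviour. The contexts continue outside the hunks, so coverage may exist in lines not shown.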
