From b149f0b10458c8ae991ce005037fed4405a851ef Mon Sep 17 00:00:00 2001 From: dannyKBjj Date: Mon, 6 Jan 2025 17:03:27 +0000 Subject: [PATCH 1/8] In progress --- CHANGELOG.md | 3 +- .../MSFT_IntuneAppProtectionPolicyiOS.psm1 | 102 ++++++++++++++++-- ...FT_IntuneAppProtectionPolicyiOS.schema.mof | 17 +++ 3 files changed, 111 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 347bee63d0..9d734c0705 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,6 @@ * MISC * DEFENDER * Added support for the UseBasicParsing paramter for REST calls. - * AADApplication * Added support for Oauth2PermissionScopes. * Fixes comparison issue for permissions. @@ -34,6 +33,8 @@ * DEPENDENCIES * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.202. * Updated MSCloudLoginAssistant to version 1.1.31. +* IntuneAppProtectionPolicyiOS + * Fixes [#5589] https://github.com/microsoft/Microsoft365DSC/issues/5589 # 1.24.1211.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 index 72b5ef5b63..372b03e95d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 
@@ -15,7 +15,73 @@ function Get-TargetResource [Parameter()] [System.String] $Description, +#my stuff + [Parameter()] + [System.Boolean] + $AllowWidgetContentSync, + + [Parameter()] + [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] + [System.String] + $appActionIfAccountIsClockedOut, + + [Parameter()] + [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] + [System.String] + $appActionIfUnableToAuthenticateUser, + + [Parameter()] + [ValidateSet('selectedPublicApps', 'allCoreMicrosoftApps', 'allMicrosoftApps','allApps')] + [System.String] + $appGroupType, + + [Parameter()] + [System.Boolean] + $blockDataIngestionIntoOrganizationDocuments, + + [Parameter()] + [System.String] + $customDialerAppProtocol, + + [Parameter()] + [System.UInt32] + $deployedAppCount, + + [Parameter()] + [ValidateSet('allApps','managedApps','customApp','blocked')] + [System.String] + $dialerRestrictionLevel, + + [Parameter()] + [System.String[]] + $exemptedUniversalLinks, + + [Parameter()] + [System.String] + $gracePeriodToBlockAppsDuringOffClockHours, + + [Parameter()] + [System.Boolean] + $isAssignedisAssigned, + + [Parameter()] + [System.String[]] + $managedUniversalLinks, + + [Parameter()] + [ValidateSet('notConfigured', 'secured', 'low', 'medium', 'high')] + [System.String] + $maximumAllowedDeviceThreatLevel, + + [Parameter()] + [System.String] + $maximumRequiredOsVersion, + + [Parameter()] + [System.String] + $minimumRequiredOsVersion, +#my stuff [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, 
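Review bot: `$isAssignedisAssigned` in the new Get-TargetResource parameter list is a doubled-name typo and does not match the `isAssigned = $policy.isAssigned` key the same commit writes into the result hashtable; the declaration should read `$isAssigned,` (PATCH 2/8 of this series corrects it). The two `#my stuff` lines at column 0 that bracket the new parameters are scaffolding and should not be merged, and the new names are lower camelCase while every existing parameter in this block (`$Description`, `$PeriodOfflineBeforeAccessCheck`) is PascalCase — binding is case-insensitive, but exported configurations will show the inconsistency. `deployedAppCount` and `isAssigned` are described in the accompanying schema as a count and a flag reported by the service, so exposing them as settable parameters presumably lets a configuration declare values the resource cannot enforce; consider leaving them out of the param blocks. Get-TargetResource's body continues outside the hunk.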
@@ -366,6 +432,24 @@ function Get-TargetResource Identity = $policy.id DisplayName = $policy.DisplayName Description = $policy.Description + + AllowWidgetContentSync = $policy.AllowWidgetContentSync + appActionIfAccountIsClockedOut = $policy.appActionIfAccountIsClockedOut + appActionIfUnableToAuthenticateUser = $policy.appActionIfUnableToAuthenticateUser + appGroupType = $policy.appGroupType + blockDataIngestionIntoOrganizationDocuments = $policy.blockDataIngestionIntoOrganizationDocuments + customDialerAppProtocol = $policy.customDialerAppProtocol + deployedAppCount = $policy.deployedAppCount + #DeploymentSummary = $DeploymentSummaryArray + dialerRestrictionLevel = $policy.dialerRestrictionLevel + exemptedUniversalLinks = $policy.exemptedUniversalLinks + gracePeriodToBlockAppsDuringOffClockHours = $policy.gracePeriodToBlockAppsDuringOffClockHours #duration datatype?! handling as string - https://github.com/microsoftgraph/microsoft-graph-docs-contrib/blob/main/api-reference/beta/resources/intune-mam-iosmanagedappprotection.md + isAssigned = $policy.isAssigned + managedUniversalLinks = $policy.managedUniversalLinks + maximumAllowedDeviceThreatLevel = $policy.maximumAllowedDeviceThreatLevel + maximumRequiredOsVersion = $policy.maximumRequiredOsVersion + minimumRequiredOsVersion = $policy.minimumRequiredOsVersion + PeriodOfflineBeforeAccessCheck = $myPeriodOfflineBeforeAccessCheck PeriodOnlineBeforeAccessCheck = $myPeriodOnlineBeforeAccessCheck AllowedInboundDataTransferSources = [String]$policy.AllowedInboundDataTransferSources @@ -461,6 +545,10 @@ function Set-TargetResource [System.String] $Description, + [Parameter()] + [System.Boolean] + $AllowWidgetContentSync + [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, @@ -845,6 +933,10 @@ function Test-TargetResource [System.String] $Description, + [Parameter()] + [System.Boolean] + $AllowWidgetContentSync + [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, 
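Review bot: The new hashtable entries in Get-TargetResource copy the enum-valued Graph properties (`appActionIfAccountIsClockedOut`, `appGroupType`, `dialerRestrictionLevel`, `maximumAllowedDeviceThreatLevel`) straight from `$policy`, whereas the existing entry beside them casts with `[String]` (`AllowedInboundDataTransferSources = [String]$policy.AllowedInboundDataTransferSources`); without the cast the returned value is presumably an enum object rather than the string the matching `[ValidateSet]` parameter expects, which would surface as spurious drift in Test-TargetResource (PATCH 2/8 adds the casts). The `gracePeriodToBlockAppsDuringOffClockHours` line carries a trailing `#duration datatype?!` comment plus a URL; that belongs on its own line above the entry, e.g. `# Graph models this as a duration; kept as a string until the mapping is confirmed`. The `#DeploymentSummary = $DeploymentSummaryArray` line is dead code and should be removed. Get-TargetResource continues on both sides of the hunk.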
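Review bot: The `$AllowWidgetContentSync` declaration added to the Set-TargetResource param block has no trailing comma before the following `[Parameter()]`, which is a parse error for the whole module; the Test-TargetResource hunk at `@@ -845,6 +933,10 @@` has the same omission. Both lines should read `$AllowWidgetContentSync,` (PATCH 2/8 rewrites these blocks, so the series as a whole is fine, but this commit alone does not load). Both param blocks continue outside their hunks.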
@@ -966,23 +1058,19 @@ function Test-TargetResource [System.String] $AppDataEncryptionType, - [Parameter()] [System.String] $MinimumWipeOSVersion, - [Parameter()] [System.String] $MinimumWipeAppVersion, - [Parameter()] [ValidateSet('block', 'wipe', 'warn')] [System.String] $AppActionIfDeviceComplianceRequired, - [Parameter()] [ValidateSet('block', 'wipe', 'warn')] [System.String] @@ -992,12 +1080,10 @@ function Test-TargetResource [System.String] $PinRequiredInsteadOfBiometricTimeout, - [Parameter()] [System.Uint32] $AllowedOutboundClipboardSharingExceptionLength, - [Parameter()] [ValidateSet('allow', 'blockOrganizationalData', 'block')] [System.String] @@ -1020,23 +1106,19 @@ function Test-TargetResource [System.String[]] $AllowedIosDeviceModels, - [Parameter()] [ValidateSet('block', 'wipe', 'warn')] [System.String] $AppActionIfIosDeviceModelNotAllowed, - [Parameter()] [System.Boolean] $FilterOpenInToOnlyManagedApps, - [Parameter()] [System.Boolean] $DisableProtectionOfManagedOutboundOpenInData, - [Parameter()] [System.Boolean] $ProtectInboundDataFromUnknownSources, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof index 1801c4dd5f..a1b48d5074 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof 
@@ -4,6 +4,23 @@ class MSFT_IntuneAppProtectionPolicyiOS : OMI_BaseResource [Key, Description("Display name of the iOS App Protection Policy.")] String DisplayName; [Write, Description("Identity of the iOS App Protection Policy.")] String Identity; [Write, Description("Description of the iOS App Protection Policy.")] String Description; + + [Write, Description("Indicates if content sync for widgets is allowed for iOS on App Protection Policies.")] Boolean AllowWidgetContentSync; + [Write, Description("Defines a managed app behavior, either block or warn, if the user is clocked out (non-working time)."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String appActionIfAccountIsClockedOut; + [Write, Description("If set, it will specify what action to take in the case where the user is unable to checkin because their authentication token is invalid. This happens when the user is deleted or disabled in AAD. ."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String appActionIfUnableToAuthenticateUser; + [Write, Description("Public Apps selection: group or individual Inherited from targetedManagedAppProtection."), ValueMap{"selectedPublicApps","allCoreMicrosoftApps","allMicrosoftApps","allApps"}, Values{"selectedPublicApps","allCoreMicrosoftApps","allMicrosoftApps","allApps"}] String appGroupType; + [Write, Description("Indicates whether a user can bring data into org documents.")] boolean blockDataIngestionIntoOrganizationDocuments; + [Write, Description("Protocol of a custom dialer app to click-to-open a phone number on iOS, for example, skype:.")] String customDialerAppProtocol; + [Write, Description("Count of apps to which the current policy is deployed.")] UInt32 deployedAppCount; + [Write, Description("The classes of dialer apps that are allowed to click-to-open a phone number."), 
ValueMap{"allApps","managedApps","customApp","blocked"}, Values{"allApps","managedApps","customApp","blocked"}] String dialerRestrictionLevel; + [Write, Description("A list of custom urls that are allowed to invocate an unmanaged app.")] String ExemptedUniversalLinks[]; + [Write, Description("A grace period before blocking app access during off clock hours.")] String gracePeriodToBlockAppsDuringOffClockHours; + [Write, Description("Indicates if the policy is deployed to any inclusion groups or not.")] Boolean isAssigned; + [Write, Description("A list of custom urls that are allowed to invocate a managed app.")] String managedUniversalLinks[]; + [Write, Description("Maximum allowed device threat level, as reported by the MTD app Inherited from managedAppProtection."), ValueMap{"notConfigured","secured","low","medium","high"}, Values{"notConfigured","secured","low","medium","high"}] String maximumAllowedDeviceThreatLevel; + [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String maximumRequiredOsVersion; + [Write, Description("Versions less than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String minimumRequiredOsVersion; + [Write, Description("The period after which access is checked when the device is not connected to the internet.")] String PeriodOfflineBeforeAccessCheck; [Write, Description("The period after which access is checked when the device is connected to the internet.")] String PeriodOnlineBeforeAccessCheck; [Write, Description("Sources from which data is allowed to be transferred. Possible values are: allApps, managedApps, none."), ValueMap{"allApps","managedApps", "none"}, Values{"allApps","managedApps", "none"}] String AllowedInboundDataTransferSources; From 92ee633dbbb7673d9b4b2f0c3404d42fcc0f9038 Mon Sep 17 00:00:00 2001 
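Review bot: The description for `appActionIfUnableToAuthenticateUser` ends with `in AAD. .` (a stray second period), and `blockDataIngestionIntoOrganizationDocuments` is declared `boolean` while the neighbouring new properties use `Boolean`; the MOF property `ExemptedUniversalLinks` is PascalCase where its PowerShell parameter is `$exemptedUniversalLinks` and the sibling `managedUniversalLinks` is camelCase — one convention should be chosen for the new block. `deployedAppCount` ("Count of apps to which the current policy is deployed") and `isAssigned` ("Indicates if the policy is deployed to any inclusion groups") describe state reported by the service rather than settings, so qualifying them `Write` lets a configuration assert values the resource cannot set; if they are kept, the `Read` qualifier documents that they are output-only. The `appActionIfAccountIsClockedOut` description names only "block or warn" while its ValueMap also allows `wipe` and `blockWhenSettingIsSupported`; the sentence should list the same values the map permits.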
From: dannyKBjj Date: Wed, 8 Jan 2025 14:23:16 +0000 Subject: [PATCH 2/8] mostly working --- .../MSFT_IntuneAppProtectionPolicyiOS.psm1 | 280 +++++++++++++++++- ...FT_IntuneAppProtectionPolicyiOS.schema.bak | 89 ++++++ ...FT_IntuneAppProtectionPolicyiOS.schema.mof | 12 +- 3 files changed, 363 insertions(+), 18 deletions(-) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 index 372b03e95d..563d5739aa 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 @@ -56,13 +56,13 @@ function Get-TargetResource [System.String[]] $exemptedUniversalLinks, - [Parameter()] - [System.String] - $gracePeriodToBlockAppsDuringOffClockHours, + #[Parameter()] + #[System.String] + #$gracePeriodToBlockAppsDuringOffClockHours, [Parameter()] [System.Boolean] - $isAssignedisAssigned, + $isAssigned, [Parameter()] [System.String[]] 
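Review bot: The `gracePeriodToBlockAppsDuringOffClockHours` parameter in Get-TargetResource is commented out in place rather than removed, and the hunk gives no reason; commented-out declarations tend to linger, so either delete the three lines or replace them with a single `# TODO: gracePeriodToBlockAppsDuringOffClockHours is a duration type in Graph (see linked docs); not mapped yet` so the intent survives. The rename of `$isAssignedisAssigned` to `$isAssigned` is correct. The param block continues outside the hunk.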
@@ -79,7 +79,42 @@ function Get-TargetResource [Parameter()] [System.String] - $minimumRequiredOsVersion, + $maximumWarningOsVersion, + + [Parameter()] + [System.String] + $maximumWipeOsVersion, + + [Parameter()] + [System.String] + $messagingRedirectAppUrlScheme, + + [Parameter()] + [System.String] + $minimumWarningSdkVersion, + + [Parameter()] + [ValidateSet('defenderOverThirdPartyPartner','thirdPartyPartnerOverDefender','unknownFutureValue')] + [System.String] + $mobileThreatDefensePartnerPriority, + + [Parameter()] + [ValidateSet('block','wipe','warn','blockWhenSettingIsSupported')] + [System.String] + $mobileThreatDefenseRemediationAction, + + [Parameter()] + [System.UInt32] + $previousPinBlockCount, + + [Parameter()] + [ValidateSet('anyApp','anyManagedApp','specificApps','blocked')] + [System.String] + $protectedMessagingRedirectAppType, + + [Parameter()] + [System.Boolean] + $ThirdPartyKeyboardsBlocked, #my stuff [Parameter()] 
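Review bot: `$ThirdPartyKeyboardsBlocked` is the only new parameter in this block written in PascalCase, while the Get-TargetResource hashtable in the same commit emits the key as `thirdPartyKeyboardsBlocked`; binding is case-insensitive, but exports show the declared spelling, so the two should agree. The hunk also replaces `$minimumRequiredOsVersion` with `$maximumWarningOsVersion`; that is presumably intentional because the resource already exposes `MinimumRequiredOSVersion` further down the schema, but the removal is silent and deserves a line in the commit message. The `#my stuff` marker at column 0 after `$ThirdPartyKeyboardsBlocked,` should not be merged. The param block continues beyond the hunk.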
@@ -434,21 +469,29 @@ function Get-TargetResource Description = $policy.Description AllowWidgetContentSync = $policy.AllowWidgetContentSync - appActionIfAccountIsClockedOut = $policy.appActionIfAccountIsClockedOut - appActionIfUnableToAuthenticateUser = $policy.appActionIfUnableToAuthenticateUser - appGroupType = $policy.appGroupType + appActionIfAccountIsClockedOut = [string]$policy.appActionIfAccountIsClockedOut + appActionIfUnableToAuthenticateUser = [string]$policy.appActionIfUnableToAuthenticateUser + appGroupType = [string]$policy.appGroupType blockDataIngestionIntoOrganizationDocuments = $policy.blockDataIngestionIntoOrganizationDocuments - customDialerAppProtocol = $policy.customDialerAppProtocol + customDialerAppProtocol = [string]$policy.customDialerAppProtocol deployedAppCount = $policy.deployedAppCount #DeploymentSummary = $DeploymentSummaryArray - dialerRestrictionLevel = $policy.dialerRestrictionLevel + dialerRestrictionLevel = [string]$policy.dialerRestrictionLevel exemptedUniversalLinks = $policy.exemptedUniversalLinks - gracePeriodToBlockAppsDuringOffClockHours = $policy.gracePeriodToBlockAppsDuringOffClockHours #duration datatype?! handling as string - https://github.com/microsoftgraph/microsoft-graph-docs-contrib/blob/main/api-reference/beta/resources/intune-mam-iosmanagedappprotection.md + #gracePeriodToBlockAppsDuringOffClockHours = [string]$policy.gracePeriodToBlockAppsDuringOffClockHours #duration datatype?! 
handling as string - https://github.com/microsoftgraph/microsoft-graph-docs-contrib/blob/main/api-reference/beta/resources/intune-mam-iosmanagedappprotection.md isAssigned = $policy.isAssigned managedUniversalLinks = $policy.managedUniversalLinks - maximumAllowedDeviceThreatLevel = $policy.maximumAllowedDeviceThreatLevel - maximumRequiredOsVersion = $policy.maximumRequiredOsVersion - minimumRequiredOsVersion = $policy.minimumRequiredOsVersion + maximumAllowedDeviceThreatLevel = [string]$policy.maximumAllowedDeviceThreatLevel + maximumRequiredOsVersion = [string]$policy.maximumRequiredOsVersion + maximumWarningOsVersion = [string]$policy.maximumWarningOsVersion + maximumWipeOsVersion = [string]$policy.maximumWipeOsVersion + messagingRedirectAppUrlScheme = [string]$policy.messagingRedirectAppUrlScheme + minimumWarningSdkVersion = [string]$policy.minimumWarningSdkVersion + mobileThreatDefensePartnerPriority = [string]$policy.mobileThreatDefensePartnerPriority + mobileThreatDefenseRemediationAction = [string]$policy.mobileThreatDefenseRemediationAction + previousPinBlockCount = $policy.previousPinBlockCount + protectedMessagingRedirectAppType = [string]$policy.protectedMessagingRedirectAppType + thirdPartyKeyboardsBlocked = $policy.thirdPartyKeyboardsBlocked PeriodOfflineBeforeAccessCheck = $myPeriodOfflineBeforeAccessCheck PeriodOnlineBeforeAccessCheck = $myPeriodOnlineBeforeAccessCheck 
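Review bot: The `[string]` casts added to the Get-TargetResource entries turn a null Graph property into an empty string, and it is that empty string that the Set-TargetResource hunk at `@@ -873,6 +1013,17 @@` then has to strip for `minimumWarningSdkVersion`, `maximumRequiredOsVersion`, `maximumWarningOsVersion` and `maximumWipeOsVersion`; an export/re-apply round trip therefore loses the distinction between "not set" and "set to empty". Consider leaving those four version properties uncast, as PATCH 1/8 had them, so a null stays null, and keep `[string]` only for the enum-valued entries. The commented-out `#gracePeriodToBlockAppsDuringOffClockHours` line with its trailing URL is dead code and should be removed or reduced to a one-line TODO. Get-TargetResource continues on both sides of the hunk.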
@@ -544,11 +587,108 @@ function Set-TargetResource [Parameter()] [System.String] $Description, +#my stuff + [Parameter()] + [System.Boolean] + $AllowWidgetContentSync, + + [Parameter()] + [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] + [System.String] + $appActionIfAccountIsClockedOut, + + [Parameter()] + [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] + [System.String] + $appActionIfUnableToAuthenticateUser, + + [Parameter()] + [ValidateSet('selectedPublicApps', 'allCoreMicrosoftApps', 'allMicrosoftApps','allApps')] + [System.String] + $appGroupType, + + [Parameter()] + [System.Boolean] + $blockDataIngestionIntoOrganizationDocuments, + + [Parameter()] + [System.String] + $customDialerAppProtocol, + + [Parameter()] + [System.UInt32] + $deployedAppCount, + + [Parameter()] + [ValidateSet('allApps','managedApps','customApp','blocked')] + [System.String] + $dialerRestrictionLevel, + + [Parameter()] + [System.String[]] + $exemptedUniversalLinks, + + #[Parameter()] + #[System.String] + #$gracePeriodToBlockAppsDuringOffClockHours, + + [Parameter()] + [System.Boolean] + $isAssigned, + + [Parameter()] + [System.String[]] + $managedUniversalLinks, + + [Parameter()] + [ValidateSet('notConfigured', 'secured', 'low', 'medium', 'high')] + [System.String] + $maximumAllowedDeviceThreatLevel, + + [Parameter()] + [System.String] + $maximumRequiredOsVersion, + + [Parameter()] + [System.String] + $maximumWarningOsVersion, + + [Parameter()] + [System.String] + $maximumWipeOsVersion, + + [Parameter()] + [System.String] + $messagingRedirectAppUrlScheme, + + [Parameter()] + [System.String] + $minimumWarningSdkVersion, + + [Parameter()] + [ValidateSet('defenderOverThirdPartyPartner','thirdPartyPartnerOverDefender','unknownFutureValue')] + [System.String] + $mobileThreatDefensePartnerPriority, + + [Parameter()] + [ValidateSet('block','wipe','warn','blockWhenSettingIsSupported')] + [System.String] + $mobileThreatDefenseRemediationAction, + + 
[Parameter()] + [System.UInt32] + $previousPinBlockCount, + + [Parameter()] + [ValidateSet('anyApp','anyManagedApp','specificApps','blocked')] + [System.String] + $protectedMessagingRedirectAppType, [Parameter()] [System.Boolean] - $AllowWidgetContentSync + $ThirdPartyKeyboardsBlocked, +#my stuff [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, @@ -873,6 +1013,17 @@ function Set-TargetResource $updateParameters.Remove('Apps') $updateParameters.TargetedAppManagementLevels = $updateParameters.TargetedAppManagementLevels -join ',' + + $arrayTemp = @("minimumWarningSdkVersion","maximumRequiredOsVersion","maximumWarningOsVersion","maximumWipeOsVersion") + Foreach($item in $arrayTemp) + { + + if ($updateParameters.$item -eq "") + { + $updateParameters.Remove($item) #for some reason cmdlet can't handle this being blank, which is annoying as we can't enforce it + } + } + $myApps = Get-IntuneAppProtectionPolicyiOSAppsToHashtable -Parameters $PSBoundParameters $myAssignments = Get-IntuneAppProtectionPolicyiOSAssignmentToHashtable -Parameters $PSBoundParameters 
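Review bot: Set-TargetResource now accepts `$deployedAppCount` and `$isAssigned`, which the schema describes as values reported by the service (an app count and a deployment flag); if the body builds `$updateParameters` from `$PSBoundParameters` as the existing `$updateParameters.Remove('Apps')` handling suggests, these keys will presumably be sent on every update and be rejected or ignored — the body is outside this hunk, so this needs confirming, but at minimum they should be removed from `$updateParameters` the way `Apps` is. The `#my stuff` markers at column 0, the commented-out `gracePeriodToBlockAppsDuringOffClockHours` block and the missing blank line between `$protectedMessagingRedirectAppType,` and `[Parameter()]` are leftovers to tidy. Set-TargetResource continues outside the hunk.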
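Review bot: The new loop in Set-TargetResource silently drops `minimumWarningSdkVersion`, `maximumRequiredOsVersion`, `maximumWarningOsVersion` and `maximumWipeOsVersion` from `$updateParameters` whenever the value is `""`, so a configuration can never clear one of these version thresholds once it is set on the tenant; judging by its name `maximumWipeOsVersion` is a wipe trigger, so a stale value left in place is a real conformance gap, and if Test-TargetResource compares the empty desired value against the tenant's value the resource will presumably report drift that Set cannot repair. The cmdlet's rejection of blanks, recorded in the end-of-line comment, belongs in a comment above the loop and in the resource documentation, and the loop should be named for what it does, e.g. `$versionKeysDroppedWhenEmpty = @('minimumWarningSdkVersion', 'maximumRequiredOsVersion', 'maximumWarningOsVersion', 'maximumWipeOsVersion')` with `foreach ($key in $versionKeysDroppedWhenEmpty)`. The empty line inside the loop body and the `Foreach(` spelling are minor style points. Set-TargetResource continues on both sides of the hunk.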
@@ -932,11 +1083,108 @@ function Test-TargetResource [Parameter()] [System.String] $Description, +#my stuff + [Parameter()] + [System.Boolean] + $AllowWidgetContentSync, + + [Parameter()] + [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] + [System.String] + $appActionIfAccountIsClockedOut, + + [Parameter()] + [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] + [System.String] + $appActionIfUnableToAuthenticateUser, + + [Parameter()] + [ValidateSet('selectedPublicApps', 'allCoreMicrosoftApps', 'allMicrosoftApps','allApps')] + [System.String] + $appGroupType, [Parameter()] [System.Boolean] - $AllowWidgetContentSync + $blockDataIngestionIntoOrganizationDocuments, + + [Parameter()] + [System.String] + $customDialerAppProtocol, + + [Parameter()] + [System.UInt32] + $deployedAppCount, + + [Parameter()] + [ValidateSet('allApps','managedApps','customApp','blocked')] + [System.String] + $dialerRestrictionLevel, + [Parameter()] + [System.String[]] + $exemptedUniversalLinks, + + #[Parameter()] + #[System.String] + # $gracePeriodToBlockAppsDuringOffClockHours, + + [Parameter()] + [System.Boolean] + $isAssigned, + + [Parameter()] + [System.String[]] + $managedUniversalLinks, + + [Parameter()] + [ValidateSet('notConfigured', 'secured', 'low', 'medium', 'high')] + [System.String] + $maximumAllowedDeviceThreatLevel, + + [Parameter()] + [System.String] + $maximumRequiredOsVersion, + + [Parameter()] + [System.String] + $maximumWarningOsVersion, + + [Parameter()] + [System.String] + $maximumWipeOsVersion, + + [Parameter()] + [System.String] + $messagingRedirectAppUrlScheme, + + [Parameter()] + [System.String] + $minimumWarningSdkVersion, + + [Parameter()] + [ValidateSet('defenderOverThirdPartyPartner','thirdPartyPartnerOverDefender','unknownFutureValue')] + [System.String] + $mobileThreatDefensePartnerPriority, + + [Parameter()] + [ValidateSet('block','wipe','warn','blockWhenSettingIsSupported')] + [System.String] + 
$mobileThreatDefenseRemediationAction, + + [Parameter()] + [System.UInt32] + $previousPinBlockCount, + + [Parameter()] + [ValidateSet('anyApp','anyManagedApp','specificApps','blocked')] + [System.String] + $protectedMessagingRedirectAppType, + + [Parameter()] + [System.Boolean] + $ThirdPartyKeyboardsBlocked, + +#my stuff [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak new file mode 100644 index 0000000000..c34afb341c --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak 
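Review bot: The Test-TargetResource param block is missing the blank line that separates parameters in two places (`$appGroupType,` followed directly by `[Parameter()]`, and `$dialerRestrictionLevel,` followed by `[Parameter()]`), and the commented-out grace-period parameter is written `# $gracePeriodToBlockAppsDuringOffClockHours,` here but `#$gracePeriodToBlockAppsDuringOffClockHours,` in the Get and Set blocks; the three copies of this parameter list should be byte-identical so that a diff between them shows only real differences. The `#my stuff` markers should be removed. The `new file mode` header following this hunk shows the commit also adds `MSFT_IntuneAppProtectionPolicyiOS.schema.bak`, a full copy of the MOF; a backup file should not be committed next to the schema. Test-TargetResource's param block continues outside the hunk.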
@@ -0,0 +1,89 @@ +[ClassVersion("1.0.0.0"), FriendlyName("IntuneAppProtectionPolicyiOS")] +class MSFT_IntuneAppProtectionPolicyiOS : OMI_BaseResource +{ + [Key, Description("Display name of the iOS App Protection Policy.")] String DisplayName; + [Write, Description("Identity of the iOS App Protection Policy.")] String Identity; + [Write, Description("Description of the iOS App Protection Policy.")] String Description; + + [Write, Description("Indicates if content sync for widgets is allowed for iOS on App Protection Policies.")] Boolean AllowWidgetContentSync; + [Write, Description("Defines a managed app behavior, either block or warn, if the user is clocked out (non-working time)."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String appActionIfAccountIsClockedOut; + [Write, Description("If set, it will specify what action to take in the case where the user is unable to checkin because their authentication token is invalid. This happens when the user is deleted or disabled in AAD. 
."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String appActionIfUnableToAuthenticateUser; + [Write, Description("Public Apps selection: group or individual Inherited from targetedManagedAppProtection."), ValueMap{"selectedPublicApps","allCoreMicrosoftApps","allMicrosoftApps","allApps"}, Values{"selectedPublicApps","allCoreMicrosoftApps","allMicrosoftApps","allApps"}] String appGroupType; + [Write, Description("Indicates whether a user can bring data into org documents.")] boolean blockDataIngestionIntoOrganizationDocuments; + [Write, Description("Protocol of a custom dialer app to click-to-open a phone number on iOS, for example, skype:.")] String customDialerAppProtocol; + [Write, Description("Count of apps to which the current policy is deployed.")] UInt32 deployedAppCount; + [Write, Description("The classes of dialer apps that are allowed to click-to-open a phone number."), ValueMap{"allApps","managedApps","customApp","blocked"}, Values{"allApps","managedApps","customApp","blocked"}] String dialerRestrictionLevel; + [Write, Description("A list of custom urls that are allowed to invocate an unmanaged app.")] String ExemptedUniversalLinks[]; + [Write, Description("A grace period before blocking app access during off clock hours.")] String gracePeriodToBlockAppsDuringOffClockHours; + [Write, Description("Indicates if the policy is deployed to any inclusion groups or not.")] Boolean isAssigned; + [Write, Description("A list of custom urls that are allowed to invocate a managed app.")] String managedUniversalLinks[]; + [Write, Description("Maximum allowed device threat level, as reported by the MTD app Inherited from managedAppProtection."), ValueMap{"notConfigured","secured","low","medium","high"}, Values{"notConfigured","secured","low","medium","high"}] String maximumAllowedDeviceThreatLevel; + [Write, Description("Versions bigger than the specified version will block the managed app 
from accessing company data. Inherited from managedAppProtection.")] String maximumRequiredOsVersion; + [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String maximumWarningOsVersion; + [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String maximumWipeOsVersion; + [Write, Description("When a specific app redirection is enforced by protectedMessagingRedirectAppType in an App Protection Policy, this value defines the app url redirect schemes which are allowed to be used.")] String messagingRedirectAppUrlScheme; + [Write, Description("Versions less than the specified version will result in warning message on the managed app from accessing company data.")] String minimumWarningSdkVersion; + [Write, Description("Indicates how to prioritize which Mobile Threat Defense (MTD) partner is enabled for a given platform, when more than one is enabled. An app can only be actively using a single Mobile Threat Defense partner. When NULL, Microsoft Defender will be given preference. Otherwise setting the value to defenderOverThirdPartyPartner or thirdPartyPartnerOverDefender will make explicit which partner to prioritize."), ValueMap{"defenderOverThirdPartyPartner","thirdPartyPartnerOverDefender","unknownFutureValue"}, Values{"defenderOverThirdPartyPartner","thirdPartyPartnerOverDefender","unknownFutureValue"}] String mobileThreatDefensePartnerPriority; + [Write, Description("Determines what action to take if the mobile threat defense threat threshold isn't met. 
Warn isn't a supported value for this property Inherited from managedAppProtection."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String mobileThreatDefenseRemediationAction; + [Write, Description("Requires a pin to be unique from the number specified in this property. Inherited from managedAppProtection.")] UInt32 previousPinBlockCount; + [Write, Description("Defines how app messaging redirection is protected by an App Protection Policy. Default is anyApp. Inherited from managedAppProtection."), ValueMap{"anyApp","anyManagedApp","specificApps","blocked"}, Values{"anyApp","anyManagedApp","specificApps","blocked"}] String protectedMessagingRedirectAppType; + [Write, Description("Defines if third party keyboards are allowed while accessing a managed app.")] Boolean thirdPartyKeyboardsBlocked; + + [Write, Description("The period after which access is checked when the device is not connected to the internet.")] String PeriodOfflineBeforeAccessCheck; + [Write, Description("The period after which access is checked when the device is connected to the internet.")] String PeriodOnlineBeforeAccessCheck; + [Write, Description("Sources from which data is allowed to be transferred. Possible values are: allApps, managedApps, none."), ValueMap{"allApps","managedApps", "none"}, Values{"allApps","managedApps", "none"}] String AllowedInboundDataTransferSources; + [Write, Description("Destinations to which data is allowed to be transferred. Possible values are: allApps, managedApps, none."), ValueMap{"allApps","managedApps", "none"}, Values{"allApps","managedApps", "none"}] String AllowedOutboundDataTransferDestinations; + [Write, Description("Indicates whether organizational credentials are required for app use.")] Boolean OrganizationalCredentialsRequired; + [Write, Description("The level to which the clipboard may be shared between apps on the managed device. 
Possible values are: allApps, managedAppsWithPasteIn, managedApps, blocked."), ValueMap{"allApps","managedAppsWithPasteIn","managedApps", "blocked"}, Values{"allApps","managedAppsWithPasteIn","managedApps", "blocked"}] String AllowedOutboundClipboardSharingLevel; + [Write, Description("Indicates whether the backup of a managed app's data is blocked.")] Boolean DataBackupBlocked; + [Write, Description("Indicates whether device compliance is required.")] Boolean DeviceComplianceRequired; + [Write, Description("Indicates whether internet links should be opened in the managed browser app, or any custom browser specified by CustomBrowserProtocol (for iOS) or CustomBrowserPackageId/CustomBrowserDisplayName (for Android).")] Boolean ManagedBrowserToOpenLinksRequired; + [Write, Description("Indicates whether users may use the Save As menu item to save a copy of protected files.")] Boolean SaveAsBlocked; + [Write, Description("The amount of time an app is allowed to remain disconnected from the internet before all managed data it is wiped.")] String PeriodOfflineBeforeWipeIsEnforced; + [Write, Description("Indicates whether an app-level pin is required.")] Boolean PinRequired; + [Write, description("Indicates whether use of the app pin is required if the device pin is set.")] Boolean DisableAppPinIfDevicePinIsSet; + [Write, Description("Maximum number of incorrect pin retry attempts before the managed app is either blocked or wiped.")] UInt32 MaximumPinRetries; + [Write, Description("Block simple PIN and require complex PIN to be set.")] Boolean SimplePinBlocked; + [Write, Description("Minimum pin length required for an app-level pin if PinRequired is set to True.")] UInt32 MinimumPinLength; + [Write, Description("Character set which may be used for an app-level pin if PinRequired is set to True. 
Possible values are: numeric, alphanumericAndSymbol."), ValueMap{"numeric","alphanumericAndSymbol"}, Values{"numeric","alphanumericAndSymbol"}] String PinCharacterSet; + [Write, Description("Data storage locations where a user may store managed data.")] String AllowedDataStorageLocations[]; + [Write, Description("Indicates whether contacts can be synced to the user's device.")] Boolean ContactSyncBlocked; + [Write, Description("TimePeriod before the all-level pin must be reset if PinRequired is set to True.")] String PeriodBeforePinReset; + [Write, Description("Indicates whether printing is allowed from managed apps.")] Boolean PrintBlocked; + [Write, Description("Indicates whether use of the fingerprint reader is allowed in place of a pin if PinRequired is set to True.")] Boolean FingerprintBlocked; + [Write, Description("Indicates whether use of the FaceID is allowed in place of a pin if PinRequired is set to True.")] Boolean FaceIdBlocked; + [Write, Description("Indicates in which managed browser(s) that internet links should be opened. When this property is configured, ManagedBrowserToOpenLinksRequired should be true. 
Possible values are: notConfigured, microsoftEdge."), ValueMap{"notConfigured","microsoftEdge"}, Values{"notConfigured","microsoftEdge"}] String ManagedBrowser; + [Write, Description("Versions less than the specified version will block the managed app from accessing company data.")] String MinimumRequiredAppVersion; + [Write, Description("Versions less than the specified version will result in warning message on the managed app from accessing company data.")] String MinimumWarningAppVersion; + [Write, Description("Versions less than the specified version will block the managed app from accessing company data.")] String MinimumRequiredOSVersion; + [Write, Description("Versions less than the specified version will result in warning message on the managed app from accessing company data.")] String MinimumWarningOSVersion; + [Write, Description("Versions less than the specified version will block the managed app from accessing company data.")] String MinimumRequiredSdkVersion; + [Write, Description("Versions less than or equal to the specified version will wipe the managed app and the associated company data.")] String MinimumWipeOSVersion; + [Write, Description("Versions less than or equal to the specified version will wipe the managed app and the associated company data.")] String MinimumWipeAppVersion; + [Write, Description("Defines a managed app behavior, either block or wipe, when the device is either rooted or jailbroken, if DeviceComplianceRequired is set to true."), ValueMap{"block","wipe","warn"}, Values{"block","wipe","warn"}] String AppActionIfDeviceComplianceRequired; + [Write, Description("Defines a managed app behavior, either block or wipe, based on maximum number of incorrect pin retry attempts."), ValueMap{"block","wipe","warn"}, Values{"block","wipe","warn"}] String AppActionIfMaximumPinRetriesExceeded; + [Write, Description("Timeout in minutes for an app pin instead of non biometrics passcode .")] String PinRequiredInsteadOfBiometricTimeout; + 
[Write, Description("Specify the number of characters that may be cut or copied from Org data and accounts to any application. This setting overrides the AllowedOutboundClipboardSharingLevel restriction. Default value of '0' means no exception is allowed.")] Uint32 AllowedOutboundClipboardSharingExceptionLength; + [Write, Description("Specify app notification restriction."), ValueMap{"allow","blockOrganizationalData","block"}, Values{"allow","blockOrganizationalData","block"}] String NotificationRestriction; + [Write, Description("The intended app management levels for this policy."), ValueMap{"unspecified","unmanaged","mdm","androidEnterprise"}, Values{"unspecified","unmanaged","mdm","androidEnterprise"}] String TargetedAppManagementLevels[]; + [Write, Description("Require app data to be encrypted."), Values{"useDeviceSettings","afterDeviceRestart","whenDeviceLockedExceptOpenFiles","whenDeviceLocked"}, ValueMap{"useDeviceSettings","afterDeviceRestart","whenDeviceLockedExceptOpenFiles","whenDeviceLocked"}] String AppDataEncryptionType; + [Write, Description("Apps in this list will be exempt from the policy and will be able to receive data from managed apps.")] String ExemptedAppProtocols[]; + [Write, Description("Versions less than the specified version will block the managed app from accessing company data.")] String MinimumWipeSdkVersion; + [Write, Description("Semicolon seperated list of device models allowed, as a string, for the managed app to work.")] String AllowedIosDeviceModels[]; + [Write, Description("Defines a managed app behavior, either block or wipe, if the specified device model is not allowed."), ValueMap{"block","wipe","warn"}, Values{"block","wipe","warn"}] String AppActionIfIosDeviceModelNotAllowed; + [Write, Description("Defines if open-in operation is supported from the managed app to the filesharing locations selected. 
This setting only applies when AllowedOutboundDataTransferDestinations is set to ManagedApps and DisableProtectionOfManagedOutboundOpenInData is set to False.")] Boolean FilterOpenInToOnlyManagedApps; + [Write, Description("Disable protection of data transferred to other apps through IOS OpenIn option. This setting is only allowed to be True when AllowedOutboundDataTransferDestinations is set to ManagedApps.")] Boolean DisableProtectionOfManagedOutboundOpenInData; + [Write, Description("Protect incoming data from unknown source. This setting is only allowed to be True when AllowedInboundDataTransferSources is set to AllApps.")] Boolean ProtectInboundDataFromUnknownSources; + [Write, Description("A custom browser protocol to open weblink on iOS.")] String CustomBrowserProtocol; + [Write, Description("List of IDs representing the iOS apps controlled by this protection policy.")] String Apps[]; + [Write, Description("List of IDs of the groups assigned to this iOS Protection Policy.")] String Assignments[]; + [Write, Description("List of IDs of the groups that are excluded from this iOS Protection Policy.")] String ExcludedGroups[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Intune Admin."), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("ID of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("ID of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, 
Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof index a1b48d5074..985ab234c7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof 
@@ -14,12 +14,20 @@ class MSFT_IntuneAppProtectionPolicyiOS : OMI_BaseResource [Write, Description("Count of apps to which the current policy is deployed.")] UInt32 deployedAppCount; [Write, Description("The classes of dialer apps that are allowed to click-to-open a phone number."), ValueMap{"allApps","managedApps","customApp","blocked"}, Values{"allApps","managedApps","customApp","blocked"}] String dialerRestrictionLevel; [Write, Description("A list of custom urls that are allowed to invocate an unmanaged app.")] String ExemptedUniversalLinks[]; - [Write, Description("A grace period before blocking app access during off clock hours.")] String gracePeriodToBlockAppsDuringOffClockHours; + [Write, Description("Indicates if the policy is deployed to any inclusion groups or not.")] Boolean isAssigned; [Write, Description("A list of custom urls that are allowed to invocate a managed app.")] String managedUniversalLinks[]; [Write, Description("Maximum allowed device threat level, as reported by the MTD app Inherited from managedAppProtection."), ValueMap{"notConfigured","secured","low","medium","high"}, Values{"notConfigured","secured","low","medium","high"}] String maximumAllowedDeviceThreatLevel; [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String maximumRequiredOsVersion; - [Write, Description("Versions less than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String minimumRequiredOsVersion; + [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String maximumWarningOsVersion; + [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. 
Inherited from managedAppProtection.")] String maximumWipeOsVersion; + [Write, Description("When a specific app redirection is enforced by protectedMessagingRedirectAppType in an App Protection Policy, this value defines the app url redirect schemes which are allowed to be used.")] String messagingRedirectAppUrlScheme; + [Write, Description("Versions less than the specified version will result in warning message on the managed app from accessing company data.")] String minimumWarningSdkVersion; + [Write, Description("Indicates how to prioritize which Mobile Threat Defense (MTD) partner is enabled for a given platform, when more than one is enabled. An app can only be actively using a single Mobile Threat Defense partner. When NULL, Microsoft Defender will be given preference. Otherwise setting the value to defenderOverThirdPartyPartner or thirdPartyPartnerOverDefender will make explicit which partner to prioritize."), ValueMap{"defenderOverThirdPartyPartner","thirdPartyPartnerOverDefender","unknownFutureValue"}, Values{"defenderOverThirdPartyPartner","thirdPartyPartnerOverDefender","unknownFutureValue"}] String mobileThreatDefensePartnerPriority; + [Write, Description("Determines what action to take if the mobile threat defense threat threshold isn't met. Warn isn't a supported value for this property Inherited from managedAppProtection."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String mobileThreatDefenseRemediationAction; + [Write, Description("Requires a pin to be unique from the number specified in this property. Inherited from managedAppProtection.")] UInt32 previousPinBlockCount; + [Write, Description("Defines how app messaging redirection is protected by an App Protection Policy. Default is anyApp. 
Inherited from managedAppProtection."), ValueMap{"anyApp","anyManagedApp","specificApps","blocked"}, Values{"anyApp","anyManagedApp","specificApps","blocked"}] String protectedMessagingRedirectAppType; + [Write, Description("Defines if third party keyboards are allowed while accessing a managed app.")] Boolean thirdPartyKeyboardsBlocked; [Write, Description("The period after which access is checked when the device is not connected to the internet.")] String PeriodOfflineBeforeAccessCheck; [Write, Description("The period after which access is checked when the device is connected to the internet.")] String PeriodOnlineBeforeAccessCheck; From 71ff5220b1f69659d3c085bedc686cdf12627ec9 Mon Sep 17 00:00:00 2001 From: dannyKBjj Date: Wed, 8 Jan 2025 16:01:27 +0000 Subject: [PATCH 3/8] progress 8-jan --- .../MSFT_IntuneAppProtectionPolicyiOS.psm1 | 38 ++++++++++++++----- ..._IntuneAppProtectionPolicyiOS.schema.bak2} | 2 +- ...FT_IntuneAppProtectionPolicyiOS.schema.mof | 2 +- 3 files changed, 30 insertions(+), 12 deletions(-) rename Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/{MSFT_IntuneAppProtectionPolicyiOS.schema.bak => MSFT_IntuneAppProtectionPolicyiOS.schema.bak2} (99%) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 index 563d5739aa..e420e230a3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 @@ -56,9 +56,9 @@ function Get-TargetResource [System.String[]] $exemptedUniversalLinks, - #[Parameter()] - #[System.String] - #$gracePeriodToBlockAppsDuringOffClockHours, + [Parameter()] + [System.String] + $gracePeriodToBlockAppsDuringOffClockHours, [Parameter()] [System.Boolean] 
@@ -463,6 +463,12 @@ function Get-TargetResource $myPinRequiredInsteadOfBiometricTimeout = $policy.PinRequiredInsteadOfBiometricTimeout.toString() } + $myGracePeriodToBlockAppsDuringOffClockHours = $policy.gracePeriodToBlockAppsDuringOffClockHours + if ($null -ne $policy.gracePeriodToBlockAppsDuringOffClockHours) + { + $myGracePeriodToBlockAppsDuringOffClockHours = $policy.gracePeriodToBlockAppsDuringOffClockHours.toString() + } + return @{ Identity = $policy.id DisplayName = $policy.DisplayName @@ -478,7 +484,7 @@ function Get-TargetResource #DeploymentSummary = $DeploymentSummaryArray dialerRestrictionLevel = [string]$policy.dialerRestrictionLevel exemptedUniversalLinks = $policy.exemptedUniversalLinks - #gracePeriodToBlockAppsDuringOffClockHours = [string]$policy.gracePeriodToBlockAppsDuringOffClockHours #duration datatype?! handling as string - https://github.com/microsoftgraph/microsoft-graph-docs-contrib/blob/main/api-reference/beta/resources/intune-mam-iosmanagedappprotection.md + gracePeriodToBlockAppsDuringOffClockHours = $myGracePeriodToBlockAppsDuringOffClockHours isAssigned = $policy.isAssigned managedUniversalLinks = $policy.managedUniversalLinks maximumAllowedDeviceThreatLevel = [string]$policy.maximumAllowedDeviceThreatLevel @@ -628,9 +634,9 @@ function Set-TargetResource [System.String[]] $exemptedUniversalLinks, - #[Parameter()] - #[System.String] - #$gracePeriodToBlockAppsDuringOffClockHours, + [Parameter()] + [System.String] + $gracePeriodToBlockAppsDuringOffClockHours, [Parameter()] [System.Boolean] @@ -970,6 +976,7 @@ function Set-TargetResource 'PeriodOfflineBeforeWipeIsEnforced' 'PeriodBeforePinReset' 'PinRequiredInsteadOfBiometricTimeout' + 'gracePeriodToBlockAppsDuringOffClockHours' ) foreach ($duration in $durationParameters) { 
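Review bot: In the `@@ -463,6 +463,12 @@` hunk the value returned for `gracePeriodToBlockAppsDuringOffClockHours` is whatever `.toString()` of the Graph object yields, while the `@@ -970,6 +976,7 @@` hunk hands the same name to the `$durationParameters` conversion in Set-TargetResource, whose loop body lies outside this hunk; unless the two string forms round-trip exactly, Test-TargetResource will report drift on every run, so this deserves a unit test with a non-null duration and a short comment on the parameter stating the expected string form (the comment removed in `@@ -478,7 +484,7 @@` recorded this open question and the replacement keeps none of it). The null guard is correct, but the first assignment is redundant; `$myGracePeriodToBlockAppsDuringOffClockHours = if ($null -ne $policy.gracePeriodToBlockAppsDuringOffClockHours) { $policy.gracePeriodToBlockAppsDuringOffClockHours.toString() }` expresses the same thing in one statement, though the existing `PinRequiredInsteadOfBiometricTimeout` block uses the longer form, so consistency may win. The enclosing Get-TargetResource and Set-TargetResource bodies begin and end outside these hunks.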
@@ -997,6 +1004,16 @@ function Set-TargetResource } $createParameters.ExemptedAppProtocols = $myExemptedAppProtocols + $arrayTemp = @("minimumWarningSdkVersion","maximumRequiredOsVersion","maximumWarningOsVersion","maximumWipeOsVersion") + Foreach($item in $arrayTemp) + { + + if ($createParameters.$item -eq "") + { + $createParameters.Remove($item) #for some reason cmdlet can't handle this being blank, which is annoying as we can't enforce it + } + } + $policy = New-MgBetaDeviceAppManagementiOSManagedAppProtection -BodyParameter $createParameters Update-IntuneAppProtectionPolicyiOSApp -IosManagedAppProtectionId $policy.id -Apps $myApps @@ -1033,6 +1050,7 @@ function Set-TargetResource 'PeriodOfflineBeforeWipeIsEnforced' 'PeriodBeforePinReset' 'PinRequiredInsteadOfBiometricTimeout' + 'gracePeriodToBlockAppsDuringOffClockHours' ) foreach ($duration in $durationParameters) { @@ -1124,9 +1142,9 @@ function Test-TargetResource [System.String[]] $exemptedUniversalLinks, - #[Parameter()] - #[System.String] - # $gracePeriodToBlockAppsDuringOffClockHours, + [Parameter()] + [System.String] + $gracePeriodToBlockAppsDuringOffClockHours, [Parameter()] [System.Boolean] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak2 similarity index 99% rename from Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak rename to Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak2 index c34afb341c..985ab234c7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak2 
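Review bot: The blank-value stripping added in `@@ -997,6 +1004,16 @@` runs only on the create path (it precedes `New-MgBetaDeviceAppManagementiOSManagedAppProtection`); the update hunk `@@ -1033,6 +1050,7 @@` on the same line only adds the duration name, so an update with one of those four version properties set to `""` presumably still sends the blank unless that is handled in code outside these hunks. The check `$createParameters.$item -eq ""` also misses whitespace-only values; `if ([string]::IsNullOrWhiteSpace($createParameters.$item))` covers both, and `Remove` on an absent key is harmless if `$createParameters` is the hashtable it appears to be. Naming and casing drift from the rest of the file: `Foreach`/`$arrayTemp`/`$item` sit a few lines above a lowercase `foreach ($duration in $durationParameters)`, so `foreach ($versionParameter in $versionParametersRejectedWhenBlank)` would read consistently. The trailing comment should state the constraint rather than the frustration, e.g. `# The cmdlet rejects an empty string for these version properties, so omit them; an empty value therefore cannot be enforced.`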
@@ -14,7 +14,7 @@ class MSFT_IntuneAppProtectionPolicyiOS : OMI_BaseResource [Write, Description("Count of apps to which the current policy is deployed.")] UInt32 deployedAppCount; [Write, Description("The classes of dialer apps that are allowed to click-to-open a phone number."), ValueMap{"allApps","managedApps","customApp","blocked"}, Values{"allApps","managedApps","customApp","blocked"}] String dialerRestrictionLevel; [Write, Description("A list of custom urls that are allowed to invocate an unmanaged app.")] String ExemptedUniversalLinks[]; - [Write, Description("A grace period before blocking app access during off clock hours.")] String gracePeriodToBlockAppsDuringOffClockHours; + [Write, Description("Indicates if the policy is deployed to any inclusion groups or not.")] Boolean isAssigned; [Write, Description("A list of custom urls that are allowed to invocate a managed app.")] String managedUniversalLinks[]; [Write, Description("Maximum allowed device threat level, as reported by the MTD app Inherited from managedAppProtection."), ValueMap{"notConfigured","secured","low","medium","high"}, Values{"notConfigured","secured","low","medium","high"}] String maximumAllowedDeviceThreatLevel; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof index 985ab234c7..c34afb341c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof 
@@ -14,7 +14,7 @@ class MSFT_IntuneAppProtectionPolicyiOS : OMI_BaseResource [Write, Description("Count of apps to which the current policy is deployed.")] UInt32 deployedAppCount; [Write, Description("The classes of dialer apps that are allowed to click-to-open a phone number."), ValueMap{"allApps","managedApps","customApp","blocked"}, Values{"allApps","managedApps","customApp","blocked"}] String dialerRestrictionLevel; [Write, Description("A list of custom urls that are allowed to invocate an unmanaged app.")] String ExemptedUniversalLinks[]; - + [Write, Description("A grace period before blocking app access during off clock hours.")] String gracePeriodToBlockAppsDuringOffClockHours; [Write, Description("Indicates if the policy is deployed to any inclusion groups or not.")] Boolean isAssigned; [Write, Description("A list of custom urls that are allowed to invocate a managed app.")] String managedUniversalLinks[]; [Write, Description("Maximum allowed device threat level, as reported by the MTD app Inherited from managedAppProtection."), ValueMap{"notConfigured","secured","low","medium","high"}, Values{"notConfigured","secured","low","medium","high"}] String maximumAllowedDeviceThreatLevel; From 1f9ed073dc14aba272a94abd222d101d0123ed60 Mon Sep 17 00:00:00 2001 From: dannyKBjj Date: Wed, 8 Jan 2025 17:56:25 +0000 Subject: [PATCH 4/8] First Draft - fixes 5589 Adds support for all missing properties documented here: https://github.com/microsoftgraph/microsoft-graph-docs-contrib/blob/main/api-reference/beta/resources/intune-mam-iosmanagedappprotection.md Fixes issue #5589 --- .../MSFT_IntuneAppProtectionPolicyiOS.psm1 | 15 ++++ ...T_IntuneAppProtectionPolicyiOS.schema.bak2 | 89 ------------------- ...FT_IntuneAppProtectionPolicyiOS.schema.mof | 1 + 3 files changed, 16 insertions(+), 89 deletions(-) delete mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak2 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 index e420e230a3..a9e0279c27 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 @@ -16,6 +16,11 @@ function Get-TargetResource [System.String] $Description, #my stuff + + [Parameter()] + [System.String[]] + $AllowedDataIngestionLocations, + [Parameter()] [System.Boolean] $AllowWidgetContentSync, @@ -474,6 +479,7 @@ function Get-TargetResource DisplayName = $policy.DisplayName Description = $policy.Description + AllowedDataIngestionLocations = [String[]]$policy.AllowedDataIngestionLocations AllowWidgetContentSync = $policy.AllowWidgetContentSync appActionIfAccountIsClockedOut = [string]$policy.appActionIfAccountIsClockedOut appActionIfUnableToAuthenticateUser = [string]$policy.appActionIfUnableToAuthenticateUser @@ -594,6 +600,10 @@ function Set-TargetResource [System.String] $Description, #my stuff + [Parameter()] + [System.String[]] + $AllowedDataIngestionLocations, + [Parameter()] [System.Boolean] $AllowWidgetContentSync, @@ -1102,6 +1112,11 @@ function Test-TargetResource [System.String] $Description, #my stuff + + [Parameter()] + [System.String[]] + $AllowedDataIngestionLocations, + [Parameter()] [System.Boolean] $AllowWidgetContentSync, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak2 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak2 deleted file mode 100644 index 985ab234c7..0000000000 
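Review bot: The `#my stuff` scratch marker is still present as a context line in the parameter blocks of the `@@ -16,6 +16,11 @@`, `@@ -594,6 +600,10 @@` and `@@ -1102,6 +1112,11 @@` hunks and should be removed before this is merged. The same hunks add the new `$AllowedDataIngestionLocations` parameter with a leading `+` blank line in Get-TargetResource and Test-TargetResource but not in Set-TargetResource, so the three parameter blocks no longer match line for line; pick one layout for all three. Nothing in these hunks documents the parameter on the psm1 side; the schema description is the file's convention, so at minimum the new MOF entry must describe it accurately rather than the psm1 repeating it.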
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.bak2 +++ /dev/null 
@@ -1,89 +0,0 @@ -[ClassVersion("1.0.0.0"), FriendlyName("IntuneAppProtectionPolicyiOS")] -class MSFT_IntuneAppProtectionPolicyiOS : OMI_BaseResource -{ - [Key, Description("Display name of the iOS App Protection Policy.")] String DisplayName; - [Write, Description("Identity of the iOS App Protection Policy.")] String Identity; - [Write, Description("Description of the iOS App Protection Policy.")] String Description; - - [Write, Description("Indicates if content sync for widgets is allowed for iOS on App Protection Policies.")] Boolean AllowWidgetContentSync; - [Write, Description("Defines a managed app behavior, either block or warn, if the user is clocked out (non-working time)."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String appActionIfAccountIsClockedOut; - [Write, Description("If set, it will specify what action to take in the case where the user is unable to checkin because their authentication token is invalid. This happens when the user is deleted or disabled in AAD. 
."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String appActionIfUnableToAuthenticateUser; - [Write, Description("Public Apps selection: group or individual Inherited from targetedManagedAppProtection."), ValueMap{"selectedPublicApps","allCoreMicrosoftApps","allMicrosoftApps","allApps"}, Values{"selectedPublicApps","allCoreMicrosoftApps","allMicrosoftApps","allApps"}] String appGroupType; - [Write, Description("Indicates whether a user can bring data into org documents.")] boolean blockDataIngestionIntoOrganizationDocuments; - [Write, Description("Protocol of a custom dialer app to click-to-open a phone number on iOS, for example, skype:.")] String customDialerAppProtocol; - [Write, Description("Count of apps to which the current policy is deployed.")] UInt32 deployedAppCount; - [Write, Description("The classes of dialer apps that are allowed to click-to-open a phone number."), ValueMap{"allApps","managedApps","customApp","blocked"}, Values{"allApps","managedApps","customApp","blocked"}] String dialerRestrictionLevel; - [Write, Description("A list of custom urls that are allowed to invocate an unmanaged app.")] String ExemptedUniversalLinks[]; - - [Write, Description("Indicates if the policy is deployed to any inclusion groups or not.")] Boolean isAssigned; - [Write, Description("A list of custom urls that are allowed to invocate a managed app.")] String managedUniversalLinks[]; - [Write, Description("Maximum allowed device threat level, as reported by the MTD app Inherited from managedAppProtection."), ValueMap{"notConfigured","secured","low","medium","high"}, Values{"notConfigured","secured","low","medium","high"}] String maximumAllowedDeviceThreatLevel; - [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. 
Inherited from managedAppProtection.")] String maximumRequiredOsVersion; - [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String maximumWarningOsVersion; - [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String maximumWipeOsVersion; - [Write, Description("When a specific app redirection is enforced by protectedMessagingRedirectAppType in an App Protection Policy, this value defines the app url redirect schemes which are allowed to be used.")] String messagingRedirectAppUrlScheme; - [Write, Description("Versions less than the specified version will result in warning message on the managed app from accessing company data.")] String minimumWarningSdkVersion; - [Write, Description("Indicates how to prioritize which Mobile Threat Defense (MTD) partner is enabled for a given platform, when more than one is enabled. An app can only be actively using a single Mobile Threat Defense partner. When NULL, Microsoft Defender will be given preference. Otherwise setting the value to defenderOverThirdPartyPartner or thirdPartyPartnerOverDefender will make explicit which partner to prioritize."), ValueMap{"defenderOverThirdPartyPartner","thirdPartyPartnerOverDefender","unknownFutureValue"}, Values{"defenderOverThirdPartyPartner","thirdPartyPartnerOverDefender","unknownFutureValue"}] String mobileThreatDefensePartnerPriority; - [Write, Description("Determines what action to take if the mobile threat defense threat threshold isn't met. 
Warn isn't a supported value for this property Inherited from managedAppProtection."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String mobileThreatDefenseRemediationAction; - [Write, Description("Requires a pin to be unique from the number specified in this property. Inherited from managedAppProtection.")] UInt32 previousPinBlockCount; - [Write, Description("Defines how app messaging redirection is protected by an App Protection Policy. Default is anyApp. Inherited from managedAppProtection."), ValueMap{"anyApp","anyManagedApp","specificApps","blocked"}, Values{"anyApp","anyManagedApp","specificApps","blocked"}] String protectedMessagingRedirectAppType; - [Write, Description("Defines if third party keyboards are allowed while accessing a managed app.")] Boolean thirdPartyKeyboardsBlocked; - - [Write, Description("The period after which access is checked when the device is not connected to the internet.")] String PeriodOfflineBeforeAccessCheck; - [Write, Description("The period after which access is checked when the device is connected to the internet.")] String PeriodOnlineBeforeAccessCheck; - [Write, Description("Sources from which data is allowed to be transferred. Possible values are: allApps, managedApps, none."), ValueMap{"allApps","managedApps", "none"}, Values{"allApps","managedApps", "none"}] String AllowedInboundDataTransferSources; - [Write, Description("Destinations to which data is allowed to be transferred. Possible values are: allApps, managedApps, none."), ValueMap{"allApps","managedApps", "none"}, Values{"allApps","managedApps", "none"}] String AllowedOutboundDataTransferDestinations; - [Write, Description("Indicates whether organizational credentials are required for app use.")] Boolean OrganizationalCredentialsRequired; - [Write, Description("The level to which the clipboard may be shared between apps on the managed device. 
Possible values are: allApps, managedAppsWithPasteIn, managedApps, blocked."), ValueMap{"allApps","managedAppsWithPasteIn","managedApps", "blocked"}, Values{"allApps","managedAppsWithPasteIn","managedApps", "blocked"}] String AllowedOutboundClipboardSharingLevel; - [Write, Description("Indicates whether the backup of a managed app's data is blocked.")] Boolean DataBackupBlocked; - [Write, Description("Indicates whether device compliance is required.")] Boolean DeviceComplianceRequired; - [Write, Description("Indicates whether internet links should be opened in the managed browser app, or any custom browser specified by CustomBrowserProtocol (for iOS) or CustomBrowserPackageId/CustomBrowserDisplayName (for Android).")] Boolean ManagedBrowserToOpenLinksRequired; - [Write, Description("Indicates whether users may use the Save As menu item to save a copy of protected files.")] Boolean SaveAsBlocked; - [Write, Description("The amount of time an app is allowed to remain disconnected from the internet before all managed data it is wiped.")] String PeriodOfflineBeforeWipeIsEnforced; - [Write, Description("Indicates whether an app-level pin is required.")] Boolean PinRequired; - [Write, description("Indicates whether use of the app pin is required if the device pin is set.")] Boolean DisableAppPinIfDevicePinIsSet; - [Write, Description("Maximum number of incorrect pin retry attempts before the managed app is either blocked or wiped.")] UInt32 MaximumPinRetries; - [Write, Description("Block simple PIN and require complex PIN to be set.")] Boolean SimplePinBlocked; - [Write, Description("Minimum pin length required for an app-level pin if PinRequired is set to True.")] UInt32 MinimumPinLength; - [Write, Description("Character set which may be used for an app-level pin if PinRequired is set to True. 
Possible values are: numeric, alphanumericAndSymbol."), ValueMap{"numeric","alphanumericAndSymbol"}, Values{"numeric","alphanumericAndSymbol"}] String PinCharacterSet; - [Write, Description("Data storage locations where a user may store managed data.")] String AllowedDataStorageLocations[]; - [Write, Description("Indicates whether contacts can be synced to the user's device.")] Boolean ContactSyncBlocked; - [Write, Description("TimePeriod before the all-level pin must be reset if PinRequired is set to True.")] String PeriodBeforePinReset; - [Write, Description("Indicates whether printing is allowed from managed apps.")] Boolean PrintBlocked; - [Write, Description("Indicates whether use of the fingerprint reader is allowed in place of a pin if PinRequired is set to True.")] Boolean FingerprintBlocked; - [Write, Description("Indicates whether use of the FaceID is allowed in place of a pin if PinRequired is set to True.")] Boolean FaceIdBlocked; - [Write, Description("Indicates in which managed browser(s) that internet links should be opened. When this property is configured, ManagedBrowserToOpenLinksRequired should be true. 
Possible values are: notConfigured, microsoftEdge."), ValueMap{"notConfigured","microsoftEdge"}, Values{"notConfigured","microsoftEdge"}] String ManagedBrowser; - [Write, Description("Versions less than the specified version will block the managed app from accessing company data.")] String MinimumRequiredAppVersion; - [Write, Description("Versions less than the specified version will result in warning message on the managed app from accessing company data.")] String MinimumWarningAppVersion; - [Write, Description("Versions less than the specified version will block the managed app from accessing company data.")] String MinimumRequiredOSVersion; - [Write, Description("Versions less than the specified version will result in warning message on the managed app from accessing company data.")] String MinimumWarningOSVersion; - [Write, Description("Versions less than the specified version will block the managed app from accessing company data.")] String MinimumRequiredSdkVersion; - [Write, Description("Versions less than or equal to the specified version will wipe the managed app and the associated company data.")] String MinimumWipeOSVersion; - [Write, Description("Versions less than or equal to the specified version will wipe the managed app and the associated company data.")] String MinimumWipeAppVersion; - [Write, Description("Defines a managed app behavior, either block or wipe, when the device is either rooted or jailbroken, if DeviceComplianceRequired is set to true."), ValueMap{"block","wipe","warn"}, Values{"block","wipe","warn"}] String AppActionIfDeviceComplianceRequired; - [Write, Description("Defines a managed app behavior, either block or wipe, based on maximum number of incorrect pin retry attempts."), ValueMap{"block","wipe","warn"}, Values{"block","wipe","warn"}] String AppActionIfMaximumPinRetriesExceeded; - [Write, Description("Timeout in minutes for an app pin instead of non biometrics passcode .")] String PinRequiredInsteadOfBiometricTimeout; - 
[Write, Description("Specify the number of characters that may be cut or copied from Org data and accounts to any application. This setting overrides the AllowedOutboundClipboardSharingLevel restriction. Default value of '0' means no exception is allowed.")] Uint32 AllowedOutboundClipboardSharingExceptionLength; - [Write, Description("Specify app notification restriction."), ValueMap{"allow","blockOrganizationalData","block"}, Values{"allow","blockOrganizationalData","block"}] String NotificationRestriction; - [Write, Description("The intended app management levels for this policy."), ValueMap{"unspecified","unmanaged","mdm","androidEnterprise"}, Values{"unspecified","unmanaged","mdm","androidEnterprise"}] String TargetedAppManagementLevels[]; - [Write, Description("Require app data to be encrypted."), Values{"useDeviceSettings","afterDeviceRestart","whenDeviceLockedExceptOpenFiles","whenDeviceLocked"}, ValueMap{"useDeviceSettings","afterDeviceRestart","whenDeviceLockedExceptOpenFiles","whenDeviceLocked"}] String AppDataEncryptionType; - [Write, Description("Apps in this list will be exempt from the policy and will be able to receive data from managed apps.")] String ExemptedAppProtocols[]; - [Write, Description("Versions less than the specified version will block the managed app from accessing company data.")] String MinimumWipeSdkVersion; - [Write, Description("Semicolon seperated list of device models allowed, as a string, for the managed app to work.")] String AllowedIosDeviceModels[]; - [Write, Description("Defines a managed app behavior, either block or wipe, if the specified device model is not allowed."), ValueMap{"block","wipe","warn"}, Values{"block","wipe","warn"}] String AppActionIfIosDeviceModelNotAllowed; - [Write, Description("Defines if open-in operation is supported from the managed app to the filesharing locations selected. 
This setting only applies when AllowedOutboundDataTransferDestinations is set to ManagedApps and DisableProtectionOfManagedOutboundOpenInData is set to False.")] Boolean FilterOpenInToOnlyManagedApps; - [Write, Description("Disable protection of data transferred to other apps through IOS OpenIn option. This setting is only allowed to be True when AllowedOutboundDataTransferDestinations is set to ManagedApps.")] Boolean DisableProtectionOfManagedOutboundOpenInData; - [Write, Description("Protect incoming data from unknown source. This setting is only allowed to be True when AllowedInboundDataTransferSources is set to AllApps.")] Boolean ProtectInboundDataFromUnknownSources; - [Write, Description("A custom browser protocol to open weblink on iOS.")] String CustomBrowserProtocol; - [Write, Description("List of IDs representing the iOS apps controlled by this protection policy.")] String Apps[]; - [Write, Description("List of IDs of the groups assigned to this iOS Protection Policy.")] String Assignments[]; - [Write, Description("List of IDs of the groups that are excluded from this iOS Protection Policy.")] String ExcludedGroups[]; - [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; - [Write, Description("Credentials of the Intune Admin."), EmbeddedInstance("MSFT_Credential")] string Credential; - [Write, Description("ID of the Azure Active Directory application to authenticate with.")] String ApplicationId; - [Write, Description("ID of the Azure Active Directory tenant used for authentication.")] String TenantId; - [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; - [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; - [Write, 
Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
- [Write, Description("Access token used for authentication.")] String AccessTokens[];
-};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof
index c34afb341c..eafd2d8f62 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof
@@ -5,6 +5,7 @@ class MSFT_IntuneAppProtectionPolicyiOS : OMI_BaseResource
 [Write, Description("Identity of the iOS App Protection Policy.")] String Identity;
 [Write, Description("Description of the iOS App Protection Policy.")] String Description;
+ [Write, Description("Data storage locations where a user may store managed data. Inherited from managedAppProtection.")] String AllowedDataIngestionLocations[];
 [Write, Description("Indicates if content sync for widgets is allowed for iOS on App Protection Policies.")] Boolean AllowWidgetContentSync;
 [Write, Description("Defines a managed app behavior, either block or warn, if the user is clocked out (non-working time)."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String appActionIfAccountIsClockedOut;
 [Write, Description("If set, it will specify what action to take in the case where the user is unable to checkin because their authentication token is invalid. This happens when the user is deleted or disabled in AAD. ."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String appActionIfUnableToAuthenticateUser;
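Review bot: The added `AllowedDataIngestionLocations[]` declaration carries no ValueMap/Values, unlike the enumerated properties on the neighbouring lines, so the LCM will accept any string and a mistyped location is only caught when the Graph call fails at apply time. The test fixtures later in this series use `oneDriveForBusiness`, `sharePoint` and `camera`; if that is the accepted set (the Graph enum may also list photoLibrary — confirm against the resource docs linked in patch 5), declare it: `[Write, Description("Locations from which users may bring data into managed apps (inbound). Inherited from managedAppProtection."), ValueMap{"oneDriveForBusiness","sharePoint","camera"}, Values{"oneDriveForBusiness","sharePoint","camera"}] String AllowedDataIngestionLocations[];`. The current wording "Data storage locations where a user may store managed data" describes the outbound direction already covered by AllowedDataStorageLocations, whereas this property restricts where data may be brought in from, and that distinction is what an admin reviewing a data-protection policy needs to see. The class body continues outside the hunk.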
From 29bb9f686ff3c5cf040fab24c8304f782d3ec6c9 Mon Sep 17 00:00:00 2001
From: dannyKBjj
Date: Thu, 9 Jan 2025 14:47:29 +0000
Subject: [PATCH 5/8] Fix for issue #5589 Added support for missing properties that are documented here: https://github.com/microsoftgraph/microsoft-graph-docs-contrib/blob/main/api-reference/beta/resources/intune-mam-iosmanagedappprotection.md
---
 ...FT_IntuneAppProtectionPolicyiOS.schema.mof | 2 +-
 ...DSC.IntuneAppProtectionPolicyiOS.Tests.ps1 | 806 +++++++++++-------
 2 files changed, 516 insertions(+), 292 deletions(-)
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof
index eafd2d8f62..8c3bc4006f 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof
@@ -67,7 +67,7 @@ class MSFT_IntuneAppProtectionPolicyiOS : OMI_BaseResource
 [Write, Description("Specify the number of characters that may be cut or copied from Org data and accounts to any application. This setting overrides the AllowedOutboundClipboardSharingLevel restriction. Default value of '0' means no exception is allowed.")] Uint32 AllowedOutboundClipboardSharingExceptionLength;
 [Write, Description("Specify app notification restriction."), ValueMap{"allow","blockOrganizationalData","block"}, Values{"allow","blockOrganizationalData","block"}] String NotificationRestriction;
 [Write, Description("The intended app management levels for this policy."), ValueMap{"unspecified","unmanaged","mdm","androidEnterprise"}, Values{"unspecified","unmanaged","mdm","androidEnterprise"}] String TargetedAppManagementLevels[];
- [Write, Description("Require app data to be encrypted."), Values{"useDeviceSettings","afterDeviceRestart","whenDeviceLockedExceptOpenFiles","whenDeviceLocked"}, ValueMap{"useDeviceSettings","afterDeviceRestart","whenDeviceLockedExceptOpenFiles","whenDeviceLocked"}] String AppDataEncryptionType;
+ [Write, Description("Require app data to be encrypted."), Values{"useDeviceSettings","afterDeviceRestart","whenDeviceLockedExceptOpenFiles","whenDeviceLocked"}, ValueMap{"useDeviceSettings","afterDeviceRestart","whenDeviceLockedExceptOpenFiles","whenDeviceLocked"}] String AppDataEncryptionType;
 [Write, Description("Apps in this list will be exempt from the policy and will be able to receive data from managed apps.")] String ExemptedAppProtocols[];
 [Write, Description("Versions less than the specified version will block the managed app from accessing company data.")] String MinimumWipeSdkVersion;
 [Write, Description("Semicolon seperated list of device models allowed, as a string, for the managed app to work.")] String AllowedIosDeviceModels[];
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1
index f9816cfe26..c8a6855a52 100644
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1
@@ -77,45 +77,73 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "When the Policy doesn't already exist" -Fixture { BeforeAll { $testParams = @{ - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') - Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - Ensure = 'Present' - ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') - FaceIdBlocked = $False - FingerprintBlocked = $False - Credential = $Credential - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOSVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOSVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - Identity = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = @('unmanaged') + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + 
appActionIfUnableToAuthenticateUser = "block"; + appGroupType = "selectedPublicApps"; + blockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + customDialerAppProtocol = "skype"; + deployedAppCount = 3; + dialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + isAssigned = $True; + managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + maximumAllowedDeviceThreatLevel = "low"; + maximumRequiredOsVersion = "1"; + maximumWarningOsVersion = "1"; + maximumWipeOsVersion = "1"; + messagingRedirectAppUrlScheme = "https://www.fakesite.com"; + mobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + previousPinBlockCount = 0; + protectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + thirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') + Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + Ensure = 'Present' + ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') + FaceIdBlocked = $False + FingerprintBlocked = $False + Credential = $Credential + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOSVersion = '0.2' + 
MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOSVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + Identity = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = @('unmanaged') } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtection -MockWith { return $null 
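Review bot: The desired-state fixture now sets `deployedAppCount = 3;` and `isAssigned = $True;`, which on the Graph side are, as their names suggest, values the service derives from the policy's app list and assignments rather than settings an admin writes; if the resource passes them through to Test-TargetResource and Set-TargetResource, a real policy whose app count or assignment state differs will report drift on every consistency check and the Set may try to write a property the API does not accept. Confirm which of the new properties are read-only in the iosManagedAppProtection docs linked in this patch, and drop those from the settable parameter set and from this fixture. The same fixture is pasted into the contexts at @@ -139,84, @@ -286,82 and @@ -422,84; building it once in the outer BeforeAll and cloning it per context would keep the four copies from diverging. Style: the new entries use double quotes, semicolons and camelCase keys (`appGroupType`, `dialerRestrictionLevel`) while the carried-over entries use single quotes and PascalCase; because these keys are splatted as parameter names, following the resource's existing PascalCase convention avoids two spellings of the same parameter across the repository.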
@@ -139,84 +167,140 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'When the policy already exists and is NOT in the Desired State' -Fixture { BeforeAll { $testParams = @{ - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') - Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - Ensure = 'Present' - ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') - FaceIdBlocked = $False - FingerprintBlocked = $False - Credential = $Credential - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOSVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOSVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $False; #Drift - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - Identity = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = @('unmanaged') + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + 
AppActionIfIosDeviceModelNotAllowed = "block"; + appActionIfUnableToAuthenticateUser = "block"; + appGroupType = "selectedPublicApps"; + blockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + customDialerAppProtocol = "skype"; + deployedAppCount = 3; + dialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + isAssigned = $True; + managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + maximumAllowedDeviceThreatLevel = "low"; + maximumRequiredOsVersion = "1"; + maximumWarningOsVersion = "1"; + maximumWipeOsVersion = "1"; + messagingRedirectAppUrlScheme = "https://www.fakesite.com"; + mobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + previousPinBlockCount = 0; + protectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + thirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') + Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + Ensure = 'Present' + ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') + FaceIdBlocked = $False + FingerprintBlocked = $False + Credential = $Credential + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + 
MinimumRequiredOSVersion = '0.2' + MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOSVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $False; #Drift + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + Identity = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = @('unmanaged') } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtection -MockWith { return @{ '@odata.type' = '#microsoft.graph.iosManagedAppProtection' - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - FaceIdBlocked = $False - FingerprintBlocked = $False - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOSVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOSVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - 
PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - id = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = 'unmanaged' + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + appActionIfUnableToAuthenticateUser = "block"; + appGroupType = "selectedPublicApps"; + blockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + customDialerAppProtocol = "skype"; + deployedAppCount = 3; + dialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + isAssigned = $True; + managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + maximumAllowedDeviceThreatLevel = "low"; + maximumRequiredOsVersion = "1"; + maximumWarningOsVersion = "1"; + maximumWipeOsVersion = "1"; + messagingRedirectAppUrlScheme = "https://www.fakesite.com"; + mobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + previousPinBlockCount = 0; + protectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + thirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + FaceIdBlocked = $False + 
FingerprintBlocked = $False + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOSVersion = '0.2' + MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOSVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + id = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = 'unmanaged' } } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtectionApp -MockWith { 
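Review bot: The only drift in this context is still `ManagedBrowserToOpenLinksRequired = $False; #Drift` on the desired side, so none of the newly compared properties is ever exercised on the not-in-desired-state path; a comparison the resource silently skips for, say, `maximumAllowedDeviceThreatLevel` or `mobileThreatDefenseRemediationAction` would still pass this suite, and those are the settings that decide whether a device flagged by threat defense keeps access to corporate data. Consider a second drift on a new property, e.g. have the mock return `maximumAllowedDeviceThreatLevel = "high"; #Drift` while the desired state keeps `"low"`, or add a small context per property family so the new comparison code is covered. The mocked Graph object also carries `deployedAppCount` and `isAssigned`, so whether they participate in the comparison deserves an explicit check here. The context block continues outside the hunk.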
@@ -286,82 +370,138 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'When the policy already exists and IS in the Desired State' -Fixture { BeforeAll { $testParams = @{ - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - Ensure = 'Present' - FaceIdBlocked = $False - FingerprintBlocked = $False - Credential = $Credential - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOsVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOsVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - Identity = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = @('unmanaged') + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + appActionIfUnableToAuthenticateUser = "block"; + appGroupType = "selectedPublicApps"; + 
blockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + customDialerAppProtocol = "skype"; + deployedAppCount = 3; + dialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + isAssigned = $True; + managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + maximumAllowedDeviceThreatLevel = "low"; + maximumRequiredOsVersion = "1"; + maximumWarningOsVersion = "1"; + maximumWipeOsVersion = "1"; + messagingRedirectAppUrlScheme = "https://www.fakesite.com"; + mobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + previousPinBlockCount = 0; + protectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + thirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + Ensure = 'Present' + FaceIdBlocked = $False + FingerprintBlocked = $False + Credential = $Credential + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOsVersion = '0.2' + MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOsVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + 
OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + Identity = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = @('unmanaged') } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtection -MockWith { return @{ '@odata.type' = '#microsoft.graph.iosManagedAppProtection' - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - FaceIdBlocked = $False - FingerprintBlocked = $False - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOsVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOsVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - id = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = 'unmanaged' + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + 
AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + appActionIfUnableToAuthenticateUser = "block"; + appGroupType = "selectedPublicApps"; + blockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + customDialerAppProtocol = "skype"; + deployedAppCount = 3; + dialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + isAssigned = $True; + managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + maximumAllowedDeviceThreatLevel = "low"; + maximumRequiredOsVersion = "1"; + maximumWarningOsVersion = "1"; + maximumWipeOsVersion = "1"; + messagingRedirectAppUrlScheme = "https://www.fakesite.com"; + mobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + previousPinBlockCount = 0; + protectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + thirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + FaceIdBlocked = $False + FingerprintBlocked = $False + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOsVersion = '0.2' + MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOsVersion = '0.1' + 
ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + id = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = 'unmanaged' } } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtectionApp -MockWith { 
@@ -422,84 +562,140 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'When the policy exists and it SHOULD NOT' -Fixture { BeforeAll { $testParams = @{ - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') - Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - Ensure = 'Absent' - ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') - FaceIdBlocked = $False - FingerprintBlocked = $False - Credential = $Credential - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOSVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOSVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - Identity = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = @('unmanaged') + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + 
appActionIfUnableToAuthenticateUser = "block"; + appGroupType = "selectedPublicApps"; + blockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + customDialerAppProtocol = "skype"; + deployedAppCount = 3; + dialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + isAssigned = $True; + managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + maximumAllowedDeviceThreatLevel = "low"; + maximumRequiredOsVersion = "1"; + maximumWarningOsVersion = "1"; + maximumWipeOsVersion = "1"; + messagingRedirectAppUrlScheme = "https://www.fakesite.com"; + mobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + previousPinBlockCount = 0; + protectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + thirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') + Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + Ensure = 'Absent' + ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') + FaceIdBlocked = $False + FingerprintBlocked = $False + Credential = $Credential + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOSVersion = '0.2' + 
MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOSVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + Identity = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = @('unmanaged') } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtection -MockWith { return @{ - '@odata.type' = '#microsoft.graph.iosManagedAppProtection' - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - FaceIdBlocked = $False - FingerprintBlocked = $False - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOSVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOSVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = 
$True - SimplePinBlocked = $False - id = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = 'unmanaged' + '@odata.type' = '#microsoft.graph.iosManagedAppProtection' + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + appActionIfUnableToAuthenticateUser = "block"; + appGroupType = "selectedPublicApps"; + blockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + customDialerAppProtocol = "skype"; + deployedAppCount = 3; + dialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + isAssigned = $True; + managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + maximumAllowedDeviceThreatLevel = "low"; + maximumRequiredOsVersion = "1"; + maximumWarningOsVersion = "1"; + maximumWipeOsVersion = "1"; + messagingRedirectAppUrlScheme = "https://www.fakesite.com"; + mobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + previousPinBlockCount = 0; + protectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + thirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + 
FaceIdBlocked = $False + FingerprintBlocked = $False + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOSVersion = '0.2' + MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOSVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + id = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = 'unmanaged' } } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtectionApp -MockWith { 
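Review bot: The ~60-entry policy hashtable is pasted almost verbatim into both `$testParams` and the `Get-MgBetaDeviceAppManagementiosManagedAppProtection` mock in this context, and again in the `@@ -577,40 +773,68 @@` hunk, so every future property change has to be repeated in each copy and a typo in one copy silently weakens only that context. Consider building the policy values once in the top-level `BeforeAll` (e.g. `$script:policyValues = @{ ... }`) and cloning it per context, overriding only `Ensure`, `Identity`/`id` and the few fields a context needs to differ. The added entries also mix trailing semicolons, double quotes and lower-camel keys (`appGroupType = "selectedPublicApps";`) with the file's existing unterminated, single-quoted, PascalCase style (`AllowedInboundDataTransferSources = 'managedApps'`); since the mock is what the Test parameters are compared against, keys that match the resource's parameter names keep the fixture readable. The enclosing `Describe` block starts and ends outside the hunk.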
@@ -577,40 +773,68 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtection -MockWith { return @{ '@odata.type' = '#microsoft.graph.iosManagedAppProtection' - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - FaceIdBlocked = $False - FingerprintBlocked = $False - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOSVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOSVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - id = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = 'unmanaged' + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + appActionIfUnableToAuthenticateUser = "block"; + appGroupType = "selectedPublicApps"; + blockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + customDialerAppProtocol = "skype"; + 
deployedAppCount = 3; + dialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + isAssigned = $True; + managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + maximumAllowedDeviceThreatLevel = "low"; + maximumRequiredOsVersion = "1"; + maximumWarningOsVersion = "1"; + maximumWipeOsVersion = "1"; + messagingRedirectAppUrlScheme = "https://www.fakesite.com"; + mobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + previousPinBlockCount = 0; + protectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + thirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + FaceIdBlocked = $False + FingerprintBlocked = $False + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOSVersion = '0.2' + MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOSVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = 
$False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + id = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = 'unmanaged' } } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtectionApp -MockWith { From 22649b3e1a7559c21027af76ccf8ca8b11e4d43e Mon Sep 17 00:00:00 2001 From: dannyKBjj Date: Fri, 17 Jan 2025 11:53:29 +0000 Subject: [PATCH 6/8] Requested changes have been made. https://github.com/microsoft/Microsoft365DSC/pull/5617 --- CHANGELOG.md | 2 - .../MSFT_IntuneAppProtectionPolicyiOS.psm1 | 188 ++++++------ ...FT_IntuneAppProtectionPolicyiOS.schema.mof | 42 ++- ...DSC.IntuneAppProtectionPolicyiOS.Tests.ps1 | 288 +++++++++--------- 4 files changed, 251 insertions(+), 269 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1a2450bf5c..10a9d48c4b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -44,8 +44,6 @@ * DEPENDENCIES * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.202. * Updated MSCloudLoginAssistant to version 1.1.31. -* IntuneAppProtectionPolicyiOS - * Fixes [#5589] https://github.com/microsoft/Microsoft365DSC/issues/5589 # 1.24.1211.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 index a9e0279c27..63b5398693 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 @@ -15,7 +15,6 @@ function Get-TargetResource [Parameter()] [System.String] $Description, -#my stuff [Parameter()] [System.String[]] 
@@ -28,100 +27,99 @@ function Get-TargetResource
 [Parameter()]
 [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')]
 [System.String]
- $appActionIfAccountIsClockedOut,
+ $AppActionIfAccountIsClockedOut,
 [Parameter()]
 [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')]
 [System.String]
- $appActionIfUnableToAuthenticateUser,
+ $AppActionIfUnableToAuthenticateUser,
 [Parameter()]
 [ValidateSet('selectedPublicApps', 'allCoreMicrosoftApps', 'allMicrosoftApps','allApps')]
 [System.String]
- $appGroupType,
+ $AppGroupType,
 [Parameter()]
 [System.Boolean]
- $blockDataIngestionIntoOrganizationDocuments,
+ $BlockDataIngestionIntoOrganizationDocuments,
 [Parameter()]
 [System.String]
- $customDialerAppProtocol,
+ $CustomDialerAppProtocol,
 [Parameter()]
 [System.UInt32]
- $deployedAppCount,
+ $DeployedAppCount,
 [Parameter()]
 [ValidateSet('allApps','managedApps','customApp','blocked')]
 [System.String]
- $dialerRestrictionLevel,
+ $DialerRestrictionLevel,
 [Parameter()]
 [System.String[]]
- $exemptedUniversalLinks,
+ $ExemptedUniversalLinks,
 [Parameter()]
 [System.String]
- $gracePeriodToBlockAppsDuringOffClockHours,
+ $GracePeriodToBlockAppsDuringOffClockHours,
 [Parameter()]
 [System.Boolean]
- $isAssigned,
+ $IsAssigned,
 [Parameter()]
 [System.String[]]
- $managedUniversalLinks,
+ $ManagedUniversalLinks,
 [Parameter()]
 [ValidateSet('notConfigured', 'secured', 'low', 'medium', 'high')]
 [System.String]
- $maximumAllowedDeviceThreatLevel,
+ $MaximumAllowedDeviceThreatLevel,
 [Parameter()]
 [System.String]
- $maximumRequiredOsVersion,
+ $MaximumRequiredOsVersion,
 [Parameter()]
 [System.String]
- $maximumWarningOsVersion,
+ $MaximumWarningOsVersion,
 [Parameter()]
 [System.String]
- $maximumWipeOsVersion,
+ $MaximumWipeOsVersion,
 [Parameter()]
 [System.String]
- $messagingRedirectAppUrlScheme,
+ $MessagingRedirectAppUrlScheme,
 [Parameter()]
 [System.String]
- $minimumWarningSdkVersion,
+ $MinimumWarningSdkVersion,
 [Parameter()]
 [ValidateSet('defenderOverThirdPartyPartner','thirdPartyPartnerOverDefender','unknownFutureValue')]
 [System.String]
- $mobileThreatDefensePartnerPriority,
+ $MobileThreatDefensePartnerPriority,
 [Parameter()]
 [ValidateSet('block','wipe','warn','blockWhenSettingIsSupported')]
 [System.String]
- $mobileThreatDefenseRemediationAction,
+ $MobileThreatDefenseRemediationAction,
 [Parameter()]
 [System.UInt32]
- $previousPinBlockCount,
+ $PreviousPinBlockCount,
 [Parameter()]
 [ValidateSet('anyApp','anyManagedApp','specificApps','blocked')]
 [System.String]
- $protectedMessagingRedirectAppType,
+ $ProtectedMessagingRedirectAppType,
 [Parameter()]
 [System.Boolean]
 $ThirdPartyKeyboardsBlocked,
-#my stuff
 [Parameter()]
 [System.String]
 $PeriodOfflineBeforeAccessCheck,
@@ -425,7 +423,6 @@ function Get-TargetResource
 {
 $assignmentsArray += $assignmentValue
 }
-
 if ($policyAssignment.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget')
 {
 $exclusionArray += $assignmentValue
@@ -478,33 +475,30 @@ function Get-TargetResource Identity = $policy.id DisplayName = $policy.DisplayName Description = $policy.Description - AllowedDataIngestionLocations = [String[]]$policy.AllowedDataIngestionLocations AllowWidgetContentSync = $policy.AllowWidgetContentSync - appActionIfAccountIsClockedOut = [string]$policy.appActionIfAccountIsClockedOut - appActionIfUnableToAuthenticateUser = [string]$policy.appActionIfUnableToAuthenticateUser - appGroupType = [string]$policy.appGroupType - blockDataIngestionIntoOrganizationDocuments = $policy.blockDataIngestionIntoOrganizationDocuments - customDialerAppProtocol = [string]$policy.customDialerAppProtocol - deployedAppCount = $policy.deployedAppCount - #DeploymentSummary = $DeploymentSummaryArray - dialerRestrictionLevel = [string]$policy.dialerRestrictionLevel - exemptedUniversalLinks = $policy.exemptedUniversalLinks - gracePeriodToBlockAppsDuringOffClockHours = $myGracePeriodToBlockAppsDuringOffClockHours - isAssigned = $policy.isAssigned - managedUniversalLinks = $policy.managedUniversalLinks - maximumAllowedDeviceThreatLevel = [string]$policy.maximumAllowedDeviceThreatLevel - maximumRequiredOsVersion = [string]$policy.maximumRequiredOsVersion - maximumWarningOsVersion = [string]$policy.maximumWarningOsVersion - maximumWipeOsVersion = [string]$policy.maximumWipeOsVersion - messagingRedirectAppUrlScheme = [string]$policy.messagingRedirectAppUrlScheme - minimumWarningSdkVersion = [string]$policy.minimumWarningSdkVersion - mobileThreatDefensePartnerPriority = [string]$policy.mobileThreatDefensePartnerPriority - mobileThreatDefenseRemediationAction = [string]$policy.mobileThreatDefenseRemediationAction - previousPinBlockCount = $policy.previousPinBlockCount - protectedMessagingRedirectAppType = [string]$policy.protectedMessagingRedirectAppType + AppActionIfAccountIsClockedOut = [string]$policy.appActionIfAccountIsClockedOut + AppActionIfUnableToAuthenticateUser = [string]$policy.appActionIfUnableToAuthenticateUser 
+ AppGroupType = [string]$policy.appGroupType + BlockDataIngestionIntoOrganizationDocuments = $policy.blockDataIngestionIntoOrganizationDocuments + CustomDialerAppProtocol = [string]$policy.customDialerAppProtocol + DeployedAppCount = $policy.deployedAppCount + DialerRestrictionLevel = [string]$policy.dialerRestrictionLevel + ExemptedUniversalLinks = $policy.exemptedUniversalLinks + GracePeriodToBlockAppsDuringOffClockHours = $myGracePeriodToBlockAppsDuringOffClockHours + IsAssigned = $policy.isAssigned + ManagedUniversalLinks = $policy.managedUniversalLinks + MaximumAllowedDeviceThreatLevel = [string]$policy.maximumAllowedDeviceThreatLevel + MaximumRequiredOsVersion = [string]$policy.maximumRequiredOsVersion + MaximumWarningOsVersion = [string]$policy.maximumWarningOsVersion + MaximumWipeOsVersion = [string]$policy.maximumWipeOsVersion + MessagingRedirectAppUrlScheme = [string]$policy.messagingRedirectAppUrlScheme + MinimumWarningSdkVersion = [string]$policy.minimumWarningSdkVersion + MobileThreatDefensePartnerPriority = [string]$policy.mobileThreatDefensePartnerPriority + MobileThreatDefenseRemediationAction = [string]$policy.mobileThreatDefenseRemediationAction + PreviousPinBlockCount = $policy.previousPinBlockCount + ProtectedMessagingRedirectAppType = [string]$policy.protectedMessagingRedirectAppType thirdPartyKeyboardsBlocked = $policy.thirdPartyKeyboardsBlocked - PeriodOfflineBeforeAccessCheck = $myPeriodOfflineBeforeAccessCheck PeriodOnlineBeforeAccessCheck = $myPeriodOnlineBeforeAccessCheck AllowedInboundDataTransferSources = [String]$policy.AllowedInboundDataTransferSources @@ -599,7 +593,7 @@ function Set-TargetResource [Parameter()] [System.String] $Description, -#my stuff + [Parameter()] [System.String[]] $AllowedDataIngestionLocations, 
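Review bot: The return hashtable drops `AllowedDataIngestionLocations` and the `.schema.mof` hunk drops the property, yet the `@@ -599,7 +593,7 @@` Set-TargetResource hunk still shows `[System.String[]] $AllowedDataIngestionLocations,` as a parameter (and the `[System.String[]]` that follows the removed `#my stuff` marker in the Get and Test headers suggests the same), leaving a parameter that Get never reports and the schema never exposes; remove it from all three functions or keep the property. `DeployedAppCount = $policy.deployedAppCount` and `IsAssigned = $policy.isAssigned` appear to be values computed by the service rather than settable policy properties, and since Test-TargetResource only removes `Identity` from `$ValuesToCheck` (`@@ -1472,7 +1459,6 @@`), a configuration that declares them would report drift whenever the service-side count or assignment state changes — consider excluding them from `$ValuesToCheck` or marking them read-only in the schema. The `-` before `PeriodOfflineBeforeAccessCheck = $myPeriodOfflineBeforeAccessCheck` may mark a removed blank line or may remove that entry; if the latter, Get no longer reports a property Set and Test still accept, so please confirm. `thirdPartyKeyboardsBlocked` is the one key left in lower camel case after the rename; hashtable keys are case-insensitive so it works, but `ThirdPartyKeyboardsBlocked` would match the parameter. The enclosing Get-TargetResource function starts and ends outside the hunk.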
@@ -611,100 +605,99 @@ function Set-TargetResource [Parameter()] [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] [System.String] - $appActionIfAccountIsClockedOut, + $AppActionIfAccountIsClockedOut, [Parameter()] [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] [System.String] - $appActionIfUnableToAuthenticateUser, + $AppActionIfUnableToAuthenticateUser, [Parameter()] [ValidateSet('selectedPublicApps', 'allCoreMicrosoftApps', 'allMicrosoftApps','allApps')] [System.String] - $appGroupType, + $AppGroupType, [Parameter()] [System.Boolean] - $blockDataIngestionIntoOrganizationDocuments, + $BlockDataIngestionIntoOrganizationDocuments, [Parameter()] [System.String] - $customDialerAppProtocol, + $CustomDialerAppProtocol, [Parameter()] [System.UInt32] - $deployedAppCount, + $DeployedAppCount, [Parameter()] [ValidateSet('allApps','managedApps','customApp','blocked')] [System.String] - $dialerRestrictionLevel, + $DialerRestrictionLevel, [Parameter()] [System.String[]] - $exemptedUniversalLinks, + $ExemptedUniversalLinks, [Parameter()] [System.String] - $gracePeriodToBlockAppsDuringOffClockHours, + $GracePeriodToBlockAppsDuringOffClockHours, [Parameter()] [System.Boolean] - $isAssigned, + $IsAssigned, [Parameter()] [System.String[]] - $managedUniversalLinks, + $ManagedUniversalLinks, [Parameter()] [ValidateSet('notConfigured', 'secured', 'low', 'medium', 'high')] [System.String] - $maximumAllowedDeviceThreatLevel, + $MaximumAllowedDeviceThreatLevel, [Parameter()] [System.String] - $maximumRequiredOsVersion, + $MaximumRequiredOsVersion, [Parameter()] [System.String] - $maximumWarningOsVersion, + $MaximumWarningOsVersion, [Parameter()] [System.String] - $maximumWipeOsVersion, + $MaximumWipeOsVersion, [Parameter()] [System.String] - $messagingRedirectAppUrlScheme, + $MessagingRedirectAppUrlScheme, [Parameter()] [System.String] - $minimumWarningSdkVersion, + $MinimumWarningSdkVersion, [Parameter()] 
[ValidateSet('defenderOverThirdPartyPartner','thirdPartyPartnerOverDefender','unknownFutureValue')] [System.String] - $mobileThreatDefensePartnerPriority, + $MobileThreatDefensePartnerPriority, [Parameter()] [ValidateSet('block','wipe','warn','blockWhenSettingIsSupported')] [System.String] - $mobileThreatDefenseRemediationAction, + $MobileThreatDefenseRemediationAction, [Parameter()] [System.UInt32] - $previousPinBlockCount, + $PreviousPinBlockCount, [Parameter()] [ValidateSet('anyApp','anyManagedApp','specificApps','blocked')] [System.String] - $protectedMessagingRedirectAppType, + $ProtectedMessagingRedirectAppType, [Parameter()] [System.Boolean] $ThirdPartyKeyboardsBlocked, -#my stuff [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, @@ -986,7 +979,7 @@ function Set-TargetResource 'PeriodOfflineBeforeWipeIsEnforced' 'PeriodBeforePinReset' 'PinRequiredInsteadOfBiometricTimeout' - 'gracePeriodToBlockAppsDuringOffClockHours' + 'GracePeriodToBlockAppsDuringOffClockHours' ) foreach ($duration in $durationParameters) { @@ -1017,7 +1010,6 @@ function Set-TargetResource $arrayTemp = @("minimumWarningSdkVersion","maximumRequiredOsVersion","maximumWarningOsVersion","maximumWipeOsVersion") Foreach($item in $arrayTemp) { - if ($createParameters.$item -eq "") { $createParameters.Remove($item) #for some reason cmdlet can't handle this being blank, which is annoying as we can't enforce it @@ -1040,11 +1032,9 @@ function Set-TargetResource $updateParameters.Remove('Apps') $updateParameters.TargetedAppManagementLevels = $updateParameters.TargetedAppManagementLevels -join ',' - $arrayTemp = @("minimumWarningSdkVersion","maximumRequiredOsVersion","maximumWarningOsVersion","maximumWipeOsVersion") Foreach($item in $arrayTemp) { - if ($updateParameters.$item -eq "") { $updateParameters.Remove($item) #for some reason cmdlet can't handle this being blank, which is annoying as we can't enforce it 
@@ -1060,7 +1050,7 @@ function Set-TargetResource 'PeriodOfflineBeforeWipeIsEnforced' 'PeriodBeforePinReset' 'PinRequiredInsteadOfBiometricTimeout' - 'gracePeriodToBlockAppsDuringOffClockHours' + 'GracePeriodToBlockAppsDuringOffClockHours' ) foreach ($duration in $durationParameters) { @@ -1080,7 +1070,6 @@ function Set-TargetResource $updateParameters.ExemptedAppProtocols = $myExemptedAppProtocols Update-MgBetaDeviceAppManagementiOSManagedAppProtection -IosManagedAppProtectionId $Identity -BodyParameter $updateParameters - Update-IntuneAppProtectionPolicyiOSApp -IosManagedAppProtectionId $Identity -Apps $myApps Write-Verbose -Message "Updating policy assignments: $myassignments" @@ -1111,7 +1100,6 @@ function Test-TargetResource [Parameter()] [System.String] $Description, -#my stuff [Parameter()] [System.String[]] 
@@ -1124,100 +1112,99 @@ function Test-TargetResource [Parameter()] [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] [System.String] - $appActionIfAccountIsClockedOut, + $AppActionIfAccountIsClockedOut, [Parameter()] [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] [System.String] - $appActionIfUnableToAuthenticateUser, + $AppActionIfUnableToAuthenticateUser, [Parameter()] [ValidateSet('selectedPublicApps', 'allCoreMicrosoftApps', 'allMicrosoftApps','allApps')] [System.String] - $appGroupType, + $AppGroupType, [Parameter()] [System.Boolean] - $blockDataIngestionIntoOrganizationDocuments, + $BlockDataIngestionIntoOrganizationDocuments, [Parameter()] [System.String] - $customDialerAppProtocol, + $CustomDialerAppProtocol, [Parameter()] [System.UInt32] - $deployedAppCount, + $DeployedAppCount, [Parameter()] [ValidateSet('allApps','managedApps','customApp','blocked')] [System.String] - $dialerRestrictionLevel, + $DialerRestrictionLevel, [Parameter()] [System.String[]] - $exemptedUniversalLinks, + $ExemptedUniversalLinks, [Parameter()] [System.String] - $gracePeriodToBlockAppsDuringOffClockHours, + $GracePeriodToBlockAppsDuringOffClockHours, [Parameter()] [System.Boolean] - $isAssigned, + $IsAssigned, [Parameter()] [System.String[]] - $managedUniversalLinks, + $ManagedUniversalLinks, [Parameter()] [ValidateSet('notConfigured', 'secured', 'low', 'medium', 'high')] [System.String] - $maximumAllowedDeviceThreatLevel, + $MaximumAllowedDeviceThreatLevel, [Parameter()] [System.String] - $maximumRequiredOsVersion, + $MaximumRequiredOsVersion, [Parameter()] [System.String] - $maximumWarningOsVersion, + $MaximumWarningOsVersion, [Parameter()] [System.String] - $maximumWipeOsVersion, + $MaximumWipeOsVersion, [Parameter()] [System.String] - $messagingRedirectAppUrlScheme, + $MessagingRedirectAppUrlScheme, [Parameter()] [System.String] - $minimumWarningSdkVersion, + $MinimumWarningSdkVersion, [Parameter()] 
[ValidateSet('defenderOverThirdPartyPartner','thirdPartyPartnerOverDefender','unknownFutureValue')] [System.String] - $mobileThreatDefensePartnerPriority, + $MobileThreatDefensePartnerPriority, [Parameter()] [ValidateSet('block','wipe','warn','blockWhenSettingIsSupported')] [System.String] - $mobileThreatDefenseRemediationAction, + $MobileThreatDefenseRemediationAction, [Parameter()] [System.UInt32] - $previousPinBlockCount, + $PreviousPinBlockCount, [Parameter()] [ValidateSet('anyApp','anyManagedApp','specificApps','blocked')] [System.String] - $protectedMessagingRedirectAppType, + $ProtectedMessagingRedirectAppType, [Parameter()] [System.Boolean] $ThirdPartyKeyboardsBlocked, -#my stuff [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, @@ -1472,7 +1459,6 @@ function Test-TargetResource Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() - $ValuesToCheck.Remove('Identity') $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof index 8c3bc4006f..c480543983 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof 
@@ -4,32 +4,30 @@ class MSFT_IntuneAppProtectionPolicyiOS : OMI_BaseResource [Key, Description("Display name of the iOS App Protection Policy.")] String DisplayName; [Write, Description("Identity of the iOS App Protection Policy.")] String Identity; [Write, Description("Description of the iOS App Protection Policy.")] String Description; - [Write, Description("Data storage locations where a user may store managed data. Inherited from managedAppProtection.")] String AllowedDataIngestionLocations[]; [Write, Description("Indicates if content sync for widgets is allowed for iOS on App Protection Policies.")] Boolean AllowWidgetContentSync; - [Write, Description("Defines a managed app behavior, either block or warn, if the user is clocked out (non-working time)."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String appActionIfAccountIsClockedOut; - [Write, Description("If set, it will specify what action to take in the case where the user is unable to checkin because their authentication token is invalid. This happens when the user is deleted or disabled in AAD. 
."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String appActionIfUnableToAuthenticateUser; - [Write, Description("Public Apps selection: group or individual Inherited from targetedManagedAppProtection."), ValueMap{"selectedPublicApps","allCoreMicrosoftApps","allMicrosoftApps","allApps"}, Values{"selectedPublicApps","allCoreMicrosoftApps","allMicrosoftApps","allApps"}] String appGroupType; - [Write, Description("Indicates whether a user can bring data into org documents.")] boolean blockDataIngestionIntoOrganizationDocuments; - [Write, Description("Protocol of a custom dialer app to click-to-open a phone number on iOS, for example, skype:.")] String customDialerAppProtocol; - [Write, Description("Count of apps to which the current policy is deployed.")] UInt32 deployedAppCount; - [Write, Description("The classes of dialer apps that are allowed to click-to-open a phone number."), ValueMap{"allApps","managedApps","customApp","blocked"}, Values{"allApps","managedApps","customApp","blocked"}] String dialerRestrictionLevel; + [Write, Description("Defines a managed app behavior, either block or warn, if the user is clocked out (non-working time)."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String AppActionIfAccountIsClockedOut; + [Write, Description("If set, it will specify what action to take in the case where the user is unable to checkin because their authentication token is invalid. This happens when the user is deleted or disabled in AAD. 
."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String AppActionIfUnableToAuthenticateUser; + [Write, Description("Public Apps selection: group or individual Inherited from targetedManagedAppProtection."), ValueMap{"selectedPublicApps","allCoreMicrosoftApps","allMicrosoftApps","allApps"}, Values{"selectedPublicApps","allCoreMicrosoftApps","allMicrosoftApps","allApps"}] String AppGroupType; + [Write, Description("Indicates whether a user can bring data into org documents.")] boolean BlockDataIngestionIntoOrganizationDocuments; + [Write, Description("Protocol of a custom dialer app to click-to-open a phone number on iOS, for example, skype:.")] String CustomDialerAppProtocol; + [Write, Description("Count of apps to which the current policy is deployed.")] UInt32 DeployedAppCount; + [Write, Description("The classes of dialer apps that are allowed to click-to-open a phone number."), ValueMap{"allApps","managedApps","customApp","blocked"}, Values{"allApps","managedApps","customApp","blocked"}] String DialerRestrictionLevel; [Write, Description("A list of custom urls that are allowed to invocate an unmanaged app.")] String ExemptedUniversalLinks[]; - [Write, Description("A grace period before blocking app access during off clock hours.")] String gracePeriodToBlockAppsDuringOffClockHours; - [Write, Description("Indicates if the policy is deployed to any inclusion groups or not.")] Boolean isAssigned; + [Write, Description("A grace period before blocking app access during off clock hours.")] String GracePeriodToBlockAppsDuringOffClockHours; + [Write, Description("Indicates if the policy is deployed to any inclusion groups or not.")] Boolean IsAssigned; [Write, Description("A list of custom urls that are allowed to invocate a managed app.")] String managedUniversalLinks[]; - [Write, Description("Maximum allowed device threat level, as reported by the MTD app Inherited from 
managedAppProtection."), ValueMap{"notConfigured","secured","low","medium","high"}, Values{"notConfigured","secured","low","medium","high"}] String maximumAllowedDeviceThreatLevel; - [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String maximumRequiredOsVersion; - [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String maximumWarningOsVersion; - [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String maximumWipeOsVersion; - [Write, Description("When a specific app redirection is enforced by protectedMessagingRedirectAppType in an App Protection Policy, this value defines the app url redirect schemes which are allowed to be used.")] String messagingRedirectAppUrlScheme; - [Write, Description("Versions less than the specified version will result in warning message on the managed app from accessing company data.")] String minimumWarningSdkVersion; - [Write, Description("Indicates how to prioritize which Mobile Threat Defense (MTD) partner is enabled for a given platform, when more than one is enabled. An app can only be actively using a single Mobile Threat Defense partner. When NULL, Microsoft Defender will be given preference. Otherwise setting the value to defenderOverThirdPartyPartner or thirdPartyPartnerOverDefender will make explicit which partner to prioritize."), ValueMap{"defenderOverThirdPartyPartner","thirdPartyPartnerOverDefender","unknownFutureValue"}, Values{"defenderOverThirdPartyPartner","thirdPartyPartnerOverDefender","unknownFutureValue"}] String mobileThreatDefensePartnerPriority; - [Write, Description("Determines what action to take if the mobile threat defense threat threshold isn't met. 
Warn isn't a supported value for this property Inherited from managedAppProtection."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String mobileThreatDefenseRemediationAction; - [Write, Description("Requires a pin to be unique from the number specified in this property. Inherited from managedAppProtection.")] UInt32 previousPinBlockCount; - [Write, Description("Defines how app messaging redirection is protected by an App Protection Policy. Default is anyApp. Inherited from managedAppProtection."), ValueMap{"anyApp","anyManagedApp","specificApps","blocked"}, Values{"anyApp","anyManagedApp","specificApps","blocked"}] String protectedMessagingRedirectAppType; - [Write, Description("Defines if third party keyboards are allowed while accessing a managed app.")] Boolean thirdPartyKeyboardsBlocked; - + [Write, Description("Maximum allowed device threat level, as reported by the MTD app Inherited from managedAppProtection."), ValueMap{"notConfigured","secured","low","medium","high"}, Values{"notConfigured","secured","low","medium","high"}] String MaximumAllowedDeviceThreatLevel; + [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String MaximumRequiredOsVersion; + [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String MaximumWarningOsVersion; + [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. 
Inherited from managedAppProtection.")] String MaximumWipeOsVersion; + [Write, Description("When a specific app redirection is enforced by protectedMessagingRedirectAppType in an App Protection Policy, this value defines the app url redirect schemes which are allowed to be used.")] String MessagingRedirectAppUrlScheme; + [Write, Description("Versions less than the specified version will result in warning message on the managed app from accessing company data.")] String MinimumWarningSdkVersion; + [Write, Description("Indicates how to prioritize which Mobile Threat Defense (MTD) partner is enabled for a given platform, when more than one is enabled. An app can only be actively using a single Mobile Threat Defense partner. When NULL, Microsoft Defender will be given preference. Otherwise setting the value to defenderOverThirdPartyPartner or thirdPartyPartnerOverDefender will make explicit which partner to prioritize."), ValueMap{"defenderOverThirdPartyPartner","thirdPartyPartnerOverDefender","unknownFutureValue"}, Values{"defenderOverThirdPartyPartner","thirdPartyPartnerOverDefender","unknownFutureValue"}] String MobileThreatDefensePartnerPriority; + [Write, Description("Determines what action to take if the mobile threat defense threat threshold isn't met. Warn isn't a supported value for this property Inherited from managedAppProtection."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String MobileThreatDefenseRemediationAction; + [Write, Description("Requires a pin to be unique from the number specified in this property. Inherited from managedAppProtection.")] UInt32 PreviousPinBlockCount; + [Write, Description("Defines how app messaging redirection is protected by an App Protection Policy. Default is anyApp. 
Inherited from managedAppProtection."), ValueMap{"anyApp","anyManagedApp","specificApps","blocked"}, Values{"anyApp","anyManagedApp","specificApps","blocked"}] String ProtectedMessagingRedirectAppType; + [Write, Description("Defines if third party keyboards are allowed while accessing a managed app.")] Boolean ThirdPartyKeyboardsBlocked; [Write, Description("The period after which access is checked when the device is not connected to the internet.")] String PeriodOfflineBeforeAccessCheck; [Write, Description("The period after which access is checked when the device is connected to the internet.")] String PeriodOnlineBeforeAccessCheck; [Write, Description("Sources from which data is allowed to be transferred. Possible values are: allApps, managedApps, none."), ValueMap{"allApps","managedApps", "none"}, Values{"allApps","managedApps", "none"}] String AllowedInboundDataTransferSources; diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1 index c8a6855a52..90e6e2a2d3 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1 
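Review bot: `MobileThreatDefenseRemediationAction` keeps `warn` in its ValueMap/Values while its own description says "Warn isn't a supported value for this property", so the schema (and the matching `[ValidateSet]` in the .psm1) lets a configuration compile with a remediation action the service presumably only rejects at apply time; I would drop it, `ValueMap{"block","wipe","blockWhenSettingIsSupported"}, Values{"block","wipe","blockWhenSettingIsSupported"}`, or else correct the description. The descriptions of `MaximumWarningOsVersion` and `MaximumWipeOsVersion` are copied verbatim from `MaximumRequiredOsVersion` and claim the app is blocked, which misdescribes a warn and a wipe threshold; reword them to `Versions bigger than the specified version will result in a warning message on the managed app.` and `Versions bigger than the specified version will wipe company data from the managed app.`. `DeployedAppCount` and `IsAssigned` are declared `Write` although both descriptions describe state the service reports back; if Set-TargetResource forwards them to the create/update body (outside this hunk) that will likely fail or report perpetual drift, so consider `[Read, ...]` for both or excluding them from the comparison. The removal of `AllowedDataIngestionLocations` has no replacement property, so existing configurations that set it will stop compiling; that is a breaking change worth a changelog line and a deprecation note. `managedUniversalLinks` is the one property left in camelCase after the rename.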
@@ -82,29 +82,29 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowWidgetContentSync = $True; AppActionIfDeviceComplianceRequired = "wipe"; AppActionIfIosDeviceModelNotAllowed = "block"; - appActionIfUnableToAuthenticateUser = "block"; - appGroupType = "selectedPublicApps"; - blockDataIngestionIntoOrganizationDocuments = $True; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; CustomBrowserProtocol = "access://open?url=http"; - customDialerAppProtocol = "skype"; - deployedAppCount = 3; - dialerRestrictionLevel = "allApps"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; DisableProtectionOfManagedOutboundOpenInData = $False; - exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); FilterOpenInToOnlyManagedApps = $False; - isAssigned = $True; - managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); - maximumAllowedDeviceThreatLevel = "low"; - maximumRequiredOsVersion = "1"; - maximumWarningOsVersion = "1"; - maximumWipeOsVersion = "1"; - messagingRedirectAppUrlScheme = "https://www.fakesite.com"; - mobileThreatDefenseRemediationAction = "block"; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; NotificationRestriction = "blockOrganizationalData"; - previousPinBlockCount = 0; - protectedMessagingRedirectAppType = 
"anyApp"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; ProtectInboundDataFromUnknownSources = $False; - thirdPartyKeyboardsBlocked = $True; + ThirdPartyKeyboardsBlocked = $True; AllowedDataStorageLocations = @('sharePoint') AllowedInboundDataTransferSources = 'managedApps' AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' 
@@ -172,29 +172,29 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowWidgetContentSync = $True; AppActionIfDeviceComplianceRequired = "wipe"; AppActionIfIosDeviceModelNotAllowed = "block"; - appActionIfUnableToAuthenticateUser = "block"; - appGroupType = "selectedPublicApps"; - blockDataIngestionIntoOrganizationDocuments = $True; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; CustomBrowserProtocol = "access://open?url=http"; - customDialerAppProtocol = "skype"; - deployedAppCount = 3; - dialerRestrictionLevel = "allApps"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; DisableProtectionOfManagedOutboundOpenInData = $False; - exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); FilterOpenInToOnlyManagedApps = $False; - isAssigned = $True; - managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); - maximumAllowedDeviceThreatLevel = "low"; - maximumRequiredOsVersion = "1"; - maximumWarningOsVersion = "1"; - maximumWipeOsVersion = "1"; - messagingRedirectAppUrlScheme = "https://www.fakesite.com"; - mobileThreatDefenseRemediationAction = "block"; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; NotificationRestriction = "blockOrganizationalData"; - previousPinBlockCount = 0; - protectedMessagingRedirectAppType = 
"anyApp"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; ProtectInboundDataFromUnknownSources = $False; - thirdPartyKeyboardsBlocked = $True; + ThirdPartyKeyboardsBlocked = $True; AllowedDataStorageLocations = @('sharePoint') AllowedInboundDataTransferSources = 'managedApps' AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' 
@@ -244,29 +244,29 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowWidgetContentSync = $True; AppActionIfDeviceComplianceRequired = "wipe"; AppActionIfIosDeviceModelNotAllowed = "block"; - appActionIfUnableToAuthenticateUser = "block"; - appGroupType = "selectedPublicApps"; - blockDataIngestionIntoOrganizationDocuments = $True; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; CustomBrowserProtocol = "access://open?url=http"; - customDialerAppProtocol = "skype"; - deployedAppCount = 3; - dialerRestrictionLevel = "allApps"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; DisableProtectionOfManagedOutboundOpenInData = $False; - exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); FilterOpenInToOnlyManagedApps = $False; - isAssigned = $True; - managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); - maximumAllowedDeviceThreatLevel = "low"; - maximumRequiredOsVersion = "1"; - maximumWarningOsVersion = "1"; - maximumWipeOsVersion = "1"; - messagingRedirectAppUrlScheme = "https://www.fakesite.com"; - mobileThreatDefenseRemediationAction = "block"; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; NotificationRestriction = "blockOrganizationalData"; - previousPinBlockCount = 0; - protectedMessagingRedirectAppType = 
"anyApp"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; ProtectInboundDataFromUnknownSources = $False; - thirdPartyKeyboardsBlocked = $True; + ThirdPartyKeyboardsBlocked = $True; AllowedDataStorageLocations = @('sharePoint') AllowedInboundDataTransferSources = 'managedApps' AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' 
@@ -375,29 +375,29 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowWidgetContentSync = $True; AppActionIfDeviceComplianceRequired = "wipe"; AppActionIfIosDeviceModelNotAllowed = "block"; - appActionIfUnableToAuthenticateUser = "block"; - appGroupType = "selectedPublicApps"; - blockDataIngestionIntoOrganizationDocuments = $True; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; CustomBrowserProtocol = "access://open?url=http"; - customDialerAppProtocol = "skype"; - deployedAppCount = 3; - dialerRestrictionLevel = "allApps"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; DisableProtectionOfManagedOutboundOpenInData = $False; - exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); FilterOpenInToOnlyManagedApps = $False; - isAssigned = $True; - managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); - maximumAllowedDeviceThreatLevel = "low"; - maximumRequiredOsVersion = "1"; - maximumWarningOsVersion = "1"; - maximumWipeOsVersion = "1"; - messagingRedirectAppUrlScheme = "https://www.fakesite.com"; - mobileThreatDefenseRemediationAction = "block"; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; NotificationRestriction = "blockOrganizationalData"; - previousPinBlockCount = 0; - protectedMessagingRedirectAppType = 
"anyApp"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; ProtectInboundDataFromUnknownSources = $False; - thirdPartyKeyboardsBlocked = $True; + ThirdPartyKeyboardsBlocked = $True; AllowedDataStorageLocations = @('sharePoint') AllowedInboundDataTransferSources = 'managedApps' AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' 
@@ -445,29 +445,29 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowWidgetContentSync = $True; AppActionIfDeviceComplianceRequired = "wipe"; AppActionIfIosDeviceModelNotAllowed = "block"; - appActionIfUnableToAuthenticateUser = "block"; - appGroupType = "selectedPublicApps"; - blockDataIngestionIntoOrganizationDocuments = $True; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; CustomBrowserProtocol = "access://open?url=http"; - customDialerAppProtocol = "skype"; - deployedAppCount = 3; - dialerRestrictionLevel = "allApps"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; DisableProtectionOfManagedOutboundOpenInData = $False; - exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); FilterOpenInToOnlyManagedApps = $False; - isAssigned = $True; - managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); - maximumAllowedDeviceThreatLevel = "low"; - maximumRequiredOsVersion = "1"; - maximumWarningOsVersion = "1"; - maximumWipeOsVersion = "1"; - messagingRedirectAppUrlScheme = "https://www.fakesite.com"; - mobileThreatDefenseRemediationAction = "block"; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; NotificationRestriction = "blockOrganizationalData"; - previousPinBlockCount = 0; - protectedMessagingRedirectAppType = 
"anyApp"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; ProtectInboundDataFromUnknownSources = $False; - thirdPartyKeyboardsBlocked = $True; + ThirdPartyKeyboardsBlocked = $True; AllowedDataStorageLocations = @('sharePoint') AllowedInboundDataTransferSources = 'managedApps' AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' 
@@ -567,29 +567,29 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowWidgetContentSync = $True; AppActionIfDeviceComplianceRequired = "wipe"; AppActionIfIosDeviceModelNotAllowed = "block"; - appActionIfUnableToAuthenticateUser = "block"; - appGroupType = "selectedPublicApps"; - blockDataIngestionIntoOrganizationDocuments = $True; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; CustomBrowserProtocol = "access://open?url=http"; - customDialerAppProtocol = "skype"; - deployedAppCount = 3; - dialerRestrictionLevel = "allApps"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; DisableProtectionOfManagedOutboundOpenInData = $False; - exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); FilterOpenInToOnlyManagedApps = $False; - isAssigned = $True; - managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); - maximumAllowedDeviceThreatLevel = "low"; - maximumRequiredOsVersion = "1"; - maximumWarningOsVersion = "1"; - maximumWipeOsVersion = "1"; - messagingRedirectAppUrlScheme = "https://www.fakesite.com"; - mobileThreatDefenseRemediationAction = "block"; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; NotificationRestriction = "blockOrganizationalData"; - previousPinBlockCount = 0; - protectedMessagingRedirectAppType = 
"anyApp"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; ProtectInboundDataFromUnknownSources = $False; - thirdPartyKeyboardsBlocked = $True; + ThirdPartyKeyboardsBlocked = $True; AllowedDataStorageLocations = @('sharePoint') AllowedInboundDataTransferSources = 'managedApps' AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' 
@@ -639,29 +639,29 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowWidgetContentSync = $True; AppActionIfDeviceComplianceRequired = "wipe"; AppActionIfIosDeviceModelNotAllowed = "block"; - appActionIfUnableToAuthenticateUser = "block"; - appGroupType = "selectedPublicApps"; - blockDataIngestionIntoOrganizationDocuments = $True; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; CustomBrowserProtocol = "access://open?url=http"; - customDialerAppProtocol = "skype"; - deployedAppCount = 3; - dialerRestrictionLevel = "allApps"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; DisableProtectionOfManagedOutboundOpenInData = $False; - exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); FilterOpenInToOnlyManagedApps = $False; - isAssigned = $True; - managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); - maximumAllowedDeviceThreatLevel = "low"; - maximumRequiredOsVersion = "1"; - maximumWarningOsVersion = "1"; - maximumWipeOsVersion = "1"; - messagingRedirectAppUrlScheme = "https://www.fakesite.com"; - mobileThreatDefenseRemediationAction = "block"; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; NotificationRestriction = "blockOrganizationalData"; - previousPinBlockCount = 0; - protectedMessagingRedirectAppType = 
"anyApp"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; ProtectInboundDataFromUnknownSources = $False; - thirdPartyKeyboardsBlocked = $True; + ThirdPartyKeyboardsBlocked = $True; AllowedDataStorageLocations = @('sharePoint') AllowedInboundDataTransferSources = 'managedApps' AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' 
@@ -778,29 +778,29 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { AllowWidgetContentSync = $True; AppActionIfDeviceComplianceRequired = "wipe"; AppActionIfIosDeviceModelNotAllowed = "block"; - appActionIfUnableToAuthenticateUser = "block"; - appGroupType = "selectedPublicApps"; - blockDataIngestionIntoOrganizationDocuments = $True; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; CustomBrowserProtocol = "access://open?url=http"; - customDialerAppProtocol = "skype"; - deployedAppCount = 3; - dialerRestrictionLevel = "allApps"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; DisableProtectionOfManagedOutboundOpenInData = $False; - exemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); FilterOpenInToOnlyManagedApps = $False; - isAssigned = $True; - managedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); - maximumAllowedDeviceThreatLevel = "low"; - maximumRequiredOsVersion = "1"; - maximumWarningOsVersion = "1"; - maximumWipeOsVersion = "1"; - messagingRedirectAppUrlScheme = "https://www.fakesite.com"; - mobileThreatDefenseRemediationAction = "block"; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; NotificationRestriction = "blockOrganizationalData"; - previousPinBlockCount = 0; - protectedMessagingRedirectAppType = 
"anyApp"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; ProtectInboundDataFromUnknownSources = $False; - thirdPartyKeyboardsBlocked = $True; + ThirdPartyKeyboardsBlocked = $True; AllowedDataStorageLocations = @('sharePoint') AllowedInboundDataTransferSources = 'managedApps' AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' From 3c1cbc6cf3dc325863d8a63bdfa37760f899d33e Mon Sep 17 00:00:00 2001 From: dannyKBjj Date: Fri, 17 Jan 2025 13:31:07 +0000 Subject: [PATCH 7/8] removed some lines --- .../MSFT_IntuneAppProtectionPolicyiOS.psm1 | 2 -- 1 file changed, 2 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 index 63b5398693..d00981d45f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 @@ -1017,9 +1017,7 @@ function Set-TargetResource } $policy = New-MgBetaDeviceAppManagementiOSManagedAppProtection -BodyParameter $createParameters - Update-IntuneAppProtectionPolicyiOSApp -IosManagedAppProtectionId $policy.id -Apps $myApps - Write-Verbose -Message 'Updating policy assignments' Update-IntuneAppProtectionPolicyiOSAssignment -IosManagedAppProtectionId $policy.id -Assignments $myAssignments } From 2760a5d679ae7c8e2fa12250e78223aa140d251b Mon Sep 17 00:00:00 2001 From: Yorick Kuijs Date: Fri, 17 Jan 2025 14:34:48 +0100 Subject: [PATCH 8/8] Fix duplicate entry in CHANGELOG.md --- CHANGELOG.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 10a9d48c4b..56405bc9bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -16,8 +16,6 @@ * DefenderDeviceAuthenticatedScanDefinition * Fixed the Data Type export. * MISC - * DEFENDER - * Added support for the UseBasicParsing paramter for REST calls. * Added check to `New-M365DSCReportFromConfiguration` to make sure Windows Remoting is enabled, which is required to convert the DSC config. * Defender