From 690d34086fc94dd696134fc19e17029ad7dae962 Mon Sep 17 00:00:00 2001 From: Kajalp1079 Date: Mon, 21 Oct 2024 21:37:26 -0700 Subject: [PATCH 01/16] Microsoft365 DSC for Intune Mobile Threat Defense connector. --- ...SFT_IntuneMobileThreatDefenseConnector.mof | 31 + ...FT_IntuneMobileThreatDefenseConnector.psm1 | 693 ++++++++++++++++++ .../readme.md | 6 + .../settings.json | 32 + .../1-Create.ps1 | 48 ++ .../2-Update.ps1 | 46 ++ .../3-Remove.ps1 | 46 ++ ...tuneMobileThreatDefenseConnector.Tests.ps1 | 289 ++++++++ 8 files changed, 1191 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.mof new file mode 100644 index 0000000000..fb65310c94 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.mof 
@@ -0,0 +1,31 @@
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneMobileThreatDefenseConnector")]
+class MSFT_IntuneMobileThreatDefenseConnector : OMI_BaseResource
+{
+ [Key, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("The unique identifier for an entity. Read-only.")] String DisplayName;
+
+ [Write, Description("When TRUE, indicates the Mobile Threat Defense partner may collect metadata about installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about installed applications from Intune for IOS devices. Default value is FALSE.")] Boolean AllowPartnerToCollectIosApplicationMetadata;
+ [Write, Description("When TRUE, indicates the Mobile Threat Defense partner may collect metadata about personally installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about personally installed applications from Intune for IOS devices. Default value is FALSE.")] Boolean AllowPartnerToCollectIosPersonalApplicationMetadata;
+ [Write, Description("For Android, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant.")] Boolean AndroidDeviceBlockedOnMissingPartnerData;
+ [Write, Description("For Android, set whether data from the Mobile Threat Defense partner should be used during compliance evaluations.")] Boolean AndroidEnabled;
+ [Write, Description("When TRUE, inidicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for Android devices. When FALSE, inidicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for Android devices. Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE.")] Boolean AndroidMobileApplicationManagementEnabled;
+ [Write, Description("For IOS, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant.")] Boolean IosDeviceBlockedOnMissingPartnerData;
+ [Write, Description("For IOS, get or set whether data from the Mobile Threat Defense partner should be used during compliance evaluations.")] Boolean IosEnabled;
+ [Write, Description("When TRUE, inidicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for IOS devices. When FALSE, inidicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for IOS devices. Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE.")] Boolean IosMobileApplicationManagementEnabled;
+ [Write, Description("DateTime of last Heartbeat recieved from the Mobile Threat Defense partner.")] DateTime LastHeartbeatDateTime;
+ [Write, Description("When TRUE, inidicates that configuration profile management via Microsoft Defender for Endpoint is enabled. When FALSE, inidicates that configuration profile management via Microsoft Defender for Endpoint is disabled. Default value is FALSE.")] Boolean MicrosoftDefenderForEndpointAttachEnabled;
+ [Write, Description("Partner state of this tenant.")] String PartnerState;
+ [Write, Description("Get or Set days the per tenant tolerance to unresponsiveness for this partner integration.")] Uint32 PartnerUnresponsivenessThresholdInDays;
+ [Write, Description("Get or set whether to block devices on the enabled platforms that do not meet the minimum version requirements of the Mobile Threat Defense partner.")] Boolean PartnerUnsupportedOSVersionBlocked;
+ [Write, Description("When TRUE, inidicates that Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant for Windows. When FALSE, inidicates that Intune may make a device compliant without receiving data from the Mobile Threat Defense partner for Windows. Default value is FALSE.")] Boolean WindowsDeviceBlockedOnMissingPartnerData;
+ [Write, Description("When TRUE, inidicates that data from the Mobile Threat Defense partner can be used during compliance evaluations for Windows. When FALSE, inidicates that data from the Mobile Threat Defense partner should not be used during compliance evaluations for Windows. Default value is FALSE.")] Boolean WindowsEnabled;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1
new file mode 100644
index 0000000000..c4998e3be0
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1
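Review bot: The description of `DisplayName` is a copy of `Id`'s ("The unique identifier for an entity. Read-only."), so the generated resource documentation will describe the wrong property; `[Write, Description("Display name of the Mobile Threat Defense partner. Not exposed by the Graph API; the resource resolves it from a fixed Id-to-name map.")] String DisplayName;`. `PartnerState` is a free-form `String` here while the resource's Test-TargetResource restricts it with a ValidateSet, so a value the schema accepts can still be rejected at test time; adding a matching `ValueMap{...}, Values{...}` pair would keep the two in step. `PartnerUnresponsivenessThresholdInDays` is `Uint32` in the schema but `System.Int32` in the psm1 parameter blocks; the two should agree.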
@@ -0,0 +1,693 @@
+# https://learn.microsoft.com/en-us/graph/api/resources/intune-onboarding-mobilethreatdefenseconnector?view=graph-rest-1.0
+# https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.devicemanagement.administration/new-mgdevicemanagementmobilethreatdefenseconnector?view=graph-powershell-1.0
+
+function Get-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param
+ (
+ #region Intune parameters
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.Boolean]
+ $AllowPartnerToCollectIosApplicationMetadata,
+
+ [Parameter()]
+ [System.Boolean]
+ $AllowPartnerToCollectIosPersonalApplicationMetadata,
+
+ [Parameter()]
+ [System.Boolean]
+ $AndroidDeviceBlockedOnMissingPartnerData,
+
+ [Parameter()]
+ [System.Boolean]
+ $AndroidEnabled,
+
+ [Parameter()]
+ [System.Boolean]
+ $AndroidMobileApplicationManagementEnabled,
+
+ [Parameter()]
+ [System.Boolean]
+ $IosDeviceBlockedOnMissingPartnerData,
+
+ [Parameter()]
+ [System.Boolean]
+ $IosEnabled,
+
+ [Parameter()]
+ [System.Boolean]
+ $IosMobileApplicationManagementEnabled,
+
+ [Parameter()]
+ [System.DateTime]
+ $LastHeartbeatDateTime,
+
+ [Parameter()]
+ [System.Boolean]
+ $MicrosoftDefenderForEndpointAttachEnabled,
+
+ [Parameter()]
+ [System.String]
+ $PartnerState,
+
+ [Parameter()]
+ [System.Int32]
+ $PartnerUnresponsivenessThresholdInDays,
+
+ [Parameter()]
+ [System.Boolean]
+ $PartnerUnsupportedOSVersionBlocked,
+
+ [Parameter()]
+ [System.Boolean]
+ $WindowsDeviceBlockedOnMissingPartnerData,
+
+ [Parameter()]
+ [System.Boolean]
+ $WindowsEnabled,
+
+ #endregion Intune parameters
+
+ [Parameter()]
+ [ValidateSet('Present', 'Absent')]
+ [System.String]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters | Out-Null
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $nullResult = $PSBoundParameters
+ $nullResult.Ensure = 'Absent'
+ try
+ {
+ if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
+ {
+ $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id}
+ }
+ else
+ {
+ $instance = Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $Id -ErrorAction Stop
+ }
+
+ if ($null -eq $instance)
+ {
+ Write-Verbose -Message "Could not find MobileThreatDefenseConnector by Id: {$Id}."
+ if (-Not [string]::IsNullOrEmpty($DisplayName))
+ {
+ # There is no API which searches MobileThreatDefenseConnector by its DisplayName so the below code is commented out.
+ # $instance = Get-MgBetaDeviceManagementMobileThreatDefenseConnector `
+ # -Filter "DisplayName eq '$DisplayName'" `
+
+ # The DisplayName property is not supported by the any API of this resource, hence hard-coded in below function for convenience.
+ $connectorId = (Get-MobileThreatDefenseConnectorIdOrDisplayName -DisplayName $DisplayName).Id
+ $instance = Get-MgBetaDeviceManagementMobileThreatDefenseConnector `
+ -MobileThreatDefenseConnectorId $connectorId
+ -ErrorAction SilentlyContinue
+ }
+
+ if ($null -eq $instance)
+ {
+ Write-Verbose -Message "Could not find MobileThreatDefenseConnector by DisplayName: {$DisplayName}."
+ return $nullResult
+ }
+ }
+
+ if([string]::IsNullOrEmpty($DisplayName))
+ {
+ $DisplayName = (Get-MobileThreatDefenseConnectorIdOrDisplayName -Id $instance.Id).DisplayName
+ }
+
+ $results = @{
+ Id = $instance.Id
+ DisplayName = $DisplayName
+ ResponseHeadersVariable = $instance.ResponseHeadersVariable
+ AllowPartnerToCollectIosApplicationMetadata = $instance.AllowPartnerToCollectIosApplicationMetadata
+ AllowPartnerToCollectIosPersonalApplicationMetadata = $instance.AllowPartnerToCollectIosPersonalApplicationMetadata
+ AndroidDeviceBlockedOnMissingPartnerData = $instance.AndroidDeviceBlockedOnMissingPartnerData
+ AndroidEnabled = $instance.AndroidEnabled
+ AndroidMobileApplicationManagementEnabled = $instance.AndroidMobileApplicationManagementEnabled
+ IosDeviceBlockedOnMissingPartnerData = $instance.IosDeviceBlockedOnMissingPartnerData
+ IosEnabled = $instance.IosEnabled
+ IosMobileApplicationManagementEnabled = $instance.IosMobileApplicationManagementEnabled
+ LastHeartbeatDateTime = $instance.LastHeartbeatDateTime
+ MicrosoftDefenderForEndpointAttachEnabled = $instance.MicrosoftDefenderForEndpointAttachEnabled
+ PartnerState = $instance.PartnerState.ToString()
+ PartnerUnresponsivenessThresholdInDays = $instance.PartnerUnresponsivenessThresholdInDays
+ PartnerUnsupportedOSVersionBlocked = $instance.PartnerUnsupportedOSVersionBlocked
+ WindowsDeviceBlockedOnMissingPartnerData = $instance.WindowsDeviceBlockedOnMissingPartnerData
+ WindowsEnabled = $instance.WindowsEnabled
+
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ ApplicationSecret = $ApplicationSecret
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ AccessTokens = $AccessTokens
+ }
+
+ return [System.Collections.Hashtable] $results
+ }
+ catch
+ {
+ Write-Verbose -Message $_
+ New-M365DSCLogEntry -Message 'Error retrieving data:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return $nullResult
+ }
+}
+
+function Set-TargetResource
+{
+ [CmdletBinding()]
+ param
+ (
+ #region Intune parameters
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.Boolean]
+ $AllowPartnerToCollectIosApplicationMetadata,
+
+ [Parameter()]
+ [System.Boolean]
+ $AllowPartnerToCollectIosPersonalApplicationMetadata,
+
+ [Parameter()]
+ [System.Boolean]
+ $AndroidDeviceBlockedOnMissingPartnerData,
+
+ [Parameter()]
+ [System.Boolean]
+ $AndroidEnabled,
+
+ [Parameter()]
+ [System.Boolean]
+ $AndroidMobileApplicationManagementEnabled,
+
+ [Parameter()]
+ [System.Boolean]
+ $IosDeviceBlockedOnMissingPartnerData,
+
+ [Parameter()]
+ [System.Boolean]
+ $IosEnabled,
+
+ [Parameter()]
+ [System.Boolean]
+ $IosMobileApplicationManagementEnabled,
+
+ [Parameter()]
+ [System.DateTime]
+ $LastHeartbeatDateTime,
+
+ [Parameter()]
+ [System.Boolean]
+ $MicrosoftDefenderForEndpointAttachEnabled,
+
+ [Parameter()]
+ [System.String]
+ $PartnerState,
+
+ [Parameter()]
+ [System.Int32]
+ $PartnerUnresponsivenessThresholdInDays,
+
+ [Parameter()]
+ [System.Boolean]
+ $PartnerUnsupportedOSVersionBlocked,
+
+ [Parameter()]
+ [System.Boolean]
+ $WindowsDeviceBlockedOnMissingPartnerData,
+
+ [Parameter()]
+ [System.Boolean]
+ $WindowsEnabled,
+
+ #endregion Intune parameters
+
+ [Parameter()]
+ [ValidateSet('Present', 'Absent')]
+ [System.String]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $currentInstance = Get-TargetResource @PSBoundParameters
+ $SetParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
+
+ # Remove the DisplayName parameter as the Graph API does not support it
+ $SetParameters.Remove('DisplayName') | Out-Null
+ $SetParameters.Remove('Id') | Out-Null
+ $SetParameters.Remove('LastHeartbeatDateTime') | Out-Null
+
+ # CREATE
+ if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
+ {
+ New-MgBetaDeviceManagementMobileThreatDefenseConnector @SetParameters
+ }
+ # UPDATE
+ elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Update-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $Id @SetParameters
+ }
+ # REMOVE
+ elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Remove-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $Id -Confirm:$false
+ }
+}
+
+function Test-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ #region Intune parameters
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.Boolean]
+ $AllowPartnerToCollectIosApplicationMetadata,
+
+ [Parameter()]
+ [System.Boolean]
+ $AllowPartnerToCollectIosPersonalApplicationMetadata,
+
+ [Parameter()]
+ [System.Boolean]
+ $AndroidDeviceBlockedOnMissingPartnerData,
+
+ [Parameter()]
+ [System.Boolean]
+ $AndroidEnabled,
+
+ [Parameter()]
+ [System.Boolean]
+ $AndroidMobileApplicationManagementEnabled,
+
+ [Parameter()]
+ [System.Boolean]
+ $IosDeviceBlockedOnMissingPartnerData,
+
+ [Parameter()]
+ [System.Boolean]
+ $IosEnabled,
+
+ [Parameter()]
+ [System.Boolean]
+ $IosMobileApplicationManagementEnabled,
+
+ [Parameter()]
+ [System.DateTime]
+ $LastHeartbeatDateTime,
+
+ [Parameter()]
+ [System.Boolean]
+ $MicrosoftDefenderForEndpointAttachEnabled,
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('unavailable', 'available', 'enabled', 'unresponsive', 'notSetUp', 'error')]
+ $PartnerState,
+
+ [Parameter()]
+ [System.Int32]
+ $PartnerUnresponsivenessThresholdInDays,
+
+ [Parameter()]
+ [System.Boolean]
+ $PartnerUnsupportedOSVersionBlocked,
+
+ [Parameter()]
+ [System.Boolean]
+ $WindowsDeviceBlockedOnMissingPartnerData,
+
+ [Parameter()]
+ [System.Boolean]
+ $WindowsEnabled,
+
+ #endregion Intune parameters
+
+ [Parameter()]
+ [ValidateSet('Present', 'Absent')]
+ [System.String]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $CurrentValues = Get-TargetResource @PSBoundParameters
+ $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
+
+ Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+ Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
+
+ $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -DesiredValues $PSBoundParameters `
+ -ValuesToCheck $ValuesToCheck.Keys
+
+ Write-Verbose -Message "Test-TargetResource returned $testResult"
+
+ return $testResult
+}
+
+function Export-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.String])]
+ param
+ (
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ try
+ {
+ $Script:ExportMode = $true
+ [array] $Script:exportedInstances = Get-MgBetaDeviceManagementMobileThreatDefenseConnector -ErrorAction Stop
+
+ $i = 1
+ $dscContent = ''
+ if ($Script:exportedInstances.Length -eq 0)
+ {
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ else
+ {
+ Write-Host "`r`n" -NoNewline
+ }
+
+ foreach ($config in $Script:exportedInstances)
+ {
+ $displayedKey = $config.Id
+ Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline
+ $params = @{
+ Id = $config.Id
+ DisplayName = $config.DisplayName
+ AllowPartnerToCollectIosApplicationMetadata = $config.AllowPartnerToCollectIosApplicationMetadata
+ AllowPartnerToCollectIosPersonalApplicationMetadata = $config.AllowPartnerToCollectIosPersonalApplicationMetadata
+ AndroidDeviceBlockedOnMissingPartnerData = $config.AndroidDeviceBlockedOnMissingPartnerData
+ AndroidEnabled = $config.AndroidEnabled
+ AndroidMobileApplicationManagementEnabled = $config.AndroidMobileApplicationManagementEnabled
+ IosDeviceBlockedOnMissingPartnerData = $config.IosDeviceBlockedOnMissingPartnerData
+ IosEnabled = $config.IosEnabled
+ IosMobileApplicationManagementEnabled = $config.IosMobileApplicationManagementEnabled
+ LastHeartbeatDateTime = $config.LastHeartbeatDateTime
+ MicrosoftDefenderForEndpointAttachEnabled = $config.MicrosoftDefenderForEndpointAttachEnabled
+ PartnerState = $config.PartnerState.ToString()
+ PartnerUnresponsivenessThresholdInDays = $config.PartnerUnresponsivenessThresholdInDays
+ PartnerUnsupportedOSVersionBlocked = $config.PartnerUnsupportedOSVersionBlocked
+ WindowsDeviceBlockedOnMissingPartnerData = $config.WindowsDeviceBlockedOnMissingPartnerData
+ WindowsEnabled = $config.WindowsEnabled
+
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ ApplicationSecret = $ApplicationSecret
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ AccessTokens = $AccessTokens
+ }
+
+ $Results = Get-TargetResource @Params
+ $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+ -Results $Results
+
+ $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+ -ConnectionMode $ConnectionMode `
+ -ModulePath $PSScriptRoot `
+ -Results $Results `
+ -Credential $Credential
+ $dscContent += $currentDSCBlock
+ Save-M365DSCPartialExport -Content $currentDSCBlock `
+ -FileName $Global:PartialExportFileName
+ $i++
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ return $dscContent
+ }
+ catch
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+#region Helper functions
+
+function Get-MobileThreatDefenseConnectorIdOrDisplayName {
+ param (
+ [Parameter(Mandatory = $false)]
+ [string]$Id,
+
+ [Parameter(Mandatory = $false)]
+ [string]$DisplayName
+ )
+
+ # Hashtable mapping IDs to Display Names
+ $IdToDisplayNameMap = @{
+ "fc780465-2017-40d4-a0c5-307022471b92" = "Microsoft Defender for Endpoint"
+ "860d3ab4-8fd1-45f5-89cd-ecf51e4f92e5" = "BETTER Mobile Security"
+ "d3ddeae8-441f-4681-b80f-aef644f7195a" = "Check Point Harmony Mobile"
+ "8d0ed095-8191-4bd3-8a41-953b22d51ff7" = "Pradeo"
+ "1f58d6d2-02cc-4c80-b008-1bfe7396a10a" = "Jamf Trust"
+ "4873197-ffec-4dfc-9816-db65f34c7cb9" = "Trellix Mobile Security"
+ "a447eca6-a986-4d3f-9838-5862bf50776c" = "CylancePROTECT Mobile"
+ "4928f0f6-2660-4f69-b4c5-5170ec921f7b" = "Trend Micro"
+ "bb13fe25-ce1f-45aa-b278-cabbc6b9072e" = "SentinelOne"
+ "e6f777f8-e4c2-4a5b-be01-50b5c124bc7f" = "Windows Security Center"
+ "29ee2d98-e795-475f-a0f8-0802dc3384a9" = "CrowdStrike Falcon for Mobile"
+ "870b252b-0ef0-4707-8847-50fc571472b3" = "Sophos"
+ "2c7790de-8b02-4814-85cf-e0c59380dee8" = "Lookout for Work"
+ "28fd67fd-b179-4629-a8b0-dad420b697c7" = "Symantec Endpoint Protection"
+ "08a8455c-48dd-45ff-ad82-7211355354f3" = "Zimperium"
+ }
+
+ # If Id is provided, look up the DisplayName
+ if($null -ne $Id)
+ {
+ $displayName = $IdToDisplayNameMap[$Id]
+ }
+
+ # If DisplayName is provided, look up the Id
+ # Create a reverse lookup hashtable for DisplayName to Id
+ $DisplayNameToIdMap = @{}
+ foreach ($key in $IdToDisplayNameMap.Keys) {
+ $DisplayNameToIdMap[$IdToDisplayNameMap[$key]] = $key
+ }
+ if (-not [string]::IsNullOrEmpty($DisplayName)) {
+ $Id = $DisplayNameToIdMap[$DisplayName]
+ if (-not $Id) {
+ Write-Host "Internal func: DisplayName '$DisplayName' not found."
+ return
+ }
+ }
+
+ # Create the results tuple
+ return @{
+ Id = $Id
+ DisplayName = $displayName
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md
new file mode 100644
index 0000000000..7d8e6c6dcd
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneMobileAppsMacOSLobApp
+
+## Description
+
+This resouce configures a connection to Mobile Threat Defense partner.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json
new file mode 100644
index 0000000000..e197e32ae5
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json
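Review bot: In Get-TargetResource's DisplayName fallback, the `-MobileThreatDefenseConnectorId $connectorId` line appears to lack the trailing line-continuation backtick that the line above it has, so `-ErrorAction SilentlyContinue` is not part of the Get-MgBetaDeviceManagementMobileThreatDefenseConnector call: an unknown id throws inside the try and is swallowed by the catch as a generic "Error retrieving data" instead of the intended not-found path, and the orphaned `-ErrorAction SilentlyContinue` line is unlikely to parse on its own; append the backtick to the `-MobileThreatDefenseConnectorId $connectorId` line. The `$results` hashtable also carries `ResponseHeadersVariable = $instance.ResponseHeadersVariable`, which is not a property of the MOF schema and will likely be written by Export-TargetResource into a configuration that does not compile; drop that entry. In Get-MobileThreatDefenseConnectorIdOrDisplayName the key `"4873197-ffec-4dfc-9816-db65f34c7cb9"` has only seven hex digits in its first group, so it can never match a real connector id, and `if($null -ne $Id)` is always true for a `[string]` parameter — `if (-not [string]::IsNullOrEmpty($Id))` is the check the comment describes. The helper's `Write-Host "Internal func: ..."` on a miss would be better as Write-Verbose, matching the rest of the module.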
@@ -0,0 +1,32 @@
+{
+ "resourceName": "IntuneMobileThreatDefenseConnector",
+ "description": "This resouce configures a connection to Mobile Threat Defense partner.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "DeviceManagementServiceConfig.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementServiceConfig.ReadWrite.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "DeviceManagementServiceConfig.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementServiceConfig.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1
new file mode 100644
index 0000000000..aa94970b25
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1
@@ -0,0 +1,48 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint"
+ {
+ AllowPartnerToCollectIosApplicationMetadata = $False;
+ AllowPartnerToCollectIosPersonalApplicationMetadata = $False;
+ AndroidDeviceBlockedOnMissingPartnerData = $False;
+ AndroidEnabled = $False;
+ AndroidMobileApplicationManagementEnabled = $False;
+ DisplayName = "Microsoft Defender for Endpoint";
+ Id = "fc780465-2017-40d4-a0c5-307022471b92";
+ IosDeviceBlockedOnMissingPartnerData = $False;
+ IosEnabled = $False;
+ IosMobileApplicationManagementEnabled = $False;
+ LastHeartbeatDateTime = "1/1/0001 12:00:00 AM";
+ MicrosoftDefenderForEndpointAttachEnabled = $False;
+ PartnerState = "notSetUp";
+ PartnerUnresponsivenessThresholdInDays = 7;
+ PartnerUnsupportedOSVersionBlocked = $False;
+ WindowsDeviceBlockedOnMissingPartnerData = $False;
+ WindowsEnabled = $False;
+ Ensure = "Present";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1
new file mode 100644
index 0000000000..48a671ca3d
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1
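Review bot: The example pins `LastHeartbeatDateTime = "1/1/0001 12:00:00 AM";` and `PartnerState = "notSetUp";`, yet the resource's Set-TargetResource strips LastHeartbeatDateTime before calling the Graph cmdlets, so that value can never be enforced, and PartnerState appears to be the status reported by the partner integration rather than something a configuration sets. Test-TargetResource compares every bound key, so both lines will report drift on any tenant whose partner has ever checked in; drop them from the example. 2-Update.ps1 and 3-Remove.ps1 carry the same two lines and need the same change.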
@@ -0,0 +1,46 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint"
+ {
+ AllowPartnerToCollectIosApplicationMetadata = $False;
+ AllowPartnerToCollectIosPersonalApplicationMetadata = $False;
+ AndroidDeviceBlockedOnMissingPartnerData = $False;
+ AndroidEnabled = $True; #drift
+ AndroidMobileApplicationManagementEnabled = $False;
+ DisplayName = "Microsoft Defender for Endpoint";
+ Id = "fc780465-2017-40d4-a0c5-307022471b92";
+ IosDeviceBlockedOnMissingPartnerData = $False;
+ IosEnabled = $False;
+ IosMobileApplicationManagementEnabled = $False;
+ LastHeartbeatDateTime = "1/1/0001 12:00:00 AM";
+ MicrosoftDefenderForEndpointAttachEnabled = $False;
+ PartnerState = "notSetUp";
+ PartnerUnresponsivenessThresholdInDays = 7;
+ PartnerUnsupportedOSVersionBlocked = $False;
+ WindowsDeviceBlockedOnMissingPartnerData = $False;
+ WindowsEnabled = $False;
+ Ensure = "Present";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1
new file mode 100644
index 0000000000..d0f9fec94b
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1
@@ -0,0 +1,46 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint"
+ {
+ AllowPartnerToCollectIosApplicationMetadata = $False;
+ AllowPartnerToCollectIosPersonalApplicationMetadata = $False;
+ AndroidDeviceBlockedOnMissingPartnerData = $False;
+ AndroidEnabled = $False;
+ AndroidMobileApplicationManagementEnabled = $False;
+ DisplayName = "Microsoft Defender for Endpoint";
+ Id = "fc780465-2017-40d4-a0c5-307022471b92";
+ IosDeviceBlockedOnMissingPartnerData = $False;
+ IosEnabled = $False;
+ IosMobileApplicationManagementEnabled = $False;
+ LastHeartbeatDateTime = "1/1/0001 12:00:00 AM";
+ MicrosoftDefenderForEndpointAttachEnabled = $False;
+ PartnerState = "notSetUp";
+ PartnerUnresponsivenessThresholdInDays = 7;
+ PartnerUnsupportedOSVersionBlocked = $False;
+ WindowsDeviceBlockedOnMissingPartnerData = $False;
+ WindowsEnabled = $False;
+ Ensure = "Absent";
+ }
+ }
+}
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1
new file mode 100644
index 0000000000..7037a547ee
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1
@@ -0,0 +1,289 @@ +[CmdletBinding()] +param( +) + +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + } + Mock -CommandName New-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + } + Mock -CommandName Update-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + } + Mock -CommandName Remove-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + # Test contexts + + Context -Name " 1. 
The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return $null + } + } + + It ' 1.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It ' 1.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It ' 1.3 Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementMobileThreatDefenseConnector -Exactly 1 + } + } + + Context -Name " 2. 
The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + } + } + } + + It ' 2.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It ' 2.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It ' 2.3 Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 
Remove-MgBetaDeviceManagementMobileThreatDefenseConnector -Exactly 1 + } + } + + Context -Name " 3. The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + } + } + } + + It ' 3.0 Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name " 4. 
The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; #drift + PartnerUnresponsivenessThresholdInDays = 1; #drift + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + } + } + } + + It ' 4.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It ' 4.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It ' 4.3 Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 
Update-MgBetaDeviceManagementMobileThreatDefenseConnector -Exactly 1 + } + } + + Context -Name ' 5. ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { + return @{ + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + Id = "2c7790de-8b02-4814-85cf-e0c59380dee8"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "available"; + PartnerUnresponsivenessThresholdInDays = 0; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + } + } + } + It ' 5.0 Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From b2d3e1e0701193d39d1aec3b1c4a7d62033cbd6f Mon Sep 17 00:00:00 2001 From: Kajalp1079 Date: Mon, 21 Oct 2024 21:39:18 -0700 Subject: [PATCH 02/16] add in changelog. --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 046e476c01..f197c9d155 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ # UNRELEASED +* IntuneMobileThreatDefenseConnector + * Initial release. * AADAccessReviewDefinition * Initial release. * AADCustomSecurityAttributeDefinition From 70519063c5106844fa2f1ae95fc1628a7f7b0fd4 Mon Sep 17 00:00:00 2001 
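Review bot: None of the five contexts exercises the error path: every Get mock either returns `$null` or a well-formed hashtable, so a Graph call that throws inside Get-TargetResource (throttling, missing permission) is never asserted to yield `Ensure = 'Absent'` rather than propagate. A sixth context with `Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { throw 'constructed failure' }` and `(Get-TargetResource @testParams).Ensure | Should -Be 'Absent'` would pin that contract; the resource module is outside this view, so the expected value depends on how its catch block is written. Separately, the mocked return hashtables omit `DisplayName` while the examples populate it, so drift on that property is never covered. Context 5 sets `$Global:CurrentModeIsExport = $true` without an `AfterAll` reset, which is harmless only because it is the last context in the file.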
From: Ricardo Mestre Date: Fri, 25 Oct 2024 14:26:02 +0100 Subject: [PATCH 03/16] Fixed Test-TargetResource
---
 CHANGELOG.md | 3 +++ .../MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1 | 12 +++++++----- 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b80025659..badf16c941 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,9 @@
 * Initial release.
 * AADSocialIdentityProvider
 * Fixed missing permissions in settings.json
+* EXOArcConfig
+ * Fixed `Test-TargetResource` to correctly check property `ArcTrustedSealers`
+ when it has an array
 * EXOMailboxAuditBypassAssociation
 * Initial release.
 * EXOTenantAllowBlockListItems
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1
index 3da9fdc728..a79d3e4da8 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOArcConfig/MSFT_EXOArcConfig.psm1
@@ -256,15 +256,17 @@ function Test-TargetResource
 Write-Verbose -Message 'Testing configuration of Arc Config settings'
 $CurrentValues = Get-TargetResource @PSBoundParameters
+ $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
- Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
- Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
-
- $ValuesToCheck = $PSBoundParameters
-
+ $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck
 # Need to remove Identity as Get-ArcConfig doesn't return Identity
 $ValuesToCheck.Remove('Identity') | Out-Null
+ $PSBoundParameters.ArcTrustedSealers = $PSBoundParameters.ArcTrustedSealers -Join ','
+
+ Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+ Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
+
 $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
 -Source $($MyInvocation.MyCommand.Source) `
 -DesiredValues $PSBoundParameters `
From 837499f32d22cf44f274f9fb757782b735c02ebc Mon Sep 17 00:00:00 2001
From: Kajalp1079 Date: Fri, 25 Oct 2024 09:59:51 -0700 Subject: [PATCH 04/16] Addressed comments.
---
 ...of => MSFT_IntuneMobileThreatDefenseConnector.schema.mof} | 0 .../MSFT_IntuneMobileThreatDefenseConnector/readme.md | 4 ++-- .../MSFT_IntuneMobileThreatDefenseConnector/settings.json | 2 +- .../IntuneMobileThreatDefenseConnector/1-Create.ps1 | 3 +++ .../IntuneMobileThreatDefenseConnector/2-Update.ps1 | 5 +++++ .../IntuneMobileThreatDefenseConnector/3-Remove.ps1 | 5 +++++ 6 files changed, 16 insertions(+), 3 deletions(-)
rename Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/{MSFT_IntuneMobileThreatDefenseConnector.mof => MSFT_IntuneMobileThreatDefenseConnector.schema.mof} (100%)
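Review bot: The new line `$PSBoundParameters.ArcTrustedSealers = $PSBoundParameters.ArcTrustedSealers -Join ','` makes the comparison order- and whitespace-sensitive: `@('a.example','b.example')` and `@('b.example','a.example')` now produce different strings and are reported as drift, and the same happens if Get-TargetResource, which is outside this hunk, returns the sealers with a space after each comma. Unless the service guarantees a canonical order, normalizing both sides is safer, e.g. `$PSBoundParameters.ArcTrustedSealers = (@($PSBoundParameters.ArcTrustedSealers) | Sort-Object) -join ','` with the same treatment applied where the current value is built. The assignment also runs when `ArcTrustedSealers` was not bound, which silently adds the key with an empty string to `$PSBoundParameters`; wrapping it in `if ($PSBoundParameters.ContainsKey('ArcTrustedSealers'))` avoids that. Test-TargetResource's body begins and ends outside this hunk.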
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof
similarity index 100%
rename from Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.mof
rename to Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md
index 7d8e6c6dcd..19046bad50 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/readme.md
@@ -1,6 +1,6 @@
-# IntuneMobileAppsMacOSLobApp
+# IntuneMobileThreatDefenseConnector
 ## Description
-This resouce configures a connection to Mobile Threat Defense partner.
+This resource configures a connection to Mobile Threat Defense partner.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json
index e197e32ae5..448e3e179c 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/settings.json
@@ -1,6 +1,6 @@
 {
 "resourceName": "IntuneMobileThreatDefenseConnector",
- "description": "This resouce configures a connection to Mobile Threat Defense partner.",
+ "description": "This resource configures a connection to Mobile Threat Defense partner.",
 "permissions": {
 "graph": {
 "delegated": {
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1
index aa94970b25..6243030b1e 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/1-Create.ps1
@@ -43,6 +43,9 @@ Configuration Example
 WindowsDeviceBlockedOnMissingPartnerData = $False;
 WindowsEnabled = $False;
 Ensure = "Present";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
 }
 }
 }
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1
index 48a671ca3d..8765456e07 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/2-Update.ps1
@@ -18,7 +18,9 @@ Configuration Example
 [System.String]
 $CertificateThumbprint
 )
+
 Import-DscResource -ModuleName Microsoft365DSC
+
 node localhost
 {
 IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint"
@@ -41,6 +43,9 @@ Configuration Example
 WindowsDeviceBlockedOnMissingPartnerData = $False;
 WindowsEnabled = $False;
 Ensure = "Present";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
 }
 }
 }
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1
index d0f9fec94b..c5529f47ca 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileThreatDefenseConnector/3-Remove.ps1
@@ -18,7 +18,9 @@ Configuration Example
 [System.String]
 $CertificateThumbprint
 )
+
 Import-DscResource -ModuleName Microsoft365DSC
+
 node localhost
 {
 IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint"
@@ -41,6 +43,9 @@ Configuration Example
 WindowsDeviceBlockedOnMissingPartnerData = $False;
 WindowsEnabled = $False;
 Ensure = "Absent";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
 }
 }
 }
From dae65d28d764759271e3f53070e4550a2183b6be Mon Sep 17 00:00:00 2001
From: Nik Charlebois Date: Fri, 25 Oct 2024 15:00:07 -0400 Subject: [PATCH 05/16] Nik brought Jason's changes over --- CHANGELOG.md | 2 + ...ntAndroidDeviceOwnerEnrollmentProfile.psm1 | 630 ++++++++++++++++++ ...oidDeviceOwnerEnrollmentProfile.schema.mof | 32 + .../readme.md | 5 + .../settings.json | 32 + .../1-Create.ps1 | 43 ++ .../2-Update.ps1 | 42 ++ .../3-Remove.ps1 | 34 + ...roidDeviceOwnerEnrollmentProfile.Tests.ps1 | 249 +++++++ 9 files changed, 1069 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index f80906d544..aac448b66e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -40,6 +40,8 @@ selected
 * Fixed retrieval of resource when it cannot be found by `Id`
 * Added a few verbose messages
+* IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile
+ * Initial release.
 * IntuneEndpointDetectionAndResponsePolicyWindows10
 * Fixes an issue with `AutoFromConnector` as the Configuration package type. FIXES [#5246](https://github.com/microsoft/Microsoft365DSC/issues/5246)
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1
new file mode 100644
index 0000000000..edb51e1362
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1
@@ -0,0 +1,630 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $AccountId, + + [Parameter()] + [System.Boolean] + $ConfigureWifi, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Int32] + $EnrolledDeviceCount, + + [Parameter()] + [System.String] + [ValidateSet( 'corporateOwnedDedicatedDevice', 'corporateOwnedFullyManaged', 'corporateOwnedWorkProfile', 'corporateOwnedAOSPUserlessDevice', 'corporateOwnedAOSPUserAssociatedDevice')] + $EnrollmentMode, + + [Parameter()] + [ValidateSet( 'default', 'corporateOwnedDedicatedDeviceWithAzureADSharedMode', 'deviceStaging')] + $EnrollmentTokenType, + + [Parameter()] + [System.Int32] + $EnrollmentTokenUsageCount, + + [Parameter()] + [System.Boolean] + $IsTeamsDeviceProfile, + + [Parameter()] + [System.String] + $QrCodeContent, + + [Parameter()] + [System.String] + $QrCodeImage, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $TokenValue, + + [Parameter()] + [System.Boolean] + $WifiHidden, + + [Parameter()] + [System.Management.Automation.PSCredential] + $WifiPassword, + + [Parameter()] + [System.String] + [ValidateSet( 'none', 'wpa', 'wep' )] + $WifiSecurityType, + + [Parameter()] + [System.String] + $WifiSsid, + + [Parameter()] + [System.String] + [ValidateSet('Present', 'Absent')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Checking for the Intune Android Device Owner Enrollment Profile 
{$DisplayName}"
+ New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters | Out-Null
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $nullResult = $PSBoundParameters
+ $nullResult.Ensure = 'Absent'
+ try
+ {
+ $androidDeviceOwnerEnrollmentProfile = Get-MgAndroidDeviceOwnerEnrollmentProfile `
+ -Filter "displayName eq '$DisplayName')"
+ -ErrorAction SilentlyContinue | Where-Object
+
+ if ($null -eq $androidDeviceOwnerEnrollmentProfile)
+ {
+ Write-Verbose -Message "No AndroidDeviceOwnerEnrollmentProfiles with DisplayName {$DisplayName} was found. Search with DisplayName."
+ $androidDeviceOwnerEnrollmentProfile = Get-MgAndroidDeviceOwnerEnrollmentProfile
+ -ProfileId $Id
+ }
+
+ if ($null -eq $androidDeviceOwnerEnrollmentProfile)
+ {
+ Write-Verbose -Message "No AndroidDeviceOwnerEnrollmentProfiles with {$Id} was found."
+ return $nullResult
+ }
+
+ $results = @{
+ Id = $androidDeviceOwnerEnrollmentProfile.Id
+ DisplayName = $androidDeviceOwnerEnrollmentProfile.DisplayName
+ AccountId = $androidDeviceOwnerEnrollmentProfile.AccountId
+ ConfigureWifi = $androidDeviceOwnerEnrollmentProfile.ConfigureWifi
+ Description = $androidDeviceOwnerEnrollmentProfile.Description
+ EnrolledDeviceCount = $androidDeviceOwnerEnrollmentProfile.EnrolledDeviceCount
+ EnrollmentMode = $androidDeviceOwnerEnrollmentProfile.EnrollmentMode
+ EnrollmentTokenType = $androidDeviceOwnerEnrollmentProfile.EnrollmentTokenType
+ EnrollmentTokenUsageCount = $androidDeviceOwnerEnrollmentProfile.EnrollmentTokenUsageCount
+ IsTeamsDeviceProfile = $androidDeviceOwnerEnrollmentProfile.IsTeamsDeviceProfile
+ QrCodeContent = $androidDeviceOwnerEnrollmentProfile.QrCodeContent
+ QrCodeImage = $androidDeviceOwnerEnrollmentProfile.QrCodeImage
+ RoleScopeTagIds = $androidDeviceOwnerEnrollmentProfile.RoleScopeTagIds
+ TokenValue = $androidDeviceOwnerEnrollmentProfile.TokenValue
+ WifiHidden = $androidDeviceOwnerEnrollmentProfile.WifiHidden
+ WifiPassword = $androidDeviceOwnerEnrollmentProfile.WifiPassword
+ WifiSecurityType = $androidDeviceOwnerEnrollmentProfile.WifiSecurityType
+ WifiSsid = $androidDeviceOwnerEnrollmentProfile.WifiSsid
+
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ AccessTokens = $AccessTokens
+ }
+ return [System.Collections.Hashtable] $results
+ }
+ catch
+ {
+ Write-Verbose -Message $_
+ New-M365DSCLogEntry -Message 'Error retrieving data:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return $nullResult
+ }
+}
+
+function Set-TargetResource
+{
+ [CmdletBinding()]
+ param
+ (
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+
$DisplayName, + + [Parameter()] + [System.String] + $AccountId, + + [Parameter()] + [System.Boolean] + $ConfigureWifi, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Int32] + $EnrolledDeviceCount, + + [Parameter()] + [System.String] + [ValidateSet( 'corporateOwnedDedicatedDevice', 'corporateOwnedFullyManaged', 'corporateOwnedWorkProfile', 'corporateOwnedAOSPUserlessDevice', 'corporateOwnedAOSPUserAssociatedDevice')] + $EnrollmentMode, + + [Parameter()] + [ValidateSet( 'default', 'corporateOwnedDedicatedDeviceWithAzureADSharedMode', 'deviceStaging')] + $EnrollmentTokenType, + + [Parameter()] + [System.Int32] + $EnrollmentTokenUsageCount, + + [Parameter()] + [System.Boolean] + $IsTeamsDeviceProfile, + + [Parameter()] + [System.String] + $QrCodeContent, + + [Parameter()] + [System.String] + $QrCodeImage, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $TokenValue, + + [Parameter()] + [System.Boolean] + $WifiHidden, + + [Parameter()] + [System.Management.Automation.PSCredential] + $WifiPassword, + + [Parameter()] + [System.String] + [ValidateSet( 'none', 'wpa', 'wep' )] + $WifiSecurityType, + + [Parameter()] + [System.String] + $WifiSsid, + + [Parameter()] + [System.String] + [ValidateSet('Present', 'Absent')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $currentInstance = Get-TargetResource @PSBoundParameters
+ $PSBoundParameters.Remove('Ensure') | Out-Null
+ $PSBoundParameters.Remove('Credential') | Out-Null
+ $PSBoundParameters.Remove('ApplicationId') | Out-Null
+ $PSBoundParameters.Remove('ApplicationSecret') | Out-Null
+ $PSBoundParameters.Remove('TenantId') | Out-Null
+ $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null
+ $PSBoundParameters.Remove('ManagedIdentity') | Out-Null
+ $PSBoundParameters.Remove('AccessTokens') | Out-Null
+
+ $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
+
+ # CREATE
+ if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
+ {
+ Write-Host "Create AndroidDeviceOwnerEnrollmentProfile: $DisplayName with Enrollment Mode: $EnrollmentMode"
+
+ $CreateParameters.remove('Id') | Out-Null
+ $CreateParameters.remove('Ensure') | Out-Null
+ $CreateParameters.Remove('Verbose') | Out-Null
+
+ New-MgAndroidDeviceOwnerEnrollmentProfile @CreateParameters
+ }
+ # UPDATE
+ elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Host "Update AndroidDeviceOwnerEnrollmentProfile: $DisplayName"
+
+ $UpdateParameters = ([Hashtable]$PSBoundParameters).clone()
+ $UpdateParameters.Remove('Id') | Out-Null
+ $UpdateParameters.Remove('Verbose') | Out-Null
+
+ Update-MgAndroidDeviceOwnerEnrollmentProfile -ProfileId $currentInstance.Id @UpdateParameters
+ Write-Host "Updated AndroidDeviceOwnerEnrollmentProfile: $DisplayName"
+ }
+ # REMOVE
+ elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Host "Remove
AndroidDeviceOwnerEnrollmentProfile: $DisplayName" + + Remove-MgAndroidDeviceOwnerEnrollmentProfile -ProfileId $currentInstance.Id -Confirm:$false + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $AccountId, + + [Parameter()] + [System.Boolean] + $ConfigureWifi, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Int32] + $EnrolledDeviceCount, + + [Parameter()] + [System.String] + [ValidateSet( 'corporateOwnedDedicatedDevice', 'corporateOwnedFullyManaged', 'corporateOwnedWorkProfile', 'corporateOwnedAOSPUserlessDevice', 'corporateOwnedAOSPUserAssociatedDevice')] + $EnrollmentMode, + + [Parameter()] + [ValidateSet( 'default', 'corporateOwnedDedicatedDeviceWithAzureADSharedMode', 'deviceStaging')] + $EnrollmentTokenType, + + [Parameter()] + [System.Int32] + $EnrollmentTokenUsageCount, + + [Parameter()] + [System.Boolean] + $IsTeamsDeviceProfile, + + [Parameter()] + [System.String] + $QrCodeContent, + + [Parameter()] + [System.String] + $QrCodeImage, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $TokenValue, + + [Parameter()] + [System.Boolean] + $WifiHidden, + + [Parameter()] + [System.Management.Automation.PSCredential] + $WifiPassword, + + [Parameter()] + [System.String] + [ValidateSet( 'none', 'wpa', 'wep' )] + $WifiSecurityType, + + [Parameter()] + [System.String] + $WifiSsid, + + [Parameter()] + [System.String] + [ValidateSet('Present', 'Absent')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + 
[System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of AndroidDeviceOwnerEnrollmentProfile: {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the enrollmentProfile {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the enrollmentProfile {$displayName} will not be processed. Refer to the event viewer logs for more information." 
+ } + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + $ValuesToCheck.Remove('Id') | Out-Null + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + + $TestResult = Test-M365DSCParameterState ` + -CurrentValues $CurrentValues + -Source $($MyInvocation.MyCommand.Source) + -DesiredValues $PSBoundParameters + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $TestResult" + + return $TestResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgAndroidDeviceOwnerEnrollmentProfile ` + -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $androidDeviceOwnerEnrollmentProfile.Id + DisplayName = $androidDeviceOwnerEnrollmentProfile.DisplayName + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) + { + Write-Verbose "An error occured in Get-TargetResource, the app {$($params.displayName)} will not be processed." + throw "An error occured in Get-TargetResource, the app {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." 
+ } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof new file mode 100644 index 0000000000..3d7838ac00 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof 
@@ -0,0 +1,32 @@ +[ClassVersion("1.0.0.0"), FriendlyName("IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile")] +class MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile : OMI_BaseResource +{ + [Key, Description("Display name for the enrollment profile.")] String DisplayName; + [Write, Description("Unique GUID for the enrollment profile. Read-Only.)] String Id; + + [Write, Description("Intune AccountId GUID the enrollment profile belongs to.")] String AccountId; + [Write, Description("Description for the enrollment profile.")] String Description; + [Write, Description("The enrollment mode of devices that use this enrollment profile."), ValueMap{"corporateOwnedDedicatedDevice", "corporateOwnedFullyManaged", "corporateOwnedWorkProfile", "corporateOwnedAOSPUserlessDevice", "corporateOwnedAOSPUserAssociatedDevice"}] String EnrollmentMode; + [Write, Description("The enrollment token type for an enrollment profile."), ValueMap{"default", "corporateOwnedDedicatedDeviceWithAzureADSharedMode", "deviceStaging"}] String EnrollmentTokenType; + [Write, Description("Value of the most recently created token for this enrollment profile.")] String TokenValue; + [Write, Description("Date time the most recently created token was created.")] String TokenCreationDateTime; + [Write, Description("Date time the most recently created token will expire.")] String TokenExpirationDateTime; + [Write, Description("Total number of Android devices that have enrolled using this enrollment profile.")] Int32 EnrolledDeviceCount; + [Write, Description("Total number of AOSP devices that have enrolled using the current token. 
Valid values 0 to 20000")] Int32 EnrollmentTokenUsageCount; + [Write, Description("String used to generate a QR code for the token.")] String QrCodeContent; + [Write, Description("String used to generate a QR code for the token.")] String QrCodeImage; + [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; + [Write, Description("Boolean that indicates that the Wi-Fi network should be configured during device provisioning. When set to TRUE, device provisioning will use Wi-Fi related properties to automatically connect to Wi-Fi networks. When set to FALSE or undefined, other Wi-Fi related properties will be ignored. Default value is TRUE. Returned by default.")] Boolean ConfigureWifi; + [Write, Description("String that contains the wi-fi login ssid")] String WifiSsid; + [Write, Description("String that contains the wi-fi login password. The parameter is a PSCredential object."), EmbeddedInstance("MSFT_Credential")] String WifiPassword; + [Write, Description("String that contains the wi-fi security type."), ValueMap{"none", "wpa", "wep"}] String WifiSecurityType; + [Write, Description("Boolean that indicates if hidden wifi networks are enabled")] Boolean WifiHidden; + [Write, Description("Boolean indicating if this profile is an Android AOSP for Teams device profile.")] Boolean IsTeamsDeviceProfile; + [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present"}, Values{"Present"}] string Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String 
CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/readme.md new file mode 100644 index 0000000000..14e5fe1b0d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/readme.md @@ -0,0 +1,5 @@ +# IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile + +## Description + +Enrollment Profile used to enroll Android Enterprise devices using Google's Cloud Management. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/settings.json new file mode 100644 index 0000000000..8507274e9b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/settings.json @@ -0,0 +1,32 @@ +{ + "resourceName": "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile", + "description": "Enrollment Profile used to enroll Android Enterprise devices using Google's Cloud Management.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } + } +} 
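Review bot: The `Id` property declaration is syntactically broken — `Read-Only.)] String Id;` is missing the closing quote of the Description string, so the whole schema fails to parse; it should read `[Write, Description("Unique GUID for the enrollment profile. Read-Only.")] String Id;`. The `Ensure` property only admits `ValueMap{"Present"}, Values{"Present"}`, yet Set-TargetResource earlier in this patch has an `Ensure -eq 'Absent'` remove branch and the 3-Remove example sets `Ensure = "Absent"`, which this schema rejects at compile time; it should be `ValueMap{"Present","Absent"}, Values{"Present","Absent"}`. `WifiPassword` is correctly an `MSFT_Credential` embedded instance, but every example and test in this patch passes it as a plain string, so one side or the other has to change. `TokenValue` and `QrCodeContent` carry the device-enrollment token; whether they end up in exported configurations depends on Get-TargetResource, which is outside this chunk, but their descriptions should state that the value is sensitive and should not be committed alongside the configuration.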
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1 new file mode 100644 index 0000000000..2a575287cb --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1 @@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagementAndroidDeviceOwnerEnrollmentProfile 'CreateProfile' + { + Id = "164655f7-1232-4d56-ae8f-b095196a0309" + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 new file mode 100644 index 0000000000..9e23a25ae7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 
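Review bot: `WifiPassword = "your-wifi-password"` passes a plain string where the schema declares an `MSFT_Credential` embedded instance and Test-TargetResource declares `[PSCredential] $WifiPassword`, so this example does not compile, and it models hard-coding a Wi-Fi secret (and the enrollment `TokenValue`) in a checked-in configuration. The resource is referenced as `IntuneDeviceManagementAndroidDeviceOwnerEnrollmentProfile`, but the schema's FriendlyName is `IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile` (no second "e"), so the name resolves to nothing either way. Add a `[System.Management.Automation.PSCredential] $WifiPassword` parameter to the Configuration and set `WifiPassword = $WifiPassword`, sourcing it from configuration data at compile time rather than from the example text. The same applies to `TokenValue`, which the Graph API generates for the profile; I would drop it from the create example unless Get-TargetResource (not in this chunk) is known to accept it.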
@@ -0,0 +1,42 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagementAndroidDeviceOwnerEnrollmentProfile 'UpdateProfile' + { + Id = "164655f7-1232-4d56-ae8f-b095196a0309" + DisplayName = "Updated Android Owner Enrollment Profile" + Description = "Updated Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-updated-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-updated-qr-code-content" + WifiSsid = "your-updated-wifi-ssid" + WifiPassword = "your-updated-wifi-password" + WifiSecurityType = "wpa" + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 new file mode 100644 index 0000000000..9dfde4de40 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 
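Review bot: `DisplayName` is the schema's `Key` property, and this update example changes it to `"Updated Android Owner Enrollment Profile"`, which in DSC terms describes a different instance rather than an update of the existing one; whether the existing profile is still found depends on how Get-TargetResource resolves it, and that function is outside this chunk. Keep `DisplayName = "Android Owner Enrollment Profile"` and vary `Description` or the Wi-Fi settings instead so the example exercises the update branch. As in 1-Create, `WifiPassword` should be a PSCredential supplied from configuration data, not a literal string.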
@@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagementAndroidDeviceOwnerEnrollmentProfile 'RemoveProfile' + { + Id = "164655f7-1232-4d56-ae8f-b095196a0309" + DisplayName = "Android Owner Enrollment Profile" + Ensure = "Absent" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 new file mode 100644 index 0000000000..e05ab66627 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 
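Review bot: `Ensure = "Absent"` cannot compile against the schema in this same patch, whose `Ensure` property is restricted to `ValueMap{"Present"}, Values{"Present"}`; Set-TargetResource does implement the remove branch, so the schema line is what needs to change, to `ValueMap{"Present","Absent"}, Values{"Present","Absent"}`. The resource name used here also carries the "Management" spelling while the schema's FriendlyName is spelled "Managment", so the example will not resolve until the two agree. Removal calls `Remove-MgAndroidDeviceOwnerEnrollmentProfile -Confirm:$false` on `$currentInstance.Id`, so the example is worth a comment warning that devices enrolled with this profile's token are affected by deleting it.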
@@ -0,0 +1,249 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + } + Mock -CommandName New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + } + Mock -CommandName Update-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + } + Mock -CommandName Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" 
-Fixture { + BeforeAll { + $testParams = @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + 
EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Present' + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Should -Invoke -CommandName Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id 
= "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "INCORRECT Android Owner Enrollment Profile Name" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = "your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { + return @{ + Id = "164655f7-1232-4d56-ae8f-b095196a0309"; + DisplayName = "Android Owner Enrollment Profile" + Description = "Profile for enrolling Android devices" + TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenValue = 
"your-token-value" + EnrollmentMode = "corporateOwnedWorkProfile" + QrCodeContent = "your-qr-code-content" + WifiSsid = "your-wifi-ssid" + WifiPassword = "your-wifi-password" + WifiSecurityType = "wpa" + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From a715250458c47001f50d1db143d52d88b84877fc Mon Sep 17 00:00:00 2001 From: Kajalp1079 Date: Fri, 25 Oct 2024 14:00:51 -0700 Subject: [PATCH 06/16] fixed UTs. --- ...FT_IntuneMobileThreatDefenseConnector.psm1 | 6 +- ...uneMobileThreatDefenseConnector.schema.mof | 16 +- ...tuneMobileThreatDefenseConnector.Tests.ps1 | 3 + Tests/Unit/Stubs/Microsoft365.psm1 | 238 ++++++++++++++++++ 4 files changed, 252 insertions(+), 11 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 index c4998e3be0..526a0f0d6e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 @@ -221,7 +221,7 @@ function Set-TargetResource ( #region Intune parameters - [Parameter()] + [Parameter(Mandatory = $true)] [System.String] $Id, 
@@ -353,12 +353,12 @@ function Set-TargetResource # UPDATE elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - Update-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $Id @SetParameters + Update-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $currentInstance.Id @SetParameters } # REMOVE elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - Remove-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $Id -Confirm:$false + Remove-MgBetaDeviceManagementMobileThreatDefenseConnector -MobileThreatDefenseConnectorId $currentInstance.Id -Confirm:$false } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof index fb65310c94..4216aaf3aa 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof 
@@ -1,24 +1,24 @@ [ClassVersion("1.0.0.0"), FriendlyName("IntuneMobileThreatDefenseConnector")] class MSFT_IntuneMobileThreatDefenseConnector : OMI_BaseResource { - [Key, Description("The unique identifier for an entity. Read-only.")] String Id; - [Write, Description("The unique identifier for an entity. Read-only.")] String DisplayName; + [Write, Description("The unique identifier for an entity. Read-only.")] String Id; + [Write, Description("The DisplayName of the Mobile Threat Defense Connector partner. NOTE: Hard coded for convenience, not returned by the Graph API.")] String DisplayName; [Write, Description("When TRUE, indicates the Mobile Threat Defense partner may collect metadata about installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about installed applications from Intune for IOS devices. Default value is FALSE.")] Boolean AllowPartnerToCollectIosApplicationMetadata; [Write, Description("When TRUE, indicates the Mobile Threat Defense partner may collect metadata about personally installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about personally installed applications from Intune for IOS devices. Default value is FALSE.")] Boolean AllowPartnerToCollectIosPersonalApplicationMetadata; [Write, Description("For Android, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant.")] Boolean AndroidDeviceBlockedOnMissingPartnerData; [Write, Description("For Android, set whether data from the Mobile Threat Defense partner should be used during compliance evaluations.")] Boolean AndroidEnabled; - [Write, Description("When TRUE, inidicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for Android devices. 
When FALSE, inidicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for Android devices. Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE.")] Boolean AndroidMobileApplicationManagementEnabled; + [Write, Description("When TRUE, indicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for Android devices. When FALSE, indicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for Android devices. Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE.")] Boolean AndroidMobileApplicationManagementEnabled; [Write, Description("For IOS, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant.")] Boolean IosDeviceBlockedOnMissingPartnerData; [Write, Description("For IOS, get or set whether data from the Mobile Threat Defense partner should be used during compliance evaluations.")] Boolean IosEnabled; - [Write, Description("When TRUE, inidicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for IOS devices. When FALSE, inidicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for IOS devices. Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE.")] Boolean IosMobileApplicationManagementEnabled; - [Write, Description("DateTime of last Heartbeat recieved from the Mobile Threat Defense partner.")] DateTime LastHeartbeatDateTime; - [Write, Description("When TRUE, inidicates that configuration profile management via Microsoft Defender for Endpoint is enabled. 
When FALSE, inidicates that configuration profile management via Microsoft Defender for Endpoint is disabled. Default value is FALSE.")] Boolean MicrosoftDefenderForEndpointAttachEnabled; + [Write, Description("When TRUE, indicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for IOS devices. When FALSE, indicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for IOS devices. Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE.")] Boolean IosMobileApplicationManagementEnabled; + [Write, Description("DateTime of last Heartbeat received from the Mobile Threat Defense partner.")] DateTime LastHeartbeatDateTime; + [Write, Description("When TRUE, indicates that configuration profile management via Microsoft Defender for Endpoint is enabled. When FALSE, inidicates that configuration profile management via Microsoft Defender for Endpoint is disabled. Default value is FALSE.")] Boolean MicrosoftDefenderForEndpointAttachEnabled; [Write, Description("Partner state of this tenant.")] String PartnerState; [Write, Description("Get or Set days the per tenant tolerance to unresponsiveness for this partner integration.")] Uint32 PartnerUnresponsivenessThresholdInDays; [Write, Description("Get or set whether to block devices on the enabled platforms that do not meet the minimum version requirements of the Mobile Threat Defense partner.")] Boolean PartnerUnsupportedOSVersionBlocked; - [Write, Description("When TRUE, inidicates that Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant for Windows. When FALSE, inidicates that Intune may make a device compliant without receiving data from the Mobile Threat Defense partner for Windows. 
Default value is FALSE.")] Boolean WindowsDeviceBlockedOnMissingPartnerData; - [Write, Description("When TRUE, inidicates that data from the Mobile Threat Defense partner can be used during compliance evaluations for Windows. When FALSE, inidicates that data from the Mobile Threat Defense partner should not be used during compliance evaluations for Windows. Default value is FALSE.")] Boolean WindowsEnabled; + [Write, Description("When TRUE, indicates that Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant for Windows. When FALSE, indicates that Intune may make a device compliant without receiving data from the Mobile Threat Defense partner for Windows. Default value is FALSE.")] Boolean WindowsDeviceBlockedOnMissingPartnerData; + [Write, Description("When TRUE, indicates that data from the Mobile Threat Defense partner can be used during compliance evaluations for Windows. When FALSE, it indicates that data from the Mobile Threat Defense partner should not be used during compliance evaluations for Windows. Default value is FALSE.")] Boolean WindowsEnabled; [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] string Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 index 7037a547ee..673cd17260 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 
@@ -35,10 +35,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 Mock -CommandName Get-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { }
+ Mock -CommandName New-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { }
+ Mock -CommandName Update-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { }
+ Mock -CommandName Remove-MgBetaDeviceManagementMobileThreatDefenseConnector -MockWith { }
diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1
index 7d0f828598..31e56bcd68 100644
--- a/Tests/Unit/Stubs/Microsoft365.psm1
+++ b/Tests/Unit/Stubs/Microsoft365.psm1
@@ -27277,7 +27277,245 @@ function Update-MgBetaRoleManagement $DeviceManagement ) } + +function Get-MgBetaDeviceManagementMobileThreatDefenseConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $MobileThreatDefenseConnectorId, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $AndroidEnabled, + + [Parameter()] + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, + + [Parameter()] + [System.String] + $PartnerState, + + [Parameter()] + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, + + [Parameter()] + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, + + [Parameter()] + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled + ) +} + +function New-MgBetaDeviceManagementMobileThreatDefenseConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $MobileThreatDefenseConnectorId, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $AndroidEnabled, + + [Parameter()] + [System.Boolean] + 
$AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, + + [Parameter()] + [System.String] + $PartnerState, + + [Parameter()] + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, + + [Parameter()] + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, + + [Parameter()] + [System.Boolean] + $WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled + ) +} + +function Update-MgBetaDeviceManagementMobileThreatDefenseConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $MobileThreatDefenseConnectorId, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AllowPartnerToCollectIosPersonalApplicationMetadata, + + [Parameter()] + [System.Boolean] + $AndroidDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $AndroidEnabled, + + [Parameter()] + [System.Boolean] + $AndroidMobileApplicationManagementEnabled, + + [Parameter()] + [System.Boolean] + $IosDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $IosEnabled, + + [Parameter()] + [System.Boolean] + $IosMobileApplicationManagementEnabled, + + [Parameter()] + [System.DateTime] + $LastHeartbeatDateTime, + + [Parameter()] + [System.Boolean] + $MicrosoftDefenderForEndpointAttachEnabled, + + [Parameter()] + [System.String] + $PartnerState, + + [Parameter()] + [System.Int32] + $PartnerUnresponsivenessThresholdInDays, + + [Parameter()] + [System.Boolean] + $PartnerUnsupportedOSVersionBlocked, + + [Parameter()] + [System.Boolean] + 
$WindowsDeviceBlockedOnMissingPartnerData, + + [Parameter()] + [System.Boolean] + $WindowsEnabled + ) +} + +function Remove-MgBetaDeviceManagementMobileThreatDefenseConnector +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $MobileThreatDefenseConnectorId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + #endregion + #region Microsoft.Graph.Beta.Identity.DirectoryManagement function Get-MgBetaDevice { From b1fe68d5b2ac4ef14766a60feca2afa41cdfdf8d Mon Sep 17 00:00:00 2001 From: Kajalp1079 Date: Fri, 25 Oct 2024 14:26:53 -0700 Subject: [PATCH 07/16] Made Id as key param. --- .../MSFT_IntuneMobileThreatDefenseConnector.psm1 | 4 ++-- .../MSFT_IntuneMobileThreatDefenseConnector.schema.mof | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 index 526a0f0d6e..2eac6e4eca 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.psm1 @@ -9,7 +9,7 @@ function Get-TargetResource ( #region Intune parameters - [Parameter()] + [Parameter(Mandatory = $true)] [System.String] $Id, @@ -370,7 +370,7 @@ function Test-TargetResource ( #region Intune parameters - [Parameter()] + [Parameter(Mandatory = $true)] [System.String] $Id, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof index 4216aaf3aa..0930cf9803 100644 
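Review bot: `$PartnerUnresponsivenessThresholdInDays` is typed `[System.Int32]` in the Get, New and Update stubs, whereas the resource schema declares the same property as `Uint32` (the .mof hunk earlier in this patch and the SchemaDefinition.json section later), so the unit tests bind a different type than the one the LCM hands the resource. Either align the two declarations or have the resource convert explicitly before calling the cmdlet, e.g. `[System.Int32]$PartnerUnresponsivenessThresholdInDays`, so the narrowing is visible rather than implicit. The New and Update stubs also accept `$LastHeartbeatDateTime`, which the schema describes as the time of the last heartbeat received from the partner; if the real cmdlets do not take that parameter, the stub masks a binding error that would only surface against a live tenant, which is worth confirming against the module's proxy cmdlets.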
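Review bot: `$Id` becomes `Mandatory = $true` only in Get-TargetResource and in Test-TargetResource (the second hunk at line 370); the diffstat shows no third change to the .psm1, so Set-TargetResource presumably still declares `[Parameter()] $Id` even though the schema now marks Id as the Key. The three parameter blocks of a DSC resource should be identical, so the same `[Parameter(Mandatory = $true)]` belongs on Set-TargetResource's `$Id` unless it already carries it. Both parameter blocks continue outside the hunks.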
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileThreatDefenseConnector/MSFT_IntuneMobileThreatDefenseConnector.schema.mof
@@ -1,7 +1,7 @@
 [ClassVersion("1.0.0.0"), FriendlyName("IntuneMobileThreatDefenseConnector")]
 class MSFT_IntuneMobileThreatDefenseConnector : OMI_BaseResource
 {
- [Write, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Key, Description("The unique identifier for an entity. Read-only.")] String Id;
 [Write, Description("The DisplayName of the Mobile Threat Defense Connector partner. NOTE: Hard coded for convenience, not returned by the Graph API.")] String DisplayName;
 [Write, Description("When TRUE, indicates the Mobile Threat Defense partner may collect metadata about installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about installed applications from Intune for IOS devices. Default value is FALSE.")] Boolean AllowPartnerToCollectIosApplicationMetadata;
From df2e59da174b6ad99d663bf268fd3b0d82e82f41 Mon Sep 17 00:00:00 2001 From: Kajalp1079 Date: Fri, 25 Oct 2024 15:30:58 -0700 Subject: [PATCH 08/16] Fixed last UT, it needed missing datetime param.
--- .../Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 | 1 + 1 file changed, 1 insertion(+)
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1
index 673cd17260..a86d42c03d 100644
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileThreatDefenseConnector.Tests.ps1
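Review bot: Id is now the Key property but its description still reads `Read-only`, which contradicts its role: the caller must supply it to select which connector to manage (the examples pass a GUID for it), and a key that is read-only cannot be provided in a configuration. Suggest `[Key, Description("The unique identifier (GUID) of the Mobile Threat Defense connector to manage.")] String Id;`. The DisplayName description on the next line says the value is hard coded and not returned by the Graph API; a Write property that Get cannot read back either has to be excluded from the comparison in Test-TargetResource or derived from Id, otherwise it reports drift on every run, and I cannot tell from this hunk which of the two the .psm1 does.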
@@ -278,6 +278,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 PartnerUnsupportedOSVersionBlocked = $False;
 WindowsDeviceBlockedOnMissingPartnerData = $False;
 WindowsEnabled = $False;
+ LastHeartbeatDateTime = "1/1/0001 12:00:00 AM";
 }
 }
 }
From 5be0a1c5a92b3533da2927e83d220c9e1a55cea1 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Sat, 26 Oct 2024 00:56:08 +0000 Subject: [PATCH 09/16] Updated Resources and Cmdlet documentation pages
--- .../IntuneMobileThreatDefenseConnector.md | 227 ++++++++++++++++++ 1 file changed, 227 insertions(+) create mode 100644 docs/docs/resources/intune/IntuneMobileThreatDefenseConnector.md
diff --git a/docs/docs/resources/intune/IntuneMobileThreatDefenseConnector.md b/docs/docs/resources/intune/IntuneMobileThreatDefenseConnector.md
new file mode 100644
index 0000000000..66dee65b7e
--- /dev/null
+++ b/docs/docs/resources/intune/IntuneMobileThreatDefenseConnector.md
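Review bot: The heartbeat timestamp should not take part in the desired-state comparison at all, which is the underlying reason the fixture now needs `LastHeartbeatDateTime = "1/1/0001 12:00:00 AM";` to make the last test pass. The schema describes the property as the time of the last heartbeat received from the partner, a value the service updates on its own, so against a live tenant Test-TargetResource will report drift on every run once the partner reports and Set-TargetResource will try to write the value back. The resource should treat it as read-only (returned by Get-TargetResource, removed from the values compared in Test-TargetResource, and not passed to the update cmdlet), after which the fixture no longer needs the line. The hashtable this line belongs to starts outside the hunk.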
@@ -0,0 +1,227 @@ +# IntuneMobileThreatDefenseConnector + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Key | String | The unique identifier for an entity. Read-only. | | +| **DisplayName** | Write | String | The DisplayName of the Mobile Threat Defense Connector partner. NOTE: Hard coded for convenience, not returned by the Graph API. | | +| **AllowPartnerToCollectIosApplicationMetadata** | Write | Boolean | When TRUE, indicates the Mobile Threat Defense partner may collect metadata about installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about installed applications from Intune for IOS devices. Default value is FALSE. | | +| **AllowPartnerToCollectIosPersonalApplicationMetadata** | Write | Boolean | When TRUE, indicates the Mobile Threat Defense partner may collect metadata about personally installed applications from Intune for IOS devices. When FALSE, indicates the Mobile Threat Defense partner may not collect metadata about personally installed applications from Intune for IOS devices. Default value is FALSE. | | +| **AndroidDeviceBlockedOnMissingPartnerData** | Write | Boolean | For Android, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant. | | +| **AndroidEnabled** | Write | Boolean | For Android, set whether data from the Mobile Threat Defense partner should be used during compliance evaluations. | | +| **AndroidMobileApplicationManagementEnabled** | Write | Boolean | When TRUE, indicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for Android devices. When FALSE, indicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for Android devices. 
Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE. | | +| **IosDeviceBlockedOnMissingPartnerData** | Write | Boolean | For IOS, set whether Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant. | | +| **IosEnabled** | Write | Boolean | For IOS, get or set whether data from the Mobile Threat Defense partner should be used during compliance evaluations. | | +| **IosMobileApplicationManagementEnabled** | Write | Boolean | When TRUE, indicates that data from the Mobile Threat Defense partner can be used during Mobile Application Management (MAM) evaluations for IOS devices. When FALSE, indicates that data from the Mobile Threat Defense partner should not be used during Mobile Application Management (MAM) evaluations for IOS devices. Only one partner per platform may be enabled for Mobile Application Management (MAM) evaluation. Default value is FALSE. | | +| **LastHeartbeatDateTime** | Write | DateTime | DateTime of last Heartbeat received from the Mobile Threat Defense partner. | | +| **MicrosoftDefenderForEndpointAttachEnabled** | Write | Boolean | When TRUE, indicates that configuration profile management via Microsoft Defender for Endpoint is enabled. When FALSE, inidicates that configuration profile management via Microsoft Defender for Endpoint is disabled. Default value is FALSE. | | +| **PartnerState** | Write | String | Partner state of this tenant. | | +| **PartnerUnresponsivenessThresholdInDays** | Write | UInt32 | Get or Set days the per tenant tolerance to unresponsiveness for this partner integration. | | +| **PartnerUnsupportedOSVersionBlocked** | Write | Boolean | Get or set whether to block devices on the enabled platforms that do not meet the minimum version requirements of the Mobile Threat Defense partner. 
| | +| **WindowsDeviceBlockedOnMissingPartnerData** | Write | Boolean | When TRUE, indicates that Intune must receive data from the Mobile Threat Defense partner prior to marking a device compliant for Windows. When FALSE, indicates that Intune may make a device compliant without receiving data from the Mobile Threat Defense partner for Windows. Default value is FALSE. | | +| **WindowsEnabled** | Write | Boolean | When TRUE, indicates that data from the Mobile Threat Defense partner can be used during compliance evaluations for Windows. When FALSE, it indicates that data from the Mobile Threat Defense partner should not be used during compliance evaluations for Windows. Default value is FALSE. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +This resource configures a connection to Mobile Threat Defense partner. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementServiceConfig.Read.All + +- **Update** + + - DeviceManagementServiceConfig.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementServiceConfig.Read.All + +- **Update** + + - DeviceManagementServiceConfig.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example 
is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $True; #drift + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneMobileThreatDefenseConnector "IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint" + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Absent"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + From e1fa7197482b095cdb1691dbb414e6c7583f5006 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Sat, 26 Oct 2024 00:58:22 +0000 Subject: [PATCH 10/16] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 855 ++++++++++++++++++ 1 file changed, 855 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index b2b2fdcd64..c022e6c25c 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json 
@@ -37754,6 +37754,136 @@ } ] }, + { + "ClassName": "MSFT_IntuneMobileThreatDefenseConnector", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowPartnerToCollectIosApplicationMetadata", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AllowPartnerToCollectIosPersonalApplicationMetadata", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AndroidDeviceBlockedOnMissingPartnerData", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AndroidEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AndroidMobileApplicationManagementEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IosDeviceBlockedOnMissingPartnerData", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IosEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IosMobileApplicationManagementEnabled", + "Option": "Write" + }, + { + "CIMType": "DateTime", + "Name": "LastHeartbeatDateTime", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "MicrosoftDefenderForEndpointAttachEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PartnerState", + "Option": "Write" + }, + { + "CIMType": "Uint32", + "Name": "PartnerUnresponsivenessThresholdInDays", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PartnerUnsupportedOSVersionBlocked", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "WindowsDeviceBlockedOnMissingPartnerData", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "WindowsEnabled", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + 
"Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_DeviceManagementConfigurationPolicyItems", "Parameters": [ 
@@ -38039,6 +38169,731 @@ } ] }, + { + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint", + "Parameters": [ + { + "CIMType": "String", + "Name": "DeviceInstall_Classes_Deny", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_Classes_Deny_List", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceInstall_Classes_Deny_Retroactive", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EncryptionMethodWithXts_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EncryptionMethodWithXtsOsDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EncryptionMethodWithXtsFdvDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EncryptionMethodWithXtsRdvDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FDVRecoveryUsage_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FDVActiveDirectoryBackup_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FDVHideRecoveryPage_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FDVRecoveryPasswordUsageDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FDVRequireActiveDirectoryBackup_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FDVAllowDRA_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FDVActiveDirectoryBackupDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FDVRecoveryKeyUsageDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FDVDenyWriteAccess_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FDVEncryptionType_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FDVEncryptionTypeDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EnablePreBootPinExceptionOnDECapableDevice_Name", + 
"Option": "Write" + }, + { + "CIMType": "String", + "Name": "EnhancedPIN_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OSRecoveryUsage_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OSRequireActiveDirectoryBackup_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OSActiveDirectoryBackup_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OSRecoveryPasswordUsageDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OSHideRecoveryPage_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OSAllowDRA_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OSRecoveryKeyUsageDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OSActiveDirectoryBackupDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EnablePrebootInputProtectorsOnSlates_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OSEncryptionType_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OSEncryptionTypeDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ConfigureAdvancedStartup_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ConfigureTPMStartupKeyUsageDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ConfigureTPMPINKeyUsageDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ConfigureTPMUsageDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ConfigureNonTPMStartupKeyUsage_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ConfigurePINUsageDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RDVConfigureBDE", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RDVAllowBDE_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RDVEncryptionType_Name", + "Option": "Write" + }, + { + 
"CIMType": "String", + "Name": "RDVEncryptionTypeDropDown_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RDVDisableBDE_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RDVDenyWriteAccess_Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RDVCrossOrg", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EnableSmartScreen", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EnableSmartScreenDropdown", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisableSafetyFilterOverrideForAppRepUnknown", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Disable_Managing_Safety_Filter_IE9", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "IE9SafetyFilterOptions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowWarningForOtherDiskEncryption", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowStandardUserEncryption", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ConfigureRecoveryPasswordRotation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RequireDeviceEncryption", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowArchiveScanning", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowBehaviorMonitoring", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowCloudProtection", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowEmailScanning", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowFullScanRemovableDriveScanning", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowOnAccessProtection", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowRealtimeMonitoring", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowScanningNetworkFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowIOAVProtection", + "Option": "Write" + }, + { + 
"CIMType": "String", + "Name": "AllowScriptScanning", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowUserUIAccess", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlockExecutionOfPotentiallyObfuscatedScripts", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlockWin32APICallsFromOfficeMacros", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlockOfficeCommunicationAppFromCreatingChildProcesses", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlockAllOfficeApplicationsFromCreatingChildProcesses", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlockAdobeReaderFromCreatingChildProcesses", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions", + "Option": "Write" + 
},
+ {
+ "CIMType": "String",
+ "Name": "BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "BlockWebshellCreationForServers",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "BlockWebshellCreationForServers_ASROnlyPerRuleExclusions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "BlockUntrustedUnsignedProcessesThatRunFromUSB",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "BlockPersistenceThroughWMIEventSubscription",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "BlockUseOfCopiedOrImpersonatedSystemTools",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "BlockAbuseOfExploitedVulnerableSignedDrivers",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "BlockProcessCreationsFromPSExecAndWMICommands",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "BlockOfficeApplicationsFromCreatingExecutableContent",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "BlockRebootingMachineInSafeMode",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "UseAdvancedProtectionAgainstRansomware",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "BlockExecutableContentFromEmailClientAndWebmail",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CheckForSignaturesBeforeRunningScan",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CloudBlockLevel",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "CloudExtendedTimeout",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "DisableLocalAdminMerge",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "EnableNetworkProtection",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "HideExclusionsFromLocalAdmins",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "HideExclusionsFromLocalUsers",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "OobeEnableRtpAndSigUpdate",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "PUAProtection",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "RealTimeScanDirection",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ScanParameter",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "ScheduleQuickScanTime",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ScheduleScanDay",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "ScheduleScanTime",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "SignatureUpdateInterval",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "SubmitSamplesConsent",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "LsaCfgFlags",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "DeviceEnumerationPolicy",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "SmartScreenEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "SmartScreenPuaEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "SmartScreenDnsRequestsEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "NewSmartScreenLibraryEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "SmartScreenForTrustedDownloadsEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "PreventSmartScreenPromptOverride",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "PreventSmartScreenPromptOverrideForFiles",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "DisableSafetyFilterOverrideForAppRepUnknown",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_IntuneSecurityBaselineDefenderForEndpoint",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "Description",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "DisplayName",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "RoleScopeTagIds",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Id",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint",
+ "Name": "DeviceSettings",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint",
+ "Name": "UserSettings",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]",
+ "Name": "Assignments",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "string",
+ "Name": "Ensure",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "ApplicationSecret",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
 {
 "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise",
 "Parameters": [
From 7502d38d389ac74130052ceccb40eca7c3a15178 Mon Sep 17 00:00:00 2001
From: NikCharlebois
Date: Sat, 26 Oct 2024 00:59:11 +0000
Subject: [PATCH 11/16] Updated {Create} Intune Integration Tests
---
 ...M365DSCIntegration.INTUNE.Create.Tests.ps1 | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1
index 62159f4140..6d0984debe 100644
--- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1
+++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1
@@ -2598,6 +2598,30 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + IntuneMobileThreatDefenseConnector 'IntuneMobileThreatDefenseConnector-Microsoft Defender for Endpoint' + { + AllowPartnerToCollectIosApplicationMetadata = $False; + AllowPartnerToCollectIosPersonalApplicationMetadata = $False; + AndroidDeviceBlockedOnMissingPartnerData = $False; + AndroidEnabled = $False; + AndroidMobileApplicationManagementEnabled = $False; + DisplayName = "Microsoft Defender for Endpoint"; + Id = "fc780465-2017-40d4-a0c5-307022471b92"; + IosDeviceBlockedOnMissingPartnerData = $False; + IosEnabled = $False; + IosMobileApplicationManagementEnabled = $False; + LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"; + MicrosoftDefenderForEndpointAttachEnabled = $False; + PartnerState = "notSetUp"; + PartnerUnresponsivenessThresholdInDays = 7; + PartnerUnsupportedOSVersionBlocked = $False; + WindowsDeviceBlockedOnMissingPartnerData = $False; + WindowsEnabled = $False; + Ensure = "Present"; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntunePolicySets 'Example' { Assignments = @( From 5a3cc53039d0c2c5e1a20e882f027aa7d177310f Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Sat, 26 Oct 2024 09:56:53 -0400 Subject: [PATCH 12/16] IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile - Initial Release --- ...uneDeviceManagementComplianceSettings.psm1 | 1 + ...ntAndroidDeviceOwnerEnrollmentProfile.psm1 | 186 ++++++------ ...oidDeviceOwnerEnrollmentProfile.schema.mof | 13 +- .../1-Create.ps1 | 34 ++- .../2-Update.ps1 | 34 ++- .../3-Remove.ps1 | 26 +- ...roidDeviceOwnerEnrollmentProfile.Tests.ps1 | 36 ++- Tests/Unit/Stubs/Microsoft365.psm1 | 281 ++++++++++++++++++ 8 files changed, 464 insertions(+), 147 deletions(-) 
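Review bot: The new integration block pins `LastHeartbeatDateTime = "1/1/0001 12:00:00 AM"` and `PartnerState = "notSetUp"`, which appear to be state the service reports about the connector rather than settings the configuration controls; if the resource's Test-TargetResource compares them (the psm1 is not in this hunk), the test will report drift as soon as the partner sends its first heartbeat, and the date literal is in a locale-specific format on top of that. `Id` is the resource's Key and is given as a fixed GUID here, so the "Create" test presupposes that connector already exists with that Id. Drop the `LastHeartbeatDateTime` and `PartnerState` lines from the block, or leave a comment in the test stating that these are read-only values expected to match an un-set-up connector.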
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 index cf73c2b59a..8fc3e91fd8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 @@ -225,6 +225,7 @@ function Test-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + $ValuesToCheck = $PSBoundParameters Write-Verbose -Message "Testing configuration of Intune Device Management Compliance Settings" $CurrentValues = Get-TargetResource @PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1 index edb51e1362..b895ea034d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.psm1 @@ -61,6 +61,14 @@ function Get-TargetResource [System.String] $TokenValue, + [Parameter()] + [System.String] + $TokenCreationDateTime, + + [Parameter()] + [System.String] + $TokenExpirationDateTime, + [Parameter()] [System.Boolean] $WifiHidden, 
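Review bot: `$ValuesToCheck = $PSBoundParameters` in the IntuneDeviceManagementComplianceSettings Test-TargetResource hunk aliases the bound-parameter dictionary rather than copying it, so any later `$ValuesToCheck.Remove(...)` (the rest of the function is outside this hunk) also removes the key from `$PSBoundParameters`, which is splatted into `Get-TargetResource` on the very next line. The same aliasing is introduced in the AndroidDeviceOwnerEnrollmentProfile Test-TargetResource hunk further down, where `$ValuesToCheck.Remove('WifiPassword')` executes before `Get-TargetResource @PSBoundParameters`, so Get never receives the password it was configured with. The form used elsewhere in this module, visible in the lines that later hunk deletes, is `$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()`.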
@@ -128,15 +136,18 @@ function Get-TargetResource $nullResult.Ensure = 'Absent' try { - $androidDeviceOwnerEnrollmentProfile = Get-MgAndroidDeviceOwnerEnrollmentProfile ` - -Filter "displayName eq '$DisplayName')" - -ErrorAction SilentlyContinue | Where-Object - + if (-not [System.String]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Trying to retrieve profile by Id" + $androidDeviceOwnerEnrollmentProfile = Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile ` + -AndroidDeviceOwnerEnrollmentProfileId $Id + } if ($null -eq $androidDeviceOwnerEnrollmentProfile) { - Write-Verbose -Message "No AndroidDeviceOwnerEnrollmentProfiles with DisplayName {$DisplayName} was found. Search with DisplayName." - $androidDeviceOwnerEnrollmentProfile = Get-MgAndroidDeviceOwnerEnrollmentProfile - -ProfileId $Id + Write-Verbose -Message "Trying to retrieve profile by DisplayName" + $androidDeviceOwnerEnrollmentProfile = Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile ` + -Filter "displayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue } if ($null -eq $androidDeviceOwnerEnrollmentProfile) 
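Review bot: The new Id lookup calls `Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -AndroidDeviceOwnerEnrollmentProfileId $Id` with no `-ErrorAction SilentlyContinue`, so if the cmdlet throws for an Id that no longer exists the DisplayName fallback in the following `if` is never reached and control lands in the enclosing catch (outside the hunk). The DisplayName branch interpolates the raw value into the OData filter `"displayName eq '$DisplayName'"`, so a display name containing an apostrophe yields a malformed filter and a failed lookup. Escape it and make the Id call non-fatal: `-AndroidDeviceOwnerEnrollmentProfileId $Id -ErrorAction SilentlyContinue` and `-Filter "displayName eq '$($DisplayName -replace "'", "''")'"`.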
@@ -146,32 +157,34 @@ function Get-TargetResource } $results = @{ - Id = $androidDeviceOwnerEnrollmentProfile.Id - DisplayName = $androidDeviceOwnerEnrollmentProfile.DisplayName - AccountId = $androidDeviceOwnerEnrollmentProfile.AccountId - ConfigureWifi = $androidDeviceOwnerEnrollmentProfile.ConfigureWifi - Description = $androidDeviceOwnerEnrollmentProfile.Description - EnrolledDeviceCount = $androidDeviceOwnerEnrollmentProfile.EnrolledDeviceCount - EnrollmentMode = $androidDeviceOwnerEnrollmentProfile.EnrollmentMode - EnrollmentTokenType = $androidDeviceOwnerEnrollmentProfile.EnrollmentTokenType + Id = $androidDeviceOwnerEnrollmentProfile.Id + DisplayName = $androidDeviceOwnerEnrollmentProfile.DisplayName + AccountId = $androidDeviceOwnerEnrollmentProfile.AccountId + ConfigureWifi = $androidDeviceOwnerEnrollmentProfile.ConfigureWifi + Description = $androidDeviceOwnerEnrollmentProfile.Description + EnrolledDeviceCount = $androidDeviceOwnerEnrollmentProfile.EnrolledDeviceCount + EnrollmentMode = $androidDeviceOwnerEnrollmentProfile.EnrollmentMode.ToString() + EnrollmentTokenType = $androidDeviceOwnerEnrollmentProfile.EnrollmentTokenType.ToString() EnrollmentTokenUsageCount = $androidDeviceOwnerEnrollmentProfile.EnrollmentTokenUsageCount - IsTeamsDeviceProfile = $androidDeviceOwnerEnrollmentProfile.IsTeamsDeviceProfile - QrCodeContent = $androidDeviceOwnerEnrollmentProfile.QrCodeContent - QrCodeImage = $androidDeviceOwnerEnrollmentProfile.QrCodeImage - RoleScopeTagIds = $androidDeviceOwnerEnrollmentProfile.RoleScopeTagIds - TokenValue = $androidDeviceOwnerEnrollmentProfile.TokenValue - WifiHidden = $androidDeviceOwnerEnrollmentProfile.WifiHidden - WifiPassword = $androidDeviceOwnerEnrollmentProfile.WifiPassword - WifiSecurityType = $androidDeviceOwnerEnrollmentProfile.WifiSecurityType - WifiSsid = $androidDeviceOwnerEnrollmentProfile.WifiSsid - - Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - 
CertificateThumbprint = $CertificateThumbprint - ManagedIdentity = $ManagedIdentity.IsPresent - AccessTokens = $AccessTokens + IsTeamsDeviceProfile = $androidDeviceOwnerEnrollmentProfile.IsTeamsDeviceProfile + QrCodeContent = $androidDeviceOwnerEnrollmentProfile.QrCodeContent + QrCodeImage = $androidDeviceOwnerEnrollmentProfile.QrCodeImage + RoleScopeTagIds = $androidDeviceOwnerEnrollmentProfile.RoleScopeTagIds + TokenCreationDateTime = $androidDeviceOwnerEnrollmentProfile.TokenCreationDateTime.ToString() + TokenExpirationDateTime = $androidDeviceOwnerEnrollmentProfile.TokenExpirationDateTime.ToString() + TokenValue = $androidDeviceOwnerEnrollmentProfile.TokenValue + WifiHidden = $androidDeviceOwnerEnrollmentProfile.WifiHidden + WifiPassword = $androidDeviceOwnerEnrollmentProfile.WifiPassword + WifiSecurityType = $androidDeviceOwnerEnrollmentProfile.WifiSecurityType.ToString() + WifiSsid = $androidDeviceOwnerEnrollmentProfile.WifiSsid + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens } return [System.Collections.Hashtable] $results } @@ -250,6 +263,14 @@ function Set-TargetResource [System.String] $TokenValue, + [Parameter()] + [System.String] + $TokenCreationDateTime, + + [Parameter()] + [System.String] + $TokenExpirationDateTime, + [Parameter()] [System.Boolean] $WifiHidden, 
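Review bot: The new `.ToString()` calls on `EnrollmentMode`, `EnrollmentTokenType`, `TokenCreationDateTime`, `TokenExpirationDateTime` and `WifiSecurityType` raise "You cannot call a method on a null-valued expression" when the Graph object leaves that property null, so an optional field that is simply absent turns into a failed Get for the whole profile. For the two DateTime values, `ToString()` without a format is also culture-dependent (the examples in this patch show `10/26/2024 1:02:29 AM`), so a configuration exported on one locale compares unequal on another. Guard each one and use the invariant round-trip format for the dates, e.g. `TokenCreationDateTime = if ($null -ne $androidDeviceOwnerEnrollmentProfile.TokenCreationDateTime) { $androidDeviceOwnerEnrollmentProfile.TokenCreationDateTime.ToString('o') }` and `EnrollmentMode = [string]$androidDeviceOwnerEnrollmentProfile.EnrollmentMode`. Note that `WifiPassword` is returned here as whatever Graph delivers, while the unit tests in this patch pass it in as a PSCredential, so the two representations are unlikely to compare equal; the function's try/catch starts outside this hunk.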
@@ -310,46 +331,30 @@ function Set-TargetResource #endregion $currentInstance = Get-TargetResource @PSBoundParameters - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('AccessTokens') | Out-Null - $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - Write-Host "Create AndroidDeviceOwnerEnrollmentProfile: $DisplayName with Enrollment Mode: $EnrollmentMode" - - $CreateParameters.remove('Id') | Out-Null - $CreateParameters.remove('Ensure') | Out-Null - $CreateParameters.Remove('Verbose') | Out-Null + Write-Verbose -Message "Create AndroidDeviceOwnerEnrollmentProfile: $DisplayName with Enrollment Mode: $EnrollmentMode" - New-MgAndroidDeviceOwnerEnrollmentProfile @CreateParameters + $setParameters.remove('Id') | Out-Null + $setParameters.remove('Ensure') | Out-Null + $setParameters.Remove('Verbose') | Out-Null + $response = New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile @setParameters } # UPDATE elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - Write-Host "Update AndroidDeviceOwnerEnrollmentProfile: $DisplayName" - - $UpdateParameters = ([Hashtable]$PSBoundParameters).clone() - $UpdateParameters.Remove('Id') | Out-Null - $UpdateParameters.Remove('Verbose') | Out-Null - - Update-MgAndroidDeviceOwnerEnrollmentProfile -ProfileId $currentInstance.Id @UpdateParameters - Write-Host "Updated AndroidDeviceOwnerEnrollmentProfile: $DisplayName" + Write-Verbose -Message "Updating AndroidDeviceOwnerEnrollmentProfile: $DisplayName" + 
Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -AndroidDeviceOwnerEnrollmentProfileId $currentInstance.Id -Confirm:$false + $response = New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile @setParameters } # REMOVE elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - Write-Host "Remove AndroidDeviceOwnerEnrollmentProfile: $DisplayName" - - Remove-MgAndroidDeviceOwnerEnrollmentProfile -ProfileId $currentInstance.Id -Confirm:$false + Write-Verbose -Message "Removing AndroidDeviceOwnerEnrollmentProfile: $DisplayName" + Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -AndroidDeviceOwnerEnrollmentProfileId $currentInstance.Id -Confirm:$false } } @@ -416,6 +421,14 @@ function Test-TargetResource [System.String] $TokenValue, + [Parameter()] + [System.String] + $TokenCreationDateTime, + + [Parameter()] + [System.String] + $TokenExpirationDateTime, + [Parameter()] [System.Boolean] $WifiHidden, 
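Review bot: The UPDATE branch now deletes the profile and creates a new one for any drift, which discards the existing enrollment token and QR code (`TokenValue` and `QrCodeContent` are properties of the profile per the Get hunk) and so breaks enrollment for every device still holding the old token; the 2-Update example in this patch triggers this on a `WifiHidden` change alone, where the replaced `Update-MgAndroidDeviceOwnerEnrollmentProfile` path changed the profile in place. That branch also splats `$setParameters` without the `Id`, `Ensure` and `Verbose` removals the CREATE branch performs three lines earlier (whether `Remove-M365DSCAuthenticationParameter` strips `Ensure` is not visible here), and both branches forward server-managed values such as `TokenCreationDateTime`, `TokenExpirationDateTime`, `EnrolledDeviceCount` and `EnrollmentTokenUsageCount` to New-MgBeta…, which will presumably reject or silently ignore them. Hoist the three `Remove` calls above the `if`, remove the read-only keys there as well, and either drop the unused `$response` assignments or log `$response.Id`. The function's parameter block starts outside the hunk.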
@@ -477,29 +490,16 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of AndroidDeviceOwnerEnrollmentProfile: {$DisplayName}" + $ValuesToCheck = $PSBoundParameters + $ValuesToCheck.Remove('WifiPassword') | Out-Null $CurrentValues = Get-TargetResource @PSBoundParameters - if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) - { - Write-Verbose "An error occured in Get-TargetResource, the enrollmentProfile {$displayName} will not be processed" - throw "An error occured in Get-TargetResource, the enrollmentProfile {$displayName} will not be processed. Refer to the event viewer logs for more information." - } - $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() - $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck - $ValuesToCheck.Remove('Id') | Out-Null - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" - if ($CurrentValues.Ensure -ne $Ensure) - { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false - } - $TestResult = Test-M365DSCParameterState ` - -CurrentValues $CurrentValues - -Source $($MyInvocation.MyCommand.Source) - -DesiredValues $PSBoundParameters + -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys Write-Verbose -Message "Test-TargetResource returned $TestResult" @@ -560,8 +560,7 @@ function Export-TargetResource try { $Script:ExportMode = $true - [array] $Script:exportedInstances = Get-MgAndroidDeviceOwnerEnrollmentProfile ` - -ErrorAction Stop + [array] $Script:exportedInstances = Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -ErrorAction Stop $i = 1 $dscContent = '' 
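Review bot: After dropping only `WifiPassword`, `$ValuesToCheck` still holds every other bound parameter, including the server-managed ones the examples in this patch set (`EnrolledDeviceCount`, `EnrollmentTokenUsageCount`, `TokenCreationDateTime`, `TokenExpirationDateTime`, `TokenValue`, `QrCodeContent`, `AccountId`) and, now that the deleted `$ValuesToCheck.Remove('Id')` is gone, the read-only `Id`; the first device enrolment or token rotation will therefore report drift, and with the new Set behaviour that drift deletes and recreates the profile. Remove those keys alongside `WifiPassword`: `foreach ($k in 'Id','AccountId','TokenValue','TokenCreationDateTime','TokenExpirationDateTime','EnrolledDeviceCount','EnrollmentTokenUsageCount','QrCodeContent','QrCodeImage') { $ValuesToCheck.Remove($k) | Out-Null }`. The deleted `Ensure` short-circuit is presumably handled inside Test-M365DSCParameterState, which is outside this file.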
@@ -575,30 +574,29 @@ function Export-TargetResource } foreach ($config in $Script:exportedInstances) { - $displayedKey = $config.Id + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + $displayedKey = $config.DisplayName Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline $params = @{ - Id = $androidDeviceOwnerEnrollmentProfile.Id - DisplayName = $androidDeviceOwnerEnrollmentProfile.DisplayName - - Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint - ManagedIdentity = $ManagedIdentity.IsPresent - AccessTokens = $AccessTokens + Id = $config.Id + DisplayName = $config.DisplayName + + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens } $Results = Get-TargetResource @Params $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results - if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) - { - Write-Verbose "An error occured in Get-TargetResource, the app {$($params.displayName)} will not be processed." - throw "An error occured in Get-TargetResource, the app {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." - } $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` 
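Review bot: `$Results` comes straight from Get-TargetResource, whose result hashtable (in the Get hunk above) carries `TokenValue`, `QrCodeContent`, `QrCodeImage` and `WifiPassword`, so unless Get-M365DSCExportContentForResource filters them (its call is cut off at the end of this hunk) an export writes the device enrollment token and the Wi-Fi password in plaintext into the generated configuration file. Those values are credentials for enrolling devices and joining the network rather than configuration, and a profile can be recreated without them. Strip them before the block is generated: `foreach ($k in 'TokenValue','QrCodeContent','QrCodeImage','WifiPassword') { $Results.Remove($k) | Out-Null }`. Removing the Test-M365DSCAuthenticationParameter guard also means a Get that returned its null result is exported without complaint; the surrounding try/catch starts outside the hunk.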
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof index 3d7838ac00..15f16affc3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof @@ -1,8 +1,15 @@ +[ClassVersion("1.0.0.0")] +class MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage +{ + [Write, Description("Indicates the content mime type.")] String type; + [Write, Description("The byte array that contains the actual content.")] String value; +}; + [ClassVersion("1.0.0.0"), FriendlyName("IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile")] class MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile : OMI_BaseResource { [Key, Description("Display name for the enrollment profile.")] String DisplayName; - [Write, Description("Unique GUID for the enrollment profile. Read-Only.)] String Id; + [Write, Description("Unique GUID for the enrollment profile. Read-Only.")] String Id; [Write, Description("Intune AccountId GUID the enrollment profile belongs to.")] String AccountId; [Write, Description("Description for the enrollment profile.")] String Description; 
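Review bot: The new `MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage` class is declared but nothing in the visible hunks references it — `QrCodeImage` stays a plain `String` in the next hunk — so it is dead schema unless a property further down the file (outside this view) embeds it. If the psm1 keeps returning `QrCodeImage` as a plain value, as the Get hunk does, delete the class; otherwise declare the property as `[Write, EmbeddedInstance("MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage"), Description("QR code image for the token.")] String QrCodeImage;` and build the instance in Get. The `value` description says "byte array" while the CIM type is `String`; state the text encoding used (presumably base64) in the description so consumers know how to decode it.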
@@ -11,8 +18,8 @@ class MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile : OMI_BaseRe [Write, Description("Value of the most recently created token for this enrollment profile.")] String TokenValue; [Write, Description("Date time the most recently created token was created.")] String TokenCreationDateTime; [Write, Description("Date time the most recently created token will expire.")] String TokenExpirationDateTime; - [Write, Description("Total number of Android devices that have enrolled using this enrollment profile.")] Int32 EnrolledDeviceCount; - [Write, Description("Total number of AOSP devices that have enrolled using the current token. Valid values 0 to 20000")] Int32 EnrollmentTokenUsageCount; + [Write, Description("Total number of Android devices that have enrolled using this enrollment profile.")] UInt32 EnrolledDeviceCount; + [Write, Description("Total number of AOSP devices that have enrolled using the current token. Valid values 0 to 20000")] UInt32 EnrollmentTokenUsageCount; [Write, Description("String used to generate a QR code for the token.")] String QrCodeContent; [Write, Description("String used to generate a QR code for the token.")] String QrCodeImage; [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1 index 2a575287cb..a5095ed687 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/1-Create.ps1 
@@ -22,22 +22,26 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - IntuneDeviceManagementAndroidDeviceOwnerEnrollmentProfile 'CreateProfile' + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" { - Id = "164655f7-1232-4d56-ae8f-b095196a0309" - DisplayName = "Android Owner Enrollment Profile" - Description = "Profile for enrolling Android devices" - TokenExpirationDateTime = "2024-12-31T23:59:59Z" - TokenValue = "your-token-value" - EnrollmentMode = "corporateOwnedWorkProfile" - QrCodeContent = "your-qr-code-content" - WifiSsid = "your-wifi-ssid" - WifiPassword = "your-wifi-password" - WifiSecurityType = "wpa" - Ensure = "Present" - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint; + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; } } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 index 9e23a25ae7..c3fe6117bf 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 
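Review bot: `AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"` is not a valid GUID — the last group has 13 hex digits instead of 12 — and the same literal is repeated in the 2-Update and 3-Remove hunks that follow. All three examples also pin server-managed values (`EnrolledDeviceCount`, `EnrollmentTokenUsageCount`, `TokenCreationDateTime`, `TokenExpirationDateTime`) that change as soon as a device enrols or the token rotates, with the dates in a locale-specific format, so the examples will show drift on any tenant other than the one they were exported from. Since `AccountId` identifies the tenant's Intune account rather than a user choice, drop it together with those four lines, or replace it with a clearly marked placeholder such as `AccountId = "<your-intune-account-id>"`.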
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/2-Update.ps1 @@ -21,22 +21,26 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - IntuneDeviceManagementAndroidDeviceOwnerEnrollmentProfile 'UpdateProfile' + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" { - Id = "164655f7-1232-4d56-ae8f-b095196a0309" - DisplayName = "Updated Android Owner Enrollment Profile" - Description = "Updated Profile for enrolling Android devices" - TokenExpirationDateTime = "2024-12-31T23:59:59Z" - TokenValue = "your-updated-token-value" - EnrollmentMode = "corporateOwnedWorkProfile" - QrCodeContent = "your-updated-qr-code-content" - WifiSsid = "your-updated-wifi-ssid" - WifiPassword = "your-updated-wifi-password" - WifiSecurityType = "wpa" - Ensure = "Present" - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint; + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $True; #Drift + WifiSecurityType = "none"; } } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 index 9dfde4de40..6bc56f61c7 100644 
--- a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/3-Remove.ps1 @@ -21,14 +21,26 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - IntuneDeviceManagementAndroidDeviceOwnerEnrollmentProfile 'RemoveProfile' + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" { - Id = "164655f7-1232-4d56-ae8f-b095196a0309" - DisplayName = "Android Owner Enrollment Profile" - Ensure = "Absent" - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint; + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Absent"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 index e05ab66627..d8ff6fcab9 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.Tests.ps1 
@@ -35,18 +35,15 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return "Credentials" } - Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { - } Mock -CommandName New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { } - Mock -CommandName Update-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { - } Mock -CommandName Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { } # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } + $userName = "Whatever" $Script:exportedInstances =$null $Script:ExportMode = $false } @@ -62,7 +59,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { EnrollmentMode = "corporateOwnedWorkProfile" QrCodeContent = "your-qr-code-content" WifiSsid = "your-wifi-ssid" - WifiPassword = "your-wifi-password" + WifiPassword = New-Object System.Management.Automation.PSCredential ($userName, (ConvertTo-SecureString "your-wifi-password" -AsPlainText -Force)) WifiSecurityType = "wpa" Ensure = 'Present' Credential = $Credential; @@ -96,7 +93,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { EnrollmentMode = "corporateOwnedWorkProfile" QrCodeContent = "your-qr-code-content" WifiSsid = "your-wifi-ssid" - WifiPassword = "your-wifi-password" + WifiPassword = New-Object System.Management.Automation.PSCredential ($userName, (ConvertTo-SecureString "your-wifi-password" -AsPlainText -Force)) WifiSecurityType = "wpa" Ensure = 'Absent' Credential = $Credential; 
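Review bot: The test parameters now wrap `WifiPassword` in a PSCredential (here and in the two later hunks that make the same change) while every Get mock still returns `WifiPassword = "your-wifi-password"` as a string; the tests pass only because Test-TargetResource drops that key from the comparison, so nothing verifies what Set-TargetResource forwards to New-MgBeta… for the password. Add a `-ParameterFilter` on the `Should -Invoke -CommandName New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile` assertions in the create and drift contexts that checks the `WifiPassword` argument is the plain-text value the cmdlet expects, otherwise a credential object reaching the Graph call goes unnoticed. `$userName = "Whatever"` is set in the Describe-level BeforeAll and read in Context-level BeforeAll blocks; that works under Pester 5 scoping, but a one-line comment saying it is the dummy user name for the Wi-Fi credential would save the next reader a search.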
@@ -106,10 +103,12 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return @{ Id = "164655f7-1232-4d56-ae8f-b095196a0309"; DisplayName = "Android Owner Enrollment Profile" - Description = "Profile for enrolling Android devices" + Description = "Profile for enrolling Android" TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenCreationDateTime = "2024-12-31T23:59:59Z" TokenValue = "your-token-value" EnrollmentMode = "corporateOwnedWorkProfile" + EnrollmentTokenType = 'TokenType' QrCodeContent = "your-qr-code-content" WifiSsid = "your-wifi-ssid" WifiPassword = "your-wifi-password" @@ -126,6 +125,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams Should -Invoke -CommandName Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 } } @@ -141,7 +141,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { EnrollmentMode = "corporateOwnedWorkProfile" QrCodeContent = "your-qr-code-content" WifiSsid = "your-wifi-ssid" - WifiPassword = "your-wifi-password" + WifiPassword = New-Object System.Management.Automation.PSCredential ($userName, (ConvertTo-SecureString "your-wifi-password" -AsPlainText -Force)) WifiSecurityType = "wpa" Ensure = 'Present' Credential = $Credential; @@ -153,12 +153,15 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = "Android Owner Enrollment Profile" Description = "Profile for enrolling Android devices" TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenCreationDateTime = "2024-12-31T23:59:59Z" TokenValue = "your-token-value" EnrollmentMode = "corporateOwnedWorkProfile" + EnrollmentTokenType = 'TokenType' QrCodeContent = "your-qr-code-content" WifiSsid = "your-wifi-ssid" WifiPassword = "your-wifi-password" WifiSecurityType = "wpa" + Ensure = 'Present' } } } 
@@ -173,13 +176,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Id = "164655f7-1232-4d56-ae8f-b095196a0309"; DisplayName = "Android Owner Enrollment Profile" - Description = "Profile for enrolling Android devices" + Description = "Profile for enrolling Android" # Drift TokenExpirationDateTime = "2024-12-31T23:59:59Z" TokenValue = "your-token-value" EnrollmentMode = "corporateOwnedWorkProfile" QrCodeContent = "your-qr-code-content" WifiSsid = "your-wifi-ssid" - WifiPassword = "your-wifi-password" + WifiPassword = New-Object System.Management.Automation.PSCredential ($userName, (ConvertTo-SecureString "your-wifi-password" -AsPlainText -Force)) WifiSecurityType = "wpa" Ensure = 'Present' Credential = $Credential; @@ -188,15 +191,18 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -MockWith { return @{ Id = "164655f7-1232-4d56-ae8f-b095196a0309"; - DisplayName = "INCORRECT Android Owner Enrollment Profile Name" + DisplayName = "Android Owner Enrollment Profile" Description = "Profile for enrolling Android devices" TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenCreationDateTime = "2024-12-31T23:59:59Z" TokenValue = "your-token-value" EnrollmentMode = "corporateOwnedWorkProfile" + EnrollmentTokenType = 'TokenType' QrCodeContent = "your-qr-code-content" WifiSsid = "your-wifi-ssid" WifiPassword = "your-wifi-password" WifiSecurityType = "wpa" + Ensure = 'Present' } } } @@ -211,7 +217,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should call the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Update-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 + Should -Invoke -CommandName Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 + Should -Invoke -CommandName New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile -Exactly 1 } } 
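Review bot: The drift test in `@@ -211,7 +217,8 @@` now expects Set-TargetResource to call Remove- and then New- once each instead of Update-, so correcting any property of an existing profile is implemented as delete-and-recreate. For an enrollment profile that presumably invalidates the existing enrollment token and QR code and gives the profile a new Id, which is a disruptive side effect for a drift as small as the `Description` change this test uses. If the entity genuinely cannot be patched in place, say so where the expectation is asserted, e.g. `# Set applies changes as Remove + New because the profile cannot be updated in place; this rotates the enrollment token`, and in the resource's documentation. The Set-TargetResource body is outside this diff, so I cannot tell whether an update path was available.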
@@ -227,14 +234,17 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return @{ Id = "164655f7-1232-4d56-ae8f-b095196a0309"; DisplayName = "Android Owner Enrollment Profile" - Description = "Profile for enrolling Android devices" + Description = "Profile for enrolling Android" TokenExpirationDateTime = "2024-12-31T23:59:59Z" + TokenCreationDateTime = "2024-12-31T23:59:59Z" TokenValue = "your-token-value" EnrollmentMode = "corporateOwnedWorkProfile" + EnrollmentTokenType = 'TokenType' QrCodeContent = "your-qr-code-content" WifiSsid = "your-wifi-ssid" WifiPassword = "your-wifi-password" WifiSecurityType = "wpa" + Ensure = 'Present' } } } diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index 2885031d7b..ea4fd3ba72 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 
@@ -99806,3 +99806,284 @@ function Update-MgBetaPolicyHomeRealmDiscoveryPolicy #endregion +#region Microsoft.Graph.Authentication +function Get-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $AndroidDeviceOwnerEnrollmentProfileId, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function New-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $WifiSecurityType, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $WifiSsid, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ConfigureWifi, + + [Parameter()] + [System.String] + $TokenValue, + + [Parameter()] + 
[System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.DateTime] + $TokenCreationDateTime, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $WifiHidden, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $WifiPassword, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $EnrollmentMode, + + [Parameter()] + [PSObject] + $QrCodeImage, + + [Parameter()] + [System.String] + $AccountId, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.DateTime] + $TokenExpirationDateTime, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Int32] + $EnrolledDeviceCount, + + [Parameter()] + [PSObject] + $EnrollmentTokenType, + + [Parameter()] + [System.String] + $QrCodeContent, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Int32] + $EnrollmentTokenUsageCount, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsTeamsDeviceProfile, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaDeviceManagementAndroidDeviceOwnerEnrollmentProfile +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.String] + $IfMatch, + + 
[Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $AndroidDeviceOwnerEnrollmentProfileId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +#endregion From 67c13d2f3ad41cd6173c79a83012ca3e089ab6a4 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Sat, 26 Oct 2024 10:10:55 -0400 Subject: [PATCH 13/16] Update MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof --- ...eviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof index 15f16affc3..22fe3fc6f1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile/MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.schema.mof 
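Review bot: The new stub block is opened with `#region Microsoft.Graph.Authentication`, but the three cmdlets it declares are DeviceManagement enrollment-profile cmdlets, so the region label is misleading for anyone locating or regenerating stubs; it presumably belongs under the module that ships them (Microsoft.Graph.Beta.DeviceManagement.Enrollment — to be confirmed). No stub is added for an Update- cmdlet, which is consistent with the unit tests mocking only Get/New/Remove; if that is deliberate, a one-line comment in the region saying so would save the next reader a search. Note that the New- stub declares `[System.String] $WifiPassword`, so the resource has to unwrap the PSCredential it now accepts before calling the cmdlet; that conversion is outside this diff.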
@@ -29,7 +29,7 @@ class MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile : OMI_BaseRe
 [Write, Description("String that contains the wi-fi security type."), ValueMap{"none", "wpa", "wep"}] String WifiSecurityType;
 [Write, Description("Boolean that indicates if hidden wifi networks are enabled")] Boolean WifiHidden;
 [Write, Description("Boolean indicating if this profile is an Android AOSP for Teams device profile.")] Boolean IsTeamsDeviceProfile;
- [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present"}, Values{"Present"}] string Ensure;
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] string Ensure;
 [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
 [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
 [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
From dfe352e6634f9195eda462b43f9cbaad201bf9ee Mon Sep 17 00:00:00 2001
From: NikCharlebois
Date: Sat, 26 Oct 2024 14:38:12 +0000
Subject: [PATCH 14/16] Updated Resources and Cmdlet documentation pages
---
 ...mentAndroidDeviceOwnerEnrollmentProfile.md | 223 ++++++++++++++++++
 1 file changed, 223 insertions(+)
 create mode 100644 docs/docs/resources/intune/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.md
diff --git a/docs/docs/resources/intune/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.md b/docs/docs/resources/intune/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.md
new file mode 100644
index 0000000000..5418d04e0f
--- /dev/null
+++ b/docs/docs/resources/intune/IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile.md
@@ -0,0 +1,223 @@ +# IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | Display name for the enrollment profile. | | +| **Id** | Write | String | Unique GUID for the enrollment profile. Read-Only. | | +| **AccountId** | Write | String | Intune AccountId GUID the enrollment profile belongs to. | | +| **Description** | Write | String | Description for the enrollment profile. | | +| **EnrollmentMode** | Write | String | The enrollment mode of devices that use this enrollment profile. | `corporateOwnedDedicatedDevice`, `corporateOwnedFullyManaged`, `corporateOwnedWorkProfile`, `corporateOwnedAOSPUserlessDevice`, `corporateOwnedAOSPUserAssociatedDevice` | +| **EnrollmentTokenType** | Write | String | The enrollment token type for an enrollment profile. | `default`, `corporateOwnedDedicatedDeviceWithAzureADSharedMode`, `deviceStaging` | +| **TokenValue** | Write | String | Value of the most recently created token for this enrollment profile. | | +| **TokenCreationDateTime** | Write | String | Date time the most recently created token was created. | | +| **TokenExpirationDateTime** | Write | String | Date time the most recently created token will expire. | | +| **EnrolledDeviceCount** | Write | UInt32 | Total number of Android devices that have enrolled using this enrollment profile. | | +| **EnrollmentTokenUsageCount** | Write | UInt32 | Total number of AOSP devices that have enrolled using the current token. Valid values 0 to 20000 | | +| **QrCodeContent** | Write | String | String used to generate a QR code for the token. | | +| **QrCodeImage** | Write | String | String used to generate a QR code for the token. | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. 
| | +| **ConfigureWifi** | Write | Boolean | Boolean that indicates that the Wi-Fi network should be configured during device provisioning. When set to TRUE, device provisioning will use Wi-Fi related properties to automatically connect to Wi-Fi networks. When set to FALSE or undefined, other Wi-Fi related properties will be ignored. Default value is TRUE. Returned by default. | | +| **WifiSsid** | Write | String | String that contains the wi-fi login ssid | | +| **WifiPassword** | Write | PSCredential | String that contains the wi-fi login password. The parameter is a PSCredential object. | | +| **WifiSecurityType** | Write | String | String that contains the wi-fi security type. | `none`, `wpa`, `wep` | +| **WifiHidden** | Write | Boolean | Boolean that indicates if hidden wifi networks are enabled | | +| **IsTeamsDeviceProfile** | Write | Boolean | Boolean indicating if this profile is an Android AOSP for Teams device profile. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **type** | Write | String | Indicates the content mime type. 
| | +| **value** | Write | String | The byte array that contains the actual content. | | + +## Description + +Enrollment Profile used to enroll Android Enterprise devices using Google's Cloud Management. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; + } + } +} +``` + +### Example 2 + +This example is used 
to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Present"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $True; #Drift + WifiSecurityType = "none"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile "IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile" + { + AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"; + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConfigureWifi = $True; + Description = "This is my enrollment profile"; + DisplayName = "MyTestEnrollmentProfile"; + EnrolledDeviceCount = 0; + EnrollmentMode = "corporateOwnedDedicatedDevice"; + EnrollmentTokenType = "default"; + EnrollmentTokenUsageCount = 0; + Ensure = "Absent"; + IsTeamsDeviceProfile = $False; + RoleScopeTagIds = @("0"); + TenantId = $TenantId; + TokenCreationDateTime = "10/26/2024 1:02:29 AM"; + TokenExpirationDateTime = "10/31/2024 3:59:59 AM"; + WifiHidden = $False; + WifiSecurityType = "none"; + } + } +} +``` + From 5ec7483412c797972160b0d9379be824b4de7ff2 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Sat, 26 Oct 2024 14:40:30 +0000 Subject: [PATCH 15/16] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 140 ++++++++++++++++++ 1 file changed, 140 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index c022e6c25c..283665d2d7 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json 
@@ -35774,6 +35774,146 @@ } ] }, + { + "ClassName": "MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfileQRImage", + "Parameters": [ + { + "CIMType": "String", + "Name": "type", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AccountId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TokenValue", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TokenCreationDateTime", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TokenExpirationDateTime", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "EnrolledDeviceCount", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "EnrollmentTokenUsageCount", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QrCodeContent", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QrCodeImage", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ConfigureWifi", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WifiSsid", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "WifiPassword", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "WifiHidden", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsTeamsDeviceProfile", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { 
+ "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_IntuneDeviceRemediationRunSchedule", "Parameters": [ From 922406281aaabb67cd37b147a8f464781af8a868 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Sat, 26 Oct 2024 14:41:46 +0000 Subject: [PATCH 16/16] Updated {Create} Intune Integration Tests --- ...M365DSCIntegration.INTUNE.Create.Tests.ps1 | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 index 6d0984debe..99f00c6c45 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 
@@ -2237,6 +2237,27 @@
 TenantId = $TenantId;
 CertificateThumbprint = $CertificateThumbprint;
 }
+ IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile 'IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile-MyTestEnrollmentProfile'
+ {
+ AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e";
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ ConfigureWifi = $True;
+ Description = "This is my enrollment profile";
+ DisplayName = "MyTestEnrollmentProfile";
+ EnrolledDeviceCount = 0;
+ EnrollmentMode = "corporateOwnedDedicatedDevice";
+ EnrollmentTokenType = "default";
+ EnrollmentTokenUsageCount = 0;
+ Ensure = "Present";
+ IsTeamsDeviceProfile = $False;
+ RoleScopeTagIds = @("0");
+ TenantId = $TenantId;
+ TokenCreationDateTime = "10/26/2024 1:02:29 AM";
+ TokenExpirationDateTime = "10/31/2024 3:59:59 AM";
+ WifiHidden = $False;
+ WifiSecurityType = "none";
+ }
 IntuneDeviceRemediation 'ConfigureDeviceRemediation'
 {
 Assignments = @(
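Review bot: `AccountId = "8d2ac1fd-0ac9-4047-af2f-f1e6323c9a34e"` is not a well-formed GUID — its last group has 13 hex digits instead of 12 — so if the resource forwards AccountId to Graph this create test will fail on validation before it exercises anything. The fixed `TokenCreationDateTime = "10/26/2024 1:02:29 AM"` and `TokenExpirationDateTime = "10/31/2024 3:59:59 AM"` are already-past dates for a profile the test creates, and `ConfigureWifi = $True` is combined with `WifiSecurityType = "none"` and no WifiSsid; whether Graph rejects any of these is outside this diff, but a create test should use values that stay valid over time, e.g. `TokenExpirationDateTime = (Get-Date).AddDays(30).ToString("o");`. The same values appear in the generated documentation examples for this resource, so the fix belongs in the source example the docs and this test are built from.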