
Merge pull request #4362 from FabienTschanz/fix-enrollment-platforms
Fix Intune device enrollment platform restrictions
ykuijs authored Apr 3, 2024
2 parents 8776a69 + a100e20 commit 770982d
Showing 8 changed files with 148 additions and 69 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -38,6 +38,9 @@
* Fix group assignment by using the corrected function
Update-DeviceConfigurationPolicyAssignment from module M365DSCDRGUtil
FIXES [#4467](https://github.com/microsoft/Microsoft365DSC/issues/4467)
* IntuneDeviceEnrollmentPlatformRestriction
* Fixed an issue where nested settings would throw a conflict
FIXES [#4082](https://github.com/microsoft/Microsoft365DSC/issues/4082)
* IntuneDeviceEnrollmentStatusPageWindows10
* Added support for specifying SelectedMobileAppNames in addition to SelectedMobileAppIds,
which are different for each tenant.
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ function Get-TargetResource
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter()]
[Parameter(Mandatory = $true)]
[System.String]
$Identity,

Expand Down Expand Up @@ -109,6 +109,20 @@ function Get-TargetResource
$nullResult = $PSBoundParameters
$nullResult.Ensure = 'Absent'

$PlatformType = ''
$keys = (([Hashtable]$PSBoundParameters).Clone()).Keys
foreach ($key in $keys)
{
if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*' -and $key -like "*Restriction")
{
if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' )
{
$PlatformType = $key.replace('Restriction', '')
break
}
}
}

try
{
try {
Expand All @@ -120,17 +134,21 @@ function Get-TargetResource

if ($null -eq $config)
{
Write-Verbose -Message "No Device Enrollment Platform Restriction {$Identity} was found. Trying to retrieve instance by name {$DisplayName}"
Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with Id {$Identity}"
$config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -Filter "DisplayName eq '$DisplayName'" `
-ErrorAction silentlyContinue
-ErrorAction SilentlyContinue | Where-Object -FilterScript {
$_.AdditionalProperties.'@odata.type' -like "#microsoft.graph.deviceEnrollmentPlatformRestriction*Configuration" -and
$(if ($null -ne $_.AdditionalProperties.platformType) { $_.AdditionalProperties.platformType -eq $PlatformType } else { $true })
}

if ($null -eq $config)
{
Write-Verbose -Message "No instances found by name {$DisplayName}"
Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}"
return $nullResult
}
}

Write-Verbose -Message "Found Device Enrollment Platform Restriction with Name {$($config.DisplayName)}"
Write-Verbose -Message "Found Intune Device Enrollment Platform Restriction with Name {$($config.DisplayName)}"
$results = @{
Identity = $config.Id
DisplayName = $config.DisplayName
Expand All @@ -143,7 +161,7 @@ function Get-TargetResource
TenantId = $TenantId
ApplicationSecret = $ApplicationSecret
CertificateThumbprint = $CertificateThumbprint
Managedidentity = $ManagedIdentity.IsPresent
ManagedIdentity = $ManagedIdentity.IsPresent
}

$results += Get-DevicePlatformRestrictionSetting -Properties $config.AdditionalProperties
Expand All @@ -153,13 +171,14 @@ function Get-TargetResource
$results.Remove('WindowsMobileRestriction') | Out-Null
}

$AssignmentsValues = Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment -DeviceEnrollmentConfigurationId $config.Id
$assignmentsValues = Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment -DeviceEnrollmentConfigurationId $config.Id
$assignmentResult = @()
foreach ($assignmentEntry in $AssignmentsValues)
foreach ($assignmentEntry in $assignmentsValues)
{
$assignmentValue = @{
dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type'
deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()
deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType)
{ $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() })
deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId
groupId = $assignmentEntry.Target.AdditionalProperties.groupId
}
Expand All @@ -186,7 +205,7 @@ function Set-TargetResource
[CmdletBinding()]
param
(
[Parameter()]
[Parameter(Mandatory = $true)]
[System.String]
$Identity,

Expand Down Expand Up @@ -288,7 +307,11 @@ function Set-TargetResource
Add-M365DSCTelemetryEvent -Data $data
#endregion

$currentCategory = Get-TargetResource @PSBoundParameters
if ($Ensure -eq 'Absent' -and $Identity -like '*_DefaultPlatformRestrictions') {
throw 'Cannot delete the default platform restriction policy.'
}

$currentInstance = Get-TargetResource @PSBoundParameters
$PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
$PSBoundParameters.Remove('Identity') | Out-Null
$PriorityPresent = $false
Expand All @@ -298,9 +321,9 @@ function Set-TargetResource
$PSBoundParameters.Remove('Priority') | Out-Null
}

if ($Ensure -eq 'Present' -and $currentCategory.Ensure -eq 'Absent')
if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
{
Write-Verbose -Message "Creating new Device Enrollment Platform Restriction {$DisplayName}"
Write-Verbose -Message "Creating an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}"

$PSBoundParameters.Remove('Assignments') | Out-Null

Expand All @@ -309,12 +332,11 @@ function Set-TargetResource
if ($WindowsMobileRestriction.platformBlocked -eq $false)
{
Write-Verbose -Message 'Windows Mobile platform is deprecated and cannot be unblocked, reverting back to blocked'

$WindowsMobileRestriction.platformBlocked = $true
}
}

$keys = (([Hashtable]$PSBoundParameters).clone()).Keys
$keys = (([Hashtable]$PSBoundParameters).Clone()).Keys
foreach ($key in $keys)
{
$keyName = $key.substring(0, 1).toLower() + $key.substring(1, $key.length - 1)
Expand Down Expand Up @@ -345,18 +367,22 @@ function Set-TargetResource
$policy = New-MgBetaDeviceManagementDeviceEnrollmentConfiguration `
-BodyParameter ([hashtable]$PSBoundParameters)

#Assignments from DefaultPolicy are not editable and will raise an alert
# Assignments from DefaultPolicy are not editable and will raise an alert
if ($policy.Id -notlike '*_DefaultPlatformRestrictions')
{
if ($null -ne $Assignments -and $Assignments -ne @())
$assignmentsHash = @()
if ($null -ne $Assignments -and $Assignments.Length -gt 0)
{
$assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments

Update-DeviceConfigurationPolicyAssignment `
-DeviceConfigurationPolicyId $policy.Id `
-Targets $assignmentsHash `
-Repository 'deviceManagement/deviceEnrollmentConfigurations'
foreach ($assignment in $Assignments)
{
$assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment
}
}
Update-DeviceConfigurationPolicyAssignment `
-DeviceConfigurationPolicyId $policy.Id `
-Targets $assignmentsHash `
-Repository 'deviceManagement/deviceEnrollmentConfigurations' `
-RootIdentifier 'enrollmentConfigurationAssignments'

if ($PriorityPresent -and $Priority -ne $policy.Priority)
{
Expand All @@ -368,9 +394,9 @@ function Set-TargetResource
}
}
}
elseif ($Ensure -eq 'Present' -and $currentCategory.Ensure -eq 'Present')
elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Updating Device Enrollment Platform Restriction {$DisplayName}"
Write-Verbose -Message "Updating the Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}"

$PSBoundParameters.Remove('Assignments') | Out-Null

Expand All @@ -379,12 +405,11 @@ function Set-TargetResource
if ($WindowsMobileRestriction.platformBlocked -eq $false)
{
Write-Verbose -Message 'Windows Mobile platform is deprecated and cannot be unblocked, reverting back to blocked'

$WindowsMobileRestriction.platformBlocked = $true
}
}

$keys = (([Hashtable]$PSBoundParameters).clone()).Keys
$keys = (([Hashtable]$PSBoundParameters).Clone()).Keys
foreach ($key in $keys)
{
$keyName = $key.substring(0, 1).toLower() + $key.substring(1, $key.length - 1)
Expand All @@ -407,39 +432,44 @@ function Set-TargetResource
$policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
}
$PSBoundParameters.add('@odata.type', $policyType)

#Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20)

Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration `
-BodyParameter ([hashtable]$PSBoundParameters) `
-DeviceEnrollmentConfigurationId $currentCategory.Identity
-DeviceEnrollmentConfigurationId $currentInstance.Identity `
-BodyParameter ([hashtable]$PSBoundParameters)

#Assignments from DefaultPolicy are not editable and will raise an alert
if ($currentCategory.Identity -notlike '*_DefaultPlatformRestrictions')
# Assignments from DefaultPolicy are not editable and will raise an alert
if ($currentInstance.Identity -notlike '*_DefaultPlatformRestrictions')
{
if ($null -ne $Assignments -and $Assignments -ne @())
$assignmentsHash = @()
if ($null -ne $Assignments -and $Assignments.Length -gt 0)
{
$assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments

Update-DeviceConfigurationPolicyAssignment `
-DeviceConfigurationPolicyId $currentCategory.Identity `
-Targets $assignmentsHash `
-Repository 'deviceManagement/deviceEnrollmentConfigurations'
foreach ($assignment in $Assignments)
{
$assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment
}
}
Update-DeviceConfigurationPolicyAssignment `
-DeviceConfigurationPolicyId $currentInstance.Identity `
-Targets $assignmentsHash `
-Repository 'deviceManagement/deviceEnrollmentConfigurations' `
-RootIdentifier 'enrollmentConfigurationAssignments'

if ($PriorityPresent -and $Priority -ne $currentCategory.Priority)
if ($PriorityPresent -and $Priority -ne $currentInstance.Priority)
{
$Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $currentCategory.Identity
$Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $currentInstance.Identity
$Body = @{
priority = $Priority
}
Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body
}
}
}
elseif ($Ensure -eq 'Absent' -and $currentCategory.Ensure -eq 'Present')
elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
{
Write-Verbose -Message "Removing Device Enrollment Platform Restriction {$DisplayName}"

Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $currentCategory.Identity
Write-Verbose -Message "Removing the Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}"
Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $currentInstance.Identity
}
}

Expand All @@ -449,7 +479,7 @@ function Test-TargetResource
[OutputType([System.Boolean])]
param
(
[Parameter()]
[Parameter(Mandatory = $true)]
[System.String]
$Identity,

Expand Down Expand Up @@ -546,10 +576,10 @@ function Test-TargetResource
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion
Write-Verbose -Message "Testing configuration of Device Enrollment Platform Restriction {$DisplayName}"
Write-Verbose -Message "Testing configuration of the Intune Device Enrollment Platform Restriction with Id {$Identity} and DisplayName {$DisplayName}"

$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()

if ($CurrentValues.Ensure -ne $Ensure)
{
Expand Down Expand Up @@ -597,6 +627,7 @@ function Test-TargetResource

Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"

#Compare basic parameters
if ($testResult)
{
Expand All @@ -607,9 +638,9 @@ function Test-TargetResource
-ValuesToCheck $ValuesToCheck.Keys
}

Write-Verbose -Message "Test-TargetResource returned $TestResult"
Write-Verbose -Message "Test-TargetResource returned $testResult"

return $TestResult
return $testResult
}

function Export-TargetResource
Expand Down Expand Up @@ -663,8 +694,10 @@ function Export-TargetResource

try
{
[array]$configs = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -All:$true -Filter $Filter -ErrorAction Stop `
| Where-Object -FilterScript { $_.AdditionalProperties.'@odata.type' -like '#microsoft.graph.deviceEnrollmentPlatform*Configuration' }
[array]$configs = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration `
-All `
-Filter "deviceEnrollmentConfigurationType eq 'singlePlatformRestriction'" `
-ErrorAction Stop

$i = 1
$dscContent = ''
Expand All @@ -688,7 +721,7 @@ function Export-TargetResource
TenantId = $TenantId
ApplicationSecret = $ApplicationSecret
CertificateThumbprint = $CertificateThumbprint
Managedidentity = $ManagedIdentity.IsPresent
ManagedIdentity = $ManagedIdentity.IsPresent
}
$Results = Get-TargetResource @Params

Expand Down Expand Up @@ -817,7 +850,6 @@ function Export-TargetResource
-Results $Results `
-Credential $Credential


if ($null -ne $Results.Assignments)
{
$isCIMArray = $false
Expand All @@ -842,6 +874,7 @@ function Export-TargetResource
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'WindowsHomeSkuRestriction'
}

if ($null -ne $Results.WindowsMobileRestriction)
{
$currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'WindowsMobileRestriction'
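Review bot: The rewritten Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration call in Export-TargetResource hard-codes `-Filter "deviceEnrollmentConfigurationType eq 'singlePlatformRestriction'"` and no longer passes the function's `$Filter` parameter that the removed line used, so a caller-supplied filter is now silently ignored; combine them instead, e.g. `$typeFilter = "deviceEnrollmentConfigurationType eq 'singlePlatformRestriction'"`, `if (-not [System.String]::IsNullOrEmpty($Filter)) { $typeFilter = "($typeFilter) and ($Filter)" }`, and pass `-Filter $typeFilter`. The removed Where-Object also matched `#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration` policies, which Set-TargetResource still creates via `$policyType`, so those presumably stop being exported — worth confirming that is intended or recording it in the CHANGELOG entry. Separately, the DisplayName fallback this commit extends in Get-TargetResource still builds the OData literal as `'$DisplayName'`; a name containing an apostrophe yields a malformed filter, and doubling single quotes (`$DisplayName.Replace("'", "''")`) before interpolation keeps the lookup robust. Export-TargetResource begins before this hunk.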