
IntuneAppConfigurationDevicePolicy: Not working #4724

Closed
ricmestre opened this issue May 31, 2024 · 12 comments · Fixed by #4727

Comments

@ricmestre
Contributor

Description of the issue

I have 2 policies of this kind, one for Android and another for iOS and they have 2 different problems. I'm able to export them but:

I cannot apply the Android policy to a different tenant; the error message, as whenever something bad happens on the Graph side, is not conclusive, and no, there's nothing additional in Event Viewer to debug this further.

For the iOS policy it's easy: the module is calling Get-M365DSCDRGComplexTypeToString on MicrosoftGraphappConfigurationSettingItem1 instead of MicrosoftGraphappConfigurationSettingItem as referenced in the schema, so it complains when trying to compile the blueprint to MOF that that type doesn't exist. After changing the blueprint manually to the correct type I was able to compile it and apply the policy to another tenant, but then there's another problem: Test-DscConfiguration returns false. It looks like Assignments is not working; this is because groupDisplayName is not being exported, only the groupId, which of course won't work when applying to a different tenant since those Ids don't exist in the target tenant.

@FabienTschanz Could you please have a look?

Microsoft 365 DSC Version

1.24.529.1

Which workloads are affected

Intune

The DSC configuration

        IntuneAppConfigurationDevicePolicy "IntuneAppConfigurationDevicePolicy-Apple iOS - Outlook Configuration Profile"
        {
            Assignments          = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    groupId = '5f193407-78ae-4e74-8c36-ed2db0bcad90'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'fd028132-7fb9-4f7c-b3d9-8767e2508b0b'
                }
            );
            Credential           = $Credscredential;
            Description          = "";
            DisplayName          = "Apple iOS - Outlook Configuration Profile";
            Ensure               = "Present";
            Id                   = "838c7429-3336-4e70-a896-807e0561b8ec";
            RoleScopeTagIds      = @("0");
            Settings             = @(
                MSFT_MicrosoftGraphappConfigurationSettingItem1{
                    AppConfigKey = 'com.microsoft.outlook.EmailProfile.AccountType'
                    AppConfigKeyType = 'stringType'
                    AppConfigKeyValue = 'ModernAuth'
                }
                MSFT_MicrosoftGraphappConfigurationSettingItem1{
                    AppConfigKey = 'com.microsoft.outlook.EmailProfile.EmailUPN'
                    AppConfigKeyType = 'stringType'
                    AppConfigKeyValue = '{{userprincipalname}}'
                }
                MSFT_MicrosoftGraphappConfigurationSettingItem1{
                    AppConfigKey = 'com.microsoft.outlook.EmailProfile.EmailAddress'
                    AppConfigKeyType = 'stringType'
                    AppConfigKeyValue = '{{mail}}'
                }
                MSFT_MicrosoftGraphappConfigurationSettingItem1{
                    AppConfigKey = 'com.microsoft.outlook.Mail.FocusedInbox'
                    AppConfigKeyType = 'booleanType'
                    AppConfigKeyValue = 'true'
                }
                MSFT_MicrosoftGraphappConfigurationSettingItem1{
                    AppConfigKey = 'com.microsoft.outlook.Contacts.LocalSyncEnabled'
                    AppConfigKeyType = 'booleanType'
                    AppConfigKeyValue = 'true'
                }
                MSFT_MicrosoftGraphappConfigurationSettingItem1{
                    AppConfigKey = 'com.microsoft.outlook.Mail.BlockExternalImagesEnabled'
                    AppConfigKeyType = 'booleanType'
                    AppConfigKeyValue = 'false'
                }
            );
            TargetedMobileApps   = @("ce0d9513-9e59-47d3-af47-5599f85c4104");
        }
        IntuneAppConfigurationDevicePolicy "IntuneAppConfigurationDevicePolicy-Android Work Profile - Outlook Configuration Profile"
        {
            Assignments          = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = '832e341f-af79-43e4-bfcb-aa31f2fb4112'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    groupId = 'e2ac5083-d70c-4bd5-9b17-5e9bd5c23372'
                }
            );
            ConnectedAppsEnabled = $False;
            Credential           = $Credscredential;
            Description          = "";
            DisplayName          = "Android Work Profile - Outlook Configuration Profile";
            Ensure               = "Present";
            Id                   = "f2414a0b-9d79-4bff-b8b4-ed968fc6feb2";
            PackageId            = "app:com.microsoft.office.outlook";
            PayloadJson          = "<PayloadJson value omitted>";
            ProfileApplicability = "default";
            RoleScopeTagIds      = @("0");
            TargetedMobileApps   = @("386d347e-51dd-419c-85c1-02918f07538b");
        }

Verbose logs showing the problem

VERBOSE: [  REDACTED]: [[IntuneAppConfigurationDevicePolicy]IntuneAppConfigurationDevicePolicy-Android Work Profile - Outlook Configuration Profile] Creating an Intune App Configuration Device Policy with DisplayName {Android Work Profile - Outlook Configuration Profile}
[BadRequest] :
{
"_version": 3,
"Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 1a34666b-2d89-4020-a16b-170a1732f322 - Url: 2405/StatelessAppMetadataFEService/deviceAppManagement/mobileAppConfigurations?api-version=5024-03-08",
"CustomApiErrorPhrase": "",
"RetryAfter": null,
"ErrorSourceService": "",
"HttpHeaders": "{}"
}
+ CategoryInfo          : InvalidOperation: ({ Headers = , b...Configuration }:) [], CimException
+ FullyQualifiedErrorId : BadRequest,Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaDeviceAppManagementMobileAppConfiguration_Create
+ PSComputerName        : localhost
VERBOSE: [  REDACTED]: LCM:  [ End    Set      ]  [[IntuneAppConfigurationDevicePolicy]IntuneAppConfigurationDevicePolicy-Android Work Profile - Outlook Configuration Profile]  in 1.5980 seconds.
The PowerShell DSC resource '[IntuneAppConfigurationDevicePolicy]IntuneAppConfigurationDevicePolicy-Android Work Profile - Outlook Configuration Profile' with SourceInfo 'C:\temp\dsc\IntuneAppConfigurationDevicePolicy.ps1::34::9::IntuneAppConfigurationDevicePolicy' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo          : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName        : localhost
VERBOSE: [  REDACTED]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName        : localhost

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US, en-GB}

Name                           Value
----                           -----
PSVersion                      5.1.22621.2506
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2506
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
@FabienTschanz
Contributor

@ricmestre Will do, but honestly I don't have any idea why it worked for all settings I checked with. Sorry about that.

@FabienTschanz
Contributor

FabienTschanz commented May 31, 2024

@ricmestre I created a pull request to address the assignments and the MOF compilation. Your error with the Android policy is because you probably want to target the Outlook app, but the TargetedMobileApps references the PowerPoint application. If you want to target Outlook, the id would be 690b2365-6bf5-4c8f-b916-99f4dd49899e.

By the way: Thank you for the hint with the groupDisplayName, I'll check and add that to the DRG in my pull request.

@ricmestre
Contributor Author

ricmestre commented May 31, 2024

@FabienTschanz Thank you for looking into this so quickly :)

The assignments are now being exported with the display name and I can use them to apply the policy to another tenant, but the comparison still fails; if I change that chunk to what's in IntuneDeviceConfigurationPolicyWindows10 then it works, please check it here. EDIT: Maybe it's also a good candidate to include in the DRG, since the one placed there is the same one you used here.

Regarding the Android policy thanks for the tip but unfortunately it still fails with the same error message even after using the correct Id.

@FabienTschanz
Contributor

@ricmestre I updated the logic to be pretty much the same as in the code you mentioned, but with an existing comparison function for the assignments. I'll check your Android policy again.

@FabienTschanz
Contributor

@ricmestre I took your configuration and only changed the id in TargetedMobileApps to the one I mentioned earlier, and creating and updating the policy works without any issues. I'm a bit confused here 😕

@ricmestre
Contributor Author

ricmestre commented Jun 4, 2024

I struggled a bit here syncing the managed Android store, but basically I'm now able to apply the policy with one caveat: the Id of the targeted app is actually always different for each tenant, so after applying the correct one assigned to mine it worked. For some reason the iOS policy doesn't complain, but after opening it in the admin portal it says that the targeted app doesn't exist anymore and therefore the policy can be deleted.

So the missing link here is to also export the names of the apps along with their GUIDs, and then in Set-TargetResource search for the GUID and if not found search by display name.

EDIT: Forgot to add, but what if there are apps with the same name, as there will be, like the ones from Microsoft for each OS? Is there a way to differentiate? Would it be better to split this resource into different OSes?

EDIT2: Just having the app's display name exported might not be enough; I forgot that even for the same OS there might be separate apps for each store from which you can install them, e.g. since I synced my managed Google Play store I now have 2 "Microsoft Outlook" apps, one for the managed store and another for the regular store (note that I still have yet another one just for iOS). Get-MgBetaDeviceAppMgtMobileApp gives you this information.

@FabienTschanz
Contributor

@ricmestre Thanks a bunch for the analysis. My 2 cents:

A differentiation into different OSes shouldn't be necessary. Policies for iOS contain either the property EncodedSettingXml or Settings, whereas the Android policies contain payloadJson (and packageId, but I don't use that one). I also wouldn't export the display name, but rather the unique app identifier, which is the packageId for Android and bundleId for iOS. That way, as soon as I have differentiated the OS, I can adapt the filter and search for the appropriate app, grab that id and insert it into targetedMobileApps.

Will test that and provide an updated version. Sure hope that's the last thing we have to fix before it finally works as intended 😢

@ricmestre
Contributor Author

In that case it's easy to differentiate and filter the OSes; nevertheless, please remember the different stores for Android. See below: the first entry #microsoft.graph.managedAndroidStoreApp is for the regular store, the second entry is iOS which you can ignore for now, and the last entry #microsoft.graph.androidManagedStoreApp is for the managed Google Play store, so we both know that it's exactly the same app, but it's actually not, since they are from different stores!

Also it's very confusing why they used such similar names for both stores, but it is what it is.

[image: list of the three "Microsoft Outlook" mobile apps with their @odata.type values]

@FabienTschanz
Contributor

@ricmestre Got it, thanks a bunch for the hint. I just analyzed the Intune portal and found out that only apps of type managedAndroidStoreApp are selectable for the configuration policies. Will consider that in my implementation. Stay tuned.
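The two cross-tenant lookups discussed in this thread (resolving an exported Assignments groupId by its exported groupDisplayName, and resolving a TargetedMobileApps id by packageId or bundleId while filtering on the store type) as an added PowerShell example. This is not code from Microsoft365DSC or from the PR; the `$TargetGroups` and `$TargetApps` collections are constructed inline to stand in for what Get-MgGroup and Get-MgBetaDeviceAppMgtMobileApp return, the property names `@odata.type`, `packageId` and `bundleId` follow the Graph mobileApp schema, and the assumption that the mobileApp `packageId` is stored without the `app:` prefix is handled by accepting both forms.

```powershell
# Added example, not Microsoft365DSC code: resolve the tenant-specific GUIDs inside an
# exported IntuneAppConfigurationDevicePolicy against the objects of a target tenant.

function Resolve-GroupId {
    param(
        [Parameter(Mandatory)] [string]   $GroupId,
        [string]                          $GroupDisplayName,
        [Parameter(Mandatory)] [object[]] $TargetGroups   # stand-in for Get-MgGroup output
    )
    # 1. Exact id match: the export came from this same tenant.
    $byId = @($TargetGroups | Where-Object { $_.Id -eq $GroupId })
    if ($byId.Count -eq 1) { return $byId[0].Id }
    # 2. Fall back to the exported display name; a duplicate name is ambiguous, so fail loudly
    #    instead of silently assigning the policy to the wrong group.
    if (-not $GroupDisplayName) {
        throw "Group $GroupId not found in the target tenant and no groupDisplayName was exported."
    }
    $byName = @($TargetGroups | Where-Object { $_.DisplayName -eq $GroupDisplayName })
    if ($byName.Count -ne 1) {
        throw "Expected exactly one group named '$GroupDisplayName', found $($byName.Count)."
    }
    return $byName[0].Id
}

function Resolve-TargetedMobileAppId {
    param(
        [Parameter(Mandatory)] [string]   $AppId,
        [string]                          $PackageId,   # Android, e.g. app:com.microsoft.office.outlook
        [string]                          $BundleId,    # iOS bundle identifier
        [Parameter(Mandatory)] [object[]] $TargetApps   # stand-in for Get-MgBetaDeviceAppMgtMobileApp output
    )
    $byId = @($TargetApps | Where-Object { $_.id -eq $AppId })
    if ($byId.Count -eq 1) { return $byId[0].id }

    if ($PackageId) {
        # Per the thread, only apps of type managedAndroidStoreApp are selectable for these
        # policies, so the androidManagedStoreApp duplicate with the same packageId is skipped.
        $candidates = @($TargetApps | Where-Object {
            $_.'@odata.type' -eq '#microsoft.graph.managedAndroidStoreApp' -and
            ($_.packageId -eq $PackageId -or "app:$($_.packageId)" -eq $PackageId)   # assumption: Graph omits the app: prefix
        })
    }
    elseif ($BundleId) {
        $candidates = @($TargetApps | Where-Object {
            $_.'@odata.type' -eq '#microsoft.graph.iosStoreApp' -and $_.bundleId -eq $BundleId
        })
    }
    else {
        throw "App $AppId not found in the target tenant and no packageId/bundleId was exported."
    }
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one matching app, found $($candidates.Count)."
    }
    return $candidates[0].id
}

# Constructed sample data standing in for the target tenant (all ids are made up).
$TargetGroups = @(
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; DisplayName = 'Outlook Users' }
)
$TargetApps = @(
    [pscustomobject]@{ id = 'aaaaaaaa-0000-0000-0000-000000000001'; '@odata.type' = '#microsoft.graph.managedAndroidStoreApp'; displayName = 'Microsoft Outlook'; packageId = 'com.microsoft.office.outlook' }
    [pscustomobject]@{ id = 'aaaaaaaa-0000-0000-0000-000000000002'; '@odata.type' = '#microsoft.graph.androidManagedStoreApp'; displayName = 'Microsoft Outlook'; packageId = 'com.microsoft.office.outlook' }
    [pscustomobject]@{ id = 'aaaaaaaa-0000-0000-0000-000000000003'; '@odata.type' = '#microsoft.graph.iosStoreApp';             displayName = 'Microsoft Outlook'; bundleId  = 'com.microsoft.Office.Outlook' }
)

# The GUIDs from the source tenant's export do not exist here, so both fall back to the secondary key.
Resolve-GroupId -GroupId 'fd028132-7fb9-4f7c-b3d9-8767e2508b0b' -GroupDisplayName 'Outlook Users' -TargetGroups $TargetGroups
# returns 11111111-1111-1111-1111-111111111111
Resolve-TargetedMobileAppId -AppId '386d347e-51dd-419c-85c1-02918f07538b' -PackageId 'app:com.microsoft.office.outlook' -TargetApps $TargetApps
# returns aaaaaaaa-0000-0000-0000-000000000001 (the managedAndroidStoreApp entry, not its managed-store twin)
```

Both resolvers deliberately throw on zero or multiple matches rather than picking the first hit: assigning a configuration policy to an unintended group, or targeting the wrong store's copy of an app, is exactly the silent drift that Test-DscConfiguration is supposed to catch.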

@FabienTschanz
Contributor

@ricmestre Should all be done now. If you want, you can try it again with the latest changes in my PR. I set it to Draft to prevent a merge if it doesn't work correctly, but from my testing it works.

@ricmestre
Contributor Author

ricmestre commented Jun 4, 2024

@FabienTschanz Code looks good but more importantly everything is working now :) I tried to export my current policies from tenant A, apply them to a tenant B, change their settings to something else and then finally remove them and everything worked.

The admins who will be using this will probably not understand what they're even looking at in the Android's payloadJson; would it be too much to convert it to JSON in exports and then back to JWT when setting it? Something like the below; if it's too much to ask I can do it myself after your PR is approved.

# Convert $payloadJson (base64) to JSON; decode as UTF-8 so it matches the encoding step below
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payloadJson))

# Convert $json back to the base64 (JWT-style) string Graph expects
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))
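The same round trip wrapped in two functions that validate the JSON on both sides, as an added example that is not part of the original comment or of Microsoft365DSC. The sample managed configuration is constructed here; the key names are the Outlook keys used in the iOS policy above, and the surrounding `kind`/`productId`/`managedProperty` shape is an assumption about the managed Google Play configuration format, not something taken from the page.

```powershell
# Added example, not Microsoft365DSC code: round-trip the Android PayloadJson property between
# the base64 form that Graph stores and readable JSON for an export.

function ConvertFrom-PayloadJson {
    param([Parameter(Mandatory)] [string] $PayloadJson)
    # Decode as UTF-8, not ASCII, so non-ASCII characters in values survive the round trip.
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($PayloadJson))
    # Reject a payload that is not JSON here, at export time, rather than discovering it
    # at Set-TargetResource time in the target tenant with an unhelpful Graph error.
    $null = $json | ConvertFrom-Json -ErrorAction Stop
    return $json
}

function ConvertTo-PayloadJson {
    param([Parameter(Mandatory)] [string] $Json)
    $null = $Json | ConvertFrom-Json -ErrorAction Stop   # same validation before encoding
    return [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Json))
}

# Constructed sample managed configuration for the Outlook package (shape is an assumption).
$sample = [ordered]@{
    kind            = 'androidenterprise#managedConfiguration'
    productId       = 'app:com.microsoft.office.outlook'
    managedProperty = @(
        @{ key = 'com.microsoft.outlook.EmailProfile.AccountType'; valueString = 'ModernAuth' }
        @{ key = 'com.microsoft.outlook.Mail.FocusedInbox';        valueBool   = $true }
    )
} | ConvertTo-Json -Depth 5 -Compress

$encoded = ConvertTo-PayloadJson -Json $sample          # what would be sent to Graph
$decoded = ConvertFrom-PayloadJson -PayloadJson $encoded # what would be written to the export
if ($decoded -ne $sample) { throw 'PayloadJson round-trip mismatch' }

# Pretty-printed form for the reader of the export; -Compress above keeps the stored form compact.
$decoded | ConvertFrom-Json | ConvertTo-Json -Depth 5

# A payload that is valid base64 but not JSON is rejected instead of being exported as-is.
try { ConvertFrom-PayloadJson -PayloadJson ([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('not json'))) }
catch { Write-Warning "Rejected invalid payload: $($_.Exception.Message)" }
```

Validating with ConvertFrom-Json on both sides costs nothing and turns a malformed payload into a local error with a readable message, which is the part the Graph BadRequest above never gives you.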

@FabienTschanz
Contributor

@ricmestre Awesome, thanks for the feedback. I agree that the real JSON content would be better, unfortunately ReverseDSC has an issue with nested double quotes ("), which get all deleted if they are in a property block. I have microsoft/ReverseDSC#36 open that addresses that issue, but unfortunately it is not yet merged 😢

In my opinion, as soon as that one is merged, we can switch to the real JSON string in the configuration. @NikCharlebois Can you help us with merging the PR over in the ReverseDSC repository?
