diff --git a/CHANGELOG.md b/CHANGELOG.md index a79a6282eb..c2b154ff4c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -36,6 +36,9 @@ * Fix group assignment by using the corrected function Update-DeviceConfigurationPolicyAssignment from module M365DSCDRGUtil FIXES [#4467](https://github.com/microsoft/Microsoft365DSC/issues/4467) +* IntuneDeviceEnrollmentPlatformRestriction + * Fixed an issue where nested settings would throw a conflict + FIXES [#4082](https://github.com/microsoft/Microsoft365DSC/issues/4082) * IntuneDeviceEnrollmentStatusPageWindows10 * Added support for specifying SelectedMobileAppNames in addition to SelectedMobileAppIds, which are different for each tenant. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 index b6f2f20f3d..b0b9856958 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 @@ -4,7 +4,7 @@ function Get-TargetResource [OutputType([System.Collections.Hashtable])] param ( - [Parameter()] + [Parameter(Mandatory = $true)] [System.String] $Identity, @@ -109,6 +109,20 @@ function Get-TargetResource $nullResult = $PSBoundParameters $nullResult.Ensure = 'Absent' + $PlatformType = '' + $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*' -and $key -like "*Restriction") + { + if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' ) + { + $PlatformType = $key.replace('Restriction', '') + break + } + } + } + try { try { 
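Review bot: In the block added to Get-TargetResource at `@@ -109`, `$PlatformType` stays `''` whenever no `*Restriction` parameter is bound or the type is not `singlePlatformRestriction`, and nothing in the code says that this is intended. The value appears to feed the display-name fallback in the next hunk, where an empty string can never equal a policy's `platformType`, so a configuration that supplies only `Identity` and `DisplayName` would presumably never match a single-platform policy by name. I would add a comment above the loop such as `# Platform type is derived from the name of the bound *Restriction parameter; it stays empty for platformRestrictions or when no restriction is passed`. The `$DeviceEnrollmentConfigurationType` test is loop-invariant and could wrap the `foreach` instead of sitting inside it. Get-TargetResource continues outside this hunk.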
@@ -120,17 +134,21 @@ function Get-TargetResource if ($null -eq $config) { - Write-Verbose -Message "No Device Enrollment Platform Restriction {$Identity} was found. Trying to retrieve instance by name {$DisplayName}" + Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with Id {$Identity}" $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -Filter "DisplayName eq '$DisplayName'" ` - -ErrorAction silentlyContinue + -ErrorAction SilentlyContinue | Where-Object -FilterScript { + $_.AdditionalProperties.'@odata.type' -like "#microsoft.graph.deviceEnrollmentPlatformRestriction*Configuration" -and + $(if ($null -ne $_.AdditionalProperties.platformType) { $_.AdditionalProperties.platformType -eq $PlatformType } else { $true }) + } + if ($null -eq $config) { - Write-Verbose -Message "No instances found by name {$DisplayName}" + Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" return $nullResult } } - Write-Verbose -Message "Found Device Enrollment Platform Restriction with Name {$($config.DisplayName)}" + Write-Verbose -Message "Found Intune Device Enrollment Platform Restriction with Name {$($config.DisplayName)}" $results = @{ Identity = $config.Id DisplayName = $config.DisplayName @@ -143,7 +161,7 @@ function Get-TargetResource TenantId = $TenantId ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent + ManagedIdentity = $ManagedIdentity.IsPresent } $results += Get-DevicePlatformRestrictionSetting -Properties $config.AdditionalProperties 
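Review bot: The display-name fallback in `@@ -120` can bind this resource to a policy other than the one the configuration names: `$DisplayName` is interpolated into the OData filter unescaped, and a result with more than one element is not rejected. A display name containing `'` changes or breaks the filter expression, and two policies sharing a name and platform type leave `$config` as an array, so `$config.Id` becomes a list that Set-TargetResource later uses for update or removal. I would escape the value, `-Filter "DisplayName eq '$($DisplayName.Replace("'", "''"))'"`, and return `$nullResult` (or throw) when more than one configuration survives the `Where-Object`. Because `-ErrorAction SilentlyContinue` also hides request failures, a failed lookup is reported as "not found".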
@@ -153,13 +171,14 @@ function Get-TargetResource $results.Remove('WindowsMobileRestriction') | Out-Null } - $AssignmentsValues = Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment -DeviceEnrollmentConfigurationId $config.Id + $assignmentsValues = Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment -DeviceEnrollmentConfigurationId $config.Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + foreach ($assignmentEntry in $assignmentsValues) { $assignmentValue = @{ dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() + deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) + { $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() }) deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId groupId = $assignmentEntry.Target.AdditionalProperties.groupId } @@ -186,7 +205,7 @@ function Set-TargetResource [CmdletBinding()] param ( - [Parameter()] + [Parameter(Mandatory = $true)] [System.String] $Identity, @@ -288,7 +307,11 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - $currentCategory = Get-TargetResource @PSBoundParameters + if ($Ensure -eq 'Absent' -and $Identity -like '*_DefaultPlatformRestrictions') { + throw 'Cannot delete the default platform restriction policy.' + } + + $currentInstance = Get-TargetResource @PSBoundParameters $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters $PSBoundParameters.Remove('Identity') | Out-Null $PriorityPresent = $false 
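Review bot: The new delete guard in `@@ -288` checks only the caller-supplied `$Identity`, while the removal further down acts on `$currentInstance.Identity`, which Get-TargetResource may have resolved through its display-name fallback. A configuration with `Ensure = 'Absent'`, a stale or mistyped `Identity` and the default policy's display name would pass the guard and still reach `Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration` for the default policy. I would run the check after the `Get-TargetResource` call and test the resolved id as well: `if ($Ensure -eq 'Absent' -and ($Identity -like '*_DefaultPlatformRestrictions' -or $currentInstance.Identity -like '*_DefaultPlatformRestrictions'))`. Set-TargetResource starts and ends outside this hunk.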
@@ -298,9 +321,9 @@ function Set-TargetResource $PSBoundParameters.Remove('Priority') | Out-Null } - if ($Ensure -eq 'Present' -and $currentCategory.Ensure -eq 'Absent') + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - Write-Verbose -Message "Creating new Device Enrollment Platform Restriction {$DisplayName}" + Write-Verbose -Message "Creating an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" $PSBoundParameters.Remove('Assignments') | Out-Null @@ -309,12 +332,11 @@ function Set-TargetResource if ($WindowsMobileRestriction.platformBlocked -eq $false) { Write-Verbose -Message 'Windows Mobile platform is deprecated and cannot be unblocked, reverting back to blocked' - $WindowsMobileRestriction.platformBlocked = $true } } - $keys = (([Hashtable]$PSBoundParameters).clone()).Keys + $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys foreach ($key in $keys) { $keyName = $key.substring(0, 1).toLower() + $key.substring(1, $key.length - 1) 
@@ -345,18 +367,22 @@ function Set-TargetResource $policy = New-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` -BodyParameter ([hashtable]$PSBoundParameters) - #Assignments from DefaultPolicy are not editable and will raise an alert + # Assignments from DefaultPolicy are not editable and will raise an alert if ($policy.Id -notlike '*_DefaultPlatformRestrictions') { - if ($null -ne $Assignments -and $Assignments -ne @()) + $assignmentsHash = @() + if ($null -ne $Assignments -and $Assignments.Length -gt 0) { - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments - - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $policy.Id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceEnrollmentConfigurations' + foreach ($assignment in $Assignments) + { + $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment + } } + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceEnrollmentConfigurations' ` + -RootIdentifier 'enrollmentConfigurationAssignments' if ($PriorityPresent -and $Priority -ne $policy.Priority) { @@ -368,9 +394,9 @@ function Set-TargetResource } } } - elseif ($Ensure -eq 'Present' -and $currentCategory.Ensure -eq 'Present') + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Updating Device Enrollment Platform Restriction {$DisplayName}" + Write-Verbose -Message "Updating the Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" $PSBoundParameters.Remove('Assignments') | Out-Null 
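Review bot: `Update-DeviceConfigurationPolicyAssignment` is now called in `@@ -345` even when `Assignments` was not specified, with `-Targets` set to an empty array; the update path in `@@ -407` has the same shape. If the helper replaces the assignment list with what it is given (its body is not in this diff), a configuration that simply omits `Assignments` would strip the group targeting from an existing enrollment restriction. I would keep "omitted" distinct from "explicitly empty" by wrapping the call in `if ($null -ne $Assignments) { ... }`, so that only an explicit `Assignments = @()` clears the targets.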
@@ -379,12 +405,11 @@ function Set-TargetResource if ($WindowsMobileRestriction.platformBlocked -eq $false) { Write-Verbose -Message 'Windows Mobile platform is deprecated and cannot be unblocked, reverting back to blocked' - $WindowsMobileRestriction.platformBlocked = $true } } - $keys = (([Hashtable]$PSBoundParameters).clone()).Keys + $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys foreach ($key in $keys) { $keyName = $key.substring(0, 1).toLower() + $key.substring(1, $key.length - 1) 
@@ -407,27 +432,33 @@ function Set-TargetResource $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' } $PSBoundParameters.add('@odata.type', $policyType) + #Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20) + Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` - -BodyParameter ([hashtable]$PSBoundParameters) ` - -DeviceEnrollmentConfigurationId $currentCategory.Identity + -DeviceEnrollmentConfigurationId $currentInstance.Identity ` + -BodyParameter ([hashtable]$PSBoundParameters) - #Assignments from DefaultPolicy are not editable and will raise an alert - if ($currentCategory.Identity -notlike '*_DefaultPlatformRestrictions') + # Assignments from DefaultPolicy are not editable and will raise an alert + if ($currentInstance.Identity -notlike '*_DefaultPlatformRestrictions') { - if ($null -ne $Assignments -and $Assignments -ne @()) + $assignmentsHash = @() + if ($null -ne $Assignments -and $Assignments.Length -gt 0) { - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments - - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $currentCategory.Identity ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceEnrollmentConfigurations' + foreach ($assignment in $Assignments) + { + $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment + } } + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Identity ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceEnrollmentConfigurations' ` + -RootIdentifier 'enrollmentConfigurationAssignments' - if ($PriorityPresent -and $Priority -ne $currentCategory.Priority) + if ($PriorityPresent -and $Priority -ne $currentInstance.Priority) { - $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $currentCategory.Identity + $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" 
-f $currentInstance.Identity $Body = @{ priority = $Priority } @@ -435,11 +466,10 @@ function Set-TargetResource } } } - elseif ($Ensure -eq 'Absent' -and $currentCategory.Ensure -eq 'Present') + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Removing Device Enrollment Platform Restriction {$DisplayName}" - - Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $currentCategory.Identity + Write-Verbose -Message "Removing the Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" + Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $currentInstance.Identity } } @@ -449,7 +479,7 @@ function Test-TargetResource [OutputType([System.Boolean])] param ( - [Parameter()] + [Parameter(Mandatory = $true)] [System.String] $Identity, @@ -546,10 +576,10 @@ function Test-TargetResource -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion - Write-Verbose -Message "Testing configuration of Device Enrollment Platform Restriction {$DisplayName}" + Write-Verbose -Message "Testing configuration of the Intune Device Enrollment Platform Restriction with Id {$Identity} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters - $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() if ($CurrentValues.Ensure -ne $Ensure) { @@ -597,6 +627,7 @@ function Test-TargetResource Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + #Compare basic parameters if ($testResult) { 
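Review bot: The commented-out `#Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20)` added before the update call in `@@ -407` is leftover debugging and should be dropped from the commit. If it were re-enabled it would write the whole request body to the verbose stream, so it is better removed than kept as a switch.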
@@ -607,9 +638,9 @@ function Test-TargetResource -ValuesToCheck $ValuesToCheck.Keys } - Write-Verbose -Message "Test-TargetResource returned $TestResult" + Write-Verbose -Message "Test-TargetResource returned $testResult" - return $TestResult + return $testResult } function Export-TargetResource @@ -663,8 +694,10 @@ function Export-TargetResource try { - [array]$configs = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -All:$true -Filter $Filter -ErrorAction Stop ` - | Where-Object -FilterScript { $_.AdditionalProperties.'@odata.type' -like '#microsoft.graph.deviceEnrollmentPlatform*Configuration' } + [array]$configs = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` + -All ` + -Filter "deviceEnrollmentConfigurationType eq 'singlePlatformRestriction'" ` + -ErrorAction Stop $i = 1 $dscContent = '' @@ -688,7 +721,7 @@ function Export-TargetResource TenantId = $TenantId ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent + ManagedIdentity = $ManagedIdentity.IsPresent } $Results = Get-TargetResource @Params @@ -817,7 +850,6 @@ function Export-TargetResource -Results $Results ` -Credential $Credential - if ($null -ne $Results.Assignments) { $isCIMArray = $false @@ -842,6 +874,7 @@ function Export-TargetResource { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'WindowsHomeSkuRestriction' } + if ($null -ne $Results.WindowsMobileRestriction) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'WindowsMobileRestriction' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof index 86c13038c2..f78715c641 100644 
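Review bot: The rewritten query in Export-TargetResource (`@@ -663`) no longer passes `$Filter` and hard-codes `deviceEnrollmentConfigurationType eq 'singlePlatformRestriction'`. The removed lines forwarded `-Filter $Filter` and matched `#microsoft.graph.deviceEnrollmentPlatform*Configuration`, which also covered the `platformRestrictions` type that the 1-Create and 2-Update examples manage. With the new filter the default "All users and all devices" policy would presumably drop out of exports, and a caller-supplied filter is silently ignored. If the narrowing is intended, add a comment saying so, e.g. `# Only single-platform policies are exported; -Filter is not applied here`; otherwise combine the type condition with `$Filter` when it is non-empty.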
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof 
@@ -23,21 +23,21 @@ class MSFT_DeviceEnrollmentPlatformRestriction [ClassVersion("1.0.0.0"), FriendlyName("IntuneDeviceEnrollmentPlatformRestriction")] class MSFT_IntuneDeviceEnrollmentPlatformRestriction : OMI_BaseResource { - [Write, Description("Identity of the device enrollment platform restriction.")] String Identity; + [Key, Description("Identity of the device enrollment platform restriction.")] String Identity; [Key, Description("Display name of the device enrollment platform restriction.")] String DisplayName; [Write, Description("Description of the device enrollment platform restriction.")] String Description; - [Write, Description("Support for Enrollment Configuration Type Inherited from deviceEnrollmentConfiguration."), ValueMap{"singlePlatformRestriction","platformRestrictions"}, Values{"singlePlatformRestriction","platformRestrictions"}] String DeviceEnrollmentConfigurationType; - [Write, Description("Ios restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string IosRestriction; - [Write, Description("Windows restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string WindowsRestriction; - [Write, Description("Windows home Sku restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string WindowsHomeSkuRestriction; - [Write, Description("Windows Mobile restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string WindowsMobileRestriction; - [Write, Description("Android Device Administrator restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string 
AndroidRestriction; - [Write, Description("Android Enterprise restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string AndroidForWorkRestriction; - [Write, Description("Mac restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string MacRestriction; - [Write, Description("Mac OS restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string MacOSRestriction; - [Write, Description("Assignments of the policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] string Assignments[]; - [Write, Description("Priority is used when a user exists in multiple groups that are assigned enrollment configuration. Users are subject only to the configuration with the lowest priority value. 
Inherited from deviceEnrollmentConfiguration.")] UInt32 Priority; - [Write, Description("Present ensures the restriction exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Android for work restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String AndroidForWorkRestriction; + [Write, Description("Android restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String AndroidRestriction; + [Write, Description("Ios restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String IosRestriction; + [Write, Description("Mac restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String MacOSRestriction; + [Write, Description("Mac restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String MacRestriction; + [Write, Description("Windows Home Sku restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String WindowsHomeSkuRestriction; + [Write, Description("Windows mobile restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String WindowsMobileRestriction; + [Write, Description("Windows restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String WindowsRestriction; + [Write, Description("Support for Enrollment 
Configuration Type"), ValueMap{"platformRestrictions","singlePlatformRestriction"}, Values{"platformRestrictions","singlePlatformRestriction"}] String DeviceEnrollmentConfigurationType; + [Write, Description("Priority is used when a user exists in multiple groups that are assigned enrollment configuration. Users are subject only to the configuration with the lowest priority value.")] UInt32 Priority; + [Write, Description("Assignments of the policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; [Write, Description("Credentials of the Intune Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Name of the Azure Active Directory tenant used for authentication. Format contoso.onmicrosoft.com")] String TenantId; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/readme.md index 709451d016..d0f9ae85e4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/readme.md @@ -4,3 +4,8 @@ ## Description This resource configures the Intune device platform enrollment restrictions. + +**Be aware**: To deploy a Android platform restriction policy, two individual configurations must exist: + +* The first one contains the key for `AndroidRestriction` +* The second one contains the key for `AndroidForWorkRestriction` 
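Review bot: Changing `Identity` from `[Write]` to `[Key]` in `@@ -23` gives the resource a composite key of `Identity` and `DisplayName`, and together with `Mandatory = $true` in the .psm1 this breaks existing configurations that identify the policy by display name alone. The CHANGELOG entry in this commit describes only a bug fix; I would add a breaking-change line there and a sentence in readme.md on where the `Identity` value comes from, since the ids in the examples look tenant-specific. Separately, the re-sorted `MacOSRestriction` description now reads "Mac restrictions…", identical to `MacRestriction`, where the previous text said "Mac OS restrictions".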
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/1-Create.ps1 index d4f86f83bd..59d2180462 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/1-Create.ps1 @@ -33,6 +33,7 @@ Configuration Example DeviceEnrollmentConfigurationType = "platformRestrictions"; DisplayName = "All users and all devices"; Ensure = "Present"; + Identity = "3868d43e-873e-4416-8fd1-fc3d67c7c15c_DefaultPlatformRestrictions"; IosRestriction = MSFT_DeviceEnrollmentPlatformRestriction{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/2-Update.ps1 index 199e66794f..24eecb9143 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/2-Update.ps1 @@ -32,6 +32,7 @@ Configuration Example Description = "This is the default Device Type Restriction applied with the lowest priority to all users regardless of group membership."; DeviceEnrollmentConfigurationType = "platformRestrictions"; DisplayName = "All users and all devices"; + Identity = "3868d43e-873e-4416-8fd1-fc3d67c7c15c_DefaultPlatformRestrictions"; Ensure = "Present"; IosRestriction = MSFT_DeviceEnrollmentPlatformRestriction{ platformBlocked = $True # Updated Property 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 index bf083ccd97..5727bbb579 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 @@ -16,8 +16,18 @@ Configuration Example IntuneDeviceEnrollmentPlatformRestriction 'DeviceEnrollmentPlatformRestriction' { Credential = $Credscredential - DisplayName = "All users and all devices"; + DisplayName = "Removed Policy"; Ensure = "Absent"; + Assignments = @(); + Description = "This is a single platform restriction policy."; + DeviceEnrollmentConfigurationType = "singlePlatformRestriction"; + Identity = "d59e4c28-b6b2-48ad-a6f0-a2132300b99d_SinglePlatformRestriction"; + IosRestriction = MSFT_DeviceEnrollmentPlatformRestriction{ + PlatformBlocked = $True + PersonalDeviceEnrollmentBlocked = $False + }; + Priority = 1; + TenantId = $OrganizationName; } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 index 7859f4063d..0c69c176de 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 @@ -68,6 +68,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Present' DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential + Priority = 1 IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False 
@@ -77,6 +78,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -MockWith { return $null } + + Mock -CommandName New-MgBetaDeviceManagementDeviceEnrollmentConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' + PlatformRestriction = @{ + PersonalDeviceEnrollmentBlocked = $False + PlatformBlocked = $False + } + platformType = 'ios' + } + id = '12345-12345-12345-12345-12345_SinglePlatformRestriction' + DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' + Description = '' + DisplayName = 'My DSC Restriction' + Priority = 1 + } + } } It 'Should return absent from the Get method' { @@ -102,6 +121,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Present' DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential + Priority = 1 IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False @@ -122,6 +142,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Description = '' DisplayName = 'My DSC Restriction' + Priority = 1 } } } @@ -140,7 +161,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Present' DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential - iOSRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + Priority = 1 + IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) 
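Review bot: The test changes add a `New-MgBetaDeviceManagementDeviceEnrollmentConfiguration` mock in `@@ -77` and `Priority` values, but no case in this diff covers the behaviour the commit introduces: the `throw` for `Ensure = 'Absent'` on a `*_DefaultPlatformRestrictions` identity and the display-name fallback filtered by `platformType`. I would add one context asserting `{ Set-TargetResource @testParams } | Should -Throw` for a default-policy id, and one where the lookup by id returns `$null` and the lookup by name returns a policy of a different platform type, expecting `Ensure` to be `Absent`.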
@@ -160,6 +182,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Description = '' DisplayName = 'My DSC Restriction' + Priority = 1 } } } @@ -178,7 +201,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Absent' DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential - iOSRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + Priority = 1 + IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) @@ -198,6 +222,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Description = '' DisplayName = 'My DSC Restriction' + Priority = 1 } } } @@ -238,6 +263,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Description = '' DisplayName = 'My DSC Restriction' + Priority = 1 } } }