From 17640db1a374a5e079bce4051af7d8b083607667 Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Thu, 25 Jan 2024 13:05:51 +0100 Subject: [PATCH 1/3] Update deprecated Intune enrollment platform restrictions --- CHANGELOG.md | 4 + ...neDeviceEnrollmentPlatformRestriction.psm1 | 541 +++++++++++------- ...ceEnrollmentPlatformRestriction.schema.mof | 29 +- .../3-Remove.ps1 | 15 +- ...iceEnrollmentPlatformRestriction.Tests.ps1 | 38 +- 5 files changed, 387 insertions(+), 240 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 12c63de705..3acea8daed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,10 @@ QueryString and Characteristic parameters. * EXOAddressList * Fixed an issue trying to create a new instance when DisplayName is empty. +* IntuneDeviceEnrollmentPlatformRestriction + * Update the Intune enrollment platform restriction logic to the single platform approach. + * Fixed an issue where the assignment would not be updated. + * Introduce additional validation for selected properties. * SCAutoSensitivityLabelRule * Correct export indentation, which caused an issue with report conversion to JSON. FIXES [[#4240](https://github.com/microsoft/Microsoft365DSC/issues/4240)] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 index 7214303fba..7e9888f1d9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 
@@ -53,6 +53,18 @@ function Get-TargetResource [Microsoft.Management.Infrastructure.CimInstance] $MacOSRestriction, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PlatformRestriction, + + [Parameter()] + [ValidateSet('android', 'androidForWork', 'ios', 'mac', 'windows')] + $PlatformType, + + [Parameter()] + [System.Int32] + $Priority, + [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, 
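Review bot: `$PlatformType` is the only new parameter declared without a type; it carries `[ValidateSet('android', 'androidForWork', 'ios', 'mac', 'windows')]` but not `[System.String]`, unlike `$Priority` and the CimInstance parameters around it. Adding `[System.String]` makes the PowerShell signature match what the MOF schema will declare and rules out a non-string value slipping through splatting before validation runs. The same parameter block is repeated in Set-TargetResource and Test-TargetResource in later hunks and should be changed in step. Get-TargetResource's parameter list continues outside this hunk.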
@@ -107,51 +119,184 @@ function Get-TargetResource try { - $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $Identity -ErrorAction silentlyContinue + $getValue = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $Identity -ErrorAction SilentlyContinue - if ($null -eq $config) + if ($null -eq $getValue) { - Write-Verbose -Message "No Device Enrollment Platform Restriction {$Identity} was found. Trying to retrieve instance by name {$DisplayName}" - $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -Filter "DisplayName eq '$DisplayName'" ` - -ErrorAction silentlyContinue - if ($null -eq $config) - { - Write-Verbose -Message "No instances found by name {$DisplayName}" - return $nullResult - } + Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with Id {$Identity}" + + $getValue = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue | Where-Object ` + -FilterScript { ` + $_.AdditionalProperties.'@odata.type' -like "#microsoft.graph.deviceEnrollmentPlatformRestriction*Configuration" -and ` + $(if ($null -ne $_.AdditionalProperties.platformType) { $_.AdditionalProperties.platformType -eq $PlatformType } else { $true }) ` + } } - Write-Verbose -Message "Found Device Enrollment Platform Restriction with Name {$($config.DisplayName)}" + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" + return $nullResult + } + + Write-Verbose -Message "Found Intune Device Enrollment Platform Restriction with Name {$($getValue.DisplayName)}" $results = @{ - Identity = $config.Id - DisplayName = $config.DisplayName - Description = $config.Description - DeviceEnrollmentConfigurationType = $config.DeviceEnrollmentConfigurationType.toString() + Identity = $getValue.Id + 
DisplayName = $getValue.DisplayName + Description = $getValue.Description + DeviceEnrollmentConfigurationType = $getValue.DeviceEnrollmentConfigurationType.ToString() + Priority = $getValue.Priority Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent + ManagedIdentity = $ManagedIdentity.IsPresent } - $results += Get-DevicePlatformRestrictionSetting -Properties $config.AdditionalProperties + # Check if it is not a "Default platform restriction" + if ($getValue.AdditionalProperties.platformType) + { + $results.Add('PlatformType', $getValue.AdditionalProperties.platformType.ToString()) + + $complexPlatformRestriction = @{} + $complexPlatformRestriction.Add('BlockedManufacturers', $getValue.AdditionalProperties.platformRestriction.blockedManufacturers) + $complexPlatformRestriction.Add('BlockedSkus', $getValue.AdditionalProperties.platformRestriction.blockedSkus) + $complexPlatformRestriction.Add('OsMaximumVersion', $getValue.AdditionalProperties.platformRestriction.osMaximumVersion) + $complexPlatformRestriction.Add('OsMinimumVersion', $getValue.AdditionalProperties.platformRestriction.osMinimumVersion) + $complexPlatformRestriction.Add('PersonalDeviceEnrollmentBlocked', $getValue.AdditionalProperties.platformRestriction.personalDeviceEnrollmentBlocked) + $complexPlatformRestriction.Add('PlatformBlocked', $getValue.AdditionalProperties.platformRestriction.platformBlocked) + if ($complexPlatformRestriction.values.Where({$null -ne $_}).count -eq 0) + { + $complexPlatformRestriction = $null + } + + $results.Add("PlatformRestriction", $complexPlatformRestriction) + } + else + { + $complexAndroidForWorkRestriction = @{} + $complexAndroidForWorkRestriction.Add('BlockedManufacturers', $getValue.AdditionalProperties.androidForWorkRestriction.blockedManufacturers) + 
$complexAndroidForWorkRestriction.Add('BlockedSkus', $getValue.AdditionalProperties.androidForWorkRestriction.blockedSkus) + $complexAndroidForWorkRestriction.Add('OsMaximumVersion', $getValue.AdditionalProperties.androidForWorkRestriction.osMaximumVersion) + $complexAndroidForWorkRestriction.Add('OsMinimumVersion', $getValue.AdditionalProperties.androidForWorkRestriction.osMinimumVersion) + $complexAndroidForWorkRestriction.Add('PersonalDeviceEnrollmentBlocked', $getValue.AdditionalProperties.androidForWorkRestriction.personalDeviceEnrollmentBlocked) + $complexAndroidForWorkRestriction.Add('PlatformBlocked', $getValue.AdditionalProperties.androidForWorkRestriction.platformBlocked) + if ($complexAndroidForWorkRestriction.values.Where({$null -ne $_}).count -eq 0) + { + $complexAndroidForWorkRestriction = $null + } + + $complexAndroidRestriction = @{} + $complexAndroidRestriction.Add('BlockedManufacturers', $getValue.AdditionalProperties.androidRestriction.blockedManufacturers) + $complexAndroidRestriction.Add('BlockedSkus', $getValue.AdditionalProperties.androidRestriction.blockedSkus) + $complexAndroidRestriction.Add('OsMaximumVersion', $getValue.AdditionalProperties.androidRestriction.osMaximumVersion) + $complexAndroidRestriction.Add('OsMinimumVersion', $getValue.AdditionalProperties.androidRestriction.osMinimumVersion) + $complexAndroidRestriction.Add('PersonalDeviceEnrollmentBlocked', $getValue.AdditionalProperties.androidRestriction.personalDeviceEnrollmentBlocked) + $complexAndroidRestriction.Add('PlatformBlocked', $getValue.AdditionalProperties.androidRestriction.platformBlocked) + if ($complexAndroidRestriction.values.Where({$null -ne $_}).count -eq 0) + { + $complexAndroidRestriction = $null + } + + $complexIosRestriction = @{} + $complexIosRestriction.Add('BlockedManufacturers', $getValue.AdditionalProperties.iosRestriction.blockedManufacturers) + $complexIosRestriction.Add('BlockedSkus', $getValue.AdditionalProperties.iosRestriction.blockedSkus) + 
$complexIosRestriction.Add('OsMaximumVersion', $getValue.AdditionalProperties.iosRestriction.osMaximumVersion) + $complexIosRestriction.Add('OsMinimumVersion', $getValue.AdditionalProperties.iosRestriction.osMinimumVersion) + $complexIosRestriction.Add('PersonalDeviceEnrollmentBlocked', $getValue.AdditionalProperties.iosRestriction.personalDeviceEnrollmentBlocked) + $complexIosRestriction.Add('PlatformBlocked', $getValue.AdditionalProperties.iosRestriction.platformBlocked) + if ($complexIosRestriction.values.Where({$null -ne $_}).count -eq 0) + { + $complexIosRestriction = $null + } + + $complexMacOSRestriction = @{} + $complexMacOSRestriction.Add('BlockedManufacturers', $getValue.AdditionalProperties.macOSRestriction.blockedManufacturers) + $complexMacOSRestriction.Add('BlockedSkus', $getValue.AdditionalProperties.macOSRestriction.blockedSkus) + $complexMacOSRestriction.Add('OsMaximumVersion', $getValue.AdditionalProperties.macOSRestriction.osMaximumVersion) + $complexMacOSRestriction.Add('OsMinimumVersion', $getValue.AdditionalProperties.macOSRestriction.osMinimumVersion) + $complexMacOSRestriction.Add('PersonalDeviceEnrollmentBlocked', $getValue.AdditionalProperties.macOSRestriction.personalDeviceEnrollmentBlocked) + $complexMacOSRestriction.Add('PlatformBlocked', $getValue.AdditionalProperties.macOSRestriction.platformBlocked) + if ($complexMacOSRestriction.values.Where({$null -ne $_}).count -eq 0) + { + $complexMacOSRestriction = $null + } + + $complexMacRestriction = @{} + $complexMacRestriction.Add('BlockedManufacturers', $getValue.AdditionalProperties.macRestriction.blockedManufacturers) + $complexMacRestriction.Add('BlockedSkus', $getValue.AdditionalProperties.macRestriction.blockedSkus) + $complexMacRestriction.Add('OsMaximumVersion', $getValue.AdditionalProperties.macRestriction.osMaximumVersion) + $complexMacRestriction.Add('OsMinimumVersion', $getValue.AdditionalProperties.macRestriction.osMinimumVersion) + 
$complexMacRestriction.Add('PersonalDeviceEnrollmentBlocked', $getValue.AdditionalProperties.macRestriction.personalDeviceEnrollmentBlocked) + $complexMacRestriction.Add('PlatformBlocked', $getValue.AdditionalProperties.macRestriction.platformBlocked) + if ($complexMacRestriction.values.Where({$null -ne $_}).count -eq 0) + { + $complexMacRestriction = $null + } + + $complexWindowsHomeSkuRestriction = @{} + $complexWindowsHomeSkuRestriction.Add('BlockedManufacturers', $getValue.AdditionalProperties.windowsHomeSkuRestriction.blockedManufacturers) + $complexWindowsHomeSkuRestriction.Add('BlockedSkus', $getValue.AdditionalProperties.windowsHomeSkuRestriction.blockedSkus) + $complexWindowsHomeSkuRestriction.Add('OsMaximumVersion', $getValue.AdditionalProperties.windowsHomeSkuRestriction.osMaximumVersion) + $complexWindowsHomeSkuRestriction.Add('OsMinimumVersion', $getValue.AdditionalProperties.windowsHomeSkuRestriction.osMinimumVersion) + $complexWindowsHomeSkuRestriction.Add('PersonalDeviceEnrollmentBlocked', $getValue.AdditionalProperties.windowsHomeSkuRestriction.personalDeviceEnrollmentBlocked) + $complexWindowsHomeSkuRestriction.Add('PlatformBlocked', $getValue.AdditionalProperties.windowsHomeSkuRestriction.platformBlocked) + if ($complexWindowsHomeSkuRestriction.values.Where({$null -ne $_}).count -eq 0) + { + $complexWindowsHomeSkuRestriction = $null + } + + $complexWindowsMobileRestriction = @{} + $complexWindowsMobileRestriction.Add('BlockedManufacturers', $getValue.AdditionalProperties.windowsMobileRestriction.blockedManufacturers) + $complexWindowsMobileRestriction.Add('BlockedSkus', $getValue.AdditionalProperties.windowsMobileRestriction.blockedSkus) + $complexWindowsMobileRestriction.Add('OsMaximumVersion', $getValue.AdditionalProperties.windowsMobileRestriction.osMaximumVersion) + $complexWindowsMobileRestriction.Add('OsMinimumVersion', $getValue.AdditionalProperties.windowsMobileRestriction.osMinimumVersion) + 
$complexWindowsMobileRestriction.Add('PersonalDeviceEnrollmentBlocked', $getValue.AdditionalProperties.windowsMobileRestriction.personalDeviceEnrollmentBlocked) + $complexWindowsMobileRestriction.Add('PlatformBlocked', $getValue.AdditionalProperties.windowsMobileRestriction.platformBlocked) + if ($complexWindowsMobileRestriction.values.Where({$null -ne $_}).count -eq 0) + { + $complexWindowsMobileRestriction = $null + } + + $complexWindowsRestriction = @{} + $complexWindowsRestriction.Add('BlockedManufacturers', $getValue.AdditionalProperties.windowsRestriction.blockedManufacturers) + $complexWindowsRestriction.Add('BlockedSkus', $getValue.AdditionalProperties.windowsRestriction.blockedSkus) + $complexWindowsRestriction.Add('OsMaximumVersion', $getValue.AdditionalProperties.windowsRestriction.osMaximumVersion) + $complexWindowsRestriction.Add('OsMinimumVersion', $getValue.AdditionalProperties.windowsRestriction.osMinimumVersion) + $complexWindowsRestriction.Add('PersonalDeviceEnrollmentBlocked', $getValue.AdditionalProperties.windowsRestriction.personalDeviceEnrollmentBlocked) + $complexWindowsRestriction.Add('PlatformBlocked', $getValue.AdditionalProperties.windowsRestriction.platformBlocked) + if ($complexWindowsRestriction.values.Where({$null -ne $_}).count -eq 0) + { + $complexWindowsRestriction = $null + } + + $results.Add("AndroidForWorkRestriction", $complexAndroidForWorkRestriction) + $results.Add("AndroidRestriction", $complexAndroidRestriction) + $results.Add("IosRestriction", $complexIosRestriction) + $results.Add("MacOSRestriction", $complexMacOSRestriction) + $results.Add("MacRestriction", $complexMacRestriction) + $results.Add("WindowsHomeSkuRestriction", $complexWindowsHomeSkuRestriction) + $results.Add("WindowsMobileRestriction", $complexWindowsMobileRestriction) + $results.Add("WindowsRestriction", $complexWindowsRestriction) + } if ($null -ne $results.WindowsMobileRestriction) { $results.Remove('WindowsMobileRestriction') | Out-Null } - 
$AssignmentsValues = Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment -DeviceEnrollmentConfigurationId $config.Id + $assignmentsValues = Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment -DeviceEnrollmentConfigurationId $getValue.Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + foreach ($assignmentEntry in $assignmentsValues) { $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId + dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' + deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) + {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) + deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId + groupId = $assignmentEntry.Target.AdditionalProperties.groupId } $assignmentResult += $assignmentValue } @@ -225,6 +370,18 @@ function Set-TargetResource [Microsoft.Management.Infrastructure.CimInstance] $MacOSRestriction, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PlatformRestriction, + + [Parameter()] + [ValidateSet('android', 'androidForWork', 'ios', 'mac', 'windows')] + $PlatformType, + + [Parameter()] + [System.Int32] + $Priority, + [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, 
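Review bot: The DisplayName fallback interpolates the caller-supplied name straight into the OData filter, `-Filter "DisplayName eq '$DisplayName'"`, so a name containing a single quote breaks or alters the query instead of matching the policy. Escape it first, `$safeName = $DisplayName -replace "'", "''"` and query with `-Filter "DisplayName eq '$safeName'"`. The filtered lookup can also return more than one policy that passes the Where-Object (the `$true` branch accepts every object without a platformType), in which case `$getValue.Id` becomes an array and the assignment lookup below receives a list; selecting a single match with `Select-Object -First 1` and writing a verbose message when several were found would make the result deterministic. Get-TargetResource continues outside the hunk on both sides.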
@@ -273,78 +430,90 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - $currentCategory = Get-TargetResource @PSBoundParameters - $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters - $PSBoundParameters.Remove('Identity') | Out-Null + if (-not [System.String]::IsNullOrEmpty($PlatformType) -and $null -eq $PlatformRestriction) { + throw 'If PlatformType is specified, PlatformRestriction is required.' + } + + if ([System.String]::IsNullOrEmpty($PlatformType) -and $null -ne $PlatformRestriction) { + throw 'PlatformRestriction can only be set on policies with a PlatformType.' + } + + if ($Ensure -eq 'Absent' -and $Identity -like '*_DefaultPlatformRestrictions') { + throw 'Cannot delete the default platform restriction policy.' + } + + $currentInstance = Get-TargetResource @PSBoundParameters - if ($Ensure -eq 'Present' -and $currentCategory.Ensure -eq 'Absent') + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $BoundParameters.Remove('Identity') | Out-Null + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - Write-Verbose -Message "Creating new Device Enrollment Platform Restriction {$DisplayName}" + Write-Verbose -Message "Creating an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" + + $BoundParameters.Remove('Assignments') | Out-Null - $PSBoundParameters.Remove('Assignments') | Out-Null + $CreateParameters = ([Hashtable]$BoundParameters).Clone() + $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters + $CreateParameters.Remove('Id') | Out-Null - if ($PSBoundParameters.Keys.Contains('WindowsMobileRestriction')) + if ($BoundParameters.Keys.Contains('WindowsMobileRestriction')) { if ($WindowsMobileRestriction.platformBlocked -eq $false) { Write-Verbose -Message 'Windows Mobile platform is deprecated and cannot be unblocked, reverting back to blocked' - 
$WindowsMobileRestriction.platformBlocked = $true } } - $keys = (([Hashtable]$PSBoundParameters).clone()).Keys + $keys = (([Hashtable]$CreateParameters).Clone()).Keys foreach ($key in $keys) { - $keyName = $key.substring(0, 1).toLower() + $key.substring(1, $key.length - 1) - $keyValue = $PSBoundParameters.$key - if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*') + if ($null -ne $CreateParameters.$key -and $CreateParameters.$key.GetType().Name -like '*cimInstance*') { - $keyValue = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.$key - if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' ) - { - $keyName = 'platformRestriction' - $PSBoundParameters.add('platformType', ($key.replace('Restriction', ''))) - } + $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key } - $PSBoundParameters.remove($key) - $PSBoundParameters.add($keyName, $keyValue) } - $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' - if ($DeviceEnrollmentConfigurationType -eq 'platformRestrictions' ) + # Check if it is a "Default platform restriction" + if ([System.String]::IsNullOrEmpty($PlatformType)) { - $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' - $PSBoundParameters.add('deviceEnrollmentConfigurationType ', 'limit') + $CreateParameters.Add('@odata.type', '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration') } - $PSBoundParameters.add('@odata.type', $policyType) - - #Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20) + else + { + $CreateParameters.Add('@odata.type', '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration') + } + + $policy = New-MgBetaDeviceManagementDeviceEnrollmentConfiguration -BodyParameter $CreateParameters - $policy = New-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` - -BodyParameter ([hashtable]$PSBoundParameters) + 
$assignmentsHash = @() + foreach ($assignment in $Assignments) + { + $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment + } - #Assignments from DefaultPolicy are not editable and will raise an alert + # Skip for the default platform restriction if ($policy.Id -notlike '*_DefaultPlatformRestrictions') { - if ($null -ne $Assignments -and $Assignments -ne @()) - { - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceEnrollmentConfigurations' ` + -RootIdentifier 'enrollmentConfigurationAssignments' + } - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $policy.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceEnrollmentConfigurations' - } + if ($policy.Priority -ne $Priority) + { + Write-Warning -Message 'Priority of the new policy is not equal to the specified priority. To solve this issue, reapply the configuration or make sure that the lowest priority policies are applied after the highest priority ones.' } } - elseif ($Ensure -eq 'Present' -and $currentCategory.Ensure -eq 'Present') + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Updating Device Enrollment Platform Restriction {$DisplayName}" + Write-Verbose -Message "Updating the Intune Device Enrollment Platform Restriction with Id {$($currentInstance.Identity)}" + $BoundParameters.Remove('Assignments') | Out-Null - $PSBoundParameters.Remove('Assignments') | Out-Null - - if ($PSBoundParameters.Keys.Contains('WindowsMobileRestriction')) + if ($BoundParameters.Keys.Contains('WindowsMobileRestriction')) { if ($WindowsMobileRestriction.platformBlocked -eq $false) { 
@@ -354,55 +523,63 @@ function Set-TargetResource } } - $keys = (([Hashtable]$PSBoundParameters).clone()).Keys + $UpdateParameters = ([Hashtable]$BoundParameters).clone() + $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters + + $UpdateParameters.Remove('Id') | Out-Null + $UpdateParameters.Remove('Priority') | Out-Null + + $keys = (([Hashtable]$UpdateParameters).clone()).Keys foreach ($key in $keys) { - $keyName = $key.substring(0, 1).toLower() + $key.substring(1, $key.length - 1) - $keyValue = $PSBoundParameters.$key - if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*') + if ($null -ne $UpdateParameters.$key -and $UpdateParameters.$key.getType().Name -like '*cimInstance*') { - $keyValue = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.$key - if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' ) - { - $keyName = 'platformRestriction' - } + $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key } - $PSBoundParameters.remove($key) - $PSBoundParameters.add($keyName, $keyValue) } - $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' - if ($DeviceEnrollmentConfigurationType -eq 'platformRestrictions' ) + # Check if it is a "Default platform restriction" + if ($currentInstance.Identity -like "*_DefaultPlatformRestrictions") { - $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' + $UpdateParameters.Add("@odata.type", "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration") } - $PSBoundParameters.add('@odata.type', $policyType) - #Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20) - Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` - -BodyParameter ([hashtable]$PSBoundParameters) ` - -DeviceEnrollmentConfigurationId $Identity - - #Assignments from DefaultPolicy are not editable and will raise an 
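Review bot: The new guard `if ($Ensure -eq 'Absent' -and $Identity -like '*_DefaultPlatformRestrictions')` tests the caller-supplied Identity, but the Absent branch in the following hunk removes `$currentInstance.Identity`, which Get-TargetResource may have resolved by DisplayName when the supplied Identity did not exist. A configuration that names the default policy by DisplayName with a stale or arbitrary Identity therefore passes the guard and attempts to delete the tenant's default enrollment restriction. Move the check below `$currentInstance = Get-TargetResource @PSBoundParameters` and test `if ($Ensure -eq 'Absent' -and $currentInstance.Identity -like '*_DefaultPlatformRestrictions') { throw 'Cannot delete the default platform restriction policy.' }`. Whether Graph itself refuses that delete is not visible here, so the resource should not rely on it. Set-TargetResource's body continues past the end of this hunk.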
alert - if ($Identity -notlike '*_DefaultPlatformRestrictions') + else { - if ($null -ne $Assignments -and $Assignments -ne @()) - { - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $UpdateParameters.Add("@odata.type", "#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration") + $UpdateParameters.Remove("PlatformType") + } - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $Identity ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceEnrollmentConfigurations' + Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` + -DeviceEnrollmentConfigurationId $currentInstance.Identity ` + -BodyParameter $UpdateParameters + + $assignmentsHash = @() + foreach ($assignment in $Assignments) + { + $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment + } + + # Skip for the default platform restriction + if ($currentInstance.Identity -notlike "*_DefaultPlatformRestrictions") + { + if ($Priority -ne $currentInstance.Priority) + { + $uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/$($currentInstance.Identity)/setpriority" + Invoke-MgGraphRequest -Method POST -Uri $uri -Body $(@{ 'priority' = $Priority} | ConvertTo-Json) -ErrorAction Stop } + + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Identity ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceEnrollmentConfigurations' ` + -RootIdentifier 'enrollmentConfigurationAssignments' } } - elseif ($Ensure -eq 'Absent' -and $currentCategory.Ensure -eq 'Present') + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Removing Device Enrollment Platform Restriction {$DisplayName}" - $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -Filter "displayName eq '$DisplayName'" ` - | Where-Object -FilterScript { $_.AdditionalProperties.'@odata.type' -eq 
'#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' } + Write-Verbose -Message "Removing the Intune Device Enrollment Platform Restriction with Id {$($currentInstance.Identity)}" - Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $config.id + Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $currentInstance.Identity } } @@ -461,6 +638,18 @@ function Test-TargetResource [Microsoft.Management.Infrastructure.CimInstance] $MacOSRestriction, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PlatformRestriction, + + [Parameter()] + [ValidateSet('android', 'androidForWork', 'ios', 'mac', 'windows')] + $PlatformType, + + [Parameter()] + [System.Int32] + $Priority, + [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, @@ -505,10 +694,10 @@ function Test-TargetResource -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion - Write-Verbose -Message "Testing configuration of Device Enrollment Platform Restriction {$DisplayName}" + Write-Verbose -Message "Testing configuration of the Intune Device Enrollment Platform Restriction with Id {$Identity} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters - $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() if ($CurrentValues.Ensure -ne $Ensure) { 
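Review bot: `if ($Priority -ne $currentInstance.Priority)` fires even when the configuration never sets Priority, because an unbound `[System.Int32]` parameter is 0; any existing non-default policy whose priority is not 0 is then reordered through the `setpriority` POST on every apply, silently changing which enrollment restriction wins for a device. Guard the call on the parameter actually being bound, `if ($PSBoundParameters.ContainsKey('Priority') -and $Priority -ne $currentInstance.Priority)`. The create-path warning `if ($policy.Priority -ne $Priority)` in the previous hunk has the same 0-default and will warn on every new policy that is not created at priority 0. Set-TargetResource starts before this hunk.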
@@ -544,29 +733,18 @@ function Test-TargetResource $ValuesToCheck.Remove('Identity') | Out-Null $ValuesToCheck.Remove('WindowsMobileRestriction') | Out-Null - #Convert any DateTime to String - foreach ($key in $ValuesToCheck.Keys) - { - if (($null -ne $CurrentValues[$key]) ` - -and ($CurrentValues[$key].getType().Name -eq 'DateTime')) - { - $CurrentValues[$key] = $CurrentValues[$key].toString() - } - } - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" #Compare basic parameters if ($testResult) { - Write-Verbose -Message "Comparing the current values with the desired ones" $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys } - Write-Verbose -Message "Test-TargetResource returned $TestResult" + Write-Verbose -Message "Test-TargetResource returned $testResult" return $TestResult } @@ -577,10 +755,6 @@ function Export-TargetResource [OutputType([System.String])] param ( - [Parameter()] - [System.String] - $Filter, - [Parameter()] [System.Management.Automation.PSCredential] $Credential, @@ -622,8 +796,10 @@ function Export-TargetResource try { - [array]$configs = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -All:$true -Filter $Filter -ErrorAction Stop ` - | Where-Object -FilterScript { $_.AdditionalProperties.'@odata.type' -like '#microsoft.graph.deviceEnrollmentPlatform*Configuration' } + [array]$configs = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` + -All ` + -Filter "deviceEnrollmentConfigurationType eq 'singlePlatformRestriction'" ` + -ErrorAction Stop $i = 1 $dscContent = '' 
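Review bot: The export query is now limited to `-Filter "deviceEnrollmentConfigurationType eq 'singlePlatformRestriction'"`, so the tenant default policy (`*_DefaultPlatformRestrictions`, type `#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration`) that Get-TargetResource and Set-TargetResource in this same patch still handle is no longer exported, where the removed `'#microsoft.graph.deviceEnrollmentPlatform*Configuration'` match included it. That default policy is the fallback restriction for every device not targeted by a single-platform policy, so drift in it (for example personal device enrollment being unblocked) would not appear in an exported baseline. If dropping it is intentional, record that above the call with a comment such as `# The tenant default platform restriction policy is deliberately not exported` and the reason; otherwise widen the filter to also match `deviceEnrollmentConfigurationType eq 'platformRestrictions'` (the value the removed code compared against), assuming Graph accepts the `or` on this property. The removal of the `$Filter` parameter in the preceding hunk is an interface change for any caller that still passes it. Export-TargetResource continues on both sides of the hunk.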
@@ -647,9 +823,12 @@ function Export-TargetResource TenantId = $TenantId ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent + ManagedIdentity = $ManagedIdentity.IsPresent } + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results if ($null -ne $Results.Assignments) { @@ -767,24 +946,28 @@ function Export-TargetResource } } + if ($null -ne $Results.PlatformRestriction) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ($Results.PlatformRestriction) -CIMInstanceName DeviceEnrollmentPlatformRestriction + if ($complexTypeStringResult) + { + $Results.PlatformRestriction = $complexTypeStringResult + } + else + { + $Results.Remove('PlatformRestriction') | Out-Null + } + } - $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` - -Results $Results $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` -Results $Results ` -Credential $Credential - if ($null -ne $Results.Assignments) { - $isCIMArray = $false - if ($Results.Assignments.getType().Fullname -like '*[[\]]') - { - $isCIMArray = $true - } - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$isCIMArray + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true } if ($null -ne $Results.IosRestriction) @@ -801,6 +984,7 @@ function Export-TargetResource { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'WindowsHomeSkuRestriction' } + if ($null -ne $Results.WindowsMobileRestriction) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'WindowsMobileRestriction' 
@@ -826,6 +1010,11 @@ function Export-TargetResource $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'MacOSRestriction' } + if ($null -ne $Results.PlatformRestriction) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'PlatformRestriction' + } + $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName 
@@ -856,96 +1045,4 @@ function Export-TargetResource } } -function Get-DevicePlatformRestrictionSetting -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable])] - param - ( - [Parameter(Mandatory = 'true')] - [System.Collections.Hashtable] - $Properties - ) - - $results = @{} - - if ($null -ne $Properties.platformType) - { - $keyName = ($Properties.platformType).Substring(0, 1).toUpper() + ($Properties.platformType).substring(1, $Properties.platformType.length - 1) + 'Restriction' - $keyValue = [Hashtable]::new($Properties.platformRestriction) - $hash = @{} - foreach ($key in $keyValue.Keys) - { - if ($null -ne $keyValue.$key) - { - switch -Wildcard ($keyValue.$key.getType().name) - { - '*[[\]]' - { - if ($keyValue.$key.count -gt 0) - { - $hash.add($key, $keyValue.$key) - } - } - 'String' - { - if (-Not [String]::IsNullOrEmpty($keyValue.$key)) - { - $hash.add($key, $keyValue.$key) - } - } - Default - { - $hash.add($key, $keyValue.$key) - } - } - } - } - $results.add($keyName, $hash) - } - else - { - $platformRestrictions = [Hashtable]::new($Properties) - $platformRestrictions.remove('@odata.type') - $platformRestrictions.remove('@odata.context') - foreach ($key in $platformRestrictions.Keys) - { - $keyName = $key.Substring(0, 1).toUpper() + $key.substring(1, $key.length - 1) - $keyValue = [Hashtable]::new($platformRestrictions.$key) - $hash = @{} - foreach ($key in $keyValue.Keys) - { - if ($null -ne $keyValue.$key) - { - switch -Wildcard ($keyValue.$key.getType().name) - { - '*[[\]]' - { - if ($keyValue.$key.count -gt 0) - { - $hash.add($key, $keyValue.$key) - } - } - 'String' - { - if (-Not [String]::IsNullOrEmpty($keyValue.$key)) - { - $hash.add($key, $keyValue.$key) - } - } - Default - { - $hash.add($key, $keyValue.$key) - } - } - - } - } - $results.add($keyName, $hash) - } - } - - return $results -} - Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof index 673102cc1e..4c7a90c3ca 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof 
@@ -24,22 +24,25 @@ class MSFT_DeviceEnrollmentPlatformRestriction class MSFT_IntuneDeviceEnrollmentPlatformRestriction : OMI_BaseResource { [Write, Description("Identity of the device enrollment platform restriction.")] String Identity; - [Key, Description("Display name of the device enrollment platform restriction.")] String DisplayName; + [Write, Description("Display name of the device enrollment platform restriction.")] String DisplayName; [Write, Description("Description of the device enrollment platform restriction.")] String Description; - [Write, Description("Support for Enrollment Configuration Type Inherited from deviceEnrollmentConfiguration."), ValueMap{"singlePlatformRestriction","platformRestrictions"}, Values{"singlePlatformRestriction","platformRestrictions"}] String DeviceEnrollmentConfigurationType; - [Write, Description("Ios restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string IosRestriction; - [Write, Description("Windows restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string WindowsRestriction; - [Write, Description("Windows home Sku restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string WindowsHomeSkuRestriction; - [Write, Description("Windows Mobile restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string WindowsMobileRestriction; - [Write, Description("Android Device Administrator restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string AndroidRestriction; - [Write, Description("Android Enterprise restrictions based on 
platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string AndroidForWorkRestriction; - [Write, Description("Mac restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string MacRestriction; - [Write, Description("Mac OS restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string MacOSRestriction; - [Write, Description("Assignments of the policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] string Assignments[]; - [Write, Description("Present ensures the restriction exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Android for work restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String AndroidForWorkRestriction; + [Write, Description("Android restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String AndroidRestriction; + [Write, Description("Ios restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String IosRestriction; + [Write, Description("Mac restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String MacOSRestriction; + [Write, Description("Mac restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String MacRestriction; + [Write, Description("Windows Home Sku 
restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String WindowsHomeSkuRestriction; + [Write, Description("Windows mobile restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String WindowsMobileRestriction; + [Write, Description("Windows restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String WindowsRestriction; + [Write, Description("Restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String PlatformRestriction; + [Write, Description("Type of platform for which this restriction applies. Possible values are: ios, windows, android, androidForWork, mac, linux."), ValueMap{"ios","windows","android","androidForWork","mac","linux"}, Values{"ios","windows","android","androidForWork","mac","linux"}] String PlatformType; + [Write, Description("Support for Enrollment Configuration Type"), ValueMap{"platformRestrictions","singlePlatformRestriction"}, Values{"platformRestrictions","singlePlatformRestriction"}] String DeviceEnrollmentConfigurationType; + [Write, Description("Priority is used when a user exists in multiple groups that are assigned enrollment configuration. 
Users are subject only to the configuration with the lowest priority value.")] UInt32 Priority; + [Write, Description("Assignments of the policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; [Write, Description("Credentials of the Intune Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; - [Write, Description("Name of the Azure Active Directory tenant used for authentication. Format contoso.onmicrosoft.com")] String TenantId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 index bf083ccd97..4f9981f298 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 
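Review bot: Changing `DisplayName` from `[Key]` to `[Write]` leaves no `[Key]`-qualified property visible in the class (`Identity` is `[Write]` as well), and a DSC resource schema must declare at least one key property or configurations using it fail to compile; unless a key is declared on a line outside this hunk, `Identity` should become `[Key, Description("Identity of the device enrollment platform restriction.")] String Identity;`. Separately, the new `PlatformType` ValueMap accepts `linux`, while the `ValidateSet` on the matching module parameter (visible where the second patch removes it) lists only android, androidForWork, ios, mac and windows, so `PlatformType = "linux"` passes schema validation and then fails parameter binding at apply time; keep the two lists identical. The `Priority` property is `UInt32` here but `Int32` in the module, which is harmless for realistic values but worth aligning while the schema is being rewritten.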
@@ -16,8 +16,21 @@ Configuration Example IntuneDeviceEnrollmentPlatformRestriction 'DeviceEnrollmentPlatformRestriction' { Credential = $Credscredential - DisplayName = "All users and all devices"; + DisplayName = "Removed Policy"; Ensure = "Absent"; + Assignments = @(); + Description = "Enrollment restriction for POC users. Markus Köchli"; + DeviceEnrollmentConfigurationType = "singlePlatformRestriction"; + Identity = "d59e4c28-b6b2-48ad-a6f0-a2132300b99d_SinglePlatformRestriction"; + PlatformRestriction = MSFT_DeviceEnrollmentPlatformRestriction{ + PlatformBlocked = $True + BlockedSkus = @() + BlockedManufacturers = @() + PersonalDeviceEnrollmentBlocked = $False + }; + PlatformType = "android"; + Priority = 1; + TenantId = $OrganizationName; } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 index 7859f4063d..ccc153c4da 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 @@ -68,7 +68,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Present' DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential - IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + Priority = 1 + PlatformType = 'ios' + PlatformRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) 
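Review bot: The remove example now ships a tenant-specific policy id (`Identity = "d59e4c28-…_SinglePlatformRestriction"`) and a real person's name inside `Description`, which reads as a paste from a live export rather than synthetic data; these example files are published as documentation, so they should not carry identifiers or PII from a real tenant. For an `Ensure = "Absent"` example only the lookup properties matter, so trimming it to `DisplayName`, `DeviceEnrollmentConfigurationType`, `PlatformType`, `Ensure` and the authentication parameters, and replacing the description with a generic string such as `Description = "Enrollment restriction for POC users";`, keeps it minimal and clean. The full `PlatformRestriction` block is redundant on a removal and would be better shown in the create/update examples.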
@@ -77,6 +79,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -MockWith { return $null } + + Mock -CommandName New-MgBetaDeviceManagementDeviceEnrollmentConfiguration -MockWith { + return @{ + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' + PlatformRestriction = @{ + PersonalDeviceEnrollmentBlocked = $False + PlatformBlocked = $False + } + platformType = 'ios' + } + id = '12345-12345-12345-12345-12345_SinglePlatformRestriction' + DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' + Description = '' + DisplayName = 'My DSC Restriction' + Priority = 1 + } + } } It 'Should return absent from the Get method' { @@ -102,7 +122,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Present' DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential - IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + Priority = 1 + PlatformType = 'ios' + PlatformRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) @@ -122,6 +144,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Description = '' DisplayName = 'My DSC Restriction' + Priority = 1 } } } 
@@ -140,7 +163,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Present' DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential - iOSRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + Priority = 1 + PlatformType = 'ios' + PlatformRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) @@ -160,6 +185,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Description = '' DisplayName = 'My DSC Restriction' + Priority = 1 } } } @@ -178,7 +204,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = 'Absent' DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential - iOSRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + Priority = 1 + PlatformType = 'ios' + PlatformRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) @@ -198,6 +226,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Description = '' DisplayName = 'My DSC Restriction' + Priority = 1 } } } @@ -238,6 +267,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Description = '' DisplayName = 'My DSC Restriction' + Priority = 1 } } } From 359110e5bcfe756f88063f3c2bf8e5f3eb656f59 Mon Sep 17 00:00:00 2001 
From: Fabien Tschanz Date: Fri, 29 Mar 2024 11:56:52 +0100 Subject: [PATCH 2/3] Simplify enrollment platform restrictions --- ...neDeviceEnrollmentPlatformRestriction.psm1 | 497 ++++++++---------- ...ceEnrollmentPlatformRestriction.schema.mof | 2 - .../readme.md | 5 + .../3-Remove.ps1 | 7 +- ...iceEnrollmentPlatformRestriction.Tests.ps1 | 12 +- 5 files changed, 238 insertions(+), 285 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 index 2a92cd91de..b917098eac 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 @@ -8,7 +8,7 @@ function Get-TargetResource [System.String] $Identity, - [Parameter(Mandatory = $true)] + [Parameter()] [System.String] $DisplayName, @@ -53,14 +53,6 @@ function Get-TargetResource [Microsoft.Management.Infrastructure.CimInstance] $MacOSRestriction, - [Parameter()] - [Microsoft.Management.Infrastructure.CimInstance] - $PlatformRestriction, - - [Parameter()] - [ValidateSet('android', 'androidForWork', 'ios', 'mac', 'windows')] - $PlatformType, - [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, 
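Review bot: With `DisplayName` no longer mandatory and `Identity` also optional, Get-TargetResource can be invoked with neither value, in which case the DisplayName fallback lookup further down runs a `DisplayName eq ''` filter instead of failing fast. A guard at the top of the function, `if ([string]::IsNullOrEmpty($Identity) -and [string]::IsNullOrEmpty($DisplayName)) { throw 'Either Identity or DisplayName must be specified.' }`, makes the contract explicit; Set-TargetResource, whose matching parameter change appears later in this patch, needs the same guard. Get-TargetResource's body continues outside this hunk.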
@@ -117,6 +109,19 @@ function Get-TargetResource $nullResult = $PSBoundParameters $nullResult.Ensure = 'Absent' + $PlatformType = '' + $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*') + { + if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' ) + { + $PlatformType = $key.replace('Restriction', '') + } + } + } + try { try { @@ -130,17 +135,16 @@ function Get-TargetResource { Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with Id {$Identity}" $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -Filter "DisplayName eq '$DisplayName'" ` - -ErrorAction SilentlyContinue | Where-Object ` - -FilterScript { ` - $_.AdditionalProperties.'@odata.type' -like "#microsoft.graph.deviceEnrollmentPlatformRestriction*Configuration" -and ` - $(if ($null -ne $_.AdditionalProperties.platformType) { $_.AdditionalProperties.platformType -eq $PlatformType } else { $true }) ` + -ErrorAction SilentlyContinue | Where-Object -FilterScript { + $_.AdditionalProperties.'@odata.type' -like "#microsoft.graph.deviceEnrollmentPlatformRestriction*Configuration" -and + $(if ($null -ne $_.AdditionalProperties.platformType) { $_.AdditionalProperties.platformType -eq $PlatformType } else { $true }) } - } - if ($null -eq $config) - { - Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" - return $nullResult + if ($null -eq $config) + { + Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" + return $nullResult + } } Write-Verbose -Message "Found Intune Device Enrollment Platform Restriction with Name {$($config.DisplayName)}" 
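Review bot: The new loop that derives `$PlatformType` matches any bound parameter whose type name is like `*cimInstance*`, and `Assignments` is declared as `CimInstance[]`, so a single-platform configuration passed together with assignments can end up with `$PlatformType` set to `Assignments` (the key minus `Restriction`) — whichever matching key is enumerated last wins — and the DisplayName fallback below then never matches a real platformType. Restrict the loop to restriction parameters, e.g. `if ($key -like '*Restriction' -and $null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.GetType().Name -like '*cimInstance*')`. In that fallback, `$DisplayName` is also interpolated straight into the OData filter, so a display name containing a single quote breaks or alters the query; escape it first: `-Filter "DisplayName eq '$($DisplayName.Replace("'", "''"))'"`. Get-TargetResource's body continues outside this hunk.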
@@ -159,132 +163,7 @@ function Get-TargetResource ManagedIdentity = $ManagedIdentity.IsPresent } - # Check if it is not a "Default platform restriction" - if ($config.AdditionalProperties.platformType) - { - $results.Add('PlatformType', $config.AdditionalProperties.platformType.ToString()) - - $complexPlatformRestriction = @{} - $complexPlatformRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.platformRestriction.blockedManufacturers) - $complexPlatformRestriction.Add('BlockedSkus', $config.AdditionalProperties.platformRestriction.blockedSkus) - $complexPlatformRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.platformRestriction.osMaximumVersion) - $complexPlatformRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.platformRestriction.osMinimumVersion) - $complexPlatformRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.platformRestriction.personalDeviceEnrollmentBlocked) - $complexPlatformRestriction.Add('PlatformBlocked', $config.AdditionalProperties.platformRestriction.platformBlocked) - if ($complexPlatformRestriction.values.Where({$null -ne $_}).count -eq 0) - { - $complexPlatformRestriction = $null - } - - $results.Add("PlatformRestriction", $complexPlatformRestriction) - } - else - { - $complexAndroidForWorkRestriction = @{} - $complexAndroidForWorkRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.androidForWorkRestriction.blockedManufacturers) - $complexAndroidForWorkRestriction.Add('BlockedSkus', $config.AdditionalProperties.androidForWorkRestriction.blockedSkus) - $complexAndroidForWorkRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.androidForWorkRestriction.osMaximumVersion) - $complexAndroidForWorkRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.androidForWorkRestriction.osMinimumVersion) - $complexAndroidForWorkRestriction.Add('PersonalDeviceEnrollmentBlocked', 
$config.AdditionalProperties.androidForWorkRestriction.personalDeviceEnrollmentBlocked) - $complexAndroidForWorkRestriction.Add('PlatformBlocked', $config.AdditionalProperties.androidForWorkRestriction.platformBlocked) - if ($complexAndroidForWorkRestriction.values.Where({$null -ne $_}).count -eq 0) - { - $complexAndroidForWorkRestriction = $null - } - - $complexAndroidRestriction = @{} - $complexAndroidRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.androidRestriction.blockedManufacturers) - $complexAndroidRestriction.Add('BlockedSkus', $config.AdditionalProperties.androidRestriction.blockedSkus) - $complexAndroidRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.androidRestriction.osMaximumVersion) - $complexAndroidRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.androidRestriction.osMinimumVersion) - $complexAndroidRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.androidRestriction.personalDeviceEnrollmentBlocked) - $complexAndroidRestriction.Add('PlatformBlocked', $config.AdditionalProperties.androidRestriction.platformBlocked) - if ($complexAndroidRestriction.values.Where({$null -ne $_}).count -eq 0) - { - $complexAndroidRestriction = $null - } - - $complexIosRestriction = @{} - $complexIosRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.iosRestriction.blockedManufacturers) - $complexIosRestriction.Add('BlockedSkus', $config.AdditionalProperties.iosRestriction.blockedSkus) - $complexIosRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.iosRestriction.osMaximumVersion) - $complexIosRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.iosRestriction.osMinimumVersion) - $complexIosRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.iosRestriction.personalDeviceEnrollmentBlocked) - $complexIosRestriction.Add('PlatformBlocked', $config.AdditionalProperties.iosRestriction.platformBlocked) - if 
($complexIosRestriction.values.Where({$null -ne $_}).count -eq 0) - { - $complexIosRestriction = $null - } - - $complexMacOSRestriction = @{} - $complexMacOSRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.macOSRestriction.blockedManufacturers) - $complexMacOSRestriction.Add('BlockedSkus', $config.AdditionalProperties.macOSRestriction.blockedSkus) - $complexMacOSRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.macOSRestriction.osMaximumVersion) - $complexMacOSRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.macOSRestriction.osMinimumVersion) - $complexMacOSRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.macOSRestriction.personalDeviceEnrollmentBlocked) - $complexMacOSRestriction.Add('PlatformBlocked', $config.AdditionalProperties.macOSRestriction.platformBlocked) - if ($complexMacOSRestriction.values.Where({$null -ne $_}).count -eq 0) - { - $complexMacOSRestriction = $null - } - - $complexMacRestriction = @{} - $complexMacRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.macRestriction.blockedManufacturers) - $complexMacRestriction.Add('BlockedSkus', $config.AdditionalProperties.macRestriction.blockedSkus) - $complexMacRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.macRestriction.osMaximumVersion) - $complexMacRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.macRestriction.osMinimumVersion) - $complexMacRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.macRestriction.personalDeviceEnrollmentBlocked) - $complexMacRestriction.Add('PlatformBlocked', $config.AdditionalProperties.macRestriction.platformBlocked) - if ($complexMacRestriction.values.Where({$null -ne $_}).count -eq 0) - { - $complexMacRestriction = $null - } - - $complexWindowsHomeSkuRestriction = @{} - $complexWindowsHomeSkuRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.windowsHomeSkuRestriction.blockedManufacturers) - 
$complexWindowsHomeSkuRestriction.Add('BlockedSkus', $config.AdditionalProperties.windowsHomeSkuRestriction.blockedSkus) - $complexWindowsHomeSkuRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.windowsHomeSkuRestriction.osMaximumVersion) - $complexWindowsHomeSkuRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.windowsHomeSkuRestriction.osMinimumVersion) - $complexWindowsHomeSkuRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.windowsHomeSkuRestriction.personalDeviceEnrollmentBlocked) - $complexWindowsHomeSkuRestriction.Add('PlatformBlocked', $config.AdditionalProperties.windowsHomeSkuRestriction.platformBlocked) - if ($complexWindowsHomeSkuRestriction.values.Where({$null -ne $_}).count -eq 0) - { - $complexWindowsHomeSkuRestriction = $null - } - - $complexWindowsMobileRestriction = @{} - $complexWindowsMobileRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.windowsMobileRestriction.blockedManufacturers) - $complexWindowsMobileRestriction.Add('BlockedSkus', $config.AdditionalProperties.windowsMobileRestriction.blockedSkus) - $complexWindowsMobileRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.windowsMobileRestriction.osMaximumVersion) - $complexWindowsMobileRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.windowsMobileRestriction.osMinimumVersion) - $complexWindowsMobileRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.windowsMobileRestriction.personalDeviceEnrollmentBlocked) - $complexWindowsMobileRestriction.Add('PlatformBlocked', $config.AdditionalProperties.windowsMobileRestriction.platformBlocked) - if ($complexWindowsMobileRestriction.values.Where({$null -ne $_}).count -eq 0) - { - $complexWindowsMobileRestriction = $null - } - - $complexWindowsRestriction = @{} - $complexWindowsRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.windowsRestriction.blockedManufacturers) - 
$complexWindowsRestriction.Add('BlockedSkus', $config.AdditionalProperties.windowsRestriction.blockedSkus) - $complexWindowsRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.windowsRestriction.osMaximumVersion) - $complexWindowsRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.windowsRestriction.osMinimumVersion) - $complexWindowsRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.windowsRestriction.personalDeviceEnrollmentBlocked) - $complexWindowsRestriction.Add('PlatformBlocked', $config.AdditionalProperties.windowsRestriction.platformBlocked) - if ($complexWindowsRestriction.values.Where({$null -ne $_}).count -eq 0) - { - $complexWindowsRestriction = $null - } - - $results.Add("AndroidForWorkRestriction", $complexAndroidForWorkRestriction) - $results.Add("AndroidRestriction", $complexAndroidRestriction) - $results.Add("IosRestriction", $complexIosRestriction) - $results.Add("MacOSRestriction", $complexMacOSRestriction) - $results.Add("MacRestriction", $complexMacRestriction) - $results.Add("WindowsHomeSkuRestriction", $complexWindowsHomeSkuRestriction) - $results.Add("WindowsMobileRestriction", $complexWindowsMobileRestriction) - $results.Add("WindowsRestriction", $complexWindowsRestriction) - } + $results += Get-DevicePlatformRestrictionSetting -Properties $config.AdditionalProperties if ($null -ne $results.WindowsMobileRestriction) { 
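Review bot: The replacement line `$results += Get-DevicePlatformRestrictionSetting -Properties $config.AdditionalProperties` calls a helper that the first patch in this series deleted from the bottom of this same module; unless a hunk not shown here restores it, Get-TargetResource will fail at runtime with an unrecognized command. If it is restored, note that `hashtable + hashtable` throws on a duplicate key, so the helper must not emit any key `$results` already holds (for example `ManagedIdentity`, visible in the context above), and the export path's `-CIMInstanceName DeviceEnrollmentPlatformRestriction` conversion depends on it producing the PascalCase `*Restriction` keys. A short comment above the call stating that contract would help the next maintainer. Get-TargetResource starts and ends outside this hunk.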
@@ -296,11 +175,11 @@ function Get-TargetResource foreach ($assignmentEntry in $assignmentsValues) { $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' + dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId + { $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() }) + deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId + groupId = $assignmentEntry.Target.AdditionalProperties.groupId } $assignmentResult += $assignmentValue } @@ -329,7 +208,7 @@ function Set-TargetResource [System.String] $Identity, - [Parameter(Mandatory = $true)] + [Parameter()] [System.String] $DisplayName, @@ -374,14 +253,6 @@ function Set-TargetResource [Microsoft.Management.Infrastructure.CimInstance] $MacOSRestriction, - [Parameter()] - [Microsoft.Management.Infrastructure.CimInstance] - $PlatformRestriction, - - [Parameter()] - [ValidateSet('android', 'androidForWork', 'ios', 'mac', 'windows')] - $PlatformType, - [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, 
@@ -435,18 +306,13 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - if (-not [System.String]::IsNullOrEmpty($PlatformType) -and $null -eq $PlatformRestriction) { - throw 'If PlatformType is specified, PlatformRestriction is required.' - } - - if ([System.String]::IsNullOrEmpty($PlatformType) -and $null -ne $PlatformRestriction) { - throw 'PlatformRestriction can only be set on policies with a PlatformType.' - } - if ($Ensure -eq 'Absent' -and $Identity -like '*_DefaultPlatformRestrictions') { throw 'Cannot delete the default platform restriction policy.' } + $currentInstance = Get-TargetResource @PSBoundParameters + $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + $PSBoundParameters.Remove('Identity') | Out-Null $PriorityPresent = $false if ($PSBoundParameters.Keys.Contains('Priority')) { @@ -454,21 +320,13 @@ function Set-TargetResource $PSBoundParameters.Remove('Priority') | Out-Null } - $currentInstance = Get-TargetResource @PSBoundParameters - $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters - $BoundParameters.Remove('Identity') | Out-Null - if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { Write-Verbose -Message "Creating an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" - $BoundParameters.Remove('Assignments') | Out-Null + $PSBoundParameters.Remove('Assignments') | Out-Null - $CreateParameters = ([Hashtable]$BoundParameters).Clone() - $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters - $CreateParameters.Remove('Id') | Out-Null - - if ($BoundParameters.Keys.Contains('WindowsMobileRestriction')) + if ($PSBoundParameters.Keys.Contains('WindowsMobileRestriction')) { if ($WindowsMobileRestriction.platformBlocked -eq $false) { 
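Review bot: Reassigning the automatic variable `$PSBoundParameters` (`$PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters`) works in practice but obscures which values are the caller's original bindings and which are the mutated request body that later gets `Remove`/`add` calls and the `@odata.type` entry; the previous `$BoundParameters` copy kept that distinction. Keeping a separately named working copy, e.g. `$BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters`, and using it for all subsequent mutations is the same behaviour with clearer intent. Set-TargetResource starts before this hunk and the create/update branches continue after it.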
@@ -477,62 +335,71 @@ function Set-TargetResource } } - $keys = (([Hashtable]$CreateParameters).Clone()).Keys + $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys foreach ($key in $keys) { - if ($null -ne $CreateParameters.$key -and $CreateParameters.$key.GetType().Name -like '*cimInstance*') + $keyName = $key.substring(0, 1).toLower() + $key.substring(1, $key.length - 1) + $keyValue = $PSBoundParameters.$key + if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*') { - $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key + $keyValue = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.$key + if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' ) + { + $keyName = 'platformRestriction' + $PSBoundParameters.add('platformType', ($key.replace('Restriction', ''))) + } } + $PSBoundParameters.remove($key) + $PSBoundParameters.add($keyName, $keyValue) } - # Check if it is a "Default platform restriction" - if ([System.String]::IsNullOrEmpty($PlatformType)) + $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' + if ($DeviceEnrollmentConfigurationType -eq 'platformRestrictions' ) { - $CreateParameters.Add('@odata.type', '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration') + $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' + $PSBoundParameters.add('deviceEnrollmentConfigurationType ', 'limit') } - else - { - $CreateParameters.Add('@odata.type', '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration') - } - - $policy = New-MgBetaDeviceManagementDeviceEnrollmentConfiguration -BodyParameter $CreateParameters + $PSBoundParameters.add('@odata.type', $policyType) - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + #Write-Verbose 
($PSBoundParameters | ConvertTo-Json -Depth 20) + + $policy = New-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` + -BodyParameter ([hashtable]$PSBoundParameters) - # Skip for the default platform restriction + # Assignments from DefaultPolicy are not editable and will raise an alert if ($policy.Id -notlike '*_DefaultPlatformRestrictions') { - if ($null -ne $Assignments -and $Assignments -ne @()) { - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments - - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $policy.Id ` + $assignmentsHash = @() + if ($null -ne $Assignments -and $Assignments.Length -gt 0) + { + foreach ($assignment in $Assignments) + { + $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment + } + } + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Identity ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceEnrollmentConfigurations' ` -RootIdentifier 'enrollmentConfigurationAssignments' - } - } - if ($PriorityPresent -and $Priority -ne $policy.Priority) - { - $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $policy.Id - $Body = @{ - priority = $Priority + if ($PriorityPresent -and $Priority -ne $policy.Priority) + { + $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $policy.Id + $Body = @{ + priority = $Priority + } + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body } - Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $($Body | ConvertTo-Json) } } elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Updating the Intune Device Enrollment Platform Restriction with Id {$($currentInstance.Identity)}" - $BoundParameters.Remove('Assignments') | Out-Null + Write-Verbose -Message "Updating the Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" + + 
$PSBoundParameters.Remove('Assignments') | Out-Null - if ($BoundParameters.Keys.Contains('WindowsMobileRestriction')) + if ($PSBoundParameters.Keys.Contains('WindowsMobileRestriction')) { if ($WindowsMobileRestriction.platformBlocked -eq $false) { 
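Review bot: The key added for the default policy, `'deviceEnrollmentConfigurationType '`, carries a trailing space, so the body handed to `New-MgBetaDeviceManagementDeviceEnrollmentConfiguration` contains a misspelled property next to the lower-cased `deviceEnrollmentConfigurationType` the loop already produced; drop the space and, because the value `'limit'` is not self-explanatory at this point, add a one-line comment saying why the default policy is created with it. `platformType` is derived as `$key.replace('Restriction', '')`, which yields `MacOS` for the `MacOSRestriction` parameter (and `Ios`, `AndroidForWork`, `Windows` for the others) while the ValidateSet this patch removes listed `mac`, `ios`, `androidForWork`, `windows`; unless Graph normalises enum casing, a lookup table from parameter name to platform value is safer than string mangling. `$PSBoundParameters.add('platformType', …)` inside the `foreach` throws on the second `*Restriction` parameter. The commented-out `#Write-Verbose ($PSBoundParameters | ConvertTo-Json …)` is dead code and should be removed. Set-TargetResource's body continues on both sides of this hunk.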
@@ -541,49 +408,52 @@ function Set-TargetResource } } - $UpdateParameters = ([Hashtable]$BoundParameters).clone() - $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters - - $UpdateParameters.Remove('Id') | Out-Null - $UpdateParameters.Remove('Priority') | Out-Null - - $keys = (([Hashtable]$UpdateParameters).clone()).Keys + $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys foreach ($key in $keys) { - if ($null -ne $UpdateParameters.$key -and $UpdateParameters.$key.getType().Name -like '*cimInstance*') + $keyName = $key.substring(0, 1).toLower() + $key.substring(1, $key.length - 1) + $keyValue = $PSBoundParameters.$key + if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*') { - $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key + $keyValue = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.$key + if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' ) + { + $keyName = 'platformRestriction' + } } + $PSBoundParameters.remove($key) + $PSBoundParameters.add($keyName, $keyValue) } - # Check if it is a "Default platform restriction" - if ($currentInstance.Identity -like "*_DefaultPlatformRestrictions") - { - $UpdateParameters.Add("@odata.type", "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration") - } - else + $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' + if ($DeviceEnrollmentConfigurationType -eq 'platformRestrictions' ) { - $UpdateParameters.Add("@odata.type", "#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration") - $UpdateParameters.Remove("PlatformType") + $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' } + $PSBoundParameters.add('@odata.type', $policyType) + + #Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20) Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` 
-DeviceEnrollmentConfigurationId $currentInstance.Identity ` - -BodyParameter $UpdateParameters + -BodyParameter ([hashtable]$PSBoundParameters) - # Skip for the default platform restriction - if ($currentInstance.Identity -notlike "*_DefaultPlatformRestrictions") + # Assignments from DefaultPolicy are not editable and will raise an alert + if ($currentInstance.Identity -notlike '*_DefaultPlatformRestrictions') { - if ($null -ne $Assignments -and $Assignments -ne @()) + $assignmentsHash = @() + if ($null -ne $Assignments -and $Assignments.Length -gt 0) { - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments - - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $currentInstance.Identity ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceEnrollmentConfigurations' ` - -RootIdentifier 'enrollmentConfigurationAssignments' + foreach ($assignment in $Assignments) + { + $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment + } } + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Identity ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceEnrollmentConfigurations' ` + -RootIdentifier 'enrollmentConfigurationAssignments' if ($PriorityPresent -and $Priority -ne $currentInstance.Priority) { 
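Review bot: The key-conversion loop here is a verbatim copy of the one in the create branch, with the single difference that this branch never adds `platformType`; extracting the loop into one helper, or at least a comment stating why the PATCH body needs no `platformType`, would keep the two copies from drifting. `$PSBoundParameters.add($keyName, $keyValue)` throws once two `*Restriction` parameters both map to `platformRestriction`, the same problem as in the create branch. The `#Write-Verbose (… ConvertTo-Json …)` debug line is commented out here too and should go. Set-TargetResource's body continues on both sides of this hunk.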
@@ -591,13 +461,13 @@ function Set-TargetResource $Body = @{ priority = $Priority } - Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $($Body | ConvertTo-Json) + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body } } } elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Removing the Intune Device Enrollment Platform Restriction with Name {$DisplayName}" + Write-Verbose -Message "Removing the Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $currentInstance.Identity } } @@ -612,7 +482,7 @@ function Test-TargetResource [System.String] $Identity, - [Parameter(Mandatory = $true)] + [Parameter()] [System.String] $DisplayName, @@ -657,14 +527,6 @@ function Test-TargetResource [Microsoft.Management.Infrastructure.CimInstance] $MacOSRestriction, - [Parameter()] - [Microsoft.Management.Infrastructure.CimInstance] - $PlatformRestriction, - - [Parameter()] - [ValidateSet('android', 'androidForWork', 'ios', 'mac', 'windows')] - $PlatformType, - [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, 
@@ -752,11 +614,23 @@ function Test-TargetResource $ValuesToCheck.Remove('Identity') | Out-Null $ValuesToCheck.Remove('WindowsMobileRestriction') | Out-Null + #Convert any DateTime to String + foreach ($key in $ValuesToCheck.Keys) + { + if (($null -ne $CurrentValues[$key]) ` + -and ($CurrentValues[$key].getType().Name -eq 'DateTime')) + { + $CurrentValues[$key] = $CurrentValues[$key].toString() + } + } + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + #Compare basic parameters if ($testResult) { + Write-Verbose -Message "Comparing the current values with the desired ones" $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` @@ -765,7 +639,7 @@ function Test-TargetResource Write-Verbose -Message "Test-TargetResource returned $testResult" - return $TestResult + return $testResult } function Export-TargetResource @@ -774,6 +648,10 @@ function Export-TargetResource [OutputType([System.String])] param ( + [Parameter()] + [System.String] + $Filter, + [Parameter()] [System.Management.Automation.PSCredential] $Credential, @@ -844,10 +722,7 @@ function Export-TargetResource CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent } - $Results = Get-TargetResource @Params - $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` - -Results $Results if ($null -ne $Results.Assignments) { 
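Review bot: `$CurrentValues[$key].toString()` in the new DateTime loop formats with the current culture, so the later comparison against the user's string in `$PSBoundParameters` depends on the machine's locale; no DateTime-typed property is visible in this resource's parameter list, so if none exists the loop is dead code, and if one does, `ToString('o')` (or an explicit format named in the comment) gives a stable form. The header comment could read `# Graph returns DateTime objects; compare them as strings in a fixed format against the configured values`. The `$Filter` parameter added to Export-TargetResource in the later hunk on this line is not used in any visible line; a `.PARAMETER Filter` entry in the comment-based help, or an actual use, would clarify its purpose. Test-TargetResource's body continues outside the hunk.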
@@ -965,19 +840,9 @@ function Export-TargetResource } } - if ($null -ne $Results.PlatformRestriction) - { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ($Results.PlatformRestriction) -CIMInstanceName DeviceEnrollmentPlatformRestriction - if ($complexTypeStringResult) - { - $Results.PlatformRestriction = $complexTypeStringResult - } - else - { - $Results.Remove('PlatformRestriction') | Out-Null - } - } + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` @@ -986,7 +851,12 @@ function Export-TargetResource if ($null -ne $Results.Assignments) { - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true + $isCIMArray = $false + if ($Results.Assignments.getType().Fullname -like '*[[\]]') + { + $isCIMArray = $true + } + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$isCIMArray } if ($null -ne $Results.IosRestriction) @@ -1029,11 +899,6 @@ function Export-TargetResource $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'MacOSRestriction' } - if ($null -ne $Results.PlatformRestriction) - { - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'PlatformRestriction' - } - $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName 
@@ -1064,4 +929,96 @@ function Export-TargetResource } } +function Get-DevicePlatformRestrictionSetting +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = 'true')] + [System.Collections.Hashtable] + $Properties + ) + + $results = @{} + + if ($null -ne $Properties.platformType) + { + $keyName = ($Properties.platformType).Substring(0, 1).toUpper() + ($Properties.platformType).substring(1, $Properties.platformType.length - 1) + 'Restriction' + $keyValue = [Hashtable]::new($Properties.platformRestriction) + $hash = @{} + foreach ($key in $keyValue.Keys) + { + if ($null -ne $keyValue.$key) + { + switch -Wildcard ($keyValue.$key.getType().name) + { + '*[[\]]' + { + if ($keyValue.$key.count -gt 0) + { + $hash.add($key, $keyValue.$key) + } + } + 'String' + { + if (-Not [String]::IsNullOrEmpty($keyValue.$key)) + { + $hash.add($key, $keyValue.$key) + } + } + Default + { + $hash.add($key, $keyValue.$key) + } + } + } + } + $results.add($keyName, $hash) + } + else + { + $platformRestrictions = [Hashtable]::new($Properties) + $platformRestrictions.remove('@odata.type') + $platformRestrictions.remove('@odata.context') + foreach ($key in $platformRestrictions.Keys) + { + $keyName = $key.Substring(0, 1).toUpper() + $key.substring(1, $key.length - 1) + $keyValue = [Hashtable]::new($platformRestrictions.$key) + $hash = @{} + foreach ($key in $keyValue.Keys) + { + if ($null -ne $keyValue.$key) + { + switch -Wildcard ($keyValue.$key.getType().name) + { + '*[[\]]' + { + if ($keyValue.$key.count -gt 0) + { + $hash.add($key, $keyValue.$key) + } + } + 'String' + { + if (-Not [String]::IsNullOrEmpty($keyValue.$key)) + { + $hash.add($key, $keyValue.$key) + } + } + Default + { + $hash.add($key, $keyValue.$key) + } + } + + } + } + $results.add($keyName, $hash) + } + } + + return $results +} + Export-ModuleMember -Function *-TargetResource 
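Review bot: The value-filtering `switch` is duplicated between the `platformType` branch and the default-policy branch of the new `Get-DevicePlatformRestrictionSetting`, and the second copy reuses `$key` for the inner `foreach` while the outer loop variable is also `$key`; a small inner helper removes both the copy and the shadowing. The name derivation `Substring(0, 1).toUpper()` is culture-sensitive (`ios` becomes `İos` under a Turkish culture) — `ToUpperInvariant()` is the right call — and `mac` produces `MacRestriction`, which does not match the `MacOSRestriction` parameter Set-TargetResource works with, so a lookup table keyed on the Graph platform value would be more robust. `[Parameter(Mandatory = 'true')]` should be `$true`. The `else` branch assumes every remaining key of `$Properties` holds a restriction dictionary; `[Hashtable]::new()` throws for any scalar property, which is worth stating in a comment on the function.
```powershell
function Get-DevicePlatformRestrictionSetting
{
    # … unchanged: CmdletBinding / OutputType / param block …

    # Keeps only settings that carry a value: nulls, empty strings and
    # empty arrays are dropped so they do not show up as drift.
    function Select-PopulatedSetting
    {
        param ([System.Collections.Hashtable] $Restriction)
        $hash = @{}
        foreach ($settingKey in $Restriction.Keys)
        {
            $value = $Restriction.$settingKey
            if ($null -eq $value) { continue }
            switch -Wildcard ($value.getType().name)
            {
                '*[[\]]' { if ($value.count -gt 0) { $hash.add($settingKey, $value) } }
                'String' { if (-not [String]::IsNullOrEmpty($value)) { $hash.add($settingKey, $value) } }
                Default  { $hash.add($settingKey, $value) }
            }
        }
        return $hash
    }

    $results = @{}
    if ($null -ne $Properties.platformType)
    {
        $keyName = $Properties.platformType.Substring(0, 1).ToUpperInvariant() + $Properties.platformType.Substring(1) + 'Restriction'
        $results.add($keyName, (Select-PopulatedSetting -Restriction ([Hashtable]::new($Properties.platformRestriction))))
    }
    else
    {
        # … unchanged: copy of $Properties without the @odata.* keys …
        foreach ($platformKey in $platformRestrictions.Keys)
        {
            $keyName = $platformKey.Substring(0, 1).ToUpperInvariant() + $platformKey.Substring(1)
            $results.add($keyName, (Select-PopulatedSetting -Restriction ([Hashtable]::new($platformRestrictions.$platformKey))))
        }
    }

    return $results
}
```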
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof
index c428c5b53f..dcf1cd7840 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof
@@ -34,8 +34,6 @@ class MSFT_IntuneDeviceEnrollmentPlatformRestriction : OMI_BaseResource [Write, Description("Windows Home Sku restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String WindowsHomeSkuRestriction; [Write, Description("Windows mobile restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String WindowsMobileRestriction; [Write, Description("Windows restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String WindowsRestriction; - [Write, Description("Restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String PlatformRestriction; - [Write, Description("Type of platform for which this restriction applies. Possible values are: ios, windows, android, androidForWork, mac, linux."), ValueMap{"ios","windows","android","androidForWork","mac","linux"}, Values{"ios","windows","android","androidForWork","mac","linux"}] String PlatformType; [Write, Description("Support for Enrollment Configuration Type"), ValueMap{"platformRestrictions","singlePlatformRestriction"}, Values{"platformRestrictions","singlePlatformRestriction"}] String DeviceEnrollmentConfigurationType; [Write, Description("Priority is used when a user exists in multiple groups that are assigned enrollment configuration. Users are subject only to the configuration with the lowest priority value.")] UInt32 Priority; [Write, Description("Assignments of the policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; 
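Review bot: Dropping `PlatformRestriction` and `PlatformType` from the schema is a breaking change for every existing configuration that declares a single-platform policy, but neither the CHANGELOG entry nor the remaining property descriptions say that the platform is now expressed through the matching `*Restriction` property. The `DeviceEnrollmentConfigurationType` description `Support for Enrollment Configuration Type` does not explain the effect of the value; something like `Type of the policy: platformRestrictions for the tenant default policy, singlePlatformRestriction for a policy that sets exactly one *Restriction property (the platform is derived from that property's name).` would match what the Set logic appears to expect.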
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/readme.md index 709451d016..d0f9ae85e4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/readme.md @@ -4,3 +4,8 @@ ## Description This resource configures the Intune device platform enrollment restrictions. + +**Be aware**: To deploy a Android platform restriction policy, two individual configurations must exist: + +* The first one contains the key for `AndroidRestriction` +* The second one contains the key for `AndroidForWorkRestriction` diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 index 8003fc482a..5727bbb579 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 @@ -22,13 +22,10 @@ Configuration Example Description = "This is a single platform restriction policy."; DeviceEnrollmentConfigurationType = "singlePlatformRestriction"; Identity = "d59e4c28-b6b2-48ad-a6f0-a2132300b99d_SinglePlatformRestriction"; - PlatformRestriction = MSFT_DeviceEnrollmentPlatformRestriction{ - PlatformBlocked = $True - BlockedSkus = @() - BlockedManufacturers = @() + IosRestriction = MSFT_DeviceEnrollmentPlatformRestriction{ + PlatformBlocked = $True PersonalDeviceEnrollmentBlocked = $False }; - PlatformType = "android"; Priority = 1; TenantId = $OrganizationName; } 
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 index ccc153c4da..0c69c176de 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 @@ -69,8 +69,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential Priority = 1 - PlatformType = 'ios' - PlatformRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) @@ -123,8 +122,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential Priority = 1 - PlatformType = 'ios' - PlatformRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) @@ -164,8 +162,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential Priority = 1 - PlatformType = 'ios' - PlatformRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) 
@@ -205,8 +202,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential Priority = 1 - PlatformType = 'ios' - PlatformRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) From a100e207c2c25dcfc70da00d046b1287b8ad9172 Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Wed, 3 Apr 2024 13:26:59 +0200 Subject: [PATCH 3/3] Add required displayName parameter to enrollment restrictions --- ...SFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 | 11 ++++++----- ...tuneDeviceEnrollmentPlatformRestriction.schema.mof | 2 +- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 index b917098eac..b0b9856958 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 @@ -8,7 +8,7 @@ function Get-TargetResource [System.String] $Identity, - [Parameter()] + [Parameter(Mandatory = $true)] [System.String] $DisplayName, 
@@ -113,11 +113,12 @@ function Get-TargetResource $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys foreach ($key in $keys) { - if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*') + if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*' -and $key -like "*Restriction") { if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' ) { $PlatformType = $key.replace('Restriction', '') + break } } } @@ -208,7 +209,7 @@ function Set-TargetResource [System.String] $Identity, - [Parameter()] + [Parameter(Mandatory = $true)] [System.String] $DisplayName, @@ -378,7 +379,7 @@ function Set-TargetResource } } Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $currentInstance.Identity ` + -DeviceConfigurationPolicyId $policy.Id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceEnrollmentConfigurations' ` -RootIdentifier 'enrollmentConfigurationAssignments' @@ -482,7 +483,7 @@ function Test-TargetResource [System.String] $Identity, - [Parameter()] + [Parameter(Mandatory = $true)] [System.String] $DisplayName, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof index dcf1cd7840..f78715c641 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof 
@@ -24,7 +24,7 @@ class MSFT_DeviceEnrollmentPlatformRestriction class MSFT_IntuneDeviceEnrollmentPlatformRestriction : OMI_BaseResource { [Key, Description("Identity of the device enrollment platform restriction.")] String Identity; - [Write, Description("Display name of the device enrollment platform restriction.")] String DisplayName; + [Key, Description("Display name of the device enrollment platform restriction.")] String DisplayName; [Write, Description("Description of the device enrollment platform restriction.")] String Description; [Write, Description("Android for work restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String AndroidForWorkRestriction; [Write, Description("Android restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String AndroidRestriction;
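Review bot: Promoting `DisplayName` from `Write` to `Key` (and making it mandatory in Get, Set and Test in the hunks on the two preceding lines) changes the resource's identity and breaks existing configurations that omit it, yet this patch touches only the psm1 and the mof — there is no CHANGELOG line for it. Export-TargetResource calls `Get-TargetResource @Params`; whether `$Params` carries a DisplayName is not visible here and should be checked, since that call now fails without one. A CHANGELOG line such as `DisplayName is now a Key property and must be specified` would cover the schema change.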