From 8412af93416d0b64cae292ba2a0573e4a666f3be Mon Sep 17 00:00:00 2001
From: Fabien Tschanz
Date: Fri, 29 Mar 2024 11:56:52 +0100
Subject: [PATCH] Simplify enrollment platform restrictions
---
...neDeviceEnrollmentPlatformRestriction.psm1 | 475 ++++++++----------
...ceEnrollmentPlatformRestriction.schema.mof | 2 -
.../readme.md | 5 +
.../3-Remove.ps1 | 7 +-
...iceEnrollmentPlatformRestriction.Tests.ps1 | 12 +-
5 files changed, 224 insertions(+), 277 deletions(-)
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1
index 2a92cd91de..3bb98c9f90 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1
@@ -8,7 +8,7 @@ function Get-TargetResource
 [System.String]
 $Identity,
- [Parameter(Mandatory = $true)]
+ [Parameter()]
 [System.String]
 $DisplayName,
@@ -53,14 +53,6 @@ function Get-TargetResource
 [Microsoft.Management.Infrastructure.CimInstance]
 $MacOSRestriction,
- [Parameter()]
- [Microsoft.Management.Infrastructure.CimInstance]
- $PlatformRestriction,
-
- [Parameter()]
- [ValidateSet('android', 'androidForWork', 'ios', 'mac', 'windows')]
- $PlatformType,
-
 [Parameter()]
 [Microsoft.Management.Infrastructure.CimInstance[]]
 $Assignments,
@@ -117,6 +109,19 @@ function Get-TargetResource
 $nullResult = $PSBoundParameters
 $nullResult.Ensure = 'Absent'
+ $PlatformType = ''
+ $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys
+ foreach ($key in $keys)
+ {
+ if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*')
+ {
+ if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' )
+ {
+ $PlatformType = $key.replace('Restriction', '')
+ }
+ }
+ }
+
 try
 {
 try
 {
@@ -130,17 +135,16 @@ function Get-TargetResource
 {
 Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with Id {$Identity}"
 $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -Filter "DisplayName eq '$DisplayName'" `
- -ErrorAction SilentlyContinue | Where-Object `
- -FilterScript { `
- $_.AdditionalProperties.'@odata.type' -like "#microsoft.graph.deviceEnrollmentPlatformRestriction*Configuration" -and `
- $(if ($null -ne $_.AdditionalProperties.platformType) { $_.AdditionalProperties.platformType -eq $PlatformType } else { $true }) `
+ -ErrorAction SilentlyContinue | Where-Object -FilterScript {
+ $_.AdditionalProperties.'@odata.type' -like "#microsoft.graph.deviceEnrollmentPlatformRestriction*Configuration" -and
+ $(if ($null -ne $_.AdditionalProperties.platformType) { $_.AdditionalProperties.platformType -eq $PlatformType } else { $true })
 }
- }
- if ($null -eq $config)
- {
- Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}"
- return $nullResult
+ if ($null -eq $config)
+ {
+ Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}"
+ return $nullResult
+ }
 }
 Write-Verbose -Message "Found Intune Device Enrollment Platform Restriction with Name {$($config.DisplayName)}"
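Review bot: The platform-type detection loop added in the `@@ -117,6 +109,19 @@` hunk accepts any bound value whose type name contains `cimInstance`, and `$Assignments` is declared `[Microsoft.Management.Infrastructure.CimInstance[]]` in the preceding param hunk, so when assignments are bound the loop can set `$PlatformType` to `Assignments` (depending on key order) and the DisplayName lookup in the next hunk then filters on a platform type that never matches. Restrict the loop to the restriction parameters instead of relying on the Set-TargetResource hunks' habit of removing `Assignments` first, e.g. `if ($key -like '*Restriction' -and $null -ne $PSBoundParameters.$key -and $DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction')`, which also lifts the loop-invariant `$DeviceEnrollmentConfigurationType` test into the single condition. A short comment such as `# Derive the Graph platformType from the bound *Restriction parameter (single-platform policies only)` would make the intent of the loop visible. Get-TargetResource's body continues outside these hunks.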
@@ -159,132 +163,7 @@ function Get-TargetResource
 ManagedIdentity = $ManagedIdentity.IsPresent
 }
- # Check if it is not a "Default platform restriction"
- if ($config.AdditionalProperties.platformType)
- {
- $results.Add('PlatformType', $config.AdditionalProperties.platformType.ToString())
-
- $complexPlatformRestriction = @{}
- $complexPlatformRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.platformRestriction.blockedManufacturers)
- $complexPlatformRestriction.Add('BlockedSkus', $config.AdditionalProperties.platformRestriction.blockedSkus)
- $complexPlatformRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.platformRestriction.osMaximumVersion)
- $complexPlatformRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.platformRestriction.osMinimumVersion)
- $complexPlatformRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.platformRestriction.personalDeviceEnrollmentBlocked)
- $complexPlatformRestriction.Add('PlatformBlocked', $config.AdditionalProperties.platformRestriction.platformBlocked)
- if ($complexPlatformRestriction.values.Where({$null -ne $_}).count -eq 0)
- {
- $complexPlatformRestriction = $null
- }
-
- $results.Add("PlatformRestriction", $complexPlatformRestriction)
- }
- else
- {
- $complexAndroidForWorkRestriction = @{}
- $complexAndroidForWorkRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.androidForWorkRestriction.blockedManufacturers)
- $complexAndroidForWorkRestriction.Add('BlockedSkus', $config.AdditionalProperties.androidForWorkRestriction.blockedSkus)
- $complexAndroidForWorkRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.androidForWorkRestriction.osMaximumVersion)
- $complexAndroidForWorkRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.androidForWorkRestriction.osMinimumVersion)
- $complexAndroidForWorkRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.androidForWorkRestriction.personalDeviceEnrollmentBlocked)
- $complexAndroidForWorkRestriction.Add('PlatformBlocked', $config.AdditionalProperties.androidForWorkRestriction.platformBlocked)
- if ($complexAndroidForWorkRestriction.values.Where({$null -ne $_}).count -eq 0)
- {
- $complexAndroidForWorkRestriction = $null
- }
-
- $complexAndroidRestriction = @{}
- $complexAndroidRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.androidRestriction.blockedManufacturers)
- $complexAndroidRestriction.Add('BlockedSkus', $config.AdditionalProperties.androidRestriction.blockedSkus)
- $complexAndroidRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.androidRestriction.osMaximumVersion)
- $complexAndroidRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.androidRestriction.osMinimumVersion)
- $complexAndroidRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.androidRestriction.personalDeviceEnrollmentBlocked)
- $complexAndroidRestriction.Add('PlatformBlocked', $config.AdditionalProperties.androidRestriction.platformBlocked)
- if ($complexAndroidRestriction.values.Where({$null -ne $_}).count -eq 0)
- {
- $complexAndroidRestriction = $null
- }
-
- $complexIosRestriction = @{}
- $complexIosRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.iosRestriction.blockedManufacturers)
- $complexIosRestriction.Add('BlockedSkus', $config.AdditionalProperties.iosRestriction.blockedSkus)
- $complexIosRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.iosRestriction.osMaximumVersion)
- $complexIosRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.iosRestriction.osMinimumVersion)
- $complexIosRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.iosRestriction.personalDeviceEnrollmentBlocked)
- $complexIosRestriction.Add('PlatformBlocked', $config.AdditionalProperties.iosRestriction.platformBlocked)
- if ($complexIosRestriction.values.Where({$null -ne $_}).count -eq 0)
- {
- $complexIosRestriction = $null
- }
-
- $complexMacOSRestriction = @{}
- $complexMacOSRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.macOSRestriction.blockedManufacturers)
- $complexMacOSRestriction.Add('BlockedSkus', $config.AdditionalProperties.macOSRestriction.blockedSkus)
- $complexMacOSRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.macOSRestriction.osMaximumVersion)
- $complexMacOSRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.macOSRestriction.osMinimumVersion)
- $complexMacOSRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.macOSRestriction.personalDeviceEnrollmentBlocked)
- $complexMacOSRestriction.Add('PlatformBlocked', $config.AdditionalProperties.macOSRestriction.platformBlocked)
- if ($complexMacOSRestriction.values.Where({$null -ne $_}).count -eq 0)
- {
- $complexMacOSRestriction = $null
- }
-
- $complexMacRestriction = @{}
- $complexMacRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.macRestriction.blockedManufacturers)
- $complexMacRestriction.Add('BlockedSkus', $config.AdditionalProperties.macRestriction.blockedSkus)
- $complexMacRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.macRestriction.osMaximumVersion)
- $complexMacRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.macRestriction.osMinimumVersion)
- $complexMacRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.macRestriction.personalDeviceEnrollmentBlocked)
- $complexMacRestriction.Add('PlatformBlocked', $config.AdditionalProperties.macRestriction.platformBlocked)
- if ($complexMacRestriction.values.Where({$null -ne $_}).count -eq 0)
- {
- $complexMacRestriction = $null
- }
-
- $complexWindowsHomeSkuRestriction = @{}
- $complexWindowsHomeSkuRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.windowsHomeSkuRestriction.blockedManufacturers)
- $complexWindowsHomeSkuRestriction.Add('BlockedSkus', $config.AdditionalProperties.windowsHomeSkuRestriction.blockedSkus)
- $complexWindowsHomeSkuRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.windowsHomeSkuRestriction.osMaximumVersion)
- $complexWindowsHomeSkuRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.windowsHomeSkuRestriction.osMinimumVersion)
- $complexWindowsHomeSkuRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.windowsHomeSkuRestriction.personalDeviceEnrollmentBlocked)
- $complexWindowsHomeSkuRestriction.Add('PlatformBlocked', $config.AdditionalProperties.windowsHomeSkuRestriction.platformBlocked)
- if ($complexWindowsHomeSkuRestriction.values.Where({$null -ne $_}).count -eq 0)
- {
- $complexWindowsHomeSkuRestriction = $null
- }
-
- $complexWindowsMobileRestriction = @{}
- $complexWindowsMobileRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.windowsMobileRestriction.blockedManufacturers)
- $complexWindowsMobileRestriction.Add('BlockedSkus', $config.AdditionalProperties.windowsMobileRestriction.blockedSkus)
- $complexWindowsMobileRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.windowsMobileRestriction.osMaximumVersion)
- $complexWindowsMobileRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.windowsMobileRestriction.osMinimumVersion)
- $complexWindowsMobileRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.windowsMobileRestriction.personalDeviceEnrollmentBlocked)
- $complexWindowsMobileRestriction.Add('PlatformBlocked', $config.AdditionalProperties.windowsMobileRestriction.platformBlocked)
- if ($complexWindowsMobileRestriction.values.Where({$null -ne $_}).count -eq 0)
- {
- $complexWindowsMobileRestriction = $null
- }
-
- $complexWindowsRestriction = @{}
- $complexWindowsRestriction.Add('BlockedManufacturers', $config.AdditionalProperties.windowsRestriction.blockedManufacturers)
- $complexWindowsRestriction.Add('BlockedSkus', $config.AdditionalProperties.windowsRestriction.blockedSkus)
- $complexWindowsRestriction.Add('OsMaximumVersion', $config.AdditionalProperties.windowsRestriction.osMaximumVersion)
- $complexWindowsRestriction.Add('OsMinimumVersion', $config.AdditionalProperties.windowsRestriction.osMinimumVersion)
- $complexWindowsRestriction.Add('PersonalDeviceEnrollmentBlocked', $config.AdditionalProperties.windowsRestriction.personalDeviceEnrollmentBlocked)
- $complexWindowsRestriction.Add('PlatformBlocked', $config.AdditionalProperties.windowsRestriction.platformBlocked)
- if ($complexWindowsRestriction.values.Where({$null -ne $_}).count -eq 0)
- {
- $complexWindowsRestriction = $null
- }
-
- $results.Add("AndroidForWorkRestriction", $complexAndroidForWorkRestriction)
- $results.Add("AndroidRestriction", $complexAndroidRestriction)
- $results.Add("IosRestriction", $complexIosRestriction)
- $results.Add("MacOSRestriction", $complexMacOSRestriction)
- $results.Add("MacRestriction", $complexMacRestriction)
- $results.Add("WindowsHomeSkuRestriction", $complexWindowsHomeSkuRestriction)
- $results.Add("WindowsMobileRestriction", $complexWindowsMobileRestriction)
- $results.Add("WindowsRestriction", $complexWindowsRestriction)
- }
+ $results += Get-DevicePlatformRestrictionSetting -Properties $config.AdditionalProperties
 if ($null -ne $results.WindowsMobileRestriction)
 {
@@ -296,11 +175,11 @@ function Get-TargetResource
 foreach ($assignmentEntry in $assignmentsValues)
 {
 $assignmentValue = @{
- dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type'
+ dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type'
 deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType)
- {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()})
- deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId
- groupId = $assignmentEntry.Target.AdditionalProperties.groupId
+ { $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() })
+ deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId
+ groupId = $assignmentEntry.Target.AdditionalProperties.groupId
 }
 $assignmentResult += $assignmentValue
 }
@@ -329,7 +208,7 @@ function Set-TargetResource
 [System.String]
 $Identity,
- [Parameter(Mandatory = $true)]
+ [Parameter()]
 [System.String]
 $DisplayName,
@@ -374,14 +253,6 @@ function Set-TargetResource
 [Microsoft.Management.Infrastructure.CimInstance]
 $MacOSRestriction,
- [Parameter()]
- [Microsoft.Management.Infrastructure.CimInstance]
- $PlatformRestriction,
-
- [Parameter()]
- [ValidateSet('android', 'androidForWork', 'ios', 'mac', 'windows')]
- $PlatformType,
-
 [Parameter()]
 [Microsoft.Management.Infrastructure.CimInstance[]]
 $Assignments,
@@ -435,18 +306,13 @@ function Set-TargetResource
 Add-M365DSCTelemetryEvent -Data $data
 #endregion
- if (-not [System.String]::IsNullOrEmpty($PlatformType) -and $null -eq $PlatformRestriction) {
- throw 'If PlatformType is specified, PlatformRestriction is required.'
- }
-
- if ([System.String]::IsNullOrEmpty($PlatformType) -and $null -ne $PlatformRestriction) {
- throw 'PlatformRestriction can only be set on policies with a PlatformType.'
- }
-
 if ($Ensure -eq 'Absent' -and $Identity -like '*_DefaultPlatformRestrictions') { throw 'Cannot delete the default platform restriction policy.' }
+ $currentInstance = Get-TargetResource @PSBoundParameters
+ $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
+ $PSBoundParameters.Remove('Identity') | Out-Null
 $PriorityPresent = $false
 if ($PSBoundParameters.Keys.Contains('Priority'))
 {
@@ -454,21 +320,13 @@ function Set-TargetResource
 $PSBoundParameters.Remove('Priority') | Out-Null
 }
- $currentInstance = Get-TargetResource @PSBoundParameters
- $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
- $BoundParameters.Remove('Identity') | Out-Null
-
 if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
 {
 Write-Verbose -Message "Creating an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}"
- $BoundParameters.Remove('Assignments') | Out-Null
+ $PSBoundParameters.Remove('Assignments') | Out-Null
- $CreateParameters = ([Hashtable]$BoundParameters).Clone()
- $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters
- $CreateParameters.Remove('Id') | Out-Null
-
- if ($BoundParameters.Keys.Contains('WindowsMobileRestriction'))
+ if ($PSBoundParameters.Keys.Contains('WindowsMobileRestriction'))
 {
 if ($WindowsMobileRestriction.platformBlocked -eq $false)
 {
@@ -477,62 +335,68 @@ function Set-TargetResource
 }
 }
- $keys = (([Hashtable]$CreateParameters).Clone()).Keys
+ $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys
 foreach ($key in $keys)
 {
- if ($null -ne $CreateParameters.$key -and $CreateParameters.$key.GetType().Name -like '*cimInstance*')
+ $keyName = $key.substring(0, 1).toLower() + $key.substring(1, $key.length - 1)
+ $keyValue = $PSBoundParameters.$key
+ if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*')
 {
- $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key
+ $keyValue = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.$key
+ if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' )
+ {
+ $keyName = 'platformRestriction'
+ $PSBoundParameters.add('platformType', ($key.replace('Restriction', '')))
+ }
 }
+ $PSBoundParameters.remove($key)
+ $PSBoundParameters.add($keyName, $keyValue)
 }
- # Check if it is a "Default platform restriction"
- if ([System.String]::IsNullOrEmpty($PlatformType))
+ $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration'
+ if ($DeviceEnrollmentConfigurationType -eq 'platformRestrictions' )
 {
- $CreateParameters.Add('@odata.type', '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration')
+ $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
+ $PSBoundParameters.add('deviceEnrollmentConfigurationType ', 'limit')
 }
- else
- {
- $CreateParameters.Add('@odata.type', '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration')
- }
-
- $policy = New-MgBetaDeviceManagementDeviceEnrollmentConfiguration -BodyParameter $CreateParameters
+ $PSBoundParameters.add('@odata.type', $policyType)
- $assignmentsHash = @()
- foreach ($assignment in $Assignments)
- {
- $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment
- }
+ #Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20)
- # Skip for the default platform restriction
+ $policy = New-MgBetaDeviceManagementDeviceEnrollmentConfiguration `
+ -BodyParameter ([hashtable]$PSBoundParameters)
+
+ # Assignments from DefaultPolicy are not editable and will raise an alert
 if ($policy.Id -notlike '*_DefaultPlatformRestrictions')
 {
- if ($null -ne $Assignments -and $Assignments -ne @()) {
+ if ($null -ne $Assignments -and $Assignments -ne @())
+ {
 $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments
 Update-DeviceConfigurationPolicyAssignment `
- -DeviceConfigurationPolicyId $policy.Id `
- -Targets $assignmentsHash `
- -Repository 'deviceManagement/deviceEnrollmentConfigurations' `
- -RootIdentifier 'enrollmentConfigurationAssignments'
+ -DeviceConfigurationPolicyId $policy.Id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/deviceEnrollmentConfigurations' `
+ -RootIdentifier 'enrollmentConfigurationAssignments'
 }
- }
- if ($PriorityPresent -and $Priority -ne $policy.Priority)
- {
- $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $policy.Id
- $Body = @{
- priority = $Priority
+ if ($PriorityPresent -and $Priority -ne $policy.Priority)
+ {
+ $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $policy.Id
+ $Body = @{
+ priority = $Priority
+ }
+ Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body
 }
- Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $($Body | ConvertTo-Json)
 }
 }
 elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
 {
- Write-Verbose -Message "Updating the Intune Device Enrollment Platform Restriction with Id {$($currentInstance.Identity)}"
- $BoundParameters.Remove('Assignments') | Out-Null
+ Write-Verbose -Message "Updating the Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}"
+
+ $PSBoundParameters.Remove('Assignments') | Out-Null
- if ($BoundParameters.Keys.Contains('WindowsMobileRestriction'))
+ if ($PSBoundParameters.Keys.Contains('WindowsMobileRestriction'))
 {
 if ($WindowsMobileRestriction.platformBlocked -eq $false)
 {
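Review bot: `$PSBoundParameters.add('deviceEnrollmentConfigurationType ', 'limit')` in the `platformRestrictions` branch uses a key with a trailing space, so the create body carries a misspelled property next to the `deviceEnrollmentConfigurationType` entry the key loop above already produced from the bound parameter; a body like that is unlikely to be accepted by Graph as intended. Drop the line, or if a different enrollment type is really meant, set it on the existing key: `$PSBoundParameters['deviceEnrollmentConfigurationType'] = 'limit'`. In the same loop, `$PSBoundParameters.add('platformType', …)` and `$PSBoundParameters.add($keyName, $keyValue)` with `$keyName = 'platformRestriction'` throw on a duplicate key as soon as two `*Restriction` parameters are bound together with `singlePlatformRestriction`, so that combination should be rejected with a clear `throw` before the loop rather than surfacing as a hashtable error. The `#Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20)` line here and the same line in the update hunk at `@@ -541,38 +405,38 @@` are commented-out code and should be removed or turned into a real `Write-Verbose`.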
@@ -541,38 +405,38 @@ function Set-TargetResource
 }
 }
- $UpdateParameters = ([Hashtable]$BoundParameters).clone()
- $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters
-
- $UpdateParameters.Remove('Id') | Out-Null
- $UpdateParameters.Remove('Priority') | Out-Null
-
- $keys = (([Hashtable]$UpdateParameters).clone()).Keys
+ $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys
 foreach ($key in $keys)
 {
- if ($null -ne $UpdateParameters.$key -and $UpdateParameters.$key.getType().Name -like '*cimInstance*')
+ $keyName = $key.substring(0, 1).toLower() + $key.substring(1, $key.length - 1)
+ $keyValue = $PSBoundParameters.$key
+ if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*')
 {
- $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key
+ $keyValue = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.$key
+ if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' )
+ {
+ $keyName = 'platformRestriction'
+ }
 }
+ $PSBoundParameters.remove($key)
+ $PSBoundParameters.add($keyName, $keyValue)
 }
- # Check if it is a "Default platform restriction"
- if ($currentInstance.Identity -like "*_DefaultPlatformRestrictions")
+ $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration'
+ if ($DeviceEnrollmentConfigurationType -eq 'platformRestrictions' )
 {
- $UpdateParameters.Add("@odata.type", "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration")
- }
- else
- {
- $UpdateParameters.Add("@odata.type", "#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration")
- $UpdateParameters.Remove("PlatformType")
+ $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
 }
+ $PSBoundParameters.add('@odata.type', $policyType)
+
+ #Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20)
 Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration `
-DeviceEnrollmentConfigurationId $currentInstance.Identity `
- -BodyParameter $UpdateParameters
+ -BodyParameter ([hashtable]$PSBoundParameters)
- # Skip for the default platform restriction
- if ($currentInstance.Identity -notlike "*_DefaultPlatformRestrictions")
+ # Assignments from DefaultPolicy are not editable and will raise an alert
+ if ($currentInstance.Identity -notlike '*_DefaultPlatformRestrictions')
 {
 if ($null -ne $Assignments -and $Assignments -ne @())
 {
@@ -581,7 +445,7 @@ function Set-TargetResource
 Update-DeviceConfigurationPolicyAssignment `
 -DeviceConfigurationPolicyId $currentInstance.Identity `
 -Targets $assignmentsHash `
- -Repository 'deviceManagement/deviceEnrollmentConfigurations' `
+ -Repository 'deviceManagement/deviceEnrollmentConfigurations'
 -RootIdentifier 'enrollmentConfigurationAssignments'
 }
@@ -591,13 +455,13 @@ function Set-TargetResource
 $Body = @{
 priority = $Priority
 }
- Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $($Body | ConvertTo-Json)
+ Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body
 }
 }
 }
 elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
 {
- Write-Verbose -Message "Removing the Intune Device Enrollment Platform Restriction with Name {$DisplayName}"
+ Write-Verbose -Message "Removing the Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}"
 Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $currentInstance.Identity
 }
 }
@@ -612,7 +476,7 @@ function Test-TargetResource
 [System.String]
 $Identity,
- [Parameter(Mandatory = $true)]
+ [Parameter()]
 [System.String]
 $DisplayName,
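Review bot: The `@@ -581,7 +445,7 @@` hunk drops the trailing backtick from `-Repository 'deviceManagement/deviceEnrollmentConfigurations'`, so the unchanged context line `-RootIdentifier 'enrollmentConfigurationAssignments'` is no longer part of the `Update-DeviceConfigurationPolicyAssignment` call in the update path; the call would run without its root identifier and the orphaned line, starting with a parameter token, is very likely a parse error that stops the whole module from loading. Restore the continuation: `-Repository 'deviceManagement/deviceEnrollmentConfigurations' ``. The create-path call in the `@@ -477,62 +335,68 @@` hunk keeps its backticks, so the two otherwise identical calls also diverge in form. The enclosing `if` block begins and ends outside this hunk.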
@@ -657,14 +521,6 @@ function Test-TargetResource
 [Microsoft.Management.Infrastructure.CimInstance]
 $MacOSRestriction,
- [Parameter()]
- [Microsoft.Management.Infrastructure.CimInstance]
- $PlatformRestriction,
-
- [Parameter()]
- [ValidateSet('android', 'androidForWork', 'ios', 'mac', 'windows')]
- $PlatformType,
-
 [Parameter()]
 [Microsoft.Management.Infrastructure.CimInstance[]]
 $Assignments,
@@ -752,11 +608,23 @@ function Test-TargetResource
 $ValuesToCheck.Remove('Identity') | Out-Null
 $ValuesToCheck.Remove('WindowsMobileRestriction') | Out-Null
+ #Convert any DateTime to String
+ foreach ($key in $ValuesToCheck.Keys)
+ {
+ if (($null -ne $CurrentValues[$key]) `
+ -and ($CurrentValues[$key].getType().Name -eq 'DateTime'))
+ {
+ $CurrentValues[$key] = $CurrentValues[$key].toString()
+ }
+ }
+
 Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
 Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
+ #Compare basic parameters
 if ($testResult)
 {
+ Write-Verbose -Message "Comparing the current values with the desired ones"
 $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
 -Source $($MyInvocation.MyCommand.Source) `
 -DesiredValues $PSBoundParameters `
@@ -765,7 +633,7 @@ function Test-TargetResource
 Write-Verbose -Message "Test-TargetResource returned $testResult"
- return $TestResult
+ return $testResult
 }
 function Export-TargetResource
@@ -774,6 +642,10 @@ function Export-TargetResource
 [OutputType([System.String])]
 param
 (
+ [Parameter()]
+ [System.String]
+ $Filter,
+
 [Parameter()]
 [System.Management.Automation.PSCredential]
 $Credential,
@@ -844,10 +716,7 @@ function Export-TargetResource
 CertificateThumbprint = $CertificateThumbprint
 ManagedIdentity = $ManagedIdentity.IsPresent
 }
-
 $Results = Get-TargetResource @Params
- $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
- -Results $Results
 if ($null -ne $Results.Assignments)
 {
@@ -965,19 +834,9 @@ function Export-TargetResource
 }
 }
- if ($null -ne $Results.PlatformRestriction)
- {
- $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ($Results.PlatformRestriction) -CIMInstanceName DeviceEnrollmentPlatformRestriction
- if ($complexTypeStringResult)
- {
- $Results.PlatformRestriction = $complexTypeStringResult
- }
- else
- {
- $Results.Remove('PlatformRestriction') | Out-Null
- }
- }
+ $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+ -Results $Results
 $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
 -ConnectionMode $ConnectionMode `
 -ModulePath $PSScriptRoot `
@@ -986,7 +845,12 @@ function Export-TargetResource
 if ($null -ne $Results.Assignments)
 {
- $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true
+ $isCIMArray = $false
+ if ($Results.Assignments.getType().Fullname -like '*[[\]]')
+ {
+ $isCIMArray = $true
+ }
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$isCIMArray
 }
 if ($null -ne $Results.IosRestriction)
@@ -1029,11 +893,6 @@ function Export-TargetResource
 $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'MacOSRestriction'
 }
- if ($null -ne $Results.PlatformRestriction)
- {
- $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'PlatformRestriction'
- }
-
 $dscContent += $currentDSCBlock
 Save-M365DSCPartialExport -Content $currentDSCBlock `
 -FileName $Global:PartialExportFileName
@@ -1064,4 +923,96 @@ function Export-TargetResource
 }
 }
+function Get-DevicePlatformRestrictionSetting
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param
+ (
+ [Parameter(Mandatory = 'true')]
+ [System.Collections.Hashtable]
+ $Properties
+ )
+
+ $results = @{}
+
+ if ($null -ne $Properties.platformType)
+ {
+ $keyName = ($Properties.platformType).Substring(0, 1).toUpper() + ($Properties.platformType).substring(1, $Properties.platformType.length - 1) + 'Restriction'
+ $keyValue = [Hashtable]::new($Properties.platformRestriction)
+ $hash = @{}
+ foreach ($key in $keyValue.Keys)
+ {
+ if ($null -ne $keyValue.$key)
+ {
+ switch -Wildcard ($keyValue.$key.getType().name)
+ {
+ '*[[\]]'
+ {
+ if ($keyValue.$key.count -gt 0)
+ {
+ $hash.add($key, $keyValue.$key)
+ }
+ }
+ 'String'
+ {
+ if (-Not [String]::IsNullOrEmpty($keyValue.$key))
+ {
+ $hash.add($key, $keyValue.$key)
+ }
+ }
+ Default
+ {
+ $hash.add($key, $keyValue.$key)
+ }
+ }
+ }
+ }
+ $results.add($keyName, $hash)
+ }
+ else
+ {
+ $platformRestrictions = [Hashtable]::new($Properties)
+ $platformRestrictions.remove('@odata.type')
+ $platformRestrictions.remove('@odata.context')
+ foreach ($key in $platformRestrictions.Keys)
+ {
+ $keyName = $key.Substring(0, 1).toUpper() + $key.substring(1, $key.length - 1)
+ $keyValue = [Hashtable]::new($platformRestrictions.$key)
+ $hash = @{}
+ foreach ($key in $keyValue.Keys)
+ {
+ if ($null -ne $keyValue.$key)
+ {
+ switch -Wildcard ($keyValue.$key.getType().name)
+ {
+ '*[[\]]'
+ {
+ if ($keyValue.$key.count -gt 0)
+ {
+ $hash.add($key, $keyValue.$key)
+ }
+ }
+ 'String'
+ {
+ if (-Not [String]::IsNullOrEmpty($keyValue.$key))
+ {
+ $hash.add($key, $keyValue.$key)
+ }
+ }
+ Default
+ {
+ $hash.add($key, $keyValue.$key)
+ }
+ }
+
+ }
+ }
+ $results.add($keyName, $hash)
+ }
+ }
+
+ return $results
+}
+
 Export-ModuleMember -Function *-TargetResource
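Review bot: The null/empty filtering `switch` in `Get-DevicePlatformRestrictionSetting` is duplicated verbatim in both branches, and the inner `foreach ($key in $keyValue.Keys)` of the `else` branch reuses the outer loop variable `$key`; the outer enumerator is unaffected today, but the shadowing is a trap for the next edit and the duplication doubles the surface for a fix. Extract the filtering into a private helper with its own loop variable, as sketched below, and write `[Parameter(Mandatory = $true)]` rather than the string `'true'`. `[Hashtable]::new($Properties.platformRestriction)` throws when `platformRestriction` is absent from the Graph payload, so a null check (or an empty `@{}` result) before the copy would be safer, though whether Graph can omit it is not visible here. A one-line header such as `# Converts the Graph AdditionalProperties of an enrollment restriction policy into the resource's *Restriction hashtables, dropping null/empty settings` would also help readers of the export path.

```powershell
# Copies one Graph restriction object into a hashtable, dropping null, empty-string and empty-array settings.
function Get-NonEmptyRestrictionValue
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Collections.IDictionary]
        $Restriction
    )

    $hash = @{}
    foreach ($settingName in $Restriction.Keys)
    {
        $settingValue = $Restriction[$settingName]
        if ($null -eq $settingValue)
        {
            continue
        }
        switch -Wildcard ($settingValue.GetType().Name)
        {
            '*[[\]]'
            {
                if ($settingValue.Count -gt 0) { $hash.Add($settingName, $settingValue) }
            }
            'String'
            {
                if (-not [String]::IsNullOrEmpty($settingValue)) { $hash.Add($settingName, $settingValue) }
            }
            Default
            {
                $hash.Add($settingName, $settingValue)
            }
        }
    }
    return $hash
}

function Get-DevicePlatformRestrictionSetting
{
    # … unchanged: [CmdletBinding()], [OutputType], param block (with Mandatory = $true) …

    $results = @{}

    if ($null -ne $Properties.platformType)
    {
        $keyName = ($Properties.platformType).Substring(0, 1).ToUpper() + ($Properties.platformType).Substring(1) + 'Restriction'
        $results.Add($keyName, (Get-NonEmptyRestrictionValue -Restriction $Properties.platformRestriction))
    }
    else
    {
        # … unchanged: copy $Properties and remove the '@odata.type' / '@odata.context' keys …
        foreach ($platformKey in $platformRestrictions.Keys)
        {
            $keyName = $platformKey.Substring(0, 1).ToUpper() + $platformKey.Substring(1)
            $results.Add($keyName, (Get-NonEmptyRestrictionValue -Restriction $platformRestrictions.$platformKey))
        }
    }

    return $results
}
```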
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof
index c428c5b53f..dcf1cd7840 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof
@@ -34,8 +34,6 @@ class MSFT_IntuneDeviceEnrollmentPlatformRestriction : OMI_BaseResource [Write, Description("Windows Home Sku restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String WindowsHomeSkuRestriction; [Write, Description("Windows mobile restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String WindowsMobileRestriction; [Write, Description("Windows restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String WindowsRestriction; - [Write, Description("Restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] String PlatformRestriction; - [Write, Description("Type of platform for which this restriction applies. Possible values are: ios, windows, android, androidForWork, mac, linux."), ValueMap{"ios","windows","android","androidForWork","mac","linux"}, Values{"ios","windows","android","androidForWork","mac","linux"}] String PlatformType; [Write, Description("Support for Enrollment Configuration Type"), ValueMap{"platformRestrictions","singlePlatformRestriction"}, Values{"platformRestrictions","singlePlatformRestriction"}] String DeviceEnrollmentConfigurationType; [Write, Description("Priority is used when a user exists in multiple groups that are assigned enrollment configuration. Users are subject only to the configuration with the lowest priority value.")] UInt32 Priority; [Write, Description("Assignments of the policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/readme.md index 709451d016..d0f9ae85e4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/readme.md @@ -4,3 +4,8 @@ ## Description This resource configures the Intune device platform enrollment restrictions. + +**Be aware**: To deploy a Android platform restriction policy, two individual configurations must exist: + +* The first one contains the key for `AndroidRestriction` +* The second one contains the key for `AndroidForWorkRestriction` diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 index 8003fc482a..5727bbb579 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceEnrollmentPlatformRestriction/3-Remove.ps1 @@ -22,13 +22,10 @@ Configuration Example Description = "This is a single platform restriction policy."; DeviceEnrollmentConfigurationType = "singlePlatformRestriction"; Identity = "d59e4c28-b6b2-48ad-a6f0-a2132300b99d_SinglePlatformRestriction"; - PlatformRestriction = MSFT_DeviceEnrollmentPlatformRestriction{ - PlatformBlocked = $True - BlockedSkus = @() - BlockedManufacturers = @() + IosRestriction = MSFT_DeviceEnrollmentPlatformRestriction{ + PlatformBlocked = $True PersonalDeviceEnrollmentBlocked = $False }; - PlatformType = "android"; Priority = 1; TenantId = $OrganizationName; } 
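Review bot: The removal example now pins `PlatformBlocked = $True` and `PersonalDeviceEnrollmentBlocked = $False` on the policy it deletes, yet for what is presumably an Ensure = 'Absent' block (outside the hunk) those values should never be applied; as far as the Get-TargetResource change suggests, the presence of the `IosRestriction` key is what selects the platform when the Identity does not resolve, which is not obvious to a reader, especially since the previous revision targeted android. A one-line comment above the key, `# The restriction key selects the platform (ios) to remove; its values are not applied for Ensure = 'Absent'`, would make the example self-explanatory. Please also confirm the intent to change the removed platform from android to ios rather than documenting the two-configuration Android case the readme now describes.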
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 index ccc153c4da..0c69c176de 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceEnrollmentPlatformRestriction.Tests.ps1 @@ -69,8 +69,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential Priority = 1 - PlatformType = 'ios' - PlatformRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) @@ -123,8 +122,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential Priority = 1 - PlatformType = 'ios' - PlatformRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) @@ -164,8 +162,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential Priority = 1 - PlatformType = 'ios' - PlatformRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly) 
@@ -205,8 +202,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceEnrollmentConfigurationType = 'singlePlatformRestriction' Credential = $Credential Priority = 1 - PlatformType = 'ios' - PlatformRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ + IosRestriction = (New-CimInstance -ClassName MSFT_DeviceEnrollmentPlatformRestriction -Property @{ platformBlocked = $False personalDeviceEnrollmentBlocked = $False } -ClientOnly)