
Commit 7c8b737

committed
feat: New MDM User Scope standard
1 parent d078e22 commit 7c8b737


2 files changed

+107
-0
lines changed


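--- a/Modules/CIPPCore/Public/SAMManifest.json
+++ b/Modules/CIPPCore/Public/SAMManifest.json
@@ -554,6 +554,10 @@
 {
 "id": "b7887744-6746-4312-813d-72daeaee7e2d",
 "type": "Scope"
+},
+{
+"id": "a8ead177-1889-4546-9387-f25e658e2a79",
+"type": "Scope"
 }
 ]
 },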
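Review bot: The new entry at lines 559–560 adds scope id `a8ead177-1889-4546-9387-f25e658e2a79` to the SAM manifest, but nothing in the change says which Graph permission that GUID is, and the JSON carries no comment field to record it. Each "Scope" entry here presumably widens the delegated consent the application requests, so the commit description should name the permission and state that the new MDM scope standard is what needs it; that gives later least-privilege reviews of the manifest something to check each GUID against.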
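--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,103 @@
+function Invoke-CIPPStandardMDMScope {
+<#
+.FUNCTIONALITY
+Internal
+.COMPONENT
+(APIName) MDMScope
+#>
+
+param($Tenant, $Settings)
+
+$CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000?$expand=includedGroups' -tenantid $Tenant
+
+$StateIsCorrect = ($CurrentInfo.termsOfUseUrl -eq 'https://portal.manage.microsoft.com/TermsofUse.aspx') -and
+($CurrentInfo.discoveryUrl -eq 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc') -and
+($CurrentInfo.complianceUrl -eq 'https://portal.manage.microsoft.com/?portalAction=Compliance') -and
+($CurrentInfo.appliesTo -eq $Settings.appliesTo) -and
+($Settings.appliesTo -ne 'selected' -or ($CurrentInfo.includedGroups.displayName -contains $Settings.customGroup))
+
+If ($Settings.remediate -eq $true) {
+if ($StateIsCorrect -eq $true) {
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'MDM Scope already correctly configured' -sev Info
+} else {
+$GraphParam = @{
+tenantid = $tenant
+Uri = 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000'
+ContentType = 'application/json; charset=utf-8'
+asApp = $false
+type = 'PATCH'
+AddedHeaders = @{'Accept-Language' = 0 }
+Body = @{
+'termsOfUseUrl' = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
+'discoveryUrl' = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
+'complianceUrl' = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
+} | ConvertTo-Json
+}
+
+try {
+New-GraphPostRequest @GraphParam
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'Successfully configured MDM Scope' -sev Info
+} catch {
+$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to configure MDM Scope." -sev Error -LogData $ErrorMessage
+}
+
+# Workaround for MDM Scope Assignment error: "Could not set MDM Scope for [TENANT]: Simultaneous patch requests on both the appliesTo and URL properties are currently not supported."
+if ($Settings.appliesTo -ne 'selected') {
+$GraphParam = @{
+tenantid = $tenant
+Uri = 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000'
+ContentType = 'application/json; charset=utf-8'
+asApp = $false
+type = 'PATCH'
+AddedHeaders = @{'Accept-Language' = 0 }
+Body = @{
+'appliesTo' = $Settings.appliesTo
+} | ConvertTo-Json
+}
+
+try {
+New-GraphPostRequest @GraphParam
+Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully assigned $($Settings.appliesTo) to MDM Scope" -sev Info
+} catch {
+$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to assign $($Settings.appliesTo) to MDM Scope." -sev Error -LogData $ErrorMessage
+}
+} else {
+$GroupID = (New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/groups?`$top=999&`$select=id,displayName&`$filter=displayName eq '$($Settings.customGroup)'" -tenantid $tenant -asApp $true).id
+$GraphParam = @{
+tenantid = $tenant
+Uri = 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000/includedGroups/$ref'
+ContentType = 'application/json; charset=utf-8'
+asApp = $false
+type = 'POST'
+AddedHeaders = @{'Accept-Language' = 0 }
+Body = @{
+'@odata.id' = "https://graph.microsoft.com/odata/groups('$GroupID')"
+} | ConvertTo-Json
+}
+
+try {
+New-GraphPostRequest @GraphParam
+Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully assigned $($Settings.customGroup) to MDM Scope" -sev Info
+} catch {
+$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to assign $($Settings.customGroup) to MDM Scope" -sev Error -LogData $ErrorMessage
+}
+}
+}
+}
+
+if ($Settings.alert -eq $true -eq $true) {
+if ($StateIsCorrect) {
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'MDM Scope is correctly configured' -sev Info
+} else {
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'MDM Scope is not correctly configured' -sev Alert
+}
+}
+
+if ($Settings.report -eq $true) {
+Add-CIPPBPAField -FieldName 'MDMScope' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+}
+
+}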
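Review bot: Line 67 interpolates `$Settings.customGroup` into the OData `$filter` string literal without escaping, so a display name containing a single quote breaks the query, and the `.id` taken from the result is never validated — `displayName` is not unique in Entra, so `$GroupID` may be empty or an array, and whatever it holds lands verbatim in the `@odata.id` reference on line 76. Double any single quotes before building the URI, `$GroupName = $Settings.customGroup -replace "'", "''"`, use `$GroupName` in the filter, and guard the lookup with `if (-not $GroupID -or @($GroupID).Count -ne 1) { Write-LogMessage -API 'Standards' -tenant $tenant -message "Group '$($Settings.customGroup)' not found or ambiguous" -sev Error; return }` before the POST is assembled. Separately, line 91 reads `if ($Settings.alert -eq $true -eq $true)`; the second `-eq $true` is redundant and should be dropped. Line 11 uses `$Tenant` while the rest of the body uses `$tenant`; PowerShell is case-insensitive so it works, but one spelling would read better.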
