Skip to content

Fixed App Protection policy assignment and group exclusions from Standards run #1323

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Feb 27, 2025
Merged

Fixed App Protection policy assignment and group exclusions from Standards run #1323

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
cc9fc3d
Fixed App Protection policy assignment and group exclusions from Stan…
markheydon Feb 27, 2025
16b314c
Slightly mangled comment block.
markheydon Feb 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-AddPolicy.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ Function Invoke-AddPolicy {
$displayname = $Request.Body.displayName
$description = $Request.Body.Description
$AssignTo = if ($Request.Body.AssignTo -ne 'on') { $Request.Body.AssignTo }
$ExcludeGroup = $Request.Body.excludeGroup
$Request.body.customGroup ? ($AssignTo = $Request.body.customGroup) : $null
$RawJSON = $Request.Body.RAWJson

Expand All @@ -27,7 +28,7 @@ Function Invoke-AddPolicy {
}
try {
Write-Host 'Calling Adding policy'
Set-CIPPIntunePolicy -TemplateType $Request.body.TemplateType -Description $description -DisplayName $displayname -RawJSON $RawJSON -AssignTo $AssignTo -tenantFilter $Tenant -Headers $Request.Headers
Set-CIPPIntunePolicy -TemplateType $Request.body.TemplateType -Description $description -DisplayName $displayname -RawJSON $RawJSON -AssignTo $AssignTo -ExcludeGroup $ExcludeGroup -tenantFilter $Tenant -Headers $Request.Headers
Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $($Tenant) -message "Added policy $($Displayname)" -Sev 'Info'
} catch {
"$($_.Exception.Message)"
Expand Down
24 changes: 14 additions & 10 deletions Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,17 +2,16 @@ function Set-CIPPAssignedPolicy {
[CmdletBinding(SupportsShouldProcess = $true)]
param(
$GroupName,
$excludeGroup,
$ExcludeGroup,
$PolicyId,
$Type,
$TenantFilter,
$PlatformType,
$PlatformType = 'deviceManagement',
$APIName = 'Assign Policy',
$Headers
)
if (!$PlatformType) {
$PlatformType = 'deviceManagement'
}

Write-Host "Assigning policy $PolicyId ($PlatformType/$Type) to $GroupName"

try {
$assignmentsList = New-Object System.Collections.Generic.List[System.Object]
Expand Down Expand Up @@ -74,8 +73,9 @@ function Set-CIPPAssignedPolicy {
}
}
}
if ($excludeGroup) {
$ExcludeGroupNames = $excludeGroup.Split(',')
if ($ExcludeGroup) {
Write-Host "We're supposed to exclude a custom group. The group is $ExcludeGroup"
$ExcludeGroupNames = $ExcludeGroup.Split(',')
$ExcludeGroupIds = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName&$top=999' -tenantid $TenantFilter |
ForEach-Object {
foreach ($SingleName in $ExcludeGroupNames) {
Expand Down Expand Up @@ -104,9 +104,13 @@ function Set-CIPPAssignedPolicy {
$AssignJSON = $assignmentsObject | ConvertTo-Json -Depth 10 -Compress
Write-Host "AssignJSON: $AssignJSON"
if ($PSCmdlet.ShouldProcess($GroupName, "Assigning policy $PolicyId")) {
Write-Host "https://graph.microsoft.com/beta/$($PlatformType)/$Type('$($PolicyId)')/assign"
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$($PlatformType)/$Type('$($PolicyId)')/assign" -tenantid $TenantFilter -type POST -body $AssignJSON
Write-LogMessage -headers $Headers -API $APIName -message "Assigned $GroupName and excluded $excludeGroup to Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter
$uri = "https://graph.microsoft.com/beta/$($PlatformType)/$Type('$($PolicyId)')/assign"
$null = New-GraphPOSTRequest -uri $uri -tenantid $TenantFilter -type POST -body $AssignJSON
if ($ExcludeGroup) {
Write-LogMessage -headers $Headers -API $APIName -message "Assigned group '$GroupName' and excluded group '$ExcludeGroup' on Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter
} else {
Write-LogMessage -headers $Headers -API $APIName -message "Assigned group '$GroupName' on Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter
}
}

} catch {
Expand Down
52 changes: 29 additions & 23 deletions Modules/CIPPCore/Public/Set-CIPPIntunePolicy.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,126 +6,132 @@ function Set-CIPPIntunePolicy {
$DisplayName,
$RawJSON,
$AssignTo,
$excludeGroup,
$ExcludeGroup,
$Headers,
$APINAME,
$tenantFilter
)
try {
switch ($TemplateType) {
'AppProtection' {
$PlatformType = 'deviceAppManagement'
$TemplateType = ($RawJSON | ConvertFrom-Json).'@odata.type' -replace '#microsoft.graph.', ''
$PolicyFile = $RawJSON | ConvertFrom-Json
$Null = $PolicyFile | Add-Member -MemberType NoteProperty -Name 'description' -Value $description -Force
$null = $PolicyFile | Add-Member -MemberType NoteProperty -Name 'displayName' -Value $displayname -Force
$RawJSON = ConvertTo-Json -InputObject $PolicyFile -Depth 20
$TemplateTypeURL = if ($TemplateType -eq 'windowsInformationProtectionPolicy') { 'windowsInformationProtectionPolicies' } else { "$($TemplateType)s" }
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/$TemplateTypeURL" -tenantid $tenantFilter
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
if ($displayname -in $CheckExististing.displayName) {
$PostType = 'edited'
$ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $displayname
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PATCH -body $RawJSON
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PATCH -body $RawJSON
$CreateRequest = $CheckExististing | Where-Object -Property displayName -EQ $DisplayName
} else {
$PostType = 'added'
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
}
}
'deviceCompliancePolicies' {
$PlatformType = 'deviceManagement'
$TemplateTypeURL = 'deviceCompliancePolicies'
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
$JSON = $RawJSON | ConvertFrom-Json | Select-Object * -ExcludeProperty id, createdDateTime, lastModifiedDateTime, version, '[email protected]', '@odata.context'
$JSON.scheduledActionsForRule = @($JSON.scheduledActionsForRule | Select-Object * -ExcludeProperty '[email protected]')
if ($displayname -in $CheckExististing.displayName) {
$RawJSON = ConvertTo-Json -InputObject ($JSON | Select-Object * -ExcludeProperty 'scheduledActionsForRule') -Depth 20 -Compress
$PostType = 'edited'
$ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $displayname
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PATCH -body $RawJSON
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PATCH -body $RawJSON
Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Updated policy $($DisplayName) to template defaults" -Sev 'info'
$CreateRequest = $CheckExististing | Where-Object -Property displayName -EQ $DisplayName
} else {
$RawJSON = ConvertTo-Json -InputObject $JSON -Depth 20 -Compress
$PostType = 'added'
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Added policy $($DisplayName) via template" -Sev 'info'
}
}
'Admin' {
$PlatformType = 'deviceManagement'
$TemplateTypeURL = 'groupPolicyConfigurations'
$CreateBody = '{"description":"' + $description + '","displayName":"' + $displayname + '","roleScopeTagIds":["0"]}'
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
if ($displayname -in $CheckExististing.displayName) {
$ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $displayname
$ExistingData = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($ExistingID.id)')/definitionValues" -tenantid $tenantFilter
$ExistingData = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($ExistingID.id)')/definitionValues" -tenantid $tenantFilter
$DeleteJson = $RawJSON | ConvertFrom-Json -Depth 10
$DeleteJson.deletedIds = @($ExistingData.id)
$DeleteJson.added = @()
$DeleteJson = ConvertTo-Json -Depth 10 -InputObject $DeleteJson
$DeleteRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($ExistingID.id)')/updateDefinitionValues" -tenantid $tenantFilter -type POST -body $DeleteJson
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($ExistingID.id)')/updateDefinitionValues" -tenantid $tenantFilter -type POST -body $RawJSON
$DeleteRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($ExistingID.id)')/updateDefinitionValues" -tenantid $tenantFilter -type POST -body $DeleteJson
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($ExistingID.id)')/updateDefinitionValues" -tenantid $tenantFilter -type POST -body $RawJSON
$CreateRequest = $CheckExististing | Where-Object -Property displayName -EQ $DisplayName
Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Updated policy $($Displayname) to template defaults" -Sev 'info'
$PostType = 'edited'
} else {
$PostType = 'added'
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $CreateBody
$UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/updateDefinitionValues" -tenantid $tenantFilter -type POST -body $RawJSON
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $CreateBody
$UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($CreateRequest.id)')/updateDefinitionValues" -tenantid $tenantFilter -type POST -body $RawJSON
Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Added policy $($Displayname) to template defaults" -Sev 'info'

}
}
'Device' {
$PlatformType = 'deviceManagement'
$TemplateTypeURL = 'deviceConfigurations'
$PolicyFile = $RawJSON | ConvertFrom-Json
$Null = $PolicyFile | Add-Member -MemberType NoteProperty -Name 'description' -Value "$description" -Force
$null = $PolicyFile | Add-Member -MemberType NoteProperty -Name 'displayName' -Value $displayname -Force
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
$ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $DisplayName | Select-Object -Last 1
$PolicyFile = $policyFile | Select-Object * -ExcludeProperty 'featureUpdatesWillBeRolledBack', 'qualityUpdatesWillBeRolledBack', 'qualityUpdatesPauseStartDate', 'featureUpdatesPauseStartDate'
$RawJSON = ConvertTo-Json -InputObject $PolicyFile -Depth 100 -Compress
if ($ExistingID) {
$PostType = 'edited'
Write-Host "Raw JSON is $RawJSON"
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PATCH -body $RawJSON
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PATCH -body $RawJSON
$CreateRequest = $CheckExististing | Where-Object -Property displayName -EQ $DisplayName
Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Updated policy $($DisplayName) to template defaults" -Sev 'info'
} else {
$PostType = 'added'
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Added policy $($DisplayName) via template" -Sev 'info'

}
}
'Catalog' {
$PlatformType = 'deviceManagement'
$TemplateTypeURL = 'configurationPolicies'
$DisplayName = ($RawJSON | ConvertFrom-Json).Name
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
if ($DisplayName -in $CheckExististing.name) {
$ExistingID = $CheckExististing | Where-Object -Property Name -EQ $DisplayName
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PUT -body $RawJSON
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PUT -body $RawJSON
$CreateRequest = $CheckExististing | Where-Object -Property Name -EQ $DisplayName
$PostType = 'edited'
} else {
$PostType = 'added'
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Added policy $($DisplayName) via template" -Sev 'info'
}
}
'windowsDriverUpdateProfiles' {
$PlatformType = 'deviceManagement'
$TemplateTypeURL = 'windowsDriverUpdateProfiles'
$File = ($RawJSON | ConvertFrom-Json)
$DisplayName = $File.displayName ?? $File.Name
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
if ($DisplayName -in $CheckExististing.displayName) {
$PostType = 'edited'
$ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $displayname
Write-Host 'We are editing'
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PUT -body $RawJSON
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenantFilter -type PUT -body $RawJSON
$CreateRequest = $CheckExististing | Where-Object -Property displayName -EQ $DisplayName

} else {
$PostType = 'added'
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter -type POST -body $RawJSON
Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenantFilter) -message "Added policy $($DisplayName) via template" -Sev 'info'
}
}
Expand All @@ -136,7 +142,7 @@ function Set-CIPPIntunePolicy {
Write-Host "Assigning policy to $($AssignTo) with ID $($CreateRequest.id) and type $TemplateTypeURL for tenant $tenantFilter"
Write-Host "ID is $($CreateRequest.id)"

Set-CIPPAssignedPolicy -GroupName $AssignTo -PolicyId $CreateRequest.id -Type $TemplateTypeURL -TenantFilter $tenantFilter -excludeGroup $excludeGroup
Set-CIPPAssignedPolicy -GroupName $AssignTo -PolicyId $CreateRequest.id -PlatformType $PlatformType -Type $TemplateTypeURL -TenantFilter $tenantFilter -ExcludeGroup $ExcludeGroup
}
return "Successfully $($PostType) policy for $($tenantFilter) with display name $($Displayname)"
} catch {
Expand Down
Loading