DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1
function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory = $true)] [System.String] $DisplayName, [Parameter()] [System.String] $Description, [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, [Parameter()] [System.String] $PeriodOnlineBeforeAccessCheck, [Parameter()] [System.String] $AllowedInboundDataTransferSources, [Parameter()] [System.String] $AllowedOutboundDataTransferDestinations, [Parameter()] [System.Boolean] $OrganizationalCredentialsRequired, [Parameter()] [System.String] $AllowedOutboundClipboardSharingLevel, [Parameter()] [System.Boolean] $DataBackupBlocked, [Parameter()] [System.Boolean] $DeviceComplianceRequired, [Parameter()] [System.Boolean] $ManagedBrowserToOpenLinksRequired, [Parameter()] [System.Boolean] $SaveAsBlocked, [Parameter()] [System.String] $PeriodOfflineBeforeWipeIsEnforced, [Parameter()] [System.Boolean] $PinRequired, [Parameter()] [System.UInt32] $MaximumPinRetries, [Parameter()] [System.Boolean] $SimplePinBlocked, [Parameter()] [System.UInt32] $MinimumPinLength, [Parameter()] [System.String] $PinCharacterSet, [Parameter()] [System.String[]] $AllowedDataStorageLocations, [Parameter()] [System.Boolean] $ContactSyncBlocked, [Parameter()] [System.Boolean] $PrintBlocked, [Parameter()] [System.Boolean] $FingerprintBlocked, [Parameter()] [System.String] $AppDataEncryptionType, [Parameter()] [System.String[]] $Apps, [Parameter()] [System.String[]] $Assignments, [Parameter()] [System.String[]] $ExcludedGroups, [Parameter(Mandatory = $true)] [System.String] [ValidateSet('Absent', 'Present')] $Ensure, [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $GlobalAdminAccount ) Write-Verbose -Message "Checking for the Intune iOS App Protection Policy {$DisplayName}" $ConnectionMode = New-M365DSCConnection -Platform 'Intune' ` -InboundParameters $PSBoundParameters #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace("MSFT_", "") $data = [System.Collections.Generic.Dictionary[[String], [String]]]::new() $data.Add("Resource", $ResourceName) $data.Add("Method", $MyInvocation.MyCommand) $data.Add("Principal", $GlobalAdminAccount.UserName) $data.Add("TenantId", $TenantId) $data.Add("ConnectionMode", $ConnectionMode) Add-M365DSCTelemetryEvent -Data $data #endregion $nullResult = $PSBoundParameters $nullResult.Ensure = 'Absent' try { $policyInfo = Get-IntuneAppProtectionPolicy -Filter "displayName eq '$DisplayName'" ` -ErrorAction Stop | Where-Object -FilterScript { $_.'@odata.type' -eq '#microsoft.graph.iosManagedAppProtection' } if ($null -eq $policyInfo) { Write-Verbose -Message "No iOS App Protection Policy {$DisplayName} was found" return $nullResult } $policy = Get-M365DSCintuneAppProtectionPolicyiOS -PolicyId $policyInfo.Id Write-Verbose -Message "Found iOS App Protection Policy {$DisplayName}" $appsArray = @() if ($null -ne $policy.Apps) { foreach ($app in $policy.Apps) { $appsArray += $app.mobileAppIdentifier.bundleId } } $assignmentsArray = @() if ($null -ne $policy.Assignments) { $allAssignments = $policy.Assignments.target | Where-Object -FilterScript { $_.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' } foreach ($assignment in $allAssignments) { $assignmentsArray += $assignment.groupId } } $exclusionArray = @() if ($null -ne $policy.Assignments) { $allExclusions = $policy.Assignments.target | Where-Object -FilterScript { $_.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' } foreach ($exclusion in $allExclusions) { $exclusionArray += $exclusion.groupId } } return @{ DisplayName = $policy.DisplayName Description = $policy.Description PeriodOfflineBeforeAccessCheck = $policy.PeriodOfflineBeforeAccessCheck PeriodOnlineBeforeAccessCheck = $policy.PeriodOnlineBeforeAccessCheck AllowedInboundDataTransferSources = $policy.AllowedInboundDataTransferSources AllowedOutboundDataTransferDestinations = $policy.AllowedOutboundDataTransferDestinations OrganizationalCredentialsRequired = $policy.OrganizationalCredentialsRequired AllowedOutboundClipboardSharingLevel = $policy.AllowedOutboundClipboardSharingLevel DataBackupBlocked = $policy.DataBackupBlocked DeviceComplianceRequired = $policy.DeviceComplianceRequired ManagedBrowserToOpenLinksRequired = $policy.ManagedBrowserToOpenLinksRequired SaveAsBlocked = $policy.SaveAsBlocked PeriodOfflineBeforeWipeIsEnforced = $policy.PeriodOfflineBeforeWipeIsEnforced PinRequired = $policy.PinRequired MaximumPinRetries = $policy.MaximumPinRetries SimplePinBlocked = $policy.SimplePinBlocked MinimumPinLength = $policy.MinimumPinLength PinCharacterSet = $policy.PinCharacterSet AllowedDataStorageLocations = $policy.AllowedDataStorageLocations ContactSyncBlocked = $policy.ContactSyncBlocked PrintBlocked = $policy.PrintBlocked FingerprintBlocked = $policy.FingerprintBlocked AppDataEncryptionType = $policy.AppDataEncryptionType Assignments = $assignmentsArray ExcludedGroups = $exclusionArray Apps = $appsArray Ensure = "Present" GlobalAdminAccount = $GlobalAdminAccount } } catch { try { Write-Verbose -Message $_ $tenantIdValue = $GlobalAdminAccount.UserName.Split('@')[1] Add-M365DSCEvent -Message $_ -EntryType 'Error' ` -EventID 1 -Source $($MyInvocation.MyCommand.Source) ` -TenantId $tenantIdValue } catch { Write-Verbose -Message $_ } return $nullResult } } function Set-TargetResource { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [System.String] $DisplayName, [Parameter()] [System.String] $Description, [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, [Parameter()] [System.String] $PeriodOnlineBeforeAccessCheck, [Parameter()] [System.String] $AllowedInboundDataTransferSources, [Parameter()] [System.String] $AllowedOutboundDataTransferDestinations, [Parameter()] [System.Boolean] $OrganizationalCredentialsRequired, [Parameter()] [System.String] $AllowedOutboundClipboardSharingLevel, [Parameter()] [System.Boolean] $DataBackupBlocked, [Parameter()] [System.Boolean] $DeviceComplianceRequired, [Parameter()] [System.Boolean] $ManagedBrowserToOpenLinksRequired, [Parameter()] [System.Boolean] $SaveAsBlocked, [Parameter()] [System.String] $PeriodOfflineBeforeWipeIsEnforced, [Parameter()] [System.Boolean] $PinRequired, [Parameter()] [System.UInt32] $MaximumPinRetries, [Parameter()] [System.Boolean] $SimplePinBlocked, [Parameter()] [System.UInt32] $MinimumPinLength, [Parameter()] [System.String] $PinCharacterSet, [Parameter()] [System.String[]] $AllowedDataStorageLocations, [Parameter()] [System.Boolean] $ContactSyncBlocked, [Parameter()] [System.Boolean] $PrintBlocked, [Parameter()] [System.Boolean] $FingerprintBlocked, [Parameter()] [System.String] $AppDataEncryptionType, [Parameter()] [System.String[]] $Apps, [Parameter()] [System.String[]] $Assignments, [Parameter()] [System.String[]] $ExcludedGroups, [Parameter(Mandatory = $true)] [System.String] [ValidateSet('Absent', 'Present')] $Ensure, [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $GlobalAdminAccount ) $ConnectionMode = New-M365DSCConnection -Platform 'Intune' ` -InboundParameters $PSBoundParameters #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace("MSFT_", "") $data = [System.Collections.Generic.Dictionary[[String], [String]]]::new() $data.Add("Resource", $ResourceName) $data.Add("Method", $MyInvocation.MyCommand) $data.Add("Principal", $GlobalAdminAccount.UserName) $data.Add("TenantId", $TenantId) $data.Add("ConnectionMode", $ConnectionMode) Add-M365DSCTelemetryEvent -Data $data #endregion $currentPolicy = Get-TargetResource @PSBoundParameters $setParams = $PSBoundParameters $setParams.Remove("Ensure") | Out-Null $setParams.Remove("GlobalAdminAccount") | Out-Null if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Absent') { Write-Verbose -Message "Creating new iOS App Protection Policy {$DisplayName}" $JsonContent = Get-M365DSCIntuneAppProtectionPolicyiOSJSON -Parameters $PSBoundParameters Write-Verbose -Message "JSON: $JsonContent" New-M365DSCIntuneAppProtectionPolicyiOS -JSONContent $JsonContent $policyInfo = Get-IntuneAppProtectionPolicy -Filter "displayName eq '$DisplayName'" ` -ErrorAction Stop | Where-Object -FilterScript { $_.'@odata.type' -eq '#microsoft.graph.iosManagedAppProtection' } $assignmentJSON = Get-M365DSCIntuneAppProtectionPolicyiOSAssignmentJson -Assignments $Assignments ` -Exclusions $ExcludedGroups Set-M365DSCIntuneAppProtectionPolicyiOSAssignment -JsonContent $assignmentJSON ` -PolicyId $policyInfo.Id } elseif ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present') { Write-Verbose -Message "Updating existing iOS App Protection Policy {$DisplayName}" $policyInfo = Get-IntuneAppProtectionPolicy -Filter "displayName eq '$DisplayName'" ` -ErrorAction Stop | Where-Object -FilterScript { $_.'@odata.type' -eq '#microsoft.graph.iosManagedAppProtection' } $JsonContent = Get-M365DSCIntuneAppProtectionPolicyiOSJSON -Parameters $PSBoundParameters ` -IncludeApps $false Set-M365DSCIntuneAppProtectionPolicyiOS -JSONContent $JsonContent ` -PolicyId ($policyInfo.id) $appJSON = Get-M365DSCIntuneAppProtectionPolicyiOSAppsJSON -Parameters $PSBoundParameters Set-M365DSCIntuneAppProtectionPolicyiOSApps -JSONContent $appJSON ` -PolicyId $policyInfo.Id } elseif ($Ensure -eq 'Absent' -and $currentPolicy.Ensure -eq 'Present') { Write-Verbose -Message "Removing iOS App Protection Policy {$DisplayName}" $policyInfo = Get-IntuneAppProtectionPolicy -Filter "displayName eq '$DisplayName'" ` -ErrorAction Stop | Where-Object -FilterScript { $_.'@odata.type' -eq '#microsoft.graph.iosManagedAppProtection' } Remove-IntuneAppProtectionPolicy -managedAppPolicyId $policyInfo.id } } function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter(Mandatory = $true)] [System.String] $DisplayName, [Parameter()] [System.String] $Description, [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, [Parameter()] [System.String] $PeriodOnlineBeforeAccessCheck, [Parameter()] [System.String] $AllowedInboundDataTransferSources, [Parameter()] [System.String] $AllowedOutboundDataTransferDestinations, [Parameter()] [System.Boolean] $OrganizationalCredentialsRequired, [Parameter()] [System.String] $AllowedOutboundClipboardSharingLevel, [Parameter()] [System.Boolean] $DataBackupBlocked, [Parameter()] [System.Boolean] $DeviceComplianceRequired, [Parameter()] [System.Boolean] $ManagedBrowserToOpenLinksRequired, [Parameter()] [System.Boolean] $SaveAsBlocked, [Parameter()] [System.String] $PeriodOfflineBeforeWipeIsEnforced, [Parameter()] [System.Boolean] $PinRequired, [Parameter()] [System.UInt32] $MaximumPinRetries, [Parameter()] [System.Boolean] $SimplePinBlocked, [Parameter()] [System.UInt32] $MinimumPinLength, [Parameter()] [System.String] $PinCharacterSet, [Parameter()] [System.String[]] $AllowedDataStorageLocations, [Parameter()] [System.Boolean] $ContactSyncBlocked, [Parameter()] [System.Boolean] $PrintBlocked, [Parameter()] [System.Boolean] $FingerprintBlocked, [Parameter()] [System.String] $AppDataEncryptionType, [Parameter()] [System.String[]] $Apps, [Parameter()] [System.String[]] $Assignments, [Parameter()] [System.String[]] $ExcludedGroups, [Parameter(Mandatory = $true)] [System.String] [ValidateSet('Absent', 'Present')] $Ensure, [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $GlobalAdminAccount ) #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace("MSFT_", "") $data = [System.Collections.Generic.Dictionary[[String], [String]]]::new() $data.Add("Resource", $ResourceName) $data.Add("Method", $MyInvocation.MyCommand) $data.Add("Principal", $GlobalAdminAccount.UserName) $data.Add("TenantId", $TenantId) Add-M365DSCTelemetryEvent -Data $data #endregion Write-Verbose -Message "Testing configuration of iOS App Protection Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" $ValuesToCheck = $PSBoundParameters $ValuesToCheck.Remove('GlobalAdminAccount') | Out-Null $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult } function Export-TargetResource { [CmdletBinding()] [OutputType([System.String])] param ( [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $GlobalAdminAccount ) $ConnectionMode = New-M365DSCConnection -Platform 'Intune' ` -InboundParameters $PSBoundParameters #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace("MSFT_", "") $data = [System.Collections.Generic.Dictionary[[String], [String]]]::new() $data.Add("Resource", $ResourceName) $data.Add("Method", $MyInvocation.MyCommand) $data.Add("Principal", $GlobalAdminAccount.UserName) $data.Add("TenantId", $TenantId) $data.Add("ConnectionMode", $ConnectionMode) Add-M365DSCTelemetryEvent -Data $data #endregion try { [array]$policies = Get-IntuneAppProtectionPolicy -ErrorAction Stop | Where-Object -FilterScript { $_.'@odata.type' -eq '#microsoft.graph.iosManagedAppProtection' } $i = 1 $dscContent = '' Write-Host "`r`n" -NoNewline foreach ($policy in $policies) { Write-Host " |---[$i/$($policies.Count)] $($policy.displayName)" -NoNewline $params = @{ DisplayName = $policy.displayName Ensure = 'Present' GlobalAdminAccount = $GlobalAdminAccount } $Results = Get-TargetResource @Params $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` -Results $Results ` -GlobalAdminAccount $GlobalAdminAccount $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName $i++ Write-Host $Global:M365DSCEmojiGreenCheckMark } return $dscContent } catch { if ($_.Exception -like '*401*') { Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) The current tenant is not registered for Intune." } try { Write-Verbose -Message $_ $tenantIdValue = $GlobalAdminAccount.UserName.Split('@')[1] Add-M365DSCEvent -Message $_ -EntryType 'Error' ` -EventID 1 -Source $($MyInvocation.MyCommand.Source) ` -TenantId $tenantIdValue } catch { Write-Verbose -Message $_ } return "" } } function Get-M365DSCIntuneAppProtectionPolicyiOS { [CmdletBinding()] [OutputType([PSCustomObject])] param( [Parameter(Mandatory = $true)] [System.String] $PolicyId ) try { $Url = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections('$PolicyId')/`?expand=apps,assignments" $response = Invoke-MSGraphRequest -HttpMethod Get ` -Url $Url return $response } catch { Write-Verbose -Message $_ $tenantIdValue = $GlobalAdminAccount.UserName.Split('@')[1] Add-M365DSCEvent -Message $_ -EntryType 'Error' ` -EventID 1 -Source $($MyInvocation.MyCommand.Source) ` -TenantId $tenantIdValue } return $null } function Get-M365DSCIntuneAppProtectionPolicyiOSJSON { [CmdletBinding()] [OutputType([System.String])] param( [Parameter(Mandatory = $true)] [System.Collections.Hashtable] $Parameters, [Parameter()] [System.Boolean] $IncludeApps = $true ) #region AllowedDataStorageLocations $allowedDataStorageLocations = "[" $foundOne = $false foreach ($allowedLocation in $Parameters.AllowedDataStorageLocations) { $foundOne = $true $allowedDataStorageLocations += "`r`n`"$allowedLocation`"," } if ($foundOne) { $allowedDataStorageLocations = $allowedDataStorageLocations.TrimEnd(',') + " `r`n" } $allowedDataStorageLocations += "]," #endregion #region Apps $appsValue = "[" $foundOne = $false foreach ($app in $Parameters.Apps) { $foundOne = $true $appsValue += @" `r`n{ "id":"$($app)", "mobileAppIdentifier": { "@odata.type": "#microsoft.graph.iosMobileAppIdentifier", "bundleId": "$app" } }, "@ } if ($foundOne) { $appsValue = $appsValue.TrimEnd(',') + " `r`n" } $appsValue += "]" #endregion $JsonContent = @" { "@odata.type": "#microsoft.graph.iosManagedAppProtection", "displayName": "$($Parameters.DisplayName)", "description": "$($Parameters.Description)", "periodOfflineBeforeAccessCheck": "$($Parameters.PeriodOfflineBeforeAccessCheck)", "periodOnlineBeforeAccessCheck": "$($Parameters.PeriodOnlineBeforeAccessCheck)", "allowedInboundDataTransferSources": "$($Parameters.AllowedInboundDataTransferSources)", "allowedOutboundDataTransferDestinations": "$($Parameters.AllowedOutboundDataTransferDestinations)", "organizationalCredentialsRequired": $($Parameters.OrganizationalCredentialsRequired.ToString().ToLower()), "allowedOutboundClipboardSharingLevel": "$($Parameters.AllowedOutboundClipboardSharingLevel)", "dataBackupBlocked": $($Parameters.DataBackupBlocked.ToString().ToLower()), "deviceComplianceRequired": $($Parameters.DeviceComplianceRequired.ToString().ToLower()), "managedBrowserToOpenLinksRequired": $($Parameters.ManagedBrowserToOpenLinksRequired.ToString().ToLower()), "saveAsBlocked": $($Parameters.SaveAsBlocked.ToString().ToLower()), "periodOfflineBeforeWipeIsEnforced": "$($Parameters.PeriodOfflineBeforeWipeIsEnforced)", "pinRequired": $($Parameters.PinRequired.ToString().ToLower()), "maximumPinRetries": $($Parameters.MaximumPinRetries), "simplePinBlocked": $($Parameters.SimplePinBlocked.ToString().ToLower()), "minimumPinLength": $($Parameters.MinimumPinLength), "pinCharacterSet": "$($Parameters.PinCharacterSet)", "contactSyncBlocked": $($Parameters.ContactSyncBlocked.ToString().ToLower()), "printBlocked": $($Parameters.PrintBlocked.ToString().ToLower()), "fingerprintBlocked": $($Parameters.FingerprintBlocked.ToString().ToLower()), "appDataEncryptionType": "$($Parameters.AppDataEncryptionType)", "allowedDataStorageLocations": $allowedDataStorageLocations "@ if ($IncludeApps) { $JSOnContent += "`"apps`":$appsValue`r`n" } $JsonContent += "}" return $JsonContent } function Get-M365DSCIntuneAppProtectionPolicyiOSAppsJSON { [CmdletBinding()] [OutputType([System.String])] param( [Parameter(Mandatory = $true)] [System.Collections.Hashtable] $Parameters ) #region Apps $appsValue = "[" $foundOne = $false foreach ($app in $Parameters.Apps) { $foundOne = $true $appsValue += @" `r`n{ "id":"$($app)", "mobileAppIdentifier": { "@odata.type": "#microsoft.graph.iosMobileAppIdentifier", "bundleId": "$app" } }, "@ } if ($foundOne) { $appsValue = $appsValue.TrimEnd(',') + " `r`n" } $appsValue += "]" #endregion $JsonContent = @" { "apps": $appsValue } "@ return $JsonContent } function Get-M365DSCIntuneAppProtectionPolicyiOSAssignmentJSON { [CmdletBinding()] [OutputType([System.String])] param( [Parameter(Mandatory = $true)] [System.String[]] $Assignments, [Parameter(Mandatory = $true)] [System.String[]] $Exclusions ) $JsonContent = "{`r`n" $JsonContent += "`"assignments`":[`r`n" foreach ($assignment in $Assignments) { $JsonContent += " {`"target`":{`r`n" $JsonContent += " `"groupId`":`"$assignment`",`r`n" $JsonContent += " `"@odata.type`":`"#microsoft.graph.groupAssignmentTarget`"`r`n" $JsonContent += " }}," } foreach ($exclusion in $Exclusions) { $JsonContent += " {`"target`":{`r`n" $JsonContent += " `"groupId`":`"$exclusion`",`r`n" $JsonContent += " `"@odata.type`":`"#microsoft.graph.exclusionGroupAssignmentTarget`"`r`n" $JsonContent += " }}," } $JsonContent = $JsonContent.TrimEnd(',') $JsonContent += "]`r`n" $JsonContent += "`r`n}" return $JsonContent } function New-M365DSCIntuneAppProtectionPolicyiOS { [CmdletBinding()] param( [Parameter(Mandatory = $true)] [System.String] $JSONContent ) try { $Url = 'https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies' Write-Verbose -Message "Creating new iOS App Protection policy with JSON payload: `r`n$JSONContent" Invoke-MSGraphRequest -HttpMethod POST ` -Url $Url ` -Content $JSONContent ` -Headers @{"Content-Type" = "application/json" } | Out-Null } catch { Write-Verbose -Message $_ $tenantIdValue = $GlobalAdminAccount.UserName.Split('@')[1] Add-M365DSCEvent -Message $_ -EntryType 'Error' ` -EventID 1 -Source $($MyInvocation.MyCommand.Source) ` -TenantId $tenantIdValue } } function Set-M365DSCIntuneAppProtectionPolicyiOS { [CmdletBinding()] param( [Parameter(Mandatory = $true)] [System.String] $JSONContent, [Parameter(Mandatory = $true)] [System.String] $PolicyId ) try { $Url = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections('$PolicyId')/" Write-Verbose -Message "Creating new iOS App Protection policy with JSON payload: `r`n$JSONContent" Invoke-MSGraphRequest -HttpMethod PATCH ` -Url $Url ` -Content $JSONContent ` -Headers @{"Content-Type" = "application/json" } | Out-Null } catch { Write-Verbose -Message $_ $tenantIdValue = $GlobalAdminAccount.UserName.Split('@')[1] Add-M365DSCEvent -Message $_ -EntryType 'Error' ` -EventID 1 -Source $($MyInvocation.MyCommand.Source) ` -TenantId $tenantIdValue } } function Set-M365DSCIntuneAppProtectionPolicyiOSApps { [CmdletBinding()] param( [Parameter(Mandatory = $true)] [System.String] $JSONContent, [Parameter(Mandatory = $true)] [System.String] $PolicyId ) try { $Url = "https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies/$PolicyId/targetApps" Write-Verbose -Message "Updating Apps for iOS App Protection policy with JSON payload: `r`n$JSONContent" Invoke-MSGraphRequest -HttpMethod POST ` -Url $Url ` -Content $JSONContent ` -Headers @{"Content-Type" = "application/json" } | Out-Null } catch { Write-Verbose -Message $_ $tenantIdValue = $GlobalAdminAccount.UserName.Split('@')[1] Add-M365DSCEvent -Message $_ -EntryType 'Error' ` -EventID 1 -Source $($MyInvocation.MyCommand.Source) ` -TenantId $tenantIdValue } } function Set-M365DSCIntuneAppProtectionPolicyiOSAssignment { [CmdletBinding()] param( [Parameter(Mandatory = $true)] [System.String] $JSONContent, [Parameter(Mandatory = $true)] [System.String] $PolicyId ) try { $Url = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections('$PolicyId')/assign" Write-Verbose -Message "Group Assignment for iOS App Protection policy with JSON payload: `r`n$JSONContent" Invoke-MSGraphRequest -HttpMethod POST ` -Url $Url ` -Content $JSONContent ` -Headers @{"Content-Type" = "application/json" } | Out-Null } catch { Write-Verbose -Message $_ $tenantIdValue = $GlobalAdminAccount.UserName.Split('@')[1] Add-M365DSCEvent -Message $_ -EntryType 'Error' ` -EventID 1 -Source $($MyInvocation.MyCommand.Source) ` -TenantId $tenantIdValue } } Export-ModuleMember -Function *-TargetResource |