DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1
function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory = $true)] [System.String] $Identity, [Parameter(Mandatory = $true)] [System.String] $DisplayName, [Parameter()] [System.String] $Description, [Parameter()] [ValidateSet('singlePlatformRestriction', 'platformRestrictions')] [System.String] $DeviceEnrollmentConfigurationType, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $IosRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $WindowsRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $WindowsHomeSkuRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $WindowsMobileRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $AndroidRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $AndroidForWorkRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $MacRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $MacOSRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, [Parameter()] [System.Int32] $Priority, [Parameter()] [System.String] [ValidateSet('Absent', 'Present')] $Ensure = 'Present', [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity ) Write-Verbose -Message "Checking for the Intune Device Enrollment Restriction {$DisplayName}" $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion $nullResult = $PSBoundParameters $nullResult.Ensure = 'Absent' $PlatformType = '' $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys foreach ($key in $keys) { if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*' -and $key -like "*Restriction") { if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' ) { $PlatformType = $key.replace('Restriction', '') break } } } try { try { $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $Identity -ErrorAction Stop } catch { $config = $null } if ($null -eq $config) { Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with Id {$Identity}" $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -Filter "DisplayName eq '$DisplayName'" ` -ErrorAction SilentlyContinue | Where-Object -FilterScript { $_.AdditionalProperties.'@odata.type' -like "#microsoft.graph.deviceEnrollmentPlatformRestriction*Configuration" -and $(if ($null -ne $_.AdditionalProperties.platformType) { $_.AdditionalProperties.platformType -eq $PlatformType } else { $true }) } if ($null -eq $config) { Write-Verbose -Message "Could not find an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" return $nullResult } } Write-Verbose -Message "Found Intune Device Enrollment Platform Restriction with Name {$($config.DisplayName)}" $results = @{ Identity = $config.Id DisplayName = $config.DisplayName Description = $config.Description DeviceEnrollmentConfigurationType = $config.DeviceEnrollmentConfigurationType.toString() Priority = $config.Priority Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent } $results += Get-DevicePlatformRestrictionSetting -Properties $config.AdditionalProperties if ($null -ne $results.WindowsMobileRestriction) { $results.Remove('WindowsMobileRestriction') | Out-Null } $assignmentsValues = Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment -DeviceEnrollmentConfigurationId $config.Id $assignmentResult = @() foreach ($assignmentEntry in $assignmentsValues) { $assignmentValue = @{ dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) { $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() }) deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId groupId = $assignmentEntry.Target.AdditionalProperties.groupId } $assignmentResult += $assignmentValue } $results.Add('Assignments', $assignmentResult) return $results } catch { New-M365DSCLogEntry -Message 'Error retrieving data:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential return $nullResult } } function Set-TargetResource { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [System.String] $Identity, [Parameter(Mandatory = $true)] [System.String] $DisplayName, [Parameter()] [System.String] $Description, [Parameter()] [ValidateSet('singlePlatformRestriction', 'platformRestrictions')] [System.String] $DeviceEnrollmentConfigurationType, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $IosRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $WindowsRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $WindowsHomeSkuRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $WindowsMobileRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $AndroidRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $AndroidForWorkRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $MacRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $MacOSRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, [Parameter()] [System.Int32] $Priority, [Parameter()] [System.String] [ValidateSet('Absent', 'Present')] $Ensure = 'Present', [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity ) $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion if ($Ensure -eq 'Absent' -and $Identity -like '*_DefaultPlatformRestrictions') { throw 'Cannot delete the default platform restriction policy.' } $currentInstance = Get-TargetResource @PSBoundParameters $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters $PSBoundParameters.Remove('Identity') | Out-Null $PriorityPresent = $false if ($PSBoundParameters.Keys.Contains('Priority')) { $PriorityPresent = $true $PSBoundParameters.Remove('Priority') | Out-Null } if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { Write-Verbose -Message "Creating an Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" $PSBoundParameters.Remove('Assignments') | Out-Null if ($PSBoundParameters.Keys.Contains('WindowsMobileRestriction')) { if ($WindowsMobileRestriction.platformBlocked -eq $false) { Write-Verbose -Message 'Windows Mobile platform is deprecated and cannot be unblocked, reverting back to blocked' $WindowsMobileRestriction.platformBlocked = $true } } $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys foreach ($key in $keys) { $keyName = $key.substring(0, 1).toLower() + $key.substring(1, $key.length - 1) $keyValue = $PSBoundParameters.$key if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*') { $keyValue = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.$key if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' ) { $keyName = 'platformRestriction' $PSBoundParameters.add('platformType', ($key.replace('Restriction', ''))) } } $PSBoundParameters.remove($key) $PSBoundParameters.add($keyName, $keyValue) } $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' if ($DeviceEnrollmentConfigurationType -eq 'platformRestrictions' ) { $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' $PSBoundParameters.add('deviceEnrollmentConfigurationType ', 'limit') } $PSBoundParameters.add('@odata.type', $policyType) #Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20) $policy = New-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` -BodyParameter ([hashtable]$PSBoundParameters) # Assignments from DefaultPolicy are not editable and will raise an alert if ($policy.Id -notlike '*_DefaultPlatformRestrictions') { $assignmentsHash = @() if ($null -ne $Assignments -and $Assignments.Length -gt 0) { foreach ($assignment in $Assignments) { $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment } } Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $policy.Id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceEnrollmentConfigurations' ` -RootIdentifier 'enrollmentConfigurationAssignments' if ($PriorityPresent -and $Priority -ne $policy.Priority) { $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $policy.Id $Body = @{ priority = $Priority } Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body } } } elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { Write-Verbose -Message "Updating the Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" $PSBoundParameters.Remove('Assignments') | Out-Null if ($PSBoundParameters.Keys.Contains('WindowsMobileRestriction')) { if ($WindowsMobileRestriction.platformBlocked -eq $false) { Write-Verbose -Message 'Windows Mobile platform is deprecated and cannot be unblocked, reverting back to blocked' $WindowsMobileRestriction.platformBlocked = $true } } $keys = (([Hashtable]$PSBoundParameters).Clone()).Keys foreach ($key in $keys) { $keyName = $key.substring(0, 1).toLower() + $key.substring(1, $key.length - 1) $keyValue = $PSBoundParameters.$key if ($null -ne $PSBoundParameters.$key -and $PSBoundParameters.$key.getType().Name -like '*cimInstance*') { $keyValue = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.$key if ($DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' ) { $keyName = 'platformRestriction' } } $PSBoundParameters.remove($key) $PSBoundParameters.add($keyName, $keyValue) } $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' if ($DeviceEnrollmentConfigurationType -eq 'platformRestrictions' ) { $policyType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' } $PSBoundParameters.add('@odata.type', $policyType) #Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20) Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` -DeviceEnrollmentConfigurationId $currentInstance.Identity ` -BodyParameter ([hashtable]$PSBoundParameters) # Assignments from DefaultPolicy are not editable and will raise an alert if ($currentInstance.Identity -notlike '*_DefaultPlatformRestrictions') { $assignmentsHash = @() if ($null -ne $Assignments -and $Assignments.Length -gt 0) { foreach ($assignment in $Assignments) { $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment } } Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.Identity ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceEnrollmentConfigurations' ` -RootIdentifier 'enrollmentConfigurationAssignments' if ($PriorityPresent -and $Priority -ne $currentInstance.Priority) { $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $currentInstance.Identity $Body = @{ priority = $Priority } Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body } } } elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { Write-Verbose -Message "Removing the Intune Device Enrollment Platform Restriction with DisplayName {$DisplayName}" Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $currentInstance.Identity } } function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter(Mandatory = $true)] [System.String] $Identity, [Parameter(Mandatory = $true)] [System.String] $DisplayName, [Parameter()] [System.String] $Description, [Parameter()] [ValidateSet('singlePlatformRestriction', 'platformRestrictions')] [System.String] $DeviceEnrollmentConfigurationType, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $IosRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $WindowsRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $WindowsHomeSkuRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $WindowsMobileRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $AndroidRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $AndroidForWorkRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $MacRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $MacOSRestriction, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, [Parameter()] [System.Int32] $Priority, [Parameter()] [System.String] [ValidateSet('Absent', 'Present')] $Ensure = 'Present', [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity ) #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion Write-Verbose -Message "Testing configuration of the Intune Device Enrollment Platform Restriction with Id {$Identity} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() if ($CurrentValues.Ensure -ne $Ensure) { Write-Verbose -Message "Test-TargetResource returned $false" return $false } $testResult = $true #Compare Cim instances foreach ($key in $PSBoundParameters.Keys) { $source = $PSBoundParameters.$key $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*' -and $key -ne 'WindowsMobileRestriction') { $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) if (-Not $testResult) { $testResult = $false break } $ValuesToCheck.Remove($key) | Out-Null } } $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck $ValuesToCheck.Remove('Identity') | Out-Null $ValuesToCheck.Remove('WindowsMobileRestriction') | Out-Null #Convert any DateTime to String foreach ($key in $ValuesToCheck.Keys) { if (($null -ne $CurrentValues[$key]) ` -and ($CurrentValues[$key].getType().Name -eq 'DateTime')) { $CurrentValues[$key] = $CurrentValues[$key].toString() } } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" #Compare basic parameters if ($testResult) { Write-Verbose -Message "Comparing the current values with the desired ones" $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys } Write-Verbose -Message "Test-TargetResource returned $testResult" return $testResult } function Export-TargetResource { [CmdletBinding()] [OutputType([System.String])] param ( [Parameter()] [System.String] $Filter, [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity ) $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion try { [array]$configs = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` -All ` -Filter "deviceEnrollmentConfigurationType eq 'singlePlatformRestriction'" ` -ErrorAction Stop $i = 1 $dscContent = '' if ($configs.Length -eq 0) { Write-Host $Global:M365DSCEmojiGreenCheckMark } else { Write-Host "`r`n" -NoNewline } foreach ($config in $configs) { Write-Host " |---[$i/$($configs.Count)] $($config.displayName)" -NoNewline $params = @{ Identity = $config.id DisplayName = $config.displayName Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent } $Results = Get-TargetResource @Params if ($null -ne $Results.Assignments) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments if ($complexTypeStringResult) { $Results.Assignments = $complexTypeStringResult } else { $Results.Remove('Assignments') | Out-Null } } if ($null -ne $Results.IosRestriction) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ($Results.IosRestriction) -CIMInstanceName DeviceEnrollmentPlatformRestriction if ($complexTypeStringResult) { $Results.IosRestriction = $complexTypeStringResult } else { $Results.Remove('IosRestriction') | Out-Null } } if ($null -ne $Results.WindowsRestriction) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ($Results.WindowsRestriction) -CIMInstanceName DeviceEnrollmentPlatformRestriction if ($complexTypeStringResult) { $Results.WindowsRestriction = $complexTypeStringResult } else { $Results.Remove('WindowsRestriction') | Out-Null } } if ($null -ne $Results.WindowsHomeSkuRestriction) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ($Results.WindowsHomeSkuRestriction) -CIMInstanceName DeviceEnrollmentPlatformRestriction if ($complexTypeStringResult) { $Results.WindowsHomeSkuRestriction = $complexTypeStringResult } else { $Results.Remove('WindowsHomeSkuRestriction') | Out-Null } } if ($null -ne $Results.WindowsMobileRestriction) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ($Results.WindowsMobileRestriction) -CIMInstanceName DeviceEnrollmentPlatformRestriction if ($complexTypeStringResult) { $Results.WindowsMobileRestriction = $complexTypeStringResult } else { $Results.Remove('WindowsMobileRestriction') | Out-Null } } if ($null -ne $Results.AndroidRestriction) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ($Results.AndroidRestriction) -CIMInstanceName DeviceEnrollmentPlatformRestriction if ($complexTypeStringResult) { $Results.AndroidRestriction = $complexTypeStringResult } else { $Results.Remove('AndroidRestriction') | Out-Null } } if ($null -ne $Results.AndroidForWorkRestriction) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ($Results.AndroidForWorkRestriction) -CIMInstanceName DeviceEnrollmentPlatformRestriction if ($complexTypeStringResult) { $Results.AndroidForWorkRestriction = $complexTypeStringResult } else { $Results.Remove('AndroidForWorkRestriction') | Out-Null } } if ($null -ne $Results.MacRestriction) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ($Results.MacRestriction) -CIMInstanceName DeviceEnrollmentPlatformRestriction if ($complexTypeStringResult) { $Results.MacRestriction = $complexTypeStringResult } else { $Results.Remove('MacRestriction') | Out-Null } } if ($null -ne $Results.MacOSRestriction) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ($Results.MacOSRestriction) -CIMInstanceName DeviceEnrollmentPlatformRestriction if ($complexTypeStringResult) { $Results.MacOSRestriction = $complexTypeStringResult } else { $Results.Remove('MacOSRestriction') | Out-Null } } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` -Results $Results ` -Credential $Credential if ($null -ne $Results.Assignments) { $isCIMArray = $false if ($Results.Assignments.getType().Fullname -like '*[[\]]') { $isCIMArray = $true } $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$isCIMArray } if ($null -ne $Results.IosRestriction) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'IosRestriction' } if ($null -ne $Results.WindowsRestriction) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'WindowsRestriction' } if ($null -ne $Results.WindowsHomeSkuRestriction) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'WindowsHomeSkuRestriction' } if ($null -ne $Results.WindowsMobileRestriction) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'WindowsMobileRestriction' } if ($null -ne $Results.AndroidRestriction) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'AndroidRestriction' } if ($null -ne $Results.AndroidForWorkRestriction) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'AndroidForWorkRestriction' } if ($null -ne $Results.MacRestriction) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'MacRestriction' } if ($null -ne $Results.MacOSRestriction) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'MacOSRestriction' } $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName $i++ Write-Host $Global:M365DSCEmojiGreenCheckMark } return $dscContent } catch { if ($_.Exception -like '*401*' -or $_.ErrorDetails.Message -like "*`"ErrorCode`":`"Forbidden`"*" -or ` $_.Exception -like "*Request not applicable to target tenant*") { Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) The current tenant is not registered for Intune." } else { Write-Host $Global:M365DSCEmojiRedX New-M365DSCLogEntry -Message 'Error during Export:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential } return '' } } function Get-DevicePlatformRestrictionSetting { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory = 'true')] [System.Collections.Hashtable] $Properties ) $results = @{} if ($null -ne $Properties.platformType) { $keyName = ($Properties.platformType).Substring(0, 1).toUpper() + ($Properties.platformType).substring(1, $Properties.platformType.length - 1) + 'Restriction' $keyValue = [Hashtable]::new($Properties.platformRestriction) $hash = @{} foreach ($key in $keyValue.Keys) { if ($null -ne $keyValue.$key) { switch -Wildcard ($keyValue.$key.getType().name) { '*[[\]]' { if ($keyValue.$key.count -gt 0) { $hash.add($key, $keyValue.$key) } } 'String' { if (-Not [String]::IsNullOrEmpty($keyValue.$key)) { $hash.add($key, $keyValue.$key) } } Default { $hash.add($key, $keyValue.$key) } } } } $results.add($keyName, $hash) } else { $platformRestrictions = [Hashtable]::new($Properties) $platformRestrictions.remove('@odata.type') $platformRestrictions.remove('@odata.context') foreach ($key in $platformRestrictions.Keys) { $keyName = $key.Substring(0, 1).toUpper() + $key.substring(1, $key.length - 1) $keyValue = [Hashtable]::new($platformRestrictions.$key) $hash = @{} foreach ($key in $keyValue.Keys) { if ($null -ne $keyValue.$key) { switch -Wildcard ($keyValue.$key.getType().name) { '*[[\]]' { if ($keyValue.$key.count -gt 0) { $hash.add($key, $keyValue.$key) } } 'String' { if (-Not [String]::IsNullOrEmpty($keyValue.$key)) { $hash.add($key, $keyValue.$key) } } Default { $hash.add($key, $keyValue.$key) } } } } $results.add($keyName, $hash) } } return $results } Export-ModuleMember -Function *-TargetResource |