diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1bc1efa63e..6b0e47891c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,8 @@ # Change log for Microsoft365DSC # UNRELEASED +* IntuneAppProtectionPolicyiOS + * Fixes [#5589] https://github.com/microsoft/Microsoft365DSC/issues/5589 * AADConditionalAccessPolicy * Fixed DisableResilienceDefaults result
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1
index 72b5ef5b63..d00981d45f 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.psm1
@@ -16,6 +16,110 @@ function Get-TargetResource [System.String] $Description, + [Parameter()] + [System.String[]] + $AllowedDataIngestionLocations, + + [Parameter()] + [System.Boolean] + $AllowWidgetContentSync, + + [Parameter()] + [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] + [System.String] + $AppActionIfAccountIsClockedOut, + + [Parameter()] + [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] + [System.String] + $AppActionIfUnableToAuthenticateUser, + + [Parameter()] + [ValidateSet('selectedPublicApps', 'allCoreMicrosoftApps', 'allMicrosoftApps','allApps')] + [System.String] + $AppGroupType, + + [Parameter()] + [System.Boolean] + $BlockDataIngestionIntoOrganizationDocuments, + + [Parameter()] + [System.String] + $CustomDialerAppProtocol, + + [Parameter()] + [System.UInt32] + $DeployedAppCount, + + [Parameter()] + [ValidateSet('allApps','managedApps','customApp','blocked')] + [System.String] + $DialerRestrictionLevel, + + [Parameter()] + [System.String[]] + $ExemptedUniversalLinks, + + [Parameter()] + [System.String] + $GracePeriodToBlockAppsDuringOffClockHours, + + [Parameter()] + [System.Boolean] + $IsAssigned, + + [Parameter()] + [System.String[]] + $ManagedUniversalLinks, + + [Parameter()] + [ValidateSet('notConfigured', 'secured', 'low', 'medium', 'high')] + [System.String] + $MaximumAllowedDeviceThreatLevel, + + [Parameter()] + [System.String] + $MaximumRequiredOsVersion, + + [Parameter()] + [System.String] + $MaximumWarningOsVersion, + + [Parameter()] + [System.String] + $MaximumWipeOsVersion, + + [Parameter()] + [System.String] + $MessagingRedirectAppUrlScheme, + + [Parameter()] + [System.String] + $MinimumWarningSdkVersion, + + [Parameter()] + [ValidateSet('defenderOverThirdPartyPartner','thirdPartyPartnerOverDefender','unknownFutureValue')] + [System.String] + $MobileThreatDefensePartnerPriority, + + [Parameter()] + [ValidateSet('block','wipe','warn','blockWhenSettingIsSupported')] + [System.String] + 
$MobileThreatDefenseRemediationAction, + + [Parameter()] + [System.UInt32] + $PreviousPinBlockCount, + + [Parameter()] + [ValidateSet('anyApp','anyManagedApp','specificApps','blocked')] + [System.String] + $ProtectedMessagingRedirectAppType, + + [Parameter()] + [System.Boolean] + $ThirdPartyKeyboardsBlocked, + [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, @@ -319,7 +423,6 @@ function Get-TargetResource { $assignmentsArray += $assignmentValue } - if ($policyAssignment.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget') { $exclusionArray += $assignmentValue 
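Review bot: `DeployedAppCount` and `IsAssigned` are exposed here as settable parameters (and again in the Set-TargetResource and Test-TargetResource param blocks in the later hunks), yet the MOF in this same commit describes them as a count of deployed apps and an indicator of deployment state, which look like values the service computes rather than accepts; if so, Set-TargetResource will forward them in the create/update body and Test-TargetResource will report drift every time an assignment or app list changes. Keeping them in Get-TargetResource for export is fine, but the comparison should exclude them — after the existing `$ValuesToCheck.Remove('Identity')` add `$ValuesToCheck.Remove('DeployedAppCount')` and `$ValuesToCheck.Remove('IsAssigned')` — and Set-TargetResource should drop them from `$createParameters`/`$updateParameters` the same way it already strips `Apps`. Worth confirming against the Graph iosManagedAppProtection schema before changing. Get-TargetResource's param block continues outside the hunk.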
@@ -362,10 +465,40 @@ function Get-TargetResource $myPinRequiredInsteadOfBiometricTimeout = $policy.PinRequiredInsteadOfBiometricTimeout.toString() } + $myGracePeriodToBlockAppsDuringOffClockHours = $policy.gracePeriodToBlockAppsDuringOffClockHours + if ($null -ne $policy.gracePeriodToBlockAppsDuringOffClockHours) + { + $myGracePeriodToBlockAppsDuringOffClockHours = $policy.gracePeriodToBlockAppsDuringOffClockHours.toString() + } + return @{ Identity = $policy.id DisplayName = $policy.DisplayName Description = $policy.Description + AllowedDataIngestionLocations = [String[]]$policy.AllowedDataIngestionLocations + AllowWidgetContentSync = $policy.AllowWidgetContentSync + AppActionIfAccountIsClockedOut = [string]$policy.appActionIfAccountIsClockedOut + AppActionIfUnableToAuthenticateUser = [string]$policy.appActionIfUnableToAuthenticateUser + AppGroupType = [string]$policy.appGroupType + BlockDataIngestionIntoOrganizationDocuments = $policy.blockDataIngestionIntoOrganizationDocuments + CustomDialerAppProtocol = [string]$policy.customDialerAppProtocol + DeployedAppCount = $policy.deployedAppCount + DialerRestrictionLevel = [string]$policy.dialerRestrictionLevel + ExemptedUniversalLinks = $policy.exemptedUniversalLinks + GracePeriodToBlockAppsDuringOffClockHours = $myGracePeriodToBlockAppsDuringOffClockHours + IsAssigned = $policy.isAssigned + ManagedUniversalLinks = $policy.managedUniversalLinks + MaximumAllowedDeviceThreatLevel = [string]$policy.maximumAllowedDeviceThreatLevel + MaximumRequiredOsVersion = [string]$policy.maximumRequiredOsVersion + MaximumWarningOsVersion = [string]$policy.maximumWarningOsVersion + MaximumWipeOsVersion = [string]$policy.maximumWipeOsVersion + MessagingRedirectAppUrlScheme = [string]$policy.messagingRedirectAppUrlScheme + MinimumWarningSdkVersion = [string]$policy.minimumWarningSdkVersion + MobileThreatDefensePartnerPriority = [string]$policy.mobileThreatDefensePartnerPriority + MobileThreatDefenseRemediationAction = 
[string]$policy.mobileThreatDefenseRemediationAction + PreviousPinBlockCount = $policy.previousPinBlockCount + ProtectedMessagingRedirectAppType = [string]$policy.protectedMessagingRedirectAppType + thirdPartyKeyboardsBlocked = $policy.thirdPartyKeyboardsBlocked PeriodOfflineBeforeAccessCheck = $myPeriodOfflineBeforeAccessCheck PeriodOnlineBeforeAccessCheck = $myPeriodOnlineBeforeAccessCheck AllowedInboundDataTransferSources = [String]$policy.AllowedInboundDataTransferSources 
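Review bot: `ExemptedUniversalLinks = $policy.exemptedUniversalLinks` and `ManagedUniversalLinks = $policy.managedUniversalLinks` are returned without the `[String[]]` cast that `AllowedDataIngestionLocations` gets a few lines up; when the policy holds a single link PowerShell may unwrap the collection to a scalar string, which the MOF declares as `String[]` and which the comparison in Test-TargetResource would then likely treat as a mismatch. Suggest `ExemptedUniversalLinks = [String[]]$policy.exemptedUniversalLinks` and `ManagedUniversalLinks = [String[]]$policy.managedUniversalLinks`. The key `thirdPartyKeyboardsBlocked` is also the only lowercase key in this hashtable; lookups are case-insensitive so it works, but anything keying off the Get result by name will see the odd casing, so rename it to `ThirdPartyKeyboardsBlocked` to match the parameter. The return hashtable continues outside the hunk.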
@@ -461,6 +594,110 @@ function Set-TargetResource [System.String] $Description, + [Parameter()] + [System.String[]] + $AllowedDataIngestionLocations, + + [Parameter()] + [System.Boolean] + $AllowWidgetContentSync, + + [Parameter()] + [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] + [System.String] + $AppActionIfAccountIsClockedOut, + + [Parameter()] + [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] + [System.String] + $AppActionIfUnableToAuthenticateUser, + + [Parameter()] + [ValidateSet('selectedPublicApps', 'allCoreMicrosoftApps', 'allMicrosoftApps','allApps')] + [System.String] + $AppGroupType, + + [Parameter()] + [System.Boolean] + $BlockDataIngestionIntoOrganizationDocuments, + + [Parameter()] + [System.String] + $CustomDialerAppProtocol, + + [Parameter()] + [System.UInt32] + $DeployedAppCount, + + [Parameter()] + [ValidateSet('allApps','managedApps','customApp','blocked')] + [System.String] + $DialerRestrictionLevel, + + [Parameter()] + [System.String[]] + $ExemptedUniversalLinks, + + [Parameter()] + [System.String] + $GracePeriodToBlockAppsDuringOffClockHours, + + [Parameter()] + [System.Boolean] + $IsAssigned, + + [Parameter()] + [System.String[]] + $ManagedUniversalLinks, + + [Parameter()] + [ValidateSet('notConfigured', 'secured', 'low', 'medium', 'high')] + [System.String] + $MaximumAllowedDeviceThreatLevel, + + [Parameter()] + [System.String] + $MaximumRequiredOsVersion, + + [Parameter()] + [System.String] + $MaximumWarningOsVersion, + + [Parameter()] + [System.String] + $MaximumWipeOsVersion, + + [Parameter()] + [System.String] + $MessagingRedirectAppUrlScheme, + + [Parameter()] + [System.String] + $MinimumWarningSdkVersion, + + [Parameter()] + [ValidateSet('defenderOverThirdPartyPartner','thirdPartyPartnerOverDefender','unknownFutureValue')] + [System.String] + $MobileThreatDefensePartnerPriority, + + [Parameter()] + [ValidateSet('block','wipe','warn','blockWhenSettingIsSupported')] + [System.String] + 
$MobileThreatDefenseRemediationAction, + + [Parameter()] + [System.UInt32] + $PreviousPinBlockCount, + + [Parameter()] + [ValidateSet('anyApp','anyManagedApp','specificApps','blocked')] + [System.String] + $ProtectedMessagingRedirectAppType, + + [Parameter()] + [System.Boolean] + $ThirdPartyKeyboardsBlocked, + [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, @@ -742,6 +979,7 @@ function Set-TargetResource 'PeriodOfflineBeforeWipeIsEnforced' 'PeriodBeforePinReset' 'PinRequiredInsteadOfBiometricTimeout' + 'GracePeriodToBlockAppsDuringOffClockHours' ) foreach ($duration in $durationParameters) { @@ -769,10 +1007,17 @@ function Set-TargetResource } $createParameters.ExemptedAppProtocols = $myExemptedAppProtocols - $policy = New-MgBetaDeviceAppManagementiOSManagedAppProtection -BodyParameter $createParameters + $arrayTemp = @("minimumWarningSdkVersion","maximumRequiredOsVersion","maximumWarningOsVersion","maximumWipeOsVersion") + Foreach($item in $arrayTemp) + { + if ($createParameters.$item -eq "") + { + $createParameters.Remove($item) #for some reason cmdlet can't handle this being blank, which is annoying as we can't enforce it + } + } + $policy = New-MgBetaDeviceAppManagementiOSManagedAppProtection -BodyParameter $createParameters Update-IntuneAppProtectionPolicyiOSApp -IosManagedAppProtectionId $policy.id -Apps $myApps - Write-Verbose -Message 'Updating policy assignments' Update-IntuneAppProtectionPolicyiOSAssignment -IosManagedAppProtectionId $policy.id -Assignments $myAssignments } 
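Review bot: The `$arrayTemp` loop that strips empty `minimumWarningSdkVersion`/`maximumRequiredOsVersion`/`maximumWarningOsVersion`/`maximumWipeOsVersion` values before `New-MgBetaDeviceAppManagementiOSManagedAppProtection` is repeated verbatim in the update branch (the `@@ -785` hunk), and the comment on both says only that the cmdlet "can't handle" a blank, not what that means for users: a blank in the configuration is silently dropped, so DSC cannot clear a version already set in the service, and Test-TargetResource will presumably keep reporting that drift. Factor the loop into one helper next to the existing `Get-IntuneAppProtectionPolicyiOSAppsToHashtable` helpers and call it from both branches (`Remove-BlankVersionProperty -Parameters $createParameters` / `-Parameters $updateParameters`); hashtables are reference types, so the `Remove` inside mutates the caller's table, assuming `$createParameters` is the case-insensitive hashtable the `Remove('Apps')` calls in the update branch suggest. Using the parameter-cased names in the list also keeps it greppable against the param block. Set-TargetResource starts before and ends after this hunk.

```powershell
# Graph rejects an empty string for these version properties, so a blank value is
# dropped from the request body. DSC therefore cannot clear a version that is already
# set in the service; Test-TargetResource will still report the drift.
function Remove-BlankVersionProperty
{
    param(
        [Parameter(Mandatory = $true)]
        [System.Collections.Hashtable]
        $Parameters
    )

    foreach ($item in @('MinimumWarningSdkVersion', 'MaximumRequiredOsVersion', 'MaximumWarningOsVersion', 'MaximumWipeOsVersion'))
    {
        if ($Parameters.$item -eq '')
        {
            $Parameters.Remove($item)
        }
    }
}
```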
@@ -785,6 +1030,15 @@ function Set-TargetResource $updateParameters.Remove('Apps') $updateParameters.TargetedAppManagementLevels = $updateParameters.TargetedAppManagementLevels -join ',' + $arrayTemp = @("minimumWarningSdkVersion","maximumRequiredOsVersion","maximumWarningOsVersion","maximumWipeOsVersion") + Foreach($item in $arrayTemp) + { + if ($updateParameters.$item -eq "") + { + $updateParameters.Remove($item) #for some reason cmdlet can't handle this being blank, which is annoying as we can't enforce it + } + } + $myApps = Get-IntuneAppProtectionPolicyiOSAppsToHashtable -Parameters $PSBoundParameters $myAssignments = Get-IntuneAppProtectionPolicyiOSAssignmentToHashtable -Parameters $PSBoundParameters @@ -794,6 +1048,7 @@ function Set-TargetResource 'PeriodOfflineBeforeWipeIsEnforced' 'PeriodBeforePinReset' 'PinRequiredInsteadOfBiometricTimeout' + 'GracePeriodToBlockAppsDuringOffClockHours' ) foreach ($duration in $durationParameters) { @@ -813,7 +1068,6 @@ function Set-TargetResource $updateParameters.ExemptedAppProtocols = $myExemptedAppProtocols Update-MgBetaDeviceAppManagementiOSManagedAppProtection -IosManagedAppProtectionId $Identity -BodyParameter $updateParameters - Update-IntuneAppProtectionPolicyiOSApp -IosManagedAppProtectionId $Identity -Apps $myApps Write-Verbose -Message "Updating policy assignments: $myassignments" 
@@ -845,6 +1099,110 @@ function Test-TargetResource [System.String] $Description, + [Parameter()] + [System.String[]] + $AllowedDataIngestionLocations, + + [Parameter()] + [System.Boolean] + $AllowWidgetContentSync, + + [Parameter()] + [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] + [System.String] + $AppActionIfAccountIsClockedOut, + + [Parameter()] + [ValidateSet('block', 'wipe', 'warn', 'blockWhenSettingIsSupported')] + [System.String] + $AppActionIfUnableToAuthenticateUser, + + [Parameter()] + [ValidateSet('selectedPublicApps', 'allCoreMicrosoftApps', 'allMicrosoftApps','allApps')] + [System.String] + $AppGroupType, + + [Parameter()] + [System.Boolean] + $BlockDataIngestionIntoOrganizationDocuments, + + [Parameter()] + [System.String] + $CustomDialerAppProtocol, + + [Parameter()] + [System.UInt32] + $DeployedAppCount, + + [Parameter()] + [ValidateSet('allApps','managedApps','customApp','blocked')] + [System.String] + $DialerRestrictionLevel, + + [Parameter()] + [System.String[]] + $ExemptedUniversalLinks, + + [Parameter()] + [System.String] + $GracePeriodToBlockAppsDuringOffClockHours, + + [Parameter()] + [System.Boolean] + $IsAssigned, + + [Parameter()] + [System.String[]] + $ManagedUniversalLinks, + + [Parameter()] + [ValidateSet('notConfigured', 'secured', 'low', 'medium', 'high')] + [System.String] + $MaximumAllowedDeviceThreatLevel, + + [Parameter()] + [System.String] + $MaximumRequiredOsVersion, + + [Parameter()] + [System.String] + $MaximumWarningOsVersion, + + [Parameter()] + [System.String] + $MaximumWipeOsVersion, + + [Parameter()] + [System.String] + $MessagingRedirectAppUrlScheme, + + [Parameter()] + [System.String] + $MinimumWarningSdkVersion, + + [Parameter()] + [ValidateSet('defenderOverThirdPartyPartner','thirdPartyPartnerOverDefender','unknownFutureValue')] + [System.String] + $MobileThreatDefensePartnerPriority, + + [Parameter()] + [ValidateSet('block','wipe','warn','blockWhenSettingIsSupported')] + [System.String] + 
$MobileThreatDefenseRemediationAction, + + [Parameter()] + [System.UInt32] + $PreviousPinBlockCount, + + [Parameter()] + [ValidateSet('anyApp','anyManagedApp','specificApps','blocked')] + [System.String] + $ProtectedMessagingRedirectAppType, + + [Parameter()] + [System.Boolean] + $ThirdPartyKeyboardsBlocked, + [Parameter()] [System.String] $PeriodOfflineBeforeAccessCheck, @@ -966,23 +1324,19 @@ function Test-TargetResource [System.String] $AppDataEncryptionType, - [Parameter()] [System.String] $MinimumWipeOSVersion, - [Parameter()] [System.String] $MinimumWipeAppVersion, - [Parameter()] [ValidateSet('block', 'wipe', 'warn')] [System.String] $AppActionIfDeviceComplianceRequired, - [Parameter()] [ValidateSet('block', 'wipe', 'warn')] [System.String] @@ -992,12 +1346,10 @@ function Test-TargetResource [System.String] $PinRequiredInsteadOfBiometricTimeout, - [Parameter()] [System.Uint32] $AllowedOutboundClipboardSharingExceptionLength, - [Parameter()] [ValidateSet('allow', 'blockOrganizationalData', 'block')] [System.String] @@ -1020,23 +1372,19 @@ function Test-TargetResource [System.String[]] $AllowedIosDeviceModels, - [Parameter()] [ValidateSet('block', 'wipe', 'warn')] [System.String] $AppActionIfIosDeviceModelNotAllowed, - [Parameter()] [System.Boolean] $FilterOpenInToOnlyManagedApps, - [Parameter()] [System.Boolean] $DisableProtectionOfManagedOutboundOpenInData, - [Parameter()] [System.Boolean] $ProtectInboundDataFromUnknownSources, @@ -1109,7 +1457,6 @@ function Test-TargetResource Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() - $ValuesToCheck.Remove('Identity') $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof
index 1801c4dd5f..c480543983 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyiOS/MSFT_IntuneAppProtectionPolicyiOS.schema.mof
@@ -4,6 +4,30 @@ class MSFT_IntuneAppProtectionPolicyiOS : OMI_BaseResource [Key, Description("Display name of the iOS App Protection Policy.")] String DisplayName; [Write, Description("Identity of the iOS App Protection Policy.")] String Identity; [Write, Description("Description of the iOS App Protection Policy.")] String Description; + [Write, Description("Data storage locations where a user may store managed data. Inherited from managedAppProtection.")] String AllowedDataIngestionLocations[]; + [Write, Description("Indicates if content sync for widgets is allowed for iOS on App Protection Policies.")] Boolean AllowWidgetContentSync; + [Write, Description("Defines a managed app behavior, either block or warn, if the user is clocked out (non-working time)."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String AppActionIfAccountIsClockedOut; + [Write, Description("If set, it will specify what action to take in the case where the user is unable to checkin because their authentication token is invalid. This happens when the user is deleted or disabled in AAD. 
."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String AppActionIfUnableToAuthenticateUser; + [Write, Description("Public Apps selection: group or individual Inherited from targetedManagedAppProtection."), ValueMap{"selectedPublicApps","allCoreMicrosoftApps","allMicrosoftApps","allApps"}, Values{"selectedPublicApps","allCoreMicrosoftApps","allMicrosoftApps","allApps"}] String AppGroupType; + [Write, Description("Indicates whether a user can bring data into org documents.")] boolean BlockDataIngestionIntoOrganizationDocuments; + [Write, Description("Protocol of a custom dialer app to click-to-open a phone number on iOS, for example, skype:.")] String CustomDialerAppProtocol; + [Write, Description("Count of apps to which the current policy is deployed.")] UInt32 DeployedAppCount; + [Write, Description("The classes of dialer apps that are allowed to click-to-open a phone number."), ValueMap{"allApps","managedApps","customApp","blocked"}, Values{"allApps","managedApps","customApp","blocked"}] String DialerRestrictionLevel; + [Write, Description("A list of custom urls that are allowed to invocate an unmanaged app.")] String ExemptedUniversalLinks[]; + [Write, Description("A grace period before blocking app access during off clock hours.")] String GracePeriodToBlockAppsDuringOffClockHours; + [Write, Description("Indicates if the policy is deployed to any inclusion groups or not.")] Boolean IsAssigned; + [Write, Description("A list of custom urls that are allowed to invocate a managed app.")] String managedUniversalLinks[]; + [Write, Description("Maximum allowed device threat level, as reported by the MTD app Inherited from managedAppProtection."), ValueMap{"notConfigured","secured","low","medium","high"}, Values{"notConfigured","secured","low","medium","high"}] String MaximumAllowedDeviceThreatLevel; + [Write, Description("Versions bigger than the specified version will block the managed app 
from accessing company data. Inherited from managedAppProtection.")] String MaximumRequiredOsVersion; + [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String MaximumWarningOsVersion; + [Write, Description("Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection.")] String MaximumWipeOsVersion; + [Write, Description("When a specific app redirection is enforced by protectedMessagingRedirectAppType in an App Protection Policy, this value defines the app url redirect schemes which are allowed to be used.")] String MessagingRedirectAppUrlScheme; + [Write, Description("Versions less than the specified version will result in warning message on the managed app from accessing company data.")] String MinimumWarningSdkVersion; + [Write, Description("Indicates how to prioritize which Mobile Threat Defense (MTD) partner is enabled for a given platform, when more than one is enabled. An app can only be actively using a single Mobile Threat Defense partner. When NULL, Microsoft Defender will be given preference. Otherwise setting the value to defenderOverThirdPartyPartner or thirdPartyPartnerOverDefender will make explicit which partner to prioritize."), ValueMap{"defenderOverThirdPartyPartner","thirdPartyPartnerOverDefender","unknownFutureValue"}, Values{"defenderOverThirdPartyPartner","thirdPartyPartnerOverDefender","unknownFutureValue"}] String MobileThreatDefensePartnerPriority; + [Write, Description("Determines what action to take if the mobile threat defense threat threshold isn't met. 
Warn isn't a supported value for this property Inherited from managedAppProtection."), ValueMap{"block","wipe","warn","blockWhenSettingIsSupported"}, Values{"block","wipe","warn","blockWhenSettingIsSupported"}] String MobileThreatDefenseRemediationAction; + [Write, Description("Requires a pin to be unique from the number specified in this property. Inherited from managedAppProtection.")] UInt32 PreviousPinBlockCount; + [Write, Description("Defines how app messaging redirection is protected by an App Protection Policy. Default is anyApp. Inherited from managedAppProtection."), ValueMap{"anyApp","anyManagedApp","specificApps","blocked"}, Values{"anyApp","anyManagedApp","specificApps","blocked"}] String ProtectedMessagingRedirectAppType; + [Write, Description("Defines if third party keyboards are allowed while accessing a managed app.")] Boolean ThirdPartyKeyboardsBlocked; [Write, Description("The period after which access is checked when the device is not connected to the internet.")] String PeriodOfflineBeforeAccessCheck; [Write, Description("The period after which access is checked when the device is connected to the internet.")] String PeriodOnlineBeforeAccessCheck; [Write, Description("Sources from which data is allowed to be transferred. Possible values are: allApps, managedApps, none."), ValueMap{"allApps","managedApps", "none"}, Values{"allApps","managedApps", "none"}] String AllowedInboundDataTransferSources; 
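Review bot: The ValueMap for `MobileThreatDefenseRemediationAction` admits `warn` while its own description says `Warn isn't a supported value for this property`, so a configuration using `warn` passes schema validation (and the matching `[ValidateSet]` in the three psm1 param blocks) and only fails, or is silently ignored, at the service — a bad outcome for a threat-defense remediation setting; either drop `warn` from this ValueMap/Values pair and the three ValidateSets, or reword the description to state what the service does with it. Three smaller things in the same hunk: the `AppActionIfUnableToAuthenticateUser` description ends with a stray `. .`; the `MaximumRequiredOsVersion`, `MaximumWarningOsVersion` and `MaximumWipeOsVersion` descriptions are word-for-word identical although the names imply block/warn/wipe outcomes (the `MinimumWarningSdkVersion` line two entries down shows the wording pattern for the warn case); and `String managedUniversalLinks[]` / `boolean BlockDataIngestionIntoOrganizationDocuments` break the PascalCase/`Boolean` convention every neighbouring line follows.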
@@ -41,7 +65,7 @@ class MSFT_IntuneAppProtectionPolicyiOS : OMI_BaseResource [Write, Description("Specify the number of characters that may be cut or copied from Org data and accounts to any application. This setting overrides the AllowedOutboundClipboardSharingLevel restriction. Default value of '0' means no exception is allowed.")] Uint32 AllowedOutboundClipboardSharingExceptionLength; [Write, Description("Specify app notification restriction."), ValueMap{"allow","blockOrganizationalData","block"}, Values{"allow","blockOrganizationalData","block"}] String NotificationRestriction; [Write, Description("The intended app management levels for this policy."), ValueMap{"unspecified","unmanaged","mdm","androidEnterprise"}, Values{"unspecified","unmanaged","mdm","androidEnterprise"}] String TargetedAppManagementLevels[]; - [Write, Description("Require app data to be encrypted."), Values{"useDeviceSettings","afterDeviceRestart","whenDeviceLockedExceptOpenFiles","whenDeviceLocked"}, ValueMap{"useDeviceSettings","afterDeviceRestart","whenDeviceLockedExceptOpenFiles","whenDeviceLocked"}] String AppDataEncryptionType; + [Write, Description("Require app data to be encrypted."), Values{"useDeviceSettings","afterDeviceRestart","whenDeviceLockedExceptOpenFiles","whenDeviceLocked"}, ValueMap{"useDeviceSettings","afterDeviceRestart","whenDeviceLockedExceptOpenFiles","whenDeviceLocked"}] String AppDataEncryptionType; [Write, Description("Apps in this list will be exempt from the policy and will be able to receive data from managed apps.")] String ExemptedAppProtocols[]; [Write, Description("Versions less than the specified version will block the managed app from accessing company data.")] String MinimumWipeSdkVersion; [Write, Description("Semicolon seperated list of device models allowed, as a string, for the managed app to work.")] String AllowedIosDeviceModels[]; 
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1
index f9816cfe26..90e6e2a2d3 100644
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppProtectionPolicyiOS.Tests.ps1
@@ -77,45 +77,73 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "When the Policy doesn't already exist" -Fixture { BeforeAll { $testParams = @{ - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') - Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - Ensure = 'Present' - ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') - FaceIdBlocked = $False - FingerprintBlocked = $False - Credential = $Credential - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOSVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOSVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - Identity = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = @('unmanaged') + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + 
AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + ThirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') + Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + Ensure = 'Present' + ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') + FaceIdBlocked = $False + FingerprintBlocked = $False + Credential = $Credential + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOSVersion = '0.2' + 
MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOSVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + Identity = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = @('unmanaged') } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtection -MockWith { return $null 
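Review bot: None of the new fixture values exercises the blank-version handling the commit adds to Set-TargetResource — `MaximumRequiredOsVersion`, `MaximumWarningOsVersion` and `MaximumWipeOsVersion` are all `"1"` and `MinimumWarningSdkVersion` is absent, so the `$arrayTemp` removal loop never removes anything — and `GracePeriodToBlockAppsDuringOffClockHours`, `AppActionIfAccountIsClockedOut` and `MobileThreatDefensePartnerPriority` are not in the fixture although the resource now accepts them. Setting one of them blank, e.g. `MaximumWipeOsVersion = ''`, and asserting via `Should -Invoke ... -ParameterFilter` that the body passed to `New-MgBetaDeviceAppManagementiOSManagedAppProtection` lacks that key would cover the branch. Style-wise the new entries use `;` terminators and double quotes while the retained ones use neither, and the fixture carries `CustomBrowserProtocol`, which is not among the parameters this commit adds — worth checking the existing param block accepts it, since the same fixture is pasted again into the 'NOT in the Desired State' context below.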
@@ -139,84 +167,140 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'When the policy already exists and is NOT in the Desired State' -Fixture { BeforeAll { $testParams = @{ - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') - Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - Ensure = 'Present' - ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') - FaceIdBlocked = $False - FingerprintBlocked = $False - Credential = $Credential - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOSVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOSVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $False; #Drift - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - Identity = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = @('unmanaged') + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + 
AppActionIfIosDeviceModelNotAllowed = "block"; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + ThirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') + Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + Ensure = 'Present' + ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') + FaceIdBlocked = $False + FingerprintBlocked = $False + Credential = $Credential + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + 
MinimumRequiredOSVersion = '0.2' + MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOSVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $False; #Drift + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + Identity = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = @('unmanaged') } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtection -MockWith { return @{ '@odata.type' = '#microsoft.graph.iosManagedAppProtection' - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - FaceIdBlocked = $False - FingerprintBlocked = $False - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOSVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOSVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - 
PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - id = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = 'unmanaged' + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + ThirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + FaceIdBlocked = $False + 
FingerprintBlocked = $False + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOSVersion = '0.2' + MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOSVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + id = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = 'unmanaged' } } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtectionApp -MockWith { 
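Review bot: The drift in this context is still only `ManagedBrowserToOpenLinksRequired = $False; #Drift`, so none of the properties this fix adds (the string arrays `AllowedDataIngestionLocations`, `ExemptedUniversalLinks`, `ManagedUniversalLinks` and the enum-typed `AppActionIf*`/`DialerRestrictionLevel` values) is ever shown to produce a non-compliant result, and array-vs-scalar and ordering comparisons are exactly where Test-TargetResource tends to regress. Drift one of the new array values instead of, or in addition to, the existing one, e.g. `AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint"); #Drift`, or add a sibling context for it. `DeployedAppCount = 3` and `IsAssigned = $True` are also passed as desired state here; those look like server-computed, read-only Graph properties (to confirm against the resource's Set/Test path), and if they are, the test should not imply they can be enforced. The `$testParams` hashtable and the mock begin inside this hunk, but the surrounding `Context` block continues past it.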
@@ -286,82 +370,138 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'When the policy already exists and IS in the Desired State' -Fixture { BeforeAll { $testParams = @{ - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - Ensure = 'Present' - FaceIdBlocked = $False - FingerprintBlocked = $False - Credential = $Credential - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOsVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOsVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - Identity = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = @('unmanaged') + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + 
BlockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + ThirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + Ensure = 'Present' + FaceIdBlocked = $False + FingerprintBlocked = $False + Credential = $Credential + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOsVersion = '0.2' + MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOsVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + 
OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + Identity = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = @('unmanaged') } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtection -MockWith { return @{ '@odata.type' = '#microsoft.graph.iosManagedAppProtection' - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - FaceIdBlocked = $False - FingerprintBlocked = $False - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOsVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOsVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - id = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = 'unmanaged' + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + 
AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + ThirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + FaceIdBlocked = $False + FingerprintBlocked = $False + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOsVersion = '0.2' + MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOsVersion = '0.1' + 
ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + id = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = 'unmanaged' } } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtectionApp -MockWith { 
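Review bot: The fixture values copied into the 'IS in the Desired State' case form a permissive baseline — `MaximumAllowedDeviceThreatLevel = "low"`, `DialerRestrictionLevel = "allApps"`, `ProtectInboundDataFromUnknownSources = $False`, and `ManagedUniversalLinks`/`ExemptedUniversalLinks` patterns over plain `http://` — which is fine for a mock round-trip, but since these blocks tend to get lifted into examples a one-line `# fixture values only; not a recommended security baseline` above `$testParams` would prevent that. `MessagingRedirectAppUrlScheme = "https://www.fakesite.com"` is also a full URL where the property name suggests a bare URL scheme; presumably the resource passes the string through untouched, but a fixture that looks like valid input is easier to reason about. On style, the new entries use double quotes and trailing semicolons while the retained ones use single quotes and none, and this hunk spells `MinimumRequiredOsVersion`/`MinimumWarningOsVersion` while the neighbouring contexts use `...OSVersion` — harmless under PowerShell's case-insensitive binding, but worth normalising to the casing declared in the resource's parameter block. The enclosing `Context` block runs past the end of the hunk.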
@@ -422,84 +562,140 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name 'When the policy exists and it SHOULD NOT' -Fixture { BeforeAll { $testParams = @{ - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') - Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - Ensure = 'Absent' - ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') - FaceIdBlocked = $False - FingerprintBlocked = $False - Credential = $Credential - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOSVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOSVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - Identity = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = @('unmanaged') + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + 
AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + ThirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + Apps = @('com.cisco.jabberimintune.ios', 'com.pervasent.boardpapers.ios', 'com.sharefile.mobile.intune.ios') + Assignments = @('6ee86c9f-2b3c-471d-ad38-ff4673ed723e') + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + Ensure = 'Absent' + ExcludedGroups = @('3eacc231-d77b-4efb-bb5f-310f68bd6198') + FaceIdBlocked = $False + FingerprintBlocked = $False + Credential = $Credential + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOSVersion = '0.2' + 
MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOSVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + Identity = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = @('unmanaged') } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtection -MockWith { return @{ - '@odata.type' = '#microsoft.graph.iosManagedAppProtection' - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - FaceIdBlocked = $False - FingerprintBlocked = $False - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOSVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOSVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = 
$True - SimplePinBlocked = $False - id = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = 'unmanaged' + '@odata.type' = '#microsoft.graph.iosManagedAppProtection' + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + CustomDialerAppProtocol = "skype"; + DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + ThirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + 
FaceIdBlocked = $False + FingerprintBlocked = $False + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOSVersion = '0.2' + MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOSVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = $False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + id = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = 'unmanaged' } } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtectionApp -MockWith { 
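Review bot: For the `Ensure = 'Absent'` case the several dozen policy settings added to `$testParams` are dead weight — the removal path needs only `Identity`/`DisplayName` plus `Credential`, and duplicating the full property set here means every future property has to be mirrored in four places. Consider trimming this context's `$testParams` to the identifying keys, or building the shared settings once in a `BeforeAll` hashtable and splatting them into each context. The mock's `'@odata.type' = '#microsoft.graph.iosManagedAppProtection'` line is removed and re-added with text that appears identical, so presumably a whitespace-only change; worth confirming no key was dropped in the process. The `Context` block and its remaining mocks continue beyond this hunk.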
@@ -577,40 +773,68 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtection -MockWith { return @{ '@odata.type' = '#microsoft.graph.iosManagedAppProtection' - AllowedDataStorageLocations = @('sharePoint') - AllowedInboundDataTransferSources = 'managedApps' - AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' - AllowedOutboundDataTransferDestinations = 'managedApps' - AppDataEncryptionType = 'whenDeviceLocked' - ContactSyncBlocked = $False - DataBackupBlocked = $False - Description = '' - DeviceComplianceRequired = $True - DisplayName = 'DSC Policy' - FaceIdBlocked = $False - FingerprintBlocked = $False - ManagedBrowser = 'microsoftEdge' - MinimumRequiredAppVersion = '0.2' - MinimumRequiredOSVersion = '0.2' - MinimumRequiredSdkVersion = '0.1' - MinimumWarningAppVersion = '0.1' - MinimumWarningOSVersion = '0.1' - ManagedBrowserToOpenLinksRequired = $True - MaximumPinRetries = 5 - MinimumPinLength = 4 - OrganizationalCredentialsRequired = $False - PeriodBeforePinReset = '90.00:00:00' - PeriodOfflineBeforeAccessCheck = '12:00:00' - PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' - PeriodOnlineBeforeAccessCheck = '00:30:00' - PinCharacterSet = 'alphanumericAndSymbol' - PinRequired = $True - DisableAppPinIfDevicePinIsSet = $False - PrintBlocked = $False - SaveAsBlocked = $True - SimplePinBlocked = $False - id = '12345-12345-12345-12345-12345' - TargetedAppManagementLevels = 'unmanaged' + AllowedDataIngestionLocations = @("oneDriveForBusiness","sharePoint","camera"); + AllowedOutboundClipboardSharingExceptionLength = 0; + AllowWidgetContentSync = $True; + AppActionIfDeviceComplianceRequired = "wipe"; + AppActionIfIosDeviceModelNotAllowed = "block"; + AppActionIfUnableToAuthenticateUser = "block"; + AppGroupType = "selectedPublicApps"; + BlockDataIngestionIntoOrganizationDocuments = $True; + CustomBrowserProtocol = "access://open?url=http"; + CustomDialerAppProtocol = "skype"; + 
DeployedAppCount = 3; + DialerRestrictionLevel = "allApps"; + DisableProtectionOfManagedOutboundOpenInData = $False; + ExemptedUniversalLinks = @("http://facetime.apple.com","http://maps.apple.com","https://facetime.apple.com","https://maps.apple.com"); + FilterOpenInToOnlyManagedApps = $False; + IsAssigned = $True; + ManagedUniversalLinks = @("http://*.appsplatform.us/*","http://*.onedrive.com/*","http://*.powerapps.cn/*"); + MaximumAllowedDeviceThreatLevel = "low"; + MaximumRequiredOsVersion = "1"; + MaximumWarningOsVersion = "1"; + MaximumWipeOsVersion = "1"; + MessagingRedirectAppUrlScheme = "https://www.fakesite.com"; + MobileThreatDefenseRemediationAction = "block"; + NotificationRestriction = "blockOrganizationalData"; + PreviousPinBlockCount = 0; + ProtectedMessagingRedirectAppType = "anyApp"; + ProtectInboundDataFromUnknownSources = $False; + ThirdPartyKeyboardsBlocked = $True; + AllowedDataStorageLocations = @('sharePoint') + AllowedInboundDataTransferSources = 'managedApps' + AllowedOutboundClipboardSharingLevel = 'managedAppsWithPasteIn' + AllowedOutboundDataTransferDestinations = 'managedApps' + AppDataEncryptionType = 'whenDeviceLocked' + ContactSyncBlocked = $False + DataBackupBlocked = $False + Description = '' + DeviceComplianceRequired = $True + DisplayName = 'DSC Policy' + FaceIdBlocked = $False + FingerprintBlocked = $False + ManagedBrowser = 'microsoftEdge' + MinimumRequiredAppVersion = '0.2' + MinimumRequiredOSVersion = '0.2' + MinimumRequiredSdkVersion = '0.1' + MinimumWarningAppVersion = '0.1' + MinimumWarningOSVersion = '0.1' + ManagedBrowserToOpenLinksRequired = $True + MaximumPinRetries = 5 + MinimumPinLength = 4 + OrganizationalCredentialsRequired = $False + PeriodBeforePinReset = '90.00:00:00' + PeriodOfflineBeforeAccessCheck = '12:00:00' + PeriodOfflineBeforeWipeIsEnforced = '90.00:00:00' + PeriodOnlineBeforeAccessCheck = '00:30:00' + PinCharacterSet = 'alphanumericAndSymbol' + PinRequired = $True + DisableAppPinIfDevicePinIsSet = 
$False + PrintBlocked = $False + SaveAsBlocked = $True + SimplePinBlocked = $False + id = '12345-12345-12345-12345-12345' + TargetedAppManagementLevels = 'unmanaged' } } Mock -CommandName Get-MgBetaDeviceAppManagementiosManagedAppProtectionApp -MockWith {