From 67d96b0fcfb700114a9c2e1ed8d48ece45a9cd30 Mon Sep 17 00:00:00 2001 From: dannyKBjj Date: Wed, 18 Dec 2024 15:07:53 +0000 Subject: [PATCH] MSFT_IntuneTrustedRootCertificateAndroidWork Adds certificate support for Android Work Configuration Profiles. --- CHANGELOG.md | 2 + ...tuneTrustedRootCertificateAndroidWork.psm1 | 701 ++++++++++++++++++ ...ustedRootCertificateAndroidWork.schema.mof | 29 + .../readme.md | 6 + .../settings.json | 44 ++ .../1-Create.ps1 | 36 + .../2-Update.ps1 | 36 + .../3-Remove.ps1 | 34 + ...rustedRootCertificateAndroidWork.Tests.ps1 | 225 ++++++ 9 files changed, 1113 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/MSFT_IntuneTrustedRootCertificateAndroidWork.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/MSFT_IntuneTrustedRootCertificateAndroidWork.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneTrustedRootCertificateAndroidWork/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneTrustedRootCertificateAndroidWork/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneTrustedRootCertificateAndroidWork/3-Remove.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneTrustedRootCertificateAndroidWork.Tests.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index ec62e49028..2e70516c95 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,6 +5,8 @@ * AADApplication * Added support for Oauth2PermissionScopes. * Fixes comparison issue for permissions. +* IntuneTrustedRootCertificateAndroidWork + * Initial Release * TeamsMeetingPolicy * Adds support for additional Copilot setting value. * FIXES [#5573](https://github.com/microsoft/Microsoft365DSC/issues/5573) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/MSFT_IntuneTrustedRootCertificateAndroidWork.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/MSFT_IntuneTrustedRootCertificateAndroidWork.psm1 new file mode 100644 index 0000000000..0fa0f59232 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/MSFT_IntuneTrustedRootCertificateAndroidWork.psm1 
@@ -0,0 +1,701 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $certFileName, + + [Parameter()] + [System.String] + $trustedRootCertificate, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + } + catch + { + Write-Verbose -Message 'Connection to the workload failed.' + } + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if (-not [string]::IsNullOrWhiteSpace($id)) + { + $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $id -ErrorAction SilentlyContinue + } + + #region resource generator code + if ($null -eq $getValue) + { + $getValue = Get-MgBetaDeviceManagementDeviceConfiguration -All -Filter "DisplayName eq '$Displayname'" -ErrorAction SilentlyContinue | Where-Object ` + -FilterScript { ` + $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.androidWorkProfileTrustedRootCertificate' ` + } + } + #endregion + + if ($null -eq $getValue) + { + Write-Verbose -Message "No Intune Trusted Root Certificate Policy for Android Work with Id {$id} was found" + return $nullResult + } + + $Id = $getValue.Id + + Write-Verbose -Message "An Intune Trusted Root Certificate Policy for Android Work with id {$id} and DisplayName {$DisplayName} was found" + + $results = @{ + #region resource generator code + Id = $getValue.Id + Description = $getValue.Description + DisplayName = $getValue.DisplayName + certFileName = $getValue.AdditionalProperties.certFileName + trustedRootCertificate = $getValue.AdditionalProperties.trustedRootCertificate + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + version = $getValue.AdditionalProperties.version + } + + $assignmentsValues = 
Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Results.Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $certFileName, + + [Parameter()] + [System.String] + $trustedRootCertificate, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + } + catch + { + Write-Verbose -Message $_ + } + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating {$DisplayName}" + $BoundParameters.Remove('Assignments') | Out-Null + $CreateParameters = ([Hashtable]$BoundParameters).clone() + $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters + $AdditionalProperties = Get-M365DSCAdditionalProperties -Properties ($CreateParameters) + + foreach ($key in $AdditionalProperties.keys) + { + if ($key -ne '@odata.type') + { + $keyName = $key.substring(0, 1).ToUpper() + $key.substring(1, $key.length - 1) + $CreateParameters.remove($keyName) + } + } + + if ($AdditionalProperties.ContainsKey('trustedRootCertificate')) { + $AdditionalProperties['trustedRootCertificate'] = [Convert]::FromBase64String($AdditionalProperties['trustedRootCertificate']) + Write-Verbose "trustedRootCertificate converted to bytes." 
+ } + + $CreateParameters.Remove('Id') | Out-Null + + foreach ($key in ($CreateParameters.clone()).Keys) + { + if ($CreateParameters[$key].getType().Fullname -like '*CimInstance*') + { + $CreateParameters[$key] = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters[$key] + } + } + + $CreateParameters.add('AdditionalProperties', $AdditionalProperties) + + #region resource generator code + $policy = New-MgBetaDeviceManagementDeviceConfiguration @CreateParameters + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + + if ($policy.id) + { + Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceConfigurations' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating {$DisplayName}" + $BoundParameters.Remove('Assignments') | Out-Null + $UpdateParameters = ([Hashtable]$BoundParameters).clone() + $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters + $AdditionalProperties = Get-M365DSCAdditionalProperties -Properties ($UpdateParameters) + + foreach ($key in $AdditionalProperties.keys) + { + if ($key -ne '@odata.type') + { + $keyName = $key.substring(0, 1).ToUpper() + $key.substring(1, $key.length - 1) + $UpdateParameters.remove($keyName) + } + } + + if ($AdditionalProperties.ContainsKey('trustedRootCertificate')) { + $AdditionalProperties['trustedRootCertificate'] = [Convert]::FromBase64String($AdditionalProperties['trustedRootCertificate']) + Write-Verbose "trustedRootCertificate converted to bytes." 
+ } + + $UpdateParameters.Remove('Id') | Out-Null + + foreach ($key in ($UpdateParameters.clone()).Keys) + { + if ($UpdateParameters[$key].getType().Fullname -like '*CimInstance*') + { + $UpdateParameters[$key] = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters[$key] + } + } + $UpdateParameters.add('AdditionalProperties', $AdditionalProperties) + + #region resource generator code + Update-MgBetaDeviceManagementDeviceConfiguration @UpdateParameters ` + -DeviceConfigurationId $currentInstance.Id + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceConfigurations' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing {$DisplayName}" + #region resource generator code + Remove-MgBetaDeviceManagementDeviceConfiguration -DeviceConfigurationId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $certFileName, + + [Parameter()] + [System.String] + $trustedRootCertificate, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + 
[Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of {$id}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) { break } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + #Convert any DateTime to String + foreach ($key in $ValuesToCheck.Keys) + { + if (($null -ne $CurrentValues[$key]) ` + -and ($CurrentValues[$key].getType().Name -eq 'DateTime')) + { + $CurrentValues[$key] = $CurrentValues[$key].toString() + } + } + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues 
` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + + #region resource generator code + [array]$getValue = Get-MgBetaDeviceManagementDeviceConfiguration -Filter $Filter -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { ` + $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.androidWorkProfileTrustedRootCertificate' ` + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + 
Write-Host " |---[$i/$($getValue.Count)] $($config.DisplayName)" -NoNewline + $params = @{ + Id = $config.id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Assignments) + { + $isCIMArray = $false + if ($Results.Assignments.getType().Fullname -like '*[[\]]') + { + $isCIMArray = $true + } + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$isCIMArray + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + + return $dscContent + } + catch + { + if ($_.Exception -like '*401*' -or $_.ErrorDetails.Message -like "*`"ErrorCode`":`"Forbidden`"*" -or ` + $_.Exception -like "*Request not applicable to target tenant*") + { + Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) The current tenant is not registered for Intune." 
+ } + else + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + } + + return '' + } +} + +function Get-M365DSCAdditionalProperties +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = 'true')] + [System.Collections.Hashtable] + $Properties + ) + + $additionalProperties = @( + 'certFileName' + 'trustedRootCertificate' + ) + + $results = @{'@odata.type' = '#microsoft.graph.androidWorkProfileTrustedRootCertificate' } + $cloneProperties = $Properties.clone() + foreach ($property in $cloneProperties.Keys) + { + if ($property -in ($additionalProperties) ) + { + $propertyName = $property[0].ToString().ToLower() + $property.Substring(1, $property.Length - 1) + if ($properties.$property -and $properties.$property.getType().FullName -like '*CIMInstance*') + { + if ($properties.$property.getType().FullName -like '*[[\]]') + { + $array = @() + foreach ($item in $properties.$property) + { + $array += Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $item + } + $propertyValue = $array + } + else + { + $propertyValue = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $properties.$property + } + + } + else + { + $propertyValue = $properties.$property + } + + $results.Add($propertyName, $propertyValue) + } + } + if ($results.Count -eq 1) + { + return $null + } + return $results +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/MSFT_IntuneTrustedRootCertificateAndroidWork.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/MSFT_IntuneTrustedRootCertificateAndroidWork.schema.mof new file mode 100644 index 0000000000..3a1e6a0b50 --- /dev/null 
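Review bot: Get-TargetResource builds its fallback query as `-Filter "DisplayName eq '$Displayname'"`, interpolating the caller's value into OData unescaped, so a display name containing a single quote yields a malformed or unintended filter; escape it first with `$escapedName = $DisplayName.Replace("'", "''")` and filter on `'$escapedName'`. The create and update branches of Set-TargetResource then decode trustedRootCertificate with `[Convert]::FromBase64String` and hand the raw bytes to Graph as a trust anchor for every assigned work profile without checking that they are a certificate at all; parsing them as an X509Certificate2 first, and logging Subject and Thumbprint at verbose level, rejects garbage before it reaches the tenant and leaves a record of which CA was deployed, as sketched below for the create branch (the update branch is identical). Note also that Get-M365DSCAdditionalProperties returns $null when neither certFileName nor trustedRootCertificate is bound, after which `$AdditionalProperties.ContainsKey(...)` throws a null-method error and the request would carry no @odata.type, so a Present desired state without a certificate fails with an unrelated message rather than a clear validation error.
```powershell
# … unchanged: parameter mapping into $AdditionalProperties …
if ($AdditionalProperties.ContainsKey('trustedRootCertificate')) {
    $certBytes = [Convert]::FromBase64String($AdditionalProperties['trustedRootCertificate'])
    # Fail before anything is sent to Graph if the blob is not a certificate: a trust anchor
    # pushed to every assigned work profile must never be an opaque or corrupted byte string.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
    Write-Verbose -Message "trustedRootCertificate parsed: Subject={$($cert.Subject)} Thumbprint={$($cert.Thumbprint)}"
    $AdditionalProperties['trustedRootCertificate'] = $certBytes
}
# … unchanged: CIM conversion and New-MgBetaDeviceManagementDeviceConfiguration call …
```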
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/MSFT_IntuneTrustedRootCertificateAndroidWork.schema.mof 
@@ -0,0 +1,29 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_DeviceManagementConfigurationPolicyAssignments
+{
+ [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType;
+ [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType;
+ [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId;
+ [Write, Description("The group Id that is the target of the assignment.")] String groupId;
+ [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName;
+ [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneTrustedRootCertificateAndroidWork")]
+class MSFT_IntuneTrustedRootCertificateAndroidWork : OMI_BaseResource
+{
+ [Write, Description("Id of the Intune policy.")] String Id;
+ [Key, Description("Display name of the Intune policy.")] String DisplayName;
+ [Write, Description("Admin provided description of the Device Configuration. Inherited from managedDeviceMobileAppConfiguration")] String Description;
+ [Write, Description("File name to display in UI.")] String certFileName;
+ [Write, Description("Trusted Root Certificate.")] String trustedRootCertificate;
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
+ [Write, Description("Credentials of the Intune Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/readme.md
new file mode 100644
index 0000000000..6643b78dd2
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneTrustedRootCertificateAndroidWork
+
+## Description
+
+This resource configures an Intune Android Work Trusted Root Certificate Policy.
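Review bot: The Description attribute text `Inherited from managedDeviceMobileAppConfiguration` does not match this resource, whose module reads and writes deviceManagement/deviceConfigurations, so drop that clause or replace it with `Inherited from deviceConfiguration`. The trustedRootCertificate property is documented only as `Trusted Root Certificate.`, although the Set path decodes the value with FromBase64String before sending it to Graph; describe it as `Base64-encoded bytes of the root CA certificate (.cer) that the Android work profile will trust.` so that a consumer does not paste PEM armor, a file path, or a thumbprint. Because this value becomes a trust anchor on every assigned device, it is also worth stating in the same description that it must be the exact DER bytes of the intended CA.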
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/settings.json
new file mode 100644
index 0000000000..14290a3a7a
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneTrustedRootCertificateAndroidWork/settings.json
@@ -0,0 +1,44 @@
+{
+ "resourceName": "IntuneTrustedRootCertificateAndroidWork",
+ "description": "This resource configures an Android Work Intune Trusted Root Certificate Policy.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "Group.Read.All"
+ },
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "Group.Read.All"
+ },
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "Group.Read.All"
+ },
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "Group.Read.All"
+ },
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneTrustedRootCertificateAndroidWork/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneTrustedRootCertificateAndroidWork/1-Create.ps1
new file mode 100644
index 0000000000..7c66426874
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneTrustedRootCertificateAndroidWork/1-Create.ps1
@@ -0,0 +1,36 @@
+<#
+This example creates a new Intune Trusted Root Certificate Configuration Policy for Android Work devices
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName 'Microsoft365DSC'
+
+ Node localhost
+ {
+ IntuneTrustedRootCertificateAndroidWork "ConfigureIntuneTrustedRootCertificateAndroidWork"
+ {
+ Description = "IntuneTrustedRootCertificateAndroidWork Description";
+ DisplayName = "IntuneTrustedRootCertificateAndroidWork DisplayName";
+ Ensure = "Present";
+ certFileName = "fakename.cer";
+ trustedRootCertificate = "insertValidBase64StringHere";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneTrustedRootCertificateAndroidWork/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneTrustedRootCertificateAndroidWork/2-Update.ps1
new file mode 100644
index 0000000000..4ae26ec5c8
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneTrustedRootCertificateAndroidWork/2-Update.ps1
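Review bot: The placeholder `trustedRootCertificate = "insertValidBase64StringHere";` gives no hint of what encoding the resource expects, and the module decodes this value with FromBase64String before sending it to Graph, so a reader who pastes PEM text or a file path will get a decode failure at apply time. Add a comment above that line such as `# Base64 of the DER-encoded .cer bytes, e.g. [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\certs\root.cer'))`. Since the policy installs a trust anchor on every device it is assigned to, a second comment noting that the value must be the exact bytes of the intended CA, not an intermediate or a test certificate, would also be appropriate in a create example.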
@@ -0,0 +1,36 @@
+<#
+This example creates a new Intune Trusted Root Certificate Configuration Policy for Android Work devices
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName 'Microsoft365DSC'
+
+ Node localhost
+ {
+ IntuneTrustedRootCertificateAndroidWork "ConfigureIntuneTrustedRootCertificateAndroidWork"
+ {
+ Description = "IntuneTrustedRootCertificateAndroidWork Description";
+ DisplayName = "IntuneTrustedRootCertificateAndroidWork DisplayName";
+ Ensure = "Present";
+ certFileName = "newfakename.cer"; #changed value
+ trustedRootCertificate = "insertValidBase64StringHereForAnotherCert" #changed value
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneTrustedRootCertificateAndroidWork/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneTrustedRootCertificateAndroidWork/3-Remove.ps1
new file mode 100644
index 0000000000..e85b7ffbe9
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneTrustedRootCertificateAndroidWork/3-Remove.ps1
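Review bot: The header comment `This example creates a new Intune Trusted Root Certificate Configuration Policy for Android Work devices` is carried over from 1-Create.ps1, but this example changes certFileName and trustedRootCertificate on an existing policy; change it to `This example updates the certificate of an existing Intune Trusted Root Certificate Configuration Policy for Android Work devices`. The `#changed value` markers would be more useful if they also said that the DisplayName must stay identical to the one used at creation, since the schema keys the resource on DisplayName and a different name would create a second policy rather than rotate the certificate. Rotating a trust anchor is a fleet-wide change, so a one-line reminder that the old root stops being trusted on assigned devices once this applies belongs in the example too.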
@@ -0,0 +1,34 @@
+<#
+This example creates a new Intune Trusted Root Certificate Configuration Policy for Android Work devices
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName 'Microsoft365DSC'
+
+ Node localhost
+ {
+ IntuneTrustedRootCertificateAndroidWork "ConfigureIntuneTrustedRootCertificateAndroidWork"
+ {
+ Description = "IntuneTrustedRootCertificateAndroidWork Description";
+ DisplayName = "IntuneTrustedRootCertificateAndroidWork DisplayName";
+ Ensure = "Absent";
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneTrustedRootCertificateAndroidWork.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneTrustedRootCertificateAndroidWork.Tests.ps1
new file mode 100644
index 0000000000..9438b7f5a0
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneTrustedRootCertificateAndroidWork.Tests.ps1
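Review bot: The header comment says this example `creates a new` policy, but the block sets `Ensure = "Absent";`, which removes it; change it to `This example removes an existing Intune Trusted Root Certificate Configuration Policy for Android Work devices`. Because the resource is keyed on DisplayName and Get-TargetResource falls back to a DisplayName lookup when no Id is given, the DisplayName here has to match the created policy exactly, otherwise Get reports Absent and nothing is removed; a comment on the DisplayName line saying so would prevent a silent no-op.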
@@ -0,0 +1,225 @@
+[CmdletBinding()]
+param(
+)
+$M365DSCTestFolder = Join-Path -Path $PSScriptRoot `
+ -ChildPath '..\..\Unit' `
+ -Resolve
+$CmdletModule = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Microsoft365.psm1' `
+ -Resolve)
+$GenericStubPath = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Generic.psm1' `
+ -Resolve)
+Import-Module -Name (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\UnitTestHelper.psm1' `
+ -Resolve)
+
+$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule `
+ -DscResource 'IntuneTrustedRootCertificateAndroidWork' -GenericStubModule $GenericStubPath
+Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
+ InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock {
+ Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope
+ BeforeAll {
+ $secpasswd = ConvertTo-SecureString ((New-Guid).ToString()) -AsPlainText -Force
+ $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd)
+
+ Mock -CommandName Confirm-M365DSCDependencies -MockWith {
+ }
+
+ Mock -CommandName New-M365DSCConnection -MockWith {
+ return 'Credentials'
+ }
+
+ Mock -CommandName Update-MgBetaDeviceManagementDeviceConfiguration -MockWith {
+ }
+
+ Mock -CommandName New-MgBetaDeviceManagementDeviceConfiguration -MockWith {
+ }
+
+ Mock -CommandName Remove-MgBetaDeviceManagementDeviceConfiguration -MockWith {
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -MockWith {
+
+ return @()
+ }
+ Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith {
+ }
+ # Mock Write-Host to hide output during the tests
+ Mock -CommandName Write-Host -MockWith {
+ }
+ $Script:exportedInstances =$null
+ $Script:ExportMode = $false
+ }
+
+ # Test contexts
+ Context -Name "When the IntuneTrustedRootCertificateAndroidWork doesn't already exist" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ DisplayName = 'Test IntuneTrustedRootCertificateAndroidWork'
+ Description = 'Test IntuneTrustedRootCertificateAndroidWork Description'
+ certFileName = "FakeStringValue"
+ trustedRootCertificate = "fakestringvalue0"
+ Ensure = 'Present'
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementDeviceConfiguration -MockWith {
+ return $null
+ }
+ }
+
+ It 'Should return absent from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Absent'
+ }
+
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should create the IntuneTrustedRootCertificateAndroidWork from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName 'New-MgBetaDeviceManagementDeviceConfiguration' -Exactly 1
+ }
+ }
+
+ Context -Name 'When the IntuneTrustedRootCertificateAndroidWork already exists and is NOT in the Desired State' -Fixture {
+ BeforeAll {
+ $testParams = @{
+ DisplayName = 'Test IntuneTrustedRootCertificateAndroidWork'
+ Description = 'Test IntuneTrustedRootCertificateAndroidWork Description'
+ certFileName = "FakeStringValue"
+ trustedRootCertificate = "fakestringvalue0"
+ Ensure = 'Present'
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementDeviceConfiguration -MockWith {
+ return @{
+ DisplayName = 'Test IntuneTrustedRootCertificateAndroidWork'
+ Description = 'Different Value'
+ Id = 'e30954ac-a65e-4dcb-ab79-91d45f3c52b4'
+ AdditionalProperties = @{
+ certFileName = "FakeStringValue"
+ trustedRootCertificate = "fakestringvalue0"
+ '@odata.type' = '#microsoft.graph.androidWorkProfileTrustedRootCertificate'
+ }
+ }
+ }
+ }
+
+ It 'Should return Present from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should update the IntuneTrustedRootCertificateAndroidWork from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Update-MgBetaDeviceManagementDeviceConfiguration -Exactly 1
+
+ }
+ }
+
+ Context -Name 'When the policy already exists and IS in the Desired State' -Fixture {
+ BeforeAll {
+ $testParams = @{
+ DisplayName = 'Test IntuneTrustedRootCertificateAndroidWork'
+ Description = 'Test IntuneTrustedRootCertificateAndroidWork Description'
+ certFileName = "FakeStringValue"
+ trustedRootCertificate = "fakestringvalue0"
+ Ensure = 'Present'
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementDeviceConfiguration -MockWith {
+ return @{
+ DisplayName = 'Test IntuneTrustedRootCertificateAndroidWork'
+ Description = 'Test IntuneTrustedRootCertificateAndroidWork Description'
+ Id = 'e30954ac-a65e-4dcb-ab79-91d45f3c52b4'
+ AdditionalProperties = @{
+ certFileName = "FakeStringValue"
+ trustedRootCertificate = "fakestringvalue0"
+ '@odata.type' = '#microsoft.graph.androidWorkProfileTrustedRootCertificate'
+ }
+ }
+ }
+ }
+
+ It 'Should return true from the Test method' {
+ Test-TargetResource @testParams | Should -Be $true
+ }
+ }
+
+ Context -Name 'When the policy exists and it SHOULD NOT' -Fixture {
+ BeforeAll {
+ $testParams = @{
+ DisplayName = 'Test IntuneTrustedRootCertificateAndroidWork'
+ Description = 'Test IntuneTrustedRootCertificateAndroidWork Description'
+ certFileName = "FakeStringValue"
+ trustedRootCertificate = "fakestringvalue0"
+ Ensure = 'Absent'
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementDeviceConfiguration -MockWith {
+ return @{
+ DisplayName = 'Test IntuneTrustedRootCertificateAndroidWork'
+ Description = 'Test IntuneTrustedRootCertificateAndroidWork Description'
+ Id = 'e30954ac-a65e-4dcb-ab79-91d45f3c52b4'
+ AdditionalProperties = @{
+ certFileName = "FakeStringValue"
+ trustedRootCertificate = "fakestringvalue0"
+ '@odata.type' = '#microsoft.graph.androidWorkProfileTrustedRootCertificate'
+ }
+ }
+ }
+ }
+
+ It 'Should return Present from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+
+ It 'Should return true from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should remove the IntuneTrustedRootCertificateAndroidWork from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Remove-MgBetaDeviceManagementDeviceConfiguration -Exactly 1
+ }
+ }
+
+ Context -Name 'ReverseDSC Tests' -Fixture {
+ BeforeAll {
+ $Global:CurrentModeIsExport = $true
+ $Global:PartialExportFileName = "$(New-Guid).partial.ps1"
+ $testParams = @{
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementDeviceConfiguration -MockWith {
+ return @{
+ DisplayName = 'Test IntuneTrustedRootCertificateAndroidWork'
+ Description = 'Test IntuneTrustedRootCertificateAndroidWork Description'
+ Id = 'e30954ac-a65e-4dcb-ab79-91d45f3c52b4'
+ AdditionalProperties = @{
+ certFileName = "FakeStringValue"
+ trustedRootCertificate = "fakestringvalue0"
+ '@odata.type' = '#microsoft.graph.androidWorkProfileTrustedRootCertificate'
+ }
+ }
+ }
+ }
+
+ It 'Should Reverse Engineer resource from the Export method' {
+ $result = Export-TargetResource @testParams
+ $result | Should -Not -BeNullOrEmpty
+ }
+ }
+ }
+}
+
+Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope
\ No newline at end of file
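Review bot: The assignment mock in BeforeAll targets `Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment`, but the resource's Get-TargetResource calls Get-MgBetaDeviceManagementDeviceConfigurationAssignment, so the assignment lookup is never mocked and the Present-path tests depend on whatever the generic stub returns for that name; change it to `Mock -CommandName Get-MgBetaDeviceManagementDeviceConfigurationAssignment -MockWith { return @() }`. In the 'When the policy exists and it SHOULD NOT' context the test named `Should return true from the Test method` asserts `Should -Be $false`; rename it to `It 'Should return false from the Test method' {`. No context passes Assignments or a trustedRootCertificate that fails base64 decoding, so the FromBase64String conversion in Set-TargetResource is only exercised on a value that happens to decode, and a malformed-input case (expecting Set-TargetResource to throw) would pin the behaviour a tenant admin relies on before a bad trust anchor is pushed.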