Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IntuneAppProtectionPolicyiOS Resource in Microsoft365DSC has some issues regarding the implementation #2019

Closed
atdheekurteshi opened this issue Jun 23, 2022 · 3 comments · Fixed by #2085 or #2092
Closed

IntuneAppProtectionPolicyiOS Resource in Microsoft365DSC has some issues regarding the implementation #2019

atdheekurteshi opened this issue Jun 23, 2022 · 3 comments · Fixed by #2085 or #2092
Labels
Bug Something isn't working Intune

Comments

@atdheekurteshi
Copy link

atdheekurteshi commented Jun 23, 2022
edited
Loading

Details of the scenario you tried and the problem that is occurring
When I run the following commands in the PowerShell, everything seems to be working fine for IntuneAppProtectionPolicyiOS:

PS C:\Windows\system32>Connect-MSGraph
$displayName                             = "iOS App Protection Policy"
$description                             = 'TestInune iOS'
$createdDateTime                         = '6/15/2022 8:47:16 AM'
$lastModifiedDateTime                    = '6/15/2022 8:47:16 AM'
$id                                      = 'T_5db44c4e-3b45-4327-8dda-08064d5b9c8c'
$version                                 = '4c09b218-0000-0d00-0000-62a99c940000'
[timespan]$periodOfflineBeforeAccessCheck          = '0'
[timespan]$periodOnlineBeforeAccessCheck           = '5'
$allowedInboundDataTransferSources       = 'managedApps'
$allowedOutboundDataTransferDestinations = 'managedApps'
$organizationalCredentialsRequired       = $false
$allowedOutboundClipboardSharingLevel    = 'allApps'
$dataBackupBlocked                       = $true
$deviceComplianceRequired                = $false
[bool]$managedBrowserToOpenLinksRequired = $true
$saveAsBlocked                           = $true
[timespan]$periodOfflineBeforeWipeIsEnforced       = '90'
$pinRequired                             = $false
$maximumPinRetries                       = 6
$simplePinBlocked                        = $true
$minimumPinLength                        = 6
$pinCharacterSet                         = 'alphanumericAndSymbol'
[timespan]$periodBeforePinReset                    = '0'
$allowedDataStorageLocations             = @('localStorage', 'oneDriveForBusiness', 'sharePoint')
$contactSyncBlocked                      = $true
$printBlocked                            = $false
$fingerprintBlocked                      = $false
$disableAppPinIfDevicePinIsSet           = $false
$minimumRequiredOsVersion                = '13.0'
$minimumWarningOsVersion                 = '13.0'
$minimumRequiredAppVersion               = '0.1'
$minimumWarningAppVersion                = '0.1'
$managedBrowser                          = 'notConfigured'
$isAssigned                              = $true
$appDataEncryptionType                   = 'whenDeviceLocked'
$minimumRequiredSdkVersion               = '0.1'
$deployedAppCount                        = 1
$faceIdBlocked                           = $false
$customBrowserProtocol                   = $null

New-DeviceAppManagement_IosManagedAppProtections -displayName $displayName -description $description -periodOnlineBeforeAccessCheck $periodOnlineBeforeAccessCheck `
-allowedOutboundDataTransferDestinations $allowedOutboundDataTransferDestinations `
-allowedOutboundClipboardSharingLevel $allowedOutboundClipboardSharingLevel `
-saveAsBlocked $saveAsBlocked `
-pinRequired $pinRequired `
-simplePinBlocked $simplePinBlocked `
-minimumPinLength $minimumPinLength `
-allowedDataStorageLocations $allowedDataStorageLocations `
-contactSyncBlocked $contactSyncBlocked `
-printBlocked $printBlocked

### Result - Output

PS C:\Windows\system32> Get-DeviceAppManagement_IosManagedAppProtections
displayName                             : iOS App Protection Policy
description                             : TestInune iOS
createdDateTime                         : 6/23/2022 8:25:03 AM
lastModifiedDateTime                    : 6/23/2022 8:25:03 AM
id                                      : T_e84872ea-a1f6-42f7-bcf7-52c94cbb1730
version                                 : "1703f870-0000-0d00-0000-62b4235f0000"
periodOfflineBeforeAccessCheck          : PT0S
periodOnlineBeforeAccessCheck           : P5D
allowedInboundDataTransferSources       : allApps
allowedOutboundDataTransferDestinations : managedApps
organizationalCredentialsRequired       : False
allowedOutboundClipboardSharingLevel    : allApps
dataBackupBlocked                       : False
deviceComplianceRequired                : False
managedBrowserToOpenLinksRequired       : False
saveAsBlocked                           : True
periodOfflineBeforeWipeIsEnforced       : PT0S
pinRequired                             : False
maximumPinRetries                       : 5
simplePinBlocked                        : True
minimumPinLength                        : 6
pinCharacterSet                         : numeric
periodBeforePinReset                    : PT0S
allowedDataStorageLocations             : {localStorage, oneDriveForBusiness, sharePoint}
contactSyncBlocked                      : True
printBlocked                            : False
fingerprintBlocked                      : False
disableAppPinIfDevicePinIsSet           : False
minimumRequiredOsVersion                : 
minimumWarningOsVersion                 : 
minimumRequiredAppVersion               : 
minimumWarningAppVersion                : 
managedBrowser                          : notConfigured
isAssigned                              : False
appDataEncryptionType                   : useDeviceSettings
minimumRequiredSdkVersion               : 
deployedAppCount                        : 0
faceIdBlocked                           : False
customBrowserProtocol                   :

But when I use the DSC configuration for IntuneAppProtectionPolicyiOS to create a new IntuneAppProtectionPolicyiOS I get a different output of the attributes compared to PowerShell/GUI seems it's not working fine as it supposed to work because almost all attributes are mandatory, and you need to fill all of them to create a policy.
MOF that is used to reproduce the issue (as detailed as possible)
MOF file extract:

/*
@TargetNode='localhost'
@GeneratedBy=
@GenerationDate=
@GenerationHost=
*/
instance of MSFT_IntuneAppProtectionPolicyiOS as $MSFT_IntuneAppProtectionPolicyiOS1ref
{
 MinimumPinLength = 6;
 AllowedInboundDataTransferSources = "managedApps";
 Description = "TestInune iOS";
 Assignments = {
    "123be1234-3c00-40dc-aa7e-rtr624b0a1b5"
};
 DisplayName = "iOS App Protection Policy";
 TenantId = "";
 AllowedOutboundDataTransferDestinations = "managedApps";
 MaximumPinRetries = 6;
 Ensure = "Present";
 SimplePinBlocked = True;
 ResourceID = "[IntuneAppProtectionPolicyiOS]Container-105-3957f023-698f-44a7-8ee8-cc848da7b4ce";
 AllowedOutboundClipboardSharingLevel = "allApps";
 AllowedDataStorageLocations = {
    "localStorage",
    "oneDriveForBusiness",
    "sharePoint"
};
 ApplicationId = "";
 DataBackupBlocked = True;
 ContactSyncBlocked = True;
 CertificateThumbprint = "";
 ModuleVersion = "1.22.615.1";
 SourceInfo = "::10::3::IntuneAppProtectionPolicyiOS";
 ModuleName = "Microsoft365DSC";
 SaveAsBlocked = True;
 PeriodOnlineBeforeAccessCheck = "PT5M";

 ConfigurationName = "MainConfig";

};
instance of OMI_ConfigurationDocument
                {
 Version="2.0.0";
                        MinimumCompatibleVersion = "1.0.0";
                        CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"};
                        Author="";
                        GenerationDate="";
                        GenerationHost="";
                        Name="MainConfig";
                    };

### Result - Output of the DSC Configuration for IntuneAppProtectionPolicyiOS

PS C:\Windows\system32> Publish-DscConfiguration -Path C:\Users\UserPath\Downloads\m365automationnew\MOFs\MainConfig -Force
PS C:\Windows\system32> Start-DscConfiguration -UseExisting -Force -Verbose -Wait                                                                                                                                                       
Current Values: AllowedDataStorageLocations=(localStorage,oneDriveForBusiness,sharePoint); AllowedInboundDataTransferSources=managedApps; AllowedOutboundClipboardSharingLevel=allApps;AllowedOutboundDataTransferDestinations=managedApps; ApplicationId=***; Assignments=(); CertificateThumbprint=; ContactSyncBlocked=True; DataBackupBlocked=True; Description=TestInune iOS; 
DisplayName=iOS App Protection Policy; Ensure=Absent; MaximumPinRetries=6; MinimumPinLength=6;
PeriodOnlineBeforeAccessCheck=PT5M; SaveAsBlocked=True; SimplePinBlocked=True; TenantId=***; Verbose=True
Target Values: AllowedDataStorageLocations=(localStorage,oneDriveForBusiness,sharePoint); 
AllowedInboundDataTransferSources=managedApps; AllowedOutboundClipboardSharingLevel=allApps;                                              
AllowedOutboundDataTransferDestinations=managedApps; ApplicationId=***; Assignments=(); CertificateThumbprint=; 
ContactSyncBlocked=True; DataBackupBlocked=True; Description=TestInune iOS; DisplayName=iOS App Protection Policy; Ensure=Present; MaximumPinRetries=6; MinimumPinLength=6;    
PeriodOnlineBeforeAccessCheck=PT5M; SaveAsBlocked=True; SimplePinBlocked=True; TenantId=***; Verbose=True                                                                                                                                                                                                                                                                  
Test-TargetResource returned False                                                                                                                                                                                            
Checking for the Intune iOS App Protection Policy {iOS App Protection Policy}                                                                                                                                                       
No iOS App Protection Policy {iOS App Protection Policy} was found                                                                                                                                                                  
Creating new iOS App Protection Policy {iOS App Protection Policy}                                                                                                                                                                  
Es ist nicht möglich, eine Methode für einen Ausdruck aufzurufen, der den NULL hat.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : InvokeMethodOnNull
    + PSComputerName        : localhost
Es ist nicht möglich, eine Methode für einen Ausdruck aufzurufen, der den NULL hat.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : InvokeMethodOnNull
    + PSComputerName        : localhost
Es ist nicht möglich, eine Methode für einen Ausdruck aufzurufen, der den NULL hat.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : InvokeMethodOnNull
    + PSComputerName        : localhost
Es ist nicht möglich, eine Methode für einen Ausdruck aufzurufen, der den NULL hat.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : InvokeMethodOnNull
    + PSComputerName        : localhost
Es ist nicht möglich, eine Methode für einen Ausdruck aufzurufen, der den NULL hat.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : InvokeMethodOnNull
    + PSComputerName        : localhost
Es ist nicht möglich, eine Methode für einen Ausdruck aufzurufen, der den NULL hat.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : InvokeMethodOnNull
    + PSComputerName        : localhost
Es ist nicht möglich, eine Methode für einen Ausdruck aufzurufen, der den NULL hat.
    + CategoryInfo          : InvalidOperation: (:) [], CimException                                                                                                                                                                                                                                                                                                           
	+ FullyQualifiedErrorId : InvokeMethodOnNull                                                                                                                                                                                                                                                                                                                               
	+ PSComputerName        : localhost                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
	Es ist nicht möglich, eine Methode für einen Ausdruck aufzurufen, der den NULL hat.                                                                                                                                                                                                                                                                                            
	+ CategoryInfo          : InvalidOperation: (:) [], CimException                                                                                                                                                                                                                                                                                                           
	+ FullyQualifiedErrorId : InvokeMethodOnNull                                                                                                                                                                                                                                                                                                                               
	+ PSComputerName        : localhost                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
JSON:{                                                                                                                                                                                                                                 
		"@odata.type": "#microsoft.graph.iosManagedAppProtection",                                                                                                                                                                                                                                                                                                                 
		"displayName": "iOS App Protection Policy",
                "description": "TestInune iOS",
                "periodOfflineBeforeAccessCheck": "",
                "periodOnlineBeforeAccessCheck": "PT5M",
                "allowedInboundDataTransferSources": "managedApps",                                                                                                                                                                                                                                                                                                                        
		"allowedOutboundDataTransferDestinations": "managedApps",                                                                                                                                                                                                                                                                                                                  
		"organizationalCredentialsRequired": ,                                                                                                                                                                                                                                                                                                                                     
		"allowedOutboundClipboardSharingLevel": "allApps",                                                                                                                                                                                                                                                                                                                         
		"dataBackupBlocked": true,                                                                                                                                                                                                                                                                                                                                                 
		"deviceComplianceRequired": ,                                                                                                                                                                                                                                                                                                                                              
		"managedBrowserToOpenLinksRequired": ,                                                                                                                                                                                                                                                                                                                                     
		"saveAsBlocked": true,                                                                                                                                                                                                                                                                                                                                                     
		"periodOfflineBeforeWipeIsEnforced": "",                                                                                                                                                                                                                                                                                                                                   
		"pinRequired": ,                                                                                                                                                                                                                                                                                                                                                           
		"disableAppPinIfDevicePinIsSet": ,                                                                                                                                                                                                                                                                                                                                         
		"maximumPinRetries": 6,                                                                                                                                                                                                                                                                                                                                                    
		"simplePinBlocked": true,                                                                                                                                                                                                                                                                                                                                                  
		"minimumPinLength": 6,                                                                                                                                                                                                                                                                                                                                                     
		"managedBrowser": "",                                                                                                                                                                                                                                                                                                                                                      
		"minimumRequiredAppVersion": "",                                                                                                                                                                                                                                                                                                                                           
		"minimumRequiredOsVersion": "",                                                                                                                                                                                                                                                                                                                                            
		"minimumRequiredSdkVersion": "",                                                                                                                                                                                                                                                                                                                                           
		"minimumWarningAppVersion": "",                                                                                                                                                                                                                                                                                                                                            
		"minimumWarningOsVersion": "",                                                                                                                                                                                                                                                                                                                                             
		"pinCharacterSet": "",                                                                                                                                                                                                                                                                                                                                                     
		"contactSyncBlocked": true,                                                                                                                                                                                                                                                                                                                                                
		"periodBeforePinReset": "",                                                                                                                                                                                                                                                                                                                                                
		"faceIdBlocked": ,                                                                                                                                                                                                                                                                                                                                                         
		"printBlocked": ,                                                                                                                                                                                                                                                                                                                                                          
		"fingerprintBlocked": ,                                                                                                                                                                                                                                                                                                                                                    
		"appDataEncryptionType": "",                                                                                                                                                                                                                                                                                                                                               
		"allowedDataStorageLocations": [                                                                                                                                                                                                                                                                                                                                   
		"localStorage",                                                                                                                                                                                                                                                                                                                                                            
		"oneDriveForBusiness",                                                                                                                                                                                                                                                                                                                                                     
		"sharePoint"                                                                                                                                                                                                                                                                                                                                                               
		],"apps":[]                                                                                                                                                                                                                                                                                                                                                                
		}                                                                                                                                                                                                                                                                                                                                                                          
		Creating new iOS App Protection policy with JSON payload:                                                                                                                                                                               
		{
			"@odata.type": "#microsoft.graph.iosManagedAppProtection",
			"displayName": "iOS App Protection Policy",
			"description": "TestInune iOS",
			"periodOfflineBeforeAccessCheck": "",
			"periodOnlineBeforeAccessCheck": "PT5M",
			"allowedInboundDataTransferSources": "managedApps",
			"allowedOutboundDataTransferDestinations": "managedApps",
			"organizationalCredentialsRequired": ,
			"allowedOutboundClipboardSharingLevel": "allApps",
			"dataBackupBlocked": true,
			"deviceComplianceRequired": ,
			"managedBrowserToOpenLinksRequired": ,
			"saveAsBlocked": true,
			"periodOfflineBeforeWipeIsEnforced": "",
			"pinRequired": ,
			"disableAppPinIfDevicePinIsSet": ,
			"maximumPinRetries": 6,
			"simplePinBlocked": true,
			"minimumPinLength": 6,
			"managedBrowser": "",
			"minimumRequiredAppVersion": "",
			"minimumRequiredOsVersion": "",
			"minimumRequiredSdkVersion": "",
			"minimumWarningAppVersion": "",
			"minimumWarningOsVersion": "",
			"pinCharacterSet": "",
			"contactSyncBlocked": true,
			"periodBeforePinReset": "",
			"faceIdBlocked": ,
			"printBlocked": ,
			"fingerprintBlocked": ,
			"appDataEncryptionType": "",
			"allowedDataStorageLocations": 
			[
				"localStorage",
				"oneDriveForBusiness",
				"sharePoint"
			],
			"apps":[]
		}
POST https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: ea279f42-2e9d-4986-aea9-799241f8db28
client-request-id: ea279f42-2e9d-4986-aea9-799241f8db28
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"AM1PEPF00014CF5"}}
Date: Thu, 23 Jun 2022 08:37:08 GMT
Content-Encoding: gzip
Content-Type: application/json
{"error":{"code":"ModelValidationFailure","message":"Cannot convert the literal '' to the expected type 'Edm.Duration'.","innerError":{"message":"Cannot convert the literal '' to the expected type 'Edm.Duration'.","date":"2022-06-23T08:37:09","request-id":"ea279f42-2e9d-4986-aea9-799241f8db28","client-request-id":"ea279f42-2e9d-4986-aea9-799241f8db28"}}}
Es ist nicht möglich, eine Methode für einen Ausdruck aufzurufen, der den NULL hat.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : InvokeMethodOnNull
    + PSComputerName        : localhost
Das Argument kann nicht an den Parameter "PolicyId" gebunden werden, da es sich um eine leere Zeichenfolge handelt.
    + CategoryInfo          : InvalidData: (:) [], CimException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Set-M365DSCIntuneAppProtectionPolicyiOSAssignment
    + PSComputerName        : localhost

So for this to work in DSC, you need to fill all the attributes required from the MSFT_IntuneAppProtectionPolicyiOS.ps1
See below:

       "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": "$($Parameters.DisplayName)",
        "description": "$($Parameters.Description)",
        "periodOfflineBeforeAccessCheck": "$($Parameters.PeriodOfflineBeforeAccessCheck)",
        "periodOnlineBeforeAccessCheck": "$($Parameters.PeriodOnlineBeforeAccessCheck)",
        "allowedInboundDataTransferSources": "$($Parameters.AllowedInboundDataTransferSources)",
        "allowedOutboundDataTransferDestinations": "$($Parameters.AllowedOutboundDataTransferDestinations)",
        "organizationalCredentialsRequired": $($Parameters.OrganizationalCredentialsRequired.ToString().ToLower()),
        "allowedOutboundClipboardSharingLevel": "$($Parameters.AllowedOutboundClipboardSharingLevel)",
        "dataBackupBlocked": $($Parameters.DataBackupBlocked.ToString().ToLower()),
        "deviceComplianceRequired": $($Parameters.DeviceComplianceRequired.ToString().ToLower()),
        "managedBrowserToOpenLinksRequired": $($Parameters.ManagedBrowserToOpenLinksRequired.ToString().ToLower()),
        "saveAsBlocked": $($Parameters.SaveAsBlocked.ToString().ToLower()),
        "periodOfflineBeforeWipeIsEnforced": "$($Parameters.PeriodOfflineBeforeWipeIsEnforced)",
        "pinRequired": $($Parameters.PinRequired.ToString().ToLower()),
        "disableAppPinIfDevicePinIsSet": $($Parameters.DisableAppPinIfDevicePinIsSet.ToString().ToLower()),
        "maximumPinRetries": $($Parameters.MaximumPinRetries),
        "simplePinBlocked": $($Parameters.SimplePinBlocked.ToString().ToLower()),
        "minimumPinLength": $($Parameters.MinimumPinLength),
        "managedBrowser": "$($Parameters.ManagedBrowser)",
        "minimumRequiredAppVersion": "$($Parameters.MinimumWarningAppVersion)",
        "minimumRequiredOsVersion": "$($Parameters.MinimumRequiredOsVersion)",
        "minimumRequiredSdkVersion": "$($Parameters.MinimumRequiredSdkVersion)",
        "minimumWarningAppVersion": "$($Parameters.MinimumWarningAppVersion)",
        "minimumWarningOsVersion": "$($Parameters.MinimumWarningOsVersion)",
        "pinCharacterSet": "$($Parameters.PinCharacterSet)",
        "contactSyncBlocked": $($Parameters.ContactSyncBlocked.ToString().ToLower()),
        "periodBeforePinReset": "$($Parameters.PeriodBeforePinReset)",
        "faceIdBlocked": $($Parameters.FaceIdBlocked.ToString().ToLower()),
        "printBlocked": $($Parameters.PrintBlocked.ToString().ToLower()),
        "fingerprintBlocked": $($Parameters.FingerprintBlocked.ToString().ToLower()),
        "appDataEncryptionType": "$($Parameters.AppDataEncryptionType)",
        "allowedDataStorageLocations": $allowedDataStorageLocations

and then generate the MOF file and it works.
In this case we don't need this kind of approach because we want to have only attributes that we want, not all of them.
In PowerShell and in GUI, this kind of approach is possible.
So in this case I have looked a code of MSFT_IntuneAppProtectionPolicyiOS.ps1, and I found that there is possible to create a new IntuneAppProtectionPolicyiOS Policy only with attributes that you like.
Yes that's fine, but there is also a problem here, if you don't provide some attributes they are set by default to FALSE / Other Values.
Below you can check my solution.

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $DisplayName,
        [Parameter()]
        [System.String]
        $Description,
        [Parameter()]
        [System.String]
        $PeriodOfflineBeforeAccessCheck,
        [Parameter()]
        [System.String]
        $PeriodOnlineBeforeAccessCheck,
        [Parameter()]
        [System.String]
        $AllowedInboundDataTransferSources,
        [Parameter()]
        [System.String]
        $AllowedOutboundDataTransferDestinations,
        [Parameter()]
        [System.Boolean]
        $OrganizationalCredentialsRequired,
        [Parameter()]
        [System.String]
        $AllowedOutboundClipboardSharingLevel,
        [Parameter()]
        [System.Boolean]
        $DataBackupBlocked,
        [Parameter()]
        [System.Boolean]
        $DeviceComplianceRequired,
        [Parameter()]
        [System.String]
        $ManagedBrowser,
        [Parameter()]
        [System.String]
        $MinimumRequiredAppVersion,
        [Parameter()]
        [System.String]
        $MinimumWarningAppVersion,
        [Parameter()]
        [System.String]
        $MinimumRequiredOsVersion,
        [Parameter()]
        [System.String]
        $MinimumWarningOSVersion,
        [Parameter()]
        [System.String]
        $MinimumRequiredSdkVersion,
        [Parameter()]
        [System.Boolean]
        $ManagedBrowserToOpenLinksRequired,
        [Parameter()]
        [System.Boolean]
        $SaveAsBlocked,
        [Parameter()]
        [System.String]
        $PeriodOfflineBeforeWipeIsEnforced,
        [Parameter()]
        [System.Boolean]
        $PinRequired,
        [Parameter()]
        [System.Boolean]
        $DisableAppPinIfDevicePinIsSet,
        [Parameter()]
        [System.UInt32]
        $MaximumPinRetries,
        [Parameter()]
        [System.Boolean]
        $SimplePinBlocked,
        [Parameter()]
        [System.UInt32]
        $MinimumPinLength,
        [Parameter()]
        [System.String]
        $PinCharacterSet,
        [Parameter()]
        [System.String[]]
        $AllowedDataStorageLocations,
        [Parameter()]
        [System.Boolean]
        $ContactSyncBlocked,
        [Parameter()]
        [System.String]
        $PeriodBeforePinReset,
        [Parameter()]
        [System.Boolean]
        $PrintBlocked,
        [Parameter()]
        [System.Boolean]
        $FingerprintBlocked,
        [Parameter()]
        [System.Boolean]
        $FaceIdBlocked,
        [Parameter()]
        [System.String]
        $AppDataEncryptionType,
        [Parameter()]
        [System.String[]]
        $Apps,
        [Parameter()]
        [System.String[]]
        $Assignments,
        [Parameter()]
        [System.String[]]
        $ExcludedGroups,
        [Parameter(Mandatory = $true)]
        [System.String]
        [ValidateSet('Absent', 'Present')]
        $Ensure,
        [Parameter()]
        [System.Management.Automation.PSCredential]
        $Credential,
        [Parameter()]
        [System.String]
        $ApplicationId,
        [Parameter()]
        [System.String]
        $TenantId,
        [Parameter()]
        [System.String]
        $ApplicationSecret,
        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Write-Verbose -Message "Checking for the Intune iOS App Protection Policy {$DisplayName}"
    $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
        -InboundParameters $PSBoundParameters

    #Ensure the proper dependencies are installed in the current environment.
    Confirm-M365DSCDependencies

    #region Telemetry
    $ResourceName = 'MSFT_IntuneAppProtectionPolicyiOS'
    $CommandName = $MyInvocation.MyCommand
    $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
        -CommandName $CommandName `
        -Parameters $PSBoundParameters
    Add-M365DSCTelemetryEvent -Data $data
    #endregion

    $nullResult = $PSBoundParameters
    $nullResult.Ensure = 'Absent'
    try
    {
        $policyInfo = Get-MgDeviceAppManagementiOSManagedAppProtection -Filter "displayName eq '$DisplayName'" `
            -ErrorAction Stop

        if ($null -eq $policyInfo)
        {
            Write-Verbose -Message "No iOS App Protection Policy {$DisplayName} was found"
            return $nullResult
        }

        $policy = Get-M365DSCintuneAppProtectionPolicyiOS -PolicyId $policyInfo.Id
        Write-Verbose -Message "Found iOS App Protection Policy {$DisplayName}"

        $appsArray = @()
        if ($null -ne $policy.Apps)
        {
            foreach ($app in $policy.Apps)
            {
                $appsArray += $app.mobileAppIdentifier.bundleId
            }
        }

        $assignmentsArray = @()
        if ($null -ne $policy.Assignments)
        {
            $allAssignments = $policy.Assignments.target | Where-Object -FilterScript { $_.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' }

            foreach ($assignment in $allAssignments)
            {
                $assignmentsArray += $assignment.groupId
            }
        }

        $exclusionArray = @()
        if ($null -ne $policy.Assignments)
        {
            $allExclusions = $policy.Assignments.target | Where-Object -FilterScript { $_.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' }

            foreach ($exclusion in $allExclusions)
            {
                $exclusionArray += $exclusion.groupId
            }
        }
        return @{
            DisplayName                             = $policyInfo.DisplayName
            Description                             = $policy.Description
            PeriodOfflineBeforeAccessCheck          = $policy.PeriodOfflineBeforeAccessCheck
            PeriodOnlineBeforeAccessCheck           = $policy.PeriodOnlineBeforeAccessCheck
            AllowedInboundDataTransferSources       = $policy.AllowedInboundDataTransferSources
            AllowedOutboundDataTransferDestinations = $policy.AllowedOutboundDataTransferDestinations
            OrganizationalCredentialsRequired       = $policy.OrganizationalCredentialsRequired
            AllowedOutboundClipboardSharingLevel    = $policy.AllowedOutboundClipboardSharingLevel
            DataBackupBlocked                       = $policy.DataBackupBlocked
            DeviceComplianceRequired                = $policy.DeviceComplianceRequired
            ManagedBrowser                          = $policy.ManagedBrowser
            MinimumRequiredAppVersion               = $policy.MinimumRequiredAppVersion
            MinimumRequiredOsVersion                = $policy.MinimumRequiredOsVersion
            MinimumRequiredSdkVersion               = $policy.MinimumRequiredSDKVersion
            MinimumWarningAppVersion                = $policy.MinimumWarningAppVersion
            MinimumWarningOsVersion                 = $policy.MinimumWarningOsVersion
            ManagedBrowserToOpenLinksRequired       = $policy.ManagedBrowserToOpenLinksRequired
            SaveAsBlocked                           = $policy.SaveAsBlocked
            PeriodOfflineBeforeWipeIsEnforced       = $policy.PeriodOfflineBeforeWipeIsEnforced
            PinRequired                             = $policy.PinRequired
            DisableAppPinIfDevicePinIsSet           = $policy.disableAppPinIfDevicePinIsSet
            MaximumPinRetries                       = $policy.MaximumPinRetries
            SimplePinBlocked                        = $policy.SimplePinBlocked
            MinimumPinLength                        = $policy.MinimumPinLength
            PinCharacterSet                         = $policy.PinCharacterSet
            AllowedDataStorageLocations             = $policy.AllowedDataStorageLocations
            ContactSyncBlocked                      = $policy.ContactSyncBlocked
            PeriodBeforePinReset                    = $policy.PeriodBeforePinReset
            FaceIdBlocked                           = $policy.FaceIdBlocked
            PrintBlocked                            = $policy.PrintBlocked
            FingerprintBlocked                      = $policy.FingerprintBlocked
            AppDataEncryptionType                   = $policy.AppDataEncryptionType
            Assignments                             = $assignmentsArray
            ExcludedGroups                          = $exclusionArray
            Apps                                    = $appsArray
            Ensure                                  = 'Present'
            Credential                              = $Credential
            ApplicationId                           = $ApplicationId
            ApplicationSecret                       = $ApplicationSecret
            TenantId                                = $TenantId
            CertificateThumbprint                   = $CertificateThumbprint
        }
    }
    catch
    {
        try
        {
            Write-Verbose -Message $_
            $tenantIdValue = $Credential.UserName.Split('@')[1]
            Add-M365DSCEvent -Message $_ -EntryType 'Error' `
                -EventID 1 -Source $($MyInvocation.MyCommand.Source) `
                -TenantId $tenantIdValue
        }
        catch
        {
            Write-Verbose -Message $_
        }
        return $nullResult
    }
}

function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $DisplayName,

        [Parameter()]
        [System.String]
        $Description,

        [Parameter()]
        [System.String]
        $PeriodOfflineBeforeAccessCheck,

        [Parameter()]
        [System.String]
        $PeriodOnlineBeforeAccessCheck,

        [Parameter()]
        [System.String]
        $AllowedInboundDataTransferSources,

        [Parameter()]
        [System.String]
        $AllowedOutboundDataTransferDestinations,

        [Parameter()]
        [System.Boolean]
        $OrganizationalCredentialsRequired,

        [Parameter()]
        [System.String]
        $AllowedOutboundClipboardSharingLevel,

        [Parameter()]
        [System.Boolean]
        $DataBackupBlocked,

        [Parameter()]
        [System.Boolean]
        $DeviceComplianceRequired,

        [Parameter()]
        [System.String]
        $ManagedBrowser,

        [Parameter()]
        [System.String]
        $MinimumRequiredAppVersion,

        [Parameter()]
        [System.String]
        $MinimumWarningAppVersion,

        [Parameter()]
        [System.String]
        $MinimumRequiredOsVersion,

        [Parameter()]
        [System.String]
        $MinimumWarningOsVersion,

        [Parameter()]
        [System.String]
        $MinimumRequiredSdkVersion,

        [Parameter()]
        [System.Boolean]
        $ManagedBrowserToOpenLinksRequired,

        [Parameter()]
        [System.Boolean]
        $SaveAsBlocked,

        [Parameter()]
        [System.String]
        $PeriodOfflineBeforeWipeIsEnforced,

        [Parameter()]
        [System.Boolean]
        $PinRequired,

        [Parameter()]
        [System.Boolean]
        $DisableAppPinIfDevicePinIsSet,

        [Parameter()]
        [System.UInt32]
        $MaximumPinRetries,

        [Parameter()]
        [System.Boolean]
        $SimplePinBlocked,

        [Parameter()]
        [System.UInt32]
        $MinimumPinLength,

        [Parameter()]
        [System.String]
        $PinCharacterSet,

        [Parameter()]
        [System.String[]]
        $AllowedDataStorageLocations,

        [Parameter()]
        [System.Boolean]
        $ContactSyncBlocked,

        [Parameter()]
        [System.String]
        $PeriodBeforePinReset,

        [Parameter()]
        [System.Boolean]
        $PrintBlocked,

        [Parameter()]
        [System.Boolean]
        $FingerprintBlocked,

        [Parameter()]
        [System.Boolean]
        $FaceIdBlocked,

        [Parameter()]
        [System.String]
        $AppDataEncryptionType,

        [Parameter()]
        [System.String[]]
        $Apps,

        [Parameter()]
        [System.String[]]
        $Assignments,

        [Parameter()]
        [System.String[]]
        $ExcludedGroups,

        [Parameter(Mandatory = $true)]
        [System.String]
        [ValidateSet('Absent', 'Present')]
        $Ensure,

        [Parameter()]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $ApplicationSecret,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
        -InboundParameters $PSBoundParameters

    #Ensure the proper dependencies are installed in the current environment.
    Confirm-M365DSCDependencies

    #region Telemetry
    $ResourceName = 'MSFT_IntuneAppProtectionPolicyiOS'
    $CommandName = $MyInvocation.MyCommand
    $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
        -CommandName $CommandName `
        -Parameters $PSBoundParameters
    Add-M365DSCTelemetryEvent -Data $data
    #endregion

    $currentPolicy = Get-TargetResource @PSBoundParameters
    $setParams = $PSBoundParameters
    $setParams.Remove('Ensure') | Out-Null
    $setParams.Remove('Credential') | Out-Null
    if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Absent')
    {
        Write-Verbose -Message "Creating new iOS App Protection Policy {$DisplayName}"
        $JsonContent = Get-M365DSCIntuneAppProtectionPolicyiOSJSON -Parameters $PSBoundParameters
        Write-Verbose -Message "JSON: $JsonContent"
        New-M365DSCIntuneAppProtectionPolicyiOS -JSONContent $JsonContent

        $policyInfo = Get-MgDeviceAppManagementiOSManagedAppProtection -Filter "displayName eq '$DisplayName'" `
            -ErrorAction Stop
        $assignmentJSON = Get-M365DSCIntuneAppProtectionPolicyiOSAssignmentJson -Assignments $Assignments `
            -Exclusions $ExcludedGroups

        Set-M365DSCIntuneAppProtectionPolicyiOSAssignment -JsonContent $assignmentJSON `
            -PolicyId $policyInfo.id
    }
    elseif ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present')
    {
        Write-Verbose -Message "Updating existing iOS App Protection Policy {$DisplayName}"
        $policyInfo = Get-MgDeviceAppManagementiOSManagedAppProtection -Filter "displayName eq '$DisplayName'" `
            -ErrorAction Stop

        $JsonContent = Get-M365DSCIntuneAppProtectionPolicyiOSJSON -Parameters $PSBoundParameters `
            -IncludeApps $false
        Set-M365DSCIntuneAppProtectionPolicyiOS -JSONContent $JsonContent `
            -PolicyId ($policyInfo.id)

        $appJSON = Get-M365DSCIntuneAppProtectionPolicyiOSAppsJSON -Parameters $PSBoundParameters
        Set-M365DSCIntuneAppProtectionPolicyiOSApps -JSONContent $appJSON `
            -PolicyId $policyInfo.Id

    }
    elseif ($Ensure -eq 'Absent' -and $currentPolicy.Ensure -eq 'Present')
    {
        Write-Verbose -Message "Removing iOS App Protection Policy {$DisplayName}"
        $policyInfo = Get-MgDeviceAppManagementiOSManagedAppProtection -Filter "displayName eq '$DisplayName'" `
            -ErrorAction Stop
        Remove-MgDeviceAppManagementiOSManagedAppProtection -IosManagedAppProtectionId $policyInfo.id
    }
}

function Get-M365DSCIntuneAppProtectionPolicyiOS
{
    [CmdletBinding()]
    [OutputType([PSCustomObject])]
    param(
        [Parameter(Mandatory = $true)]
        [System.String]
        $PolicyId
    )
    try
    {
        $Url = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections('$PolicyId')/`?expand=apps,assignments"
        $response = Invoke-MgGraphRequest -Method Get `
            -Uri $Url
        return $response
    }
    catch
    {
        Write-Verbose -Message $_
        $tenantIdValue = $Credential.UserName.Split('@')[1]
        Add-M365DSCEvent -Message $_ -EntryType 'Error' `
            -EventID 1 -Source $($MyInvocation.MyCommand.Source) `
            -TenantId $tenantIdValue
    }
    return $null
}

function Get-M365DSCIntuneAppProtectionPolicyiOSJSON
{
    [CmdletBinding()]
    [OutputType([System.String])]
    param(
        [Parameter(Mandatory = $true)]
        [System.Collections.Hashtable]
        $Parameters,

        [Parameter()]
        [System.Boolean]
        $IncludeApps = $true
    )

    #region AllowedDataStorageLocations
    $allowedDataStorageLocations = '['
    $foundOne = $false
    foreach ($allowedLocation in $Parameters.AllowedDataStorageLocations)
    {
        $foundOne = $true
        $allowedDataStorageLocations += "`r`n`"$allowedLocation`","
    }
    if ($foundOne)
    {
        $allowedDataStorageLocations = $allowedDataStorageLocations.TrimEnd(',') + " `r`n"
    }
    $allowedDataStorageLocations += '],'
    #endregion

    #region Apps
    $appsValue = '['
    $foundOne = $false
    foreach ($app in $Parameters.Apps)
    {
        $foundOne = $true

        $appsValue += @"
            `r`n{
                "id":"$($app)",
                "mobileAppIdentifier": {
                    "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                    "bundleId": "$app"
                }
            },
"@
    }
    if ($foundOne)
    {
        $appsValue = $appsValue.TrimEnd(',') + " `r`n"
    }
    $appsValue += ']'
    #endregion

In JsonContent I provided only attributes that I need.

    $JsonContent = @"
    {
        '@odata.type': '#microsoft.graph.iosManagedAppProtection',
        'displayName': "$($Parameters.DisplayName)",
        'description': "$($Parameters.Description)",
        'periodOnlineBeforeAccessCheck': "$($Parameters.PeriodOnlineBeforeAccessCheck)",
        'allowedOutboundClipboardSharingLevel': "$($Parameters.AllowedOutboundClipboardSharingLevel)",
        'allowedOutboundDataTransferDestinations': "$($Parameters.AllowedOutboundDataTransferDestinations)",
        'dataBackupBlocked': $($Parameters.DataBackupBlocked.ToString().ToLower()),
        'saveAsBlocked': $($Parameters.SaveAsBlocked.ToString().ToLower()),
        'simplePinBlocked': $($Parameters.SimplePinBlocked.ToString().ToLower()),
        'minimumPinLength': $($Parameters.MinimumPinLength),
        "allowedDataStorageLocations": $allowedDataStorageLocations
"@

    if ($IncludeApps)
    {
        $JSOnContent += "`"apps`":$appsValue`r`n"
    }
    $JsonContent += '}'
    return $JsonContent
}

function Get-M365DSCIntuneAppProtectionPolicyiOSAppsJSON
{
    [CmdletBinding()]
    [OutputType([System.String])]
    param(
        [Parameter(Mandatory = $true)]
        [System.Collections.Hashtable]
        $Parameters
    )

    #region Apps
    $appsValue = '['
    $foundOne = $false
    foreach ($app in $Parameters.Apps)
    {
        $foundOne = $true

        $appsValue += @"
            `r`n{
                "id":"$($app)",
                "mobileAppIdentifier": {
                    "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                    "bundleId": "$app"
                }
            },
"@
    }
    if ($foundOne)
    {
        $appsValue = $appsValue.TrimEnd(',') + " `r`n"
    }
    $appsValue += ']'
    #endregion

    $JsonContent = @"
    {
        "apps": $appsValue
    }
"@
    return $JsonContent
}

function Get-M365DSCIntuneAppProtectionPolicyiOSAssignmentJSON
{
    [CmdletBinding()]
    [OutputType([System.String])]
    param(
        [Parameter(Mandatory = $true)]
        [System.String[]]
        $Assignments,

        [Parameter(Mandatory = $false)]
        [System.String[]]
        $Exclusions
    )

    $JsonContent = "{`r`n"
    $JsonContent += "`"assignments`":[`r`n"
    foreach ($assignment in $Assignments)
    {
        $JsonContent += " {`"target`":{`r`n"
        $JsonContent += " `"groupId`":`"$assignment`",`r`n"
        $JsonContent += " `"@odata.type`":`"#microsoft.graph.groupAssignmentTarget`"`r`n"
        $JsonContent += ' }},'
    }
    foreach ($exclusion in $Exclusions)
    {
        $JsonContent += " {`"target`":{`r`n"
        $JsonContent += " `"groupId`":`"$exclusion`",`r`n"
        $JsonContent += " `"@odata.type`":`"#microsoft.graph.exclusionGroupAssignmentTarget`"`r`n"
        $JsonContent += ' }},'
    }
    $JsonContent = $JsonContent.TrimEnd(',')
    $JsonContent += "]`r`n"
    $JsonContent += "`r`n}"

    return $JsonContent
}

function New-M365DSCIntuneAppProtectionPolicyiOS
{
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [System.String]
        $JSONContent
    )
    try
    {
        $Url = 'https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies'
        Write-Verbose -Message "Creating new iOS App Protection policy with JSON payload: `r`n$JSONContent"
        Invoke-MgGraphRequest -Method POST `
            -Uri $Url `
            -Body $JSONContent `
            -Headers @{'Content-Type' = 'application/json' } | Out-Null
    }
    catch
    {
        Write-Verbose -Message $_
        $tenantIdValue = $Credential.UserName.Split('@')[1]
        Add-M365DSCEvent -Message $_ -EntryType 'Error' `
            -EventID 1 -Source $($MyInvocation.MyCommand.Source) `
            -TenantId $tenantIdValue
    }
}

function Set-M365DSCIntuneAppProtectionPolicyiOS
{
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [System.String]
        $JSONContent,

        [Parameter(Mandatory = $true)]
        [System.String]
        $PolicyId
    )
    try
    {
        $Url = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections('$PolicyId')/"
        Write-Verbose -Message "Updating iOS App Protection policy with JSON payload: `r`n$JSONContent"
        Invoke-MgGraphRequest -Method PATCH `
            -Uri $Url `
            -Body $JSONContent `
            -Headers @{'Content-Type' = 'application/json' } | Out-Null
    }
    catch
    {
        Write-Verbose -Message $_
        $tenantIdValue = $Credential.UserName.Split('@')[1]
        Add-M365DSCEvent -Message $_ -EntryType 'Error' `
            -EventID 1 -Source $($MyInvocation.MyCommand.Source) `
            -TenantId $tenantIdValue
    }
}

function Set-M365DSCIntuneAppProtectionPolicyiOSApps
{
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [System.String]
        $JSONContent,

        [Parameter(Mandatory = $true)]
        [System.String]
        $PolicyId
    )
    try
    {
        $Url = "https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies/$PolicyId/targetApps"
        Write-Verbose -Message "Updating Apps for iOS App Protection policy with JSON payload: `r`n$JSONContent"
        Invoke-MgGraphRequest -Method POST `
            -Uri $Url `
            -Body $JSONContent `
            -Headers @{'Content-Type' = 'application/json' } | Out-Null
    }
    catch
    {
        Write-Verbose -Message $_
        $tenantIdValue = $Credential.UserName.Split('@')[1]
        Add-M365DSCEvent -Message $_ -EntryType 'Error' `
            -EventID 1 -Source $($MyInvocation.MyCommand.Source) `
            -TenantId $tenantIdValue
    }
}

function Set-M365DSCIntuneAppProtectionPolicyiOSAssignment
{
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [System.String]
        $JSONContent,

        [Parameter(Mandatory = $false)]
        [System.String]
        $PolicyId
    )
    try
    {
        $Url = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections('$PolicyId')/assign"
        Write-Verbose -Message "Group Assignment for iOS App Protection policy with JSON payload: `r`n$JSONContent"
        Invoke-MgGraphRequest -Method POST `
            -Uri $Url `
            -Body $JSONContent `
            -Headers @{'Content-Type' = 'application/json' } | Out-Null
    }
    catch
    {
        Write-Verbose -Message $_
        $tenantIdValue = $Credential.UserName.Split('@')[1]
        Add-M365DSCEvent -Message $_ -EntryType 'Error' `
            -EventID 1 -Source $($MyInvocation.MyCommand.Source) `
            -TenantId $tenantIdValue
    }
}

Connect-MgGraph -UseDeviceAuthentication

$displayName = 'iOS App Protection Policy'
$description = 'TestInune iOS'
$periodOfflineBeforeAccessCheck = 'PT5M'
$periodOnlineBeforeAccessCheck = 'PT5M'
$allowedInboundDataTransferSources = 'managedApps'
$allowedOutboundDataTransferDestinations = 'managedApps'
$organizationalCredentialsRequired = $false
$allowedOutboundClipboardSharingLevel = 'allApps'
$dataBackupBlocked = $true
$deviceComplianceRequired = $false
$managedBrowserToOpenLinksRequired = $true
$saveAsBlocked = $true
$periodOfflineBeforeWipeIsEnforced = 'P90D'
$pinRequired = $false
$maximumPinRetries = 6
$simplePinBlocked = $true
$minimumPinLength = 6
$pinCharacterSet = 'alphanumericAndSymbol'
$periodBeforePinReset = 'PT0S'
$allowedDataStorageLocations = @('localStorage', 'oneDriveForBusiness', 'sharePoint')
$contactSyncBlocked = $true
$printBlocked = $false
$fingerprintBlocked = $false
$disableAppPinIfDevicePinIsSet = $false
$minimumRequiredOsVersion = '13.0'
$minimumWarningOsVersion = '13.0'
$minimumRequiredAppVersion = '0.1'
$minimumWarningAppVersion = '0.1'
$managedBrowser = 'notConfigured'
$excludedGroups = @('123be1234-3c00-40dc-aa7e-rtr624b0a1b5')
$appDataEncryptionType = 'whenDeviceLocked'
$minimumRequiredSdkVersion = '0.1'
$faceIdBlocked = $false
$apps = @('com.cisco.jabberimintune.ios')
$ensure = 'Present'

Set-TargetResource `
    -Assignments @('123be1234-3c00-40dc-aa7e-rtr624b0a1b5') `
    -Ensure $ensure `
    -DisplayName $displayName `
    -Description $description `
    -PeriodOnlineBeforeAccessCheck $periodOnlineBeforeAccessCheck `
    -AllowedOutboundDataTransferDestinations $allowedOutboundDataTransferDestinations `
    -AllowedOutboundClipboardSharingLevel $allowedOutboundClipboardSharingLevel `
    -DataBackupBlocked $dataBackupBlocked `
    -SaveAsBlocked $saveAsBlocked `
    -SimplePinBlocked $simplePinBlocked `
    -MinimumPinLength $minimumPinLength `
    -AllowedDataStorageLocations $allowedDataStorageLocations `
    -ContactSyncBlocked $contactSyncBlocked `
    -ApplicationId '' `
    -TenantId '' `
    -CertificateThumbprint ''

Result - Output

PS C:\Windows\system32> Get-DeviceAppManagement_IosManagedAppProtections
displayName                             : iOS App Protection Policy
description                             : TestInune iOS
createdDateTime                         : 6/23/2022 9:26:27 AM
lastModifiedDateTime                    : 6/23/2022 9:26:27 AM
id                                      : T_b35750de-47cf-448f-aeff-070413b23e45
version                                 : "1c0303b1-0000-0d00-0000-62b431c30000"
periodOfflineBeforeAccessCheck          : PT0S (set by default)
periodOnlineBeforeAccessCheck           : PT5M (set by default)
allowedInboundDataTransferSources       : allApps
allowedOutboundDataTransferDestinations : managedApps
organizationalCredentialsRequired       : False (set by default)
allowedOutboundClipboardSharingLevel    : allApps
dataBackupBlocked                       : True 
deviceComplianceRequired                : False (set by default)
managedBrowserToOpenLinksRequired       : False (set by default)
saveAsBlocked                           : True
periodOfflineBeforeWipeIsEnforced       : PT0S (set by default)
pinRequired                             : False (set by default)
maximumPinRetries                       : 5 (set by default)
simplePinBlocked                        : True
minimumPinLength                        : 6
pinCharacterSet                         : numeric (set by default)
periodBeforePinReset                    : PT0S (set by default)
allowedDataStorageLocations             : {localStorage, oneDriveForBusiness, sharePoint}
contactSyncBlocked                      : False
printBlocked                            : False (set by default)
fingerprintBlocked                      : False (set by default)
disableAppPinIfDevicePinIsSet           : False (set by default)
minimumRequiredOsVersion                : 
minimumWarningOsVersion                 : 
minimumRequiredAppVersion               : 
minimumWarningAppVersion                : 
managedBrowser                          : notConfigured (set by default)
isAssigned                              : True 
appDataEncryptionType                   : useDeviceSettings (set by default)
minimumRequiredSdkVersion               : 
deployedAppCount                        : 0 (set by default)
faceIdBlocked                           : False  (set by default)
customBrowserProtocol                   : 
assigmnets - (missing)

Here you can see that some attributes are set by default that I have not provided in the SET method, here is something wrong, and I think if there is a possibility to change it would be nice.
Also, the Assignments are Set, but they don't appear on the newly created policy here, seems something is definitely wrong.

#### The operating system the target node is running
<!--
    Please provide as much as possible about the target node, for example
    edition, version, build and language.
    On OS with WMF 5.1 the following command can help get this information.
OsName               : Microsoft Windows 10 Pro
OsOperatingSystemSKU : 48
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage           : en-US
OsMuiLanguages       : {en-US, de-DE}
-->
#### Version of the DSC module that was used ('dev' if using current dev branch)
1.22.615.1
@andikrueger andikrueger added Intune Bug Something isn't working labels Jun 23, 2022
@andikrueger
Copy link
Collaborator

@RuudGijsbers Could you have a look at this one?

NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Jul 8, 2022
@NikCharlebois
Fixes microsoft#2019
7535d2a
@NikCharlebois NikCharlebois mentioned this issue Jul 8, 2022
Merged
NikCharlebois added a commit that referenced this issue Jul 8, 2022
@NikCharlebois
Merge pull request #2085 from NikCharlebois/Fixes-2019
aba77a2 
Fixes #2019
@NikCharlebois NikCharlebois mentioned this issue Jul 13, 2022
Merged
@atdheekurteshi
Copy link
Author

This issue was tested with a Microsoft365DSC Version: 1.22.713.1 but still it is not working the same error as described above.

@NikCharlebois NikCharlebois reopened this Jul 18, 2022
@atdheekurteshi
Copy link
Author

This issue was tested with a Microsoft365DSC Version: 1.22.720.1 and its working.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Something isn't working Intune
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixes #2019 NikCharlebois/Microsoft365DSC
Release 1.22.713.1 NikCharlebois/Microsoft365DSC
3 participants
@atdheekurteshi @NikCharlebois @andikrueger