From 15210313cdd4b0121a7a12ecd93d8a68fe3ee0cc Mon Sep 17 00:00:00 2001
From: Tomas Kracmar <tomas.kracmar@cqre.net>
Date: Thu, 16 Apr 2026 11:02:54 +0200
Subject: [PATCH] chore: clean ignored cache, refresh README, add VERSION 4.0.0

---
 .gitignore |  1 +
 README.md  | 39 +++++++++++++++++++++++++++++++++++++--
 VERSION    |  1 +
 3 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 VERSION

diff --git a/.gitignore b/.gitignore
index ae25975..afaab40 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,4 +12,5 @@
 IntuneManagement.log
 GraphMetaData.xml
 %LOCALAPPDATA%/
+*%LOCALAPPDATA%*
 CloudAPIPowerShellManagement/
diff --git a/README.md b/README.md
index 98e8159..7353c3d 100644
--- a/README.md
+++ b/README.md
@@ -2,17 +2,35 @@
 
 Cross-platform, headless Intune policy export/import with PowerShell.
 
+**Current version:** `4.0.0` — see [`CHANGELOG_macOS_IntuneToolkit.md`](CHANGELOG_macOS_IntuneToolkit.md) for recent changes.
+
 This repository is now CLI-first. The old WPF application surface has been removed from the repo. The supported workflow is:
 
 1. export policies from a source tenant
 2. store the exported JSON and migration table
 3. import into a target tenant with app-only or browser authentication
 
+## Quick start
+
+The easiest way to get started is the unified launcher. It provides a single terminal UI for every tool and remembers your tenants.
+
+```powershell
+pwsh ./Scripts/Start-IntuneToolkit.ps1
+```
+
+If `fzf` is installed you get an interactive picker; otherwise you get a numbered menu. You can also pass a tenant directly:
+
+```powershell
+pwsh ./Scripts/Start-IntuneToolkit.ps1 -TenantId "<tenant-id>"
+```
+
 ## Entry points
 
-* [Start-HeadlessIntune.ps1](/Users/avedelphina/Local/IntuneManagement/Start-HeadlessIntune.ps1)
+* [Scripts/Start-IntuneToolkit.ps1](/Users/avedelphina/Local/IntuneManagement/Scripts/Start-IntuneToolkit.ps1) — unified launcher (recommended)
+* [Start-HeadlessIntune.ps1](/Users/avedelphina/Local/IntuneManagement/Start-HeadlessIntune.ps1) — single action wrapper with optional TUI
 * [Scripts/Export-Policies.ps1](/Users/avedelphina/Local/IntuneManagement/Scripts/Export-Policies.ps1)
 * [Scripts/Import-Policies.ps1](/Users/avedelphina/Local/IntuneManagement/Scripts/Import-Policies.ps1)
+* [Scripts/Initialize-IntuneAuth.ps1](/Users/avedelphina/Local/IntuneManagement/Scripts/Initialize-IntuneAuth.ps1) — one-time Entra app + secret + Keychain setup
 * [Headless/IntuneManagement.Headless.psd1](/Users/avedelphina/Local/IntuneManagement/Headless/IntuneManagement.Headless.psd1)
 
 ## Runtime
@@ -34,6 +52,14 @@ The default headless policy scope is:
 
 You can override that list with `-ObjectTypes`.
 
+## First-time setup
+
+If you don't already have an Entra app registration, run the auth initializer. It creates the app, grants admin consent, and stores the secret in the macOS Keychain (or Windows Credential Manager).
+
+```powershell
+pwsh ./Scripts/Initialize-IntuneAuth.ps1
+```
+
 ## Export
 
 ```powershell
@@ -77,7 +103,7 @@ pwsh ./Scripts/Import-Policies.ps1 `
   -ImportPath "/tmp/intune-export/SourceTenantName"
 ```
 
-## Single entrypoint
+## Single action entry point
 
 ```powershell
 pwsh ./Start-HeadlessIntune.ps1 `
@@ -107,6 +133,15 @@ pwsh ./Start-HeadlessIntune.ps1 `
   -ExportPath "/tmp/intune-export"
 ```
 
+## Additional toolkit scripts
+
+* **Baseline deployment** — [`Deploy-IntuneBaseline.ps1`](Scripts/Deploy-IntuneBaseline.ps1) deploys a YAML manifest of policies + assignments to a tenant, with dry-run support. [`ConvertTo-IntuneBaseline.ps1`](Scripts/ConvertTo-IntuneBaseline.ps1) turns an existing export folder into a baseline skeleton.
+* **Bulk assignments** — [`Bulk-AssignmentManager.ps1`](Scripts/Bulk-AssignmentManager.ps1) adds or removes assignments for any policy type using the bulk `/assign` endpoint. [`Bulk-AppAssignment.ps1`](Scripts/Bulk-AppAssignment.ps1) does the same for applications.
+* **Backup / restore assignments** — [`Backup-Restore-Assignments.ps1`](Scripts/Backup-Restore-Assignments.ps1) saves assignments to JSON and can restore them with cross-tenant group name resolution.
+* **Bulk rename** — [`Bulk-RenamePolicies.ps1`](Scripts/Bulk-RenamePolicies.ps1) performs search/replace or prefix mutations across policy names and descriptions.
+* **Device operations** — [`Bulk-DeviceOperations.ps1`](Scripts/Bulk-DeviceOperations.ps1) supports delete, retire, wipe, lock, and sync with `-WhatIf` safeguards.
+* **Assignment documentation** — [`Export-AssignmentsToCsv.ps1`](Scripts/Export-AssignmentsToCsv.ps1) exports assignments to CSV and Markdown.
+
 ## Notes
 
 * Export writes a migration table used during cross-tenant import.
diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000..fcdb2e1
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+4.0.0