# macOS Intune Management

Cross-platform, headless Intune policy export/import with PowerShell.

This repository is now CLI-first. The old WPF application surface has been removed from the repo. The supported workflow is:

1. export policies from a source tenant
2. store the exported JSON and migration table
3. import into a target tenant with app-only or browser authentication

## Entry points

* [Start-HeadlessIntune.ps1](/Users/avedelphina/Local/IntuneManagement/Start-HeadlessIntune.ps1)
* [Scripts/Export-Policies.ps1](/Users/avedelphina/Local/IntuneManagement/Scripts/Export-Policies.ps1)
* [Scripts/Import-Policies.ps1](/Users/avedelphina/Local/IntuneManagement/Scripts/Import-Policies.ps1)
* [Headless/IntuneManagement.Headless.psd1](/Users/avedelphina/Local/IntuneManagement/Headless/IntuneManagement.Headless.psd1)

## Runtime

* `pwsh` 7+
* Microsoft Graph app registration
* App-only auth with client secret or certificate, or browser auth with a public client redirect URI

## Default object types

The default headless policy scope is:

* `DeviceConfiguration`
* `SettingsCatalog`
* `AdministrativeTemplates`
* `CompliancePolicies`
* `EndpointSecurity`
* `PolicySets`

You can override that list with `-ObjectTypes`.

## Export

```powershell
pwsh ./Scripts/Export-Policies.ps1 `
  -TenantId "<source-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ExportPath "/tmp/intune-export" `
  -IncludeAssignments
```

## Export with browser auth

```powershell
pwsh ./Scripts/Export-Policies.ps1 `
  -TenantId "<source-tenant-id>" `
  -AuthMode Browser `
  -ExportPath "/tmp/intune-export"
```

## Import

```powershell
pwsh ./Scripts/Import-Policies.ps1 `
  -TenantId "<target-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ImportPath "/tmp/intune-export/SourceTenantName" `
  -ImportType alwaysImport `
  -IncludeAssignments `
  -IncludeScopeTags `
  -ReplaceDependencyIds
```

## Import with browser auth

```powershell
pwsh ./Scripts/Import-Policies.ps1 `
  -TenantId "<target-tenant-id>" `
  -AuthMode Browser `
  -ImportPath "/tmp/intune-export/SourceTenantName"
```

## Single entrypoint

```powershell
pwsh ./Start-HeadlessIntune.ps1 `
  -Action Export `
  -TenantId "<source-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ExportPath "/tmp/intune-export"
```

```powershell
pwsh ./Start-HeadlessIntune.ps1 `
  -Action Import `
  -TenantId "<target-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ImportPath "/tmp/intune-export/SourceTenantName" `
  -ImportType alwaysImport
```

```powershell
pwsh ./Start-HeadlessIntune.ps1 `
  -Action Export `
  -TenantId "<source-tenant-id>" `
  -AuthMode Browser `
  -RedirectUri "http://localhost" `
  -ExportPath "/tmp/intune-export"
```

## Notes

* Export writes a migration table used during cross-tenant import.
* Import can translate dependency IDs and recreate missing assignment groups.
* This repo intentionally does not preserve the old Windows UI launch flow.
* Browser auth uses the system browser and a loopback redirect.
* If you omit `-AppId` with `-AuthMode Browser`, the CLI defaults to the Microsoft Graph PowerShell public client app id `14d82eec-204b-4c2f-b7e8-296a70dab67e`.
* If your own app registration does not allow loopback redirects, pass `-AppId` and `-RedirectUri "http://localhost"` and configure the same redirect URI in Entra ID.