# macOS Intune Toolkit Changelog

## 2026-04-13 — API Permissions Sync for `Initialize-IntuneAuth.ps1`

### Modified

- **`Scripts/Initialize-IntuneAuth.ps1`**
  - Unified the required Microsoft Graph application permissions into a single `$requiredRoles` list defined before the app creation/reuse logic:
    - `DeviceManagementApps.ReadWrite.All`
    - `DeviceManagementConfiguration.ReadWrite.All`
    - `DeviceManagementManagedDevices.ReadWrite.All`
    - `DeviceManagementScripts.ReadWrite.All`
    - `DeviceManagementServiceConfig.ReadWrite.All`
    - `DeviceManagementRBAC.ReadWrite.All`
    - `Group.ReadWrite.All`
    - `Directory.Read.All`
    - `User.Read.All`
    - `Organization.Read.All`
    - `Policy.ReadWrite.ConditionalAccess`
    - `Agreement.ReadWrite.All`
    - `CloudPC.ReadWrite.All`
    - `Application.Read.All`
  - **Existing app patching**: When reusing an existing app registration, the script now inspects its current `RequiredResourceAccess`. If any required permissions are missing, it patches the app via `Update-MgApplication`, refreshes the local app object, and the downstream admin-consent loop automatically grants consent for the newly added roles.
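The "existing app patching" step above, as an added example that is not the toolkit's own code: it resolves the required role names against the Microsoft Graph service principal, diffs them against the app registration's current `RequiredResourceAccess`, and patches only the missing `Role` entries while preserving every other resource and delegated entry. It assumes `Microsoft.Graph.Applications` is installed and `Connect-MgGraph` has already been run by an identity permitted to update the app; the function name `Sync-GraphAppRoles` is hypothetical.

```powershell
# Well-known appId of the Microsoft Graph resource (not tenant-specific)
$GraphAppId = '00000003-0000-0000-c000-000000000000'

function Sync-GraphAppRoles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ApplicationId,  # object id of the app registration
        [Parameter(Mandatory)] [string[]] $RequiredRoles   # role names, e.g. the $requiredRoles list
    )
    # Map role name -> role id from the AppRoles the Graph service principal publishes
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    $roleId = @{}
    foreach ($r in $graphSp.AppRoles) { $roleId[$r.Value] = $r.Id }
    $unknown = @($RequiredRoles | Where-Object { -not $roleId.ContainsKey($_) })
    if ($unknown.Count) { throw "Not a Microsoft Graph application role: $($unknown -join ', ')" }

    # Compare against the application-permission (Type = 'Role') ids already on the app
    $app   = Get-MgApplication -ApplicationId $ApplicationId
    $graph = $app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $GraphAppId }
    $have  = @($graph.ResourceAccess | Where-Object { $_.Type -eq 'Role' } | ForEach-Object { $_.Id })
    $missing = @($RequiredRoles | Where-Object { $roleId[$_] -notin $have })
    if (-not $missing.Count) { Write-Verbose 'No missing roles'; return @() }

    # Rebuild the full RequiredResourceAccess: keep non-Graph resources and existing
    # Graph entries (including delegated 'Scope' ones), append only the missing roles.
    $keep = @($app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -ne $GraphAppId } |
        ForEach-Object { @{ ResourceAppId  = $_.ResourceAppId
                            ResourceAccess = @($_.ResourceAccess | ForEach-Object { @{ Id = $_.Id; Type = $_.Type } }) } })
    $graphAccess = @($graph.ResourceAccess | ForEach-Object { @{ Id = $_.Id; Type = $_.Type } }) +
                   @($missing | ForEach-Object { @{ Id = $roleId[$_]; Type = 'Role' } })
    $keep += @{ ResourceAppId = $GraphAppId; ResourceAccess = $graphAccess }

    # -WhatIf shows the planned change without touching the tenant
    if ($PSCmdlet.ShouldProcess($app.DisplayName, "add Graph roles: $($missing -join ', ')")) {
        Update-MgApplication -ApplicationId $ApplicationId -RequiredResourceAccess $keep
    }
    return $missing   # the roles the admin-consent step still has to grant
}
```

Run it with `-WhatIf` first to review the delta; the returned list is exactly the set of roles that still need admin consent after the patch.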
---

## Prior delivered changes (context summary)

### New scripts added

- `Scripts/Bulk-AppAssignment.ps1` — bulk-assign apps to groups/All Users/All Devices
- `Scripts/Bulk-AssignmentManager.ps1` — add/remove assignments for any policy type using the correct `@odata.type` and the bulk `/assign` endpoint
- `Scripts/Backup-Restore-Assignments.ps1` — JSON backup with cross-tenant group name resolution
- `Scripts/Export-AssignmentsToCsv.ps1` — CSV and Markdown documentation output
- `Scripts/Bulk-RenamePolicies.ps1` — search/replace, add/strip prefix across displayName/description
- `Scripts/Bulk-DeviceOperations.ps1` — delete/retire/wipe/lock/sync with `-WhatIf` safeguards
- `Scripts/Start-IntuneToolkit.ps1` — unified reverse-numbered `fzf`-based launcher
- `Scripts/Initialize-IntuneAuth.ps1` — one-time Entra app + secret + Keychain setup

### Core / Extensions / Headless changes

- **`Extensions/MSGraph.psm1`**
  - `Invoke-GraphRequest` now throws on 4xx/5xx HTTP errors (it previously returned null silently)
  - Added `-AllPages` support to `Get-GraphObjects` and toolkit queries for large tenants
- **`Headless/IntuneManagement.Headless.psm1`**
  - Expanded `Get-DefaultIntunePolicyObjectTypes` to ~45 types, including `DeviceManagementIntents`
  - Threaded `NameSearchPattern` / `NameReplacePattern` through export/import/action flows
- **Settings Catalog fixes**
  - Uses the `name` property instead of `displayName` for queries/labels
  - Assignments use `#microsoft.graph.deviceManagementConfigurationPolicyAssignment` and the bulk `POST …/assign` endpoint
- **TUI / `fzf`**
  - Spacebar toggle, Esc to go back, reverse numbering (10→1) in the unified launcher

## 2026-04-13 — Declarative Baseline Deployer

### Added

- **`Scripts/Deploy-IntuneBaseline.ps1`**
  - YAML-driven one-click deployment of Intune policies + assignments to new tenants.
  - Supports global and per-policy name mutations (`search`/`replace` or `prefix`).
  - Auto-creates cloud-only security groups if missing.
  - Idempotent imports with configurable conflict resolution (`Skip`, `Update`, `Error`).
  - Full `-WhatIf` dry-run support.
  - Handles 20+ policy types including Settings Catalog (`name` property), EndpointSecurity (settings file companion upload), and Applications.
  - Integrates with the existing auth stack (Settings.json / macOS Keychain).
- **`Scripts/ConvertTo-IntuneBaseline.ps1`**
  - Converts an existing toolkit export folder into a baseline YAML skeleton.
  - Maps folder names to baseline types, extracts display names, and generates empty assignment blocks.
- **`Baselines/OpenIntuneBaseline.example.yaml`**
  - Example manifest demonstrating groups, mutations, policies, and assignments.

### Dependencies

- `powershell-yaml` module (auto-install prompt if missing).