baseline:
  name: OpenIntuneBaseline-v3-Example
  conflictResolution: Skip      # Skip | Update | Error
  whatIf: false

  # Global name mutation applied to every policy (optional)
  tenantMutation:
    search: "OIB-"
    replace: "CONTOSO-"
    # Alternatively use prefix instead of search/replace:
    # prefix: "CONTOSO-"

  # Cloud-only security groups to create if they do not exist
  groups:
    - displayName: "Baseline - Windows Devices"
      mailNickname: "BaselineWinDevices"
      securityEnabled: true
    - displayName: "Baseline - macOS Devices"
      mailNickname: "BaselineMacDevices"
      securityEnabled: true
    - displayName: "Baseline - Pilot Users"
      mailNickname: "BaselinePilotUsers"
      securityEnabled: true

  policies:
    # Device Configuration
    - sourcePath: ./policies/OIB-Windows-Defender-ASR.json
      type: DeviceConfiguration
      assignments:
        - targetType: Group
          groupName: "Baseline - Windows Devices"

    # Settings Catalog (uses 'name' instead of displayName)
    - sourcePath: ./policies/OIB-SettingsCatalog-LoginWindow.json
      type: SettingsCatalog
      # Per-policy mutation override
      mutation:
        search: "OIB-"
        replace: "CONTOSO-"
      assignments:
        - targetType: Group
          groupName: "Baseline - macOS Devices"
        - targetType: AllDevices

    # Compliance Policy
    - sourcePath: ./policies/OIB-Compliance-Windows.json
      type: CompliancePolicies
      assignments:
        - targetType: Group
          groupName: "Baseline - Windows Devices"

    # Endpoint Security (DeviceManagementIntents)
    # If a sibling file *_Settings.json exists, it will be imported automatically.
    - sourcePath: ./policies/OIB-EndpointSecurity-Defender.json
      type: EndpointSecurity
      assignments:
        - targetType: Group
          groupName: "Baseline - Windows Devices"

    # Administrative Templates
    - sourcePath: ./policies/OIB-ADMX-OfficeSettings.json
      type: AdministrativeTemplates
      assignments:
        - targetType: Group
          groupName: "Baseline - Pilot Users"

    # macOS Script
    - sourcePath: ./policies/OIB-MacScript-CompanyBranding.json
      type: MacScripts
      assignments:
        - targetType: Group
          groupName: "Baseline - macOS Devices"

    # Application (metadata JSON only; .intunewin binary upload is NOT handled here)
    - sourcePath: ./apps/OIB-CompanyPortal.json
      type: Applications
      assignments:
        - targetType: AllUsers
          intent: Available
        - targetType: AllDevices
          intent: Required