Tomas Kracmar 07c25e897a fix(assignments): use bulk /assign endpoint for removals on all types
Settings Catalog and other bulk-assign types do not support DELETE on
individual assignments. Removal now reloads existing assignments,
filters out selected targets, sanitizes remaining payloads, and
re-POSTs to <API>/<id>/assign. This mirrors the add flow and works
universally across all supported object types.
2026-04-14 18:50:02 +02:00

macOS Intune Management

Cross-platform, headless Intune policy export/import with PowerShell.

This repository is now CLI-first. The old WPF application surface has been removed from the repo. The supported workflow is:

  1. export policies from a source tenant
  2. store the exported JSON and migration table
  3. import into a target tenant with app-only or browser authentication

Entry points

Runtime

  • pwsh 7+
  • Microsoft Graph app registration
  • App-only auth with client secret or certificate, or browser auth with a public client redirect URI

Default object types

The default headless policy scope is:

  • DeviceConfiguration
  • SettingsCatalog
  • AdministrativeTemplates
  • CompliancePolicies
  • EndpointSecurity
  • PolicySets

You can override that list with -ObjectTypes.

Export

pwsh ./Scripts/Export-Policies.ps1 `
  -TenantId "<source-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ExportPath "/tmp/intune-export" `
  -IncludeAssignments

Export with browser auth

pwsh ./Scripts/Export-Policies.ps1 `
  -TenantId "<source-tenant-id>" `
  -AuthMode Browser `
  -ExportPath "/tmp/intune-export"

Import

pwsh ./Scripts/Import-Policies.ps1 `
  -TenantId "<target-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ImportPath "/tmp/intune-export/SourceTenantName" `
  -ImportType alwaysImport `
  -IncludeAssignments `
  -IncludeScopeTags `
  -ReplaceDependencyIds
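
The export and import steps above chained in one pwsh session, as an added example that is not part of this repository: the client secret is read from an environment variable instead of being typed as a literal, and the export goes to a directory only the current user can read. The INTUNE_* variable names, the single app registration used for both tenants, -Secret accepting a plain string, and the one-subfolder export layout are assumptions.

```powershell
#Requires -Version 7.0
# Added example, not part of the repository. Run from the repository root.
$ErrorActionPreference = 'Stop'

# Hypothetical variable names, populated by a vault or CI secret store.
$required = 'INTUNE_SRC_TENANT', 'INTUNE_DST_TENANT', 'INTUNE_APP_ID', 'INTUNE_CLIENT_SECRET'
foreach ($name in $required) {
    if ([string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($name))) {
        throw "Environment variable $name is not set."
    }
}

# Per-run export directory under the home folder, readable by the owner only.
$exportRoot = Join-Path $HOME ("intune-export-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $exportRoot | Out-Null
if (-not $IsWindows) { chmod 700 $exportRoot }

# Invoking the script with & keeps it in this process, so the secret never
# appears in a child process command line or as a literal in shell history.
& ./Scripts/Export-Policies.ps1 `
    -TenantId $env:INTUNE_SRC_TENANT `
    -AppId $env:INTUNE_APP_ID `
    -Secret $env:INTUNE_CLIENT_SECRET `
    -ExportPath $exportRoot `
    -IncludeAssignments

# Assumption: the export creates one subfolder named after the source tenant.
$tenantDirs = @(Get-ChildItem -Path $exportRoot -Directory)
if ($tenantDirs.Count -ne 1) {
    throw "Expected one tenant folder under $exportRoot, found $($tenantDirs.Count)."
}
$importPath = $tenantDirs[0].FullName
if (-not (Get-ChildItem -Path $importPath -Recurse -File -Filter '*.json')) {
    throw "No exported JSON under $importPath; not importing."
}

& ./Scripts/Import-Policies.ps1 `
    -TenantId $env:INTUNE_DST_TENANT `
    -AppId $env:INTUNE_APP_ID `
    -Secret $env:INTUNE_CLIENT_SECRET `
    -ImportPath $importPath `
    -ImportType alwaysImport `
    -IncludeAssignments `
    -IncludeScopeTags `
    -ReplaceDependencyIds

# Drop the secret from this session once both runs have finished.
Remove-Item Env:INTUNE_CLIENT_SECRET
```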

Import with browser auth

pwsh ./Scripts/Import-Policies.ps1 `
  -TenantId "<target-tenant-id>" `
  -AuthMode Browser `
  -ImportPath "/tmp/intune-export/SourceTenantName"

Single entrypoint

pwsh ./Start-HeadlessIntune.ps1 `
  -Action Export `
  -TenantId "<source-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ExportPath "/tmp/intune-export"

pwsh ./Start-HeadlessIntune.ps1 `
  -Action Import `
  -TenantId "<target-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ImportPath "/tmp/intune-export/SourceTenantName" `
  -ImportType alwaysImport

pwsh ./Start-HeadlessIntune.ps1 `
  -Action Export `
  -TenantId "<source-tenant-id>" `
  -AuthMode Browser `
  -RedirectUri "http://localhost" `
  -ExportPath "/tmp/intune-export"

Notes

  • Export writes a migration table used during cross-tenant import.
  • Import can translate dependency IDs and recreate missing assignment groups.
  • This repo intentionally does not preserve the old Windows UI launch flow.
  • Browser auth uses the system browser and a loopback redirect.
  • If you omit -AppId with -AuthMode Browser, the CLI defaults to the Microsoft Graph PowerShell public client app id 14d82eec-204b-4c2f-b7e8-296a70dab67e.
  • If your own app registration does not allow loopback redirects, pass -AppId and -RedirectUri "http://localhost" and configure the same redirect URI in Entra ID.
Readme MIT 40 MiB
v4.1.0 Latest
2026-04-16 13:43:42 +00:00
Languages
PowerShell 99.5%
C# 0.5%