macOS_IntuneManagement/CHANGELOG_macOS_IntuneToolkit.md

macOS Intune Toolkit Changelog

2026-06-14 — Auto-export Settings Catalog definitions for report resolution

Added

• Extensions/EndpointManager.psm1

  • Start-PostExportSettingsCatalog now auto-exports /deviceManagement/configurationSettings to <backup-root>/configurationSettings.json the first time a Settings Catalog policy is exported.
  • New helper Start-ExportSettingsCatalogDefinitions fetches all pages of setting definitions and writes them next to the policy folders.
  • This lets Scripts/Export-SettingsReport.py resolve settingDefinitionId values to the human-readable names shown in the Intune portal without any manual steps.
  • Errors during definition export are logged but do not fail the policy export.

• Scripts/Export-SettingsReport.py

  • New Platform column between Policy and Setting.
  • For Settings Catalog, platform is read from the platforms field (e.g. macOS, windows10).
  • For legacy policies, platform is inferred from platform/platformType or from @odata.type (e.g. #microsoft.graph.iosCompliancePolicy → iOS).

Fixed

• Extensions/MSGraph.psm1

  • Get-GraphMetaData now stores GraphMetaData.xml in the cross-platform data folder (Get-CloudApiDataFolder) instead of the literal Windows path %LOCALAPPDATA%\CloudAPIPowerShellManagement\GraphMetaData.xml.
  • Removed the stray %LOCALAPPDATA%\CloudAPIPowerShellManagement folder from the repository and moved the existing GraphMetaData.xml to the correct macOS app-data location.

• Extensions/MSALAuthentication.psm1

  • On non-Windows platforms the toolkit now skips TokenCacheHelperEx compilation with an informational log instead of throwing a System.Security.Cryptography.ProtectedData.dll error.
  • Applied the same skip to the legacy Add-MSALPrereq_old function for consistency.

• .gitignore

  • Removed the literal %LOCALAPPDATA% ignore patterns; kept GraphMetaData.xml and CloudAPIPowerShellManagement/ ignores as safeguards.

Modified

• AGENTS.md
  • Added Scripts/Export-SettingsReport.py to the main entry points table and noted the automatic Settings Catalog name resolution.

---

2026-04-16 — v4.1.0 — Accountability, PIM & Auth Management

Modified

• Scripts/Initialize-IntuneAuth.ps1

  • App registrations are now named after the authenticated Entra user (e.g., IntuneManagement-tomas.kracmar@cqre.net) instead of the local OS username. This improves audit-log traceability when multiple admins use the toolkit against the same tenant.
  • Added -Delete switch to remove local tenant credentials (Settings.json + macOS Keychain) without touching the Entra app registration.
  • Added -DeleteApp switch to delete both the Entra app registration and local credentials.
  • Onboarding now automatically caches the tenant display name after auth setup, so the TUI shows friendly names immediately.
  • Added Organization.Read.All to the Connect-MgGraph scopes to support tenant name caching.

• Scripts/Start-IntuneToolkit.ps1

  • Added menu items 14 (delete local auth) and 15 (delete auth + app registration) to the TUI.
  • Selecting "[+ Onboard new tenant]" now runs the auth initializer immediately and restarts the launcher, instead of dropping into the main menu for an unconfigured tenant.
  • The TUI now exits cleanly after deleting tenant auth.

• README.md

  • Added Accountability & PIM caveats section explaining the trade-offs of app-only auth versus delegated auth, and how app naming affects audit logs.

---

2026-04-13 — API Permissions Sync for Initialize-IntuneAuth.ps1

Modified

• Scripts/Initialize-IntuneAuth.ps1
  • Unified the required Microsoft Graph application permissions into a single $requiredRoles list defined before app creation/reuse logic:
    • DeviceManagementApps.ReadWrite.All
    • DeviceManagementConfiguration.ReadWrite.All
    • DeviceManagementManagedDevices.ReadWrite.All
    • DeviceManagementScripts.ReadWrite.All
    • DeviceManagementServiceConfig.ReadWrite.All
    • DeviceManagementRBAC.ReadWrite.All
    • Group.ReadWrite.All
    • Directory.Read.All
    • User.Read.All
    • Organization.Read.All
    • Policy.ReadWrite.ConditionalAccess
    • Agreement.ReadWrite.All
    • CloudPC.ReadWrite.All
    • Application.Read.All
  • Existing app patching: When reusing an existing app registration, the script now inspects its current RequiredResourceAccess. If any required permissions are missing, it patches the app via Update-MgApplication, refreshes the local app object, and the downstream admin-consent loop automatically grants consent for the newly added roles.

---

Prior delivered changes (context summary)

New scripts added

• Scripts/Bulk-AppAssignment.ps1 — bulk-assign apps to groups/All Users/All Devices
• Scripts/Bulk-AssignmentManager.ps1 — add/remove assignments for any policy type using correct @odata.type and bulk /assign endpoint
• Scripts/Backup-Restore-Assignments.ps1 — JSON backup with cross-tenant group name resolution
• Scripts/Export-AssignmentsToCsv.ps1 — CSV and Markdown documentation output
• Scripts/Bulk-RenamePolicies.ps1 — search/replace, add/strip prefix across displayName/description
• Scripts/Bulk-DeviceOperations.ps1 — delete/retire/wipe/lock/sync with -WhatIf safeguards
• Scripts/Start-IntuneToolkit.ps1 — unified reverse-numbered fzf-based launcher
• Scripts/Initialize-IntuneAuth.ps1 — one-time Entra app + secret + Keychain setup

Core / Extensions / Headless changes

• Extensions/MSGraph.psm1
  • Invoke-GraphRequest now throws on 4xx/5xx HTTP errors (was silently returning null)
  • Added -AllPages support to Get-GraphObjects and toolkit queries for large tenants
• Headless/IntuneManagement.Headless.psm1
  • Expanded Get-DefaultIntunePolicyObjectTypes to ~45 types, including DeviceManagementIntents
  • Threaded NameSearchPattern / NameReplacePattern through export/import/action flows
• Settings Catalog fixes
  • Uses name property instead of displayName for queries/labels
  • Assignments use #microsoft.graph.deviceManagementConfigurationPolicyAssignment and the bulk POST …/assign endpoint
• TUI / fzf
  • Spacebar toggle, Esc to go back, reverse numbering (10→1) in unified launcher

2026-04-13 — Declarative Baseline Deployer

Added

• Scripts/Deploy-IntuneBaseline.ps1

  • YAML-driven one-click deployment of Intune policies + assignments to new tenants.
  • Supports global and per-policy name mutations (search/replace or prefix).
  • Auto-creates cloud-only security groups if missing.
  • Idempotent imports with configurable conflict resolution (Skip, Update, Error).
  • Full -WhatIf dry-run support.
  • Handles 20+ policy types including Settings Catalog (name property), EndpointSecurity (settings file companion upload), and Applications.
  • Integrates with existing auth stack (Settings.json / macOS Keychain).

• Scripts/ConvertTo-IntuneBaseline.ps1

  • Converts an existing toolkit export folder into a baseline YAML skeleton.
  • Maps folder names to baseline types, extracts display names, and generates empty assignment blocks.

• Baselines/OpenIntuneBaseline.example.yaml

  • Example manifest demonstrating groups, mutations, policies, and assignments.

Dependencies

• powershell-yaml module (auto-install prompt if missing).

2026-04-13 — Unified Launcher: Baseline Deployer Integration

Modified

• Scripts/Start-IntuneToolkit.ps1
  • Added menu entries for baseline deployment:
    • 10. Deploy baseline
    • 11. Deploy baseline (dry-run / WhatIf)
  • Forwards -WhatIf switch correctly when dry-run option is selected.
  • Ensures WhatIf flag is cleared between loop iterations to avoid leakage to other tools.