macOS Intune Management

Cross-platform, headless Intune policy export/import with PowerShell.

This repository is now CLI-first. The old WPF application surface has been removed from the repo. The supported workflow is:

  1. export policies from a source tenant
  2. store the exported JSON and migration table
  3. import into a target tenant with app-only or browser authentication

Entry points

Runtime

  • pwsh 7+
  • Microsoft Graph app registration
  • App-only auth with client secret or certificate, or browser auth with a public client redirect URI

Default object types

The default headless policy scope is:

  • DeviceConfiguration
  • SettingsCatalog
  • AdministrativeTemplates
  • CompliancePolicies
  • EndpointSecurity
  • PolicySets

You can override that list with -ObjectTypes.

Export

pwsh ./Scripts/Export-Policies.ps1 `
  -TenantId "<source-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ExportPath "/tmp/intune-export" `
  -IncludeAssignments

Export with browser auth

pwsh ./Scripts/Export-Policies.ps1 `
  -TenantId "<source-tenant-id>" `
  -AppId "<public-client-app-id>" `
  -AuthMode Browser `
  -ExportPath "/tmp/intune-export"

Import

pwsh ./Scripts/Import-Policies.ps1 `
  -TenantId "<target-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ImportPath "/tmp/intune-export/SourceTenantName" `
  -ImportType alwaysImport `
  -IncludeAssignments `
  -IncludeScopeTags `
  -ReplaceDependencyIds

Import with browser auth

pwsh ./Scripts/Import-Policies.ps1 `
  -TenantId "<target-tenant-id>" `
  -AppId "<public-client-app-id>" `
  -AuthMode Browser `
  -ImportPath "/tmp/intune-export/SourceTenantName"

Single entrypoint

pwsh ./Start-HeadlessIntune.ps1 `
  -Action Export `
  -TenantId "<source-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ExportPath "/tmp/intune-export"

pwsh ./Start-HeadlessIntune.ps1 `
  -Action Import `
  -TenantId "<target-tenant-id>" `
  -AppId "<app-id>" `
  -Secret "<client-secret>" `
  -ImportPath "/tmp/intune-export/SourceTenantName" `
  -ImportType alwaysImport

pwsh ./Start-HeadlessIntune.ps1 `
  -Action Export `
  -TenantId "<source-tenant-id>" `
  -AppId "<public-client-app-id>" `
  -AuthMode Browser `
  -RedirectUri "http://localhost" `
  -ExportPath "/tmp/intune-export"

Notes

  • Export writes a migration table used during cross-tenant import.
  • Import can translate dependency IDs and recreate missing assignment groups.
  • This repo intentionally does not preserve the old Windows UI launch flow.
  • Browser auth uses the system browser and a loopback redirect. If your app registration does not allow loopback redirects, pass -RedirectUri "http://localhost" and configure the same redirect URI in Entra ID.
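
The exported JSON sits on disk between export and import, and whatever is under -ImportPath is what gets imported into the target tenant, so one check worth running is a SHA-256 manifest written after export and verified before import. This is an added example, not code from this repository. The function names, the manifest location and the demo directory layout are assumptions; keep the manifest somewhere that writers of the export directory cannot reach.

```powershell
# Added example, not part of this repository. Get-ExportHashes, New-ExportManifest,
# Test-ExportManifest and the manifest path are hypothetical names.
function Get-ExportHashes([string] $Root) {
    # Relative path -> SHA-256 for every file under $Root, hidden files included.
    $map = [System.Collections.Generic.Dictionary[string,string]]::new([StringComparer]::Ordinal)
    foreach ($f in Get-ChildItem -LiteralPath $Root -Recurse -File -Force) {
        $rel = [System.IO.Path]::GetRelativePath($Root, $f.FullName)
        $map[$rel] = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
    return ,$map   # leading comma keeps the dictionary as a single object
}

function New-ExportManifest([string] $ExportPath, [string] $ManifestPath) {
    $root = (Resolve-Path -LiteralPath $ExportPath).Path
    Get-ExportHashes $root | ConvertTo-Json | Set-Content -LiteralPath $ManifestPath -Encoding utf8
}

function Test-ExportManifest([string] $ExportPath, [string] $ManifestPath) {
    # Returns one string per difference; no output means the tree matches the manifest.
    $root     = (Resolve-Path -LiteralPath $ExportPath).Path
    $expected = Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json -AsHashtable
    $actual   = Get-ExportHashes $root
    $problems = @()
    foreach ($rel in $actual.Keys) {
        if (-not $expected.ContainsKey($rel))       { $problems += "added: $rel" }
        elseif ($expected[$rel] -ne $actual[$rel]) { $problems += "modified: $rel" }
    }
    foreach ($rel in $expected.Keys) {
        if (-not $actual.ContainsKey($rel)) { $problems += "missing: $rel" }
    }
    return $problems
}

# Demo on a constructed export tree (the layout is made up for illustration).
$export   = Join-Path ([System.IO.Path]::GetTempPath()) "intune-export-demo-$PID"
$manifest = "$export.sha256.json"          # stored outside the export tree
$policy   = Join-Path $export 'SettingsCatalog/policy.json'
New-Item -ItemType Directory -Path (Split-Path $policy) -Force | Out-Null
Set-Content -LiteralPath $policy -Value '{"name":"constructed sample"}'
New-ExportManifest -ExportPath $export -ManifestPath $manifest

Add-Content -LiteralPath $policy -Value ' '   # simulate a change made after export
$problems = @(Test-ExportManifest -ExportPath $export -ManifestPath $manifest)
if ($problems.Count) { Write-Warning "Do not import: $($problems -join '; ')" }
```

In the workflow above, New-ExportManifest would run right after Export-Policies.ps1 and Test-ExportManifest right before Import-Policies.ps1, with the import skipped when any difference is reported.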