104 lines
5.7 KiB
Markdown
104 lines
5.7 KiB
Markdown
# macOS Intune Toolkit Changelog
|
|
|
|
## 2026-04-16 — v4.0.1 — Accountability, PIM & Auth Management
|
|
|
|
### Modified
|
|
- **`Scripts/Initialize-IntuneAuth.ps1`**
|
|
- App registrations are now named after the **authenticated Entra user** (e.g., `IntuneManagement-tomas.kracmar@cqre.net`) instead of the local OS username. This improves audit-log traceability when multiple admins use the toolkit against the same tenant.
|
|
- Added `-Delete` switch to remove local tenant credentials (`Settings.json` + macOS Keychain) without touching the Entra app registration.
|
|
- Added `-DeleteApp` switch to delete both the **Entra app registration** and local credentials.
|
|
- Onboarding now automatically caches the tenant display name after auth setup, so the TUI shows friendly names immediately.
|
|
- Added `Organization.Read.All` to the `Connect-MgGraph` scopes to support tenant name caching.
|
|
|
|
- **`Scripts/Start-IntuneToolkit.ps1`**
|
|
- Added menu items **14** (delete local auth) and **15** (delete auth + app registration) to the TUI.
|
|
- Selecting **"[+ Onboard new tenant]"** now runs the auth initializer immediately and restarts the launcher, instead of dropping into the main menu for an unconfigured tenant.
|
|
- The TUI now exits cleanly after deleting tenant auth.
|
|
|
|
- **`README.md`**
|
|
- Added **Accountability & PIM caveats** section explaining the trade-offs of app-only auth versus delegated auth, and how app naming affects audit logs.
|
|
|
|
---
|
|
|
|
## 2026-04-13 — API Permissions Sync for `Initialize-IntuneAuth.ps1`
|
|
|
|
### Modified
|
|
- **`Scripts/Initialize-IntuneAuth.ps1`**
|
|
- Unified the required Microsoft Graph application permissions into a single `$requiredRoles` list defined before app creation/reuse logic:
|
|
- `DeviceManagementApps.ReadWrite.All`
|
|
- `DeviceManagementConfiguration.ReadWrite.All`
|
|
- `DeviceManagementManagedDevices.ReadWrite.All`
|
|
- `DeviceManagementScripts.ReadWrite.All`
|
|
- `DeviceManagementServiceConfig.ReadWrite.All`
|
|
- `DeviceManagementRBAC.ReadWrite.All`
|
|
- `Group.ReadWrite.All`
|
|
- `Directory.Read.All`
|
|
- `User.Read.All`
|
|
- `Organization.Read.All`
|
|
- `Policy.ReadWrite.ConditionalAccess`
|
|
- `Agreement.ReadWrite.All`
|
|
- `CloudPC.ReadWrite.All`
|
|
- `Application.Read.All`
|
|
- **Existing app patching**: When reusing an existing app registration, the script now inspects its current `RequiredResourceAccess`. If any required permissions are missing, it patches the app via `Update-MgApplication`, refreshes the local app object, and the downstream admin-consent loop automatically grants consent for the newly added roles.
|
|
|
|
---
|
|
|
|
## Prior delivered changes (context summary)
|
|
|
|
### New scripts added
|
|
- `Scripts/Bulk-AppAssignment.ps1` — bulk-assign apps to groups/All Users/All Devices
|
|
- `Scripts/Bulk-AssignmentManager.ps1` — add/remove assignments for any policy type using correct `@odata.type` and bulk `/assign` endpoint
|
|
- `Scripts/Backup-Restore-Assignments.ps1` — JSON backup with cross-tenant group name resolution
|
|
- `Scripts/Export-AssignmentsToCsv.ps1` — CSV and Markdown documentation output
|
|
- `Scripts/Bulk-RenamePolicies.ps1` — search/replace, add/strip prefix across displayName/description
|
|
- `Scripts/Bulk-DeviceOperations.ps1` — delete/retire/wipe/lock/sync with `-WhatIf` safeguards
|
|
- `Scripts/Start-IntuneToolkit.ps1` — unified reverse-numbered `fzf`-based launcher
|
|
- `Scripts/Initialize-IntuneAuth.ps1` — one-time Entra app + secret + Keychain setup
|
|
|
|
### Core / Extensions / Headless changes
|
|
- **`Extensions/MSGraph.psm1`**
|
|
- `Invoke-GraphRequest` now throws on 4xx/5xx HTTP errors (was silently returning null)
|
|
- Added `-AllPages` support to `Get-GraphObjects` and toolkit queries for large tenants
|
|
- **`Headless/IntuneManagement.Headless.psm1`**
|
|
- Expanded `Get-DefaultIntunePolicyObjectTypes` to ~45 types, including `DeviceManagementIntents`
|
|
- Threaded `NameSearchPattern` / `NameReplacePattern` through export/import/action flows
|
|
- **Settings Catalog fixes**
|
|
- Uses `name` property instead of `displayName` for queries/labels
|
|
- Assignments use `#microsoft.graph.deviceManagementConfigurationPolicyAssignment` and the bulk `POST …/assign` endpoint
|
|
- **TUI / `fzf`**
|
|
- Spacebar toggle, Esc to go back, reverse numbering (10→1) in unified launcher
|
|
|
|
|
|
## 2026-04-13 — Declarative Baseline Deployer
|
|
|
|
### Added
|
|
- **`Scripts/Deploy-IntuneBaseline.ps1`**
|
|
- YAML-driven one-click deployment of Intune policies + assignments to new tenants.
|
|
- Supports global and per-policy name mutations (`search`/`replace` or `prefix`).
|
|
- Auto-creates cloud-only security groups if missing.
|
|
- Idempotent imports with configurable conflict resolution (`Skip`, `Update`, `Error`).
|
|
- Full `-WhatIf` dry-run support.
|
|
- Handles 20+ policy types including Settings Catalog (`name` property), EndpointSecurity (settings file companion upload), and Applications.
|
|
- Integrates with existing auth stack (Settings.json / macOS Keychain).
|
|
|
|
- **`Scripts/ConvertTo-IntuneBaseline.ps1`**
|
|
- Converts an existing toolkit export folder into a baseline YAML skeleton.
|
|
- Maps folder names to baseline types, extracts display names, and generates empty assignment blocks.
|
|
|
|
- **`Baselines/OpenIntuneBaseline.example.yaml`**
|
|
- Example manifest demonstrating groups, mutations, policies, and assignments.
|
|
|
|
### Dependencies
|
|
- `powershell-yaml` module (auto-install prompt if missing).
|
|
|
|
|
|
## 2026-04-13 — Unified Launcher: Baseline Deployer Integration
|
|
|
|
### Modified
|
|
- **`Scripts/Start-IntuneToolkit.ps1`**
|
|
- Added menu entries for baseline deployment:
|
|
- `10. Deploy baseline`
|
|
- `11. Deploy baseline (dry-run / WhatIf)`
|
|
- Forwards `-WhatIf` switch correctly when dry-run option is selected.
|
|
- Ensures `WhatIf` flag is cleared between loop iterations to avoid leakage to other tools.
|