macOS_IntuneManagement/OPERATIONS_LOG.md

# Agent Operations Log

## Session: 2026-04-13T13:31:37+02:00

### Task
Update `Initialize-IntuneAuth.ps1` to ensure the Entra app registration is granted all Microsoft Graph permissions required by the expanded macOS Intune Toolkit, and log all operations.

---

## Operations performed

1. **ReadFile**
   - Path: `/Users/avedelphina/Local/IntuneManagement/Scripts/Initialize-IntuneAuth.ps1`
   - Line offset: `140`, Lines: `60`
   - Purpose: Inspect the existing roles array and app creation logic.

2. **StrReplaceFile**
   - Path: `/Users/avedelphina/Local/IntuneManagement/Scripts/Initialize-IntuneAuth.ps1`
   - Change: Replaced the inline `$roles` array + app creation block with a unified `$requiredRoles` list and added logic to patch missing permissions into an existing app registration via `Update-MgApplication`.
   - Impact: New apps get the full permission set; existing apps are updated if roles are missing.

3. **Grep**
   - Path: `/Users/avedelphina/Local/IntuneManagement/Scripts/Initialize-IntuneAuth.ps1`
   - Pattern: `New-MgServicePrincipalAppRoleAssignment`
   - Purpose: Verify the downstream admin-consent loop would pick up updated roles.

4. **ReadFile**
   - Path: `/Users/avedelphina/Local/IntuneManagement/Scripts/Initialize-IntuneAuth.ps1`
   - Line offset: `220`, Lines: `50`
   - Purpose: Inspect the consent-granting region around `New-MgServicePrincipalAppRoleAssignment`.

5. **Grep**
   - Path: `/Users/avedelphina/Local/IntuneManagement/Scripts/Initialize-IntuneAuth.ps1`
   - Pattern: `\$roles`
   - Purpose: Confirm no stale `$roles` references remained after the refactor.

6. **Shell**
   - Command: `pwsh -Command "$ErrorActionPreference='Stop'; Get-Command /Users/avedelphina/Local/IntuneManagement/Scripts/Initialize-IntuneAuth.ps1 | Out-Null; Write-Host 'Syntax OK'"`
   - Result: Syntax OK (PowerShell parsed the script without errors).

7. **Shell**
   - Command: `cd /Users/avedelphina/Local/IntuneManagement && git diff -- Scripts/Initialize-IntuneAuth.ps1`
   - Result: No diff output (file is untracked in git).

8. **Shell**
   - Command: `cd /Users/avedelphina/Local/IntuneManagement && git status --short`
   - Result: Listed modified and untracked files, confirming `Scripts/Initialize-IntuneAuth.ps1` is `??` (untracked).

9. **WriteFile**
   - Path: `/Users/avedelphina/Local/IntuneManagement/CHANGELOG_macOS_IntuneToolkit.md`
   - Content: High-level changelog of the permissions update and prior context.

10. **WriteFile**
    - Path: `/Users/avedelphina/Local/IntuneManagement/OPERATIONS_LOG.md`
    - Content: This file.

---

## Files modified in this session
- `Scripts/Initialize-IntuneAuth.ps1`

## Files created in this session
- `CHANGELOG_macOS_IntuneToolkit.md`
- `OPERATIONS_LOG.md`


## Session: 2026-04-13 (continuation)

### Task
Build a declarative Intune baseline deployment system (YAML manifest + deployer script + converter helper).

---

## Operations performed

1. **ReadFile**
   - Path: `/Users/avedelphina/Local/IntuneManagement/Scripts/Bulk-AssignmentManager.ps1`
   - Purpose: Studied auth bootstrap pattern, `$assignableTypes` registry, and assignment payload format.

2. **ReadFile**
   - Path: `/Users/avedelphina/Local/IntuneManagement/Extensions/MSGraph.psm1`
   - Purpose: Verified `Invoke-GraphRequest` parameter names (`Content` alias `Body`, `HttpMethod` alias `Method`).

3. **WriteFile**
   - Path: `/Users/avedelphina/Local/IntuneManagement/Baselines/OpenIntuneBaseline.example.yaml`
   - Content: Example baseline manifest with groups, mutations, and policy assignments.

4. **WriteFile**
   - Path: `/Users/avedelphina/Local/IntuneManagement/Scripts/Deploy-IntuneBaseline.ps1`
   - Content: Main deployer script (~550 lines) with YAML parsing, group creation, policy import/update, mutation, idempotency, and assignment deployment.

5. **WriteFile**
   - Path: `/Users/avedelphina/Local/IntuneManagement/Scripts/ConvertTo-IntuneBaseline.ps1`
   - Content: Helper script that scans an export folder and emits a baseline YAML skeleton.

6. **Shell**
   - Commands: Syntax validation (`Get-Command`) on both new scripts.
   - Result: Both scripts parsed successfully.

7. **WriteFile (append)**
   - Path: `/Users/avedelphina/Local/IntuneManagement/CHANGELOG_macOS_IntuneToolkit.md`
   - Added changelog entry for the baseline deployer feature.

8. **WriteFile (append)**
   - Path: `/Users/avedelphina/Local/IntuneManagement/OPERATIONS_LOG.md`
   - Added this very entry.

## Files created in this session
- `Baselines/OpenIntuneBaseline.example.yaml`
- `Scripts/Deploy-IntuneBaseline.ps1`
- `Scripts/ConvertTo-IntuneBaseline.ps1`


## Session: 2026-04-13 (continuation 2)

### Task
Add the new `Deploy-IntuneBaseline.ps1` to the unified launcher menu, with separate dry-run and write entries.

---

## Operations performed

1. **ReadFile**
   - Path: `/Users/avedelphina/Local/IntuneManagement/Scripts/Start-IntuneToolkit.ps1`
   - Purpose: Inspect menu array, switch mapping, and parameter forwarding logic.

2. **StrReplaceFile**
   - Path: `/Users/avedelphina/Local/IntuneManagement/Scripts/Start-IntuneToolkit.ps1`
   - Changes:
     - Expanded `$menuItems` from 10→0 to 12→0, inserting `Deploy baseline (dry-run / WhatIf)` and `Deploy baseline`.
     - Added `switch` cases for `10` and `11` mapping to `Scripts/Deploy-IntuneBaseline.ps1`.
     - Added `$commonParams.Remove("WhatIf")` in the cleanup block to prevent flag leakage.

3. **Shell**
   - Command: Syntax validation on `Start-IntuneToolkit.ps1`.
   - Result: Syntax OK.

4. **WriteFile (append)**
   - Path: `/Users/avedelphina/Local/IntuneManagement/CHANGELOG_macOS_IntuneToolkit.md`
   - Added launcher integration changelog entry.

5. **WriteFile (append)**
   - Path: `/Users/avedelphina/Local/IntuneManagement/OPERATIONS_LOG.md`
   - Added this operations entry.

## Files modified in this session
- `Scripts/Start-IntuneToolkit.ps1`