macOS_IntuneManagement/CHANGELOG_macOS_IntuneToolkit.md
Tomas Kracmar c4b8f4aaf6 feat(baseline): declarative Intune baseline deployer
- Add Deploy-IntuneBaseline.ps1 for YAML-driven policy + assignment deployment
- Add ConvertTo-IntuneBaseline.ps1 to convert export folders to baseline manifests
- Add example OpenIntuneBaseline YAML in Baselines/
- Supports mutations, group auto-creation, idempotency, and WhatIf mode
2026-04-14 14:59:29 +02:00

macOS Intune Toolkit Changelog

2026-04-13 — API Permissions Sync for Initialize-IntuneAuth.ps1

Modified

  • Scripts/Initialize-IntuneAuth.ps1
    • Unified the required Microsoft Graph application permissions into a single $requiredRoles list defined before app creation/reuse logic:
      • DeviceManagementApps.ReadWrite.All
      • DeviceManagementConfiguration.ReadWrite.All
      • DeviceManagementManagedDevices.ReadWrite.All
      • DeviceManagementScripts.ReadWrite.All
      • DeviceManagementServiceConfig.ReadWrite.All
      • DeviceManagementRBAC.ReadWrite.All
      • Group.ReadWrite.All
      • Directory.Read.All
      • User.Read.All
      • Organization.Read.All
      • Policy.ReadWrite.ConditionalAccess
      • Agreement.ReadWrite.All
      • CloudPC.ReadWrite.All
      • Application.Read.All
    • Existing app patching: When reusing an existing app registration, the script now inspects its current RequiredResourceAccess. If any required permissions are missing, it patches the app via Update-MgApplication, refreshes the local app object, and the downstream admin-consent loop automatically grants consent for the newly added roles.
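
The permission diff behind the existing-app patching step, sketched offline as an added example (not the toolkit's own code). The helper name Get-MissingAppRole, the three-role subset and every role GUID are constructed placeholders; only the Microsoft Graph resource appId is the real well-known value.

```powershell
# Constructed sample data; the role GUIDs are placeholders, not real Graph role IDs.
$GraphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph resource appId

function Get-MissingAppRole {   # hypothetical helper name
    param(
        [string[]]  $RequiredRoles,           # role names, as in the $requiredRoles list
        [hashtable] $RoleIdByName,            # Graph app role name -> role id
        [object[]]  $RequiredResourceAccess   # the app's current RequiredResourceAccess
    )
    # IDs of application permissions (Type 'Role') already declared for Graph.
    $declared = @(
        $RequiredResourceAccess |
            Where-Object { $_.ResourceAppId -eq $GraphAppId } |
            ForEach-Object { $_.ResourceAccess } |
            Where-Object { $_.Type -eq 'Role' } |
            ForEach-Object { $_.Id }
    )
    foreach ($name in $RequiredRoles) {
        if (-not $RoleIdByName.ContainsKey($name)) {
            throw "Unknown Graph app role: $name"   # fail closed on a misspelled role
        }
        if ($declared -notcontains $RoleIdByName[$name]) {
            [pscustomobject]@{ Name = $name; Id = $RoleIdByName[$name] }
        }
    }
}

$roleIds = @{
    'Group.ReadWrite.All'   = '11111111-1111-1111-1111-111111111111'
    'Directory.Read.All'    = '22222222-2222-2222-2222-222222222222'
    'CloudPC.ReadWrite.All' = '33333333-3333-3333-3333-333333333333'
}
$required = 'Group.ReadWrite.All', 'Directory.Read.All', 'CloudPC.ReadWrite.All'
$current = @(
    [pscustomobject]@{
        ResourceAppId  = $GraphAppId
        ResourceAccess = @(
            [pscustomobject]@{ Id = $roleIds['Directory.Read.All']; Type = 'Role' }
        )
    }
)

$missing    = @(Get-MissingAppRole -RequiredRoles $required -RoleIdByName $roleIds -RequiredResourceAccess $current)
$graphEntry = $current | Where-Object { $_.ResourceAppId -eq $GraphAppId }
# Merged list: what a patch would send as the Graph entry's ResourceAccess.
$merged     = @($graphEntry.ResourceAccess) + @($missing | ForEach-Object {
    [pscustomobject]@{ Id = $_.Id; Type = 'Role' } })

$missing | Format-Table Name, Id
"Roles declared after patch: $($merged.Count)"
```

Printing this diff before Update-MgApplication runs lets a reviewer see exactly which roles the downstream admin-consent loop would go on to grant.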

Prior delivered changes (context summary)

New scripts added

  • Scripts/Bulk-AppAssignment.ps1 — bulk-assign apps to groups/All Users/All Devices
  • Scripts/Bulk-AssignmentManager.ps1 — add/remove assignments for any policy type using correct @odata.type and bulk /assign endpoint
  • Scripts/Backup-Restore-Assignments.ps1 — JSON backup with cross-tenant group name resolution
  • Scripts/Export-AssignmentsToCsv.ps1 — CSV and Markdown documentation output
  • Scripts/Bulk-RenamePolicies.ps1 — search/replace, add/strip prefix across displayName/description
  • Scripts/Bulk-DeviceOperations.ps1 — delete/retire/wipe/lock/sync with -WhatIf safeguards
  • Scripts/Start-IntuneToolkit.ps1 — unified reverse-numbered fzf-based launcher
  • Scripts/Initialize-IntuneAuth.ps1 — one-time Entra app + secret + Keychain setup

Core / Extensions / Headless changes

  • Extensions/MSGraph.psm1
    • Invoke-GraphRequest now throws on 4xx/5xx HTTP errors (was silently returning null)
    • Added -AllPages support to Get-GraphObjects and toolkit queries for large tenants
  • Headless/IntuneManagement.Headless.psm1
    • Expanded Get-DefaultIntunePolicyObjectTypes to ~45 types, including DeviceManagementIntents
    • Threaded NameSearchPattern / NameReplacePattern through export/import/action flows
  • Settings Catalog fixes
    • Uses name property instead of displayName for queries/labels
    • Assignments use #microsoft.graph.deviceManagementConfigurationPolicyAssignment and the bulk POST …/assign endpoint
  • TUI / fzf
    • Spacebar toggle, Esc to go back, reverse numbering (10→1) in unified launcher

2026-04-13 — Declarative Baseline Deployer

Added

  • Scripts/Deploy-IntuneBaseline.ps1
    • YAML-driven one-click deployment of Intune policies + assignments to new tenants.
    • Supports global and per-policy name mutations (search/replace or prefix).
    • Auto-creates cloud-only security groups if missing.
    • Idempotent imports with configurable conflict resolution (Skip, Update, Error).
    • Full -WhatIf dry-run support.
    • Handles 20+ policy types including Settings Catalog (name property), EndpointSecurity (settings file companion upload), and Applications.
    • Integrates with existing auth stack (Settings.json / macOS Keychain).
  • Scripts/ConvertTo-IntuneBaseline.ps1
    • Converts an existing toolkit export folder into a baseline YAML skeleton.
    • Maps folder names to baseline types, extracts display names, and generates empty assignment blocks.
  • Baselines/OpenIntuneBaseline.example.yaml
    • Example manifest demonstrating groups, mutations, policies, and assignments.

Dependencies

  • powershell-yaml module (auto-install prompt if missing).