e13d14edcb7b794c5ab1dd08fefaa927cc3dab4b
Core enhancements:
- Expanded default export/import scope to ~45 object types including DeviceManagementIntents
- Added -AllPages pagination support across Graph queries for large tenants
- Invoke-GraphRequest now throws on 4xx/5xx instead of silently returning null
- Added macOS Keychain fallback for secret retrieval in headless auth flow
- Added NameSearchPattern/NameReplacePattern mutation support through export/import forms
New toolkit scripts:
- Bulk-AppAssignment.ps1: bulk-assign apps to groups/All Users/All Devices
- Bulk-AssignmentManager.ps1: add/remove assignments for any policy type with correct @odata.type
- Backup-Restore-Assignments.ps1: JSON backup with cross-tenant group resolution
- Export-AssignmentsToCsv.ps1: CSV/Markdown documentation output
- Bulk-RenamePolicies.ps1: regex search/replace and prefix mutations
- Bulk-DeviceOperations.ps1: delete/retire/wipe/lock/sync with -WhatIf safeguards
- Start-IntuneManagementTui.ps1: interactive terminal UI for headless operations
- Create-IntuneManagementApp.ps1: helper for app registration setup
Updated existing scripts:
- Export-Policies.ps1 / Import-Policies.ps1: wired mutation params through
- Start-HeadlessIntune.ps1: integrated TUI and new parameter forwarding
macOS Intune Management
Cross-platform, headless Intune policy export/import with PowerShell.
This repository is now CLI-first. The old WPF application surface has been removed from the repo. The supported workflow is:
- export policies from a source tenant
- store the exported JSON and migration table
- import into a target tenant with app-only or browser authentication
Entry points
- Start-HeadlessIntune.ps1
- Scripts/Export-Policies.ps1
- Scripts/Import-Policies.ps1
- Headless/IntuneManagement.Headless.psd1
Runtime
- pwsh 7+
- Microsoft Graph app registration
- App-only auth with client secret or certificate, or browser auth with a public client redirect URI
Default object types
The default headless policy scope is:
- DeviceConfiguration
- SettingsCatalog
- AdministrativeTemplates
- CompliancePolicies
- EndpointSecurity
- PolicySets
You can override that list with -ObjectTypes.
Export
pwsh ./Scripts/Export-Policies.ps1 `
-TenantId "<source-tenant-id>" `
-AppId "<app-id>" `
-Secret "<client-secret>" `
-ExportPath "/tmp/intune-export" `
-IncludeAssignments
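Added example, not part of this repository: the same export with the client secret resolved at run time instead of typed on the command line, where it would land in shell history and the process list. The environment variable name INTUNE_CLIENT_SECRET, the Keychain service name intune-export-secret and the export directory are assumptions, and -Secret is assumed to take a plain string as shown above.

```powershell
#Requires -Version 7.0
# Added example (not the project's own code). Hypothetical names:
# INTUNE_CLIENT_SECRET, 'intune-export-secret', ~/intune-export.

function Get-ClientSecret {
    param([string]$KeychainService = 'intune-export-secret')

    # 1. Prefer a secret injected by a CI system or secrets manager.
    $fromEnv = [Environment]::GetEnvironmentVariable('INTUNE_CLIENT_SECRET')
    if ($fromEnv) { return $fromEnv }

    # 2. On macOS, read a generic password item from the user's Keychain.
    #    'security find-generic-password -w' prints only the password.
    if ($IsMacOS) {
        $value = & /usr/bin/security find-generic-password -s $KeychainService -w 2>$null
        if ($LASTEXITCODE -eq 0 -and $value) { return $value }
    }

    # 3. Fail closed rather than continuing with an empty secret.
    throw "No client secret in INTUNE_CLIENT_SECRET or Keychain service '$KeychainService'."
}

# Exported policy JSON describes the tenant's configuration, so write it to a
# directory only the current user can read instead of a shared location.
$exportPath = Join-Path $HOME 'intune-export'
New-Item -ItemType Directory -Path $exportPath -Force -ErrorAction Stop | Out-Null
if (-not $IsWindows) { & chmod 700 $exportPath }

$exportArgs = @{
    TenantId           = '<source-tenant-id>'
    AppId              = '<app-id>'
    Secret             = Get-ClientSecret
    ExportPath         = $exportPath
    IncludeAssignments = $true
}

# Invoking the script in-process with splatting keeps the secret out of the
# argument list of a new pwsh process.
& ./Scripts/Export-Policies.ps1 @exportArgs
```

Run it from the repository root inside an existing pwsh session.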
Export with browser auth
pwsh ./Scripts/Export-Policies.ps1 `
-TenantId "<source-tenant-id>" `
-AuthMode Browser `
-ExportPath "/tmp/intune-export"
Import
pwsh ./Scripts/Import-Policies.ps1 `
-TenantId "<target-tenant-id>" `
-AppId "<app-id>" `
-Secret "<client-secret>" `
-ImportPath "/tmp/intune-export/SourceTenantName" `
-ImportType alwaysImport `
-IncludeAssignments `
-IncludeScopeTags `
-ReplaceDependencyIds
Import with browser auth
pwsh ./Scripts/Import-Policies.ps1 `
-TenantId "<target-tenant-id>" `
-AuthMode Browser `
-ImportPath "/tmp/intune-export/SourceTenantName"
Single entrypoint
pwsh ./Start-HeadlessIntune.ps1 `
-Action Export `
-TenantId "<source-tenant-id>" `
-AppId "<app-id>" `
-Secret "<client-secret>" `
-ExportPath "/tmp/intune-export"

pwsh ./Start-HeadlessIntune.ps1 `
-Action Import `
-TenantId "<target-tenant-id>" `
-AppId "<app-id>" `
-Secret "<client-secret>" `
-ImportPath "/tmp/intune-export/SourceTenantName" `
-ImportType alwaysImport

pwsh ./Start-HeadlessIntune.ps1 `
-Action Export `
-TenantId "<source-tenant-id>" `
-AuthMode Browser `
-RedirectUri "http://localhost" `
-ExportPath "/tmp/intune-export"
Notes
- Export writes a migration table used during cross-tenant import.
- Import can translate dependency IDs and recreate missing assignment groups.
- This repo intentionally does not preserve the old Windows UI launch flow.
- Browser auth uses the system browser and a loopback redirect.
- If you omit -AppId with -AuthMode Browser, the CLI defaults to the Microsoft Graph PowerShell public client app id 14d82eec-204b-4c2f-b7e8-296a70dab67e.
- If your own app registration does not allow loopback redirects, pass -AppId and -RedirectUri "http://localhost" and configure the same redirect URI in Entra ID.