Src/Private/Get-AbrIntuneAppConfigPolicies.ps1
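function Get-AbrIntuneAppConfigPolicies {
    <#
    .SYNOPSIS
    Documents Intune App Configuration Policies (managed device and managed app).
    .DESCRIPTION
    Collects and reports on:
      - Managed Device App Configuration policies (settings pushed to enrolled devices)
      - Managed App (MAM) App Configuration policies (settings pushed via App Protection)
      - Assignments with resolved group names and exclusion detection

    Both Graph queries are read-only GETs. Every result page is followed, so the
    report is not silently truncated, and a failed query is reported as a failure
    instead of as an empty tenant.
    .PARAMETER TenantId
    Tenant identifier. Only interpolated into report text, table names and log messages.
    .NOTES
    Version:        0.1.0
    Author:         Pai Wei Sing
    #>
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory)]
        [string]$TenantId
    )

    begin {
        Write-PScriboMessage -Message "Collecting Intune App Configuration Policies for $TenantId."
        Show-AbrDebugExecutionTime -Start -TitleMessage 'App Config Policies'
    }

    process {
        # Follows '@odata.nextLink' until the collection is exhausted. Reading only the
        # first page would under-report policies in larger tenants.
        # -ErrorAction Stop makes every Graph failure terminating so the caller's catch
        # block sees it; with SilentlyContinue a suppressed error is indistinguishable
        # from an empty result.
        $GetAllGraphPages = {
            param ([string]$Uri)
            while ($Uri) {
                $Page = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop
                if ($Page.value) { $Page.value }
                $Uri = $Page.'@odata.nextLink'
            }
        }

        Section -Style Heading2 'App Configuration Policies' {
            Paragraph "The following section documents App Configuration Policies configured in tenant $TenantId."
            BlankLine

            $TotalAppConfigPolicies = 0
            # NOTE(review): incremented below but never read in this function.
            $UnassignedAppConfigCount = 0
            # Set when either query fails, so the report never states "none found"
            # for data it could not read.
            $RetrievalFailed = $false

            #region Managed Device App Config Policies
            try {
                Write-Host " - Retrieving App Configuration Policies (managed devices)..."
                # beta endpoint: the response schema can change without notice.
                $MdmConfigs = @(& $GetAllGraphPages "$($script:GraphEndpoint)/beta/deviceAppManagement/mobileAppConfigurations?`$expand=assignments")

                if ($MdmConfigs.Count -gt 0) {
                    $TotalAppConfigPolicies += $MdmConfigs.Count

                    Section -Style Heading3 'Managed Device App Configurations' {
                        BlankLine
                        $MdmObj = [System.Collections.ArrayList]::new()

                        foreach ($Cfg in ($MdmConfigs | Sort-Object displayName)) {
                            $assignResolved = Resolve-IntuneAssignments -Assignments $Cfg.assignments -CheckMemberCount:$script:CheckEmptyGroups
                            if ($assignResolved.AssignmentSummary -eq 'Not assigned') {
                                $null = ($UnassignedAppConfigCount++)
                            }

                            $scopeTagStr = if ($script:ResolveScopeTagNames -and $Cfg.roleScopeTagIds) {
                                Get-IntuneScopeTagNames -ScopeTagIds $Cfg.roleScopeTagIds
                            } else {
                                'Default'
                            }

                            $targetApps = if ($Cfg.targetedMobileApps -and @($Cfg.targetedMobileApps).Count -gt 0) {
                                "$(@($Cfg.targetedMobileApps).Count) app(s)"
                            } else {
                                '--'
                            }

                            $cfgInObj = [ordered] @{
                                'Policy Name'     = $Cfg.displayName
                                'Platform'        = if ($Cfg.targetedMobileApps) { 'MDM' } else { '--' }
                                'Targeted Apps'   = $targetApps
                                'Included Groups' = $assignResolved.IncludedGroups
                                'Excluded Groups' = if ($script:ShowExcludedGroups) { $assignResolved.ExcludedGroups } else { $null }
                                'Scope Tags'      = $scopeTagStr
                                'Last Modified'   = if ($Cfg.lastModifiedDateTime) { ([datetime]$Cfg.lastModifiedDateTime).ToString('yyyy-MM-dd') } else { '--' }
                            }
                            $MdmObj.Add([pscustomobject]$cfgInObj) | Out-Null
                        }

                        # Health check: highlight rows whose 'Included Groups' cell is '--'.
                        if ($HealthCheck.Intune.AppManagement) {
                            $MdmObj | Where-Object { $_.'Included Groups' -eq '--' } | Set-Style -Style Warning | Out-Null
                        }

                        $MdmTableParams = @{
                            Name         = "Managed Device App Configurations - $TenantId"
                            ColumnWidths = 18, 7, 10, 20, 18, 8, 19
                        }
                        if ($Report.ShowTableCaptions) {
                            $MdmTableParams['Caption'] = "- $($MdmTableParams.Name)"
                        }
                        $MdmObj | Table @MdmTableParams

                        if (Get-IntuneExcelSheetEnabled -SheetKey 'AppConfigPolicies') {
                            $script:ExcelSheets['App Config Policies (MDM)'] = $MdmObj
                        }
                        if (Get-IntuneBackupSectionEnabled -SectionKey 'AppConfigPolicies') {
                            # Stores the raw Graph policy objects, not the summarised table rows.
                            # NOTE(review): raw app configuration payloads may carry values an
                            # organisation considers sensitive; handle the backup output accordingly.
                            # NOTE(review): only the managed-device policies are backed up here;
                            # the MAM policies below are not - confirm that is intended.
                            $script:BackupData['AppConfigPolicies'] = $MdmConfigs
                        }
                    }
                }
            } catch {
                $RetrievalFailed = $true
                if (Test-AbrGraphForbidden -ErrorRecord $_) {
                    # NOTE(review): this function only issues GET requests; confirm whether a
                    # read-only role or the DeviceManagementApps.Read.All scope is sufficient
                    # before advising operators to use an administrator role.
                    Write-AbrPermissionError -Section 'App Configuration Policies' -RequiredRole 'Intune Service Administrator or Global Administrator'
                } else {
                    Write-AbrSectionError -Section 'App Configuration Policies' -Message "$($_.Exception.Message)"
                }
            }
            #endregion

            #region MAM App Config Policies
            try {
                Write-Host " - Retrieving App Configuration Policies (managed apps / MAM)..."
                # beta endpoint: the response schema can change without notice.
                $MamConfigs = @(& $GetAllGraphPages "$($script:GraphEndpoint)/beta/deviceAppManagement/targetedManagedAppConfigurations?`$expand=assignments")

                if ($MamConfigs.Count -gt 0) {
                    $TotalAppConfigPolicies += $MamConfigs.Count

                    Section -Style Heading3 'Managed App (MAM) Configurations' {
                        BlankLine
                        $MamObj = [System.Collections.ArrayList]::new()

                        foreach ($Cfg in ($MamConfigs | Sort-Object displayName)) {
                            $assignResolved = Resolve-IntuneAssignments -Assignments $Cfg.assignments -CheckMemberCount:$script:CheckEmptyGroups
                            if ($assignResolved.AssignmentSummary -eq 'Not assigned') {
                                $null = ($UnassignedAppConfigCount++)
                            }

                            # Only counts are reported for apps and custom settings; the
                            # setting values themselves are not written to the report.
                            $cfgInObj = [ordered] @{
                                'Policy Name'     = $Cfg.displayName
                                'Deployed Apps'   = if ($Cfg.apps) { @($Cfg.apps).Count } else { 0 }
                                'Settings Count'  = if ($Cfg.customSettings) { @($Cfg.customSettings).Count } else { 0 }
                                'Included Groups' = $assignResolved.IncludedGroups
                                'Excluded Groups' = if ($script:ShowExcludedGroups) { $assignResolved.ExcludedGroups } else { $null }
                                'Last Modified'   = if ($Cfg.lastModifiedDateTime) { ([datetime]$Cfg.lastModifiedDateTime).ToString('yyyy-MM-dd') } else { '--' }
                            }
                            $MamObj.Add([pscustomobject]$cfgInObj) | Out-Null
                        }

                        # Health check: highlight rows whose 'Included Groups' cell is '--'.
                        if ($HealthCheck.Intune.AppManagement) {
                            $MamObj | Where-Object { $_.'Included Groups' -eq '--' } | Set-Style -Style Warning | Out-Null
                        }

                        $MamTableParams = @{
                            Name         = "Managed App Configurations (MAM) - $TenantId"
                            ColumnWidths = 22, 12, 11, 22, 18, 15
                        }
                        if ($Report.ShowTableCaptions) {
                            $MamTableParams['Caption'] = "- $($MamTableParams.Name)"
                        }
                        $MamObj | Table @MamTableParams

                        if (Get-IntuneExcelSheetEnabled -SheetKey 'AppConfigPolicies') {
                            # Append when the sheet already holds rows, otherwise create it.
                            if ($script:ExcelSheets['App Config Policies (MAM)']) {
                                $script:ExcelSheets['App Config Policies (MAM)'] += $MamObj
                            } else {
                                $script:ExcelSheets['App Config Policies (MAM)'] = $MamObj
                            }
                        }
                    }
                }
            } catch {
                $RetrievalFailed = $true
                if (Test-AbrGraphForbidden -ErrorRecord $_) {
                    Write-AbrPermissionError -Section 'MAM App Configuration Policies' -RequiredRole 'Intune Service Administrator or Global Administrator'
                } else {
                    Write-AbrSectionError -Section 'MAM App Configuration Policies' -Message "$($_.Exception.Message)"
                }
            }
            #endregion

            # Claim "none found" only when both queries actually completed; after a
            # failed query a zero count says nothing about the tenant.
            if ($TotalAppConfigPolicies -eq 0 -and -not $RetrievalFailed) {
                Paragraph "No App Configuration Policies found in tenant $TenantId."
            }
        }
    }

    end {
        Show-AbrDebugExecutionTime -End -TitleMessage 'App Config Policies'
    }
}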