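<#
.SYNOPSIS
Keeps a security group in sync with the devices on which a given application is detected.
.AUTHOR
jorgeasaurus
.DESCRIPTION
This function manages a group of devices with a specified application installed.
It adds devices to the group if the application is detected and removes devices from the group
if the application is no longer detected.

The group is named "<AppDisplayName with non-alphanumerics stripped>_Installed_Devices" and is
created as a mail-disabled security group when it does not exist yet.
If no detected install of the application exists in the tenant, the function reports that and
leaves any existing group untouched (it does not empty it).
.PARAMETER AppDisplayName
The display name of the application to search for (exact match against the detected-app
displayName). Single quotes in the name are escaped before being placed in the OData filter.
.EXAMPLE
Invoke-AppInstalledDevicesGroup -AppDisplayName "Adobe Acrobat (64-bit)"
This example manages a group of devices with Adobe Acrobat (64-bit) installed.
.OUTPUTS
None. Progress is written with Write-Host; failures are reported with Write-Warning and the
function returns without throwing.
.NOTES
Required PowerShell Modules:
Name Version
---- -------
Microsoft.Graph.Authentication 2.15.0
Microsoft.Graph.Beta.DeviceManagement 2.15.0
Microsoft.Graph.Beta.Groups 2.15.0
Microsoft.Graph.Beta.Identity.DirectoryManagement 2.15.0
Required Microsoft Graph API Permissions:
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementManagedDevices.ReadWrite.All
- Directory.ReadWrite.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- Device.ReadWrite.All
Least privilege: the cmdlets used below only read detected apps, managed devices and device
objects, and read/write groups and group membership. Confirm whether every write scope listed
above is actually needed for the connected session before consenting to it.
#>
function Invoke-AppInstalledDevicesGroup {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$AppDisplayName
    )

    # Escape a value for use inside a single-quoted OData string literal.
    # OData doubles embedded single quotes; without this, a display name such
    # as "Jorge's App" produces a malformed (or unintended) filter expression.
    function ConvertTo-ODataStringLiteral {
        param ([string]$Value)
        return $Value -replace "'", "''"
    }

    # Resolve a device display name to exactly one directory device object.
    # Returns $null (with a warning) when zero or several devices share the
    # name, so the caller skips the membership change instead of passing an
    # array or $null to -DirectoryObjectId.
    function Resolve-DeviceByDisplayName {
        param ([string]$DisplayName)
        $escapedName = ConvertTo-ODataStringLiteral -Value $DisplayName
        $candidates = @(Get-MgBetaDevice -Filter "displayName eq '$escapedName'" -All -ErrorAction Stop)
        if ($candidates.Count -ne 1) {
            Write-Warning "Expected exactly one device named '$DisplayName' but found $($candidates.Count); skipping."
            return $null
        }
        return $candidates[0]
    }

    try {
        $escapedAppName = ConvertTo-ODataStringLiteral -Value $AppDisplayName

        # -All pages through every result. Reading only the default first page
        # would silently truncate the install list, and the clean-up step below
        # would then remove devices that still have the application.
        $DetectedInstalls = @(Get-MgBetaDeviceManagementDetectedApp -Filter "displayName eq '$escapedAppName'" -All -ErrorAction Stop)

        if ($DetectedInstalls.Count -eq 0) {
            Write-Host "No installs found for '$AppDisplayName' in your tenant."
            return
        }

        # Distinct device names reported for any detected install of the app.
        $DetectedInstallHostnames = @(
            $DetectedInstalls | ForEach-Object {
                Get-MgBetaDeviceManagementDetectedAppManagedDevice -DetectedAppId $_.Id -All -ErrorAction Stop |
                    Select-Object DeviceName
            } | Select-Object DeviceName -Unique
        )

        # MailNickname accepts a restricted character set, so strip everything
        # that is not alphanumeric before reusing the name for both fields.
        $GroupName = "$($AppDisplayName -replace '[^a-zA-Z0-9]', '')_Installed_Devices"
        $GroupDescription = "Devices with [$AppDisplayName] installed"

        # Look the group up by display name; create it on first run.
        $Group = Get-MgBetaGroup -Filter "displayName eq '$GroupName'" -ErrorAction Stop | Select-Object -First 1
        if (-not $Group) {
            $GroupParams = @{
                DisplayName     = $GroupName
                Description     = $GroupDescription
                MailEnabled     = $false
                MailNickname    = $GroupName
                SecurityEnabled = $true
                GroupTypes      = @()
            }
            # -ErrorAction Stop so a failed create is reported here rather than
            # as a confusing null GroupId error further down.
            $Group = New-MgBetaGroup @GroupParams -ErrorAction Stop
            Write-Host "Device Group '$GroupName' created."
        }

        # Resolve current members to device objects. Only device members are
        # considered: a group may also hold users or nested groups, and
        # Get-MgBetaDevice would throw on those IDs and abort the whole run.
        $CurrentGroupMembers = @(
            Get-MgBetaGroupMember -GroupId $Group.Id -All -ErrorAction Stop |
                Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.device' } |
                ForEach-Object { Get-MgBetaDevice -DeviceId $_.Id -ErrorAction Stop }
        )

        # Add every detected device that is not yet a member.
        foreach ($DetectedInstallHostname in $DetectedInstallHostnames) {
            $DeviceName = $DetectedInstallHostname.DeviceName
            $IsInGroup = $CurrentGroupMembers | Where-Object { $_.DisplayName -eq $DeviceName }
            if ($IsInGroup) { continue }

            $deviceObject = Resolve-DeviceByDisplayName -DisplayName $DeviceName
            if ($null -eq $deviceObject) { continue }

            New-MgBetaGroupMember -GroupId $Group.Id -DirectoryObjectId $deviceObject.Id -ErrorAction Stop
            Write-Host "Added $DeviceName to group '$GroupName'."
        }

        # Clean up: remove members whose device no longer reports the app.
        foreach ($GroupMember in $CurrentGroupMembers) {
            $IsStillDetected = $DetectedInstallHostnames | Where-Object { $_.DeviceName -eq $GroupMember.DisplayName }
            if ($IsStillDetected) { continue }

            # The member object already carries its directory object ID, so no
            # second display-name lookup (with its same-name ambiguity) is needed.
            Remove-MgBetaGroupMemberByRef -GroupId $Group.Id -DirectoryObjectId $GroupMember.Id -ErrorAction Stop
            Write-Host "Removed $($GroupMember.DisplayName) from group '$GroupName' as '$AppDisplayName' is no longer detected."
        }
    }
    catch {
        # Report the error that was actually caught rather than the most recent
        # entry in the global $error collection.
        Write-Warning $_.Exception.Message
    }
}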