IntuneDeviceConfigurationPolicyMacOS: Test-DSCConfiguration reports that resource is not in desired state in some scenarios

[ricmestre]

Description of the issue

So now that I got the resource working I found out that there are two different problems with it in terms of testing its state after being deployed.

First problem is with Assignments, this CIM instance has some sub-properties that by default are either null or empty and those are not exported to the blueprint, so basically in terms of exporting the policy, then deleting it and finally recreating it with the same settings it works without issues but running Test-DSCConfiguration will fail (no errors, it just comes back as not in desired state) because those null or empty fields comparing to what's in the blueprint won't match since the properties are not there to begin with. To fix this is as simple as changing the code in Test-TargetResource used to compare CIM instances, I used the one that is used in MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined which I know works.

Second problem is with property CompliantAppsList, which takes an array of CIM instances of type MSFT_MicrosoftGraphapplistitemMacOS, and this one is tricky because of the whole breaking change conversation, so what happens here is that exports end up with an array of MSFT_MicrosoftGraphapplistitem so MacOS is missing from the end of the string which causes in itself 2 problems, one is that it cannot be redeployed to the tenant since the datatype is not correct according to the schema, the other problem is that albeit Test-DSCConfiguration doesn't fail it will always report that the resource it's not in desired state even if it's sub-properties are all correct.

Fix for second problem is as simple as changing Export-TargetResource to export the correct CIM instance, but wouldn't this be considered a breaking change? I bet no one is using this resource even for monitoring or they would report it ages ago, but if this falls in breaking change waters then the fix here that wouldn't be considered as one (contrary to all other cases) is to actually change its datatype in the schema and in the module to MSFT_MicrosoftGraphapplistitem since that's what's currently being exported to the blueprints.

@NikCharlebois I'll raise a PR with fixes for both problems, for the second one I'll make the change to export the correct CIM instance, if you think I should instead change the datatype please let me know.

Microsoft 365 DSC Version

1.24.110.1

Which workloads are affected

other

The DSC configuration

IntuneDeviceConfigurationPolicyMacOS "IntuneDeviceConfigurationPolicyMacOS-IntuneDeviceConfigurationPolicyMacOS_1"
        {
            AddingGameCenterFriendsBlocked                  = $True;
            AirDropBlocked                                  = $False;
            AppleWatchBlockAutoUnlock                       = $False;
            ApplicationId                                   = $IntuneApplicationId;
            Assignments                                     = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = '053dc89a-be83-411a-bad3-909904b7239e'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
                }
            );
            CameraBlocked                                   = $False;
            CertificateThumbprint                           = $IntuneCertThumbprint;
            ClassroomAppBlockRemoteScreenObservation        = $False;
            ClassroomAppForceUnpromptedScreenObservation    = $False;
            ClassroomForceAutomaticallyJoinClasses          = $False;
            ClassroomForceRequestPermissionToLeaveClasses   = $False;
            ClassroomForceUnpromptedAppAndDeviceLock        = $False;
            CompliantAppListType                            = "appsNotInListCompliant";
            CompliantAppsList                               = @(
                MSFT_MicrosoftGraphapplistitem{
                    name = 'appname2'
                    publisher = 'publisher'
                    appId = 'bundle'
                }
            );
            ContentCachingBlocked                           = $False;
            DefinitionLookupBlocked                         = $True;
            DisplayName                                     = "IntuneDeviceConfigurationPolicyMacOS_1";
            Ensure                                          = "Present";
            EraseContentAndSettingsBlocked                  = $False;
            GameCenterBlocked                               = $False;
            ICloudBlockActivityContinuation                 = $False;
            ICloudBlockAddressBook                          = $False;
            ICloudBlockBookmarks                            = $False;
            ICloudBlockCalendar                             = $False;
            ICloudBlockDocumentSync                         = $False;
            ICloudBlockMail                                 = $False;
            ICloudBlockNotes                                = $False;
            ICloudBlockPhotoLibrary                         = $False;
            ICloudBlockReminders                            = $False;
            ICloudDesktopAndDocumentsBlocked                = $False;
            ICloudPrivateRelayBlocked                       = $False;
            Id                                              = "498e741d-c26f-4d1d-9313-c50f84feed22";
            ITunesBlockFileSharing                          = $False;
            ITunesBlockMusicService                         = $False;
            KeyboardBlockDictation                          = $False;
            KeychainBlockCloudSync                          = $False;
            MultiplayerGamingBlocked                        = $False;
            PasswordBlockAirDropSharing                     = $False;
            PasswordBlockAutoFill                           = $False;
            PasswordBlockFingerprintUnlock                  = $False;
            PasswordBlockModification                       = $False;
            PasswordBlockProximityRequests                  = $False;
            PasswordBlockSimple                             = $False;
            PasswordRequired                                = $False;
            PasswordRequiredType                            = "deviceDefault";
            PrivacyAccessControls                           = @(
                MSFT_MicrosoftGraphmacosprivacyaccesscontrolitem{
                    displayName = 'test'
                    identifier = 'test45'
                    identifierType = 'path'
                    codeRequirement = 'test'
                    staticCodeValidation = $False
                    blockCamera = $True
                    blockMicrophone = $False
                    blockScreenCapture = $False
                    blockListenEvent = $False
                    speechRecognition = 'notConfigured'
                    accessibility = 'notConfigured'
                    addressBook = 'enabled'
                    calendar = 'notConfigured'
                    reminders = 'notConfigured'
                    photos = 'notConfigured'
                    mediaLibrary = 'notConfigured'
                    fileProviderPresence = 'notConfigured'
                    systemPolicyAllFiles = 'notConfigured'
                    systemPolicySystemAdminFiles = 'notConfigured'
                    systemPolicyDesktopFolder = 'notConfigured'
                    systemPolicyDocumentsFolder = 'notConfigured'
                    systemPolicyDownloadsFolder = 'notConfigured'
                    systemPolicyNetworkVolumes = 'notConfigured'
                    systemPolicyRemovableVolumes = 'notConfigured'
                    postEvent = 'notConfigured'
                }
            );
            SafariBlockAutofill                             = $False;
            ScreenCaptureBlocked                            = $False;
            SoftwareUpdateMajorOSDeferredInstallDelayInDays = 30;
            SoftwareUpdateMinorOSDeferredInstallDelayInDays = 30;
            SoftwareUpdateNonOSDeferredInstallDelayInDays   = 30;
            SoftwareUpdatesEnforcedDelayInDays              = 30;
            SpotlightBlockInternetResults                   = $False;
            TenantId                                        = $OrganizationName;
            UpdateDelayPolicy                               = @("delayOSUpdateVisibility","delayAppUpdateVisibility","delayMajorOsUpdateVisibility");
            WallpaperModificationBlocked                    = $False;
        }

Verbose logs showing the problem

Test-DSCConfiguration reports that resource is not in desired state

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US, en-GB}

Name                           Value
----                           -----
PSVersion                      5.1.22621.1778
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.1778
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1