Could not create iosManagedAppProtections policy #4
Comments
Hi @dballardmaung,

The following will work for you:

```powershell
New-DeviceAppManagement_ManagedAppPolicies `
    -iosManagedAppProtection `
    -displayName "iOS MAM / APP Policy" `
    -periodOfflineBeforeAccessCheck (New-TimeSpan -Hours 12) `
    -periodOnlineBeforeAccessCheck (New-TimeSpan -Minutes 30) `
    -allowedInboundDataTransferSources managedApps `
    -allowedOutboundDataTransferDestinations managedApps `
    -allowedOutboundClipboardSharingLevel managedAppsWithPasteIn `
    -organizationalCredentialsRequired $false `
    -dataBackupBlocked $true `
    -managedBrowserToOpenLinksRequired $false `
    -deviceComplianceRequired $false `
    -saveAsBlocked $true `
    -periodOfflineBeforeWipeIsEnforced (New-TimeSpan -Days 30) `
    -pinRequired $true `
    -maximumPinRetries 5 `
    -simplePinBlocked $false `
    -minimumPinLength 4 `
    -pinCharacterSet numeric `
    -periodBeforePinReset (New-TimeSpan -Days 30) `
    -allowedDataStorageLocations @("oneDriveForBusiness","sharePoint") `
    -contactSyncBlocked $false `
    -printBlocked $true `
    -fingerprintBlocked $false `
    -disableAppPinIfDevicePinIsSet $false
```

The reason why yours was failing was that the entries for "-periodOnlineBeforeAccessCheck" require the input to be in a timespan format, so the sample above should help. Let us know if it doesn't work.

Dave
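The following is an added example, not code from the SDK or from anyone in this thread. It builds the same iOS policy from a splatted hashtable so that every duration is an explicit `[TimeSpan]` (the point Dave raises above), and runs a small baseline check over the security-relevant settings before the policy is created. Cmdlet and parameter names are the ones used in this thread; the baseline thresholds in `Test-AppProtectionBaseline` are assumptions chosen for illustration.

```powershell
# Added example (not from the SDK or this thread): build the policy parameters
# as a hashtable so each duration is an explicit [TimeSpan], validate the
# security-relevant settings, then create the policy by splatting.
# Baseline thresholds below are assumptions for illustration.

$policyParams = @{
    iosManagedAppProtection                 = $true
    displayName                             = 'iOS MAM / APP Policy'
    # New-TimeSpan makes the unit explicit: the string '00:12:00' would be 12 minutes, not 12 hours
    periodOfflineBeforeAccessCheck          = New-TimeSpan -Hours 12
    periodOnlineBeforeAccessCheck           = New-TimeSpan -Minutes 30
    periodOfflineBeforeWipeIsEnforced       = New-TimeSpan -Days 30
    periodBeforePinReset                    = New-TimeSpan -Days 30
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    organizationalCredentialsRequired       = $false
    dataBackupBlocked                       = $true
    managedBrowserToOpenLinksRequired       = $false
    deviceComplianceRequired                = $false
    saveAsBlocked                           = $true
    pinRequired                             = $true
    maximumPinRetries                       = 5
    simplePinBlocked                        = $false
    minimumPinLength                        = 4
    pinCharacterSet                         = 'numeric'
    allowedDataStorageLocations             = @('oneDriveForBusiness', 'sharePoint')
    contactSyncBlocked                      = $false
    printBlocked                            = $true
    fingerprintBlocked                      = $false
    disableAppPinIfDevicePinIsSet           = $false
}

function Test-AppProtectionBaseline {
    # Returns a list of baseline violations; an empty list means the policy may be created.
    param([hashtable]$Params)

    $problems = @()
    $durationParams = 'periodOfflineBeforeAccessCheck', 'periodOnlineBeforeAccessCheck',
                      'periodOfflineBeforeWipeIsEnforced', 'periodBeforePinReset'
    foreach ($name in $durationParams) {
        $value = $Params[$name]
        if ($null -eq $value -or $value -isnot [TimeSpan]) {
            $problems += "$name must be a [TimeSpan] (got '$value')"
        }
    }
    if (-not $Params.pinRequired)         { $problems += 'pinRequired should be $true' }
    if ($Params.minimumPinLength -lt 4)   { $problems += 'minimumPinLength should be at least 4' }
    if ($Params.maximumPinRetries -gt 10) { $problems += 'maximumPinRetries should be 10 or fewer' }
    if (-not $Params.dataBackupBlocked)   { $problems += 'dataBackupBlocked should be $true' }
    if ($Params.allowedOutboundDataTransferDestinations -eq 'allApps') {
        $problems += 'allowedOutboundDataTransferDestinations = allApps lets corporate data leave managed apps'
    }
    if ($Params.periodOfflineBeforeWipeIsEnforced -is [TimeSpan] -and
        $Params.periodOfflineBeforeWipeIsEnforced -gt (New-TimeSpan -Days 90)) {
        $problems += 'periodOfflineBeforeWipeIsEnforced should be 90 days or less'
    }
    return ,$problems
}

$violations = Test-AppProtectionBaseline -Params $policyParams
if ($violations.Count -gt 0) {
    $violations | ForEach-Object { Write-Warning $_ }
    throw 'Policy does not meet the baseline; not creating it.'
}

# Splatting passes the hashtable entries as named parameters, including the platform switch
$policy = New-DeviceAppManagement_ManagedAppPolicies @policyParams
Write-Host "Created policy '$($policy.displayName)' with id $($policy.id)"
```

Keeping the parameters in a hashtable also makes the policy easy to diff against a checked-in baseline, and the type check catches a string such as `'00:12:00'` being passed where twelve hours was intended.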
Hi @davefalkus,

Thanks for the quick reply and a sample. I will test it out tonight.

Danny
Hi @davefalkus,

I was able to create iOS and Android app protection policies using the sample you provided. Now I am trying to add target apps to app protection policies and having no luck after trying several syntaxes. I was able to get an output of IosManagedAppProtections_Apps:

```powershell
Get-DeviceAppManagement_IosManagedAppProtections_Apps -iosManagedAppProtectionId T_e9d815d5-0faa-4517-8700-16bc91912c72
```

(worked wonderfully)

Errors from commands:

```powershell
PS C:\> New-DeviceAppManagement_IosManagedAppProtections_Apps -iosManagedAppProtectionId T_e9d815d5-0faa-4517-8700-16bc91912c72 -ODataType iosMobileAppIdentifier -mobileAppIdentifier bundleId=wefwef
PS C:\> New-DeviceAppManagement_IosManagedAppProtections_Apps -iosManagedAppProtectionId T_e9d815d5-0faa-4517-8700-16bc91912c72 -ODataType iosMobileAppIdentifier -mobileAppIdentifier wefwef
PS C:\> New-DeviceAppManagement_ManagedAppPolicies_Apps -managedAppPolicyId T_e9d815d5-0faa-4517-8700-16bc91912c72 -managedAppPolicyODataType 'microsoft.graph.iosManagedAppProtection' -ODataType iosMobileAppIdentifier -mobileAppIdentifier 'bundleId=wefwef'
PS C:\> New-DeviceAppManagement_ManagedAppPolicies_Apps -managedAppPolicyId 'TestIosAppPolicy' -managedAppPolicyODataType 'microsoft.graph.iosManagedAppProtection' -ODataType iosMobileAppIde
PS C:\> Get-DeviceAppManagement_IosManagedAppProtections_Assignments -iosManagedAppProtectionId T_af49a5a1-647a-4e80-809e-babe4bce97ac -iosManagedAppProtectionODataType "microsoft.graph.iosManagedAppProtection"
PS C:\> Get-DeviceAppManagement_IosManagedAppProtections_Assignments -iosManagedAppProtectionId T_af49a5a1-647a-4e80-809e-babe4bce97ac -iosManagedAppProtectionODataType "microsoft.graph.iosManagedAppProtection"
```

Any help is appreciated. What I would like to see is some examples for the command when using `Get-Help -Examples`, as well as clear information when using `-Full` or `-Detailed`.

Danny
1. Get some managed apps

This should give you all of the apps that you are allowed to target (since you can only target managed apps):

```powershell
$apps = Get-DeviceAppManagement_MobileApps | Where-Object { $_.'@odata.type' -like '#microsoft.graph.managed*' }
```

You can use this list of apps as-is if you want to apply the policy to all managed apps; otherwise you can filter this down further.

2. Get the app identifiers for these apps

For iOS apps, this would be the "bundleId":

```powershell
$appIdentifiers = $apps | ForEach-Object {
    if (-not [string]::IsNullOrEmpty($_.bundleId)) {
        New-ManagedMobileAppObject -mobileAppIdentifier (New-MobileAppIdentifierObject -iosMobileAppIdentifier -bundleId $_.bundleId)
    }
}
```

For Android apps, this is the "packageId":

```powershell
$appIdentifiers = $apps | ForEach-Object {
    if (-not [string]::IsNullOrEmpty($_.packageId)) {
        New-ManagedMobileAppObject -mobileAppIdentifier (New-MobileAppIdentifierObject -androidMobileAppIdentifier -packageId $_.packageId)
    }
}
```

3. Get a reference to the policy object

To do this, you can store the result of the cmdlet that you used to create the policy:

```powershell
# The platform switch below (iOS/Android) MUST match the type of apps retrieved in step 2.
# (The comment is on its own line: a comment after the backtick would end the line continuation.)
$policy = New-DeviceAppManagement_ManagedAppPolicies `
    -iosManagedAppProtection `
    -displayName "iOS MAM / APP Policy" `
    -periodOfflineBeforeAccessCheck (New-TimeSpan -Hours 12) `
    -periodOnlineBeforeAccessCheck (New-TimeSpan -Minutes 30) `
    -allowedInboundDataTransferSources managedApps `
    -allowedOutboundDataTransferDestinations managedApps `
    -allowedOutboundClipboardSharingLevel managedAppsWithPasteIn `
    -organizationalCredentialsRequired $false `
    -dataBackupBlocked $true `
    -managedBrowserToOpenLinksRequired $false `
    -deviceComplianceRequired $false `
    -saveAsBlocked $true `
    -periodOfflineBeforeWipeIsEnforced (New-TimeSpan -Days 30) `
    -pinRequired $true `
    -maximumPinRetries 5 `
    -simplePinBlocked $false `
    -minimumPinLength 4 `
    -pinCharacterSet numeric `
    -periodBeforePinReset (New-TimeSpan -Days 30) `
    -allowedDataStorageLocations @("oneDriveForBusiness","sharePoint") `
    -contactSyncBlocked $false `
    -printBlocked $true `
    -fingerprintBlocked $false `
    -disableAppPinIfDevicePinIsSet $false
```

Or if you've already created the policy, you can get it like this:

```powershell
$policy = Get-DeviceAppManagement_IosManagedAppProtections -iosManagedAppProtectionId '<policy ID goes here>'
```

NOTE: Make sure that the type of policy (iOS/Android) matches the platform of the apps being targeted.

4. Target the policy to the apps

Let's say that you put the policy object in a variable called `$policy`:

```powershell
Invoke-DeviceAppManagement_ManagedAppPolicies_TargetApps -managedAppPolicyId $policy.id -apps $appIdentifiers
```

Thanks for the feedback about documentation. It is quite difficult to add specific, meaningful examples to the Get-Help documentation itself because the whole module (including documentation) is automatically generated. However, we can definitely add this to the Wiki in this GitHub repo. Also, if this is a common scenario for you, please do let us know. We are working on building up a library of "Scenario Modules" that will simplify common use cases. The scenario modules can be found here: https://github.com/Microsoft/Intune-PowerShell-Management.
Hi @rohitramu,

Thanks for the pointers. I was able to develop commands to automate app protection policy for iOS.

I am running into some difficulties:

Error return code:

Can you provide any tips/pointers on my two hurdles? Thanks

Danny
Your first command is actually getting the full list of iOS app protection policies instead of just the one you want. Please ensure you provide the policy ID if you want to get a particular policy. Also, from what I can tell, the only way to get the assignments for an app protection policy in Graph v1.0 is by making a "$expand" call:

```powershell
$iosAppPrtPol = Get-DeviceAppManagement_IosManagedAppProtections `
    -iosManagedAppProtectionId 'T_62a17798-f812-488b-92f7-0ffc18d93652' `
    -Expand assignments
$iosAppPrtPolAssignments = $iosAppPrtPol.assignments
```

In terms of creating a security group assignment for an app protection policy, I'm still investigating how to do that. I'll reply here once I have more information.

For creating the iOS store app, you need to provide the

```powershell
$app = New-DeviceAppManagement_MobileApps `
    -iosStoreApp `
    -displayName 'Adobe Acrobat Reader' `
    -publisher 'Adobe' `
    -bundleId 'com.adobe.Adobe-Reader' `
    -appStoreUrl 'https://itunes.apple.com/us/app/adobe-acrobat-reader/id469337564' `
    -applicableDeviceType (New-IosDeviceTypeObject -iPad $true -iPhoneAndIPod $true) `
    -minimumSupportedOperatingSystem (New-IosMinimumOperatingSystemObject -v8_0 $true)
```
Thanks for your information. I was able to add apps for iOS and Built-in Android. Just want to know if there is a cmdlet to add apps from Android Enterprise (Managed Google Play store). I will watch for your update on creating a security group assignment for an app protection policy. Will the next update include creation of a Conditional Access policy cmdlet? Thank you for your help.
Hey Danny,

I have uploaded an updated release (please download it from the "Releases" tab in this repository). It includes the cmdlet for assigning an app protection policy to a group. Using the updated release, your commands would look something like this:

```powershell
# 1) Create the policy
# The platform switch below (iOS/Android) MUST match the type of apps retrieved in step 2.
# (Kept on its own line: a comment after the backtick would end the line continuation.)
$policy = New-DeviceAppManagement_ManagedAppPolicies `
    -iosManagedAppProtection `
    -displayName "iOS MAM / APP Policy" `
    -periodOfflineBeforeAccessCheck (New-TimeSpan -Hours 12) `
    -periodOnlineBeforeAccessCheck (New-TimeSpan -Minutes 30) `
    -allowedInboundDataTransferSources managedApps `
    -allowedOutboundDataTransferDestinations managedApps `
    -allowedOutboundClipboardSharingLevel managedAppsWithPasteIn `
    -organizationalCredentialsRequired $false `
    -dataBackupBlocked $true `
    -managedBrowserToOpenLinksRequired $false `
    -deviceComplianceRequired $false `
    -saveAsBlocked $true `
    -periodOfflineBeforeWipeIsEnforced (New-TimeSpan -Days 30) `
    -pinRequired $true `
    -maximumPinRetries 5 `
    -simplePinBlocked $false `
    -minimumPinLength 4 `
    -pinCharacterSet numeric `
    -periodBeforePinReset (New-TimeSpan -Days 30) `
    -allowedDataStorageLocations @("oneDriveForBusiness","sharePoint") `
    -contactSyncBlocked $false `
    -printBlocked $true `
    -fingerprintBlocked $false `
    -disableAppPinIfDevicePinIsSet $false

# 2) Get managed iOS apps and create "managedMobileApp" PowerShell objects which contain a mobileAppIdentifier
$iOSapps = Get-DeviceAppManagement_MobileApps | Where-Object { $_.'@odata.type' -like '#microsoft.graph.managed*' }
$managedAppObjects = $iOSapps | ForEach-Object {
    if (-not [string]::IsNullOrEmpty($_.bundleId)) {
        New-ManagedMobileAppObject -mobileAppIdentifier (New-MobileAppIdentifierObject -iosMobileAppIdentifier -bundleId $_.bundleId)
    }
}

# 3) Target the app protection policy to the apps
Invoke-DeviceAppManagement_IosManagedAppProtections_TargetApps -iosManagedAppProtectionId $policy.id -apps $managedAppObjects

# 4) Assign the app protection policy to some groups
$groups = Get-Groups # Filter this list of groups as you'd like

# Build one assignment object per group (inside ForEach-Object the current group is $_),
# then assign the whole list in a single call
$assignments = @($groups | ForEach-Object {
    New-TargetedManagedAppPolicyAssignmentObject `
        -target (New-DeviceAndAppManagementAssignmentTargetObject -groupAssignmentTarget -groupId $_.id)
})
Invoke-DeviceAppManagement_IosManagedAppProtections_Assign -iosManagedAppProtectionId $policy.id -assignments $assignments
```

Regarding Conditional Access and Android Enterprise, I will have to investigate which APIs to use. Could you please open separate issues for each of those so we can keep the discussion on topic?

Let me know if you were able to get everything working with iosAppProtectionPolicies, and I can go ahead and close this issue.

Kind regards,
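The following is an added example, not code from the SDK or from anyone in this thread. It closes the loop on the script above and on the earlier "$expand" reply: once a policy has been targeted to apps and assigned to groups, it reads the policy back with `-Expand assignments`, lists the targeted apps, and flags policies that exist but protect nothing (no targeted apps, or no group assignment). Cmdlet names are the ones used in this thread; that `-Expand` also works on the list call without `-iosManagedAppProtectionId`, and the `target.groupId` property path on an assignment, are assumptions.

```powershell
# Added example (not from the SDK or this thread): post-deployment check of iOS
# app protection policies. Uses the cmdlets shown in this thread; the report
# shape and the 'target.groupId' property path are assumptions.

function Get-IosAppProtectionReport {
    param(
        [string]$PolicyId   # omit to audit every iOS app protection policy
    )

    # Expanding assignments is the only way this thread found to read them back in Graph v1.0
    $policies = if ($PolicyId) {
        Get-DeviceAppManagement_IosManagedAppProtections -iosManagedAppProtectionId $PolicyId -Expand assignments
    } else {
        Get-DeviceAppManagement_IosManagedAppProtections -Expand assignments
    }

    foreach ($p in $policies) {
        # Apps the policy is targeted to, and the groups it is assigned to
        $apps   = @(Get-DeviceAppManagement_IosManagedAppProtections_Apps -iosManagedAppProtectionId $p.id)
        $groups = @($p.assignments | ForEach-Object { $_.target.groupId } | Where-Object { $_ })

        # A policy with no apps or no assignment is configured but has no effect
        $finding = if ($apps.Count -eq 0)       { 'No targeted apps: the policy protects nothing' }
                   elseif ($groups.Count -eq 0) { 'No group assignment: the policy applies to no one' }
                   elseif (-not $p.pinRequired) { 'PIN not required' }
                   else                         { 'OK' }

        [pscustomobject]@{
            PolicyId       = $p.id
            DisplayName    = $p.displayName
            TargetedApps   = @($apps | ForEach-Object { $_.mobileAppIdentifier.bundleId })
            AssignedGroups = $groups
            Finding        = $finding
        }
    }
}

# Audit all iOS policies and show only the ones that need attention
Get-IosAppProtectionReport | Where-Object { $_.Finding -ne 'OK' } | Format-Table -AutoSize
```

Running this right after the four-step script above confirms that `$policy.id` now carries the expected bundle IDs and group IDs; running it on a schedule catches policies that were later edited or left unassigned.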
Hi @rohitramu,

Thank you for your help. I am able to create a whole script that will do what I want to do. I will open a new issue for CA and Android Enterprise.

Thanks Danny!
Trying to create a test iOS app protection policy using New-DeviceAppManagement_IosManagedAppProtections but keep on receiving Bad Request 400 after connecting to MS Graph. I am using a demo tenant for this testing.

I use the below command and its parameters:

```powershell
New-DeviceAppManagement_IosManagedAppProtections `
    -ODataType microsoft.graph.iosManagedAppProtection `
    -displayName TestIosAppPolicy `
    -periodOfflineBeforeAccessCheck 00:12:00 `
    -periodOnlineBeforeAccessCheck 00:00:30 `
    -allowedInboundDataTransferSources allApps `
    -allowedOutboundDataTransferDestinations managedApps `
    -organizationalCredentialsRequired $false `
    -allowedOutboundClipboardSharingLevel managedAppsWithPasteIn `
    -dataBackupBlocked $true `
    -deviceComplianceRequired $true `
    -managedBrowserToOpenLinksRequired $true `
    -saveAsBlocked $true `
    -periodOfflineBeforeWipeIsEnforced 90:00:00 `
    -pinRequired $true `
    -maximumPinRetries 5 `
    -simplePinBlocked $false `
    -minimumPinLength 4 `
    -pinCharacterSet alphanumericAndSymbol `
    -periodBeforePinReset 00:00:00 `
    -allowedDataStorageLocations oneDriveForBusiness,sharePoint,localStorage `
    -contactSyncBlocked $false `
    -printBlocked $true `
    -fingerprintBlocked $false `
    -disableAppPinIfDevicePinIsSet $false `
    -appDataEncryptionType whenDeviceLocked `
    -faceIdBlocked $false
```

Not sure what I am missing. Appreciate your help with this.

Thanks
Danny