From 170e2f45eccbf4ba6a4b4126e043067d70a6a1d6 Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Thu, 7 Nov 2024 10:12:49 +0100 Subject: [PATCH] Add Intune Antivirus Exclusions Policy for MacOS --- CHANGELOG.md | 6 +- ..._IntuneAntivirusExclusionsPolicyMacOS.psm1 | 657 ++++++++++++++++++ ...eAntivirusExclusionsPolicyMacOS.schema.mof | 39 ++ .../readme.md | 6 + .../settings.json | 45 ++ .../MSFT_IntuneAntivirusPolicyLinux.psm1 | 14 +- .../MSFT_IntuneAntivirusPolicyLinux/readme.md | 2 +- .../1-Create.ps1 | 47 ++ .../2-Update.ps1 | 47 ++ .../3-Remove.ps1 | 34 + .../M365DSCResourceGenerator.psm1 | 1 + ...neAntivirusExclusionsPolicyMacOS.Tests.ps1 | 404 +++++++++++ 12 files changed, 1293 insertions(+), 9 deletions(-) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/3-Remove.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusExclusionsPolicyMacOS.Tests.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 6845ab5c9e..9ed55341fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* IntuneAntivirusExclusionsPolicyMacOS + * Initial release. + # 1.24.1106.3 * AzureBillingAccountScheduledAction 
@@ -19,7 +24,6 @@ * MISC * Fixed issues with API Url's parsing. - # 1.24.1106.1 * AADAccessReviewDefinition diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.psm1 new file mode 100644 index 0000000000..8875f95e1d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.psm1 
@@ -0,0 +1,657 @@
+function Get-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Exclusions,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ try
+ {
+ $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $nullResult = $PSBoundParameters
+ $nullResult.Ensure = 'Absent'
+
+ $getValue = $null
+ #region resource generator code
+ $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue
+
+ if ($null -eq $getValue)
+ {
+ Write-Verbose -Message "Could not find an Intune Antivirus Exclusions Policy for macOS with Id {$Id}"
+
+ if (-not [System.String]::IsNullOrEmpty($DisplayName))
+ {
+ $getValue = Get-MgBetaDeviceManagementConfigurationPolicy `
+ -Filter "Name eq '$DisplayName'" `
+ -All `
+ -ErrorAction SilentlyContinue
+ }
+ }
+ #endregion
+ if ($null -eq $getValue)
+ {
+ Write-Verbose -Message "Could not find an Intune Antivirus Exclusions Policy for macOS with Name {$DisplayName}."
+ return $nullResult
+ }
+ $Id = $getValue.Id
+ Write-Verbose -Message "An Intune Antivirus Exclusions Policy for macOS with Id {$Id} and Name {$DisplayName} was found"
+
+ # Retrieve policy specific settings
+ [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting `
+ -DeviceManagementConfigurationPolicyId $Id `
+ -ExpandProperty 'settingDefinitions' `
+ -All `
+ -ErrorAction Stop
+
+ $policySettings = @{}
+ $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings
+
+ #region resource generator code
+ $complexExclusions = @()
+ foreach ($currentExclusions in $policySettings.exclusions)
+ {
+ $myExclusions = @{}
+ if ($null -ne $currentExclusions.exclusions_item_type)
+ {
+ $myExclusions.Add('Exclusions_item_type', $currentExclusions.exclusions_item_type)
+ }
+ if ($null -ne $currentExclusions.exclusions_item_extension)
+ {
+ $myExclusions.Add('Exclusions_item_extension', $currentExclusions.exclusions_item_extension)
+ }
+ if ($null -ne $currentExclusions.exclusions_item_isDirectory)
+ {
+ $myExclusions.Add('Exclusions_item_isDirectory', $currentExclusions.exclusions_item_isDirectory)
+ }
+ if ($null -ne $currentExclusions.exclusions_item_name)
+ {
+ $myExclusions.Add('Exclusions_item_name', $currentExclusions.exclusions_item_name)
+ }
+ if ($null -ne $currentExclusions.exclusions_item_path)
+ {
+ $myExclusions.Add('Exclusions_item_path', $currentExclusions.exclusions_item_path)
+ }
+ if ($myExclusions.values.Where({$null -ne $_}).Count -gt 0)
+ {
+ $complexExclusions += $myExclusions
+ }
+ }
+ $policySettings.Remove('exclusions') | Out-Null
+ #endregion
+
+ $results = @{
+ #region resource generator code
+ Description = $getValue.Description
+ DisplayName = $getValue.Name
+ RoleScopeTagIds = $getValue.RoleScopeTagIds
+ Id = $getValue.Id
+ Exclusions = $complexExclusions
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ #endregion
+ }
+ $results += $policySettings
+
+ $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id
+ $assignmentResult = @()
+ if ($assignmentsValues.Count -gt 0)
+ {
+ $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true
+ }
+ $results.Add('Assignments', $assignmentResult)
+
+ return [System.Collections.Hashtable] $results
+ }
+ catch
+ {
+ New-M365DSCLogEntry -Message 'Error retrieving data:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return $nullResult
+ }
+}
+
+function Set-TargetResource
+{
+ [CmdletBinding()]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Exclusions,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $currentInstance = Get-TargetResource @PSBoundParameters
+
+ $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
+
+ $templateReferenceId = '43397174-2244-4006-b5ad-421b369e90d4_1'
+ $platforms = 'macOS'
+ $technologies = 'mdm,appleRemoteManagement,microsoftSense'
+
+ if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
+ {
+ Write-Verbose -Message "Creating an Intune Antivirus Exclusions Policy for macOS with Name {$DisplayName}"
+ $BoundParameters.Remove("Assignments") | Out-Null
+
+ $settings = Get-IntuneSettingCatalogPolicySetting `
+ -DSCParams ([System.Collections.Hashtable]$BoundParameters) `
+ -TemplateId $templateReferenceId
+
+ $createParameters = @{
+ Name = $DisplayName
+ Description = $Description
+ TemplateReference = @{ templateId = $templateReferenceId }
+ Platforms = $platforms
+ Technologies = $technologies
+ Settings = $settings
+ }
+
+ #region resource generator code
+ $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters
+
+ if ($policy.Id)
+ {
+ $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments
+ Update-DeviceConfigurationPolicyAssignment `
+ -DeviceConfigurationPolicyId $policy.Id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/configurationPolicies'
+ }
+ #endregion
+ }
+ elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Updating the Intune Antivirus Exclusions Policy for macOS with Id {$($currentInstance.Id)}"
+ $BoundParameters.Remove("Assignments") | Out-Null
+
+ $settings = Get-IntuneSettingCatalogPolicySetting `
+ -DSCParams ([System.Collections.Hashtable]$BoundParameters) `
+ -TemplateId $templateReferenceId
+
+ Update-IntuneDeviceConfigurationPolicy `
+ -DeviceConfigurationPolicyId $currentInstance.Id `
+ -Name $DisplayName `
+ -Description $Description `
+ -TemplateReferenceId $templateReferenceId `
+ -Platforms $platforms `
+ -Technologies $technologies `
+ -Settings $settings
+
+ #region resource generator code
+ $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments
+ Update-DeviceConfigurationPolicyAssignment `
+ -DeviceConfigurationPolicyId $currentInstance.Id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/configurationPolicies'
+ #endregion
+ }
+ elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Removing the Intune Antivirus Exclusions Policy for macOS with Id {$($currentInstance.Id)}"
+ #region resource generator code
+ Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id
+ #endregion
+ }
+}
+
+function Test-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Exclusions,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ Write-Verbose -Message "Testing configuration of the Intune Antivirus Exclusions Policy for macOS with Id {$Id} and Name {$DisplayName}"
+
+ $CurrentValues = Get-TargetResource @PSBoundParameters
+ [Hashtable]$ValuesToCheck = @{}
+ $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object {
+ if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction'))
+ {
+ if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key])
+ {
+ $ValuesToCheck.Add($_.Key, $null)
+ if (-not $PSBoundParameters.ContainsKey($_.Key))
+ {
+ $PSBoundParameters.Add($_.Key, $null)
+ }
+ }
+ }
+ }
+
+ if ($CurrentValues.Ensure -ne $Ensure)
+ {
+ Write-Verbose -Message "Test-TargetResource returned $false"
+ return $false
+ }
+ $testResult = $true
+
+ #Compare Cim instances
+ foreach ($key in $PSBoundParameters.Keys)
+ {
+ $source = $PSBoundParameters.$key
+ $target = $CurrentValues.$key
+ if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
+ {
+ $testResult = Compare-M365DSCComplexObject `
+ -Source ($source) `
+ -Target ($target)
+
+ if (-not $testResult)
+ {
+ break
+ }
+
+ $ValuesToCheck.Remove($key) | Out-Null
+ }
+ }
+
+ $ValuesToCheck.Remove('Id') | Out-Null
+ $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck
+
+ Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+ Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
+
+ if ($testResult)
+ {
+ $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -DesiredValues $PSBoundParameters `
+ -ValuesToCheck $ValuesToCheck.Keys
+ }
+
+ Write-Verbose -Message "Test-TargetResource returned $testResult"
+
+ return $testResult
+}
+
+function Export-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.String])]
+ param
+ (
+ [Parameter()]
+ [System.String]
+ $Filter,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ try
+ {
+ #region resource generator code
+ $policyTemplateID = "43397174-2244-4006-b5ad-421b369e90d4_1"
+ [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy `
+ -Filter $Filter `
+ -All `
+ -ErrorAction Stop | Where-Object `
+ -FilterScript {
+ $_.TemplateReference.TemplateId -eq $policyTemplateID
+ }
+ #endregion
+
+ $i = 1
+ $dscContent = ''
+ if ($getValue.Length -eq 0)
+ {
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ else
+ {
+ Write-Host "`r`n" -NoNewline
+ }
+ foreach ($config in $getValue)
+ {
+ $displayedKey = $config.Id
+ if (-not [String]::IsNullOrEmpty($config.displayName))
+ {
+ $displayedKey = $config.displayName
+ }
+ elseif (-not [string]::IsNullOrEmpty($config.name))
+ {
+ $displayedKey = $config.name
+ }
+ Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline
+ $params = @{
+ Id = $config.Id
+ DisplayName = $config.Name
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ AccessTokens = $AccessTokens
+ }
+
+ $Results = Get-TargetResource @Params
+ $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+ -Results $Results
+ if ($null -ne $Results.Exclusions)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
+ -ComplexObject $Results.Exclusions `
+ -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogExclusions'
+ if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
+ {
+ $Results.Exclusions = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('Exclusions') | Out-Null
+ }
+ }
+
+ if ($Results.Assignments)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments
+ if ($complexTypeStringResult)
+ {
+ $Results.Assignments = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('Assignments') | Out-Null
+ }
+ }
+
+ $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+ -ConnectionMode $ConnectionMode `
+ -ModulePath $PSScriptRoot `
+ -Results $Results `
+ -Credential $Credential
+ if ($Results.Exclusions)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Exclusions" -IsCIMArray:$True
+ }
+
+ if ($Results.Assignments)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true
+ }
+
+ $dscContent += $currentDSCBlock
+ Save-M365DSCPartialExport -Content $currentDSCBlock `
+ -FileName $Global:PartialExportFileName
+ $i++
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ return $dscContent
+ }
+ catch
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.schema.mof
new file mode 100644
index 0000000000..61692545e8
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.schema.mof
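Review bot: The display-name fallback in Get-TargetResource, `-Filter "Name eq '$DisplayName'"` with `-All`, is not limited to this resource's template, so a configuration policy of any other type that shares the name is returned as the current instance. Set-TargetResource then passes `$currentInstance.Id` to Update-IntuneDeviceConfigurationPolicy or Remove-MgBetaDeviceManagementConfigurationPolicy, which means an unrelated policy can be overwritten with exclusion settings or deleted; several matches also leave `$getValue.Id` holding more than one value. Export-TargetResource already narrows its results with `Where-Object { $_.TemplateReference.TemplateId -eq $policyTemplateID }`, and the same filter belongs on this lookup, together with a failure when more than one policy remains. A name containing an apostrophe also breaks the filter string; doubling it first, `$DisplayName -replace "'", "''"`, avoids that.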
@@ -0,0 +1,39 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_DeviceManagementConfigurationPolicyAssignments
+{
+ [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType;
+ [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType;
+ [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId;
+ [Write, Description("The group Id that is the target of the assignment.")] String groupId;
+ [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName;
+ [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions
+{
+ [Write, Description("Type - Depends on exclusions (0: Path, 1: File extension, 2: Process name)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String exclusions_item_type;
+ [Write, Description("File extension - Depends on exclusions_item_type=1")] String exclusions_item_extension;
+ [Write, Description("File name - exclusions_item_type=2")] String exclusions_item_name;
+ [Write, Description("Path - exclusions_item_type=0")] String exclusions_item_path;
+ [Write, Description("Is directory (false: Disabled, true: Enabled) - Depends on exclusions_item_type=0"), ValueMap{"false", "true"}, Values{"false", "true"}] String exclusions_item_isDirectory;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneAntivirusExclusionsPolicyMacOS")]
+class MSFT_IntuneAntivirusExclusionsPolicyMacOS : OMI_BaseResource
+{
+ [Write, Description("Policy description")] String Description;
+ [Key, Description("Policy name")] String DisplayName;
+ [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[];
+ [Write, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("Scan exclusions"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogexclusions")] String Exclusions[];
+ [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
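Review bot: The `Exclusions` property names its embedded class as `MSFT_MicrosoftGraphIntuneSettingsCatalogexclusions`, with a lower-case `e`, while the class is declared as `MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions` and Export-TargetResource passes `MicrosoftGraphIntuneSettingsCatalogExclusions` as the CIM instance name. CIM class names are normally matched without regard to case, so this probably still resolves, but the spelling should follow the declaration: `EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions")`. The description of `exclusions_item_name` also says "File name" although type 2 is listed as "Process name"; `Description("Process name - Depends on exclusions_item_type=2")` would agree with the type list.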
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/readme.md
new file mode 100644
index 0000000000..3cc0102f6b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneAntivirusExclusionsPolicyMacOS
+
+## Description
+
+Intune Antivirus Exclusions Policy for macOS
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/settings.json
new file mode 100644
index 0000000000..d32d971b67
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/settings.json
@@ -0,0 +1,45 @@
+{
+ "resourceName": "IntuneAntivirusExclusionsPolicyMacOS",
+ "description": "This resource configures an Intune Antivirus Exclusions Policy for macOS.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ },
+ {
+ "name": "Group.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ },
+ {
+ "name": "Group.Read.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ },
+ {
+ "name": "Group.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ },
+ {
+ "name": "Group.Read.All"
+ }
+ ]
+ }
+ }
+}
+
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.psm1
index 3dd9f006c1..72565b2ca6 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.psm1 @@ -201,7 +201,7 @@ function Get-TargetResource if ($null -eq $getValue) { - Write-Verbose -Message "Could not find an Intune Antivirus Policy Linux with Id {$Id}" + Write-Verbose -Message "Could not find an Intune Antivirus Policy for Linux with Id {$Id}" if (-not [System.String]::IsNullOrEmpty($DisplayName)) { @@ -213,11 +213,11 @@ function Get-TargetResource #endregion if ($null -eq $getValue) { - Write-Verbose -Message "Could not find an Intune Antivirus Policy Linux with Name {$DisplayName}." + Write-Verbose -Message "Could not find an Intune Antivirus Policy for Linux with Name {$DisplayName}." return $nullResult } $Id = $getValue.Id - Write-Verbose -Message "An Intune Antivirus Policy Linux with Id {$Id} and Name {$DisplayName} was found" + Write-Verbose -Message "An Intune Antivirus Policy for Linux with Id {$Id} and Name {$DisplayName} was found" # Retrieve policy specific settings [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` @@ -526,7 +526,7 @@ function Set-TargetResource if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - Write-Verbose -Message "Creating an Intune Antivirus Policy Linux with Name {$DisplayName}" + Write-Verbose -Message "Creating an Intune Antivirus Policy for Linux with Name {$DisplayName}" $BoundParameters.Remove("Assignments") | Out-Null $settings = Get-IntuneSettingCatalogPolicySetting ` @@ -557,7 +557,7 @@ function Set-TargetResource } elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Updating the Intune Antivirus Policy Linux with Id {$($currentInstance.Id)}" + Write-Verbose -Message "Updating the Intune Antivirus Policy for Linux with Id {$($currentInstance.Id)}" $BoundParameters.Remove("Assignments") | Out-Null $settings = Get-IntuneSettingCatalogPolicySetting ` 
@@ -583,7 +583,7 @@ function Set-TargetResource } elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Removing the Intune Antivirus Policy Linux with Id {$($currentInstance.Id)}" + Write-Verbose -Message "Removing the Intune Antivirus Policy for Linux with Id {$($currentInstance.Id)}" #region resource generator code Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id #endregion @@ -779,7 +779,7 @@ function Test-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - Write-Verbose -Message "Testing configuration of the Intune Antivirus Policy Linux with Id {$Id} and Name {$DisplayName}" + Write-Verbose -Message "Testing configuration of the Intune Antivirus Policy for Linux with Id {$Id} and Name {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters [Hashtable]$ValuesToCheck = @{} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/readme.md index d8060ea61a..eb17dbff4f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/readme.md @@ -3,4 +3,4 @@ ## Description -Intune Antivirus Policy Linux +Intune Antivirus Policy for Linux diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/1-Create.ps1 new file mode 100644 index 0000000000..8d1e5f3825 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/1-Create.ps1 
@@ -0,0 +1,47 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAntivirusExclusionsPolicyMacOS 'myIntuneAntivirusExclusionsPolicyMacOS'
+ {
+ Assignments = @();
+ Description = "";
+ DisplayName = "Test";
+ Ensure = "Present";
+ Exclusions = @(
+ MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{
+ Exclusions_item_extension = '.dmg'
+ Exclusions_item_type = '1'
+ }
+ MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{
+ Exclusions_item_name = 'process1'
+ Exclusions_item_type = '2'
+ }
+ );
+ RoleScopeTagIds = @("0");
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
\ No newline at end of file
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/2-Update.ps1
new file mode 100644
index 0000000000..4fc62dc9b7
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/2-Update.ps1
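Review bot: The sample policy excludes the `.dmg` extension from scanning, and example configurations tend to be copied into real tenants even though the header says this is not a production baseline. Disk images are a usual way of delivering software to macOS, so an extension-wide exclusion for them removes scanning from exactly the files an administrator would want inspected. A neutral placeholder with a caution would be safer, for instance `Exclusions_item_extension = '.example' # placeholder; each exclusion removes matching files from antivirus scanning`.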
@@ -0,0 +1,47 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAntivirusExclusionsPolicyMacOS 'myIntuneAntivirusExclusionsPolicyMacOS'
+ {
+ Assignments = @();
+ Description = "";
+ DisplayName = "Test";
+ Ensure = "Present";
+ Exclusions = @(
+ MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{
+ Exclusions_item_extension = '.xcode' # Updated property
+ Exclusions_item_type = '1'
+ }
+ MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{
+ Exclusions_item_name = 'process1'
+ Exclusions_item_type = '2'
+ }
+ );
+ RoleScopeTagIds = @("0");
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
\ No newline at end of file
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/3-Remove.ps1
new file mode 100644
index 0000000000..d89bdb52e9
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/3-Remove.ps1
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAntivirusExclusionsPolicyMacOS 'myIntuneAntivirusPolicyMacOS'
+ {
+ DisplayName = 'test'
+ Ensure = 'Absent'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/ResourceGenerator/M365DSCResourceGenerator.psm1 b/ResourceGenerator/M365DSCResourceGenerator.psm1
index 085b2decca..546378e4ee 100644
--- a/ResourceGenerator/M365DSCResourceGenerator.psm1
+++ b/ResourceGenerator/M365DSCResourceGenerator.psm1
@@ -497,6 +497,7 @@ $($userDefinitionSettings.MOF -join "`r`n")
 'Mac O S' = 'for macOS'
 'I O S' = 'for iOS'
 'A A D' = 'Azure AD'
+ 'Linux' = 'for Linux'
 }
 $resourceDescription = ($ResourceName -split '_')[0] -creplace '(?<=\w)([A-Z])', ' $1'
 foreach ($platform in $platforms.keys)
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusExclusionsPolicyMacOS.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusExclusionsPolicyMacOS.Tests.ps1
new file mode 100644
index 0000000000..2abd4aed6e
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusExclusionsPolicyMacOS.Tests.ps1
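Review bot: The Remove example names the resource instance `'myIntuneAntivirusPolicyMacOS'` and targets `DisplayName = 'test'`, while the Create and Update examples in this patch use `'myIntuneAntivirusExclusionsPolicyMacOS'` and `DisplayName = "Test"`. If the three examples are meant to run as a sequence, the Remove step should use the same identifiers: `IntuneAntivirusExclusionsPolicyMacOS 'myIntuneAntivirusExclusionsPolicyMacOS'` and `DisplayName = 'Test'`. Whether the lookup by display name is case-sensitive is decided in the resource module, which is outside this hunk, so matching the casing avoids depending on it.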
@@ -0,0 +1,404 @@
+[CmdletBinding()]
+param(
+)
+$M365DSCTestFolder = Join-Path -Path $PSScriptRoot `
+ -ChildPath '..\..\Unit' `
+ -Resolve
+$CmdletModule = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Microsoft365.psm1' `
+ -Resolve)
+$GenericStubPath = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Generic.psm1' `
+ -Resolve)
+Import-Module -Name (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\UnitTestHelper.psm1' `
+ -Resolve)
+
+$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule `
+ -DscResource "IntuneAntivirusExclusionsPolicyMacOS" -GenericStubModule $GenericStubPath
+Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
+ InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock {
+ Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope
+ BeforeAll {
+
+ $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force
+ $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd)
+
+ Mock -CommandName Confirm-M365DSCDependencies -MockWith {
+ }
+
+ Mock -CommandName Get-PSSession -MockWith {
+ }
+
+ Mock -CommandName Remove-PSSession -MockWith {
+ }
+
+ Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith {
+ }
+
+ Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith {
+ return @{
+ Id = '12345-12345-12345-12345-12345'
+ }
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith {
+ return @{
+ Id = '12345-12345-12345-12345-12345'
+ Description = 'My Test'
+ Name = 'My Test'
+ RoleScopeTagIds = @("FakeStringValue")
+ TemplateReference = @{
+ TemplateId = '43397174-2244-4006-b5ad-421b369e90d4_1'
+ }
+ }
+ }
+
+ Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith {
+ }
+
+ Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith {
+ }
+
+ Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith {
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith {
+ return @(
+ @{
+ Id = 0
+ SettingDefinitions = @(
+ @{
+ Id = 'com.apple.managedclient.preferences_exclusions'
+ Name = 'exclusions'
+ OffsetUri = 'exclusions'
+ AdditionalProperties = @{
+ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition'
+ maximumCount = 600
+ minimumCount = 0
+ childIds = @(
+ 'com.apple.managedclient.preferences_exclusions_item_$type',
+ 'com.apple.managedclient.preferences_exclusions_item_extension',
+ 'com.apple.managedclient.preferences_exclusions_item_name'
+ )
+ }
+ },
+ @{
+ Id = 'com.apple.managedclient.preferences_exclusions_item_$type'
+ Name = 'exclusions_item_$type'
+ OffsetUri = 'exclusions_item_$type'
+ AdditionalProperties = @{
+ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition'
+ options = @(
+ @{
+ itemId = 'com.apple.managedclient.preferences_exclusions_item_$type_1'
+ name = 'Path'
+ dependentOn = @(
+ @{
+ dependentOn = 'com.apple.managedclient.preferences_exclusions'
+ parentSettingId = 'com.apple.managedclient.preferences_exclusions'
+ }
+ )
+ }
+ )
+ }
+ },
+ @{
+ Id = 'com.apple.managedclient.preferences_exclusions_item_extension'
+ Name = 'exclusions_item_extension'
+ OffsetUri = 'exclusions/[{0}]/extension'
+ AdditionalProperties = @{
+ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition'
+ dependentOn = @(
+ @{
+ dependentOn = 'com.apple.managedclient.preferences_exclusions_item_$type_1'
+ parentSettingId = 'com.apple.managedclient.preferences_exclusions_item_$type'
+ }
+ )
+ }
+ },
+ @{
+ Id = 'com.apple.managedclient.preferences_exclusions_item_name'
+ Name = 'exclusions_item_name'
+ OffsetUri = 'exclusions/[{0}]/name'
+ AdditionalProperties = @{
+ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition'
+ dependentOn = @(
+ @{
+ dependentOn = 'com.apple.managedclient.preferences_exclusions_item_$type_2'
+ parentSettingId = 'com.apple.managedclient.preferences_exclusions_item_$type'
+ }
+ )
+ }
+ }
+ )
+ SettingInstance = @{
+ SettingDefinitionId = 'com.apple.managedclient.preferences_exclusions'
+ SettingInstanceTemplateReference = @{
+ SettingInstanceTemplateId = 'e2d557ab-357e-4727-978e-0d655facbb23'
+ }
+ AdditionalProperties = @{
+ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance'
+ groupSettingCollectionValue = @(
+ @{
+ children = @(
+ @{
+ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
+ settingDefinitionId = 'com.apple.managedclient.preferences_exclusions_item_$type'
+ choiceSettingValue = @{
+ children = @(
+ @{
+ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance'
+ settingDefinitionId = 'com.apple.managedclient.preferences_exclusions_item_extension'
+ simpleSettingValue = @{
+ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'
+ value = '.dmg'
+ }
+ }
+ )
+ value = 'com.apple.managedclient.preferences_exclusions_item_$type_1'
+ }
+ }
+ )
+ },
+ @{
+ children = @(
+ @{
+ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
+ settingDefinitionId = 'com.apple.managedclient.preferences_exclusions_item_$type'
+ choiceSettingValue = @{
+ children = @(
+ @{
+ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance'
+ settingDefinitionId = 'com.apple.managedclient.preferences_exclusions_item_name'
+ simpleSettingValue = @{
+ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'
+ value = 'Test'
+ }
+ }
+ )
+ value = 'com.apple.managedclient.preferences_exclusions_item_$type_2'
+ }
+ }
+ )
+ }
+ )
+ }
+ }
+ }
+ )
+ }
+
+ Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith {
+ }
+
+ Mock -CommandName New-M365DSCConnection -MockWith {
+ return "Credentials"
+ }
+
+ # Mock Write-Host to hide output during the tests
+ Mock -CommandName Write-Host -MockWith {
+ }
+ $Script:exportedInstances =$null
+ $Script:ExportMode = $false
+
+ Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith {
+ return @(@{
+ Id = '12345-12345-12345-12345-12345'
+ Source = 'direct'
+ SourceId = '12345-12345-12345-12345-12345'
+ Target = @{
+ DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345'
+ DeviceAndAppManagementAssignmentFilterType = 'none'
+ AdditionalProperties = @(
+ @{
+ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'
+ groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d'
+ }
+ )
+ }
+ })
+ }
+ }
+ # Test contexts
+ Context -Name "The IntuneAntivirusExclusionsPolicyMacOS should exist but it DOES NOT" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ Assignments = [CimInstance[]]@(
+ (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{
+ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
+ groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d'
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ } -ClientOnly)
+ )
+ Description = "My Test"
+ Exclusions = [CimInstance[]]@(
+ (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{
+ Exclusions_item_extension = '.dmg'
+ Exclusions_item_type = '1'
+ } -ClientOnly)
+ (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{
+ Exclusions_item_name = 'Test'
+ Exclusions_item_type = '2'
+ } -ClientOnly)
+ );
+ Id = "12345-12345-12345-12345-12345"
+ DisplayName = "My Test"
+ RoleScopeTagIds = @("FakeStringValue")
+ Ensure = "Present"
+ Credential = $Credential;
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith {
+ return $null
+ }
+ }
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Absent'
+ }
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+ It 'Should Create the group from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1
+ }
+ }
+
+ Context -Name "The IntuneAntivirusExclusionsPolicyMacOS exists but it SHOULD NOT" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ Assignments = [CimInstance[]]@(
+ (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{
+ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
+ groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d'
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ } -ClientOnly)
+ )
+ Description = "My Test"
+ Exclusions = [CimInstance[]]@(
+ (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{
+ Exclusions_item_extension = '.dmg'
+ Exclusions_item_type = '1'
+ } -ClientOnly)
+ (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{
+ Exclusions_item_name = 'Test'
+ Exclusions_item_type = '2'
+ } -ClientOnly)
+ );
+ Id = "12345-12345-12345-12345-12345"
+ DisplayName = "My Test"
+ RoleScopeTagIds = @("FakeStringValue")
+ Ensure = "Absent"
+ Credential = $Credential;
+ }
+ }
+
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+
+ It 'Should return true from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should Remove the group from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1
+ }
+ }
+ Context -Name "The IntuneAntivirusExclusionsPolicyMacOS Exists and Values are already in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ Assignments = [CimInstance[]]@(
+ (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{
+ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
+ groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d'
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ } -ClientOnly)
+ )
+ Description = "My Test"
+ Exclusions = [CimInstance[]]@(
+ (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{
+ Exclusions_item_extension = '.dmg'
+ Exclusions_item_type = '1'
+ } -ClientOnly)
+ (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{
+ Exclusions_item_name = 'Test'
+ Exclusions_item_type = '2'
+ } -ClientOnly)
+ );
+ Id = "12345-12345-12345-12345-12345"
+ DisplayName = "My Test"
+ RoleScopeTagIds = @("FakeStringValue")
+ Ensure = "Present"
+ Credential = $Credential;
+ }
+ }
+
+ It 'Should return true from the Test method' {
+ Test-TargetResource @testParams | Should -Be $true
+ }
+ }
+
+ Context -Name "The IntuneAntivirusExclusionsPolicyMacOS exists and values are NOT in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ Assignments = [CimInstance[]]@(
+ (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{
+ DataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
+ groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d'
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ } -ClientOnly)
+ )
+ Description = "My Test"
+ Exclusions = [CimInstance[]]@(
+ (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{
+ Exclusions_item_extension = '.xcode' # Drift
+ Exclusions_item_type = '1'
+ } -ClientOnly)
+ (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{
+ Exclusions_item_name = 'Test'
+ Exclusions_item_type = '2'
+ } -ClientOnly)
+ );
+ Id = "12345-12345-12345-12345-12345"
+ DisplayName = "My Test"
+ RoleScopeTagIds = @("FakeStringValue")
+ Ensure = "Present"
+ Credential = $Credential;
+ }
+ }
+
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should call the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1
+ }
+ }
+
+ Context -Name 'ReverseDSC Tests' -Fixture {
+ BeforeAll {
+ $Global:CurrentModeIsExport = $true
+ $Global:PartialExportFileName = "$(New-Guid).partial.ps1"
+ $testParams = @{
+ Credential = $Credential
+ }
+ }
+
+ It 'Should Reverse Engineer resource from the Export method' {
+ $result = Export-TargetResource @testParams
+ $result | Should -Not -BeNullOrEmpty
+ }
+ }
+ }
+}
+
+Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope
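Review bot: The drift context only changes one extension value (`.dmg` to `.xcode`), so nothing here checks that the resource reports drift when the live policy carries an exclusion the desired configuration does not list, which for an antivirus exclusions policy is the change most worth detecting. I would add a context whose `Exclusions` holds only the `.dmg` entry while the mocked policy still returns both entries, and assert that `Test-TargetResource` returns `$false`; the comparison logic is in the resource module outside this hunk, so the expected result should be confirmed there. Separately, in the "exists but it SHOULD NOT" context the test titled `'Should return true from the Test method'` asserts `$false`, and two titles say "group" where the resource is a policy.

```powershell
Context -Name "The IntuneAntivirusExclusionsPolicyMacOS exists with an exclusion that is NOT in the desired state" -Fixture {
    BeforeAll {
        $testParams = @{
            # … unchanged: Assignments, Description, Id, DisplayName, RoleScopeTagIds, Ensure = "Present", Credential …
            Exclusions = [CimInstance[]]@(
                (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{
                    Exclusions_item_extension = '.dmg'
                    Exclusions_item_type      = '1'
                } -ClientOnly)
                # The mocked policy also returns the name exclusion 'Test'; it is left out here on purpose.
            )
        }
    }

    It 'Should return false from the Test method when the policy has an extra exclusion' {
        Test-TargetResource @testParams | Should -Be $false
    }
}
```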