Intune, now part of Microsoft Endpoint Manager, is the tool for Mobile Device Management (MDM) and Mobile Application Management (MAM). Device management used to be focused on iOS and Android, while Windows 10 was most likely managed with System Center Configuration Manager (SCCM). Windows 10 has been perfectly manageable in an MDM scenario with Microsoft Intune for years. I've created some default policies in my developer tenant which I'll be exporting and importing using the Graph API. My focus at the moment is Windows 10, but I'll be adding iOS, Android and macOS policies later; some iOS, Android and macOS policies are already downloaded automatically. The script can be customized to suit your needs: it also works as a backup solution for your policies and configuration, or simply as a way to verify that the policies are still the same as they were a month ago.
Intune policies
Besides some general configuration I've created the following policies:
- Deployment profiles
- Compliance policy
- Security baselines
- Update rings
- App protection policy
- Configuration policies
- Identity protection
- Device restrictions
- Endpoint protection
- Administrative templates can be exported using the scripts by Sandy Tsang (MSIntune/Intune-PowerShell/DeviceConfiguration at master · sandytsang/MSIntune · GitHub). I'm hoping Microsoft will add Graph functionality for the settings catalog, which is currently still in preview.
- Microsoft Defender ATP
- Health Monitoring
The following settings are still a work in progress:
- Enrollment profiles
- Apps
- Branding
- Other config
Graph API
I will be using the Graph API for exporting and importing Intune policies and configuration.
Permissions
We will be reading and writing, so we need to add application permissions to call the APIs on the app registration in Azure Active Directory.
Add the API permissions below and grant admin consent. Note that these permissions can do real harm in the wrong hands: whoever holds the client secret can read and change the device configuration of the whole tenant. Keep the secret out of source control, rotate it, and use Conditional Access to limit the attack surface.
- DeviceManagementApps.ReadWrite.All
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementServiceConfig.ReadWrite.All
Note the following information, as the script needs it as parameters:
- Client ID
- Client Secret
- Tenant ID
- Output location
Export Intune policies
The script has been uploaded to O365ExportImport/ExportAndImport/Intune at main · CloudSecuritea/O365ExportImport · GitHub, where it can be downloaded, changed and used. Run export-intune.ps1 and provide the script with the required parameters (client ID, client secret, tenant ID and output location) to start the export.
The JSON files are created in the specified output location, one per policy.
Import Intune policies
We have just exported the Intune policies. The JSON files will now be used to import this configuration. Note that running the script creates new policies every time it runs, so you will need to delete the old policies if they are still present. Assignments are currently not imported and will need to be set afterwards.
The script has been uploaded to O365ExportImport/ExportAndImport/Intune at main · CloudSecuritea/O365ExportImport · GitHub, where it can be downloaded, changed and used. Run import-intune.ps1 and provide the script with the required parameters to start the import.
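To show what the export and import described above actually do against Graph, here is a condensed, added example. It is not the author's export-intune.ps1 or import-intune.ps1 from the repository; it assumes the INTUNE_* environment variables, the C:\IntuneBackup folder, the beta Graph endpoint and the two resource types in $Resources, all of which are my own choices. It covers the three points a practitioner runs into: the client credentials token for the permissions from the Permissions section, paging through @odata.nextLink so large tenants are exported completely, and stripping the read-only properties (and adding the scheduled action Graph requires on compliance policies) before the POST that creates the new policy.

```powershell
# Added example, not the author's export-intune.ps1 / import-intune.ps1.
# Assumed: INTUNE_* environment variables, the output folder, the beta
# endpoint and the two resource types below; extend $Resources as needed.

$TenantId     = $env:INTUNE_TENANT_ID
$ClientId     = $env:INTUNE_CLIENT_ID
$ClientSecret = $env:INTUNE_CLIENT_SECRET    # prefer a certificate or Key Vault in production
$OutputPath   = 'C:\IntuneBackup'
$Graph        = 'https://graph.microsoft.com/beta'   # many Intune configuration types are beta-only

# Collections to back up. Key = folder name, value = Graph path.
$Resources = @{
    deviceCompliancePolicies = 'deviceManagement/deviceCompliancePolicies'
    deviceConfigurations     = 'deviceManagement/deviceConfigurations'
}

# Properties Graph sets itself; sending them back on POST fails or is ignored.
$ReadOnly = @('id', 'createdDateTime', 'lastModifiedDateTime', 'version',
              'supportsScopeTags', 'roleScopeTagIds', '@odata.context')

function Get-GraphToken {
    # OAuth 2.0 client credentials flow. The token carries exactly the
    # application permissions consented to the app registration.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/x-www-form-urlencoded').access_token
}

function Get-GraphCollection {
    param([string]$Uri, [hashtable]$Headers)
    # Follow @odata.nextLink so the export is complete, not just the first page.
    $items = @()
    while ($Uri) {
        $page   = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

function Export-IntunePolicies {
    $headers = @{ Authorization = "Bearer $(Get-GraphToken)" }
    foreach ($name in $Resources.Keys) {
        $folder = Join-Path $OutputPath $name
        New-Item -ItemType Directory -Path $folder -Force | Out-Null
        foreach ($policy in Get-GraphCollection -Uri "$Graph/$($Resources[$name])" -Headers $headers) {
            # One file per policy, named after its display name, so a diff against last month's export is readable.
            $safeName = $policy.displayName -replace '[\\/:*?"<>|]', '_'
            $policy | ConvertTo-Json -Depth 20 | Set-Content -Path (Join-Path $folder "$safeName.json") -Encoding UTF8
        }
    }
}

function Import-IntunePolicies {
    $headers = @{ Authorization = "Bearer $(Get-GraphToken)" }
    foreach ($name in $Resources.Keys) {
        foreach ($file in Get-ChildItem -Path (Join-Path $OutputPath $name) -Filter '*.json') {
            $policy = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
            foreach ($prop in $ReadOnly) {
                if ($policy.PSObject.Properties[$prop]) { $policy.PSObject.Properties.Remove($prop) }
            }
            if (-not $policy.'@odata.type') {
                throw "$($file.Name) has no @odata.type; Graph cannot tell which policy type to create"
            }
            if ($name -eq 'deviceCompliancePolicies' -and -not $policy.scheduledActionsForRule) {
                # Graph rejects a new compliance policy without a scheduled action; mark non-compliant immediately.
                $policy | Add-Member -NotePropertyName scheduledActionsForRule -NotePropertyValue @(@{
                    ruleName = 'PasswordRequired'
                    scheduledActionConfigurations = @(@{
                        actionType = 'block'; gracePeriodHours = 0
                        notificationTemplateId = ''; notificationMessageCCList = @()
                    })
                })
            }
            # POST always creates a new policy: run once, delete the old one, then re-create the assignments.
            $created = Invoke-RestMethod -Method Post -Uri "$Graph/$($Resources[$name])" -Headers $headers `
                -Body ($policy | ConvertTo-Json -Depth 20) -ContentType 'application/json'
            Write-Host "Created $name '$($created.displayName)' with id $($created.id)"
        }
    }
}

# Usage: Export-IntunePolicies   (then, in the target tenant)   Import-IntunePolicies
```

The @odata.type check matters because the same collection holds many policy types (for example windows10CompliancePolicy and iosCompliancePolicy); without it Graph cannot deserialize the body. The $ReadOnly list is the minimum I know Graph objects to; some configuration types carry further server-managed properties, so when a POST returns 400 the error body will usually name the offending property and it can be added to the list.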
Things to do
- Add more configuration items
- Automatically delete and assign