Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request]: Show expirations on Apple certificates for DEP, VPP, and MDM Push Cert. Alerts would be nice too. #1114

Closed
ITSourcePro opened this issue Sep 8, 2022 · 7 comments
Closed

[Feature Request]: Show expirations on Apple certificates for DEP, VPP, and MDM Push Cert. Alerts would be nice too. #1114

ITSourcePro opened this issue Sep 8, 2022 · 7 comments
Assignees
@JohnDuprey
Labels
enhancement New feature or request no-priority

Comments

@ITSourcePro
Copy link

Description of the new feature - must be an in-depth explanation of the feature you want, reasoning why, and the added benefits for MSPs as a whole.

Keeping an eye on certificate expiration is a top priority as having them expire can force MSP to remove and readd the devices to Intune. It would be a great addition to CIPP to add this feature.

PowerShell commands you would normally use to achieve above request

<#
.SYNOPSIS
Monitor all Apple Connectors like Push Notification Certificate, VPP and DEP tokens.
This script is written to be used in an Azure Automation runbook to monitor your Intune deployment connectors.
.DESCRIPTION
Monitor all Apple Connectors like Push Notification Certificate, VPP and DEP tokens.
.VARIABLES
All variables must be defines in Azure Automation
TenantName
Specify the *.onmicrosoft.com name for your tenant.
AppID
Specify the ClientID of the Azure AD App used for unattended authentication to MS Graph API
AppSecret (encrypted)
Specify the secret key for authentication to the Azure AD App used for unattended authentication to MS Graph (never write that in side the script it self)
ApplicationID
Specify the Application ID of the app registration in Azure AD. By default, the script will attempt to use well known Microsoft Intune PowerShell app registration.
Uri
The Uri for the webhook for the Microsoft Teams channel we are sending the alerts too.
.EXAMPLE
# Script runs unnatended from Azure Automation - all parameters should be defined in Automation account
Monitor-IntuneAppleConnectors.ps1
.NOTES
FileName: Monitor-IntuneAppleConnectors.ps1
Author: Jan Ketil Skanke
Contact: @JankeSkanke
Created: 2020-01-04
Updated: 2020-01-04
Version history:
1.0.0 - (2020-01-04) First release
Required modules:
"Microsoft.graph.intune"
#>
#Define Your Notification Ranges
$AppleMDMPushCertNotificationRange = '30'
$AppleVPPTokenNotificationRange = '30'
$AppleDEPTokenNotificationRange = '30'

Grab variables frrom automation account - this must match your variable names in Azure Automation Account

Example $Uri = Get-AutomationVariable -Name "TeamsChannelUri" means the VariableTeamsChannelUri must exist in Azure Automation with the correct variable.

$TenantName = Get-AutomationVariable -Name 'TenantName'
$AppID = Get-AutomationVariable -Name "msgraph-clientcred-appid"
$AppSecret = Get-AutomationVariable -Name "msgraph-clientcred-appsecret"
$Uri = Get-AutomationVariable -Name "TeamsChannelUri"
$Now = Get-Date
Function Send-TeamsAlerts {
[cmdletbinding()]
Param(
[string]$uri,
[string]$ConnectorName,
[string]$ExpirationStatus,
[string]$AppleId,
[string]$ExpDateStr
)
#Format Message Body for Message Card in Microsoft Teams
$body = @"
{
"@type": "MessageCard",
"@context": "https://schema.org/extensions",
"summary": "Intune Apple Notification",
"themeColor": "ffff00",
"title": "$ExpirationStatus",
"sections": [
{
"activityTitle": "Warning message",
"activitySubtitle": "$Now",
"activityImage": "https://github.com/JankeSkanke/imagerepo/blob/master/warning.png?raw=true",
"facts": [
{
"name": "Connector:",
"value": "$ConnectorName"
},
{
"name": "Status:",
"value": "$ExpirationStatus"
},
{
"name": "AppleID:",
"value": "$AppleID"
},
{
"name": "Expiry Date:",
"value": "$ExpDateStr"
}
],
"text": "Must be renewed by IT Admin before the expiry date."
}
]
}
"@

Post Message Alert to Teams

Invoke-RestMethod -uri $uri -Method Post -body $body -ContentType 'application/json' | Out-Null
Write-Output $ExpirationStatus
}
#Import Modules
import-module "Microsoft.graph.intune"

Connect to Intune MSGraph with Client Secret quietly by updating Graph Environment to use our own Azure AD APP and connecting with a ClientSecret

Update-MSGraphEnvironment -SchemaVersion "beta" -AppId $AppId -AuthUrl "https://login.microsoftonline.com/$TenantName" -Quiet
Connect-MSGraph -ClientSecret $AppSecret -Quiet

Checking Apple Push Notification Cert

$ApplePushCert = Get-IntuneApplePushNotificationCertificate
$ApplePushCertExpDate = $ApplePushCert.expirationDateTime
$ApplePushIdentifier = $ApplePushCert.appleIdentifier
$APNExpDate = $ApplePushCertExpDate.ToShortDateString()

if ($ApplePushCertExpDate -lt (Get-Date)) {
$APNExpirationStatus = "MS Intune: Apple MDM Push certificate has already expired"
Send-TeamsAlerts -uri $uri -ConnectorName "Apple Push Notification Certificate" -ExpirationStatus $APNExpirationStatus -AppleId $ApplePushIdentifier -ExpDateStr $APNExpDate
}
else {
$AppleMDMPushCertDaysLeft = ($ApplePushCertExpDate - (Get-Date))
if ($AppleMDMPushCertDaysLeft.Days -le $AppleMDMPushCertNotificationRange) {
$APNExpirationStatus = "MSIntune: Apple MDM Push certificate expires in $($AppleMDMPushCertDaysLeft.Days) days"
Send-TeamsAlerts -uri $uri -ConnectorName "Apple Push Notification Certificate" -ExpirationStatus $APNExpirationStatus -AppleId $ApplePushIdentifier -ExpDateStr $APNExpDate
}
else {
$APNExpirationStatus = "MSIntune: NOALERT"
Write-Output "APN Certificate OK"
}
}

Checking Apple Volume Purchase Program tokens

$AppleVPPToken = Get-DeviceAppManagement_VppTokens

if($AppleVPPToken.Count -ne '0'){
foreach ($token in $AppleVPPToken){
$AppleVPPExpDate = $token.expirationDateTime
$AppleVPPIdentifier = $token.appleId
$AppleVPPState = $token.state
$VPPExpDateStr = $AppleVPPExpDate.ToShortDateString()
if ($AppleVPPState -ne 'valid') {
$VPPExpirationStatus = "MSIntune: Apple VPP Token is not valid, new token required"
Send-TeamsAlerts -uri $uri -ConnectorName "VPP Token" -ExpirationStatus $VPPExpirationStatus -AppleId $AppleVPPIdentifier -ExpDateStr $VPPExpDateStr
}
else {
$AppleVPPTokenDaysLeft = ($AppleVPPExpDate - (Get-Date))
if ($AppleVPPTokenDaysLeft.Days -le $AppleVPPTokenNotificationRange) {$VPPExpirationStatus = "MSIntune: Apple VPP Token expires in $($AppleVPPTokenDaysLeft.Days) days"
Send-TeamsAlerts -uri $uri -ConnectorName "VPP Token" -ExpirationStatus $VPPExpirationStatus -AppleId $AppleVPPIdentifier -ExpDateStr $VPPExpDateStr
}
else {$VPPExpirationStatus = "MSIntune: NOALERT"
Write-Output "Apple VPP Token OK"
}
}
}
}

Checking DEP Token

$AppleDEPToken = (Invoke-MSGraphRequest -Url 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings' -HttpMethod GET).value
if ($AppleDeptoken.Count -ne '0'){
foreach ($token in $AppleDEPToken){
$AppleDEPExpDate = $token.tokenExpirationDateTime
$AppleDepID = $token.appleIdentifier
$AppleDEPTokenDaysLeft = ($AppleDEPExpDate - (Get-Date))
$DEPExpDateStr = $AppleDEPExpDate.ToShortDateString()
if ($AppleDEPTokenDaysLeft.Days -le $AppleDEPTokenNotificationRange) {
$AppleDEPExpirationStatus = "MSIntune: Apple DEP Token expires in $($AppleDEPTokenDaysLeft.Days) days"
Send-TeamsAlerts -uri $uri -ConnectorName "DEP Token" -ExpirationStatus $AppleDEPExpirationStatus -AppleId $AppleDEPId -ExpDateStr $DEPExpDateStr
}
else {
$AppleDEPExpirationStatus = "MSIntune: NOALERT"
Write-Output "Apple DEP Token OK"
}
}
}
Footer
© 2022 GitHub, Inc.
Footer navigation
Terms
Privacy
Security
Status
Docs
Contact GitHub
Pricing
API
Training
Blog
About
@ITSourcePro ITSourcePro added enhancement New feature or request no-priority labels Sep 8, 2022
@github-actions
Copy link

github-actions bot commented Sep 8, 2022

Thank you for creating a feature request! feature requests are prioritized by our direct contributors. Your current priority is set to "No Priority". If you are a sponsor you can request an upgrade of priority, If you want this feature to be integrated you can always do this yourself by checking out our contributions guide at https://kelvintegelaar.github.io/CIPP/GettingStarted/Contributions.html. Contributors to the CIPP project reserve the right to close feature requests at will.

If your feature request is not picked up in 2 week by a contributor it will be closed.

If you'd like this feature request to be assigned to you, please comment "I would like to work on this please!".

@JohnDuprey
Copy link
Collaborator

I would like to work on this please!

@github-actions
Copy link

Great! I assigned you (@JohnDuprey) to the issue. Have fun working on it!

@JohnDuprey
Copy link
Collaborator

@ITSourcePro I've written up a couple of alerts that mimic your examples. Let me know if these look right.

{ $_.'ApnCertExpiry' -eq $true } {
            try {
                $Filter = "RowKey eq 'ApnCertExpiry' and PartitionKey eq '{0}'" -f $Tenant.tenantid
                $LastRun = Get-AzDataTableEntity @LastRunTable -Filter $Filter
                $Yesterday = (Get-Date).AddDays(-1)
                if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
                    $Apn = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/applePushNotificationCertificate' -tenantid $Tenant.tenant 
                    if ($Apn.expirationDateTime -lt (Get-Date).AddDays(30) -and $Apn.expirationDateTime -gt (Get-Date).AddDays(-7)) {
                        "Apple Push Notification certificate for '{0}' is expiring on {1}" -f $App.appleIdentifier, $Apn.expirationDateTime
                    }
                }
                $LastRun = @{
                    RowKey       = 'ApnCertExpiry'
                    PartitionKey = $Tenant.tenantid
                }
                Add-AzDataTableEntity @LastRunTable -Entity $LastRun -Force         
            }
            catch {
                #$Message = 'Exception on line {0} - {1}' -f $_.InvocationInfo.ScriptLineNumber, $_.Exception.Message
                #Write-LogMessage -message $Message -API 'Alerts' -tenant $tenant.tenant -sev Error
            }
        }
        { $_.'VppTokenExpiry' -eq $true } {
            try {
                $Filter = "RowKey eq 'VppTokenExpiry' and PartitionKey eq '{0}'" -f $Tenant.tenantid
                $LastRun = Get-AzDataTableEntity @LastRunTable -Filter $Filter
                $Yesterday = (Get-Date).AddDays(-1)
                if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
                    $VppTokens = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceAppManagement/vppTokens' -tenantid $Tenant.tenant).value 
                    foreach ($Vpp in $VppTokens) {
                        if ($Vpp.state -ne 'valid') {
                            'Apple Volume Purchase Program Token is not valid, new token required'
                        }
                        if ($Vpp.expirationDateTime -lt (Get-Date).AddDays(30) -and $Vpp.expirationDateTime -gt (Get-Date).AddDays(-7)) {
                            'Apple Volume Purchase Program token expiring on {0}' -f $Vpp.expirationDateTime
                        } 
                    }
                    $LastRun = @{
                        RowKey       = 'VppTokenExpiry'
                        PartitionKey = $Tenant.tenantid
                    }
                    Add-AzDataTableEntity @LastRunTable -Entity $LastRun -Force
                }
            }
            catch {
                #$Message = 'Exception on line {0} - {1}' -f $_.InvocationInfo.ScriptLineNumber, $_.Exception.Message
                #Write-LogMessage -message $Message -API 'Alerts' -tenant $tenant.tenant -sev Error
            }
        }
        { $_.'DepTokenExpiry' -eq $true } {
            try {
                $Filter = "RowKey eq 'DepTokenExpiry' and PartitionKey eq '{0}'" -f $Tenant.tenantid
                $LastRun = Get-AzDataTableEntity @LastRunTable -Filter $Filter
                $Yesterday = (Get-Date).AddDays(-1)
                if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
                    $DepTokens = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings' -tenantid $Tenant.tenant).value 
                    foreach ($Dep in $DepTokens) {
                        if ($Dep.tokenExpirationDateTime -lt (Get-Date).AddDays(30) -and $Dep.tokenExpirationDateTime -gt (Get-Date).AddDays(-7)) {
                            'Apple Device Enrollment Program token expiring on {0}' -f $Dep.expirationDateTime
                        }
                    }
                    $LastRun = @{
                        RowKey       = 'DepTokenExpiry'
                        PartitionKey = $Tenant.tenantid
                    }
                    Add-AzDataTableEntity @LastRunTable -Entity $LastRun -Force 
                }
            }
            catch {
                #$Message = 'Exception on line {0} - {1}' -f $_.InvocationInfo.ScriptLineNumber, $_.Exception.Message
                #Write-LogMessage -message $Message -API 'Alerts' -tenant $tenant.tenant -sev Error
            }
        }

@ITSourcePro
Copy link
Author

Looks right to me! Thanks for working that out that script!

JohnDuprey added a commit to JohnDuprey/CIPP that referenced this issue Sep 13, 2022
@JohnDuprey
New Alerts
6b4635e 
- APN Certificate Expiry
- VPP Token Expiry
- DEP Token Expiry

fixes KelvinTegelaar#1114
@JohnDuprey JohnDuprey mentioned this issue Sep 13, 2022
Merged
@KelvinTegelaar
Copy link
Owner

Added in Dev, testing. :)

@KelvinTegelaar
Copy link
Owner

Works well, thanks @JohnDuprey

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JohnDuprey JohnDuprey

Labels
enhancement New feature or request no-priority
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@JohnDuprey @KelvinTegelaar @ITSourcePro