Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IntuneAppProtectionPolicyiOS - MinimumWipeOsVersion comparisons fail in Test-TargetResource #3000

Closed
menswearUK opened this issue Mar 14, 2023 · 0 comments · Fixed by #3001 or #3014
Closed

IntuneAppProtectionPolicyiOS - MinimumWipeOsVersion comparisons fail in Test-TargetResource #3000

menswearUK opened this issue Mar 14, 2023 · 0 comments · Fixed by #3001 or #3014

Comments

@menswearUK
Copy link
Contributor

Details of the scenario you tried and the problem that is occurring

When running Test-Targetresource in the IntuneAppProtectionPolicyiOS resource comparison of the value Test-M365DSCParameterState fail. This causes the config to be re-applied when not required and also for test-dscresource to return false when the profile is in the correct state

Verbose logs showing the problem

VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234] Testing configuration of iOS App Protection Policy {testiospolicy} VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234] Checking for the Intune iOS App Protection Policy {testiospolicy}
VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234]
Found iOS App Protection Policy {testiospolicy}
VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234] GET

https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections('T_12345678-1234-1234-1234-123456789012')
/assignments with 0-byte payload
VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234]
received 173-byte response of content type application/json
VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234]
Current Values: AllowedDataStorageLocations=(); AllowedInboundDataTransferSources=allApps;
AllowedIosDeviceModels=$null; AllowedOutboundClipboardSharingExceptionLength=0;
AllowedOutboundClipboardSharingLevel=managedAppsWithPasteIn; AllowedOutboundDataTransferDestinations=allApps;
AppActionIfDeviceComplianceRequired=block; AppActionIfIosDeviceModelNotAllowed=block;
AppActionIfMaximumPinRetriesExceeded=block; AppDataEncryptionType=whenDeviceLocked; ApplicationId=;
ApplicationSecret=;
Apps=(com.microsoft.bing.halseyassistant,com.microsoft.d365.fs.mobile,com.microsoft.dynamics,com.microsoft.dynamics.inv
oice,com.microsoft.dynamics.iphone.moca,com.microsoft.dynamics.iphone.moca.fieldservices,com.microsoft.dynamics.iphone.
moca.sales,com.microsoft.lync2013.iphone,com.microsoft.mobile.polymer,com.microsoft.msapps,com.microsoft.msedge,com.mic rosoft.o365shdmobileapp,com.microsoft.office.excel,com.microsoft.office.outlook,com.microsoft.office.powerpoint,com.mic rosoft.office.word,com.microsoft.office365booker,com.microsoft.officelens,com.microsoft.officemobile,com.microsoft.onen ote,com.microsoft.plannermobile,com.microsoft.powerbimobile,com.microsoft.procsimo,com.microsoft.ramobile,com.microsoft .rms-sharing,com.microsoft.scmx,com.microsoft.sharepoint,com.microsoft.shiftr,com.microsoft.skydrive,com.microsoft.skyp e.teams,com.microsoft.splists,com.microsoft.stream,com.microsoft.to-do,com.microsoft.visio,com.microsoft.whiteboard,com .microsoft.workfolders,com.veradocs.ios.appstore.intune,wefwef); Assignments=(); CertificateThumbprint=; ContactSyncBlocked=False; Credential=$null; CustomBrowserProtocol=; DataBackupBlocked=False; Description=A test iOS Policy; DeviceComplianceRequired=True; DisableAppPinIfDevicePinIsSet=False; DisableProtectionOfManagedOutboundOpenInData=False; DisplayName=testiospolicy; Ensure=Present; ExcludedGroups=(); ExemptedAppProtocols=(Default:skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services;); FaceIdBlocked=False; FilterOpenInToOnlyManagedApps=False; FingerprintBlocked=False; Identity=T_12345678-1234-1234-1234-123456789012; ManagedBrowser=notConfigured; ManagedBrowserToOpenLinksRequired=False; Managedidentity=False; MaximumPinRetries=5; MinimumPinLength=4; MinimumRequiredAppVersion=$null; MinimumRequiredOsVersion=$null; MinimumRequiredSdkVersion=$null; MinimumWarningAppVersion=$null; MinimumWarningOSVersion=$null; MinimumWipeAppVersion=$null; MinimumWipeOSVersion=14.8; MinimumWipeSdkVersion=$null; NotificationRestriction=allow; OrganizationalCredentialsRequired=False; PeriodBeforePinReset=90.00:00:00; PeriodOfflineBeforeAccessCheck=12:00:00; PeriodOfflineBeforeWipeIsEnforced=90.00:00:00; PeriodOnlineBeforeAccessCheck=00:30:00; PinCharacterSet=numeric; PinRequired=True; PinRequiredInsteadOfBiometricTimeout=00:30:00; PrintBlocked=False; ProtectInboundDataFromUnknownSources=False; SaveAsBlocked=False; SimplePinBlocked=True; TargetedAppManagementLevels=unmanaged; TenantId=*** VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234] Target Values: AllowedDataStorageLocations=(); AllowedInboundDataTransferSources=allApps; AllowedOutboundClipboardSharingExceptionLength=0; AllowedOutboundClipboardSharingLevel=managedAppsWithPasteIn; AllowedOutboundDataTransferDestinations=allApps; AppActionIfDeviceComplianceRequired=block; AppActionIfIosDeviceModelNotAllowed=block; AppActionIfMaximumPinRetriesExceeded=block; AppDataEncryptionType=whenDeviceLocked; ApplicationId=; ApplicationSecret=; Apps=(com.microsoft.bing.halseyassistant,com.microsoft.d365.fs.mobile,com.microsoft.dynamics,com.microsoft.dynamics.inv oice,com.microsoft.dynamics.iphone.moca,com.microsoft.dynamics.iphone.moca.fieldservices,com.microsoft.dynamics.iphone. moca.sales,com.microsoft.lync2013.iphone,com.microsoft.mobile.polymer,com.microsoft.msapps,com.microsoft.msedge,com.mic rosoft.o365shdmobileapp,com.microsoft.office.excel,com.microsoft.office.outlook,com.microsoft.office.powerpoint,com.mic rosoft.office.word,com.microsoft.office365booker,com.microsoft.officelens,com.microsoft.officemobile,com.microsoft.onen ote,com.microsoft.plannermobile,com.microsoft.powerbimobile,com.microsoft.procsimo,com.microsoft.ramobile,com.microsoft .rms-sharing,com.microsoft.scmx,com.microsoft.sharepoint,com.microsoft.shiftr,com.microsoft.skydrive,com.microsoft.skyp e.teams,com.microsoft.splists,com.microsoft.stream,com.microsoft.to-do,com.microsoft.visio,com.microsoft.whiteboard,com .microsoft.workfolders,com.veradocs.ios.appstore.intune,wefwef); Assignments=(); ContactSyncBlocked=False; CustomBrowserProtocol=; DataBackupBlocked=False; Description=A test iOS Policy; DeviceComplianceRequired=True; DisableAppPinIfDevicePinIsSet=False; DisableProtectionOfManagedOutboundOpenInData=False; DisplayName=testiospolicy; Ensure=Present; ExcludedGroups=(); ExemptedAppProtocols=(Default:skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services;); FaceIdBlocked=False; FilterOpenInToOnlyManagedApps=False; FingerprintBlocked=False; Identity=T_12345678-1234-1234-1234-123456789012; ManagedBrowser=notConfigured; ManagedBrowserToOpenLinksRequired=False; ManagedIdentity=False; MaximumPinRetries=5; MinimumPinLength=4; MinimumWipeOsVersion=14.8; NotificationRestriction=allow; OrganizationalCredentialsRequired=False; PeriodBeforePinReset=90.00:00:00; PeriodOfflineBeforeAccessCheck=12:00:00; PeriodOfflineBeforeWipeIsEnforced=90.00:00:00; PeriodOnlineBeforeAccessCheck=00:30:00; PinCharacterSet=numeric; PinRequired=True; PinRequiredInsteadOfBiometricTimeout=00:30:00; PrintBlocked=False; ProtectInboundDataFromUnknownSources=False; SaveAsBlocked=False; SimplePinBlocked=True; TargetedAppManagementLevels=unmanaged; TenantId=***; Verbose=True VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234] String value for property MinimumWipeOsVersion does not match. Current state is '' and desired state is '14.8'
VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234]
Detected Drifted Parameter [MSFT_IntuneAppProtectionPolicyiOS]MinimumWipeOsVersion
VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234]
Test-TargetResource returned False
VERBOSE: [COMPUTER]: LCM: [ End Test ] [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234] in
31.4250 seconds.
VERBOSE: [COMPUTER]: LCM: [ Start Set ] [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234]
VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234]
Checking for the Intune iOS App Protection Policy {testiospolicy}
VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234]
Found iOS App Protection Policy {testiospolicy}
VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234] GET

https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections('T_12345678-1234-1234-1234-123456789012')
/assignments with 0-byte payload
VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234]
received 173-byte response of content type application/json
VERBOSE: [COMPUTER]: [[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234]
Updating existing iOS App Protection Policy {testiospolicy}

Suggested solution to the issue

I added a verbose switch to the call to Test-M365DSCParameterState in the above output to show the reason for the error
the output line is here:
[[IntuneAppProtectionPolicyiOS]a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234] String value for property MinimumWipeOsVersion does not match. Current state is '' and desired state is '14.8'

However, the current and target values in the output do show the same value - it's only when the comparison is run the null vlaue appears.
The cause appears to be the case of the OS value in the input parameters causing the Test-M365DSCParameterState function to pull up a null value in one instance.
The key on the current values is "MinimumWipeOSVersion" but the value from PSBoundParameters is "MinimumWipeOsVersion" Because of this it compares one correct value with a null value and returns false

Amending the case of these values to match resolves this error

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# Generated with Microsoft365DSC version 1.23.222.1
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
#param (
#)

Configuration IntuneAppProtectionPolicyIOS
{


    #$OrganizationName = $ConfigurationData.NonNodeData.OrganizationName

    Import-DscResource -ModuleName 'Microsoft365DSC' # -ModuleVersion '1.23.222.1'

    Node localhost
    {
        IntuneAppProtectionPolicyiOS a12345b6-1a2b-3c4d-a1ab-1f2abc1a1234
        {
            AllowedDataStorageLocations                    = @();
            AllowedInboundDataTransferSources              = "allApps";
            AllowedOutboundClipboardSharingExceptionLength = 0;
            AllowedOutboundClipboardSharingLevel           = "managedAppsWithPasteIn";
            AllowedOutboundDataTransferDestinations        = "allApps";
            AppActionIfDeviceComplianceRequired            = "block";
            AppActionIfIosDeviceModelNotAllowed            = "block";
            AppActionIfMaximumPinRetriesExceeded           = "block";
            AppDataEncryptionType                          = "whenDeviceLocked";
            ApplicationId                                  = $ConfigurationData.NonNodeData.ApplicationId;
            ApplicationSecret                              = New-Object System.Management.Automation.PSCredential ('ApplicationSecret', (ConvertTo-SecureString $ConfigurationData.NonNodeData.ApplicationSecret -AsPlainText -Force));
            Apps                                           = @("com.microsoft.bing.halseyassistant","com.microsoft.d365.fs.mobile","com.microsoft.dynamics","com.microsoft.dynamics.invoice","com.microsoft.dynamics.iphone.moca","com.microsoft.dynamics.iphone.moca.fieldservices","com.microsoft.dynamics.iphone.moca.sales","com.microsoft.lync2013.iphone","com.microsoft.mobile.polymer","com.microsoft.msapps","com.microsoft.msedge","com.microsoft.o365shdmobileapp","com.microsoft.office.excel","com.microsoft.office.outlook","com.microsoft.office.powerpoint","com.microsoft.office.word","com.microsoft.office365booker","com.microsoft.officelens","com.microsoft.officemobile","com.microsoft.onenote","com.microsoft.plannermobile","com.microsoft.powerbimobile","com.microsoft.procsimo","com.microsoft.ramobile","com.microsoft.rms-sharing","com.microsoft.scmx","com.microsoft.sharepoint","com.microsoft.shiftr","com.microsoft.skydrive","com.microsoft.skype.teams","com.microsoft.splists","com.microsoft.stream","com.microsoft.to-do","com.microsoft.visio","com.microsoft.whiteboard","com.microsoft.workfolders","com.veradocs.ios.appstore.intune","wefwef");
            Assignments                                    = @();
            ContactSyncBlocked                             = $False;
            CustomBrowserProtocol                          = "";
            DataBackupBlocked                              = $False;
            Description                                    = "A test iOS Policy";
            DeviceComplianceRequired                       = $True;
            DisableAppPinIfDevicePinIsSet                  = $False;
            DisableProtectionOfManagedOutboundOpenInData   = $False;
            DisplayName                                    = "testiospolicy";
            Ensure                                         = "Present";
            ExcludedGroups                                 = @();
            ExemptedAppProtocols                           = @("Default:skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services;");
            FaceIdBlocked                                  = $False;
            FilterOpenInToOnlyManagedApps                  = $False;
            FingerprintBlocked                             = $False;
            Identity                                       = "T_12345678-1234-1234-1234-123456789012";
            ManagedBrowser                                 = "notConfigured";
            ManagedBrowserToOpenLinksRequired              = $False;
            Managedidentity                                = $False;
            MaximumPinRetries                              = 5;
            MinimumPinLength                               = 4;
            MinimumWipeOSVersion                           = "14.8";
            NotificationRestriction                        = "allow";
            OrganizationalCredentialsRequired              = $False;
            PeriodBeforePinReset                           = "90.00:00:00";
            PeriodOfflineBeforeAccessCheck                 = "12:00:00";
            PeriodOfflineBeforeWipeIsEnforced              = "90.00:00:00";
            PeriodOnlineBeforeAccessCheck                  = "00:30:00";
            PinCharacterSet                                = "numeric";
            PinRequired                                    = $True;
            PinRequiredInsteadOfBiometricTimeout           = "00:30:00";
            PrintBlocked                                   = $False;
            ProtectInboundDataFromUnknownSources           = $False;
            SaveAsBlocked                                  = $False;
            SimplePinBlocked                               = $True;
            TargetedAppManagementLevels                    = "unmanaged";
            TenantId                                       = $ConfigurationData.NonNodeData.TenantId;
        }
    }
}

#M365TenantConfig -ConfigurationData .\ConfigurationData.psd1

The operating system the target node is running

na/ cl;oud configuration

Version of the DSC module that was used ('dev' if using current dev branch)

dev
@menswearUK menswearUK mentioned this issue Mar 14, 2023
Merged
ykuijs added a commit that referenced this issue Mar 14, 2023
@ykuijs
Merge pull request #3001 from menswearUK/MinimumWipeOsVersion-fix
02995aa 
IntuneAppProtectionPolicyiOS  - amended case on instances of MinimumWipeOSVersion - fixes #3000
@ykuijs ykuijs mentioned this issue Mar 15, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@menswearUK