Could not create iosManagedAppProtections policy about intune-powershell-sdk HOT 10 CLOSED

Hi @dballardmaung,

The following will work for you:

New-DeviceAppManagement_ManagedAppPolicies -iosManagedAppProtection -displayName "iOS MAM / APP Policy" -periodOfflineBeforeAccessCheck (New-TimeSpan -Hours 12) -periodOnlineBeforeAccessCheck (New-TimeSpan -Minutes 30) -allowedInboundDataTransferSources managedApps -allowedOutboundDataTransferDestinations managedApps -allowedOutboundClipboardSharingLevel managedAppsWithPasteIn -organizationalCredentialsRequired $false -dataBackupBlocked $true -managedBrowserToOpenLinksRequired $false -deviceComplianceRequired $false -saveAsBlocked $true -periodOfflineBeforeWipeIsEnforced (New-TimeSpan -Days 30) -pinRequired $true -maximumPinRetries 5 -simplePinBlocked $false -minimumPinLength 4 -pinCharacterSet numeric -periodBeforePinReset (New-TimeSpan -Days 30) -allowedDataStorageLocations @("oneDriveForBusiness","sharePoint") -contactSyncBlocked $false -printBlocked $true -fingerprintBlocked $false -disableAppPinIfDevicePinIsSet $false

The reason why yours was failing was the entries for "-periodOnlineBeforeAccessCheck" requires the input to be in a timespan format, so the sample above should help.

Let us know if it doesn't work.

Dave

from intune-powershell-sdk.

Hi @davefalkus,

Thanks for the quick reply and a sample. I will test it out tonight.

Danny

from intune-powershell-sdk.

Hi @davefalkus,

I was able to create iOS and Android App protection policies using your sample you provided. Now I am trying to add Target apps to app protect polices and having no luck after trying several syntax.

I was able to get an output of IosManagedAppProtections_Apps.

Get-DeviceAppManagement_IosManagedAppProtections_Apps -iosManagedAppProtectionId T_e9d815d5-0faa-4517-8700-16bc91912c72 (worked wonderful)

Errors from commands:

• New-DeviceAppManagement_IosManagedAppProtections_Apps

• New-DeviceAppManagement_ManagedAppPolicies_Apps

• Get-DeviceAppManagement_IosManagedAppProtections_Assignments

PS C:> New-DeviceAppManagement_IosManagedAppProtections_Apps -iosManagedAppProtectionId T_e9d815d5-0faa-4517-8700-16bc91912c72 -ODataType iosMobileAppIdentifier -mobileAppIdentifier bundleId=wefwef
New-DeviceAppManagement_IosManagedAppProtections_Apps : 400 Bad Request
{
"error": {
"code": "BadRequest",
"message": "Property mobileAppIdentifier in payload has a value that does not match schema.",
"innerError": {
"request-id": "982e3da2-b257-4992-a864-c8c0177e9113",
"date": "2018-10-04T02:08:51"
}
}
}
At line:1 char:1

• New-DeviceAppManagement_IosManagedAppProtections_Apps -iosManagedAppP ...

•   + CategoryInfo          : ConnectionError: (@{Request=; Response=}:PSObject) [New-DeviceAppMa...rotections_Apps], HttpRequestException
    + FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.New_DeviceAppManagement_IosManagedAppProtections_Apps
  
  

PS C:> New-DeviceAppManagement_IosManagedAppProtections_Apps -iosManagedAppProtectionId T_e9d815d5-0faa-4517-8700-16bc91912c72 -ODataType iosMobileAppIdentifier -mobileAppIdentifier wefwef
New-DeviceAppManagement_IosManagedAppProtections_Apps : 400 Bad Request
{
"error": {
"code": "BadRequest",
"message": "Property mobileAppIdentifier in payload has a value that does not match schema.",
"innerError": {
"request-id": "f304ac07-b817-49a6-a3c2-57be2b9e0c82",
"date": "2018-10-04T02:09:35"
}
}
}
At line:1 char:1

• New-DeviceAppManagement_IosManagedAppProtections_Apps -iosManagedAppP ...

•   + CategoryInfo          : ConnectionError: (@{Request=; Response=}:PSObject) [New-DeviceAppMa...rotections_Apps], HttpRequestException
    + FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.New_DeviceAppManagement_IosManagedAppProtections_Apps
  
  
  

PS C:> New-DeviceAppManagement_ManagedAppPolicies_Apps -managedAppPolicyId T_e9d815d5-0faa-4517-8700-16bc91912c72 -managedAppPolicyODataType 'microsoft.graph.iosManagedAppProtection' -ODataType iosMobileAppIdentifier -mobileAppIdentifier 'bundleId=wefwef'
New-DeviceAppManagement_ManagedAppPolicies_Apps : 400 Bad Request
{
"error": {
"code": "BadRequest",
"message": "Property mobileAppIdentifier in payload has a value that does not match schema.",
"innerError": {
"request-id": "f0c05522-7ad7-4f84-8f37-375457bd487c",
"date": "2018-10-04T01:55:28"
}
}
}
At line:1 char:1

• New-DeviceAppManagement_ManagedAppPolicies_Apps -managedAppPolicyId T ...

•   + CategoryInfo          : ConnectionError: (@{Request=; Response=}:PSObject) [New-DeviceAppMa...ppPolicies_Apps], HttpRequestException
    + FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.New_DeviceAppManagement_ManagedAppPolicies_Apps
    
  
  

PS C:> New-DeviceAppManagement_ManagedAppPolicies_Apps -managedAppPolicyId 'TestIosAppPolicy' -managedAppPolicyODataType 'microsoft.graph.iosManagedAppProtection' -ODataType iosMobileAppIde
ntifier -mobileAppIdentifier 'bundleId=wefwef'
New-DeviceAppManagement_ManagedAppPolicies_Apps : 400 Bad Request
{
"error": {
"code": "BadRequest",
"message": "Property mobileAppIdentifier in payload has a value that does not match schema.",
"innerError": {
"request-id": "6154be79-7b14-476a-9917-e8e34e5f55ab",
"date": "2018-10-04T01:55:49"
}
}
}
At line:1 char:1

• New-DeviceAppManagement_ManagedAppPolicies_Apps -managedAppPolicyId ' ...

•   + CategoryInfo          : ConnectionError: (@{Request=; Response=}:PSObject) [New-DeviceAppMa...ppPolicies_Apps], HttpRequestException
    + FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.New_DeviceAppManagement_ManagedAppPolicies_Apps
  
  

PS C:> Get-DeviceAppManagement_IosManagedAppProtections_Assignments -iosManagedAppProtectionId T_af49a5a1-647a-4e80-809e-babe4bce97ac -iosManagedAppProtectionODataType "microsoft.graph.iosManagedAppProtection"
Get-DeviceAppManagement_IosManagedAppProtections_Assignments : 400 Bad Request
{
"error": {
"code": "No method match route template",
"message": "No OData route exists that match template ~/singleton/navigation/key/cast/navigation with http verb GET for request
/MAMAdmin/MAMAdminFEService/deviceAppManagement/iosManagedAppProtections('T_af49a5a1-647a-4e80-809e-babe4bce97ac')/$/microsoft.management.services.api.iosManagedAppProtection/assignments.",
"innerError": {
"request-id": "1c0bd3d9-7421-4880-9498-e074e7a55e8e",
"date": "2018-10-04T02:03:22"
}
}
}
At line:1 char:1

• Get-DeviceAppManagement_IosManagedAppProtections_Assignments -iosMana ...

•   + CategoryInfo          : ConnectionError: (@{Request=; Response=}:PSObject) [Get-DeviceAppMa...ons_Assignments], HttpRequestException
    + FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.Get_DeviceAppManagement_IosManagedAppProtections_Assignments
  
  

PS C:> Get-DeviceAppManagement_IosManagedAppProtections_Assignments -iosManagedAppProtectionId T_af49a5a1-647a-4e80-809e-babe4bce97ac -iosManagedAppProtectionODataType "microsoft.graph.iosManagedAppProtection"
Get-DeviceAppManagement_IosManagedAppProtections_Assignments : 400 Bad Request
{
"error": {
"code": "No method match route template",
"message": "No OData route exists that match template ~/singleton/navigation/key/cast/navigation with http verb GET for request
/MAMAdmin/MAMAdminFEService/deviceAppManagement/iosManagedAppProtections('T_af49a5a1-647a-4e80-809e-babe4bce97ac')/$/microsoft.management.services.api.iosManagedAppProtection/assignments.",
"innerError": {
"request-id": "1c0bd3d9-7421-4880-9498-e074e7a55e8e",
"date": "2018-10-04T02:03:22"
}
}
}
At line:1 char:1

• Get-DeviceAppManagement_IosManagedAppProtections_Assignments -iosMana ...

•   + CategoryInfo          : ConnectionError: (@{Request=; Response=}:PSObject) [Get-DeviceAppMa...ons_Assignments], HttpRequestException
    + FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.Get_DeviceAppManagement_IosManagedAppProtections_Assignments
  
  
  

Any help is appreciated.

What I would like to see is to have some examples for the command when using get help -examples as well as clear information when using -full or -detailed

get-help -Examples

Danny

from intune-powershell-sdk.

1. Get some managed apps

This should give you all of the apps that you are allowed to target (since you can only target managed apps):

$apps = Get-DeviceAppManagement_MobileApps | Where-Object { $_.'@odata.type' -like '#microsoft.graph.managed*' }

You can use this list of apps as-is if you want to apply the policy to all managed apps, otherwise you can filter this down further.

2. Get the app identifiers for these apps

For iOS apps, this would be the "bundleId":

$appIdentifiers = $apps | ForEach-Object {
   if (-not [string]::IsNullOrEmpty($_.bundleId)) {
     New-ManagedMobileAppObject -mobileAppIdentifier (New-MobileAppIdentifierObject -iosMobileAppIdentifier -bundleId $_.bundleId)
   }
 }

For Android apps, this is the "packageId":

$appIdentifiers = $apps | ForEach-Object {
   if (-not [string]::IsNullOrEmpty($_.packageId)) {
     New-ManagedMobileAppObject -mobileAppIdentifier (New-MobileAppIdentifierObject -androidMobileAppIdentifier -packageId $_.packageId)
   }
 }

3. Get a reference to the policy object

To do this, you can store the result of the cmdlet that you used to create the policy:

$policy = New-DeviceAppManagement_ManagedAppPolicies `
    -iosManagedAppProtection ` # This platform (iOS/Android) MUST match the type of apps retrieved in step 2
    -displayName "iOS MAM / APP Policy" `
    -periodOfflineBeforeAccessCheck (New-TimeSpan -Hours 12) `
    -periodOnlineBeforeAccessCheck (New-TimeSpan -Minutes 30) `
    -allowedInboundDataTransferSources managedApps `
    -allowedOutboundDataTransferDestinations managedApps `
    -allowedOutboundClipboardSharingLevel managedAppsWithPasteIn `
    -organizationalCredentialsRequired $false `
    -dataBackupBlocked $true `
    -managedBrowserToOpenLinksRequired $false `
    -deviceComplianceRequired $false `
    -saveAsBlocked $true `
    -periodOfflineBeforeWipeIsEnforced (New-TimeSpan -Days 30) `
    -pinRequired $true `
    -maximumPinRetries 5 `
    -simplePinBlocked $false `
    -minimumPinLength 4 `
    -pinCharacterSet numeric `
    -periodBeforePinReset (New-TimeSpan -Days 30) `
    -allowedDataStorageLocations @("oneDriveForBusiness","sharePoint") `
    -contactSyncBlocked $false `
    -printBlocked $true `
    -fingerprintBlocked $false `
    -disableAppPinIfDevicePinIsSet $false

Or if you've already created the policy, you can get it like this:

$policy = Get-DeviceAppManagement_IosManagedAppProtections -iosManagedAppProtectionId '<policy ID goes here>'

NOTE: Make sure that the type of policy (iOS/Android) matches the platform of the apps being targeted.

4. Target the policy to the apps

Let's say that you put the policy object in a variable called $policy. The following command should allow you to target the policy to the apps:

Invoke-DeviceAppManagement_ManagedAppPolicies_TargetApps -managedAppPolicyId $policy.id -apps $appIdentifiers

Thanks for the feedback about documentation. It is quite difficult to add specific, meaningful examples to the Get-Help documentation itself because the whole module (including documentation) is automatically generated. However, we can definitely add this to the Wiki in this GitHub repo. Also, if this is a common scenario for you, please do let us know. We are working on building up a library of "Scenario Modules" that will simplify common use cases. The scenario modules can be found here: https://github.com/Microsoft/Intune-PowerShell-Management.

from intune-powershell-sdk.

Hi @rohitramu

Thanks for the pointers. I was able to develop commands to automate App Protection Policy for iOS.

New-DeviceAppManagement_ManagedAppPolicies -iosManagedAppProtection -displayName $PolName -periodOfflineBeforeAccessCheck (New-TimeSpan -Hours 12) -periodOnlineBeforeAccessCheck (New-TimeSpan -Minutes 30) -allowedInboundDataTransferSources allApps -allowedOutboundDataTransferDestinations managedApps -allowedOutboundClipboardSharingLevel managedAppsWithPasteIn -organizationalCredentialsRequired $false -dataBackupBlocked $true -deviceComplianceRequired $true -managedBrowserToOpenLinksRequired $true -saveAsBlocked $true -periodOfflineBeforeWipeIsEnforced (New-TimeSpan -Days 90) -pinRequired $true -maximumPinRetries 5 -simplePinBlocked $false -minimumPinLength 4 -pinCharacterSet Numeric -periodBeforePinReset 00:00:00 -allowedDataStorageLocations oneDriveForBusiness,sharePoint,localStorage -contactSyncBlocked $false -printBlocked $true -fingerprintBlocked $false -disableAppPinIfDevicePinIsSet $false -appDataEncryptionType whenDeviceLocked -faceIdBlocked $false

$iosAppPrtPol = Get-DeviceAppManagement_IosManagedAppProtections

$iOSapps = Get-DeviceAppManagement_MobileApps | Where-Object { $_.'@odata.type' -like '#microsoft.graph.managed*' }

$appIosIdentifiers = $iOSapps | ForEach-Object{
	if (-not [string]::IsNullOrEmpty($_.bundleId))
	{
		$placer1 = $_.bundleId
		If ($placer1 -ne 'com.box.mdmios' -and `
		$placer1 -ne 'com.sharefile.mobile.intune' -and `
		$placer1 -ne 'com.microsoft.office365booker' -and `
		$placer1 -ne 'nl.msi.ibabspro.it' -and `
		$placer1 -ne 'com.microsoft.o365smb.engagex' -and `
		$placer1 -ne 'com.microsoft.dynamics' -and `
		$placer1 -ne 'com.microsoft.dynamics.iphone.moca' -and `
		$placer1 -ne 'com.microsoft.dynamics.invoice' -and `
		$placer1 -ne 'com.microsoft.mobile.polymer' -and `
		$placer1 -ne 'com.microsoft.shiftr' -and `
		$placer1 -ne 'com.microsoft.groupies-daily' -and `
		$placer1 -ne 'com.printeron.printeron.microsoft' -and `
		$placer1 -ne 'com.microsoft.rdc.ios' -and `
		$placer1 -ne 'com.veradocs.ios.appstore.intune')
		{
			New-ManagedMobileAppObject -mobileAppIdentifier (New-MobileAppIdentifierObject -iosMobileAppIdentifier -bundleId $placer1)
		}
	}}

$iOSpolicy = Get-DeviceAppManagement_IosManagedAppProtections -iosManagedAppProtectionId $iosAppPrtPol.id

Invoke-DeviceAppManagement_ManagedAppPolicies_TargetApps -managedAppPolicyId $iOSpolicy.id -apps $appIosIdentifiers

I am running into some difficulties:

• Add assignment using security group to iOS app protection policy using below cmdlet with iosManagedAppProtections id and
  Get-DeviceAppManagement_IosManagedAppProtections_Assignments -iosManagedAppProtectionId T_62a17798-f812-488b-92f7-0ffc18d93652 -iosManagedAppProtectionODataType microsoft.graph.iosManagedAppProtection

• Adding a new App from iosStoreApp using the below code and ran into an error. I followed your example of adding a webapp for adding iosStoreApp
  New-DeviceAppManagement_MobileApps -iosStoreApp -displayName 'Adobe Acrobat Reader' -publisher 'Adobe' -bundleId 'com.adobe.Adobe-Reader' -appStoreUrl 'https://itunes.apple.com/us/app/adobe-acrobat-reader/id469337564'

Error return code:

New-DeviceAppManagement_MobileApps : 400 Bad Request
{
  "error": {
    "code": "",
    "message": "The request is invalid.",
    "innerError": {
      "request-id": "886b8204-69d1-4fcf-ac6d-3580f2fd917f",
      "date": "2018-10-05T02:56:35"
    }
  }
}
At line:1 char:1
+ New-DeviceAppManagement_MobileApps -iosStoreApp -displayName 'Adobe A ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ConnectionError: (@{Request=; Response=}:PSObject) [New-DeviceAppManagement_MobileApps],
    HttpRequestException
    + FullyQualifiedErrorId : PowerShellGraphSDK_HttpRequestError,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlet
   s.New_DeviceAppManagement_MobileApps

Can you provide any tips/Pointers on my two huddles?

Thanks

Danny

from intune-powershell-sdk.

Your first command is actually getting the full list of iOS app protection policies instead of just the one you want. Please ensure you provide the policy ID if you want to get a particular policy. Also, from what I can tell, the only way to get the assignments for an app protection policy in Graph v1.0 is by making a "$expand" call:

$iosAppPrtPol = Get-DeviceAppManagement_IosManagedAppProtections `
    -iosManagedAppProtectionId 'T_62a17798-f812-488b-92f7-0ffc18d93652' `
    -Expand assignments

$iosAppPrtPolAssignments = $iosAppPrtPol.assignments

In terms of creating a security group assignment for an app protection policy, I'm still investigating how to do that. I'll reply here once I have more information.

For creating the iOS store app, you need to provide the applicableDeviceType and minimumSupportedOperatingSystem parameters:

$app = New-DeviceAppManagement_MobileApps `
    -iosStoreApp `
    -displayName 'Adobe Acrobat Reader' `
    -publisher 'Adobe' `
    -bundleId 'com.adobe.Adobe-Reader' `
    -appStoreUrl 'https://itunes.apple.com/us/app/adobe-acrobat-reader/id469337564' `
    -applicableDeviceType (New-IosDeviceTypeObject -iPad $true -iPhoneAndIPod $true) `
    -minimumSupportedOperatingSystem (New-IosMinimumOperatingSystemObject -v8_0 $true)

from intune-powershell-sdk.

@rohitramu

Thanks for your information. I was able to apps for iOS and Built-in Android. Just want to know if there is a cmdlet to add apps from Android Enterprise (Managed Google Play store).

I will watch for your update on creating a security group assignment for an app protection policy.

Will the next update include creation of Conditional Access policy cmdlet?

Thank you for your help.

from intune-powershell-sdk.

Hey Danny,

I have uploaded an updated release (please download it from the "Releases" tab in this repository. It includes the cmdlet for assigning an app protection policy to a group. Using the updated release, your commands would look something like this:

# 1) Create the policy
$policy = New-DeviceAppManagement_ManagedAppPolicies `
    -iosManagedAppProtection ` # This platform (iOS/Android) MUST match the type of apps retrieved in step 2
    -displayName "iOS MAM / APP Policy" `
    -periodOfflineBeforeAccessCheck (New-TimeSpan -Hours 12) `
    -periodOnlineBeforeAccessCheck (New-TimeSpan -Minutes 30) `
    -allowedInboundDataTransferSources managedApps `
    -allowedOutboundDataTransferDestinations managedApps `
    -allowedOutboundClipboardSharingLevel managedAppsWithPasteIn `
    -organizationalCredentialsRequired $false `
    -dataBackupBlocked $true `
    -managedBrowserToOpenLinksRequired $false `
    -deviceComplianceRequired $false `
    -saveAsBlocked $true `
    -periodOfflineBeforeWipeIsEnforced (New-TimeSpan -Days 30) `
    -pinRequired $true `
    -maximumPinRetries 5 `
    -simplePinBlocked $false `
    -minimumPinLength 4 `
    -pinCharacterSet numeric `
    -periodBeforePinReset (New-TimeSpan -Days 30) `
    -allowedDataStorageLocations @("oneDriveForBusiness","sharePoint") `
    -contactSyncBlocked $false `
    -printBlocked $true `
    -fingerprintBlocked $false `
    -disableAppPinIfDevicePinIsSet $false

# 2) Get managed iOS apps and create "managedMobileApp" PowerShell objects which contain a mobileAppItentifier
$iOSapps = Get-DeviceAppManagement_MobileApps | Where-Object { $_.'@odata.type' -like '#microsoft.graph.managed*' }
$managedAppObjects = $iOSapps | ForEach-Object {
    if (-not [string]::IsNullOrEmpty($_.bundleId)) {
        New-ManagedMobileAppObject -mobileAppIdentifier (New-MobileAppIdentifierObject -iosMobileAppIdentifier -bundleId $_.bundleId)
    }
}

# 3) Target the app protection policy to the apps
Invoke-DeviceAppManagement_IosManagedAppProtections_TargetApps -iosManagedAppProtectionId $policy.id -apps $managedAppObjects

# 4) Assign the app protection policy to some groups
$groups = Get-Groups # Filter this list of groups as you'd like
$groups | ForEach-Object {
    Invoke-DeviceAppManagement_IosManagedAppProtections_Assign -iosManagedAppProtectionId $policy.id -assignments @(
        New-TargetedManagedAppPolicyAssignmentObject `
            -target (New-DeviceAndAppManagementAssignmentTargetObject -groupAssignmentTarget -groupId $group.id)
    )
}

Regarding Conditional Access and Android Enterprise, I will have to investigate which APIs to use. Could you please open separate issues for each of those so we can keep the discussion on topic?

Let me know if you were able to get everything working with iosAppProtectionPolicies, and I can go ahead and close this issue.

Kind regards,
Rohit

from intune-powershell-sdk.

Hi @rohitramu

Thank you for your help. I am able to create a whole script that will do what I want to do. I will open a new issue for CA and Android Enterprise.

from intune-powershell-sdk.

Thanks Danny!

from intune-powershell-sdk.