florian-obradovic/Monitor-Apple-Intune-Tokens.ps1

## Monitor-Apple-Intune-Tokens.ps1
<#
    .EXTERNALMODULEDEPENDENCIES  Microsoft.Graph (v.2.0.0-preview)
    .DESCRIPTION
        This script monitors apple token expiration in Intune (Intune) and checks if DEP, VPP, and APNS tokens,
        certificates are valided after the number of specified days.
        It utilizes Microsoft.Graph (v.2.0.0-preview) module to authenticate with the system managed identity of your
        Azure Automation Account.

        Permissions Required: DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All Directory.Read.All

    .NOTES
        Based on the original script of nicola@nicolasuter.ch, https://tech.nicolonsky.ch
        Migrated by Florian Obradovic (@volksvertreter) for use with Microsoft.Graph v2 module & Managed System Identities
        !!!! Mail-Function is untested and needs to be migrated to work with managed identities: https://learningbydoing.cloud/blog/granting-workload-identities-least-priv-mailbox-access-via-graph/ !!!!
#>

Param()

###############################################################################################

# treshold days before expiration notification is fired
$notificationTresholdDays = 90

# Microsoft Teams Webhook URI
$webHookUri = "https://YOUDROMAIN.webhook.office.com/webhookb2/GUID/IncomingWebhook/GUID

# Connect to Microsoft Graph using Microsoft.Graph V2 Preview module and system managed identity
# Locally connect with: Connect-MgGraph -ForceRefresh -scopes "DeviceManagementServiceConfig.Read.All,DeviceManagementApps.Read.All,Directory.Read.All"
Connect-MgGraph -Identity

# Get initial domain name to display as tenant name on teams card
$orgDomain = Get-MgDomain | Where-Object {$_.isInitial} | Select-Object -ExpandProperty Id

# optional mail configuration
<#
    $mailConfig = @{
        SMTPServer = "smtp.office365.com"
        SMTPPort = "587"
        Sender = "sender-address@domain.com"
        Recipients = @("dude@domain.com", "mate@domain.com")
        Header = "Apple token expiration in Intune for tenant: $orgDomain"
    }
#>

# JSON template for teams card message
$bodyTemplate = @"
    {
        "@type": "MessageCard",
        "@context": "https://schema.org/extensions",
        "summary": "Apple token expiration in Intune",
        "themeColor": "D778D7",
        "title": "Apple token expiration in Intune",
         "sections": [
            {
                "facts": [
                    {
                        "name": "Tenant:",
                        "value": "TENANT_DOMAIN"
                    },
                    {
                        "name": "Token Type:",
                        "value": "TOKEN_TYPE"
                    },
                    {
                        "name": "Token Name:",
                        "value": "TOKEN_NAME"
                    },
                    {
                        "name": "Expiration datetime:",
                        "value": "TOKEN_EXPIRATION_DATETIME"
                    },
                    {
                        "name": "Help URL:",
                        "value": "[Microsoft Docs: Renew iOS certificate and tokens](https://docs.microsoft.com/en-us/intune-education/renew-ios-certificate-token)"
                    }
                ],
                "text": "The following Apple token in your Intune Tenant is about to expire:"
            }
        ]
    }
"@

# Mail message template
$mailTemplate = @"
  <html>
  <body>
    <h1>Attention: Apple token expiration in Intune!</h1>
    <br>
    Please make sure to renew your expired apple token in Intune!
    <br>
    <br>
    <b>Token type:</b> TOKEN_TYPE
    <br>
    <b>Token Name:</b> TOKEN_NAME
    <br>
    <b>Expiration Datetime:</b> TOKEN_EXPIRATION_DATETIME <br>
    <b>Help URL: <a href="https://docs.microsoft.com/en-us/intune-education/renew-ios-certificate-token">Microsoft Docs</a><br>
    <br>
    <br/>
  </body>
</html>
"@

# Add configured days to current date for treshold comparison
$notificationTreshold = (Get-Date).AddDays($notificationTresholdDays)

# Process Apple push notification certificate and check for expiration
$applePushNotificationCertificate = Get-MgDeviceManagementApplePushNotificationCertificate

if ($notificationTreshold -ge $applePushNotificationCertificate.expirationDateTime){

    Write-Output "Apple Push Notification Certificate $($applePushNotificationCertificate.'@odata.context'): $($applePushNotificationCertificate.appleIdentifier) will expire soon!"

    # if mailconfig is enabled use mail template instead of teams card
    if ($mailConfig){

        $body = $mailTemplate
        $body = $body.Replace("TENANT_DOMAIN", $orgDomain )
        $body = $body.Replace("TOKEN_TYPE", "Apple Push Notification Certificate")
        $body = $body.Replace("TOKEN_NAME", $applePushNotificationCertificate.appleIdentifier)
        $body = $body.Replace("TOKEN_EXPIRATION_DATETIME", $applePushNotificationCertificate.expirationDateTime)

        $creds = Get-AutomationPSCredential -Name $mailConfig.sender
        Send-MailMessage -UseSsl -From $mailConfig.Sender -To $mailConfig.Recipients -SmtpServer $mailConfig.SMTPServer -Port $mailConfig.SMTPPort -Subject $mailConfig.Header -Body $body -Credential $creds -BodyAsHtml

    }

    $body = $bodyTemplate
    $body = $body.Replace("TENANT_DOMAIN", $orgDomain )
    $body = $body.Replace("TOKEN_TYPE", "Apple Push Notification Certificate")
    $body = $body.Replace("TOKEN_NAME", $applePushNotificationCertificate.appleIdentifier)
    $body = $body.Replace("TOKEN_EXPIRATION_DATETIME", $applePushNotificationCertificate.expirationDateTime)

    if (-not $mailConfig){

        $request = Invoke-WebRequest -Method Post -Uri $webHookUri -Body $body -UseBasicParsing

    }

    }

    else {

    Write-Output "Apple Push Notification Certificate $($applePushNotificationCertificate.'@odata.context'): $($applePushNotificationCertificate.appleIdentifier) still valid!"

}

# Process all Apple vpp tokens and check if they will expire soon
$appleVppTokens = Get-MgDeviceAppManagementVppToken

$appleVppTokens | ForEach-Object {

    $appleVppToken = $PSItem

    if ($notificationTreshold -ge $appleVppToken.ExpirationDateTime){

        Write-Output "Apple VPP Token $($appleVppToken.'@odata.context'): $($appleVppToken.appleIdentifier) will expire soon!"

        # if mailconfig is enabled use mail template instead of teams card
        if ($mailConfig){

            $body = $mailTemplate
            $body = $body.Replace("TENANT_DOMAIN", $orgDomain )
            $body = $body.Replace('TOKEN_TYPE', "Apple VPP Token")
            $body = $body.Replace("TOKEN_NAME", "$($appleVppToken.organizationName): $($appleVppToken.appleId)")
            $body = $body.Replace("TOKEN_EXPIRATION_DATETIME", $appleVppToken.expirationDateTime)

            $creds = Get-AutomationPSCredential -Name $mailConfig.sender
            Send-MailMessage -UseSsl -From $mailConfig.Sender -To $mailConfig.Recipients -SmtpServer $mailConfig.SMTPServer -Port $mailConfig.SMTPPort -Subject $mailConfig.Header -Body $body -Credential $creds -BodyAsHtml

        }

        $body = $bodyTemplate
        $body = $body.Replace("TENANT_DOMAIN", $orgDomain )
        $body = $body.Replace('TOKEN_TYPE', "Apple VPP Token")
        $body = $body.Replace("TOKEN_NAME", "$($appleVppToken.organizationName): $($appleVppToken.appleId)")
        $body = $body.Replace("TOKEN_EXPIRATION_DATETIME", $appleVppToken.expirationDateTime)

        if (-not $mailConfig){

            $request = Invoke-WebRequest -Method Post -Uri $webHookUri -Body $body -UseBasicParsing

        }

    }

    else {

        Write-Output "Apple VPP Token $($appleVppToken.'@odata.context'): $($appleVppToken.appleId) still valid!"

    }
}

# Process all Apple DEP Tokens (we have to switch to the beta endpoint)
$appleDepTokens = (Invoke-MgGraphRequest -Method GET -Uri "beta/deviceManagement/depOnboardingSettings").value

$appleDepTokens | ForEach-Object {

    $appleDepToken = $PSItem

    if ($notificationTreshold -ge $appleDepToken.tokenExpirationDateTime){

        Write-Output "Apple DEP Token $($appleDepToken.'@odata.context'): $($appleDepToken.appleIdentifier) will expire soon!"

        # if mailconfig is enabled use mail template instead of teams card
        if ($mailConfig){

            $body = $mailTemplate
            $body = $body.Replace("TENANT_DOMAIN", $orgDomain )
            $body = $body.Replace("TOKEN_TYPE", "Apple DEP Token")
            $body = $body.Replace("TOKEN_NAME", "$($appleDepToken.tokenName): $($appleDepToken.appleIdentifier)")
            $body = $body.Replace("TOKEN_EXPIRATION_DATETIME", $appleDepToken.tokenExpirationDateTime)

            $creds = Get-AutomationPSCredential -Name $mailConfig.sender
            Send-MailMessage -UseSsl -From $mailConfig.Sender -To $mailConfig.Recipients -SmtpServer $mailConfig.SMTPServer -Port $mailConfig.SMTPPort -Subject $mailConfig.Header -Body $body -Credential $creds -BodyAsHtml

        }

        $body = $bodyTemplate
        $body = $body.Replace("TENANT_DOMAIN", $orgDomain )
        $body = $body.Replace("TOKEN_TYPE", "Apple DEP Token")
        $body = $body.Replace("TOKEN_NAME", "$($appleDepToken.tokenName): $($appleDepToken.appleIdentifier)")
        $body = $body.Replace("TOKEN_EXPIRATION_DATETIME", $appleDepToken.tokenExpirationDateTime)

        if (-not $mailConfig){

            $request = Invoke-WebRequest -Method Post -Uri $webHookUri -Body $body -UseBasicParsing

        }

    }

    else {

        Write-Output "Apple DEP Token $($appleDepToken.'@odata.context'): $($appleDepToken.appleIdentifier) still valid!"

    }
}
	<#
	.EXTERNALMODULEDEPENDENCIES Microsoft.Graph (v.2.0.0-preview)
	.DESCRIPTION
	This script monitors apple token expiration in Intune (Intune) and checks if DEP, VPP, and APNS tokens,
	certificates are valided after the number of specified days.
	It utilizes Microsoft.Graph (v.2.0.0-preview) module to authenticate with the system managed identity of your
	Azure Automation Account.

	Permissions Required: DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All Directory.Read.All

	.NOTES
	Based on the original script of nicola@nicolasuter.ch, https://tech.nicolonsky.ch
	Migrated by Florian Obradovic (@volksvertreter) for use with Microsoft.Graph v2 module & Managed System Identities
	!!!! Mail-Function is untested and needs to be migrated to work with managed identities: https://learningbydoing.cloud/blog/granting-workload-identities-least-priv-mailbox-access-via-graph/ !!!!
	#>

	Param()

	###############################################################################################

	# treshold days before expiration notification is fired
	$notificationTresholdDays = 90

	# Microsoft Teams Webhook URI
	$webHookUri = "https://YOUDROMAIN.webhook.office.com/webhookb2/GUID/IncomingWebhook/GUID

	# Connect to Microsoft Graph using Microsoft.Graph V2 Preview module and system managed identity
	# Locally connect with: Connect-MgGraph -ForceRefresh -scopes "DeviceManagementServiceConfig.Read.All,DeviceManagementApps.Read.All,Directory.Read.All"
	Connect-MgGraph -Identity

	# Get initial domain name to display as tenant name on teams card
	$orgDomain = Get-MgDomain \| Where-Object {$_.isInitial} \| Select-Object -ExpandProperty Id

	# optional mail configuration
	<#
	$mailConfig = @{
	SMTPServer = "smtp.office365.com"
	SMTPPort = "587"
	Sender = "sender-address@domain.com"
	Recipients = @("dude@domain.com", "mate@domain.com")
	Header = "Apple token expiration in Intune for tenant: $orgDomain"
	}
	#>

	# JSON template for teams card message
	$bodyTemplate = @"
	{
	"@type": "MessageCard",
	"@context": "https://schema.org/extensions",
	"summary": "Apple token expiration in Intune",
	"themeColor": "D778D7",
	"title": "Apple token expiration in Intune",
	"sections": [
	{
	"facts": [
	{
	"name": "Tenant:",
	"value": "TENANT_DOMAIN"
	},
	{
	"name": "Token Type:",
	"value": "TOKEN_TYPE"
	},
	{
	"name": "Token Name:",
	"value": "TOKEN_NAME"
	},
	{
	"name": "Expiration datetime:",
	"value": "TOKEN_EXPIRATION_DATETIME"
	},
	{
	"name": "Help URL:",
	"value": "[Microsoft Docs: Renew iOS certificate and tokens](https://docs.microsoft.com/en-us/intune-education/renew-ios-certificate-token)"
	}
	],
	"text": "The following Apple token in your Intune Tenant is about to expire:"
	}
	]
	}
	"@

	# Mail message template
	$mailTemplate = @"
	<html>
	<body>
	<h1>Attention: Apple token expiration in Intune!</h1>
	<br>
	Please make sure to renew your expired apple token in Intune!
	<br>
	<br>
	<b>Token type:</b> TOKEN_TYPE
	<br>
	<b>Token Name:</b> TOKEN_NAME
	<br>
	<b>Expiration Datetime:</b> TOKEN_EXPIRATION_DATETIME <br>
	<b>Help URL: <a href="https://docs.microsoft.com/en-us/intune-education/renew-ios-certificate-token">Microsoft Docs</a><br>
	<br>
	<br/>
	</body>
	</html>
	"@

	# Add configured days to current date for treshold comparison
	$notificationTreshold = (Get-Date).AddDays($notificationTresholdDays)

	# Process Apple push notification certificate and check for expiration
	$applePushNotificationCertificate = Get-MgDeviceManagementApplePushNotificationCertificate

	if ($notificationTreshold -ge $applePushNotificationCertificate.expirationDateTime){

	Write-Output "Apple Push Notification Certificate $($applePushNotificationCertificate.'@odata.context'): $($applePushNotificationCertificate.appleIdentifier) will expire soon!"

	# if mailconfig is enabled use mail template instead of teams card
	if ($mailConfig){

	$body = $mailTemplate
	$body = $body.Replace("TENANT_DOMAIN", $orgDomain )
	$body = $body.Replace("TOKEN_TYPE", "Apple Push Notification Certificate")
	$body = $body.Replace("TOKEN_NAME", $applePushNotificationCertificate.appleIdentifier)
	$body = $body.Replace("TOKEN_EXPIRATION_DATETIME", $applePushNotificationCertificate.expirationDateTime)

	$creds = Get-AutomationPSCredential -Name $mailConfig.sender
	Send-MailMessage -UseSsl -From $mailConfig.Sender -To $mailConfig.Recipients -SmtpServer $mailConfig.SMTPServer -Port $mailConfig.SMTPPort -Subject $mailConfig.Header -Body $body -Credential $creds -BodyAsHtml

	}

	$body = $bodyTemplate
	$body = $body.Replace("TENANT_DOMAIN", $orgDomain )
	$body = $body.Replace("TOKEN_TYPE", "Apple Push Notification Certificate")
	$body = $body.Replace("TOKEN_NAME", $applePushNotificationCertificate.appleIdentifier)
	$body = $body.Replace("TOKEN_EXPIRATION_DATETIME", $applePushNotificationCertificate.expirationDateTime)

	if (-not $mailConfig){

	$request = Invoke-WebRequest -Method Post -Uri $webHookUri -Body $body -UseBasicParsing

	}

	}

	else {

	Write-Output "Apple Push Notification Certificate $($applePushNotificationCertificate.'@odata.context'): $($applePushNotificationCertificate.appleIdentifier) still valid!"

	}

	# Process all Apple vpp tokens and check if they will expire soon
	$appleVppTokens = Get-MgDeviceAppManagementVppToken

	$appleVppTokens \| ForEach-Object {

	$appleVppToken = $PSItem

	if ($notificationTreshold -ge $appleVppToken.ExpirationDateTime){

	Write-Output "Apple VPP Token $($appleVppToken.'@odata.context'): $($appleVppToken.appleIdentifier) will expire soon!"

	# if mailconfig is enabled use mail template instead of teams card
	if ($mailConfig){

	$body = $mailTemplate
	$body = $body.Replace("TENANT_DOMAIN", $orgDomain )
	$body = $body.Replace('TOKEN_TYPE', "Apple VPP Token")
	$body = $body.Replace("TOKEN_NAME", "$($appleVppToken.organizationName): $($appleVppToken.appleId)")
	$body = $body.Replace("TOKEN_EXPIRATION_DATETIME", $appleVppToken.expirationDateTime)

	$creds = Get-AutomationPSCredential -Name $mailConfig.sender
	Send-MailMessage -UseSsl -From $mailConfig.Sender -To $mailConfig.Recipients -SmtpServer $mailConfig.SMTPServer -Port $mailConfig.SMTPPort -Subject $mailConfig.Header -Body $body -Credential $creds -BodyAsHtml

	}

	$body = $bodyTemplate
	$body = $body.Replace("TENANT_DOMAIN", $orgDomain )
	$body = $body.Replace('TOKEN_TYPE', "Apple VPP Token")
	$body = $body.Replace("TOKEN_NAME", "$($appleVppToken.organizationName): $($appleVppToken.appleId)")
	$body = $body.Replace("TOKEN_EXPIRATION_DATETIME", $appleVppToken.expirationDateTime)

	if (-not $mailConfig){

	$request = Invoke-WebRequest -Method Post -Uri $webHookUri -Body $body -UseBasicParsing

	}

	}

	else {

	Write-Output "Apple VPP Token $($appleVppToken.'@odata.context'): $($appleVppToken.appleId) still valid!"

	}
	}

	# Process all Apple DEP Tokens (we have to switch to the beta endpoint)
	$appleDepTokens = (Invoke-MgGraphRequest -Method GET -Uri "beta/deviceManagement/depOnboardingSettings").value

	$appleDepTokens \| ForEach-Object {

	$appleDepToken = $PSItem

	if ($notificationTreshold -ge $appleDepToken.tokenExpirationDateTime){

	Write-Output "Apple DEP Token $($appleDepToken.'@odata.context'): $($appleDepToken.appleIdentifier) will expire soon!"

	# if mailconfig is enabled use mail template instead of teams card
	if ($mailConfig){

	$body = $mailTemplate
	$body = $body.Replace("TENANT_DOMAIN", $orgDomain )
	$body = $body.Replace("TOKEN_TYPE", "Apple DEP Token")
	$body = $body.Replace("TOKEN_NAME", "$($appleDepToken.tokenName): $($appleDepToken.appleIdentifier)")
	$body = $body.Replace("TOKEN_EXPIRATION_DATETIME", $appleDepToken.tokenExpirationDateTime)

	$creds = Get-AutomationPSCredential -Name $mailConfig.sender
	Send-MailMessage -UseSsl -From $mailConfig.Sender -To $mailConfig.Recipients -SmtpServer $mailConfig.SMTPServer -Port $mailConfig.SMTPPort -Subject $mailConfig.Header -Body $body -Credential $creds -BodyAsHtml

	}

	$body = $bodyTemplate
	$body = $body.Replace("TENANT_DOMAIN", $orgDomain )
	$body = $body.Replace("TOKEN_TYPE", "Apple DEP Token")
	$body = $body.Replace("TOKEN_NAME", "$($appleDepToken.tokenName): $($appleDepToken.appleIdentifier)")
	$body = $body.Replace("TOKEN_EXPIRATION_DATETIME", $appleDepToken.tokenExpirationDateTime)

	if (-not $mailConfig){

	$request = Invoke-WebRequest -Method Post -Uri $webHookUri -Body $body -UseBasicParsing

	}

	}

	else {

	Write-Output "Apple DEP Token $($appleDepToken.'@odata.context'): $($appleDepToken.appleIdentifier) still valid!"

	}
	}