Last active
November 23, 2019 18:40
-
-
Save mobernberger/a95b4b5578361e8ddc0fc580b8a5b79f to your computer and use it in GitHub Desktop.
Upload Custom iOS XML IMAP configuration via Intune Graph API
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .COPYRIGHT | |
| Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license. | |
| See LICENSE in the project root for license information. | |
| Added XML and JSON configuration and UPN parameter by Michael Obernberger | |
| Version: 1.0 | |
| Date: 12.03.2019 | |
| #> | |
| param ( | |
| [Parameter(Mandatory=$True)] | |
| [string]$upn | |
| ) | |
| #################################################### | |
| function Get-AuthToken { | |
| <# | |
| .SYNOPSIS | |
| This function is used to authenticate with the Graph API REST interface | |
| .DESCRIPTION | |
| The function authenticate with the Graph API Interface with the tenant name | |
| .EXAMPLE | |
| Get-AuthToken | |
| Authenticates you with the Graph API interface | |
| .NOTES | |
| NAME: Get-AuthToken | |
| #> | |
| [cmdletbinding()] | |
| param | |
| ( | |
| [Parameter(Mandatory=$true)] | |
| $User | |
| ) | |
| $userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User | |
| $tenant = $userUpn.Host | |
| Write-Host "Checking for AzureAD module..." | |
| $AadModule = Get-Module -Name "AzureAD" -ListAvailable | |
| if ($AadModule -eq $null) { | |
| Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview" | |
| $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable | |
| } | |
| if ($AadModule -eq $null) { | |
| write-host | |
| write-host "AzureAD Powershell module not installed..." -f Red | |
| write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow | |
| write-host "Script can't continue..." -f Red | |
| write-host | |
| exit | |
| } | |
| # Getting path to ActiveDirectory Assemblies | |
| # If the module count is greater than 1 find the latest version | |
| if($AadModule.count -gt 1){ | |
| $Latest_Version = ($AadModule | select version | Sort-Object)[-1] | |
| $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version } | |
| # Checking if there are multiple versions of the same module found | |
| if($AadModule.count -gt 1){ | |
| $aadModule = $AadModule | select -Unique | |
| } | |
| $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll" | |
| $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll" | |
| } | |
| else { | |
| $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll" | |
| $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll" | |
| } | |
| [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null | |
| [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null | |
| $clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547" | |
| $redirectUri = "urn:ietf:wg:oauth:2.0:oob" | |
| $resourceAppIdURI = "https://graph.microsoft.com" | |
| $authority = "https://login.microsoftonline.com/$Tenant" | |
| try { | |
| $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority | |
| # https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx | |
| # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession | |
| $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto" | |
| $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId") | |
| $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result | |
| # If the accesstoken is valid then create the authentication header | |
| if($authResult.AccessToken){ | |
| # Creating header for Authorization token | |
| $authHeader = @{ | |
| 'Content-Type'='application/json' | |
| 'Authorization'="Bearer " + $authResult.AccessToken | |
| 'ExpiresOn'=$authResult.ExpiresOn | |
| } | |
| return $authHeader | |
| } | |
| else { | |
| Write-Host | |
| Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red | |
| Write-Host | |
| break | |
| } | |
| } | |
| catch { | |
| write-host $_.Exception.Message -f Red | |
| write-host $_.Exception.ItemName -f Red | |
| write-host | |
| break | |
| } | |
| } | |
| #################################################### | |
| Function Add-DeviceConfigurationPolicy(){ | |
| <# | |
| .SYNOPSIS | |
| This function is used to add an device configuration policy using the Graph API REST interface | |
| .DESCRIPTION | |
| The function connects to the Graph API Interface and adds a device configuration policy | |
| .EXAMPLE | |
| Add-DeviceConfigurationPolicy -JSON $JSON | |
| Adds a device configuration policy in Intune | |
| .NOTES | |
| NAME: Add-DeviceConfigurationPolicy | |
| #> | |
| [cmdletbinding()] | |
| param | |
| ( | |
| $JSON | |
| ) | |
| $graphApiVersion = "Beta" | |
| $DCP_resource = "deviceManagement/deviceConfigurations" | |
| Write-Verbose "Resource: $DCP_resource" | |
| try { | |
| if($JSON -eq "" -or $JSON -eq $null){ | |
| write-host "No JSON specified, please specify valid JSON for the Android Policy..." -f Red | |
| } | |
| else { | |
| Test-JSON -JSON $JSON | |
| $uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)" | |
| Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json" | |
| } | |
| } | |
| catch { | |
| $ex = $_.Exception | |
| $errorResponse = $ex.Response.GetResponseStream() | |
| $reader = New-Object System.IO.StreamReader($errorResponse) | |
| $reader.BaseStream.Position = 0 | |
| $reader.DiscardBufferedData() | |
| $responseBody = $reader.ReadToEnd(); | |
| Write-Host "Response content:`n$responseBody" -f Red | |
| Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)" | |
| write-host | |
| break | |
| } | |
| } | |
| #################################################### | |
| Function Test-JSON(){ | |
| <# | |
| .SYNOPSIS | |
| This function is used to test if the JSON passed to a REST Post request is valid | |
| .DESCRIPTION | |
| The function tests if the JSON passed to the REST Post is valid | |
| .EXAMPLE | |
| Test-JSON -JSON $JSON | |
| Test if the JSON is valid before calling the Graph REST interface | |
| .NOTES | |
| NAME: Test-AuthHeader | |
| #> | |
| param ( | |
| $JSON | |
| ) | |
| try { | |
| $TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop | |
| $validJson = $true | |
| } | |
| catch { | |
| $validJson = $false | |
| $_.Exception | |
| } | |
| if (!$validJson){ | |
| Write-Host "Provided JSON isn't in valid JSON format" -f Red | |
| break | |
| } | |
| } | |
| #################################################### | |
| #region Authentication | |
| write-host | |
| # Checking if authToken exists before running authentication | |
| if($global:authToken){ | |
| # Setting DateTime to Universal time to work in all timezones | |
| $DateTime = (Get-Date).ToUniversalTime() | |
| # If the authToken exists checking when it expires | |
| $TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes | |
| if($TokenExpires -le 0){ | |
| write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow | |
| write-host | |
| # Defining User Principal Name if not present | |
| if($User -eq $null -or $User -eq ""){ | |
| $User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication" | |
| Write-Host | |
| } | |
| $global:authToken = Get-AuthToken -User $User | |
| } | |
| } | |
| # Authentication doesn't exist, calling Get-AuthToken function | |
| else { | |
| if($User -eq $null -or $User -eq ""){ | |
| $User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication" | |
| Write-Host | |
| } | |
| # Getting the authorization token | |
| $global:authToken = Get-AuthToken -User $User | |
| } | |
| #endregion | |
| #region Build XML (Added by Michael Obernberger) | |
| #Split out the surname of the upn | |
| $name = ($upn.Split('.')[1]).Split('@')[0] | |
| #Split out the first letter of the name | |
| $conUsername = ($upn.Substring(0,1) + '.' + $name) | |
| #Building the custom XML payload with the variables $name and $conUsername | |
| $xmlPayload = @" | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>PayloadContent</key> | |
| <array> | |
| <dict> | |
| <key>EmailAccountDescription</key> | |
| <string>Contoso Confidential</string> | |
| <key>EmailAccountName</key> | |
| <string>Confidential</string> | |
| <key>EmailAccountType</key> | |
| <string>EmailTypeIMAP</string> | |
| <key>EmailAddress</key> | |
| <string>$conUsername@contoso.com</string> | |
| <key>IncomingMailServerAuthentication</key> | |
| <string>EmailAuthPassword</string> | |
| <key>IncomingMailServerHostName</key> | |
| <string>outlook.office365.com</string> | |
| <key>IncomingMailServerPortNumber</key> | |
| <integer>993</integer> | |
| <key>IncomingMailServerUseSSL</key> | |
| <true/> | |
| <key>IncomingMailServerUsername</key> | |
| <string>$upn\$conUsername</string> | |
| <key>OutgoingMailServerAuthentication</key> | |
| <string>EmailAuthPassword</string> | |
| <key>OutgoingMailServerHostName</key> | |
| <string>smtp.office365.com</string> | |
| <key>OutgoingMailServerPortNumber</key> | |
| <integer>587</integer> | |
| <key>OutgoingMailServerUseSSL</key> | |
| <true/> | |
| <key>OutgoingMailServerUsername</key> | |
| <string>$upn</string> | |
| <key>OutgoingPasswordSameAsIncomingPassword</key> | |
| <false/> | |
| <key>PayloadDescription</key> | |
| <string>Configures Email settings</string> | |
| <key>PayloadDisplayName</key> | |
| <string>Contoso Confidential</string> | |
| <key>PayloadIdentifier</key> | |
| <string>com.apple.mail.managed.986F43CA-D8EE-481F-BDC1-873CC3729587</string> | |
| <key>PayloadType</key> | |
| <string>com.apple.mail.managed</string> | |
| <key>PayloadUUID</key> | |
| <string>986F43CA-D8EE-481F-BDC1-873CC3729587</string> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>SMIMEEnablePerMessageSwitch</key> | |
| <false/> | |
| <key>SMIMEEnabled</key> | |
| <false/> | |
| <key>SMIMEEncryptionEnabled</key> | |
| <false/> | |
| <key>SMIMESigningEnabled</key> | |
| <false/> | |
| <key>allowMailDrop</key> | |
| <false/> | |
| <key>disableMailRecentsSyncing</key> | |
| <false/> | |
| </dict> | |
| </array> | |
| <key>PayloadDisplayName</key> | |
| <string>Untitled</string> | |
| <key>PayloadIdentifier</key> | |
| <string>MacBook-Pro.A07A9EDD-1358-4A3E-BD89-D31978778B3F</string> | |
| <key>PayloadRemovalDisallowed</key> | |
| <false/> | |
| <key>PayloadType</key> | |
| <string>Configuration</string> | |
| <key>PayloadUUID</key> | |
| <string>EF8E9924-D761-4F2F-B13F-E38012DCA40D</string> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| </dict> | |
| </plist> | |
| "@ | |
| #endregion | |
| #region Build JSON Payload (Added by Michael Obernberger) | |
| $bytes = [System.Text.Encoding]::UTF8.GetBytes($xmlPayload) | |
| $encodedPayload =[Convert]::ToBase64String($bytes) | |
| $jsonConfig = @" | |
| { | |
| "@odata.type": "#microsoft.graph.iosCustomConfiguration", | |
| "displayName": "iOS - Confidential $name", | |
| "payloadName": "Confidential - $conUsername", | |
| "payloadFileName": "config.xml", | |
| "payload": "$encodedPayload" | |
| } | |
| "@ | |
| #endregion | |
| Add-DeviceConfigurationPolicy -Json $jsonConfig |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment