Micke-K / IntuneManagement

Copy, export, import, delete, document and compare policies and profiles in Intune and Azure with PowerShell script and WPF UI. Import ADMX files and registry settings with ADMX ingestion. View and edit PowerShell script.
MIT License

iOS App Configuration #260

Closed Arne-RFA closed 1 week ago

Arne-RFA commented 2 weeks ago

I see an issue with iOS App Configuration (currently running release 3.9.7)

The "template" (what I export from) and "destination" (where I deploy to) both have the same app (Outlook) deployed via VPP (Volume Purchase Program) for iOS and via Google Managed Play Store for Android (both source and destination using the US store).

With iOS The policy is exported and deployed, but shows "The targeted app no longer exists. You can delete this inactive app configuration policy." and none of the settings are able to be edited, the only option is to delete.

With Android The policy is not deployed Log message shows the below (I have deleted the Request ID and the Activity ID)

Import App Configuration (Device) object Android Enterprise (Fully Managed Device) Outlook
Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/deviceAppManagement/mobileAppConfigurations (Request ID: <deleted>). Status code: BadRequest. Response message: . Response message: An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: <deleted> - Url: https://fef.amsua0102.manage.microsoft.com/AppLifecycle_2408/StatelessAppMetadataFEService/deviceAppManagement/mobileAppConfigurations?api-version=5024-05-15 Exception: The remote server returned an error: (400) Bad Request.

I've found the below that look as if they might be related. https://github.com/Micke-K/IntuneManagement/issues/231 https://github.com/Micke-K/IntuneManagement/issues/255

As an aside from https://github.com/Micke-K/IntuneManagement/issues/231 "anyone" can sign up for Google Enterprise for Intune App deployment, just go to https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/enrollment > Android > Managed Google Play, complete the enrollment (can use Tenant domain email address) and then Managed Google Play apps can be added in Intune.

Micke-K commented 2 weeks ago

Hello,

Did you try the attached file from #255? I attached it in this one as well.

This should fix the Android problem. You will have to export the policy using the attached file as well since this adds additional information to the exported file.

I probably have to do the same for the iOS policies with apps deployed via VPP. Not sure if I can detect that, but it should be possible one way or the other.

Can you upload the iOS policy so I can have a look? Or can you create a dummy iOS policy with Outlook from VPP.

Cheers!

EndpointManager.zip

Arne-RFA commented 2 weeks ago

Hi

Confirmed, the updated EndpointManager.psm1 works perfectly for Android, thanks!

Exported iOS policy with the VPP Outlook selected as below. iOS (Managed Device) Outlook.json

Micke-K commented 2 weeks ago

Hello,

Thank you for the update.

Did you try importing the iOS policy with the new file?

The policy you attached includes the new required property so it could work. Unless I only use the property on Android imports.

Cheers!

Arne-RFA commented 2 weeks ago

iOS still imports, but the policy shows "The targeted app no longer exists. You can delete this inactive app configuration policy."

Micke-K commented 2 weeks ago

Hmm, ok. I'll try to spend some time on it on the weekend.

Cheers!

Arne-RFA commented 2 weeks ago

Thanks!

Micke-K commented 2 weeks ago

Hello,

I'm going through the code. Looks like it should work, so not sure what is happening there.

Can you send the logs of the import? There might be some hints in there.

Cheers!

Arne-RFA commented 1 week ago

Hi,

The "console" output shows

Import objects
Policies with Targeted Apps detected
Adding app target for RFA Policy - iOS (Managed Device) Outlook
WARNING: No Microsoft Outlook application found of type #microsoft.graph.iosStoreApp. 9ada73ad-be33-4691-9da5-29509ea8afcf will not be translated and added to target list
Could not find targeted apps in the evnironment. Verify that they are added. Policy import might fail
Object with name iOS (Managed Device) Outlook already exists. Object will not be imported
Loading App Configuration (Device) objects

CloudAPIPowerShellManagement.log as below (with some names and paths lightly obfuscated to remove user and tenant names etc.).

CloudAPIPowerShellManagement.log

Quite happy to provide unobfuscated via email, but would be difficult in a public GitHub issue.

Looking at the CloudAPIPowerShellManagement.log, while I'm quite sure it is "cosmetic", the OS detection is incorrect: it says "OS: Windows 10 Enterprise multi-session", but it is a W11 AVD.

Arne-RFA commented 1 week ago

For the OS version, the post from OlivTheFrog might be an alternative to lines 95-98 in core.psm1 (dropping the specific comparison that was in the post) https://www.reddit.com/r/PowerShell/comments/15lbb3t/with_powershell_how_can_i_returndisplay_my/
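The mis-reported edition above is a known trap: the `ProductName` value under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion` still reads "Windows 10 ..." on Windows 11 hosts, so a script that logs that string alone will mislabel a Windows 11 AVD session host. The following is an added example (not code from the IntuneManagement project) that keys the name off the build number instead and cross-checks it against the CIM caption; the parameter defaults read the live registry, and the overrides exist only so the logic can be exercised on any machine.

```powershell
# Added example: derive the Windows edition name from the build number rather
# than trusting the registry ProductName string, which was not updated for
# Windows 11 (Windows 11 started at build 22000).
function Get-WindowsOSName {
    [CmdletBinding()]
    param(
        # Defaults read the live values; pass explicit values to test the logic offline.
        [string]$ProductName    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductName,
        [int]   $CurrentBuild   = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild,
        [string]$DisplayVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
    )

    # Only client SKUs carry the stale "Windows 10" prefix; Server names are left alone.
    $name = if ($CurrentBuild -ge 22000) { $ProductName -replace '^Windows 10', 'Windows 11' } else { $ProductName }

    [pscustomobject]@{
        OSName         = $name
        Build          = $CurrentBuild
        DisplayVersion = $DisplayVersion
    }
}

# Offline check with constructed values mimicking a Windows 11 multi-session host:
# ProductName still says "Windows 10", build 22631 identifies it as Windows 11.
Get-WindowsOSName -ProductName 'Windows 10 Enterprise multi-session' -CurrentBuild 22631 -DisplayVersion '23H2'

# Live cross-check: the CIM caption (what Get-ComputerInfo's OsName is based on)
# does report "Microsoft Windows 11 ..." on Windows 11.
(Get-CimInstance -ClassName Win32_OperatingSystem).Caption
```

Logging `Build` alongside the name is the cheaper fix: the build number is unambiguous even when the friendly name is wrong, and it is what support actually needs.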

Micke-K commented 1 week ago

Thank you for that. I might convert it to Get-ComputerInfo instead of reading the registry.

The interesting part though is this:

WARNING: No Microsoft Outlook application found of type #microsoft.graph.iosStoreApp. 9ada73ad-be33-4691-9da5-29509ea8afcf will not be translated and added to target list
Could not find targeted apps in the environment. Verify that they are added. Policy import might fail

It uses this code to find the app.

(Invoke-GraphRequest -Url "/deviceAppManagement/mobileApps?`$filter=displayName eq '$appName'").value

So this will look for an app with the same name. It then filters the result based on object type. In this case: "#microsoft.graph.iosStoreApp".

Based on the code and the error message, this means that it found at least one app with the name but none of the app(s) found was the requested type.

What type is the "Microsoft Outlook" deployed via VPP in the second tenant? View the app info in the tool and then check the @OData.Type property. Also, when you are in the View dialog, click "Load full" and see if the OData.Type changes.

Cheers!
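The lookup described above has two failure modes worth handling explicitly: several apps can share a displayName (here the Android and iOS "Microsoft Outlook"), and the app the policy actually targets can be of a different type than the one assumed (`iosVppApp` rather than `iosStoreApp`). The following is an added example, not the project's own code: it builds the OData filter safely and resolves a targeted app by name and then by type, listing what was actually found when nothing matches. The candidate list is a constructed sample standing in for the `.value` of the Graph call; the ids are placeholders.

```powershell
# Added example (not from IntuneManagement): build the Graph app lookup filter and
# resolve a targeted app by displayName and @odata.type, reporting mismatches.

function New-GraphAppFilter {
    param([Parameter(Mandatory)][string]$DisplayName)
    # OData escapes a single quote inside a string literal by doubling it; the
    # backtick stops PowerShell expanding "$filter" as a variable inside double quotes.
    $literal = $DisplayName -replace "'", "''"
    "/deviceAppManagement/mobileApps?`$filter=displayName eq '$literal'"
}

function Resolve-TargetedApp {
    param(
        [Parameter(Mandatory)][object[]]$Candidates,   # objects with id, displayName, '@odata.type'
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$ODataType
    )

    $byName = @($Candidates | Where-Object { $_.displayName -eq $DisplayName })
    if ($byName.Count -eq 0) {
        Write-Warning "No application named '$DisplayName' found in the target tenant"
        return $null
    }

    # Same name, wrong type: say which types exist so the mismatch is obvious in the log.
    $byType = @($byName | Where-Object { $_.'@odata.type' -eq $ODataType })
    if ($byType.Count -eq 0) {
        $seen = ($byName | ForEach-Object { "$($_.'@odata.type') ($($_.id))" }) -join ', '
        Write-Warning "No '$DisplayName' app of type $ODataType. Found: $seen"
        return $null
    }

    # Two apps of the same name and type cannot be told apart by name; require the id.
    if ($byType.Count -gt 1) {
        Write-Warning "Ambiguous: $($byType.Count) '$DisplayName' apps of type $ODataType; match on id instead"
        return $null
    }

    return $byType[0]
}

# Constructed sample (placeholder ids) standing in for
# (Invoke-GraphRequest -Url (New-GraphAppFilter 'Microsoft Outlook')).value
$apps = @(
    [pscustomobject]@{ id = '11111111-1111-1111-1111-111111111111'; displayName = 'Microsoft Outlook'; '@odata.type' = '#microsoft.graph.androidManagedStoreApp' },
    [pscustomobject]@{ id = '22222222-2222-2222-2222-222222222222'; displayName = 'Microsoft Outlook'; '@odata.type' = '#microsoft.graph.iosVppApp' }
)

New-GraphAppFilter -DisplayName "O'Reilly Reader"   # quote is doubled in the literal

# Expecting a store app where the tenant only has the VPP app: warns and lists both types found.
Resolve-TargetedApp -Candidates $apps -DisplayName 'Microsoft Outlook' -ODataType '#microsoft.graph.iosStoreApp'

# Asking for the type that is actually present returns the single matching object.
Resolve-TargetedApp -Candidates $apps -DisplayName 'Microsoft Outlook' -ODataType '#microsoft.graph.iosVppApp'
```

Recording the app's `@odata.type` and id in the exported policy, as the thread goes on to do, is what lets the import side make this check; a name alone cannot distinguish the VPP, App Store and Managed Google Play copies of the same app.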

Micke-K commented 1 week ago

I also found that the code should not add this information for iOS Configuration policies.

This is the if statement to add the #CustomRefTargetedApps property.

if($obj.'@OData.Type' -eq "#microsoft.graph.androidManagedAppProtection" -or
$obj.'@OData.Type' -eq "#microsoft.graph.androidForWorkMobileAppConfiguration" -or
$obj.'@OData.Type' -eq "#microsoft.graph.androidManagedStoreAppConfiguration")
{
    Code to add the property...
}

I have no clue how the property ended up in the json file.

I created a new file that will add the #CustomRefTargetedApps property for iosMobileAppConfiguration as well during export. I also added additional logging eg each app returned, Name, Id and type.

You can PM me on twitter if you have an account there, @Micke_K_72. We might be able to solve this with the additional logging. I hope it will give some hints on what is going on.

Cheers!

EndpointManager.zip


Arne-RFA commented 1 week ago

Re Outlook application type: within Intune I have Google Managed Play and iOS VPP.

In the tool under Applications, I see two entries for "Microsoft Outlook" one is the iOS version, and the other is (by simple elimination) Android, but if I do an export from the tenant, only the Android one has a .json file, I wonder if this is because they both have the same name, and the iOS export happens before the Android export, which then overwrites?

Checking a different (iOS only) app, the .json shows

"@odata.type":  "#microsoft.graph.iosStoreApp",

I will try with the new one (-:

I do not appear to be able to message you on X, but you should be able to DM me (I @ed you in a post)


Arne-RFA commented 1 week ago

Apologies, what I should have done is export just that Application...

I've removed the date for "largeIcon", and mildly obfuscated vppTokenOrganizationName and vppTokenAppleId, but otherwise is as below

Microsoft Outlook.json

Micke-K commented 1 week ago

The json for the app says the type is:

microsoft.graph.iosVppApp

That is not what it says in the exported policy file. That's probably why it is failing. So the question is then if it has different app type between list and full object API.

Still don't understand how the property got there unless it was by an earlier version I created that didn't have the if statement.

At least we're getting somewhere with this and have some idea what the problem is.

Let's see what it says with the new file. Export the policy again and then retry import in new tenant. Then upload the import part of the log.

Thanks for the help troubleshooting this.

Cheers!

Micke-K commented 1 week ago

If that doesn't work, try this one. Just a quick change that might cause it.

Cheers!

EndpointManager.zip

Arne-RFA commented 1 week ago

/me is an idiot

After seeing again in your post above that the export did not show microsoft.graph.iosVppApp, although I was sure that the App Configuration Profile was for the VPP version, on deleting it and the App Store version of Outlook, then recreating so that it could only be against the App Store version, the import worked...

many apologies for wasting your time.

Micke-K commented 1 week ago

No need to be sorry!

Thank you for helping with testing and troubleshooting the iOS policy. It was definitely not a waste of time.

Cheers!