IntuneAppProtectionPolicyWindows10
Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| AllowedInboundDataTransferSources | Write | String | Indicates the sources from which data is allowed to be transferred. Some possible values are allApps or none. Possible values are: allApps, none. | allApps, none |
| AllowedOutboundClipboardSharingLevel | Write | String | Indicates the level to which the clipboard may be shared across org & non-org resources. Some possible values are anyDestinationAnySource or none. Possible values are: anyDestinationAnySource, none, orgDestinationAnySource, orgDestinationOrgSource, unknownFutureValue. | anyDestinationAnySource, none |
| AllowedOutboundDataTransferDestinations | Write | String | Indicates the destinations to which data is allowed to be transferred. Some possible values are allApps or none. Possible values are: allApps, none. | allApps, none |
| AppActionIfUnableToAuthenticateUser | Write | String | If set, it will specify what action to take in the case where the user is unable to checkin because their authentication token is invalid. This happens when the user is deleted or disabled in AAD. Some possible values are block or wipe. If this property is not set, no action will be taken. Possible values are: block, wipe, warn, blockWhenSettingIsSupported. | block, wipe, warn, blockWhenSettingIsSupported |
| MaximumAllowedDeviceThreatLevel | Write | String | Maximum allowed device threat level, as reported by the Mobile Threat Defense app. Possible values are: notConfigured, secured, low, medium, high. | notConfigured, secured, low, medium, high |
| MaximumRequiredOsVersion | Write | String | Versions greater than the specified version will block the managed app from accessing company data. For example: '8.1.0' or '13.1.1'. | |
| MaximumWarningOsVersion | Write | String | Versions greater than the specified version will result in a warning message in the managed app when accessing company data. For example: '8.1.0' or '13.1.1'. | |
| MaximumWipeOsVersion | Write | String | Versions greater than the specified version will wipe the managed app and the associated company data. For example: '8.1.0' or '13.1.1'. | |
| MinimumRequiredAppVersion | Write | String | Versions less than the specified version will block the managed app from accessing company data. For example: '8.1.0' or '13.1.1'. | |
| MinimumRequiredOsVersion | Write | String | Versions less than the specified version will block the managed app from accessing company data. For example: '8.1.0' or '13.1.1'. | |
| MinimumRequiredSdkVersion | Write | String | Versions less than the specified version will block the managed app from accessing company data. For example: '8.1.0' or '13.1.1'. | |
| MinimumWarningAppVersion | Write | String | Versions less than the specified version will result in a warning message in the managed app when accessing company data. For example: '8.1.0' or '13.1.1'. | |
| MinimumWarningOsVersion | Write | String | Versions less than the specified version will result in a warning message in the managed app when accessing company data. For example: '8.1.0' or '13.1.1'. | |
| MinimumWipeAppVersion | Write | String | Versions less than the specified version will wipe the managed app and the associated company data. For example: '8.1.0' or '13.1.1'. | |
| MinimumWipeOsVersion | Write | String | Versions less than the specified version will wipe the managed app and the associated company data. For example: '8.1.0' or '13.1.1'. | |
| MinimumWipeSdkVersion | Write | String | Versions less than the specified version will wipe the managed app and the associated company data. For example: '8.1.0' or '13.1.1'. | |
| MobileThreatDefenseRemediationAction | Write | String | Determines what action to take if the mobile threat defense threat threshold isn't met. Some possible values are block or wipe. Warn isn't a supported value for this property. Possible values are: block, wipe, warn, blockWhenSettingIsSupported. | block, wipe, warn, blockWhenSettingIsSupported |
| PeriodOfflineBeforeAccessCheck | Write | String | The period after which access is checked when the device is not connected to the internet. For example, PT5M indicates that the interval is 5 minutes in duration. A timespan value of PT0S indicates that access will be blocked immediately when the device is not connected to the internet. | |
| PeriodOfflineBeforeWipeIsEnforced | Write | String | The amount of time an app is allowed to remain disconnected from the internet before all managed data is wiped. For example, P5D indicates that the interval is 5 days in duration. A timespan value of PT0S indicates that managed data will never be wiped when the device is not connected to the internet. | |
| PrintBlocked | Write | Boolean | When TRUE, indicates that printing is blocked from managed apps. When FALSE, indicates that printing is allowed from managed apps. Default value is FALSE. | |
| Description | Write | String | The policy's description. | |
| DisplayName | Key | String | Policy display name. | |
| RoleScopeTagIds | Write | StringArray[] | List of Scope Tags for this Entity instance. | |
| Id | Write | String | The unique identifier for an entity. Read-only. | |
| Apps | Write | StringArray[] | List of IDs representing the Windows apps controlled by this protection policy. | |
| Assignments | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
| Ensure | Write | String | Present ensures the policy exists, absent ensures it is removed. | Present, Absent |
| Credential | Write | PSCredential | Credentials of the Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. | |
MSFT_DeviceManagementConfigurationPolicyAssignments
Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| dataType | Write | String | The type of the target assignment. | #microsoft.graph.cloudPcManagementGroupAssignmentTarget, #microsoft.graph.groupAssignmentTarget, #microsoft.graph.allLicensedUsersAssignmentTarget, #microsoft.graph.allDevicesAssignmentTarget, #microsoft.graph.exclusionGroupAssignmentTarget, #microsoft.graph.configurationManagerCollectionAssignmentTarget |
| deviceAndAppManagementAssignmentFilterType | Write | String | The type of filter of the target assignment, i.e. Exclude or Include. Possible values are: none, include, exclude. | none, include, exclude |
| deviceAndAppManagementAssignmentFilterId | Write | String | The Id of the filter for the target assignment. | |
| deviceAndAppManagementAssignmentFilterDisplayName | Write | String | The display name of the filter for the target assignment. | |
| groupId | Write | String | The group Id that is the target of the assignment. | |
| groupDisplayName | Write | String | The group Display Name that is the target of the assignment. | |
| collectionId | Write | String | The collection Id that is the target of the assignment (ConfigMgr). | |
Description
Intune App Protection Policy for Windows10
Permissions
Microsoft Graph
To authenticate with the Microsoft Graph API, this resource requires the following permissions:
Delegated permissions
- Read
  - DeviceManagementConfiguration.Read.All, DeviceManagementApps.Read.All, Group.Read.All
- Update
  - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementApps.ReadWrite.All, Group.Read.All
Application permissions
- Read
  - DeviceManagementConfiguration.Read.All, DeviceManagementApps.Read.All, Group.Read.All
- Update
  - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementApps.ReadWrite.All, Group.Read.All
Examples
Example 1
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
```powershell
Configuration Example
{
    param
    (
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        # Creates the policy. Authentication uses the parameters declared above.
        IntuneAppProtectionPolicyWindows10 "IntuneAppProtectionPolicyWindows10-IntuneAppProtectionPolicyWindows10_1"
        {
            AllowedInboundDataTransferSources       = "allApps";
            AllowedOutboundClipboardSharingLevel    = "anyDestinationAnySource";
            AllowedOutboundDataTransferDestinations = "allApps";
            AppActionIfUnableToAuthenticateUser     = "wipe";
            ApplicationId                           = $ApplicationId;
            Apps                                    = @("com.microsoft.edge");
            Assignments                             = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = "#microsoft.graph.groupAssignmentTarget"
                    deviceAndAppManagementAssignmentFilterType = "none"
                    groupDisplayName = "Include"
                    groupId = "56ae142c-f960-4436-a445-6b371fc8338b"
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = "#microsoft.graph.exclusionGroupAssignmentTarget"
                    deviceAndAppManagementAssignmentFilterType = "none"
                    groupDisplayName = "Exclude"
                    groupId = "258a1749-8408-4dd0-8028-fab6208a28d7"
                }
            );
            CertificateThumbprint                   = $CertificateThumbprint;
            Description                             = "";
            DisplayName                             = "IntuneAppProtectionPolicyWindows10_1";
            Ensure                                  = "Present";
            MaximumAllowedDeviceThreatLevel         = "secured";
            MaximumRequiredOsVersion                = "12.0.0.0";
            MinimumRequiredSdkVersion               = "1.0.0.0";
            MinimumWarningAppVersion                = "0.0.0";
            MinimumWarningOsVersion                 = "10.0.0.0";
            MobileThreatDefenseRemediationAction    = "block";
            PeriodOfflineBeforeAccessCheck          = "P1D";
            PeriodOfflineBeforeWipeIsEnforced       = "P90D";
            PrintBlocked                            = $False;
            RoleScopeTagIds                         = @("0");
            TenantId                                = $TenantId;
        }
    }
}
```
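
The following review helper is an added example, not part of Microsoft365DSC or the original page: it checks a set of IntuneAppProtectionPolicyWindows10 settings against the value semantics given in the parameter table, using the Example 1 values as input. The function name `Test-AppProtectionSettings` and the two thresholds are assumptions.

```powershell
# Added review helper. Test-AppProtectionSettings and both thresholds are hypothetical,
# not part of Microsoft365DSC; adjust the thresholds to your own requirements.
function Test-AppProtectionSettings {
    param(
        [Parameter(Mandatory)] [hashtable] $Settings,
        [timespan] $MaxOfflineAccess = [timespan]::FromHours(12),
        [timespan] $MaxOfflineWipe   = [timespan]::FromDays(30)
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    # Most permissive documented value for each data-movement setting.
    $permissive = @{
        AllowedInboundDataTransferSources       = 'allApps'
        AllowedOutboundDataTransferDestinations = 'allApps'
        AllowedOutboundClipboardSharingLevel    = 'anyDestinationAnySource'
    }
    foreach ($name in $permissive.Keys) {
        if ($Settings[$name] -eq $permissive[$name]) {
            $findings.Add("$name is '$($permissive[$name])', its most permissive value")
        }
    }
    # PrintBlocked defaults to FALSE, so a missing key also means printing is allowed.
    if (-not $Settings['PrintBlocked']) { $findings.Add('PrintBlocked is not TRUE: printing is allowed') }
    # Unset means no action when the user's token is invalid (deleted or disabled account).
    if (-not $Settings['AppActionIfUnableToAuthenticateUser']) {
        $findings.Add('AppActionIfUnableToAuthenticateUser is unset: no action is taken')
    }
    # Periods are ISO 8601 durations; XmlConvert parses them into TimeSpan values.
    if ($Settings['PeriodOfflineBeforeAccessCheck']) {
        $span = [System.Xml.XmlConvert]::ToTimeSpan($Settings['PeriodOfflineBeforeAccessCheck'])
        if ($span -gt $MaxOfflineAccess) { $findings.Add("Offline access check after $span exceeds $MaxOfflineAccess") }
    }
    if ($Settings['PeriodOfflineBeforeWipeIsEnforced']) {
        $span = [System.Xml.XmlConvert]::ToTimeSpan($Settings['PeriodOfflineBeforeWipeIsEnforced'])
        # PT0S is the special case: managed data is never wiped while offline.
        if ($span -eq [timespan]::Zero) { $findings.Add('Offline wipe is PT0S: managed data is never wiped') }
        elseif ($span -gt $MaxOfflineWipe) { $findings.Add("Offline wipe after $span exceeds $MaxOfflineWipe") }
    }
    return $findings.ToArray()
}

# Settings copied from Example 1 on this page.
$example1 = @{
    AllowedInboundDataTransferSources = 'allApps'; AllowedOutboundDataTransferDestinations = 'allApps'
    AllowedOutboundClipboardSharingLevel = 'anyDestinationAnySource'; PrintBlocked = $false
    AppActionIfUnableToAuthenticateUser = 'wipe'
    PeriodOfflineBeforeAccessCheck = 'P1D'; PeriodOfflineBeforeWipeIsEnforced = 'P90D'
}
Test-AppProtectionSettings -Settings $example1
```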
Example 2
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
```powershell
Configuration Example
{
    param
    (
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        # Updates the existing policy. Authentication uses the parameters declared above.
        IntuneAppProtectionPolicyWindows10 "IntuneAppProtectionPolicyWindows10-IntuneAppProtectionPolicyWindows10_1"
        {
            AllowedInboundDataTransferSources       = "allApps";
            AllowedOutboundClipboardSharingLevel    = "anyDestinationAnySource";
            AllowedOutboundDataTransferDestinations = "allApps";
            AppActionIfUnableToAuthenticateUser     = "wipe";
            ApplicationId                           = $ApplicationId;
            Apps                                    = @("com.microsoft.edge");
            Assignments                             = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = "#microsoft.graph.groupAssignmentTarget"
                    deviceAndAppManagementAssignmentFilterType = "none"
                    groupDisplayName = "Include"
                    groupId = "56ae142c-f960-4436-a445-6b371fc8338b"
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = "#microsoft.graph.exclusionGroupAssignmentTarget"
                    deviceAndAppManagementAssignmentFilterType = "none"
                    groupDisplayName = "Exclude"
                    groupId = "258a1749-8408-4dd0-8028-fab6208a28d7"
                }
            );
            CertificateThumbprint                   = $CertificateThumbprint;
            Description                             = "";
            DisplayName                             = "IntuneAppProtectionPolicyWindows10_1";
            Ensure                                  = "Present";
            MaximumAllowedDeviceThreatLevel         = "secured";
            MaximumRequiredOsVersion                = "12.0.0.0";
            MinimumRequiredSdkVersion               = "1.0.0.0";
            MinimumWarningAppVersion                = "0.0.0";
            MinimumWarningOsVersion                 = "10.0.0.0";
            MobileThreatDefenseRemediationAction    = "block";
            PeriodOfflineBeforeAccessCheck          = "P1D";
            PeriodOfflineBeforeWipeIsEnforced       = "P180D"; # Updated property
            PrintBlocked                            = $False;
            RoleScopeTagIds                         = @("0");
            TenantId                                = $TenantId;
        }
    }
}
```
Example 3
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
```powershell
Configuration Example
{
    param
    (
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        # Removes the policy identified by DisplayName (the resource key).
        IntuneAppProtectionPolicyWindows10 "IntuneAppProtectionPolicyWindows10-IntuneAppProtectionPolicyWindows10_1"
        {
            ApplicationId         = $ApplicationId;
            CertificateThumbprint = $CertificateThumbprint;
            DisplayName           = "IntuneAppProtectionPolicyWindows10_1";
            Ensure                = "Absent";
            TenantId              = $TenantId;
        }
    }
}
```