IntuneDeviceFeaturesConfigurationPolicyIOS

Parameters

Parameter Attribute DataType Description Allowed Values
Id Write String Id of the Intune policy.
DisplayName Key String Display name of the Intune policy.
Description Write String Description of the Intune policy.
Assignments Write MSFT_DeviceManagementConfigurationPolicyAssignments[] Represents the assignment to the Intune policy.
Ensure Write String Present ensures the policy exists, absent ensures it is removed. Present, Absent
Credential Write PSCredential Credentials of the Intune Admin
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret Write PSCredential Secret of the Azure Active Directory tenant used for authentication.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
ManagedIdentity Write Boolean Managed ID being used for authentication.
AccessTokens Write StringArray[] Access token used for authentication.
RoleScopeTagIds Write StringArray[] List of Scope Tags for this Entity instance. Inherited from deviceConfiguration.
DeviceManagementApplicabilityRuleOsEdition Write MSFT_deviceManagementApplicabilityRuleOsEdition[] The OS edition applicability for this Policy. Inherited from deviceConfiguration.
DeviceManagementApplicabilityRuleOsVersion Write MSFT_deviceManagementApplicabilityRuleOsVersion[] The OS version applicability rule for this Policy. Inherited from deviceConfiguration.
DeviceManagementApplicabilityRuleDeviceMode Write MSFT_deviceManagementApplicabilityRuleDeviceMode[] The device mode applicability rule for this Policy. Inherited from deviceConfiguration.
AirPrintDestinations Write MSFT_airPrintDestination[] An array of AirPrint printers that should always be shown.
AssetTagTemplate Write String Asset tag information for the device, displayed on the login window and lock screen.
ContentFilterSettings Write MSFT_iosWebContentFilterSpecificWebsitesAccess[] Gets or sets iOS Web Content Filter settings, supervised mode only.
LockScreenFootnote Write String A footnote displayed on the login window and lock screen. Available in iOS 9.3.1 and later.
HomeScreenDockIcons Write MSFT_iosHomeScreenApp[] A list of app and folders to appear on the Home Screen Dock. This collection can contain a maximum of 500 elements.
HomeScreenPages Write MSFT_iosHomeScreenItem[] A list of pages on the Home Screen. This collection can contain a maximum of 500 elements.
HomeScreenGridWidth Write UInt32 Gets or sets the number of columns to render when configuring iOS home screen layout settings. If this value is configured, homeScreenGridHeight must be configured as well.
HomeScreenGridHeight Write UInt32 Gets or sets the number of rows to render when configuring iOS home screen layout settings. If this value is configured, homeScreenGridWidth must be configured as well.
NotificationSettings Write MSFT_iosNotificationSettings[] Notification settings for each bundle id. Applicable to devices in supervised mode only (iOS 9.3 and later).
SingleSignOnSettings Write MSFT_iosSingleSignOnSettings[] The Kerberos login settings that enable apps on receiving devices to authenticate smoothly.
WallpaperDisplayLocation Write String A wallpaper display location specifier. Possible values are: notConfigured, lockScreen, homeScreen, lockAndHomeScreens. notConfigured, lockScreen, homeScreen, lockAndHomeScreens
WallpaperImage Write MSFT_mimeContent[] A wallpaper image must be in either PNG or JPEG format. It requires a supervised device with iOS 8 or later version.
IosSingleSignOnExtension Write MSFT_iosSingleSignOnExtension[] Gets or sets a single sign-on extension profile.

MSFT_DeviceManagementConfigurationPolicyAssignments

Parameters

Parameter Attribute DataType Description Allowed Values
dataType Write String The type of the target assignment. #microsoft.graph.groupAssignmentTarget, #microsoft.graph.allLicensedUsersAssignmentTarget, #microsoft.graph.allDevicesAssignmentTarget, #microsoft.graph.exclusionGroupAssignmentTarget, #microsoft.graph.configurationManagerCollectionAssignmentTarget
deviceAndAppManagementAssignmentFilterType Write String The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. none, include, exclude
deviceAndAppManagementAssignmentFilterId Write String The Id of the filter for the target assignment.
groupId Write String The group Id that is the target of the assignment.
groupDisplayName Write String The group Display Name that is the target of the assignment.
collectionId Write String The collection Id that is the target of the assignment.(ConfigMgr)

MSFT_airPrintDestination

Parameters

Parameter Attribute DataType Description Allowed Values
ipAddress Write String The IP Address of the AirPrint destination.
resourcePath Write String The Resource Path associated with the printer. This corresponds to the rp parameter of the _ipps.tcp Bonjour record. For example: printers/Canon_MG5300_series, printers/Xerox_Phaser_7600, ipp/print, Epson_IPP_Printer.
port Write UInt32 The listening port of the AirPrint destination. If this key is not specified, AirPrint will use the default port. Available in iOS 11.0 and later.
forceTls Write Boolean If true, AirPrint connections are secured by Transport Layer Security (TLS). Default is false. Available in iOS 11.0 and later.

MSFT_iosWebContentFilterBase

Parameters

Parameter Attribute DataType Description Allowed Values
url Write String url.
bookmarkFolder Write String bookmarkFolder.
displayName Write String displayName.

MSFT_iosWebContentFilterSpecificWebsitesAccess

Parameters

Parameter Attribute DataType Description Allowed Values
dataType Write String The type of data.
specificWebsitesOnly Write MSFT_iosWebContentFilterBase[] specificWebsitesOnly, embedded instance of iosWebContentFilterBase.
websiteList Write MSFT_iosWebContentFilterBase[] websiteList, embedded instance of iosWebContentFilterBase.
allowedUrls Write StringArray[] allowedUrls.
blockedUrls Write StringArray[] blockedUrls.

MSFT_iosHomeScreenApp

Parameters

Parameter Attribute DataType Description Allowed Values
displayName Write String Name of the app. Inherited from iosHomeScreenItem.
bundleID Write String BundleID of the app if isWebClip is false or the URL of a web clip if isWebClip is true.
isWebClip Write Boolean Is it a website URL or an app

MSFT_iosHomeScreenItem

Parameters

Parameter Attribute DataType Description Allowed Values
icons Write MSFT_iosHomeScreenApp[] A list of apps, folders, and web clips to appear on a page. This collection can contain a maximum of 500 elements.

MSFT_iosNotificationSettings

Parameters

Parameter Attribute DataType Description Allowed Values
bundleID Write String Bundle id of the app to which to apply these notification settings.
appName Write String Application name to be associated with the BundleID.
publisher Write String Publisher to be associated with the BundleID.
enabled Write Boolean Indicates whether notifications are allowed for this app.
showInNotificationCenter Write Boolean Indicates whether notifications can be shown in the notification center.
showOnLockScreen Write Boolean Indicates whether notifications can be shown on the lock screen.
alertType Write String Indicates the type of alert for notifications for this app. Possible values are: deviceDefault, banner, modal, none. deviceDefault, banner, modal, none
badgesEnabled Write Boolean Indicates whether badges are allowed for this app.
soundsEnabled Write Boolean Indicates whether sounds are allowed for this app.
previewVisibility Write String Overrides the notification preview policy set by the user on an iOS device. Possible values are: notConfigured, alwaysShow, hideWhenLocked, neverShow. notConfigured, alwaysShow, hideWhenLocked, neverShow

MSFT_appListItem

Parameters

Parameter Attribute DataType Description Allowed Values
name Write String The application name.
publisher Write String The publisher of the application.
appStoreUrl Write String The Store URL of the application.
appId Write String The application or bundle identifier of the application.

MSFT_iosSingleSignOnSettings

Parameters

Parameter Attribute DataType Description Allowed Values
allowedAppsList Write MSFT_appListItem[] List of app identifiers that are allowed to use this login. If this field is omitted, the login applies to all applications on the device. This collection can contain a maximum of 500 elements.
allowedUrls Write StringArray[] List of HTTP URLs that must be matched in order to use this login. With iOS 9.0 or later, wildcard characters may be used.
displayName Write String The display name of login settings shown on the receiving device.
kerberosPrincipalName Write String A Kerberos principal name. If not provided, the user is prompted for one during profile installation.
kerberosRealm Write String A Kerberos realm name. Case sensitive.

MSFT_mimeContent

Parameters

Parameter Attribute DataType Description Allowed Values
type Write String Indicates the content mime type.
value Write StringArray[] The byte array that contains the actual content.

MSFT_keyTypedValuePair

Parameters

Parameter Attribute DataType Description Allowed Values
dataType Write String The type of data.
key Write String Key for the custom data entry.
value Write String Value for the custom data entry.

MSFT_iosSingleSignOnExtension

Parameters

Parameter Attribute DataType Description Allowed Values
dataType Write String The type of data.
Realm Write String The case-sensitive realm name for this profile.
Domains Write StringArray[] A list of hosts or domain names for which the app extension performs SSO.
BlockAutomaticLogin Write Boolean Enables or disables Keychain usage.
CacheName Write String The Generic Security Services name of the Kerberos cache to use for this profile.
CredentialBundleIdAccessControlList Write StringArray[] A list of app Bundle IDs allowed to access the Kerberos Ticket Granting Ticket.
DomainRealms Write StringArray[] A list of realms for custom domain-realm mapping. Realms are case sensitive.
IsDefaultRealm Write Boolean When true, this profile's realm will be selected as the default. Necessary if multiple Kerberos-type profiles are configured.
PasswordBlockModification Write Boolean Enables or disables password changes.
PasswordExpirationDays Write UInt32 Overrides the default password expiration in days. For most domains, this value is calculated automatically.
PasswordExpirationNotificationDays Write UInt32 The number of days until the user is notified that their password will expire (default is 15).
UserPrincipalName Write String The principal user name to use for this profile. The realm name does not need to be included.
PasswordRequireActiveDirectoryComplexity Write Boolean Enables or disables whether passwords must meet Active Directory's complexity requirements.
PasswordPreviousPasswordBlockCount Write UInt32 The number of previous passwords to block.
PasswordMinimumLength Write UInt32 The minimum length of a password.
PasswordMinimumAgeDays Write UInt32 The minimum number of days until a user can change their password again.
PasswordRequirementsDescription Write String A description of the password complexity requirements.
RequireUserPresence Write Boolean Whether to require authentication via Touch ID, Face ID, or a passcode to access the keychain entry.
ActiveDirectorySiteCode Write String The Active Directory site.
PasswordEnableLocalSync Write Boolean Enables or disables password syncing. This won't affect users logged in with a mobile account on macOS.
BlockActiveDirectorySiteAutoDiscovery Write Boolean Enables or disables whether the Kerberos extension can automatically determine its site name.
PasswordChangeUrl Write String The URL that the user will be sent to when they initiate a password change.
SignInHelpText Write String Text displayed to the user at the Kerberos sign-in window. Available for devices running iOS and iPadOS versions 14 and later.
ManagedAppsInBundleIdACLIncluded Write Boolean When set to True, the Kerberos extension allows managed apps, and any apps entered with the app bundle ID to access the credential. When set to False, the Kerberos extension allows all apps to access the credential. Available for devices running iOS and iPadOS versions 14 and later.
EnableSharedDeviceMode Write Boolean Enables or disables shared device mode.
BundleIdAccessControlList Write StringArray[] An optional list of additional bundle IDs allowed to use the AAD extension for single sign-on.
Configurations Write MSFT_keyTypedValuePair[] Gets or sets a list of typed key-value pairs used to configure Credential-type profiles. This collection can contain a maximum of 500 elements.
ExtensionIdentifier Write String Gets or sets the bundle ID of the app extension that performs SSO for the specified URLs.
TeamIdentifier Write String Gets or sets the team ID of the app extension that performs SSO for the specified URLs.
urlPrefixes Write StringArray[] One or more URL prefixes of identity providers on whose behalf the app extension performs single sign-on. URLs must begin with http:// or https://. All URL prefixes must be unique for all profiles.

MSFT_deviceManagementApplicabilityRuleOsEdition

Parameters

Parameter Attribute DataType Description Allowed Values
Name Write String Name for object
OsEditionTypes Write StringArray[] Applicability rule OS edition type
RuleType Write String Applicability Rule type include, exclude

MSFT_deviceManagementApplicabilityRuleOsVersion

Parameters

Parameter Attribute DataType Description Allowed Values
Name Write String Name for object
MinOSVersion Write String Min OS version for Applicability Rule
MaxOSVersion Write String Max OS version for Applicability Rule
RuleType Write String Applicability Rule type include, exclude

MSFT_deviceManagementApplicabilityRuleDeviceMode

Parameters

Parameter Attribute DataType Description Allowed Values
Name Key String Name for object
DeviceMode Write String Applicability rule for device mode standardConfiguration, sModeConfiguration
RuleType Write String Applicability Rule type include, exclude

Description

This resource configures an Intune Device Features Configuration Policy for iOS Device.

Permissions

Microsoft Graph

To authenticate with the Microsoft Graph API, this resource required the following permissions:

Delegated permissions

  • Read

    • Group.Read.All, DeviceManagementConfiguration.Read.All
  • Update

    • Group.Read.All, DeviceManagementConfiguration.ReadWrite.All

Application permissions

  • Read

    • Group.Read.All, DeviceManagementConfiguration.Read.All
  • Update

    • Group.Read.All, DeviceManagementConfiguration.ReadWrite.All

Examples

Example 1

This example creates a new Intune Device Features Configuration Policy for IOS.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    Node localhost
    {
        IntuneDeviceFeaturesConfigurationPolicyIOS "IntuneDeviceFeaturesConfigurationPolicyIOS-FakeStringValue"
        {
            ApplicationId            = $ApplicationId;
            TenantId                 = $TenantId;
            CertificateThumbprint    = $CertificateThumbprint;
            AirPrintDestinations     = @(
                MSFT_airPrintDestination{
                    port = 0
                    resourcePath = 'printers/xerox_Phase'
                    forceTls = $False
                    ipAddress = '1.0.0.1'
                }
            );
            Assignments              = @();
            ContentFilterSettings    = @(
                MSFT_iosWebContentFilterSpecificWebsitesAccess{
                    allowedUrls = @('www.allowed.com')
                    dataType = '#microsoft.graph.iosWebContentFilterAutoFilter'
                    blockedUrls = @('www.blocked.com')
                }
            );
            Description              = "FakeStringValue";
            DisplayName              = "FakeStringValue";
            Ensure                   = "Present";
            HomeScreenDockIcons      = @(
                MSFT_iosHomeScreenApp{
                    bundleID = 'com.apple.store.Jolly'
                    displayName = 'Apple Store'
                    isWebClip = $False
                }
            );
            HomeScreenPages          = @(
                MSFT_iosHomeScreenItem{
                    icons = @(
                        MSFT_iosHomeScreenApp{
                            bundleID = 'com.apple.AppStore'
                            displayName = 'App Store'
                            isWebClip = $False
                        }
                    )

                }
            );
            Id                       = "ab915bca-1234-4b11-8acb-719a771139bc";
            IosSingleSignOnExtension = @(
                MSFT_iosSingleSignOnExtension{
                    extensionIdentifier = 'com.example.sso.credential'
                    dataType = '#microsoft.graph.iosCredentialSingleSignOnExtension'
                    domains = @('example.com')
                    teamIdentifier = '4HMSJJRMAD'
                    realm = 'EXAMPLE.COM'
                }
            );
            NotificationSettings     = @(
                MSFT_iosNotificationSettings{
                    alertType = 'banner'
                    enabled = $True
                    showOnLockScreen = $True
                    badgesEnabled = $True
                    soundsEnabled = $True
                    publisher = 'fakepublisher'
                    bundleID = 'app.id'
                    showInNotificationCenter = $True
                    previewVisibility = 'hideWhenLocked'
                    appName = 'fakeapp'
                }
            );
            SingleSignOnSettings     = @(
                MSFT_iosSingleSignOnSettings{
                    allowedAppsList = @(
                        MSFT_appListItem{
                            appId = 'com.microsoft.companyportal'
                            name = 'Intune Company Portal'
                        }
                    )
                    allowedUrls = @('https://www.fakeurl.com')
                    kerberosRealm = 'fakerealm.com'
                    displayName = 'FakeStringValue'
                    kerberosPrincipalName = 'userPrincipalName'
                }
            );
            WallpaperDisplayLocation = "notConfigured";
        }
    }
}

Example 2

This example creates a new Intune Device Features Configuration Policy for IOS.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    Node localhost
    {
        IntuneDeviceFeaturesConfigurationPolicyIOS "IntuneDeviceFeaturesConfigurationPolicyIOS-FakeStringValue"
        {
            ApplicationId            = $ApplicationId;
            TenantId                 = $TenantId;
            CertificateThumbprint    = $CertificateThumbprint;
            AirPrintDestinations     = @(
                MSFT_airPrintDestination{
                    port = 0
                    resourcePath = 'printers/xerox_Phase'
                    forceTls = $False
                    ipAddress = '1.0.0.1'
                }
            );
            Assignments              = @();
            ContentFilterSettings    = @(
                MSFT_iosWebContentFilterSpecificWebsitesAccess{
                    allowedUrls = @('www.allowed.com')
                    dataType = '#microsoft.graph.iosWebContentFilterAutoFilter'
                    blockedUrls = @('www.blocked.com')
                }
            );
            Description              = "FakeStringValue - NEW VALUE"; #changed
            DisplayName              = "FakeStringValue";
            Ensure                   = "Present";
            HomeScreenDockIcons      = @(
                MSFT_iosHomeScreenApp{
                    bundleID = 'com.apple.store.Jolly'
                    displayName = 'Apple Store'
                    isWebClip = $False
                }
            );
            HomeScreenPages          = @(
                MSFT_iosHomeScreenItem{
                    icons = @(
                        MSFT_iosHomeScreenApp{
                            bundleID = 'com.apple.AppStore'
                            displayName = 'App Store'
                            isWebClip = $False
                        }
                    )

                }
            );
            Id                       = "ab915bca-1234-4b11-8acb-719a771139bc";
            IosSingleSignOnExtension = @(
                MSFT_iosSingleSignOnExtension{
                    extensionIdentifier = 'com.example.sso.credential'
                    dataType = '#microsoft.graph.iosCredentialSingleSignOnExtension'
                    domains = @('example.com')
                    teamIdentifier = '4HMSJJRMAD'
                    realm = 'EXAMPLE.COM'
                }
            );
            NotificationSettings     = @(
                MSFT_iosNotificationSettings{
                    alertType = 'banner'
                    enabled = $True
                    showOnLockScreen = $True
                    badgesEnabled = $True
                    soundsEnabled = $True
                    publisher = 'fakepublisher'
                    bundleID = 'app.id'
                    showInNotificationCenter = $True
                    previewVisibility = 'hideWhenLocked'
                    appName = 'fakeapp'
                }
            );
            SingleSignOnSettings     = @(
                MSFT_iosSingleSignOnSettings{
                    allowedAppsList = @(
                        MSFT_appListItem{
                            appId = 'com.microsoft.companyportal'
                            name = 'Intune Company Portal'
                        }
                    )
                    allowedUrls = @('https://www.fakeurl.com')
                    kerberosRealm = 'fakerealm.com'
                    displayName = 'FakeStringValue'
                    kerberosPrincipalName = 'userPrincipalName'
                }
            );
            WallpaperDisplayLocation = "notConfigured";
        }
    }
}

Example 3

This example creates a new Intune Device Features Configuration Policy for IOS.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    Node localhost
    {
        IntuneDeviceFeaturesConfigurationPolicyIOS "IntuneDeviceFeaturesConfigurationPolicyIOS-FakeStringValue"
        {
            DisplayName              = "FakeStringValue";
            ApplicationId            = $ApplicationId;
            TenantId                 = $TenantId;
            CertificateThumbprint    = $CertificateThumbprint;
            Ensure                   = 'Absent'
        }
    }
}