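<#
.EXTERNALMODULEDEPENDENCIES Microsoft.Graph (v.2.0.0-preview)
.DESCRIPTION
This script monitors Apple token expiration in Intune and checks whether the DEP, VPP and APNS tokens /
certificates are still valid after the specified number of days.
It uses the Microsoft.Graph (v.2.0.0-preview) module to authenticate with the system managed identity of your
Azure Automation Account.
Permissions Required: DeviceManagementServiceConfig.Read.All, DeviceManagementApps.Read.All, Directory.Read.All
.NOTES
Based on the original script of [email protected], https://tech.nicolonsky.ch
Migrated by Florian Obradovic (@volksvertreter) for use with Microsoft.Graph v2 module & Managed System Identities
!!!! Mail-Function is untested and needs to be migrated to work with managed identities: https://learningbydoing.cloud/blog/granting-workload-identities-least-priv-mailbox-access-via-graph/ !!!!
#>
Param()

# Fail the runbook on the first error (e.g. a failed Connect-MgGraph) instead of continuing with empty data.
$ErrorActionPreference = 'Stop'

###############################################################################################
# threshold days before the expiration notification is fired
$notificationTresholdDays = 90

# Microsoft Teams Webhook URI.
# Anyone who holds this URL can post into the channel, so treat it like a credential: prefer an
# encrypted Automation variable, e.g.  $webHookUri = Get-AutomationVariable -Name 'TeamsWebhookUri'
$webHookUri = "https://YOUDROMAIN.webhook.office.com/webhookb2/GUID/IncomingWebhook/GUID"

# Connect to Microsoft Graph using Microsoft.Graph V2 Preview module and system managed identity
# Locally connect with: Connect-MgGraph -ForceRefresh -scopes "DeviceManagementServiceConfig.Read.All,DeviceManagementApps.Read.All,Directory.Read.All"
Connect-MgGraph -Identity

# Get initial domain name to display as tenant name on teams card
$orgDomain = Get-MgDomain | Where-Object { $_.isInitial } | Select-Object -ExpandProperty Id

# Optional mail configuration: leave $null to notify via the Teams webhook instead.
# (Explicitly initialised so the "-not $mailConfig" checks below never depend on an undefined variable.)
$mailConfig = $null
<#
$mailConfig = @{
    SMTPServer = "smtp.office365.com"
    SMTPPort   = "587"
    Sender     = "[email protected]"
    Recipients = @("[email protected]", "[email protected]")
    Header     = "Apple token expiration in Intune for tenant: $orgDomain"
}
#>

if (-not $mailConfig -and [string]::IsNullOrWhiteSpace($webHookUri)) {
    throw 'Neither $mailConfig nor $webHookUri is configured; there is no channel to send notifications to.'
}

# JSON template for teams card message.
# Placeholders (TENANT_DOMAIN, TOKEN_TYPE, TOKEN_NAME, TOKEN_EXPIRATION_DATETIME) sit inside JSON string
# literals and are filled by Expand-NotificationTemplate with JSON-escaped values.
$bodyTemplate = @"
{
    "@type": "MessageCard",
    "@context": "https://schema.org/extensions",
    "summary": "Apple token expiration in Intune",
    "themeColor": "D778D7",
    "title": "Apple token expiration in Intune",
    "sections": [
        {
            "facts": [
                {
                    "name": "Tenant:",
                    "value": "TENANT_DOMAIN"
                },
                {
                    "name": "Token Type:",
                    "value": "TOKEN_TYPE"
                },
                {
                    "name": "Token Name:",
                    "value": "TOKEN_NAME"
                },
                {
                    "name": "Expiration datetime:",
                    "value": "TOKEN_EXPIRATION_DATETIME"
                },
                {
                    "name": "Help URL:",
                    "value": "[Microsoft Docs: Renew iOS certificate and tokens](https://docs.microsoft.com/en-us/intune-education/renew-ios-certificate-token)"
                }
            ],
            "text": "The following Apple token in your Intune Tenant is about to expire:"
        }
    ]
}
"@

# Mail message template (same placeholders, filled with HTML-encoded values)
$mailTemplate = @"
<html>
<body>
<h1>Attention: Apple token expiration in Intune!</h1>
<br>
Please make sure to renew your expired apple token in Intune!
<br>
<br>
<b>Tenant:</b> TENANT_DOMAIN
<br>
<b>Token type:</b> TOKEN_TYPE
<br>
<b>Token Name:</b> TOKEN_NAME
<br>
<b>Expiration Datetime:</b> TOKEN_EXPIRATION_DATETIME <br>
<b>Help URL: <a href="https://docs.microsoft.com/en-us/intune-education/renew-ios-certificate-token">Microsoft Docs</a><br>
<br>
<br/>
</body>
</html>
"@

# Escapes a value for use inside a double-quoted JSON string literal (ConvertTo-Json yields the
# quoted, escaped literal; the surrounding quotes are stripped by position, never by Trim, so a
# trailing escaped quote cannot be damaged).
$jsonEscape = {
    param($s)
    $quoted = ConvertTo-Json -InputObject ([string]$s) -Compress
    $quoted.Substring(1, $quoted.Length - 2)
}

# Escapes a value for use as HTML text.
$htmlEscape = {
    param($s)
    [System.Net.WebUtility]::HtmlEncode([string]$s)
}

# Fills the placeholders of a template, passing every value through $Escape so tenant-supplied
# text (token names, Apple IDs, organisation names) cannot break or inject into the surrounding markup.
function Expand-NotificationTemplate {
    param(
        [string]$Template,
        [hashtable]$Values,
        [scriptblock]$Escape
    )
    $result = $Template
    foreach ($placeholder in $Values.Keys) {
        $escaped = & $Escape ([string]$Values[$placeholder])
        $result = $result.Replace($placeholder, [string]$escaped)
    }
    return $result
}

# Delivers one "about to expire" notification: mail when $mailConfig is set, otherwise the Teams webhook.
# Reads the script-scope variables $mailConfig, $orgDomain, $mailTemplate, $bodyTemplate and $webHookUri.
function Send-ExpirationNotification {
    param(
        [string]$TokenType,
        [string]$TokenName,
        [string]$ExpirationText
    )
    $values = @{
        'TENANT_DOMAIN'             = $orgDomain
        'TOKEN_TYPE'                = $TokenType
        'TOKEN_NAME'                = $TokenName
        'TOKEN_EXPIRATION_DATETIME' = $ExpirationText
    }
    if ($mailConfig) {
        $body = Expand-NotificationTemplate -Template $mailTemplate -Values $values -Escape $htmlEscape
        $creds = Get-AutomationPSCredential -Name $mailConfig.Sender
        Send-MailMessage -UseSsl -From $mailConfig.Sender -To $mailConfig.Recipients -SmtpServer $mailConfig.SMTPServer -Port $mailConfig.SMTPPort -Subject $mailConfig.Header -Body $body -Credential $creds -BodyAsHtml
        return
    }
    $body = Expand-NotificationTemplate -Template $bodyTemplate -Values $values -Escape $jsonEscape
    # Invoke-WebRequest throws on a non-2xx response, which (with $ErrorActionPreference = 'Stop') fails the runbook.
    $null = Invoke-WebRequest -Method Post -Uri $webHookUri -Body $body -ContentType 'application/json' -UseBasicParsing
}

# Logs the token state and sends a notification when its expiry falls inside the threshold window.
# Reads the script-scope variable $notificationTreshold.
function Test-AppleTokenExpiration {
    param(
        [string]$TokenType,
        [string]$TokenName,
        $ExpirationDateTime
    )
    # A missing expiry (e.g. no APNS certificate uploaded yet) must not be reported as "expiring":
    # a DateTime compares greater than $null (which converts to the minimum DateTime), so the
    # original unguarded comparison would have raised a false alert with empty values.
    if ([string]::IsNullOrWhiteSpace([string]$ExpirationDateTime)) {
        Write-Warning "$TokenType '$TokenName': no expiration date returned, skipping."
        return
    }
    # Graph may hand back a DateTime or an ISO 8601 string; the cast handles both.
    $expiry = [datetime]$ExpirationDateTime
    $expiryText = $expiry.ToString('u')
    if ($notificationTreshold -ge $expiry) {
        Write-Output "$TokenType '$TokenName' will expire soon ($expiryText)!"
        Send-ExpirationNotification -TokenType $TokenType -TokenName $TokenName -ExpirationText $expiryText
    }
    else {
        Write-Output "$TokenType '$TokenName' still valid (expires $expiryText)."
    }
}

# Add configured days to current date for threshold comparison
$notificationTreshold = (Get-Date).AddDays($notificationTresholdDays)

# Process Apple push notification certificate and check for expiration
$applePushNotificationCertificate = Get-MgDeviceManagementApplePushNotificationCertificate
Test-AppleTokenExpiration -TokenType 'Apple Push Notification Certificate' `
    -TokenName $applePushNotificationCertificate.appleIdentifier `
    -ExpirationDateTime $applePushNotificationCertificate.expirationDateTime

# Process all Apple VPP tokens and check if they will expire soon
# (the VPP token exposes "appleId", not "appleIdentifier" as the APNS certificate does)
foreach ($appleVppToken in Get-MgDeviceAppManagementVppToken) {
    Test-AppleTokenExpiration -TokenType 'Apple VPP Token' `
        -TokenName "$($appleVppToken.organizationName): $($appleVppToken.appleId)" `
        -ExpirationDateTime $appleVppToken.ExpirationDateTime
}

# Process all Apple DEP tokens (we have to switch to the beta endpoint; the items come back as
# hashtables, hence the raw Graph property names)
$appleDepTokens = (Invoke-MgGraphRequest -Method GET -Uri "beta/deviceManagement/depOnboardingSettings").value
foreach ($appleDepToken in $appleDepTokens) {
    Test-AppleTokenExpiration -TokenType 'Apple DEP Token' `
        -TokenName "$($appleDepToken.tokenName): $($appleDepToken.appleIdentifier)" `
        -ExpirationDateTime $appleDepToken.tokenExpirationDateTime
}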