NEw tests, not tested

Author: KelvinTegelaar

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1

@@ -198,6 +198,10 @@ function Push-CIPPDBCacheData {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "ExoAcceptedDomains collection failed: $($_.Exception.Message)" -sev Error
         }
 
+        try { Set-CIPPDBCacheIntuneAppProtectionPolicies -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "IntuneAppProtectionPolicies collection failed: $($_.Exception.Message)" -sev Error
+        }
+
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Completed database cache collection for tenant' -sev Info
 
     } catch {

Modules/CIPPCore/Public/Set-CIPPDBCacheIntuneAppProtectionPolicies.ps1

@@ -0,0 +1,39 @@
+function Set-CIPPDBCacheIntuneAppProtectionPolicies {
+    <#
+    .SYNOPSIS
+        Caches Intune App Protection Policies
+
+    .PARAMETER TenantFilter
+        The tenant to cache app protection policies for
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching Intune App Protection Policies' -sev Info
+
+        # iOS Managed App Protection Policies
+        $IosPolicies = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections?$expand=assignments' -tenantid $TenantFilter
+        if ($IosPolicies) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'IntuneIosAppProtectionPolicies' -Data $IosPolicies
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'IntuneIosAppProtectionPolicies' -Data $IosPolicies -Count
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Cached $($IosPolicies.Count) iOS app protection policies" -sev Info
+        }
+        $IosPolicies = $null
+
+        # Android Managed App Protection Policies
+        $AndroidPolicies = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections?$expand=assignments' -tenantid $TenantFilter
+        if ($AndroidPolicies) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'IntuneAndroidAppProtectionPolicies' -Data $AndroidPolicies
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'IntuneAndroidAppProtectionPolicies' -Data $AndroidPolicies -Count
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Cached $($AndroidPolicies.Count) Android app protection policies" -sev Info
+        }
+        $AndroidPolicies = $null
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Failed to cache App Protection Policies: $($_.Exception.Message)" -sev Error
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21865.ps1

@@ -30,8 +30,8 @@ function Invoke-CippTestZTNA21865 {
             foreach ($Location in $NamedLocations) {
                 $Name = $Location.displayName
                 $Type = if ($Location.'@odata.type' -eq '#microsoft.graph.ipNamedLocation') { 'IP-based' } 
-                        elseif ($Location.'@odata.type' -eq '#microsoft.graph.countryNamedLocation') { 'Country-based' } 
-                        else { 'Unknown' }
+                elseif ($Location.'@odata.type' -eq '#microsoft.graph.countryNamedLocation') { 'Country-based' } 
+                else { 'Unknown' }
                 $Trusted = if ($Location.isTrusted) { 'Yes' } else { 'No' }
                 $ResultMarkdown += "| $Name | $Type | $Trusted |`n"
             }

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21964.ps1

@@ -0,0 +1,38 @@
+function Invoke-CippTestZTNA21964 {
+    param($Tenant)
+
+    $TestId = 'ZTNA21964'
+
+    try {
+        $AuthStrengths = New-CIPPDbRequest -TenantFilter $Tenant -Type 'AuthenticationStrengths'
+
+        if (-not $AuthStrengths) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Authentication strength policies not found in database' -Risk 'High' -Name 'Enable protected actions to secure Conditional Access policy creation and changes' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Access control'
+            return
+        }
+
+        $BuiltInStrengths = @($AuthStrengths | Where-Object { $_.policyType -eq 'builtIn' })
+        $CustomStrengths = @($AuthStrengths | Where-Object { $_.policyType -eq 'custom' })
+
+        $ResultMarkdown = "## Authentication Strength Policies`n`n"
+        $ResultMarkdown += "Found $($AuthStrengths.Count) authentication strength policies ($($BuiltInStrengths.Count) built-in, $($CustomStrengths.Count) custom).`n`n"
+
+        if ($CustomStrengths.Count -gt 0) {
+            $ResultMarkdown += "### Custom Authentication Strengths`n`n"
+            $ResultMarkdown += "| Name | Combinations |`n"
+            $ResultMarkdown += "| :--- | :---------- |`n"
+            foreach ($strength in $CustomStrengths) {
+                $combinations = if ($strength.allowedCombinations) { $strength.allowedCombinations.Count } else { 0 }
+                $ResultMarkdown += "| $($strength.displayName) | $combinations methods |`n"
+            }
+        }
+
+        $Status = 'Passed'
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Enable protected actions to secure Conditional Access policy creation and changes' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Access control'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Enable protected actions to secure Conditional Access policy creation and changes' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Access control'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24545.ps1

@@ -0,0 +1,42 @@
+function Invoke-CippTestZTNA24545 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24545'
+
+    try {
+        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntunePolicies'
+
+        if (-not $IntunePolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune policies not found in database' -Risk 'High' -Name 'Compliance policies protect fully managed and corporate-owned Android devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+            return
+        }
+
+        $AndroidPolicies = @($IntunePolicies | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.androidDeviceOwnerCompliancePolicy' })
+        $AssignedPolicies = @($AndroidPolicies | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+
+        $Passed = $AssignedPolicies.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ At least one compliance policy for Android Enterprise Fully managed devices exists and is assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No compliance policy for Android Enterprise exists or none are assigned.`n`n"
+        }
+
+        $ResultMarkdown += "## Android Device Owner Compliance Policies`n`n"
+        $ResultMarkdown += "| Policy Name | Assigned |`n"
+        $ResultMarkdown += "| :---------- | :------- |`n"
+
+        foreach ($policy in $AndroidPolicies) {
+            $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+            $ResultMarkdown += "| $($policy.displayName) | $assigned |`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Compliance policies protect fully managed and corporate-owned Android devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Compliance policies protect fully managed and corporate-owned Android devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24547.ps1

@@ -0,0 +1,42 @@
+function Invoke-CippTestZTNA24547 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24547'
+
+    try {
+        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntunePolicies'
+
+        if (-not $IntunePolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune policies not found in database' -Risk 'High' -Name 'Compliance policies protect personally owned Android devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+            return
+        }
+
+        $AndroidPolicies = @($IntunePolicies | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.androidWorkProfileCompliancePolicy' })
+        $AssignedPolicies = @($AndroidPolicies | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+
+        $Passed = $AssignedPolicies.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ At least one compliance policy for Android Work Profile devices exists and is assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No compliance policy for Android Work Profile exists or none are assigned.`n`n"
+        }
+
+        $ResultMarkdown += "## Android Work Profile Compliance Policies`n`n"
+        $ResultMarkdown += "| Policy Name | Assigned |`n"
+        $ResultMarkdown += "| :---------- | :------- |`n"
+
+        foreach ($policy in $AndroidPolicies) {
+            $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+            $ResultMarkdown += "| $($policy.displayName) | $assigned |`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Compliance policies protect personally owned Android devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Compliance policies protect personally owned Android devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24548.ps1

@@ -0,0 +1,40 @@
+function Invoke-CippTestZTNA24548 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24548'
+
+    try {
+        $IosPolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneIosAppProtectionPolicies'
+
+        if (-not $IosPolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'iOS app protection policies not found in database' -Risk 'High' -Name 'Data on iOS/iPadOS is protected by app protection policies' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Tenant'
+            return
+        }
+
+        $AssignedPolicies = @($IosPolicies | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+        $Passed = $AssignedPolicies.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ At least one iOS app protection policy exists and is assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No iOS app protection policy exists or none are assigned.`n`n"
+        }
+
+        $ResultMarkdown += "## iOS App Protection Policies`n`n"
+        $ResultMarkdown += "| Policy Name | Assigned |`n"
+        $ResultMarkdown += "| :---------- | :------- |`n"
+
+        foreach ($policy in $IosPolicies) {
+            $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+            $ResultMarkdown += "| $($policy.displayName) | $assigned |`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Data on iOS/iPadOS is protected by app protection policies' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Tenant'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Data on iOS/iPadOS is protected by app protection policies' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Tenant'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24549.ps1

@@ -0,0 +1,40 @@
+function Invoke-CippTestZTNA24549 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24549'
+
+    try {
+        $AndroidPolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneAndroidAppProtectionPolicies'
+
+        if (-not $AndroidPolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Android app protection policies not found in database' -Risk 'High' -Name 'Data on Android is protected by app protection policies' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Tenant'
+            return
+        }
+
+        $AssignedPolicies = @($AndroidPolicies | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+        $Passed = $AssignedPolicies.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ At least one Android app protection policy exists and is assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No Android app protection policy exists or none are assigned.`n`n"
+        }
+
+        $ResultMarkdown += "## Android App Protection Policies`n`n"
+        $ResultMarkdown += "| Policy Name | Assigned |`n"
+        $ResultMarkdown += "| :---------- | :------- |`n"
+
+        foreach ($policy in $AndroidPolicies) {
+            $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+            $ResultMarkdown += "| $($policy.displayName) | $assigned |`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Data on Android is protected by app protection policies' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Tenant'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Data on Android is protected by app protection policies' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Tenant'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24553.ps1

@@ -0,0 +1,48 @@
+function Invoke-CippTestZTNA24553 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24553'
+
+    try {
+        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntunePolicies'
+
+        if (-not $IntunePolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune policies not found in database' -Risk 'High' -Name 'Windows Update policies are enforced to reduce risk from unpatched vulnerabilities' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+            return
+        }
+
+        $UpdatePolicies = @($IntunePolicies | Where-Object {
+                $_.'@odata.type' -in @(
+                    '#microsoft.graph.windowsUpdateForBusinessConfiguration',
+                    '#microsoft.graph.windows10CompliancePolicy'
+                )
+            })
+
+        $AssignedPolicies = @($UpdatePolicies | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+        $Passed = $AssignedPolicies.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ Windows Update policies are configured and assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No Windows Update policies are configured or assigned.`n`n"
+        }
+
+        $ResultMarkdown += "## Windows Update Policies`n`n"
+        $ResultMarkdown += "| Policy Name | Type | Assigned |`n"
+        $ResultMarkdown += "| :---------- | :--- | :------- |`n"
+
+        foreach ($policy in $UpdatePolicies) {
+            $type = if ($policy.'@odata.type' -eq '#microsoft.graph.windowsUpdateForBusinessConfiguration') { 'Update' } else { 'Compliance' }
+            $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+            $ResultMarkdown += "| $($policy.displayName) | $type | $assigned |`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Windows Update policies are enforced to reduce risk from unpatched vulnerabilities' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Windows Update policies are enforced to reduce risk from unpatched vulnerabilities' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+    }
+}