
Commit a8a64f8

committed
Update to only run compliance part if the toggle was set in the frontend
1 parent a67c910 commit a8a64f8


1 file changed

+58
-71
lines changed


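--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-AddDefenderDeployment.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-AddDefenderDeployment.ps1
@@ -21,43 +21,45 @@ Function Invoke-AddDefenderDeployment {
 $DefenderExclusions = $Request.Body.Exclusion
 $ASR = $Request.Body.ASR
 $EDR = $Request.Body.EDR
-$results = foreach ($tenant in $Tenants) {
+$Results = foreach ($tenant in $Tenants) {
 try {
-$SettingsObject = @{
-id = 'fc780465-2017-40d4-a0c5-307022471b92'
-androidEnabled = [bool]$Compliance.ConnectAndroid
-iosEnabled = [bool]$Compliance.ConnectIos
-windowsEnabled = [bool]$Compliance.Connectwindows
-macEnabled = [bool]$Compliance.ConnectMac
-partnerUnsupportedOsVersionBlocked = [bool]$Compliance.BlockunsupportedOS
-partnerUnresponsivenessThresholdInDays = 7
-allowPartnerToCollectIOSApplicationMetadata = [bool]$Compliance.ConnectIosCompliance
-allowPartnerToCollectIOSPersonalApplicationMetadata = [bool]$Compliance.ConnectIosCompliance
-androidMobileApplicationManagementEnabled = [bool]$Compliance.ConnectAndroidCompliance
-iosMobileApplicationManagementEnabled = [bool]$Compliance.appSync
-microsoftDefenderForEndpointAttachEnabled = [bool]$true
-}
-$SettingsObj = $SettingsObject | ConvertTo-Json -Compress
-try {
-$ExistingSettings = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/fc780465-2017-40d4-a0c5-307022471b92' -tenantid $tenant
+if ($Compliance) {
+$SettingsObject = @{
+id = 'fc780465-2017-40d4-a0c5-307022471b92'
+androidEnabled = [bool]$Compliance.ConnectAndroid
+iosEnabled = [bool]$Compliance.ConnectIos
+windowsEnabled = [bool]$Compliance.Connectwindows
+macEnabled = [bool]$Compliance.ConnectMac
+partnerUnsupportedOsVersionBlocked = [bool]$Compliance.BlockunsupportedOS
+partnerUnresponsivenessThresholdInDays = 7
+allowPartnerToCollectIOSApplicationMetadata = [bool]$Compliance.ConnectIosCompliance
+allowPartnerToCollectIOSPersonalApplicationMetadata = [bool]$Compliance.ConnectIosCompliance
+androidMobileApplicationManagementEnabled = [bool]$Compliance.ConnectAndroidCompliance
+iosMobileApplicationManagementEnabled = [bool]$Compliance.appSync
+microsoftDefenderForEndpointAttachEnabled = [bool]$true
+}
+$SettingsObj = $SettingsObject | ConvertTo-Json -Compress
+try {
+$ExistingSettings = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/fc780465-2017-40d4-a0c5-307022471b92' -tenantid $tenant
 
-# Check if any setting doesn't match
-foreach ($key in $SettingsObject.Keys) {
-if ($ExistingSettings.$key -ne $SettingsObject[$key]) {
-$ExistingSettings = $false
-break
+# Check if any setting doesn't match
+foreach ($key in $SettingsObject.Keys) {
+if ($ExistingSettings.$key -ne $SettingsObject[$key]) {
+$ExistingSettings = $false
+break
+}
 }
+} catch {
+$ExistingSettings = $false
+}
+if ($ExistingSettings) {
+"Defender Intune Configuration already correct and active for $($tenant). Skipping"
+} else {
+$null = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/' -tenantid $tenant -type POST -body $SettingsObj -AsApp $true
+"$($tenant): Successfully set Defender Compliance and Reporting settings. Please remember to enable the Intune Connector in the Defender portal."
 }
-} catch {
-$ExistingSettings = $false
 }
 
-if ($ExistingSettings) {
-"Defender Intune Configuration already correct and active for $($tenant). Skipping"
-} else {
-$null = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/' -tenantid $tenant -type POST -body $SettingsObj -AsApp $true
-"$($tenant): Successfully set Defender Compliance and Reporting settings. Please remember to enable the Intune Connector in the Defender portal."
-}
 
 if ($PolicySettings) {
 $Settings = switch ($PolicySettings) {
@@ -260,76 +262,62 @@ Function Invoke-AddDefenderDeployment {
 }
 }
 # Exclusion Policy Section
-$ExclusionToggle = $Request.Body.showExclusionPolicy
-$ExcludedExtensions = $Request.Body.Exclusion.excludedExtensions
-$ExcludedPaths = $Request.Body.Exclusion.excludedPaths
-$ExcludedProcesses = $Request.Body.Exclusion.excludedProcesses
-$ExclusionAssignTo = $Request.Body.Exclusion.AssignTo
-if ($ExclusionToggle -and $DefenderExclusions) {
-function Escape-ExclusionValue($val) {
-$escaped = $val -replace '\\', '\\\\' # Escape backslashes
-if ($escaped -match ' ' -and -not ($escaped -match '^".*"$')) {
-$escaped = '"' + $escaped + '"'
-}
-return $escaped
-}
-$extArr = @()
-if ($ExcludedExtensions) {
-$extArr = $ExcludedExtensions | Where-Object { $_ -and $_.Trim() } | ForEach-Object {
-@{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = (Escape-ExclusionValue $_) }
+if ($DefenderExclusions) {
+$ExclusionAssignTo = $DefenderExclusions.AssignTo
+if ($DefenderExclusions.excludedExtensions) {
+$ExcludedExtensions = $DefenderExclusions.excludedExtensions | Where-Object { $_ -and $_.Trim() } | ForEach-Object {
+@{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = $_ }
 }
 }
-$pathArr = @()
-if ($ExcludedPaths) {
-$pathArr = $ExcludedPaths | Where-Object { $_ -and $_.Trim() } | ForEach-Object {
-@{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = (Escape-ExclusionValue $_) }
+if ($DefenderExclusions.excludedPaths) {
+$ExcludedPaths = $DefenderExclusions.excludedPaths | Where-Object { $_ -and $_.Trim() } | ForEach-Object {
+@{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = $_ }
 }
 }
-$procArr = @()
-if ($ExcludedProcesses) {
-$procArr = $ExcludedProcesses | Where-Object { $_ -and $_.Trim() } | ForEach-Object {
-@{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = (Escape-ExclusionValue $_) }
+if ($DefenderExclusions.excludedProcesses) {
+$ExcludedProcesses = $DefenderExclusions.excludedProcesses | Where-Object { $_ -and $_.Trim() } | ForEach-Object {
+@{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = $_ }
 }
 }
-$ExclusionSettings = @()
-if ($extArr.Count -gt 0) {
-$ExclusionSettings = $ExclusionSettings + @(@{
+$ExclusionSettings = [System.Collections.Generic.List[System.Object]]::new()
+if ($ExcludedExtensions.Count -gt 0) {
+$ExclusionSettings.Add(@{
 id = '2'
 settingInstance = @{
 '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance'
 settingDefinitionId = 'device_vendor_msft_policy_config_defender_excludedextensions'
 settingInstanceTemplateReference = @{ settingInstanceTemplateId = 'c203725b-17dc-427b-9470-673a2ce9cd5e' }
-simpleSettingCollectionValue = @($extArr)
+simpleSettingCollectionValue = @($ExcludedExtensions)
 }
 })
 }
-if ($pathArr.Count -gt 0) {
-$ExclusionSettings = $ExclusionSettings + @(@{
+if ($ExcludedPaths.Count -gt 0) {
+$ExclusionSettings.Add(@{
 id = '1'
 settingInstance = @{
 '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance'
 settingDefinitionId = 'device_vendor_msft_policy_config_defender_excludedpaths'
 settingInstanceTemplateReference = @{ settingInstanceTemplateId = 'aaf04adc-c639-464f-b4a7-152e784092e8' }
-simpleSettingCollectionValue = @($pathArr)
+simpleSettingCollectionValue = @($ExcludedPaths)
 }
 })
 }
-if ($procArr.Count -gt 0) {
-$ExclusionSettings = $ExclusionSettings + @(@{
+if ($ExcludedProcesses.Count -gt 0) {
+$ExclusionSettings.Add(@{
 id = '0'
 settingInstance = @{
 '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance'
 settingDefinitionId = 'device_vendor_msft_policy_config_defender_excludedprocesses'
 settingInstanceTemplateReference = @{ settingInstanceTemplateId = '96b046ed-f138-4250-9ae0-b0772a93d16f' }
-simpleSettingCollectionValue = @($procArr)
+simpleSettingCollectionValue = @($ExcludedProcesses)
 }
 })
 }
 if ($ExclusionSettings.Count -gt 0) {
 $ExclusionBody = ConvertTo-Json -Depth 15 -Compress -InputObject @{
 name = 'Default AV Exclusion Policy'
 displayName = 'Default AV Exclusion Policy'
-settings = $ExclusionSettings
+settings = @($ExclusionSettings)
 platforms = 'windows10'
 technologies = 'mdm,microsoftSense'
 templateReference = @{
@@ -347,26 +335,25 @@ Function Invoke-AddDefenderDeployment {
 if ($ExclusionAssignTo -and $ExclusionAssignTo -ne 'none') {
 $AssignBody = if ($ExclusionAssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($ExclusionAssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' }
 $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($ExclusionRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody
-Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenant) -message "Assigned Exclusion policy to $($ExclusionAssignTo)" -Sev 'Info'
+Write-LogMessage -headers $Headers -API $APIName -tenant $tenant -message "Assigned Exclusion policy to $($ExclusionAssignTo)" -Sev 'Info'
 }
 "$($tenant): Successfully set Default AV Exclusion Policy settings"
 }
 }
 }
 } catch {
 "Failed to add policy for $($tenant): $($_.Exception.Message)"
-Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenant) -message "Failed adding policy $($DisplayName). Error: $($_.Exception.Message)" -Sev 'Error'
+Write-LogMessage -headers $Headers -API $APIName -tenant $tenant -message "Failed adding policy $($DisplayName). Error: $($_.Exception.Message)" -Sev 'Error'
 continue
 }
 
 }
 
-$body = [pscustomobject]@{'Results' = @($results) }
 
 # Associate values to output bindings by calling 'Push-OutputBinding'.
 Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
 StatusCode = [HttpStatusCode]::OK
-Body = $body
+Body = @{'Results' = @($Results) }
 })
 
 }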
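Review bot: The `showExclusionPolicy` gate is gone from the exclusion section — the new `if ($DefenderExclusions) {` at new line 265 now creates and assigns an AV exclusion policy whenever the request body carries an `Exclusion` object, a weaker condition than the removed `if ($ExclusionToggle -and $DefenderExclusions) {`, so unless the frontend now omits `Exclusion` entirely when the toggle is off, tenants can receive Defender exclusions the operator did not intend to apply; keeping the toggle in the condition, `if ($Request.Body.showExclusionPolicy -and $DefenderExclusions) {`, preserves the previous safeguard. In the same hunk, `$ExcludedExtensions`, `$ExcludedPaths` and `$ExcludedProcesses` are now assigned only inside their `if` blocks, so the later `.Count -gt 0` checks read a variable that was never assigned when the corresponding key is absent (an error under `Set-StrictMode`); restoring the `@()` initialisations the commit dropped avoids that. The same truthiness concern applies to `if ($Compliance) {` in the first hunk, which treats any non-null object, including one whose Connect* flags are all false, as the toggle being set. `Invoke-AddDefenderDeployment` starts and ends outside these hunks.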
