updates to tests

Author: KelvinTegelaar

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24541.ps1

@@ -4,7 +4,7 @@ function Invoke-CippTestZTNA24541 {
     $TestId = 'ZTNA24541'
 
     try {
-        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntunePolicies'
+        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneDeviceCompliancePolicies'
 
         if (-not $IntunePolicies) {
             Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune policies not found in database' -Risk 'High' -Name 'Compliance policies protect Windows devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24542.ps1

@@ -4,7 +4,7 @@ function Invoke-CippTestZTNA24542 {
     $TestId = 'ZTNA24542'
 
     try {
-        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntunePolicies'
+        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneDeviceCompliancePolicies'
 
         if (-not $IntunePolicies) {
             Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune policies not found in database' -Risk 'High' -Name 'Compliance policies protect macOS devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24543.ps1

@@ -4,7 +4,7 @@ function Invoke-CippTestZTNA24543 {
     $TestId = 'ZTNA24543'
 
     try {
-        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntunePolicies'
+        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneDeviceCompliancePolicies'
 
         if (-not $IntunePolicies) {
             Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune policies not found in database' -Risk 'High' -Name 'Compliance policies protect iOS/iPadOS devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24545.ps1

@@ -4,7 +4,7 @@ function Invoke-CippTestZTNA24545 {
     $TestId = 'ZTNA24545'
 
     try {
-        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntunePolicies'
+        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneDeviceCompliancePolicies'
 
         if (-not $IntunePolicies) {
             Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune policies not found in database' -Risk 'High' -Name 'Compliance policies protect fully managed and corporate-owned Android devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24547.ps1

@@ -4,7 +4,7 @@ function Invoke-CippTestZTNA24547 {
     $TestId = 'ZTNA24547'
 
     try {
-        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntunePolicies'
+        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneDeviceCompliancePolicies'
 
         if (-not $IntunePolicies) {
             Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune policies not found in database' -Risk 'High' -Name 'Compliance policies protect personally owned Android devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24553.ps1

@@ -4,7 +4,7 @@ function Invoke-CippTestZTNA24553 {
     $TestId = 'ZTNA24553'
 
     try {
-        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntunePolicies'
+        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneDeviceCompliancePolicies'
 
         if (-not $IntunePolicies) {
             Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune policies not found in database' -Risk 'High' -Name 'Windows Update policies are enforced to reduce risk from unpatched vulnerabilities' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24839.ps1

@@ -0,0 +1,47 @@
+function Invoke-CippTestZTNA24839 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24839'
+
+    try {
+        $DeviceConfigs = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneDeviceConfigurations'
+
+        if (-not $DeviceConfigs) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Device configurations not found in database' -Risk 'High' -Name 'Secure Wi-Fi profiles protect iOS devices from unauthorized network access' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Data'
+            return
+        }
+
+        $iOSWifiConfProfiles = @($DeviceConfigs | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.iosWiFiConfiguration' })
+        $CompliantIosWifiConfProfiles = @($iOSWifiConfProfiles | Where-Object { $_.wiFiSecurityType -in @('wpa2Enterprise', 'wpaEnterprise') })
+        $AssignedCompliantProfiles = @($CompliantIosWifiConfProfiles | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+        $Passed = $AssignedCompliantProfiles.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ At least one Enterprise Wi-Fi profile for iOS exists and is assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No Enterprise Wi-Fi profile for iOS exists or none are assigned.`n`n"
+        }
+
+        if ($iOSWifiConfProfiles.Count -gt 0) {
+            $ResultMarkdown += "## iOS WiFi Configuration Profiles`n`n"
+            $ResultMarkdown += "| Policy Name | Wi-Fi Security Type | Assigned |`n"
+            $ResultMarkdown += "| :---------- | :------------------ | :------- |`n"
+
+            foreach ($policy in $iOSWifiConfProfiles) {
+                $securityType = if ($policy.wiFiSecurityType) { $policy.wiFiSecurityType } else { 'Unknown' }
+                $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+                $ResultMarkdown += "| $($policy.displayName) | $securityType | $assigned |`n"
+            }
+        } else {
+            $ResultMarkdown += "No iOS WiFi configuration profiles found.`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Secure Wi-Fi profiles protect iOS devices from unauthorized network access' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Data'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Secure Wi-Fi profiles protect iOS devices from unauthorized network access' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Data'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24840.ps1

@@ -0,0 +1,47 @@
+function Invoke-CippTestZTNA24840 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24840'
+
+    try {
+        $DeviceConfigs = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneDeviceConfigurations'
+
+        if (-not $DeviceConfigs) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Device configurations not found in database' -Risk 'High' -Name 'Secure Wi-Fi profiles protect Android devices from unauthorized network access' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Data'
+            return
+        }
+
+        $AndroidWifiConfProfiles = @($DeviceConfigs | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.androidDeviceOwnerEnterpriseWiFiConfiguration' })
+        $CompliantAndroidWifiConfProfiles = @($AndroidWifiConfProfiles | Where-Object { $_.wiFiSecurityType -eq 'wpaEnterprise' })
+        $AssignedCompliantProfiles = @($CompliantAndroidWifiConfProfiles | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+        $Passed = $AssignedCompliantProfiles.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ At least one Enterprise Wi-Fi profile for android exists and is assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No Enterprise Wi-Fi profile for android exists or none are assigned.`n`n"
+        }
+
+        if ($CompliantAndroidWifiConfProfiles.Count -gt 0) {
+            $ResultMarkdown += "## Android Wi-Fi Configuration Profiles`n`n"
+            $ResultMarkdown += "| Policy Name | Wi-Fi Security Type | Assigned |`n"
+            $ResultMarkdown += "| :---------- | :------------------ | :------- |`n"
+
+            foreach ($policy in $CompliantAndroidWifiConfProfiles) {
+                $securityType = if ($policy.wiFiSecurityType) { $policy.wiFiSecurityType } else { 'Unknown' }
+                $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+                $ResultMarkdown += "| $($policy.displayName) | $securityType | $assigned |`n"
+            }
+        } else {
+            $ResultMarkdown += "No compliant Android Enterprise WiFi configuration profiles found.`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Secure Wi-Fi profiles protect Android devices from unauthorized network access' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Data'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Secure Wi-Fi profiles protect Android devices from unauthorized network access' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Data'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24870.ps1

@@ -0,0 +1,47 @@
+function Invoke-CippTestZTNA24870 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24870'
+
+    try {
+        $DeviceConfigs = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneDeviceConfigurations'
+
+        if (-not $DeviceConfigs) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Device configurations not found in database' -Risk 'High' -Name 'Secure Wi-Fi profiles protect macOS devices from unauthorized network access' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Data'
+            return
+        }
+
+        $MacOSWifiConfProfiles = @($DeviceConfigs | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.macOSWiFiConfiguration' })
+        $CompliantMacOSWifiConfProfiles = @($MacOSWifiConfProfiles | Where-Object { $_.wiFiSecurityType -eq 'wpaEnterprise' })
+        $AssignedCompliantProfiles = @($CompliantMacOSWifiConfProfiles | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+        $Passed = $AssignedCompliantProfiles.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ At least one Enterprise Wi-Fi profile for macOS exists and is assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No Enterprise Wi-Fi profile for macOS exists or none are assigned.`n`n"
+        }
+
+        if ($CompliantMacOSWifiConfProfiles.Count -gt 0) {
+            $ResultMarkdown += "## macOS WiFi Configuration Profiles`n`n"
+            $ResultMarkdown += "| Policy Name | Wi-Fi Security Type | Assigned |`n"
+            $ResultMarkdown += "| :---------- | :------------------ | :------- |`n"
+
+            foreach ($policy in $CompliantMacOSWifiConfProfiles) {
+                $securityType = if ($policy.wiFiSecurityType) { $policy.wiFiSecurityType } else { 'Unknown' }
+                $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+                $ResultMarkdown += "| $($policy.displayName) | $securityType | $assigned |`n"
+            }
+        } else {
+            $ResultMarkdown += "No compliant macOS Enterprise WiFi configuration profiles found.`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Secure Wi-Fi profiles protect macOS devices from unauthorized network access' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Data'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Secure Wi-Fi profiles protect macOS devices from unauthorized network access' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Data'
+    }
+}