Seeking Help with Intune App Control for Business Policy Status

Swahela Mulla 95 Reputation points
2023-11-15T14:29:31.89+00:00

Hello Everyone,

I'm looking for assistance regarding the retrieval of Intune App Control for Business policy device and user status through PowerShell or Microsoft Graph API.

Are there specific PowerShell commands or Microsoft Graph API endpoints available for fetching these details? If anyone has insights or can share relevant documentation, it would be much appreciated.

Thank you for your help!

Best regards,

Swahela Mulla

3 answers

  1. Carlos Solís Salazar 17,886 Reputation points
    2023-11-16T16:35:58.9233333+00:00

    To retrieve Intune App Protection Policy (APP) device and user status through PowerShell or the Microsoft Graph API, you can use the following methods:

    Using Microsoft Graph API

    Microsoft Graph API is a powerful tool for accessing data in Microsoft 365 services including Intune. To fetch Intune App Protection Policy status, you would typically use the following endpoints:

    1. List App Protection Policies:
      • Endpoint: GET /deviceAppManagement/managedAppPolicies
      • This endpoint lists all app protection policies.
    2. Get App Protection Policy Device Status:
      • Endpoint: GET /deviceAppManagement/managedAppPolicies/{policyId}/deviceStatuses
      • This endpoint retrieves the status of devices for a specified app protection policy.
    3. Get App Protection Policy User Status:
      • Endpoint: GET /deviceAppManagement/managedAppPolicies/{policyId}/userStatuses
      • This endpoint retrieves the status of users for a specified app protection policy.

    You will need the appropriate permissions to access these endpoints, such as DeviceManagementApps.Read.All or more specific permissions depending on your requirements.

    To use these endpoints, you first need to authenticate to Microsoft Graph, typically using OAuth 2.0. After authentication, you can make HTTP requests to these endpoints.

    Using PowerShell

    For PowerShell, the primary tool is the Microsoft Graph PowerShell SDK. However, as of my last update in April 2023, direct cmdlets for retrieving Intune App Protection Policy status might not be readily available in the SDK. In such a case, you can use the SDK to authenticate and make custom requests to the Microsoft Graph API endpoints.

    Here's a basic structure of how you might do this:

    1. Install the Microsoft Graph PowerShell SDK (if not already installed):
         Install-Module Microsoft.Graph -Scope CurrentUser
      
    2. Authenticate:
         Connect-MgGraph -Scopes "DeviceManagementApps.Read.All"
      
    3. Make a Custom Request:
         $policyId = "<Your-Policy-ID>"
         $deviceStatuses = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies/$policyId/deviceStatuses"
         $userStatuses = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies/$policyId/userStatuses"
      
      Replace <Your-Policy-ID> with the ID of the specific app protection policy.

    For more detailed information and the latest updates, please refer to the Microsoft Graph API documentation, particularly the sections on Intune and app protection policies: Microsoft Graph API Documentation.

    Accept the answer if the information helped you. This will help us and others in the community as well.

  2. Crystal-MSFT 48,591 Reputation points Microsoft Vendor
    2023-11-20T06:39:43.92+00:00

    @Swahela Mulla, based on my research, I find we can use Get deviceHealthScriptDeviceState to get the Intune App Control for Business policy device status. Here is a link with more details:

    https://learn.microsoft.com/en-us/graph/api/intune-devices-devicehealthscriptdevicestate-get?view=graph-rest-beta

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Nick Eckermann 581 Reputation points
    2023-11-20T14:35:07.6866667+00:00

    You can use the GUI interface to start your Graph lookups and then find the code snippet for what you are looking for in PowerShell.

    Head to the URL that contains the GUI version of the reporting you are looking for. Open up the dev tools and look for the Graph URI it calls when looking up the policy or reporting details. Then you can use Graph Explorer to test the Graph URI and also see the PowerShell equivalent.

    https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-app-control-policy#monitor-app-control-for-business-policies-and-the-managed-installer

    Checking for managed installer status looks for the Health Script Microsoft implements for the managed installer.
    https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts?$expand=assignments,runSummary&$filter=(deviceHealthScriptType%20eq%20%27managedInstallerScript%27)

    Code snippets return the PowerShell option, which will return the health script GUIDs for the managedInstallerScript types.

    Get-MgBetaDeviceManagementDeviceHealthScript -ExpandProperty "assignments,runSummary" -Filter "(deviceHealthScriptType eq 'managedInstallerScript')" 
    

    Once you have the GUID for the managedInstallerScript you are looking to check, you can then run the reporting against the script.

    https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/2972cb31-b9a7-4231-9414-490fd471a1d3/deviceRunStates?$top=40&$expand=managedDevice
    Notice I removed the extra blank filter at the end so that it would return the PowerShell option.

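    $deviceHealthScriptId = "2972cb31-b9a7-4231-9414-490fd471a1d3"  # GUID of the managedInstallerScript, taken from the URI above
    Get-MgBetaDeviceManagementDeviceHealthScriptDeviceRunState -DeviceHealthScriptId $deviceHealthScriptId -Top 40 -ExpandProperty "managedDevice" 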
    

    Viewing the reporting for the other XML policies you have deployed is a bit trickier. I will have to come back to that one later.

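The two-step lookup from the last answer as one script, added here as an example that is not part of any poster's answer or Microsoft's own code. It goes beyond the `$top=40` request by following `@odata.nextLink` so every device is counted. Assumptions: the two scopes requested, the helper name `Get-GraphPagedResult`, and the beta property names `detectionState`, `lastStateUpdateDateTime` and `managedDevice.deviceName`.

```powershell
# Added example. Needs the Microsoft.Graph.Authentication module.
# Scopes are an assumption: check the Graph permissions reference for these beta endpoints.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'DeviceManagementManagedDevices.Read.All'

function Get-GraphPagedResult {
    # Hypothetical helper: emits every item of a Graph collection,
    # following @odata.nextLink until the last page.
    param([Parameter(Mandatory)][string]$Uri)
    $next = $Uri
    while ($next) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $next -OutputType PSObject
        $page.value
        $next = $page.'@odata.nextLink'   # $null on the last page
    }
}

$base = 'https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts'

# Step 1: health scripts of type managedInstallerScript (same filter as in the answer).
$filter  = [uri]::EscapeDataString("deviceHealthScriptType eq 'managedInstallerScript'")
$scripts = @(Get-GraphPagedResult -Uri ('{0}?$filter={1}' -f $base, $filter))

# Step 2: per-device run states for each script, with the managed device expanded.
foreach ($hs in $scripts) {
    $runUri = '{0}/{1}/deviceRunStates?$expand=managedDevice' -f $base, $hs.id
    $states = @(Get-GraphPagedResult -Uri $runUri)

    Write-Host ("{0} ({1}): {2} device(s)" -f $hs.displayName, $hs.id, $states.Count)

    # Count devices per detection state.
    $states | Group-Object -Property detectionState |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'DetectionState'; e = { $_.Name } }, Count |
        Format-Table -AutoSize | Out-String | Write-Host

    # Devices whose state is anything other than 'success', for follow-up.
    $states | Where-Object { $_.detectionState -ne 'success' } |
        Select-Object @{ n = 'Device'; e = { $_.managedDevice.deviceName } },
                      detectionState, lastStateUpdateDateTime |
        Format-Table -AutoSize | Out-String | Write-Host
}
```

These are beta endpoints, so property names and required permissions can change without notice.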
