-
-
Notifications
You must be signed in to change notification settings - Fork 31
Home
IntuneCD or, Intune Continuous Delivery as it stands for is a Python package that is used to back up, update and document configurations in Intune. It was created with running it from a CI/CD pipeline in mind. Using this approach we get complete history of which configurations have been changed and what setting has been changed.
The main function is to back up configurations from Intune to a Git repository from a DEV environment and if any configurations has changed, push them to PROD Intune environment.
When running IntuneCD in a pipeline with a Git repo, the flow of backing up and updating configurations looks like this:
flowchart LR
A[Change in DEV] --> B[Backup pipeline] --> C[Git repo] --> D{Change Approved?};
D -- Yes --> E[Update pipeline] --> F[PROD];
D -- No --> G[End];
Above, it is assumed that the main branch of the repository is protected so that a Pull Request is required for the changes to be merged into the main branch from the backup pipeline. If the change is approved and merged, the update pipeline will automatically run and push the changed to the PROD environment. If not approved, no change will be pushed.
| Payload | Back up | Update | Document | Create | Remove | Audit | Notes |
|---|---|---|---|---|---|---|---|
| Apple Push Notification | π | π | π | ||||
| Apple Volume Purchase Program tokens | π | π | π | ||||
| Application Configuration Policies | π | π | π | π | π | π | |
| Application Protection Policies | π | π | π | π | π | π | |
| Applications | π | π | π | ||||
| Compliance Policies | π | π | π | π | π | π | |
| Conditional Access | π | π | π | π | π | π | Assignments are not updated currently |
| Device Categories | π | π | π | π | π | π | |
| Device Configurations | π | π | π | π | π | π | For custom macOS and iOS configurations, mobileconfigs are backed up |
| Device Management Settings | π | π* | π | π | Interactive authentication is currently required to update these settings | ||
| Group Policy Configurations | π | π | π | π | π | π | For custom ADMX, the presentation value will not be added when creating the configuration |
| Enrollment profiles | π [^1] | π | π | π [^2] | π [^3] | π | |
| Enrollment Status Page | π | π | π | π | π | ||
| Endpoint Security | π | π | π | π | π | π | Security Baselines Antivirus Disk Encryption Firewall Endpoint Detection and Response Attack Surface Reduction Account Protection |
| Filters | π | π | π | π | π | ||
| Managed Google Play | π | π | π | ||||
| Notification Templates | π | π | π | π | π | π | |
| Proactive Remediation | π | π | π | π | π | π | |
| Partner Connections | π | π | π | Compliance Management Remote Assistance |
|||
| Shell Scripts | π | π | π | π | π | π | |
| Custom Attributes | π | π | π | π | π | π | |
| Powershell Scripts | π | π | π | π | π | π | |
| Settings Catalog Policies | π | π | π | π | π | ||
| Enrollment Configurations | π | π | π | π | π | π | Enrollment platform restrictions Enrollment device limit Windows Hello For Business |
| Windows Driver Updates | π | π | π | π | π | π | |
| Windows Feature Updates | π | π | π | π | π | π | |
| Windows Quality Updates | π | π | π | π | π | π | |
| Roles | π | π | π | π | π | π | Only custom roles are managed |
| Scope Tags | π | π | π | π | π | π | |
| Activation Lock Bypass Codes | π | ||||||
| Custom Compliance Scripts | π | π | π | π | π | π |
[^1]: Only Apple Business Manager and Windows Autopilot profiles are backed up. [^2]: Only Windows Autopilot profiles are created. [^3]: Only Windows Autopilot profiles are removed.
When this tool tries to update configurations, it matches the display name. Therefore, the display name from DEV must match in PROD.
Updating Windows Update Rings configurations is currently not supported, the tool can however create update rings if they don't exist.