IntuneAppProtectionPolicyiOS Doesn't accept multiple arguments for TargetedAppManagementLevels #5032

Closed
acmcg opened this issue Sep 11, 2024 · 7 comments · Fixed by #5131 or #5132

acmcg commented Sep 11, 2024

Description of the issue

IntuneAppProtectionPolicyiOS doesn't accept multiple arguments for TargetedAppManagementLevels, which it should, e.g. 'unmanaged,mdm'.

It works if you specify 'unmanaged' or 'mdm', but not when there are multiple items.

Microsoft 365 DSC Version

1.24.731.1

Which workloads are affected

Intune

The DSC configuration

# Generated with Microsoft365DSC version 1.24.731.1
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
)

Configuration config
{
    param (
    )

    $OrganizationName = $ConfigurationData.NonNodeData.OrganizationName

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.24.731.1'

    Node localhost
    {

        # For information on how to use this resource, please refer to:
        # https://github.com/microsoft/Microsoft365DSC/wiki/IntuneAppProtectionPolicyiOS
        IntuneAppProtectionPolicyiOS "IntuneAppProtectionPolicyiOS-ManageApps_Policies"
        {
            AllowedDataStorageLocations                    = @();
            AllowedInboundDataTransferSources              = "allApps";
            AllowedOutboundClipboardSharingExceptionLength = 0;
            AllowedOutboundClipboardSharingLevel           = "managedAppsWithPasteIn";
            AllowedOutboundDataTransferDestinations        = "managedApps";
            AppActionIfDeviceComplianceRequired            = "block";
            AppActionIfIosDeviceModelNotAllowed            = "block";
            AppActionIfMaximumPinRetriesExceeded           = "block";
            AppDataEncryptionType                          = "whenDeviceLocked";
            ApplicationId                                  = $ConfigurationData.NonNodeData.ApplicationId;
            Apps                                           = @("com.microsoft.office.excel","com.microsoft.office.outlook","com.microsoft.office.powerpoint","com.microsoft.office.word","com.microsoft.sharepoint","com.microsoft.skydrive","com.microsoft.skype.teams");
            Assignments                                    = @("db36c061-070c-43ff-a386-9f34caccaa43");
            CertificateThumbprint                          = $ConfigurationData.NonNodeData.CertificateThumbprint;
            ContactSyncBlocked                             = $False;
            CustomBrowserProtocol                          = "";
            DataBackupBlocked                              = $True;
            Description                                    = "Policy to apply to all manage apps";
            DeviceComplianceRequired                       = $True;
            DisableAppPinIfDevicePinIsSet                  = $False;
            DisableProtectionOfManagedOutboundOpenInData   = $False;
            DisplayName                                    = "ManageApps_Policies";
            Ensure                                         = "Present";
            ExcludedGroups                                 = @();
            ExemptedAppProtocols                           = @("Default:tel;telprompt;skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services;");
            FaceIdBlocked                                  = $False;
            FilterOpenInToOnlyManagedApps                  = $False;
            FingerprintBlocked                             = $False;
            Identity                                       = "T_b512958b-a49b-4da8-b1c9-be34b1dbea51";
            ManagedBrowser                                 = "notConfigured";
            ManagedBrowserToOpenLinksRequired              = $True;
            MaximumPinRetries                              = 5;
            MinimumPinLength                               = 6;
            NotificationRestriction                        = "allow";
            OrganizationalCredentialsRequired              = $False;
            PeriodBeforePinReset                           = "00:00:00";
            PeriodOfflineBeforeAccessCheck                 = "12:00:00";
            PeriodOfflineBeforeWipeIsEnforced              = "90.00:00:00";
            PeriodOnlineBeforeAccessCheck                  = "00:30:00";
            PinCharacterSet                                = "alphanumericAndSymbol";
            PinRequired                                    = $True;
            PinRequiredInsteadOfBiometricTimeout           = "00:30:00";
            PrintBlocked                                   = $True;
            ProtectInboundDataFromUnknownSources           = $False;
            SaveAsBlocked                                  = $True;
            SimplePinBlocked                               = $True;
            TargetedAppManagementLevels                    = "unmanaged,mdm";
            TenantId                                       = $OrganizationName;
        }
    }
}

Verbose logs showing the problem

##[error]PSDesiredStateConfiguration\Configuration : At least one of the values 'unmanaged,mdm' is not supported or valid for 
property 'TargetedAppManagementLevels' on class 'IntuneAppProtectionPolicyiOS'. Please specify only supported values: 
unspecified, unmanaged, mdm, androidEnterprise.
At C:\agent\_work\15\s\artefact\intune\IntuneAppProtectionPolicyiOS\export\IntuneAppProtectionPolicyiOS.ps1:6 char:1
+ Configuration config
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnsupportedValueForProperty,Configuration

Environment Information + PowerShell Version

No response

FabienTschanz (Contributor) commented

@acmcg I'm trying to find the appropriate property in the GUI, but unfortunately, I can't find it. Where can I recreate so that this property changes its value?

acmcg (Author) commented Sep 11, 2024

It is managementtype, you can see it is multivalued here: [image] and here: [image]

@acmcg acmcg closed this as completed Sep 11, 2024
@acmcg acmcg reopened this Sep 11, 2024
FabienTschanz (Contributor) commented

@acmcg I am unable to select anything in that dropdown. Do I have to configure some specific settings for it to work? Can you try and create a new policy and configure the same setting there? To me it seems that Microsoft moved this setting to the filter in the assignments, that's why we can't select anything there in new policies.

acmcg (Author) commented Sep 22, 2024

You cannot change the selection (drop down) after deployment. Agreed, it seems to have moved to the assignments. [image]

However, I can still set this parameter using the DSC module, just not as a list. If I used unmanaged, for example, all works fine. [image]

FabienTschanz (Contributor) commented

@acmcg How do I have to configure a new policy so that it shows as assigned to unmanaged devices, just like in your screenshot? Updating something that we can't do anymore in the Intune portal isn't really something we want to do because nobody would use that (simply because they wouldn't know it existed).

acmcg (Author) commented Oct 2, 2024

You can't do this manually now from the portal. To your point above, if we don't support the use of multiple values for 'Device Types' the exports from existing policies are not useful (they cannot be imported).

FabienTschanz (Contributor) commented

@acmcg I opened a Pull Request to address the situation. Checked it on my side, and it's working if you specify the property like TargetedAppManagementLevels = @('unmanaged', 'mdm'). It doesn't work with a single string, unfortunately. If I wanted it to work that way, I would have needed to remove the syntax completion.
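
Added example, not part of the thread and not Microsoft365DSC code: a way to rewrite an existing export that still contains the comma-joined string into the array form mentioned in the last comment, checking each value against the supported list quoted in the error message. The function name `Convert-TargetedAppManagementLevels` and the sample text are assumptions made for illustration.

```powershell
# Supported values, copied from the error message in the issue.
$SupportedLevels = 'unspecified', 'unmanaged', 'mdm', 'androidEnterprise'

function Convert-TargetedAppManagementLevels {   # hypothetical helper name
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string] $ConfigurationText
    )

    # Matches a quoted scalar assignment such as:
    #   TargetedAppManagementLevels = "unmanaged,mdm";
    # Lines that already use @( ... ) do not match and are left alone.
    $pattern = '(?m)^(?<lead>\s*TargetedAppManagementLevels\s*=\s*)' +
               '(?<q>["''])(?<value>[^"'']*)\k<q>(?<tail>\s*;?)'

    [regex]::Replace($ConfigurationText, $pattern, {
        param ($match)

        # Split the joined string into individual, trimmed, non-empty values.
        $levels = @($match.Groups['value'].Value -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ })

        # Refuse to rewrite anything that is not a supported value.
        $invalid = @($levels | Where-Object { $_ -notin $SupportedLevels })
        if ($invalid.Count -gt 0) {
            throw "Unsupported TargetedAppManagementLevels value(s): $($invalid -join ', ')"
        }

        $quoted = ($levels | ForEach-Object { "'$_'" }) -join ', '
        $match.Groups['lead'].Value + "@($quoted)" + $match.Groups['tail'].Value
    })
}

# Constructed sample in the shape of the export shown in the issue.
$sample = @'
            SimplePinBlocked                               = $True;
            TargetedAppManagementLevels                    = "unmanaged,mdm";
            TenantId                                       = $OrganizationName;
'@

Convert-TargetedAppManagementLevels -ConfigurationText $sample
```

Running the helper over an export before compiling it keeps a typo or an unexpected level from being written into the policy unnoticed, since any value outside the supported list stops the rewrite.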
