From cd73d7e944a5f29e3e8bd02c9b1359d0b6e38bfc Mon Sep 17 00:00:00 2001 From: Ahmed Darrazi Date: Sat, 3 Jan 2026 02:55:35 +0100 Subject: [PATCH] spec: policy types 017 --- .../checklists/requirements.md | 7 +++ .../plan.md | 41 ++++++++++++++ .../spec.md | 47 ++++++++++++++++ .../tasks.md | 56 +++++++++++++++++++ 4 files changed, 151 insertions(+) create mode 100644 specs/017-policy-types-mam-endpoint-security-baselines/checklists/requirements.md create mode 100644 specs/017-policy-types-mam-endpoint-security-baselines/plan.md create mode 100644 specs/017-policy-types-mam-endpoint-security-baselines/spec.md create mode 100644 specs/017-policy-types-mam-endpoint-security-baselines/tasks.md diff --git a/specs/017-policy-types-mam-endpoint-security-baselines/checklists/requirements.md b/specs/017-policy-types-mam-endpoint-security-baselines/checklists/requirements.md new file mode 100644 index 0000000..90a1936 --- /dev/null +++ b/specs/017-policy-types-mam-endpoint-security-baselines/checklists/requirements.md @@ -0,0 +1,7 @@ +# Requirements Checklist (017) + +- [x] Type keys and Graph resources confirmed for App Config Policies. +- [x] Type keys and Graph resources confirmed for Endpoint Security Policies. +- [x] Type keys and Graph resources confirmed for Security Baselines. +- [x] Restore mode decisions documented (enabled vs preview-only) per type. +- [x] Tests planned for sync + backup + preview. diff --git a/specs/017-policy-types-mam-endpoint-security-baselines/plan.md b/specs/017-policy-types-mam-endpoint-security-baselines/plan.md new file mode 100644 index 0000000..0f4d942 --- /dev/null +++ b/specs/017-policy-types-mam-endpoint-security-baselines/plan.md 
@@ -0,0 +1,41 @@ +# Plan: Policy Types (MAM App Config + Endpoint Security Policies + Security Baselines) (017) + +**Branch**: `feat/017-policy-types-mam-endpoint-security-baselines` +**Date**: 2026-01-02 +**Input**: [spec.md](./spec.md) + +## Approach +1. Inventory current supported types (config + graph contracts) and identify gaps. +2. Define new type keys and metadata in `config/tenantpilot.php`. +3. Add graph contracts in `config/graph_contracts.php` (resource, assigns, scope tags, create/update methods). +4. Extend snapshot/capture and restore services as needed (special casing only when required). +5. Add tests for: sync listing + backup capture + restore preview entry. + +## Decisions + +### Type keys + Graph resources +- `mamAppConfiguration` (MAM App Config) + - Graph collection: `deviceAppManagement/targetedManagedAppConfigurations` + - Primary `@odata.type`: `#microsoft.graph.targetedManagedAppConfiguration` +- `endpointSecurityPolicy` (Endpoint Security Policies) + - Graph collection: `deviceManagement/configurationPolicies` + - Primary `@odata.type`: `#microsoft.graph.deviceManagementConfigurationPolicy` + - Classification: configuration policies where the snapshot indicates Endpoint Security via `technologies` and/or `templateReference`. +- `securityBaselinePolicy` (Security Baselines) + - Graph collection: `deviceManagement/configurationPolicies` + - Primary `@odata.type`: `#microsoft.graph.deviceManagementConfigurationPolicy` + - Classification: configuration policies where the snapshot indicates a baseline via `templateReference` (template family/type). + +### Restore modes +- `mamAppConfiguration`: `enabled` (risk: medium-high) +- `endpointSecurityPolicy`: `preview-only` (risk: high) +- `securityBaselinePolicy`: `preview-only` (risk: high) + +### Test plan +- Sync: new types show up with correct labels and do not leak into `settingsCatalogPolicy` / `appProtectionPolicy`. +- Backup: items created and snapshots captured for each new type. 
+- Restore: at minimum, restore preview produces entries; execution remains blocked for preview-only types. + +## Notes +- Default restore mode for security-sensitive types should be conservative (preview-only) unless we already have safe restore semantics. +- Prefer using existing generic graph-contract-driven code paths. diff --git a/specs/017-policy-types-mam-endpoint-security-baselines/spec.md b/specs/017-policy-types-mam-endpoint-security-baselines/spec.md new file mode 100644 index 0000000..293037a --- /dev/null +++ b/specs/017-policy-types-mam-endpoint-security-baselines/spec.md 
@@ -0,0 +1,47 @@ +# Feature Specification: Policy Types (MAM App Config + Endpoint Security Policies + Security Baselines) (017) + +**Feature Branch**: `feat/017-policy-types-mam-endpoint-security-baselines` +**Created**: 2026-01-02 +**Status**: Draft + +## User Scenarios & Testing + +### User Story 1 — MAM App Config backup & restore (Priority: P1) +As an admin, I want Managed App Configuration policies (App Config) to be inventoried, backed up, and restorable, so I can safely manage MAM configurations (Outlook, Teams, Edge, OneDrive, etc.) at scale. + +This includes both: +- App configuration (app-targeted) via `deviceAppManagement/targetedManagedAppConfigurations` +- App configuration (managed device) via `deviceAppManagement/mobileAppConfigurations` + +**Acceptance Scenarios** +1. Given a tenant with App Config policies, when I sync policies, then I can see them in the policy inventory with correct type labels. +2. Given a policy, when I add it to a backup set, then it is captured and a backup item is created. +3. Given a backup item, when I start a restore preview, then I can see a safe preview of changes. + +### User Story 2 — Endpoint Security policies (not only intents) (Priority: P1) +As an admin, I want Endpoint Security policies (Firewall/Defender/ASR/BitLocker etc.) supported, so the Windows security core can be backed up and restored. + +**Acceptance Scenarios** +1. Given Endpoint Security policies exist, sync shows them as their own policy type. +2. Backup captures them successfully. + +### User Story 3 — Security baselines (Priority: P1) +As an admin, I want Security Baselines supported because they are commonly used and are expected in a complete solution. + +**Acceptance Scenarios** +1. Given baseline policies exist, sync shows them. +2. Backup captures them. + +## Requirements + +### Functional Requirements +- **FR-001**: Add support for Managed App Configuration policies. +- **FR-002**: Add support for Endpoint Security policies beyond intents. 
+- **FR-003**: Add support for Security Baselines. +- **FR-004**: Each new type must integrate with: inventory, backup, restore preview, and (where safe) restore execution. +- **FR-005**: Changes must be covered by automated tests. + +## Success Criteria +- **SC-001**: New policy types appear in inventory & picker. +- **SC-002**: Backup/restore preview works for new types. +- **SC-003**: No regressions in existing policy flows. diff --git a/specs/017-policy-types-mam-endpoint-security-baselines/tasks.md b/specs/017-policy-types-mam-endpoint-security-baselines/tasks.md new file mode 100644 index 0000000..a031c80 --- /dev/null +++ b/specs/017-policy-types-mam-endpoint-security-baselines/tasks.md 
@@ -0,0 +1,56 @@ +# Tasks: Policy Types (MAM App Config + Endpoint Security Policies + Security Baselines) (017) + +**Branch**: `feat/017-policy-types-mam-endpoint-security-baselines` +**Date**: 2026-01-02 +**Input**: [spec.md](./spec.md), [plan.md](./plan.md) + +## Phase 1: Setup +- [x] T001 Create spec/plan/tasks and checklist. + +## Phase 2: Inventory & Design +- [x] T002 Inventory existing policy types and identify missing graph resources. +- [x] T003 Decide type keys + restore modes for: app config, endpoint security policies, security baselines. + +## Phase 3: Tests (TDD) +- [x] T004 Add tests for policy sync listing new types (`mamAppConfiguration`, `endpointSecurityPolicy`, `securityBaselinePolicy`). +- [x] T005 Add tests for backup capture creating backup items for new types (`mamAppConfiguration`, `endpointSecurityPolicy`, `securityBaselinePolicy`). +- [x] T006 Add tests for restore preview for new types (at least preview-only for `endpointSecurityPolicy`, `securityBaselinePolicy`). + +## Phase 4: Implementation +- [x] T007 Add new types to `config/tenantpilot.php`. +- [x] T008 Add new graph contracts to `config/graph_contracts.php`. +- [x] T009 Implement any required snapshot/capture/restore handling. + +## Phase 4b: Follow-up (MAM Device App Config) +- [x] T012 Add managed device app configurations (`mobileAppConfigurations`) to supported types + graph contracts + sync test. + +## Phase 5: Verification +- [x] T010 Run targeted tests. +- [x] T011 Run Pint (`./vendor/bin/pint --dirty`). + +## Phase 5b: UI Polish +- [x] T013 Render Enabled/Disabled-like string values as badges in settings views for consistent UI. + +## Phase 4c: Bugfix +- [x] T014 Ensure configuration policy list sync selects `technologies`/`templateReference` so Endpoint Security + Baselines can be classified. + +## Phase 4d: UX Debuggability +- [x] T015 Show per-type sync failures in Policy sync UI so 0-synced cases are actionable. 
+ +## Phase 4e: Bugfix (Graph OData) +- [x] T016 Fix configuration policy list sync `$select` to avoid unsupported `version` field (Graph 400). + +## Phase 4f: Bugfix (Enrollment OData) +- [x] T017 Fix ESP (`windowsEnrollmentStatusPage`) sync filter to avoid Graph 400 "Invalid filter PropertyName". + +## Phase 4g: Bugfix (Endpoint Security Classification) +- [x] T018 Fix endpoint security configuration policies being misclassified as settings catalog when `technologies=mdm`. + +## Phase 4h: Bugfix (Graph Pagination) +- [x] T019 Paginate Graph list responses so Endpoint Security policies on page 2+ are synced. + +## Phase 4i: Feature (Endpoint Security Settings Display) +- [x] T020 Hydrate `configurationPolicies/{id}/settings` for `endpointSecurityPolicy` + `securityBaselinePolicy` snapshots. +- [x] T021 Render Endpoint Security + Baselines via Settings Catalog normalizer/table (diff + UI). +- [x] T022 Prettify Endpoint Security template settings (use `templateReference.templateDisplayName` as fallback category + nicer Firewall rule labels/values). +- [x] T023 Improve Policy General tab cards (template reference summary, badges, readable timestamps).
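Review bot: In `checklists/requirements.md`, the item `- [x] Type keys and Graph resources confirmed for App Config Policies.` is ticked, but the Decisions section of plan.md defines a type key only for `deviceAppManagement/targetedManagedAppConfigurations`; the managed-device variant `deviceAppManagement/mobileAppConfigurations`, which spec.md User Story 1 also puts in scope, has no type key, no `@odata.type` and no restore mode recorded anywhere in this patch (tasks.md T012 only says it was added). Either record the second type key and its restore mode in plan.md before ticking this item, or narrow the item to the targeted-app variant so the checklist matches what was actually decided.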
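Review bot: In `plan.md`, the classification rules for `endpointSecurityPolicy` ("via `technologies` and/or `templateReference`") and `securityBaselinePolicy` ("via `templateReference` (template family/type)") both read from the same `deviceManagement/configurationPolicies` collection with the same `@odata.type`, and neither names concrete field values or a precedence order, so a policy can satisfy both rules or neither and fall through to `settingsCatalogPolicy`; tasks.md T018 already records exactly that misclassification for `technologies=mdm`. Write the predicate down in the Decisions section: which `templateReference` family values map to each type, which check runs first, and what the default is when `templateReference` is absent. The sync test "do not leak into `settingsCatalogPolicy` / `appProtectionPolicy`" cannot be written without it. Separately, the Notes say security-sensitive types default to `preview-only` unless safe restore semantics already exist, yet `mamAppConfiguration` is set to `enabled` with risk `medium-high` without stating those semantics (create vs update against an existing policy, whether assignments and scope tags from the graph contract are restored); record that rationale next to the decision so the exception is deliberate rather than implicit.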
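Review bot: In `spec.md`, User Story 1 scopes App Config to both `deviceAppManagement/targetedManagedAppConfigurations` and `deviceAppManagement/mobileAppConfigurations`, but FR-001 ("Add support for Managed App Configuration policies") and the type keys in plan.md cover only the targeted (MAM) variant, so the spec and plan disagree on scope. Either state in FR-001 that both resources are in scope and give the second one its own type key and restore mode, or move `mobileAppConfigurations` out of this story. Also, FR-004 requires every new type to integrate with restore preview and, where safe, restore execution, but the acceptance scenarios for User Story 2 and User Story 3 stop at "Backup captures them successfully." and "Backup captures them."; add a scenario asserting that restore preview produces entries and that execution is blocked for the `preview-only` types, so FR-004 and SC-002 are testable from the spec rather than only from plan.md.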
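Review bot: In `tasks.md`, the bugfix tasks T014 and T016 through T019 (missing `technologies`/`templateReference` in the list `$select`, the unsupported `version` field, the ESP filter, the `technologies=mdm` misclassification, and missing pagination) each describe a Graph sync defect, but none has a matching entry under "Phase 3: Tests (TDD)", so nothing in the task list guards against regressing them. Add a test task per fix: a multi-page list fixture for T019, a `configurationPolicies` fixture carrying `technologies=mdm` plus an endpoint-security `templateReference` for T018, and an assertion on the exact `$select` fields for T014/T016. T019 in particular reads as a general list-sync defect rather than an Endpoint Security one: if list responses were not paginated, any type whose collection exceeded one page was silently truncated, so the test should exercise the generic graph-contract list path, not only `endpointSecurityPolicy`. Finally, T017 (`windowsEnrollmentStatusPage` filter) is outside FR-001 to FR-003; either reference the spec it belongs to or split it into its own change so `SC-003: No regressions in existing policy flows` stays attributable to this feature.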