spec: policy types 017
This commit is contained in:
parent
a8bdfc5a77
commit
cd73d7e944
@ -0,0 +1,7 @@
|
|||||||
|
# Requirements Checklist (017)
|
||||||
|
|
||||||
|
- [x] Type keys and Graph resources confirmed for App Config Policies.
|
||||||
|
- [x] Type keys and Graph resources confirmed for Endpoint Security Policies.
|
||||||
|
- [x] Type keys and Graph resources confirmed for Security Baselines.
|
||||||
|
- [x] Restore mode decisions documented (enabled vs preview-only) per type.
|
||||||
|
- [x] Tests planned for sync + backup + preview.
|
||||||
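Review bot: the App Config item is ticked as "confirmed" but this commit confirms only one of the two Graph resources for it: the plan in this same commit defines `mamAppConfiguration` against `deviceAppManagement/targetedManagedAppConfigurations` only, while the spec's User Story 1 also requires `deviceAppManagement/mobileAppConfigurations`, and the task list defers that to T012 as a follow-up. Either leave the item unticked or split it into two lines (targeted vs managed-device app configuration) so the checklist reflects what was actually decided. The same applies to "Tests planned for sync + backup + preview": the spec's acceptance scenarios for User Stories 2 and 3 stop at backup capture, so the preview part is planned only for User Story 1.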
@ -0,0 +1,41 @@
|
|||||||
|
# Plan: Policy Types (MAM App Config + Endpoint Security Policies + Security Baselines) (017)
|
||||||
|
|
||||||
|
**Branch**: `feat/017-policy-types-mam-endpoint-security-baselines`
|
||||||
|
**Date**: 2026-01-02
|
||||||
|
**Input**: [spec.md](./spec.md)
|
||||||
|
|
||||||
|
## Approach
|
||||||
|
1. Inventory current supported types (config + graph contracts) and identify gaps.
|
||||||
|
2. Define new type keys and metadata in `config/tenantpilot.php`.
|
||||||
|
3. Add graph contracts in `config/graph_contracts.php` (resource, assigns, scope tags, create/update methods).
|
||||||
|
4. Extend snapshot/capture and restore services as needed (special casing only when required).
|
||||||
|
5. Add tests for: sync listing + backup capture + restore preview entry.
|
||||||
|
|
||||||
|
## Decisions
|
||||||
|
|
||||||
|
### Type keys + Graph resources
|
||||||
|
- `mamAppConfiguration` (MAM App Config)
|
||||||
|
- Graph collection: `deviceAppManagement/targetedManagedAppConfigurations`
|
||||||
|
- Primary `@odata.type`: `#microsoft.graph.targetedManagedAppConfiguration`
|
||||||
|
- `endpointSecurityPolicy` (Endpoint Security Policies)
|
||||||
|
- Graph collection: `deviceManagement/configurationPolicies`
|
||||||
|
- Primary `@odata.type`: `#microsoft.graph.deviceManagementConfigurationPolicy`
|
||||||
|
- Classification: configuration policies where the snapshot indicates Endpoint Security via `technologies` and/or `templateReference`.
|
||||||
|
- `securityBaselinePolicy` (Security Baselines)
|
||||||
|
- Graph collection: `deviceManagement/configurationPolicies`
|
||||||
|
- Primary `@odata.type`: `#microsoft.graph.deviceManagementConfigurationPolicy`
|
||||||
|
- Classification: configuration policies where the snapshot indicates a baseline via `templateReference` (template family/type).
|
||||||
|
|
||||||
|
### Restore modes
|
||||||
|
- `mamAppConfiguration`: `enabled` (risk: medium-high)
|
||||||
|
- `endpointSecurityPolicy`: `preview-only` (risk: high)
|
||||||
|
- `securityBaselinePolicy`: `preview-only` (risk: high)
|
||||||
|
|
||||||
|
### Test plan
|
||||||
|
- Sync: new types show up with correct labels and do not leak into `settingsCatalogPolicy` / `appProtectionPolicy`.
|
||||||
|
- Backup: items created and snapshots captured for each new type.
|
||||||
|
- Restore: at minimum, restore preview produces entries; execution remains blocked for preview-only types.
|
||||||
|
|
||||||
|
## Notes
|
||||||
|
- Default restore mode for security-sensitive types should be conservative (preview-only) unless we already have safe restore semantics.
|
||||||
|
- Prefer using existing generic graph-contract-driven code paths.
|
||||||
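Review bot: the classifiers for `endpointSecurityPolicy` and `securityBaselinePolicy` overlap and no precedence is defined. Both types come from the same collection `deviceManagement/configurationPolicies` with the same `@odata.type`; Endpoint Security is detected via `technologies` and/or `templateReference`, baselines via `templateReference` (template family/type), so a baseline that also carries a `technologies` value matches both rules, and a policy that matches neither falls through to `settingsCatalogPolicy`. That fall-through matters for the restore modes in this hunk: the two template-based types are `preview-only` (risk: high), while the restore mode of the `settingsCatalogPolicy` fallback is not stated here, so a misclassified Endpoint Security or baseline policy could escape the preview gate. Spell out the order (baseline template family first, then Endpoint Security, then settings catalog fallback), state that list sync must `$select` `technologies` and `templateReference` or the classifier has nothing to read, and add to the test plan a case where `technologies` is `mdm` but `templateReference` names an Endpoint Security template, asserting the item is not labelled `settingsCatalogPolicy`.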
@ -0,0 +1,47 @@
|
|||||||
|
# Feature Specification: Policy Types (MAM App Config + Endpoint Security Policies + Security Baselines) (017)
|
||||||
|
|
||||||
|
**Feature Branch**: `feat/017-policy-types-mam-endpoint-security-baselines`
|
||||||
|
**Created**: 2026-01-02
|
||||||
|
**Status**: Draft
|
||||||
|
|
||||||
|
## User Scenarios & Testing
|
||||||
|
|
||||||
|
### User Story 1 — MAM App Config backup & restore (Priority: P1)
|
||||||
|
As an admin, I want Managed App Configuration policies (App Config) to be inventoried, backed up, and restorable, so I can safely manage MAM configurations (Outlook, Teams, Edge, OneDrive, etc.) at scale.
|
||||||
|
|
||||||
|
This includes both:
|
||||||
|
- App configuration (app-targeted) via `deviceAppManagement/targetedManagedAppConfigurations`
|
||||||
|
- App configuration (managed device) via `deviceAppManagement/mobileAppConfigurations`
|
||||||
|
|
||||||
|
**Acceptance Scenarios**
|
||||||
|
1. Given a tenant with App Config policies, when I sync policies, then I can see them in the policy inventory with correct type labels.
|
||||||
|
2. Given a policy, when I add it to a backup set, then it is captured and a backup item is created.
|
||||||
|
3. Given a backup item, when I start a restore preview, then I can see a safe preview of changes.
|
||||||
|
|
||||||
|
### User Story 2 — Endpoint Security policies (not only intents) (Priority: P1)
|
||||||
|
As an admin, I want Endpoint Security policies (Firewall/Defender/ASR/BitLocker etc.) supported, so the Windows security core can be backed up and restored.
|
||||||
|
|
||||||
|
**Acceptance Scenarios**
|
||||||
|
1. Given Endpoint Security policies exist, sync shows them as their own policy type.
|
||||||
|
2. Backup captures them successfully.
|
||||||
|
|
||||||
|
### User Story 3 — Security baselines (Priority: P1)
|
||||||
|
As an admin, I want Security Baselines supported because they are commonly used and are expected in a complete solution.
|
||||||
|
|
||||||
|
**Acceptance Scenarios**
|
||||||
|
1. Given baseline policies exist, sync shows them.
|
||||||
|
2. Backup captures them.
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
### Functional Requirements
|
||||||
|
- **FR-001**: Add support for Managed App Configuration policies.
|
||||||
|
- **FR-002**: Add support for Endpoint Security policies beyond intents.
|
||||||
|
- **FR-003**: Add support for Security Baselines.
|
||||||
|
- **FR-004**: Each new type must integrate with: inventory, backup, restore preview, and (where safe) restore execution.
|
||||||
|
- **FR-005**: Changes must be covered by automated tests.
|
||||||
|
|
||||||
|
## Success Criteria
|
||||||
|
- **SC-001**: New policy types appear in inventory & picker.
|
||||||
|
- **SC-002**: Backup/restore preview works for new types.
|
||||||
|
- **SC-003**: No regressions in existing policy flows.
|
||||||
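Review bot: FR-004 requires every new type to integrate with restore preview (and restore execution where safe) and SC-002 claims restore preview works for all new types, but the acceptance scenarios for User Story 2 and User Story 3 stop at "Backup captures them"; only User Story 1 has a restore preview scenario. Add a scenario per story along the lines of "Given a backup item, when I start a restore preview, then I see the preview and, for types without safe restore semantics, execution is refused" so that SC-002 and the "where safe" clause of FR-004 are testable. "Safe preview of changes" in User Story 1 scenario 3 also needs a definition (for example: no write calls to Graph are issued during preview) or it cannot be asserted.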
@ -0,0 +1,56 @@
|
|||||||
|
# Tasks: Policy Types (MAM App Config + Endpoint Security Policies + Security Baselines) (017)
|
||||||
|
|
||||||
|
**Branch**: `feat/017-policy-types-mam-endpoint-security-baselines`
|
||||||
|
**Date**: 2026-01-02
|
||||||
|
**Input**: [spec.md](./spec.md), [plan.md](./plan.md)
|
||||||
|
|
||||||
|
## Phase 1: Setup
|
||||||
|
- [x] T001 Create spec/plan/tasks and checklist.
|
||||||
|
|
||||||
|
## Phase 2: Inventory & Design
|
||||||
|
- [x] T002 Inventory existing policy types and identify missing graph resources.
|
||||||
|
- [x] T003 Decide type keys + restore modes for: app config, endpoint security policies, security baselines.
|
||||||
|
|
||||||
|
## Phase 3: Tests (TDD)
|
||||||
|
- [x] T004 Add tests for policy sync listing new types (`mamAppConfiguration`, `endpointSecurityPolicy`, `securityBaselinePolicy`).
|
||||||
|
- [x] T005 Add tests for backup capture creating backup items for new types (`mamAppConfiguration`, `endpointSecurityPolicy`, `securityBaselinePolicy`).
|
||||||
|
- [x] T006 Add tests for restore preview for new types (at least preview-only for `endpointSecurityPolicy`, `securityBaselinePolicy`).
|
||||||
|
|
||||||
|
## Phase 4: Implementation
|
||||||
|
- [x] T007 Add new types to `config/tenantpilot.php`.
|
||||||
|
- [x] T008 Add new graph contracts to `config/graph_contracts.php`.
|
||||||
|
- [x] T009 Implement any required snapshot/capture/restore handling.
|
||||||
|
|
||||||
|
## Phase 4b: Follow-up (MAM Device App Config)
|
||||||
|
- [x] T012 Add managed device app configurations (`mobileAppConfigurations`) to supported types + graph contracts + sync test.
|
||||||
|
|
||||||
|
## Phase 5: Verification
|
||||||
|
- [x] T010 Run targeted tests.
|
||||||
|
- [x] T011 Run Pint (`./vendor/bin/pint --dirty`).
|
||||||
|
|
||||||
|
## Phase 5b: UI Polish
|
||||||
|
- [x] T013 Render Enabled/Disabled-like string values as badges in settings views for consistent UI.
|
||||||
|
|
||||||
|
## Phase 4c: Bugfix
|
||||||
|
- [x] T014 Ensure configuration policy list sync selects `technologies`/`templateReference` so Endpoint Security + Baselines can be classified.
|
||||||
|
|
||||||
|
## Phase 4d: UX Debuggability
|
||||||
|
- [x] T015 Show per-type sync failures in Policy sync UI so 0-synced cases are actionable.
|
||||||
|
|
||||||
|
## Phase 4e: Bugfix (Graph OData)
|
||||||
|
- [x] T016 Fix configuration policy list sync `$select` to avoid unsupported `version` field (Graph 400).
|
||||||
|
|
||||||
|
## Phase 4f: Bugfix (Enrollment OData)
|
||||||
|
- [x] T017 Fix ESP (`windowsEnrollmentStatusPage`) sync filter to avoid Graph 400 "Invalid filter PropertyName".
|
||||||
|
|
||||||
|
## Phase 4g: Bugfix (Endpoint Security Classification)
|
||||||
|
- [x] T018 Fix endpoint security configuration policies being misclassified as settings catalog when `technologies=mdm`.
|
||||||
|
|
||||||
|
## Phase 4h: Bugfix (Graph Pagination)
|
||||||
|
- [x] T019 Paginate Graph list responses so Endpoint Security policies on page 2+ are synced.
|
||||||
|
|
||||||
|
## Phase 4i: Feature (Endpoint Security Settings Display)
|
||||||
|
- [x] T020 Hydrate `configurationPolicies/{id}/settings` for `endpointSecurityPolicy` + `securityBaselinePolicy` snapshots.
|
||||||
|
- [x] T021 Render Endpoint Security + Baselines via Settings Catalog normalizer/table (diff + UI).
|
||||||
|
- [x] T022 Prettify Endpoint Security template settings (use `templateReference.templateDisplayName` as fallback category + nicer Firewall rule labels/values).
|
||||||
|
- [x] T023 Improve Policy General tab cards (template reference summary, badges, readable timestamps).
|
||||||
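Review bot: T019 (paginate Graph list responses) and T018 (misclassification when `technologies=mdm`) are listed as fixes with no matching test, unlike T004-T006 in the TDD phase. Both are silent-omission bugs for a backup tool: until T019, Endpoint Security policies beyond the first page were simply absent from sync and therefore from backups, and until T018 they were stored under the wrong type and so under the wrong restore mode. Add a test that feeds a faked list response with an `@odata.nextLink` and asserts the second page is synced, and one that feeds a configuration policy with `technologies` set to `mdm` plus an Endpoint Security `templateReference` and asserts the `endpointSecurityPolicy` label. As a style point, Phases 4b through 4i sit after Phase 5 and 5b, which reads as append order; move the Phase 4x sections above Phase 5 so Verification is last. T016 and T017 would also be easier to audit if they named the `$select`/`$filter` lists that now work, since those Graph 400s recur whenever the field lists are edited.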