# Feature Specification: Policy Types (MAM App Config + Endpoint Security Policies + Security Baselines) (017)

**Feature Branch**: `feat/017-policy-types-mam-endpoint-security-baselines`

**Created**: 2026-01-02

**Status**: Draft

## User Scenarios & Testing

### User Story 1 — MAM App Config backup & restore (Priority: P1)

As an admin, I want Managed App Configuration policies (App Config) to be inventoried, backed up, and restorable, so I can safely manage MAM configurations (Outlook, Teams, Edge, OneDrive, etc.) at scale.

This includes both:

- App configuration (app-targeted) via `deviceAppManagement/targetedManagedAppConfigurations`
- App configuration (managed device) via `deviceAppManagement/mobileAppConfigurations`

**Acceptance Scenarios**

1. Given a tenant with App Config policies, when I sync policies, then I can see them in the policy inventory with correct type labels.
2. Given a policy, when I add it to a backup set, then it is captured and a backup item is created.
3. Given a backup item, when I start a restore preview, then I can see a safe preview of changes.

### User Story 2 — Endpoint Security policies (not only intents) (Priority: P1)

As an admin, I want Endpoint Security policies (Firewall/Defender/ASR/BitLocker etc.) supported, so the Windows security core can be backed up and restored.

**Acceptance Scenarios**

1. Given Endpoint Security policies exist, sync shows them as their own policy type.
2. Backup captures them successfully.

### User Story 3 — Security baselines (Priority: P1)

As an admin, I want Security Baselines supported because they are commonly used and are expected in a complete solution.

**Acceptance Scenarios**

1. Given baseline policies exist, sync shows them.
2. Backup captures them.

## Requirements

### Functional Requirements

- **FR-001**: Add support for Managed App Configuration policies.
- **FR-002**: Add support for Endpoint Security policies beyond intents.
- **FR-003**: Add support for Security Baselines.
- **FR-004**: Each new type must integrate with: inventory, backup, restore preview, and (where safe) restore execution.
- **FR-005**: Changes must be covered by automated tests.

## Success Criteria

- **SC-001**: New policy types appear in inventory & picker.
- **SC-002**: Backup/restore preview works for new types.
- **SC-003**: No regressions in existing policy flows.