# Tasks: Policy Types (MAM App Config + Endpoint Security Policies + Security Baselines) (017)

**Branch**: `feat/017-policy-types-mam-endpoint-security-baselines`
**Date**: 2026-01-02
**Input**: [spec.md](./spec.md), [plan.md](./plan.md)

## Phase 1: Setup

- [x] T001 Create spec/plan/tasks and checklist.

## Phase 2: Inventory & Design

- [x] T002 Inventory existing policy types and identify missing graph resources.
- [x] T003 Decide type keys + restore modes for: app config, endpoint security policies, security baselines.

## Phase 3: Tests (TDD)

- [x] T004 Add tests for policy sync listing new types (`mamAppConfiguration`, `endpointSecurityPolicy`, `securityBaselinePolicy`).
- [x] T005 Add tests for backup capture creating backup items for new types (`mamAppConfiguration`, `endpointSecurityPolicy`, `securityBaselinePolicy`).
- [x] T006 Add tests for restore preview for new types (at least preview-only for `endpointSecurityPolicy`, `securityBaselinePolicy`).

## Phase 4: Implementation

- [x] T007 Add new types to `config/tenantpilot.php`.
- [x] T008 Add new graph contracts to `config/graph_contracts.php`.
- [x] T009 Implement any required snapshot/capture/restore handling.

## Phase 4b: Follow-up (MAM Device App Config)

- [x] T012 Add managed device app configurations (`mobileAppConfigurations`) to supported types + graph contracts + sync test.

## Phase 5: Verification

- [x] T010 Run targeted tests.
- [x] T011 Run Pint (`./vendor/bin/pint --dirty`).

## Phase 5b: UI Polish

- [x] T013 Render Enabled/Disabled-like string values as badges in settings views for consistent UI.

## Phase 4c: Bugfix

- [x] T014 Ensure configuration policy list sync selects `technologies`/`templateReference` so Endpoint Security + Baselines can be classified.

## Phase 4d: UX Debuggability

- [x] T015 Show per-type sync failures in Policy sync UI so 0-synced cases are actionable.

## Phase 4e: Bugfix (Graph OData)

- [x] T016 Fix configuration policy list sync `$select` to avoid unsupported `version` field (Graph 400).

## Phase 4f: Bugfix (Enrollment OData)

- [x] T017 Fix ESP (`windowsEnrollmentStatusPage`) sync filter to avoid Graph 400 "Invalid filter PropertyName".

## Phase 4g: Bugfix (Endpoint Security Classification)

- [x] T018 Fix endpoint security configuration policies being misclassified as settings catalog when `technologies=mdm`.

## Phase 4h: Bugfix (Graph Pagination)

- [x] T019 Paginate Graph list responses so Endpoint Security policies on page 2+ are synced.

## Phase 4i: Feature (Endpoint Security Settings Display)

- [x] T020 Hydrate `configurationPolicies/{id}/settings` for `endpointSecurityPolicy` + `securityBaselinePolicy` snapshots.
- [x] T021 Render Endpoint Security + Baselines via Settings Catalog normalizer/table (diff + UI).
- [x] T022 Prettify Endpoint Security template settings (use `templateReference.templateDisplayName` as fallback category + nicer Firewall rule labels/values).
- [x] T023 Improve Policy General tab cards (template reference summary, badges, readable timestamps).