ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
046-inventory-sync-button
TenantAtlas/specs/026-custom-compliance-scripts/plan.md
ahmido 602195324b spec/024-additional-intune-types (#28) 
specs for additional intune types

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #28
2026-01-04 02:27:44 +00:00

1.2 KiB
Raw Permalink Blame History

Plan: Custom Compliance Scripts (Windows) (026)

Branch: feat/026-custom-compliance-scripts
Date: 2026-01-04
Input: spec.md

Approach

  1. Confirm Graph contract details:
    • resource: deviceManagement/deviceComplianceScripts (beta)
    • patchable fields vs read-only fields
    • assignment pattern: /deviceComplianceScripts/{id}/assign and /assignments
  2. Add deviceComplianceScript to config/tenantpilot.php (category “Compliance”, risk, restore mode).
  3. Add contract entry to config/graph_contracts.php (resource + assignment endpoints + scope tags support).
  4. Implement snapshot capture:
    • ensure detectionScriptContent is preserved and treated like other scripts (safe display, encode/decode where needed)
  5. Implement restore:
    • sanitize payload via contract
    • ensure detectionScriptContent is encoded as expected by Graph
    • apply assignments via assign action
  6. Add normalizer and targeted tests.

Decisions / Notes

  • Restore mode: default enabled (risk: medium-high) because tenant recovery often depends on these scripts.
  • Use the existing script content display rules (TENANTPILOT_SHOW_SCRIPT_CONTENT, max chars).