Resolves assignment filter names when Graph stores filter IDs at assignment root. Tracks assignment fetch success/failure and shows clearer UI states for versions. Adds scope tag fallback display in backup set items. Restored versions now capture applied assignments consistently. Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local> Reviewed-on: #8
79 lines
6.4 KiB
Markdown
# Feature Specification: Device Configuration and Compliance Coverage

**Feature Branch**: `007-device-config-compliance`

**Created**: 2025-12-26

**Status**: Draft

**Input**: Workload list for Intune backup and restore coverage (MVP vs full scope).

## Program Scope Reference (MVP vs Full)

### MVP Scope (Phase 1)

- Device configuration and compliance: administrative templates; settings catalog policies; device configurations (including custom OMA-URI); device compliance policies; assignments.
- Scripts and remediations: PowerShell scripts (Windows); macOS shell scripts (where supported); proactive remediations and assignments.
- Enrollment and Autopilot: Autopilot deployment profiles and assignments; Enrollment Status Page (ESP) if used.
- Update management (Windows): software update rings and assignments.
- Endpoint security: endpoint security configurations (antivirus, firewall, disk encryption, EDR, ASR, account protection) and assignments.
- Tenant administration foundations: assignment filters; scope tags; notification message templates.

### Full Scope (Phase 2+)

- Compliance actions and notifications: actions for noncompliance; compliance notifications and templates.
- Apps and app management: client apps; app protection policies; app configuration policies; assignments; supersedence metadata.
- Enrollment: enrollment restrictions; enrollment notifications; terms and conditions; ADE tokens and profiles.
- Update management: feature update policies; quality update policies; driver update policies; expedite/hotpatch policies.
- Endpoint security: security baselines (Windows security baseline, Microsoft Defender, Microsoft Edge); endpoint privilege management policies.
- Tenant administration: device cleanup rules; RBAC roles and role assignments.
- Connectors and tokens (metadata-only): APNs; VPP tokens; managed Google Play; certificate connectors; remote help settings.
- Inventory / Properties catalog policies (deviceManagement/inventoryPolicies) deferred until required permissions are confirmed.

## Overview

Expand backup and restore coverage for device configuration and compliance workloads, including scripts and remediations. This feature focuses on policy types that are already core to DR and rollback, and builds on existing foundations and assignment mapping capabilities.

## User Scenarios and Testing (mandatory)

### User Story 1 - Backup and Restore Core Configuration Policies (Priority: P1)

As an admin, I want to back up and restore device configuration and compliance policies with their assignments and scope tags, so that a restore reproduces targeting accurately.

**Independent Test**: Select at least one settings catalog policy, one device configuration policy (including an OMA-URI policy), and one device compliance policy. Create a backup with assignments and scope tags enabled. Restore into a tenant with different group IDs and verify assignments are mapped or skipped with clear reasons.

**Acceptance Scenarios**:

1. Given policies with assignments and scope tags, when a backup is captured, then assignments and scope tag metadata are stored alongside the snapshot.
2. Given a restore run with group mapping, when policies are restored, then assignments are applied using mapped group IDs and assignment filters.
3. Given missing mappings, when restore executes, then assignments are skipped and a human-readable reason is recorded.
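One way to implement the mapping and skip-with-reason behaviour these scenarios describe, as an added example that is not the project's own code. It assumes Graph's assignment shape (a `target` object with `groupId` and, for filters, `deviceAndAppManagementAssignmentFilterId`, which the commit message notes some resources return at the assignment root instead), and source-to-target group and filter maps built by the restore run; the assignment records and maps below are constructed for the example.

```python
"""Map backed-up assignments onto a target tenant, recording skip reasons.

Added example for this spec, not code from the project. It assumes the backup
stores each assignment as the Graph assignment object, with the filter ID under
``target`` or (as the commit message describes for some resources) at the
assignment root, and that the restore run carries a group map and an
assignment-filter map from source IDs to target-tenant IDs. All sample data
below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

FILTER_ID_KEY = "deviceAndAppManagementAssignmentFilterId"
FILTER_TYPE_KEY = "deviceAndAppManagementAssignmentFilterType"


@dataclass
class MappedAssignment:
    status: str                     # "Applied" or "Skipped"
    reason: str = ""                # human-readable reason when skipped
    payload: Optional[dict] = None  # assignment body to send when applied


def _read_filter(assignment: dict):
    """Return (filter_id, filter_type) from target, falling back to the assignment root."""
    target = assignment.get("target", {})
    filter_id = target.get(FILTER_ID_KEY) or assignment.get(FILTER_ID_KEY)
    filter_type = target.get(FILTER_TYPE_KEY) or assignment.get(FILTER_TYPE_KEY) or "include"
    return filter_id, filter_type


def map_assignment(assignment: dict, group_map: dict, filter_map: dict) -> MappedAssignment:
    """Rewrite one assignment's group and filter IDs, or skip it with a reason."""
    target = assignment.get("target", {})
    new_target = {"@odata.type": target.get("@odata.type", "")}

    # Group targets (include or exclusion) need a source -> target group mapping;
    # all-devices / all-users targets carry no groupId and pass through.
    if "groupId" in target:
        source_group = target["groupId"]
        if source_group not in group_map:
            return MappedAssignment("Skipped", f"no group mapping for source group {source_group}")
        new_target["groupId"] = group_map[source_group]

    # A filter without a mapping skips the whole assignment; applying it unfiltered
    # would widen targeting in the restored tenant.
    filter_id, filter_type = _read_filter(assignment)
    if filter_id:
        if filter_id not in filter_map:
            return MappedAssignment("Skipped", f"no assignment filter mapping for source filter {filter_id}")
        new_target[FILTER_ID_KEY] = filter_map[filter_id]
        new_target[FILTER_TYPE_KEY] = filter_type

    return MappedAssignment("Applied", payload={"target": new_target})


def map_assignments(assignments, group_map, filter_map):
    """Map every assignment; every one ends as Applied or Skipped with an audit line."""
    results = [map_assignment(a, group_map, filter_map) for a in assignments]
    audit = [f"{r.status}: {r.reason or 'assignment mapped'}" for r in results]
    return results, audit


# Constructed sample: three assignments as captured from a source tenant.
SAMPLE_ASSIGNMENTS = [
    {   # group target with the filter stored under target (the common shape)
        "target": {
            "@odata.type": "#microsoft.graph.groupAssignmentTarget",
            "groupId": "src-group-1",
            FILTER_ID_KEY: "src-filter-1",
            FILTER_TYPE_KEY: "include",
        }
    },
    {   # filter stored at the assignment root, the case the commit message handles
        FILTER_ID_KEY: "src-filter-1",
        FILTER_TYPE_KEY: "exclude",
        "target": {"@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"},
    },
    {   # group that has no mapping in the target tenant
        "target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": "src-group-9"}
    },
]
SAMPLE_GROUP_MAP = {"src-group-1": "dst-group-1"}    # constructed
SAMPLE_FILTER_MAP = {"src-filter-1": "dst-filter-1"}  # constructed

if __name__ == "__main__":
    _, audit_lines = map_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_GROUP_MAP, SAMPLE_FILTER_MAP)
    for line in audit_lines:
        print(line)
```

The skip decisions are deliberate: an unmapped group cannot be targeted at all, and an unmapped filter is treated as a skip rather than applying the assignment without its filter, since that would widen targeting in the restored tenant. Every result carries a status and reason, which is what the audit log and the "no silent failures" success criterion need.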

### User Story 2 - Compliance Actions and Notifications (Priority: P2)

As an admin, I want actions for noncompliance and compliance notification templates to be captured and restored, so that compliance workflows remain intact after restore.

**Independent Test**: Create a compliance policy with scheduled actions and a notification template. Capture a backup including foundations. Restore into a tenant without that template and verify the template is created and referenced correctly.

**Acceptance Scenarios**:

1. Given a compliance policy referencing a notification template, when restore executes, then the template is restored first and the policy references the mapped template ID.
2. Given a missing template and no mapping, when restore executes, then the policy is restored without that action and a skip reason is recorded.
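The template-first ordering and reference remapping in these two scenarios, as an added example that is not the project's own code. It assumes the Graph shapes for notification message templates (an `id` and `displayName`) and for compliance policies (`scheduledActionsForRule[].scheduledActionConfigurations[]` entries with `actionType` and `notificationTemplateId`), and takes the template-creation call as a caller-supplied function; `fake_create_template` is a hypothetical stand-in for that call, and the templates and policy are constructed.

```python
"""Restore compliance notification templates before the policies that reference them.

Added example for this spec, not code from the project. It assumes the backup
holds templates and compliance policies in their Graph shapes and that creating
a template in the target tenant is done by a caller-supplied function that
returns the new template ID. Sample data is constructed.
"""
from typing import Callable


def restore_templates(templates, create_template: Callable[[dict], str]) -> dict:
    """Create every backed-up template first; return source template ID -> target ID."""
    template_map = {}
    for tpl in templates:
        template_map[tpl["id"]] = create_template(tpl)
    return template_map


def remap_policy_actions(policy: dict, template_map: dict):
    """Rewrite notification template references in a compliance policy's scheduled actions.

    Returns (rewritten policy, skip reasons). A notification action whose template has no
    mapping is dropped and recorded; other actions (block, retire, ...) pass through.
    The input policy is not modified.
    """
    skips = []
    restored = {k: v for k, v in policy.items() if k != "scheduledActionsForRule"}
    restored["scheduledActionsForRule"] = []
    for rule in policy.get("scheduledActionsForRule", []):
        kept = []
        for cfg in rule.get("scheduledActionConfigurations", []):
            source_tpl = cfg.get("notificationTemplateId")
            if cfg.get("actionType") == "notification" and source_tpl:
                if source_tpl not in template_map:
                    skips.append(f"{policy.get('displayName')}: notification action dropped, "
                                 f"no template mapping for {source_tpl}")
                    continue
                cfg = {**cfg, "notificationTemplateId": template_map[source_tpl]}
            kept.append(cfg)
        restored["scheduledActionsForRule"].append({**rule, "scheduledActionConfigurations": kept})
    return restored, skips


# Constructed sample: one template in the backup, one policy that references it and
# a second template that is not in the backup.
SAMPLE_TEMPLATES = [{"id": "src-tpl-1", "displayName": "Noncompliance notice"}]
SAMPLE_POLICY = {
    "displayName": "Windows baseline compliance",
    "scheduledActionsForRule": [{
        "ruleName": "PasswordRequired",
        "scheduledActionConfigurations": [
            {"actionType": "notification", "gracePeriodHours": 0, "notificationTemplateId": "src-tpl-1"},
            {"actionType": "notification", "gracePeriodHours": 24, "notificationTemplateId": "src-tpl-2"},
            {"actionType": "block", "gracePeriodHours": 72},
        ],
    }],
}


def fake_create_template(tpl: dict) -> str:
    """Hypothetical stand-in for the Graph create call; returns a constructed target ID."""
    return "dst-" + tpl["id"][len("src-"):]


def restore_sample():
    """Run the two steps in order: templates first, then policy reference remapping."""
    template_map = restore_templates(SAMPLE_TEMPLATES, fake_create_template)
    return remap_policy_actions(SAMPLE_POLICY, template_map)


if __name__ == "__main__":
    restored_policy, skip_reasons = restore_sample()
    print(restored_policy["scheduledActionsForRule"][0]["scheduledActionConfigurations"])
    for reason in skip_reasons:
        print("Skipped:", reason)
```

The ordering matters because the policy payload must carry a template ID that already exists in the target tenant; restoring the policy first would either fail or leave a dangling reference. Dropping only the unmappable action, rather than the whole policy, is what lets the policy still land as Partial with a recorded reason.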

### User Story 3 - Scripts and Remediations (Priority: P3)

As an admin, I want scripts and remediations to be captured and restored with assignments, so that endpoint automation is preserved.

**Independent Test**: Capture a PowerShell script and a proactive remediation with assignments. Restore into a test tenant and verify assignments are applied safely.

**Acceptance Scenarios**:

1. Given a script policy with assignments, when restore executes, then the script is recreated or updated and assignments are applied.
2. Given a remediation with missing assignment filter mapping, when restore executes, then the assignment is skipped and the remediation is still restored.

## Requirements (mandatory)

### Functional Requirements

- **FR-007.1**: System MUST support backup and restore for administrative templates, settings catalog policies, device configurations (including OMA-URI), and device compliance policies.
- **FR-007.2**: System MUST capture assignments and scope tags when the backup flags are enabled, using the existing capture orchestrator.
- **FR-007.3**: System MUST handle compliance actions and notification templates by restoring templates first and mapping references in policies.
- **FR-007.4**: System MUST restore scripts and remediations with assignments, applying foundation mappings and group mappings where available.
- **FR-007.5**: System MUST keep Conditional Access restore preview-only until identity dependency mapping is supported.
- **FR-007.6**: System MUST record audit logs for backup and restore actions, including skipped assignments and template mapping outcomes.

### Non-Goals

- No support for app workloads in this feature (tracked separately).
- No connector or token restore (metadata-only handled in a later phase).

## Success Criteria (mandatory)

- **SC-007.1**: For a backup containing at least 10 mixed configuration/compliance items, restore completes with 100% of items in Applied, Partial, or Skipped with reason (no silent failures).
- **SC-007.2**: At least 95% of assignments in a mixed restore are either applied successfully or explicitly skipped with a recorded reason.
- **SC-007.3**: Restore preview for 100 selected items completes in under 2 minutes in a typical admin environment.