ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
93dbd3b13d
TenantAtlas/specs/017-policy-types-mam-endpoint-security-baselines/plan.md
ahmido 412dd7ad66 feat/017-policy-types-mam-endpoint-security-baselines (#23) 
Hydrate configurationPolicies/{id}/settings for endpoint security/baseline policies so snapshots include real rule data.
Treat those types like Settings Catalog policies in the normalizer so they show the searchable settings table, recognizable categories, and readable choice values (firewall-specific formatting + interface badge parsing).
Improve “General” tab cards: badge lists for platforms/technologies, template reference summary (name/family/version/ID), and ISO timestamps rendered as YYYY‑MM‑DD HH:MM:SS; added regression test for the view.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #23
2026-01-03 02:06:35 +00:00

2.2 KiB
Raw Blame History

Plan: Policy Types (MAM App Config + Endpoint Security Policies + Security Baselines) (017)

Branch: feat/017-policy-types-mam-endpoint-security-baselines Date: 2026-01-02 Input: spec.md

Approach

  1. Inventory current supported types (config + graph contracts) and identify gaps.
  2. Define new type keys and metadata in config/tenantpilot.php.
  3. Add graph contracts in config/graph_contracts.php (resource, assigns, scope tags, create/update methods).
  4. Extend snapshot/capture and restore services as needed (special casing only when required).
  5. Add tests for: sync listing + backup capture + restore preview entry.

Decisions

Type keys + Graph resources

  • mamAppConfiguration (MAM App Config)
    • Graph collection: deviceAppManagement/targetedManagedAppConfigurations
    • Primary @odata.type: #microsoft.graph.targetedManagedAppConfiguration
  • endpointSecurityPolicy (Endpoint Security Policies)
    • Graph collection: deviceManagement/configurationPolicies
    • Primary @odata.type: #microsoft.graph.deviceManagementConfigurationPolicy
    • Classification: configuration policies where the snapshot indicates Endpoint Security via technologies and/or templateReference.
  • securityBaselinePolicy (Security Baselines)
    • Graph collection: deviceManagement/configurationPolicies
    • Primary @odata.type: #microsoft.graph.deviceManagementConfigurationPolicy
    • Classification: configuration policies where the snapshot indicates a baseline via templateReference (template family/type).

Restore modes

  • mamAppConfiguration: enabled (risk: medium-high)
  • endpointSecurityPolicy: preview-only (risk: high)
  • securityBaselinePolicy: preview-only (risk: high)

Test plan

  • Sync: new types show up with correct labels and do not leak into settingsCatalogPolicy / appProtectionPolicy.
  • Backup: items created and snapshots captured for each new type.
  • Restore: at minimum, restore preview produces entries; execution remains blocked for preview-only types.

Notes

  • Default restore mode for security-sensitive types should be conservative (preview-only) unless we already have safe restore semantics.
  • Prefer using existing generic graph-contract-driven code paths.