specs for additional intune types Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local> Reviewed-on: #28
26 lines
1.2 KiB
Markdown
# Plan: Custom Compliance Scripts (Windows) (026)

**Branch**: `feat/026-custom-compliance-scripts`
**Date**: 2026-01-04
**Input**: [spec.md](./spec.md)

## Approach

1. Confirm Graph contract details:
   - resource: `deviceManagement/deviceComplianceScripts` (beta)
   - patchable fields vs read-only fields
   - assignment pattern: `/deviceComplianceScripts/{id}/assign` and `/assignments`
2. Add `deviceComplianceScript` to `config/tenantpilot.php` (category “Compliance”, risk, restore mode).
3. Add contract entry to `config/graph_contracts.php` (resource + assignment endpoints + scope tags support).
4. Implement snapshot capture:
   - ensure `detectionScriptContent` is preserved and treated like other scripts (safe display, encode/decode where needed)
5. Implement restore:
   - sanitize payload via contract
   - ensure `detectionScriptContent` is encoded as expected by Graph
   - apply assignments via assign action
6. Add normalizer and targeted tests.

## Decisions / Notes

- **Restore mode**: default `enabled` (risk: medium-high) because tenant recovery often depends on these scripts.
- Use the existing script content display rules (`TENANTPILOT_SHOW_SCRIPT_CONTENT`, max chars).
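A sketch of steps 4 and 5 for `detectionScriptContent`, added here as an illustration and not taken from the project's code: the restore body is built from an allowlist and the script is validated as base64, and display decodes, truncates and HTML-escapes it. The function names, the `PATCHABLE` list and the sample snapshot are assumptions; the real patchable set is what step 1 has to confirm.

```php
<?php
declare(strict_types=1);

// Assumed allowlist: the plan still has to confirm patchable vs read-only fields.
const PATCHABLE = ['displayName', 'description', 'publisher', 'runAsAccount',
    'enforceSignatureCheck', 'runAs32Bit', 'roleScopeTagIds', 'detectionScriptContent'];

/** Build a restore body from a snapshot that stores the script as base64. */
function buildRestorePayload(array $snapshot): array
{
    // Allowlist, not denylist: id, timestamps and @odata.* keys never reach Graph.
    $payload = array_intersect_key($snapshot, array_flip(PATCHABLE));
    $content = $payload['detectionScriptContent'] ?? null;
    $raw = is_string($content) ? base64_decode($content, true) : false;
    if ($raw === false || $raw === '') {
        throw new InvalidArgumentException('detectionScriptContent missing or not base64');
    }
    // Re-encode so whitespace and padding are normalised before sending.
    $payload['detectionScriptContent'] = base64_encode($raw);
    return $payload;
}

/** Decode script content for display, honouring a show flag and a length cap. */
function displayScript(string $base64, bool $show, int $maxChars): string
{
    if (!$show) {
        return '[script content hidden]';
    }
    $raw = base64_decode($base64, true);
    if ($raw === false) {
        return '[undecodable script content]';
    }
    // Truncate first, then escape, so script text is shown and never rendered as markup.
    return htmlspecialchars(mb_substr($raw, 0, $maxChars), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample snapshot (not real tenant data).
$snapshot = [
    'id' => '00000000-0000-0000-0000-000000000000',
    '@odata.type' => '#microsoft.graph.deviceComplianceScript',
    'displayName' => 'Sample check',
    'lastModifiedDateTime' => '2026-01-04T00:00:00Z',
    'detectionScriptContent' => base64_encode('Write-Output "<ok>"'),
];
print_r(array_keys(buildRestorePayload($snapshot)));
echo displayScript($snapshot['detectionScriptContent'], true, 40), PHP_EOL;
```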