TenantAtlas/specs/017-policy-types-mam-endpoint-security-baselines/plan.md
2026-01-03 02:55:35 +01:00

Plan: Policy Types (MAM App Config + Endpoint Security Policies + Security Baselines) (017)

Branch: feat/017-policy-types-mam-endpoint-security-baselines
Date: 2026-01-02
Input: spec.md

Approach

  1. Inventory current supported types (config + graph contracts) and identify gaps.
  2. Define new type keys and metadata in config/tenantpilot.php.
  3. Add graph contracts in config/graph_contracts.php (resource, assigns, scope tags, create/update methods).
  4. Extend snapshot/capture and restore services as needed (special casing only when required).
  5. Add tests for: sync listing + backup capture + restore preview entry.

Decisions

Type keys + Graph resources

  • mamAppConfiguration (MAM App Config)
    • Graph collection: deviceAppManagement/targetedManagedAppConfigurations
    • Primary @odata.type: #microsoft.graph.targetedManagedAppConfiguration
  • endpointSecurityPolicy (Endpoint Security Policies)
    • Graph collection: deviceManagement/configurationPolicies
    • Primary @odata.type: #microsoft.graph.deviceManagementConfigurationPolicy
    • Classification: configuration policies where the snapshot indicates Endpoint Security via technologies and/or templateReference.
  • securityBaselinePolicy (Security Baselines)
    • Graph collection: deviceManagement/configurationPolicies
    • Primary @odata.type: #microsoft.graph.deviceManagementConfigurationPolicy
    • Classification: configuration policies where the snapshot indicates a baseline via templateReference (template family/type).
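The two classification bullets above both key off the same deviceManagementConfigurationPolicy snapshot, so the split has to be deterministic or baselines leak into the Endpoint Security listing. The following is an added example of such a classifier, written for this plan rather than taken from the TenantAtlas code base. The field names (technologies, templateReference.templateFamily) are the Graph resource's own; the specific templateFamily values and the microsoftSense fallback are assumptions from the public Graph enum, and the sample snapshots are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not TenantAtlas code: map a configurationPolicies snapshot
// to the type keys defined in this plan.
const TYPE_SETTINGS_CATALOG  = 'settingsCatalogPolicy';
const TYPE_ENDPOINT_SECURITY = 'endpointSecurityPolicy';
const TYPE_SECURITY_BASELINE = 'securityBaselinePolicy';

/**
 * Decide which type key a deviceManagementConfigurationPolicy snapshot belongs to.
 * Order matters: baseline is checked first so a baseline template never lands in
 * endpointSecurityPolicy; anything unrecognised falls back to the generic
 * settings catalog type instead of being guessed into a security-sensitive one.
 */
function classifyConfigurationPolicy(array $snapshot): string
{
    // Assumption: templateFamily is an enum string such as "baseline" or
    // "endpointSecurityAntivirus"; missing/none means a plain settings catalog policy.
    $family = strtolower((string) ($snapshot['templateReference']['templateFamily'] ?? 'none'));

    // technologies is a comma-separated flag string, e.g. "mdm,microsoftSense".
    $technologies = array_map(
        'trim',
        explode(',', strtolower((string) ($snapshot['technologies'] ?? '')))
    );

    if ($family === 'baseline') {
        return TYPE_SECURITY_BASELINE;
    }
    // Assumption: all Endpoint Security workload families share this prefix.
    if (str_starts_with($family, 'endpointsecurity')) {
        return TYPE_ENDPOINT_SECURITY;
    }
    // Assumption: Defender-managed policies carry the microsoftSense technology
    // even when the snapshot did not include a template reference.
    if (in_array('microsoftsense', $technologies, true)) {
        return TYPE_ENDPOINT_SECURITY;
    }
    return TYPE_SETTINGS_CATALOG;
}

// Constructed sample snapshots (not real tenant data).
$samples = [
    'av-policy' => [
        'technologies'      => 'mdm,microsoftSense',
        'templateReference' => ['templateFamily' => 'endpointSecurityAntivirus'],
    ],
    'win-baseline' => [
        'technologies'      => 'mdm',
        'templateReference' => ['templateFamily' => 'baseline'],
    ],
    'plain-catalog' => [
        'technologies'      => 'mdm',
        'templateReference' => ['templateFamily' => 'none'],
    ],
    'no-template' => [
        'technologies' => 'mdm,microsoftSense',
    ],
];

$expected = [
    'av-policy'     => TYPE_ENDPOINT_SECURITY,
    'win-baseline'  => TYPE_SECURITY_BASELINE,
    'plain-catalog' => TYPE_SETTINGS_CATALOG,
    'no-template'   => TYPE_ENDPOINT_SECURITY,
];

foreach ($samples as $name => $snapshot) {
    $type = classifyConfigurationPolicy($snapshot);
    if ($type !== $expected[$name]) {
        throw new RuntimeException("$name classified as $type, expected {$expected[$name]}");
    }
    echo str_pad($name, 14), ' -> ', $type, PHP_EOL;
}
```

The sync test in this plan ("do not leak into settingsCatalogPolicy / appProtectionPolicy") is the mirror image of the fallback branch: the classifier only ever returns a security-sensitive type on positive evidence, so the generic type absorbs the unknowns rather than the other way round.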

Restore modes

  • mamAppConfiguration: enabled (risk: medium-high)
  • endpointSecurityPolicy: preview-only (risk: high)
  • securityBaselinePolicy: preview-only (risk: high)
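To show how the modes above translate into behaviour, here is an added example of a restore-mode gate, written for this plan and not taken from the TenantAtlas services. The mode table mirrors the three entries this plan adds; the config key names (restore_mode, risk), the function names and the fake Graph callback are assumptions, and the sample items are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not TenantAtlas code: per-type restore modes and the gate
// that separates "preview produces entries" from "execution is allowed".
const RESTORE_MODES = [
    'mamAppConfiguration'    => ['restore_mode' => 'enabled',      'risk' => 'medium-high'],
    'endpointSecurityPolicy' => ['restore_mode' => 'preview-only', 'risk' => 'high'],
    'securityBaselinePolicy' => ['restore_mode' => 'preview-only', 'risk' => 'high'],
];

final class RestoreBlockedException extends RuntimeException {}

/** Unknown types get the conservative default this plan asks for. */
function restoreModeFor(string $type): string
{
    return RESTORE_MODES[$type]['restore_mode'] ?? 'preview-only';
}

/** Every type yields a preview entry; only enabled types are marked executable. */
function previewEntry(string $type, array $item): array
{
    $mode = restoreModeFor($type);
    return [
        'type'        => $type,
        'id'          => $item['id'] ?? null,
        'displayName' => $item['displayName'] ?? '(unnamed)',
        'mode'        => $mode,
        'risk'        => RESTORE_MODES[$type]['risk'] ?? 'unknown',
        'executable'  => $mode === 'enabled',
    ];
}

/**
 * Execution path. The check is repeated here on purpose: a caller that skips
 * the preview step must still be refused for preview-only types.
 */
function executeRestore(string $type, array $item, callable $graphCreate): array
{
    $mode = restoreModeFor($type);
    if ($mode !== 'enabled') {
        throw new RestoreBlockedException(sprintf(
            'restore of %s "%s" blocked: mode is %s',
            $type,
            $item['displayName'] ?? ($item['id'] ?? '?'),
            $mode
        ));
    }
    return $graphCreate($item);
}

// Constructed sample backup items (not real tenant data).
$items = [
    ['type' => 'mamAppConfiguration',    'item' => ['id' => 'mam-0001', 'displayName' => 'Outlook app config']],
    ['type' => 'endpointSecurityPolicy', 'item' => ['id' => 'es-0001',  'displayName' => 'Defender AV baseline']],
    ['type' => 'securityBaselinePolicy', 'item' => ['id' => 'sb-0001',  'displayName' => 'Windows 11 baseline']],
    ['type' => 'someFutureType',         'item' => ['id' => 'x-0001']],
];

// Stand-in for the graph-contract create call; returns a fake new id.
$fakeGraphCreate = static fn (array $payload): array => ['id' => 'new-' . $payload['id'], 'status' => 'created'];

foreach ($items as $entry) {
    $preview = previewEntry($entry['type'], $entry['item']);
    printf("%-24s mode=%-12s risk=%-11s executable=%s\n",
        $preview['type'], $preview['mode'], $preview['risk'], $preview['executable'] ? 'yes' : 'no');

    try {
        $result = executeRestore($entry['type'], $entry['item'], $fakeGraphCreate);
        echo "  executed -> {$result['id']}\n";
    } catch (RestoreBlockedException $e) {
        echo '  ', $e->getMessage(), "\n";
    }
}
```

Running this prints four preview entries and executes only the mamAppConfiguration item; the two preview-only types and the unknown type are refused at execution time, which is the restore assertion in the test plan stated as code.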

Test plan

  • Sync: new types show up with correct labels and do not leak into settingsCatalogPolicy / appProtectionPolicy.
  • Backup: items created and snapshots captured for each new type.
  • Restore: at minimum, restore preview produces entries; execution remains blocked for preview-only types.

Notes

  • Default restore mode for security-sensitive types should be conservative (preview-only) unless we already have safe restore semantics.
  • Prefer using existing generic graph-contract-driven code paths.