ABMPS/AppleBusinessManager.psm1

#Requires -Version 7.0
#Requires -Module jwtPS
function Connect-AppleBusinessManager {
    [CmdletBinding(DefaultParameterSetName = 'EnvironmentVariable')]
    param(
        [string][Parameter(ParameterSetName = 'PrivateKeyAsString', Mandatory)]$ClientId,
        [string][Parameter(ParameterSetName = 'PrivateKeyAsString', Mandatory)]$PrivateKey,
        [string][Parameter(ParameterSetName = 'PrivateKeyAsString', Mandatory)]$PrivateKeyId
    )

    if ($PSBoundParameters.Count -eq 0) {
        # Parameters were not bound, check to see if they're already set before attempting to authenticate
        Write-Verbose "Checking to see if existing credentials were set at a script scope that can be re-used"
        if (-not $Script:ClientId -or -not $Script:PrivateKey -or -not $Script:PrivateKeyId) {
            Write-Verbose "Existing credentials not loaded, checking for environment variables"
            if ($PSCmdlet.ParameterSetName -eq 'EnvironmentVariable') {
                if (-not $Env:AppleBusinessManagerClientId -or -not $Env:AppleBusinessManagerPrivateKeyId -or -not $Env:AppleBusinessManagerPrivateKey) {
                    throw "Client ID, Private Key ID and Private Key environment variables were not set for Apple Business Manager"
                }
                $Script:ClientId = $Env:AppleBusinessManagerClientId
                $Script:PrivateKey = $Env:AppleBusinessManagerPrivateKey
                $Script:PrivateKeyId = $Env:AppleBusinessManagerPrivateKeyId
            }
        }
    }
    
    if ($PSCmdlet.ParameterSetName -eq 'PrivateKeyAsString') {
        # Assign the parameters to script scope so we can reuse them later
        $Script:ClientId = $ClientId
        $Script:PrivateKey = $PrivateKey
        $Script:PrivateKeyId = $PrivateKeyId
    }

    $Header = @{
        'kid' = $Script:PrivateKeyId
    }

    $Payload = @{
        aud = "https://account.apple.com/auth/oauth2/v2/token" 
        iss = $Script:ClientId
        sub = $Script:ClientId
        iat = ([System.DateTimeOffset]::Now).ToUnixTimeSeconds()
        exp = ([System.DateTimeOffset]::Now.AddMinutes(15)).ToUnixTimeSeconds()
        jti = [guid]::NewGuid()
    }

    $Hashing = [jwtTypes+encryption]::SHA256
    $Signature = [jwtTypes+algorithm]::ECDsa
    $Algorithm = [jwtTypes+cryptographyType]::new($Signature, $Hashing)
    $JWT = New-JWT -Payload $Payload -Algorithm $Algorithm -Secret $Script:PrivateKey -Header $Header
    Write-Verbose $JWT

    $Script:Body = @{
        'grant_type'            = 'client_credentials'
        'client_id'             = $Script:ClientId
        'client_assertion'      = $JWT
        'client_assertion_type' = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
        'scope'                 = 'business.api'
    }

    $Script:AuthResponse = Invoke-RestMethod -Method Post -Uri 'https://account.apple.com/auth/oauth2/token' -Body $Script:Body -SkipHttpErrorCheck
    if ($Script:AuthResponse.error) {
        throw $Script:AuthResponse.Error
    }
    $Script:ExpiresAt = (Get-Date).AddSeconds($Script:AuthResponse.expires_in)
}

function Get-AppleBusinessManagerBearerToken {
    if (-not $Script:AuthResponse) {
        try {
            Connect-AppleBusinessManager
        }
        catch {
            throw "Authorization has not been completed, use Connect-AppleBusinessManager first."
        }
    }
    if ((Get-Date).AddMinutes(1) -ge $Script:ExpiresAt) {
        # Access token is approaching expiration, get a new access token
        Connect-AppleBusinessManager
    }

    return ($Script:AuthResponse.access_token | ConvertTo-SecureString -AsPlainText -Force)
}

function Invoke-AppleBusinessManagerPagedApiRequest {
    param (
        [Parameter(Mandatory = $true)][uri] $Uri
    )
    $Results = New-Object System.Collections.ArrayList
    while ($Uri) {
        Write-Verbose "Making request to $Uri"
        $Result = Invoke-RestMethod $Uri -Authentication Bearer -Token (Get-AppleBusinessManagerBearerToken) -ErrorAction Stop
        $Uri = $Result.links.next
        $Results.AddRange(@($Result.data)) | Out-Null
    }
    return $Results
}

function Get-AppleBusinessManagerOrgDevice {
    [Alias('Get-AppleBusinessManagerOrgDevices')]
    param (
        [Parameter(Mandatory, ParameterSetName = 'Read')][string] $OrgDeviceId,
        [Parameter(ParameterSetName = 'Read')]
        [Parameter(ParameterSetName = 'List')]
        [string[]] $Fields,
        [Parameter( ParameterSetName = 'Read')]
        [Parameter(ParameterSetName = 'List')]
        [int] $Limit
    )
    $Uri = switch ($PSCmdlet.ParameterSetName) {
        'Read' { "https://api-business.apple.com/v1/orgDevices/$([System.Web.HttpUtility]::UrlEncode($OrgDeviceId))" }
        Default { "https://api-business.apple.com/v1/orgDevices" }
    }
    $UriBuilder = [System.UriBuilder]::new($Uri)
    $QueryString = [System.Web.HttpUtility]::ParseQueryString($UriBuilder.Query)
    if ($PSBoundParameters.ContainsKey('Fields')) {
        $QueryString.Set('fields[orgDevices]', $Fields -join ',')
    }
    if ($PSBoundParameters.ContainsKey('Limit')) {
        $QueryString.Set('limit', $Limit)
    }
    $UriBuilder.Query = $QueryString.ToString()
    return Invoke-AppleBusinessManagerPagedApiRequest -Uri $UriBuilder.Uri
}

function Get-AppleBusinessManagerOrgDeviceMdmServerId {
    param (
        [Parameter(Mandatory)]
        [string] $OrgDeviceId
    )
    return Invoke-AppleBusinessManagerPagedApiRequest -Uri "https://api-business.apple.com/v1/orgDevices/$([System.Web.HttpUtility]::UrlEncode($OrgDeviceId))/relationships/assignedServer"
}

function Get-AppleBusinessManagerOrgDeviceMdmServer {
    param (
        [Parameter(Mandatory)]
        [string] $OrgDeviceId,
        [string[]] $Fields
    )
    $UriBuilder = [System.UriBuilder]::new("https://api-business.apple.com/v1/orgDevices/$([System.Web.HttpUtility]::UrlEncode($OrgDeviceId))/assignedServer")
    $QueryString = [System.Web.HttpUtility]::ParseQueryString($UriBuilder.Query)
    if ($PSBoundParameters.ContainsKey('Fields')) {
        $QueryString.Set('fields[mdmServers]', $Fields -join ',')
    }
    $UriBuilder.Query = $QueryString.ToString()
    return Invoke-AppleBusinessManagerPagedApiRequest -Uri $UriBuilder.Uri
}

function Get-AppleBusinessManagerMdmServer {
    [Alias('Get-AppleBusinessManagerMdmServers')]
    param (
        [string[]] $Fields,
        [int] $Limit
    )
    $UriBuilder = [System.UriBuilder]::new("https://api-business.apple.com/v1/mdmServers")
    $QueryString = [System.Web.HttpUtility]::ParseQueryString($UriBuilder.Query)
    if ($PSBoundParameters.ContainsKey('Fields')) {
        $QueryString.Set('fields[mdmServers]', $Fields -join ',')
    }
    if ($PSBoundParameters.ContainsKey('Limit')) {
        $QueryString.Set('limit', $Limit)
    }
    $UriBuilder.Query = $QueryString.ToString()
    return Invoke-AppleBusinessManagerPagedApiRequest -Uri $UriBuilder.Uri
}

function Get-AppleBusinessManagerMdmServerDevice {
    param (
        [Parameter(Mandatory)]
        [string] $MdmServerId,
        [int] $Limit
    )
    $UriBuilder = [System.UriBuilder]::new("https://api-business.apple.com/v1/mdmServers/$([System.Web.HttpUtility]::UrlEncode($MdmServerId))/relationships/devices")
    $QueryString = [System.Web.HttpUtility]::ParseQueryString($UriBuilder.Query)
    if ($PSBoundParameters.ContainsKey('Limit')) {
        $QueryString.Set('limit', $Limit)
    }
    $UriBuilder.Query = $QueryString.ToString()
    return Invoke-AppleBusinessManagerPagedApiRequest -Uri $UriBuilder.Uri
}
Initial Version 2025-06-12 10:19:06 -07:00			`#Requires -Version 7.0`
			`#Requires -Module jwtPS`
			`function Connect-AppleBusinessManager {`
Allow passing connection info as string params, better instructions 2025-06-12 10:19:06 -07:00			`[CmdletBinding(DefaultParameterSetName = 'EnvironmentVariable')]`
			`param(`
			`[string][Parameter(ParameterSetName = 'PrivateKeyAsString', Mandatory)]$ClientId,`
			`[string][Parameter(ParameterSetName = 'PrivateKeyAsString', Mandatory)]$PrivateKey,`
			`[string][Parameter(ParameterSetName = 'PrivateKeyAsString', Mandatory)]$PrivateKeyId`
			`)`
Add Get/Read operations, better credential refreshing 2025-06-12 10:19:07 -07:00
			`if ($PSBoundParameters.Count -eq 0) {`
			`# Parameters were not bound, check to see if they're already set before attempting to authenticate`
			`Write-Verbose "Checking to see if existing credentials were set at a script scope that can be re-used"`
			`if (-not $Script:ClientId -or -not $Script:PrivateKey -or -not $Script:PrivateKeyId) {`
			`Write-Verbose "Existing credentials not loaded, checking for environment variables"`
			`if ($PSCmdlet.ParameterSetName -eq 'EnvironmentVariable') {`
			`if (-not $Env:AppleBusinessManagerClientId -or -not $Env:AppleBusinessManagerPrivateKeyId -or -not $Env:AppleBusinessManagerPrivateKey) {`
			`throw "Client ID, Private Key ID and Private Key environment variables were not set for Apple Business Manager"`
			`}`
			`$Script:ClientId = $Env:AppleBusinessManagerClientId`
			`$Script:PrivateKey = $Env:AppleBusinessManagerPrivateKey`
			`$Script:PrivateKeyId = $Env:AppleBusinessManagerPrivateKeyId`
			`}`
Allow passing connection info as string params, better instructions 2025-06-12 10:19:06 -07:00			`}`
Initial Version 2025-06-12 10:19:06 -07:00			`}`
Add Get/Read operations, better credential refreshing 2025-06-12 10:19:07 -07:00
			`if ($PSCmdlet.ParameterSetName -eq 'PrivateKeyAsString') {`
			`# Assign the parameters to script scope so we can reuse them later`
			`$Script:ClientId = $ClientId`
			`$Script:PrivateKey = $PrivateKey`
			`$Script:PrivateKeyId = $PrivateKeyId`
			`}`

Initial Version 2025-06-12 10:19:06 -07:00			`$Header = @{`
			`'kid' = $Script:PrivateKeyId`
			`}`

			`$Payload = @{`
			`aud = "https://account.apple.com/auth/oauth2/v2/token"`
			`iss = $Script:ClientId`
			`sub = $Script:ClientId`
			`iat = ([System.DateTimeOffset]::Now).ToUnixTimeSeconds()`
			`exp = ([System.DateTimeOffset]::Now.AddMinutes(15)).ToUnixTimeSeconds()`
			`jti = [guid]::NewGuid()`
			`}`

			`$Hashing = [jwtTypes+encryption]::SHA256`
			`$Signature = [jwtTypes+algorithm]::ECDsa`
			`$Algorithm = [jwtTypes+cryptographyType]::new($Signature, $Hashing)`
			`$JWT = New-JWT -Payload $Payload -Algorithm $Algorithm -Secret $Script:PrivateKey -Header $Header`
			`Write-Verbose $JWT`

			`$Script:Body = @{`
			`'grant_type' = 'client_credentials'`
			`'client_id' = $Script:ClientId`
			`'client_assertion' = $JWT`
			`'client_assertion_type' = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'`
			`'scope' = 'business.api'`
			`}`

			`$Script:AuthResponse = Invoke-RestMethod -Method Post -Uri 'https://account.apple.com/auth/oauth2/token' -Body $Script:Body -SkipHttpErrorCheck`
			`if ($Script:AuthResponse.error) {`
			`throw $Script:AuthResponse.Error`
			`}`
			`$Script:ExpiresAt = (Get-Date).AddSeconds($Script:AuthResponse.expires_in)`
			`}`

			`function Get-AppleBusinessManagerBearerToken {`
			`if (-not $Script:AuthResponse) {`
			`try {`
			`Connect-AppleBusinessManager`
			`}`
			`catch {`
			`throw "Authorization has not been completed, use Connect-AppleBusinessManager first."`
			`}`
			`}`
			`if ((Get-Date).AddMinutes(1) -ge $Script:ExpiresAt) {`
			`# Access token is approaching expiration, get a new access token`
			`Connect-AppleBusinessManager`
			`}`

			`return ($Script:AuthResponse.access_token \| ConvertTo-SecureString -AsPlainText -Force)`
			`}`

			`function Invoke-AppleBusinessManagerPagedApiRequest {`
			`param (`
			`[Parameter(Mandatory = $true)][uri] $Uri`
			`)`
			`$Results = New-Object System.Collections.ArrayList`
			`while ($Uri) {`
Add Get/Read operations, better credential refreshing 2025-06-12 10:19:07 -07:00			`Write-Verbose "Making request to $Uri"`
Initial Version 2025-06-12 10:19:06 -07:00			`$Result = Invoke-RestMethod $Uri -Authentication Bearer -Token (Get-AppleBusinessManagerBearerToken) -ErrorAction Stop`
			`$Uri = $Result.links.next`
Add Get/Read operations, better credential refreshing 2025-06-12 10:19:07 -07:00			`$Results.AddRange(@($Result.data)) \| Out-Null`
Initial Version 2025-06-12 10:19:06 -07:00			`}`
			`return $Results`
			`}`

Add Get/Read operations, better credential refreshing 2025-06-12 10:19:07 -07:00			`function Get-AppleBusinessManagerOrgDevice {`
			`[Alias('Get-AppleBusinessManagerOrgDevices')]`
			`param (`
			`[Parameter(Mandatory, ParameterSetName = 'Read')][string] $OrgDeviceId,`
			`[Parameter(ParameterSetName = 'Read')]`
			`[Parameter(ParameterSetName = 'List')]`
			`[string[]] $Fields,`
			`[Parameter( ParameterSetName = 'Read')]`
			`[Parameter(ParameterSetName = 'List')]`
			`[int] $Limit`
			`)`
			`$Uri = switch ($PSCmdlet.ParameterSetName) {`
			`'Read' { "https://api-business.apple.com/v1/orgDevices/$([System.Web.HttpUtility]::UrlEncode($OrgDeviceId))" }`
			`Default { "https://api-business.apple.com/v1/orgDevices" }`
			`}`
			`$UriBuilder = [System.UriBuilder]::new($Uri)`
			`$QueryString = [System.Web.HttpUtility]::ParseQueryString($UriBuilder.Query)`
			`if ($PSBoundParameters.ContainsKey('Fields')) {`
			`$QueryString.Set('fields[orgDevices]', $Fields -join ',')`
			`}`
			`if ($PSBoundParameters.ContainsKey('Limit')) {`
			`$QueryString.Set('limit', $Limit)`
			`}`
			`$UriBuilder.Query = $QueryString.ToString()`
			`return Invoke-AppleBusinessManagerPagedApiRequest -Uri $UriBuilder.Uri`
			`}`

			`function Get-AppleBusinessManagerOrgDeviceMdmServerId {`
			`param (`
			`[Parameter(Mandatory)]`
			`[string] $OrgDeviceId`
			`)`
			`return Invoke-AppleBusinessManagerPagedApiRequest -Uri "https://api-business.apple.com/v1/orgDevices/$([System.Web.HttpUtility]::UrlEncode($OrgDeviceId))/relationships/assignedServer"`
			`}`

			`function Get-AppleBusinessManagerOrgDeviceMdmServer {`
			`param (`
			`[Parameter(Mandatory)]`
			`[string] $OrgDeviceId,`
			`[string[]] $Fields`
			`)`
			`$UriBuilder = [System.UriBuilder]::new("https://api-business.apple.com/v1/orgDevices/$([System.Web.HttpUtility]::UrlEncode($OrgDeviceId))/assignedServer")`
			`$QueryString = [System.Web.HttpUtility]::ParseQueryString($UriBuilder.Query)`
			`if ($PSBoundParameters.ContainsKey('Fields')) {`
			`$QueryString.Set('fields[mdmServers]', $Fields -join ',')`
			`}`
			`$UriBuilder.Query = $QueryString.ToString()`
			`return Invoke-AppleBusinessManagerPagedApiRequest -Uri $UriBuilder.Uri`
Initial Version 2025-06-12 10:19:06 -07:00			`}`

Add Get/Read operations, better credential refreshing 2025-06-12 10:19:07 -07:00			`function Get-AppleBusinessManagerMdmServer {`
			`[Alias('Get-AppleBusinessManagerMdmServers')]`
			`param (`
			`[string[]] $Fields,`
			`[int] $Limit`
			`)`
			`$UriBuilder = [System.UriBuilder]::new("https://api-business.apple.com/v1/mdmServers")`
			`$QueryString = [System.Web.HttpUtility]::ParseQueryString($UriBuilder.Query)`
			`if ($PSBoundParameters.ContainsKey('Fields')) {`
			`$QueryString.Set('fields[mdmServers]', $Fields -join ',')`
			`}`
			`if ($PSBoundParameters.ContainsKey('Limit')) {`
			`$QueryString.Set('limit', $Limit)`
			`}`
			`$UriBuilder.Query = $QueryString.ToString()`
			`return Invoke-AppleBusinessManagerPagedApiRequest -Uri $UriBuilder.Uri`
			`}`

			`function Get-AppleBusinessManagerMdmServerDevice {`
			`param (`
			`[Parameter(Mandatory)]`
			`[string] $MdmServerId,`
			`[int] $Limit`
			`)`
			`$UriBuilder = [System.UriBuilder]::new("https://api-business.apple.com/v1/mdmServers/$([System.Web.HttpUtility]::UrlEncode($MdmServerId))/relationships/devices")`
			`$QueryString = [System.Web.HttpUtility]::ParseQueryString($UriBuilder.Query)`
			`if ($PSBoundParameters.ContainsKey('Limit')) {`
			`$QueryString.Set('limit', $Limit)`
			`}`
			`$UriBuilder.Query = $QueryString.ToString()`
			`return Invoke-AppleBusinessManagerPagedApiRequest -Uri $UriBuilder.Uri`
Initial Version 2025-06-12 10:19:06 -07:00			`}`