Initial Version

2025-06-12 10:19:06 -07:00 · 2025-06-12 10:19:06 -07:00 · 740994ae40
commit 740994ae40
4 changed files with 217 additions and 0 deletions
--- a/AppleBusinessManager.psm1
+++ b/AppleBusinessManager.psm1
@ -0,0 +1,81 @@
+#Requires -Version 7.0
+#Requires -Module jwtPS
+function Connect-AppleBusinessManager {
+    if (-not $Env:AppleBusinessManagerClientId -or -not $Env:AppleBusinessManagerPrivateKeyId -or -not $Env:AppleBusinessManagerPrivateKey) {
+        throw "Client ID, Private Key ID and Private Key environment variables were not set for Apple Business Manager"
+    }
+    $Script:ClientId = $Env:AppleBusinessManagerClientId
+    $Script:PrivateKey = $Env:AppleBusinessManagerPrivateKey
+    $Script:PrivateKeyId = $Env:AppleBusinessManagerPrivateKeyId
+
+    $Header = @{
+        'kid' = $Script:PrivateKeyId
+    }
+
+    $Payload = @{
+        aud = "https://account.apple.com/auth/oauth2/v2/token" 
+        iss = $Script:ClientId
+        sub = $Script:ClientId
+        iat = ([System.DateTimeOffset]::Now).ToUnixTimeSeconds()
+        exp = ([System.DateTimeOffset]::Now.AddMinutes(15)).ToUnixTimeSeconds()
+        jti = [guid]::NewGuid()
+    }
+
+    $Hashing = [jwtTypes+encryption]::SHA256
+    $Signature = [jwtTypes+algorithm]::ECDsa
+    $Algorithm = [jwtTypes+cryptographyType]::new($Signature, $Hashing)
+    $JWT = New-JWT -Payload $Payload -Algorithm $Algorithm -Secret $Script:PrivateKey -Header $Header
+    Write-Verbose $JWT
+
+    $Script:Body = @{
+        'grant_type'            = 'client_credentials'
+        'client_id'             = $Script:ClientId
+        'client_assertion'      = $JWT
+        'client_assertion_type' = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+        'scope'                 = 'business.api'
+    }
+
+    $Script:AuthResponse = Invoke-RestMethod -Method Post -Uri 'https://account.apple.com/auth/oauth2/token' -Body $Script:Body -SkipHttpErrorCheck
+    if ($Script:AuthResponse.error) {
+        throw $Script:AuthResponse.Error
+    }
+    $Script:ExpiresAt = (Get-Date).AddSeconds($Script:AuthResponse.expires_in)
+}
+
+function Get-AppleBusinessManagerBearerToken {
+    if (-not $Script:AuthResponse) {
+        try {
+            Connect-AppleBusinessManager
+        }
+        catch {
+            throw "Authorization has not been completed, use Connect-AppleBusinessManager first."
+        }
+    }
+    if ((Get-Date).AddMinutes(1) -ge $Script:ExpiresAt) {
+        # Access token is approaching expiration, get a new access token
+        Connect-AppleBusinessManager
+    }
+
+    return ($Script:AuthResponse.access_token | ConvertTo-SecureString -AsPlainText -Force)
+}
+
+function Invoke-AppleBusinessManagerPagedApiRequest {
+    param (
+        [Parameter(Mandatory = $true)][uri] $Uri
+    )
+    $Results = New-Object System.Collections.ArrayList
+    while ($Uri) {
+        $Result = Invoke-RestMethod $Uri -Authentication Bearer -Token (Get-AppleBusinessManagerBearerToken) -ErrorAction Stop
+        $Uri = $Result.links.next
+        $Results.AddRange($Result.data) | Out-Null
+    }
+    return $Results
+}
+
+function Get-AppleBusinessManagerOrgDevices {
+    return Invoke-AppleBusinessManagerPagedApiRequest -Uri "https://api-business.apple.com/v1/orgDevices"
+}
+
+function Get-AppleBusinessManagerMdmServers {
+    return Invoke-AppleBusinessManagerPagedApiRequest -Uri "https://api-business.apple.com/v1/mdmServers"
+}