buckbanzai/ABMPS
buckbanzai/ABMPS
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ABMPS/AppleBusinessManager.psm1

88 lines
No EOL
3.5 KiB
PowerShell
Raw Blame History

#Requires -Version 7.0
#Requires -Module jwtPS
function Connect-AppleBusinessManager {
[CmdletBinding(DefaultParameterSetName = 'EnvironmentVariable')]
param(
[string][Parameter(ParameterSetName = 'PrivateKeyAsString', Mandatory)]$ClientId,
[string][Parameter(ParameterSetName = 'PrivateKeyAsString', Mandatory)]$PrivateKey,
[string][Parameter(ParameterSetName = 'PrivateKeyAsString', Mandatory)]$PrivateKeyId
)
if ($PSCmdlet.ParameterSetName -eq 'EnvironmentVariable') {
if (-not $Env:AppleBusinessManagerClientId -or -not $Env:AppleBusinessManagerPrivateKeyId -or -not $Env:AppleBusinessManagerPrivateKey) {
throw "Client ID, Private Key ID and Private Key environment variables were not set for Apple Business Manager"
}
$Script:ClientId = $Env:AppleBusinessManagerClientId
$Script:PrivateKey = $Env:AppleBusinessManagerPrivateKey
$Script:PrivateKeyId = $Env:AppleBusinessManagerPrivateKeyId
}
$Header = @{
'kid' = $Script:PrivateKeyId
}
$Payload = @{
aud = "https://account.apple.com/auth/oauth2/v2/token"
iss = $Script:ClientId
sub = $Script:ClientId
iat = ([System.DateTimeOffset]::Now).ToUnixTimeSeconds()
exp = ([System.DateTimeOffset]::Now.AddMinutes(15)).ToUnixTimeSeconds()
jti = [guid]::NewGuid()
}
$Hashing = [jwtTypes+encryption]::SHA256
$Signature = [jwtTypes+algorithm]::ECDsa
$Algorithm = [jwtTypes+cryptographyType]::new($Signature, $Hashing)
$JWT = New-JWT -Payload $Payload -Algorithm $Algorithm -Secret $Script:PrivateKey -Header $Header
Write-Verbose $JWT
$Script:Body = @{
'grant_type' = 'client_credentials'
'client_id' = $Script:ClientId
'client_assertion' = $JWT
'client_assertion_type' = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
'scope' = 'business.api'
}
$Script:AuthResponse = Invoke-RestMethod -Method Post -Uri 'https://account.apple.com/auth/oauth2/token' -Body $Script:Body -SkipHttpErrorCheck
if ($Script:AuthResponse.error) {
throw $Script:AuthResponse.Error
}
$Script:ExpiresAt = (Get-Date).AddSeconds($Script:AuthResponse.expires_in)
}
function Get-AppleBusinessManagerBearerToken {
if (-not $Script:AuthResponse) {
try {
Connect-AppleBusinessManager
}
catch {
throw "Authorization has not been completed, use Connect-AppleBusinessManager first."
}
}
if ((Get-Date).AddMinutes(1) -ge $Script:ExpiresAt) {
# Access token is approaching expiration, get a new access token
Connect-AppleBusinessManager
}
return ($Script:AuthResponse.access_token | ConvertTo-SecureString -AsPlainText -Force)
}
function Invoke-AppleBusinessManagerPagedApiRequest {
param (
[Parameter(Mandatory = $true)][uri] $Uri
)
$Results = New-Object System.Collections.ArrayList
while ($Uri) {
$Result = Invoke-RestMethod $Uri -Authentication Bearer -Token (Get-AppleBusinessManagerBearerToken) -ErrorAction Stop
$Uri = $Result.links.next
$Results.AddRange($Result.data) | Out-Null
}
return $Results
}
function Get-AppleBusinessManagerOrgDevices {
return Invoke-AppleBusinessManagerPagedApiRequest -Uri "https://api-business.apple.com/v1/orgDevices"
}
function Get-AppleBusinessManagerMdmServers {
return Invoke-AppleBusinessManagerPagedApiRequest -Uri "https://api-business.apple.com/v1/mdmServers"
}
Reference in a new issue View git blame Copy permalink