Custom OMA-URI values encrypted after export/import #29

Closed
easyngit opened this issue Sep 28, 2021 · 9 comments


easyngit commented Sep 28, 2021

Hi,

We have been seeing a weird issue after we have done an export and import to a tenant. All values, from what we can tell, get set as encrypted and all we see in the values is "***".

We discovered this issue the first time when we tried to import some policies for Google Chrome. But we have also seen this happening to our ADMX OMA-URI policy for Lenovo Commercial Vantage.
So far the only solution we have found is to manually recreate the values that get encrypted.

Edit: This has happened around 4 times in the last 2 months.

Author

easyngit commented Sep 28, 2021

A workaround to this issue has been to click view on a file and click "Load Full" before doing the export. Seems like there is an issue with the secret during standard export.

Owner

Micke-K commented Sep 28, 2021

Hello!

Thank you for reporting this. The secret values were something Microsoft introduced a few months ago. Strings are now stored as encrypted in Intune but support for this was implemented in a previous version.

I cannot replicate the issue with the latest version. I exported a Custom OMA-URI for Chrome. If I look at values without loading the Full View, the value is ***** but in the exported file it is the actual string. I did NOT load the full value before export. I also did a Bulk Export of all Device Configuration profiles directly after I started the app and the actual string values were exported.

What versions of EndpointManager.psm1 and MSGraph.ps1 do you have? Versions are available in About. It should be 3.1.11 and 3.1.6.

Note that the json files must be re-exported to get the decrypted strings in the json. Exported files with ***** values cannot be decrypted after export.

Owner

Micke-K commented Sep 29, 2021

This is taken care of by the Start-PostGetDeviceConfiguration function in the EndpointManager.psm1 file. This function is called every time the full Device Configuration object is loaded, e.g. View Full Object, Export Object, Document Object etc.

Owner

Micke-K commented Sep 30, 2021

@easyngit Any update on this? Did you try re-exporting the profiles with the new version?

@easyngit
Author

@Micke-K Sorry for the late reply, I'm away from work until Monday so will discuss this with my colleague then. If you want we can just close this issue now. Thanks for taking the time to respond! This is a great tool.

Owner

Micke-K commented Sep 30, 2021

No problem and thank you!
I'll close it when you have verified that it is working.

Cheers!

Author

easyngit commented Oct 7, 2021

Hi Micke!

Sorry for the delayed response, we have been discussing this error this week and been trying to find out why this is happening. We have seen the error multiple times in our OMA URI policies but we have so far been unsuccessful in finding the culprit of why they don't retain their secret when exporting directly from the view without pressing View --> Load Full first.

I have created a meeting for tomorrow with my colleague where we will try to troubleshoot further. Will come back to you tomorrow.

Owner

Micke-K commented Oct 7, 2021

I'm not sure if I misunderstood your problem. The values for OMA-URI will always be ***** when you view details and then visible when you load the full object. The full object is loaded during export so clear text values will be included in the export.

This is because Microsoft encrypts the strings and the API returns ***** when objects are loaded. A second API is required to decrypt the string. This is only called when loading the full object.

@easyngit
Author

Issue hasn't recurred this or last week so we suspect Microsoft had an issue they resolved. Gonna close this one.
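
A pre-import check for the condition described in the thread (exported files that still contain ***** values cannot be decrypted after export), as an added example that is not part of the thread or of the project's code. It assumes the exported JSON keeps the Microsoft Graph layout with an `omaSettings` array; the function name `Find-MaskedOmaSetting` and the sample file are constructed for illustration.

```powershell
# Added example, not the project's code. Assumes exported profiles keep the
# Microsoft Graph layout: an "omaSettings" array with displayName/omaUri/value.
function Find-MaskedOmaSetting {
    param(
        [Parameter(Mandatory)][string]$Path   # folder holding exported .json files
    )
    Get-ChildItem -Path $Path -Filter *.json -Recurse -File | ForEach-Object {
        $file = $_
        try {
            $config = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop |
                ConvertFrom-Json
        } catch {
            Write-Warning "Skipping unreadable file: $($file.FullName)"
            return   # inside ForEach-Object this moves on to the next file
        }
        foreach ($setting in @($config.omaSettings)) {
            if ($null -eq $setting) { continue }
            # A value consisting only of asterisks is the mask, not the real string
            if ("$($setting.value)" -match '^\*+$') {
                [pscustomobject]@{
                    File    = $file.Name
                    Profile = $config.displayName
                    Setting = $setting.displayName
                    OmaUri  = $setting.omaUri
                }
            }
        }
    }
}

# Constructed sample export: one masked setting, one clear-text setting
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'oma-export-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
{ "displayName": "Chrome policy (constructed)",
  "omaSettings": [
    { "displayName": "Masked", "omaUri": "./Device/Vendor/MSFT/Policy/Config/Example~Policy/SettingA", "value": "*****" },
    { "displayName": "Clear",  "omaUri": "./Device/Vendor/MSFT/Policy/Config/Example~Policy/SettingB", "value": "<enabled/>" }
  ] }
'@ | Set-Content -LiteralPath (Join-Path $dir 'sample.json')

# Lists only the "Masked" setting; any hit means the profile must be re-exported
Find-MaskedOmaSetting -Path $dir | Format-Table -AutoSize
```

Running this over an export folder before importing into another tenant flags profiles that would otherwise carry the literal mask into the target as the setting's value.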
