# ASD iOS Compliance Policy Check
The `asd-ioscomp-get.ps1` script is an automated compliance validation tool that checks your Microsoft Intune iOS/iPadOS compliance policies against the Australian Signals Directorate (ASD) Blueprint for Secure Cloud baseline requirements. It compares each policy setting with the recommended configuration and generates detailed compliance reports.

- **Script Version:** 1.0
- **Last Updated:** November 25, 2025
- **Author:** CIAOPS
- Overview
- Features
- Prerequisites
- Installation
- Usage
- Baseline Configuration
- Output Files
- Understanding Results
- Compliance Checks
- Troubleshooting
- Best Practices
- Integration with CI/CD
- Security Considerations
- FAQ
- References
## Features

### ✅ Automated Compliance Checking
- Compares Intune iOS compliance policies against ASD Blueprint baseline
- Validates all critical security settings
- Reports PASS/FAIL status for each setting

### ✅ Flexible Baseline Sources
- Download latest baseline from GitHub (default)
- Use custom local JSON baseline files
- Support for organization-specific baselines

### ✅ Comprehensive Reporting
- Professional HTML reports with visual dashboard
- Optional CSV export for data analysis
- Detailed logging for troubleshooting

### ✅ Multi-Policy Support
- Check all iOS compliance policies in tenant
- Target specific policy by name
- Compare multiple policies in single run

### ✅ Enterprise Features
- Microsoft Graph API integration
- Domain identification in reports
- Detailed audit logging
- Error handling and validation
## Prerequisites

- PowerShell 5.1 or later
  - Windows PowerShell 5.1
  - PowerShell 7+ (recommended)
- Microsoft.Graph PowerShell module

  ```powershell
  Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
  ```

Microsoft Graph API permissions:
- `DeviceManagementConfiguration.Read.All` (required), or the Global Reader role (minimum)
- `Organization.Read.All` (for domain identification)

Azure AD roles (minimum):
- Global Reader
- Intune Administrator (read-only)
- Security Reader

Network access:
- Internet connectivity to download baseline from GitHub
- Access to Microsoft Graph API endpoints:
  - https://graph.microsoft.com
  - https://login.microsoftonline.com

Supported platforms:
- Windows 10/11
- Windows Server 2016 or later
- macOS (with PowerShell 7+)
- Linux (with PowerShell 7+)
## Installation

Install the Microsoft Graph Authentication module:

```powershell
# Install the Microsoft Graph Authentication module
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force

# Verify installation
Get-Module Microsoft.Graph.Authentication -ListAvailable
```

**Option A: Clone the repository**

```powershell
git clone https://github.com/directorcia/office365.git
cd office365
```

**Option B: Direct download**

```powershell
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/directorcia/office365/master/asd-ioscomp-get.ps1" -OutFile "asd-ioscomp-get.ps1"
```

Review the script and your execution policy before running it:

```powershell
# Check script content
Get-Content .\asd-ioscomp-get.ps1 | Select-Object -First 20

# Review execution policy
Get-ExecutionPolicy

# Set execution policy if needed (the CurrentUser scope does not require elevation)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
```

## Usage

Run with default settings (GitHub baseline):
```powershell
.\asd-ioscomp-get.ps1
```

This will:
- Prompt for Microsoft Graph authentication
- Download the latest ASD baseline from GitHub
- Check all iOS compliance policies in your tenant
- Generate HTML report in parent directory
- Open report in default browser

Export results to CSV:

```powershell
.\asd-ioscomp-get.ps1 -ExportToCSV
```

Use custom baseline file:

```powershell
.\asd-ioscomp-get.ps1 -BaselinePath "C:\Baselines\custom-ios-baseline.json"
```

Check specific policy by name:

```powershell
.\asd-ioscomp-get.ps1 -PolicyName "ASD iOS Compliance"
```

Enable detailed logging:

```powershell
.\asd-ioscomp-get.ps1 -DetailedLogging
```

Custom output paths:

```powershell
.\asd-ioscomp-get.ps1 -HTMLPath "C:\Reports\ios-compliance.html" -CSVPath "C:\Reports\ios-compliance.csv" -ExportToCSV
```

Combined example:
```powershell
.\asd-ioscomp-get.ps1 -ExportToCSV -DetailedLogging -PolicyName "Production iOS Policy"
```

### Parameters

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| `-ExportToCSV` | Switch | No | False | Export results to CSV file |
| `-CSVPath` | String | No | Auto-generated | Custom path for CSV export |
| `-BaselinePath` | String | No | GitHub URL | Path or URL to baseline JSON |
| `-DetailedLogging` | Switch | No | False | Enable detailed logging to file |
| `-LogPath` | String | No | Auto-generated | Custom path for log file |
| `-HTMLPath` | String | No | Auto-generated | Custom path for HTML report |
| `-PolicyName` | String | No | (all policies) | Target specific policy by name |
## Baseline Configuration

The script uses the official ASD Blueprint baseline by default:
URL: https://raw.githubusercontent.com/directorcia/bp/main/Intune/Policies/ASD/ios-compliance.json
Baseline includes:
- Passcode requirements (15+ characters, alphanumeric)
- Device security settings (jailbreak detection)
- OS version requirements (iOS 14.8.1+)
- Threat protection settings
- Mobile threat defense configuration
Create a custom baseline JSON file following this structure:

```json
{
  "@odata.type": "#microsoft.graph.iosCompliancePolicy",
  "displayName": "Custom iOS Baseline",
  "description": "Custom compliance requirements",
  "passcodeRequired": true,
  "passcodeBlockSimple": true,
  "passcodeMinimumLength": 15,
  "passcodeRequiredType": "alphanumeric",
  "passcodeMinutesOfInactivityBeforeLock": 0,
  "passcodeExpirationDays": 365,
  "passcodePreviousPasscodeBlockCount": 5,
  "passcodeMinimumCharacterSetCount": 1,
  "securityBlockJailbrokenDevices": true,
  "deviceThreatProtectionEnabled": true,
  "deviceThreatProtectionRequiredSecurityLevel": "medium",
  "osMinimumVersion": "14.8.1",
  "osMinimumBuildVersion": "18H107",
  "managedEmailProfileRequired": false,
  "advancedThreatProtectionRequiredSecurityLevel": "medium"
}
```

Usage:

```powershell
.\asd-ioscomp-get.ps1 -BaselinePath "C:\Baselines\custom-ios-baseline.json"
```

## Output Files

### HTML Report

Location: Parent directory with timestamp (e.g., `asd-ioscomp-get-20251125-143022.html`)
Contents:
- Executive summary dashboard
  - Total checks performed
  - Pass/fail counts
  - Compliance percentage
  - Overall status
- Connected organization domain
- Generation timestamp
- Detailed results table
  - Policy name
  - Setting name
  - Current value
  - Required value
  - Compliance status
  - Reference links to ASD Blueprint

Features:
- Professional styling with color-coded results
- Responsive design for mobile viewing
- Sortable/filterable table
- Printable format
- Hover effects for better UX

Example Output:

```text
🛡️ ASD iOS Compliance Policy Report
Domain: contoso.onmicrosoft.com
Generated: 25 November 2025 - 14:30:22

Summary:
  Total Checks: 45
  Passed: 42
  Failed: 3
  Compliance: 93.33%
  Overall Status: NON-COMPLIANT
```
### CSV Export

Location: Parent directory with timestamp (e.g., `asd-ioscomp-get-20251125-143022.csv`)

Columns:
- Policy
- Setting
- CurrentValue
- RequiredValue
- Status

Usage:

```powershell
# Import and analyze in PowerShell
$results = Import-Csv "asd-ioscomp-get-20251125-143022.csv"
$results | Where-Object Status -eq "FAIL" | Format-Table

# Open in Excel for analysis
Invoke-Item "asd-ioscomp-get-20251125-143022.csv"
```

### Log File

Location: Parent directory with timestamp (e.g., `asd-ioscomp-get-20251125-143022.log`)
Enabled by: `-DetailedLogging` parameter

Contents:
- Timestamp for each operation
- Baseline loading details
- Graph API connection logs
- Policy retrieval information
- Setting comparison details
- Error messages and stack traces

Example log entries:

```text
[2025-11-25 14:30:15] [INFO] Loading baseline from: https://raw.githubusercontent.com/...
[2025-11-25 14:30:16] [INFO] Baseline loaded successfully
[2025-11-25 14:30:18] [INFO] Retrieved 3 iOS compliance policies
[2025-11-25 14:30:19] [INFO] Check [ASD iOS Policy] passcodeRequired - Current: True, Required: True, Status: PASS
[2025-11-25 14:30:19] [WARN] Check [ASD iOS Policy] passcodeMinimumLength - Current: 10, Required: 15, Status: FAIL
```
## Understanding Results

### PASS (✓)
- Current setting matches required value
- Setting is compliant with ASD baseline
- No action required

### FAIL (✗)
- Current setting does NOT match required value
- Setting is non-compliant
- Remediation required

### "Not set" vs Required Value
- Setting is not configured in policy
- Requires configuration to meet baseline
- May indicate default values in use

### Value Mismatches
- Current: `10` vs Required: `15`
- Current: `false` vs Required: `true`
- Current: `numeric` vs Required: `alphanumeric`

### Array/Object Comparisons
- Complex settings compared as JSON strings
- Arrays must match exactly (order matters)
- Empty arrays shown as `[]`
| Percentage | Status | Action Required |
|---|---|---|
| 100% | Fully Compliant | Maintain configuration |
| 95-99% | Nearly Compliant | Minor adjustments needed |
| 85-94% | Mostly Compliant | Several settings need attention |
| 70-84% | Partially Compliant | Significant gaps to address |
| <70% | Non-Compliant | Major remediation required |
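The result semantics above (PASS/FAIL, "Not set" for a missing setting, complex values compared as JSON strings, and the percentage bands) can be reproduced in a few lines. The following is an added illustration, not code from `asd-ioscomp-get.ps1`; the function names `Compare-IosPolicyToBaseline` and `Get-ComplianceSummary`, the `SkipProperties` list, and the sample baseline and policy objects are all constructed for this example (`restrictedApps` stands in for an array-valued setting):

```powershell
# Added example (not part of asd-ioscomp-get.ps1): a minimal comparison engine that mirrors
# the documented result semantics. All inputs below are constructed, not tenant data.

function Compare-IosPolicyToBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Baseline,   # baseline parsed from JSON (PSCustomObject)
        [Parameter(Mandatory)] $Policy,     # one iosCompliancePolicy object (e.g. from Graph)
        [string[]]$SkipProperties = @('@odata.type', 'id', 'displayName', 'description')  # metadata, not settings
    )

    foreach ($prop in $Baseline.PSObject.Properties) {
        if ($SkipProperties -contains $prop.Name) { continue }

        $required   = $prop.Value
        $policyProp = $Policy.PSObject.Properties[$prop.Name]   # $null when the setting is absent
        $current    = $null
        if ($null -ne $policyProp) { $current = $policyProp.Value }

        # Arrays and nested objects are compared as compact JSON strings, so element order matters
        $isComplex = ($required -is [array]) -or ($required -is [pscustomobject])

        if ($null -eq $required) {
            # A null requirement (e.g. osMaximumVersion) is met only when the policy also leaves it unset
            $requiredText = 'null'
            $currentText  = if ($null -eq $current) { 'Not set' } else { "$current" }
            $pass = ($null -eq $current)
        } elseif ($isComplex) {
            $requiredText = ConvertTo-Json -InputObject $required -Compress -Depth 10
            $currentText  = if ($null -eq $current) { 'Not set' } else { ConvertTo-Json -InputObject $current -Compress -Depth 10 }
            $pass = ($currentText -ceq $requiredText)
        } else {
            $requiredText = "$required"
            $currentText  = if ($null -eq $current) { 'Not set' } else { "$current" }
            $pass = ($currentText -eq $requiredText)
        }

        $status = if ($pass) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{
            Policy        = $Policy.displayName
            Setting       = $prop.Name
            CurrentValue  = $currentText
            RequiredValue = $requiredText
            Status        = $status
        }
    }
}

function Get-ComplianceSummary {
    param([Parameter(Mandatory)] [object[]]$Results)

    $total  = $Results.Count
    $passed = @($Results | Where-Object { $_.Status -eq 'PASS' }).Count
    $failed = $total - $passed
    $pct    = if ($total -gt 0) { [math]::Round(100 * $passed / $total, 2) } else { 0 }

    # Bands follow the compliance percentage table above
    $band = switch ($pct) {
        { $_ -eq 100 } { 'Fully Compliant'; break }
        { $_ -ge 95 }  { 'Nearly Compliant'; break }
        { $_ -ge 85 }  { 'Mostly Compliant'; break }
        { $_ -ge 70 }  { 'Partially Compliant'; break }
        default        { 'Non-Compliant' }
    }
    $overall = if ($failed -eq 0) { 'COMPLIANT' } else { 'NON-COMPLIANT' }

    [pscustomobject]@{
        TotalChecks       = $total
        Passed            = $passed
        Failed            = $failed
        CompliancePercent = $pct
        Band              = $band
        OverallStatus     = $overall
    }
}

# Constructed sample inputs: a short baseline and a policy that misses it in three different ways
$baselineJson = @'
{
  "@odata.type": "#microsoft.graph.iosCompliancePolicy",
  "displayName": "Custom iOS Baseline",
  "passcodeRequired": true,
  "passcodeMinimumLength": 15,
  "passcodeRequiredType": "alphanumeric",
  "securityBlockJailbrokenDevices": true,
  "osMinimumVersion": "14.8.1",
  "osMaximumVersion": null,
  "restrictedApps": []
}
'@
$policyJson = @'
{
  "@odata.type": "#microsoft.graph.iosCompliancePolicy",
  "id": "00000000-0000-0000-0000-000000000000",
  "displayName": "ASD iOS Policy",
  "passcodeRequired": true,
  "passcodeMinimumLength": 10,
  "passcodeRequiredType": "numeric",
  "osMinimumVersion": "14.8.1",
  "osMaximumVersion": null,
  "restrictedApps": []
}
'@

$results = Compare-IosPolicyToBaseline -Baseline ($baselineJson | ConvertFrom-Json) -Policy ($policyJson | ConvertFrom-Json)
$results | Format-Table -AutoSize
Get-ComplianceSummary -Results $results
```

On the constructed inputs the table shows a length mismatch, a type mismatch and a "Not set" failure for `securityBlockJailbrokenDevices`, while the null `osMaximumVersion` and the empty `restrictedApps` array both pass. The rows use the same column names as the CSV export above, so `$results | Export-Csv -NoTypeInformation` produces a compatible file; real policy objects come from `Invoke-MgGraphRequest ... -OutputType PSObject`.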
## Compliance Checks

### Passcode Settings

| Setting | ASD Requirement | Purpose |
|---|---|---|
| `passcodeRequired` | `true` | Enforce device passcode |
| `passcodeBlockSimple` | `true` | Block simple patterns |
| `passcodeMinimumLength` | `15` | Strong passcode length |
| `passcodeRequiredType` | `alphanumeric` | Complex passcode type |
| `passcodeMinutesOfInactivityBeforeLock` | `0` | Immediate lock on idle |
| `passcodeExpirationDays` | `365` | Annual passcode change |
| `passcodePreviousPasscodeBlockCount` | `5` | Prevent reuse |
| `passcodeMinimumCharacterSetCount` | `1` | Character diversity |

### Device Security

| Setting | ASD Requirement | Purpose |
|---|---|---|
| `securityBlockJailbrokenDevices` | `true` | Block compromised devices |
| `deviceThreatProtectionEnabled` | `true` | Enable mobile threat defense |
| `deviceThreatProtectionRequiredSecurityLevel` | `medium` | MTD threshold |

### OS Version

| Setting | ASD Requirement | Purpose |
|---|---|---|
| `osMinimumVersion` | `14.8.1` | Minimum iOS version |
| `osMinimumBuildVersion` | `18H107` | Specific security patches |
| `osMaximumVersion` | `null` | No maximum restriction |

### Advanced Threat Protection and Email

| Setting | ASD Requirement | Purpose |
|---|---|---|
| `advancedThreatProtectionRequiredSecurityLevel` | `medium` | Defender for Endpoint |
| `managedEmailProfileRequired` | `false` | Email profile requirement |
## Troubleshooting

**Cause:** Module not installed or not in module path

**Solution:**

```powershell
# Install the module
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force

# Verify installation
Get-Module Microsoft.Graph.Authentication -ListAvailable

# Import manually if needed
Import-Module Microsoft.Graph.Authentication
```

**Cause:** Authentication failure or network issues

**Solution:**

```powershell
# Disconnect and reconnect
Disconnect-MgGraph
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"

# Check connection
Get-MgContext

# Verify network connectivity
Test-NetConnection graph.microsoft.com -Port 443
```

**Cause:** Insufficient permissions
**Solution:**

- Verify you have the required permissions: `DeviceManagementConfiguration.Read.All`, or the Global Reader role
- Request admin consent if needed:

  ```powershell
  Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All" -UseDeviceCode
  ```

- Contact your tenant administrator for permission assignment
**Cause:** Network connectivity or GitHub access issues

**Solution:**

```powershell
# Test GitHub connectivity
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/directorcia/bp/main/Intune/Policies/ASD/ios-compliance.json" -UseBasicParsing

# Use local baseline file as fallback
.\asd-ioscomp-get.ps1 -BaselinePath "C:\Baselines\ios-compliance.json"

# Check proxy settings if behind corporate proxy
```

**Cause:** No iOS policies exist in tenant or filter issue

**Solution:**

- Verify policies exist in Intune portal
- Check Graph API connectivity:

  ```powershell
  Connect-MgGraph
  Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies"
  ```

- Ensure policies are iOS type (not Android/Windows)
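The raw request above returns every compliance policy in the tenant, one page at a time, and mixes platforms. The function below is an added example (not part of `asd-ioscomp-get.ps1`) that follows `@odata.nextLink` paging, reports how many policies of each type exist, and keeps only the iOS/iPadOS ones, so "no iOS policies found" can be told apart from a connectivity failure. The function name `Get-IosCompliancePolicies` is an assumption for this example; it requires an existing `Connect-MgGraph` session:

```powershell
# Added example (not part of asd-ioscomp-get.ps1): retrieve all compliance policies with paging,
# show which platforms exist in the tenant, then return only the iOS/iPadOS policies.

function Get-IosCompliancePolicies {
    [CmdletBinding()]
    param([string]$PolicyName)   # optional: return a single policy by display name

    if (-not (Get-MgContext)) {
        throw "Not connected to Microsoft Graph. Run: Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'"
    }

    $uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies'
    $all = @()
    do {
        # -OutputType PSObject keeps '@odata.type' addressable and the results Export-Csv friendly
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject -ErrorAction Stop
        $all += @($page.value)
        $uri  = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
    } while ($uri)

    # Diagnostic: a tenant that only has Android/Windows policies shows up here rather than as an error
    $all | Group-Object -Property '@odata.type' | ForEach-Object {
        Write-Verbose ("{0,3} policy(ies) of type {1}" -f $_.Count, $_.Name)
    }

    $ios = @($all | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.iosCompliancePolicy' })
    if ($PolicyName) {
        $ios = @($ios | Where-Object { $_.displayName -eq $PolicyName })
    }
    if ($ios.Count -eq 0) {
        Write-Warning "No iOS compliance policies found (total policies retrieved: $($all.Count))"
    }
    return $ios
}

# Usage (after Connect-MgGraph):
# Get-IosCompliancePolicies -Verbose | Select-Object displayName, id, osMinimumVersion
# Get-IosCompliancePolicies -PolicyName "ASD iOS Compliance"
```

Run it with `-Verbose` to see the per-platform counts; an empty result together with a non-zero total means the filter, not the connection, is the problem.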
**Cause:** Invalid or corrupted baseline JSON

**Solution:**

- Validate JSON syntax:

  ```powershell
  Get-Content baseline.json -Raw | ConvertFrom-Json
  ```

- Ensure `@odata.type` is `#microsoft.graph.iosCompliancePolicy`
- Re-download baseline from GitHub
- Check for manual edits that broke JSON structure
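The checks in this list can be done once, up front, whether the baseline comes from a local path or a URL (the two forms `-BaselinePath` accepts). The following loader is an added example and not the project's own code; the function name `Get-IosBaseline` and the temporary demonstration files it writes are constructed for this illustration:

```powershell
# Added example (not part of asd-ioscomp-get.ps1): load a baseline from a local path or URL
# and fail early on the problems listed above instead of somewhere inside the comparison.

function Get-IosBaseline {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string]$BaselinePath)

    # Fetch the raw text rather than letting Invoke-RestMethod parse it, so syntax errors surface here
    $raw = if ($BaselinePath -match '^https?://') {
        (Invoke-WebRequest -Uri $BaselinePath -UseBasicParsing -ErrorAction Stop).Content
    } else {
        if (-not (Test-Path -LiteralPath $BaselinePath -PathType Leaf)) {
            throw "Baseline file not found: $BaselinePath"
        }
        Get-Content -LiteralPath $BaselinePath -Raw -ErrorAction Stop
    }
    if ([string]::IsNullOrWhiteSpace($raw)) { throw "Baseline is empty: $BaselinePath" }

    try {
        $baseline = ConvertFrom-Json -InputObject $raw -ErrorAction Stop
    } catch {
        throw "Baseline is not valid JSON ($BaselinePath): $($_.Exception.Message)"
    }

    $expectedType = '#microsoft.graph.iosCompliancePolicy'
    $actualType   = $baseline.'@odata.type'
    if ($actualType -ne $expectedType) {
        throw "Baseline @odata.type is '$actualType', expected '$expectedType'"
    }

    # Null-valued settings only pass when the policy also leaves them unset; surface them to avoid surprises
    $nullSettings = @($baseline.PSObject.Properties | Where-Object { $null -eq $_.Value } | ForEach-Object Name)
    if ($nullSettings.Count -gt 0) {
        Write-Warning "Baseline settings with a null requirement: $($nullSettings -join ', ')"
    }

    return $baseline
}

# Constructed demonstration: one valid file and one truncated file written to the temp directory
$good = Join-Path ([IO.Path]::GetTempPath()) 'ios-baseline-demo.json'
@'
{ "@odata.type": "#microsoft.graph.iosCompliancePolicy", "passcodeMinimumLength": 15, "osMaximumVersion": null }
'@ | Set-Content -LiteralPath $good

$bad = Join-Path ([IO.Path]::GetTempPath()) 'ios-baseline-broken.json'
'{ "@odata.type": "#microsoft.graph.iosCompliancePolicy", "passcodeMinimumLength": 15, ' | Set-Content -LiteralPath $bad

(Get-IosBaseline -BaselinePath $good).passcodeMinimumLength
try { Get-IosBaseline -BaselinePath $bad } catch { Write-Host "Rejected: $($_.Exception.Message)" }
```

The same function accepts the default GitHub URL listed under Baseline Configuration, which makes it a drop-in way to confirm a downloaded baseline before relying on it.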
**Cause:** File permissions or path issues

**Solution:**

```powershell
# Confirm the parent directory exists (Test-Path does not verify write permission)
Test-Path -Path ".." -PathType Container

# Specify custom output path
.\asd-ioscomp-get.ps1 -HTMLPath "C:\Temp\report.html"

# Run PowerShell as administrator if needed
```

Enable verbose output for troubleshooting:

```powershell
# Enable PowerShell verbose output
$VerbosePreference = "Continue"
.\asd-ioscomp-get.ps1 -DetailedLogging -Verbose

# Review log file
Get-Content .\asd-ioscomp-get-*.log | Select-Object -Last 50
```

View the script's built-in help:

```powershell
# View script help
Get-Help .\asd-ioscomp-get.ps1 -Full

# View examples
Get-Help .\asd-ioscomp-get.ps1 -Examples

# View parameters
Get-Help .\asd-ioscomp-get.ps1 -Parameter *
```

## Best Practices

Schedule regular reviews:
```powershell
# Weekly compliance check
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 9am
$action  = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\asd-ioscomp-get.ps1 -ExportToCSV"
Register-ScheduledTask -TaskName "iOS Compliance Check" -Trigger $trigger -Action $action
```

Store custom baselines in version control:

```powershell
# Git workflow
git add custom-ios-baseline.json
git commit -m "Updated iOS baseline - increased passcode length to 16"
git push
```

If certain settings cannot meet baseline:
```powershell
# Document in compliance report
# Add notes to CSV export for audit trail (only the failing rows are written to the new file)
$results = Import-Csv report.csv
$results | Where-Object Status -eq "FAIL" |
    Add-Member -NotePropertyName "Exception" -NotePropertyValue "Business justification here" -PassThru |
    Export-Csv report-with-notes.csv -NoTypeInformation
```

Remediation workflow:
- Run compliance check
- Export failures to CSV
- Review with security team
- Use `asd-ioscomp-set.ps1` to apply compliant settings
- Re-run check to verify
```powershell
# Check compliance
.\asd-ioscomp-get.ps1 -ExportToCSV

# Review failures
Import-Csv .\asd-ioscomp-get-*.csv | Where-Object Status -eq "FAIL"

# Apply compliant settings (if safe to do so)
.\asd-ioscomp-set.ps1 -PolicyName "ASD iOS Compliance"

# Verify compliance
.\asd-ioscomp-get.ps1
```

For MSPs managing multiple tenants:

```powershell
# Loop through tenants
$tenants = @("contoso.onmicrosoft.com", "fabrikam.onmicrosoft.com")
foreach ($tenant in $tenants) {
    Write-Host "Checking compliance for $tenant"

    # Connect to tenant
    Connect-MgGraph -TenantId $tenant -Scopes "DeviceManagementConfiguration.Read.All"

    # Run check with tenant-specific output
    $timestamp = Get-Date -Format "yyyyMMdd-HHmmss"
    .\asd-ioscomp-get.ps1 -HTMLPath "C:\Reports\$tenant-$timestamp.html" -ExportToCSV

    # Disconnect
    Disconnect-MgGraph
}
```

## Integration with CI/CD

Azure DevOps pipeline:

```yaml
trigger:
  - main

pool:
  vmImage: 'windows-latest'

steps:
  - task: PowerShell@2
    inputs:
      targetType: 'inline'
      script: |
        Install-Module Microsoft.Graph.Authentication -Force -Scope CurrentUser
        Connect-MgGraph -TenantId $(TenantId) -ClientId $(ClientId) -CertificateThumbprint $(CertThumbprint)
        .\asd-ioscomp-get.ps1 -ExportToCSV -DetailedLogging

  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(Build.SourcesDirectory)'
      artifactName: 'ComplianceReports'
```

GitHub Actions workflow:

```yaml
name: iOS Compliance Check

on:
  schedule:
    - cron: '0 9 * * 1'  # Every Monday at 9 AM
  workflow_dispatch:

jobs:
  compliance-check:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v2

      - name: Install Microsoft Graph
        run: Install-Module Microsoft.Graph.Authentication -Force -Scope CurrentUser
        shell: pwsh

      - name: Run Compliance Check
        run: |
          Connect-MgGraph -TenantId ${{ secrets.TENANT_ID }} -ClientId ${{ secrets.CLIENT_ID }} -CertificateThumbprint ${{ secrets.CERT_THUMBPRINT }}
          .\asd-ioscomp-get.ps1 -ExportToCSV
        shell: pwsh

      - name: Upload Reports
        uses: actions/upload-artifact@v2
        with:
          name: compliance-reports
          path: '*.html'
```

Both pipelines authenticate with a certificate thumbprint, so the certificate's private key must be present in the certificate store of the agent or runner that executes the job.

## Security Considerations

Use certificate-based authentication for automation:

```powershell
# Create a certificate for the app registration (its public key must then be uploaded to the app)
$cert = New-SelfSignedCertificate -Subject "CN=ComplianceChecker" -CertStoreLocation "Cert:\CurrentUser\My" -KeySpec Signature

# Connect using certificate
Connect-MgGraph -ClientId "app-id" -TenantId "tenant-id" -CertificateThumbprint $cert.Thumbprint
```

Never store credentials in scripts:
- Use managed identities in Azure
- Use certificate-based authentication
- Store secrets in Azure Key Vault
- Use Windows Credential Manager for interactive runs
Grant minimum required permissions:
- Use `DeviceManagementConfiguration.Read.All` (read-only)
- Avoid Global Administrator role
- Use Azure AD PIM for time-limited access
- Audit permission usage regularly
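A read-only check should run under a read-only session. The function below is an added example, not part of the project, that inspects the current `Get-MgContext` before the check runs: it confirms the required scope is present and flags any write scope or broad `.All` scope beyond the ones this tool needs. The function name `Test-GraphLeastPrivilege` and the classification rules are assumptions made for this illustration:

```powershell
# Added example (not part of asd-ioscomp-get.ps1): verify the Graph session carries the read
# scope this check needs and nothing broader, before running the compliance check.

function Test-GraphLeastPrivilege {
    [CmdletBinding()]
    param(
        [string[]]$RequiredScopes = @('DeviceManagementConfiguration.Read.All'),
        [string[]]$OptionalScopes = @('Organization.Read.All')   # only needed for domain identification
    )

    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Not connected to Microsoft Graph.' }

    $granted = @($ctx.Scopes)
    $missing = @($RequiredScopes | Where-Object { $granted -notcontains $_ })

    # Anything that can write, or any tenant-wide scope beyond what this read-only check needs, is flagged
    $allowed = $RequiredScopes + $OptionalScopes
    $excess  = @($granted | Where-Object {
        ($_ -match '\.ReadWrite\.') -or (($_ -match '\.All$') -and ($_ -notin $allowed))
    })

    [pscustomobject]@{
        Account        = $ctx.Account
        AuthType       = $ctx.AuthType        # Delegated or AppOnly
        MissingScopes  = $missing
        ExcessScopes   = $excess
        LeastPrivilege = ($missing.Count -eq 0 -and $excess.Count -eq 0)
    }
}

# Usage: gate the compliance check on the session being sufficient and no broader than needed
$check = Test-GraphLeastPrivilege
if ($check.MissingScopes.Count -gt 0) {
    throw "Missing scopes: $($check.MissingScopes -join ', ')"
}
if ($check.ExcessScopes.Count -gt 0) {
    Write-Warning "Session is broader than this check needs: $($check.ExcessScopes -join ', ')"
}
$check
```

For app-only (certificate) sessions the scopes reported are the application permissions consented on the app registration, so the same check also catches an over-permissioned automation identity.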
Protect compliance reports:
- Store in secure locations
- Limit access to security team
- Encrypt reports if containing sensitive data
- Implement retention policies
## FAQ

**A:**
- Production: Weekly or after policy changes
- Development/Test: Daily or on-demand
- After incidents: Immediately
- Audit preparation: Before scheduled audits

**A:** Yes, with PowerShell 7+. Install PowerShell Core and the Microsoft.Graph module:

```powershell
# macOS
brew install powershell

# Linux (Ubuntu)
sudo apt-get install -y powershell

# Then install Graph module
pwsh -Command "Install-Module Microsoft.Graph.Authentication -Scope CurrentUser"
```

**A:** The script checks all iOS policies by default. Use `-PolicyName` to target a specific policy:

```powershell
.\asd-ioscomp-get.ps1 -PolicyName "Production iOS Policy"
```

**A:**
- Download the baseline JSON from GitHub
- Edit settings to match your requirements
- Run script with custom baseline:

  ```powershell
  .\asd-ioscomp-get.ps1 -BaselinePath "C:\custom-baseline.json"
  ```

**A:** Yes, use the companion script `asd-ioscomp-set.ps1` to create/update policies with compliant settings. Always review changes before applying.

**A:**
- Document business justification
- Create custom baseline excluding those settings
- Implement compensating controls
- Review with security team regularly

**A:** Yes, the script checks Intune policies regardless of co-management status. Ensure the device compliance workload is assigned to Intune.

**A:** Arrays and complex objects are compared as JSON strings. They must match exactly (including order) to pass. Review the HTML report for detailed current vs required values.
## References

- ASD Blueprint for Secure Cloud
- ASD Essential Eight
- Microsoft Intune Documentation
- Microsoft Graph API

Related scripts:
- asd-ioscomp-set.ps1 - Apply ASD iOS compliance settings
- asd-wincomp-get.ps1 - Windows compliance checking
- asd-wincomp-set.ps1 - Windows compliance configuration

iOS Compliance Policy Settings - Security Rationale
- [Link to comprehensive security rationale document]
- Explains why each setting matters
- Real-world attack scenarios
- Implementation guidance
- Source Code: https://github.com/directorcia/office365
- Wiki: https://github.com/directorcia/office365/wiki
- Issues: https://github.com/directorcia/office365/issues
- CIAOPS Blog: https://www.ciaops.com
- YouTube Channel: CIAOPS
- LinkedIn: Robert Crane
- Initial release
- Support for iOS/iPadOS compliance policies
- GitHub baseline integration
- HTML and CSV reporting
- Domain identification
- Detailed logging
- Multi-policy support
- Custom baseline support
Script provided as-is. Use at own risk. No guarantees or warranty provided.
© CIAOPS 2025
For issues, questions, or contributions:
- Open an issue on GitHub: https://github.com/directorcia/office365/issues
- Review the wiki for additional guidance
- Check existing issues for similar problems
- Contribute improvements via pull requests
Document Version: 1.0
Last Updated: November 25, 2025
Maintained by: CIAOPS