Mass Export of Intune Policies


If you are employed at an MSP or frequently set up Intune for various organizations, you likely find yourself configuring the same policies and profiles multiple times each month. The capability to bulk export and import your standard configuration policies will streamline your deployments, ensuring greater efficiency and consistency. This article outlines some methods to export your policies, and I will follow up with another piece on how to bulk import these policies. I contemplated updating my post from over two years ago (Export & Import settings catalog profiles between tenants with PowerShell and Graph API – SMBtotheCloud), but most of it would require a major rewrite, so I opted to create a new one.

Manually setting up your policies can be labor-intensive and error-prone. You may also wish to back up your existing policies, or if you’ve taken over a tenant with a disorganized set of policies, you might want to export them prior to making any adjustments.

Intune introduced the feature to export settings catalog profiles as JSON via the Intune dashboard some time ago, though this process must be completed one policy at a time, and it’s limited to certain platforms or policy types. Currently, it is only applicable to Windows Settings Catalog policies.

This option is suitable for a single policy or two, but another approach should be employed if you have numerous policies to export or are dealing with non-Windows settings catalog policies. I will discuss two additional methods in this post:

  1. Utilizing Edge/Chrome developer tools. This option is beneficial if you are wary of PowerShell or only need to export a few policies that do not support the Export JSON feature, unlike settings catalog policies.
  2. Employing PowerShell and the Graph API to download your policies as JSON files. This approach is considerably more efficient when exporting or backing up multiple policies.

Exporting Policies as JSON Using Edge Developer Tools

As previously mentioned, this method may serve as a solution if you possess only a handful of policies to export that do not allow for JSON export in the Intune dashboard. Log into your Intune dashboard and navigate to the policy section you wish to export. For this example, we will export an AV policy, as these do not natively support JSON exporting in the dashboard.

Open the Edge developer tools by pressing the F12 key.

Choose the Network tool and verify that the record button is red. This indicates it is capturing activity:

Return to the Intune dashboard, select the Intune policy you wish to capture and begin editing. You do not need to make any alterations (unless you choose to). After opening it, click through the various settings pages until you reach the Review page, then click Save.

After clicking Save, check the developer tools console. Look for an entry beginning with configurationPolicies (or the specific type of profile you just edited) and a request method of fetch:

Select that entry. You can confirm it’s the correct entry because it should have a request method of “PUT,” indicating it was updated, and will contain the entire body (even though no alterations were made).

Click on the Payload tab. Right-click the top level and select copy. This is the JSON representation of the configuration profile.

Open Notepad or any other text/code editor and paste the copied contents. You should see the profile’s description and name in the top two lines. The remainder of the JSON encompasses the policy settings:

Save your JSON file, and repeat the process for any additional policies. While this may not be the most effective method, it is certainly an option.

Additionally, the developer tools allow you to retrieve the Graph API resource. Most will fall under deviceManagement/configurationPolicies, though this may vary based on what you are exporting. For instance, custom OMA-URI policies can be found under deviceManagement/deviceConfigurations. Simply check the request URL found in the headers section of a GET or PUT request.

It’s important to note that not all custom OMA-URI policies can be exported/imported simply. For instance, if you are employing a custom OMA-URI policy to deploy a local account with a password, the password will be encrypted in the JSON upon export. This also applies to custom macOS mobileconfig policies. These exceptions will require manual creation or editing of the JSON file.
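Once you have a folder of JSON files exported through Graph, the check below lists the policies that fall under these exceptions so they can be handled by hand. It is an added example, not part of the original article or the linked script: `omaSettings`, `isEncrypted`, `omaUri`, `payloadFileName` and the `macOSCustomConfiguration` type name are Graph schema names, while the function name and the `C:\temp` root are assumptions.

```powershell
# Added example: property and type names are Graph schema names; the function
# name and the C:\temp path are assumptions for illustration.
function Find-ManualReviewPolicy {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -Filter *.json -Recurse -File | ForEach-Object {
        $file = $_
        try {
            $policy = Get-Content -LiteralPath $file.FullName -Raw | ConvertFrom-Json
        } catch {
            Write-Warning "Skipping $($file.FullName): not valid JSON"
            return   # inside ForEach-Object this moves on to the next file
        }
        # Custom OMA-URI profiles: every row in omaSettings has its own isEncrypted flag.
        foreach ($row in $policy.omaSettings) {
            if ($row.isEncrypted) {
                [pscustomobject]@{
                    File   = $file.FullName
                    Policy = $policy.displayName
                    Reason = "Encrypted OMA-URI value at $($row.omaUri)"
                }
            }
        }
        # Custom macOS profiles: the article lists these as needing manual handling too.
        if ($policy.'@odata.type' -eq '#microsoft.graph.macOSCustomConfiguration') {
            [pscustomobject]@{
                File   = $file.FullName
                Policy = $policy.displayName
                Reason = "Custom mobileconfig payload ($($policy.payloadFileName))"
            }
        }
    }
}

Find-ManualReviewPolicy -Root 'C:\temp' | Format-Table -AutoSize -Wrap
```

Files without an `omaSettings` array, such as Conditional Access or app protection exports, pass through without producing a row.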

Bulk Exporting All Policies/Profiles Using PowerShell

While experimenting with the Edge developer tools can be enjoyable, if you’re after efficiency, PowerShell is the way to go for exporting your policies. This script from GitHub will pull all of your Conditional Access policies, device configurations (both custom policies and templates), device configuration policies, App Protection Policies, and App Configuration Policies. These will be exported into their respective directories in the C:\temp folder on the machine running the script. This setup was sufficient for my needs, but the script can easily be modified to encompass additional policies or direct the JSON files to a different location. To illustrate, simply adjust the path and output variables for what you intend to export, as well as modify the URI to point to the appropriate resource:

# Android App Protection Policies
# Assumes an authenticated Microsoft Graph session (Connect-MgGraph)
$path = "C:\temp\androidManagedAppProtections"
New-Item -Path $path -ItemType Directory -Force
Write-Host -ForegroundColor Green "Exporting Android App Protection Policies to $path"
$uri = "https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections/"
# List the policies, then fetch each one by ID to get the full object
$response = Invoke-MgGraphRequest -Method GET -Uri $uri
$policyIds = $response.value.id
foreach ($policyId in $policyIds) {
    $policy = Invoke-MgGraphRequest -Method GET -Uri "$uri$policyId"
    $policyJson = $policy | ConvertTo-Json -Depth 10
    # displayName is free text; replace characters that are invalid in Windows file names
    $name = $policy.displayName -replace '[\\/:*?"<>|]', '_'
    $policyJson | Out-File -FilePath "$path\$name.json" -Encoding utf8
    Write-Host -ForegroundColor Yellow "Exported $name successfully"
}
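
A more general form of the snippet above, as an added example rather than the script the article links to: one function exports any Graph collection, follows `@odata.nextLink` paging so large tenants are not cut off at the first page, and appends the policy ID to the file name so two policies with the same display name do not overwrite each other. The function name `Export-GraphPolicySet` is hypothetical, and an existing `Connect-MgGraph` session is assumed.

```powershell
# Added example, not the linked GitHub script.
# Assumes an authenticated session (Connect-MgGraph) with read access to Intune.
function Export-GraphPolicySet {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$Path
    )
    New-Item -Path $Path -ItemType Directory -Force | Out-Null
    $base  = $Uri.TrimEnd('/')
    $count = 0
    $next  = $base
    while ($next) {
        # List responses are paged; keep following @odata.nextLink until it is absent.
        $page = Invoke-MgGraphRequest -Method GET -Uri $next
        foreach ($item in $page.value) {
            $policy = Invoke-MgGraphRequest -Method GET -Uri "$base/$($item.id)"
            # displayName is free text: replace characters Windows rejects in file
            # names, and add the ID so duplicate names cannot clobber each other.
            $safe = ($policy.displayName -replace '[\\/:*?"<>|]', '_').Trim()
            $file = Join-Path $Path "${safe}_$($item.id).json"
            $policy | ConvertTo-Json -Depth 20 | Out-File -FilePath $file -Encoding utf8
            $count++
        }
        $next = $page.'@odata.nextLink'
    }
    Write-Host -ForegroundColor Yellow "Exported $count item(s) to $Path"
}

# One entry per resource type; both collections are the ones named in this article.
$root  = 'C:\temp'
$graph = 'https://graph.microsoft.com/beta'
$sets  = [ordered]@{
    androidManagedAppProtections = "$graph/deviceAppManagement/androidManagedAppProtections"
    deviceConfigurations         = "$graph/deviceManagement/deviceConfigurations"
}
foreach ($name in $sets.Keys) {
    Export-GraphPolicySet -Uri $sets[$name] -Path (Join-Path $root $name)
}
```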

After the script completes, you’ll find a parent folder for each policy type under C:\Temp, along with a transcript log.

Here’s an example of the JSON output:

The script should wrap up in just a few seconds. Here’s how it appears during execution:

I will follow up shortly with a brief post and another script for importing the JSON files.


Updated on June 19, 2025