Monitor Apple VPP DEP and APNS expiration in Microsoft Intune

Apple tokens for Mobile Device Management like APNS certificates, DEP and VPP tokens need a renewal every 365 days. When an APNS certificate has expired you are forced to re-enroll all of your MDM managed apple devices. To avoid any headaches I put together a few lines of PowerShell which monitor the expiration with Azure automation and send a notification to Microsoft teams or email.

Script

The script is intended to run recurring on Azure automation. And I recommend to setup a schedule which runs the script once a week. The script checks the following apple tokens and triggers the teams notification if it expires in less than the configured number of days:

Push Notification certificate
DEP (Device Enrollment Program) tokens
VPP (Volume Purchase Program) tokens

Hint: You can setup multiple DEP and VPP tokens in your Intune tenant.

The triggered notification is delivered to Microsoft Teams as message card with some details about the token

Prerequisites

In order to get the monitoring up and running you need at least:

Azure automation account (ideally with a service principal), if you need a guide to set up an automation account read follow this article
An incoming webhook for your Microsoft Teams team which will receive the notifications OR an email account to send mails
The script from my Github techblog repository

Create a Microsoft Teams Webhook

Navigate to your desired teams channel which should receive the notifications and add a new incoming webhook:

Script Configuration

(Optional) modify the days before you will receive a notification:
Add the generated teams webhook URL to the script
Choose one of the available authentication options to Microsoft Graph and ensure that the Graph permissions "DeviceManagementServiceConfig.Read.All" and "DeviceManagementApps.Read.All" are granted to the app registration:
- Service Principal (setup with this documentation)
- App based authentication (setup with this documentation)
- Service account (add the credentials to the automation account)
(Optional) you can also enable email notifications if you do not like teams notifications.
Add the script to your automation account:
Import the Microsoft.Graph.Intune PowerShell module from the module gallery:
Configure a schedule to run the script recurring. I'd recommend to run it once a week.

The Script in action

Last but not least let's test the script. To check if a notification gets triggered and delivered successfully you can also increase the threshold value (number of days).

Happy apple token monitoring!

Monitor Apple token expiration in Intune

Nicola Suter

Nicola Suter

Script

Prerequisites

Create a Microsoft Teams Webhook

Script Configuration

The Script in action

Managing the new Microsoft Edge Browser with Intune

Prevent Intune devices from getting the Microsoft search (Bing) plugin

Deploy fonts to Intune managed Windows 10 devices

Connecting to foreign Intune tenants with Microsoft Graph and PowerShell

Blogging year 2019 in numbers