Monitor Apple token expiration in Intune

Apple tokens for Mobile Device Management like APNS certificates, DEP and VPP tokens need a renewal every 365 days. When an APNS certificate has expired you are forced to re-enroll all of your MDM managed apple devices. To avoid any headaches I put together a few lines of PowerShell which monitor the expiration with Azure automation and send a notification to Microsoft teams or email.

Script

The script is intended to run recurring on Azure automation. And I recommend to setup a schedule which runs the script once a week. The script checks the following apple tokens and triggers the teams notification if it expires in less than the configured number of days:

• Push Notification certificate
• DEP (Device Enrollment Program) tokens
• VPP (Volume Purchase Program) tokens

Hint: You can setup multiple DEP and VPP tokens in your Intune tenant.

Prerequisites

In order to get the monitoring up and running you need at least:

• Azure automation account (ideally with a service principal), if you need a guide to set up an automation account read follow this article
• An incoming webhook for your Microsoft Teams team which will receive the notifications OR an email account to send mails
• The script from my Github techblog repository

Create a Microsoft Teams Webhook

Navigate to your desired teams channel which should receive the notifications and add a new incoming webhook:

Script Configuration

1. (Optional) modify the days before you will receive a notification:
2. Add the generated teams webhook URL to the script
3. Choose one of the available authentication options to Microsoft Graph and ensure that the Graph permissions "DeviceManagementServiceConfig.Read.All" and "DeviceManagementApps.Read.All" are granted to the app registration:
   • Service Principal (setup with this documentation)
   • App based authentication (setup with this documentation)
   • Service account (add the credentials to the automation account)
4. (Optional) you can also enable email notifications if you do not like teams notifications.
5. Add the script to your automation account:
6. Import the Microsoft.Graph.Intune PowerShell module from the module gallery:
7. Configure a schedule to run the script recurring. I'd recommend to run it once a week.

The Script in action

Last but not least let's test the script. To check if a notification gets triggered and delivered successfully you can also increase the threshold value (number of days).

Happy apple token monitoring!