Openclaw Intune Skill
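A comprehensive skill that lets an OpenClaw agent fully manage Microsoft Intune through the Graph API. It covers devices, applications, policies, compliance, users, groups, reporting, Autopilot, scripts, and remote actions.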
Installation / Download
TotalClaw CLI (recommended)
```
totalclaw install totalclaw:mattiacirillo~openclaw-intune-skill
```
cURL (direct download, no login required)
```
curl -fsSL https://skills.taituai.com/api/skills/totalclaw%3Amattiacirillo~openclaw-intune-skill/file -o openclaw-intune-skill.md
```
Git repository (get the source)
```
git clone https://github.com/openclaw/skills/commit/3447db7cdfdcdc935384abfdc842205b11197c9a
```
## Original text
# Microsoft Intune – Complete Management Skill
This skill gives the agent **full control over Microsoft Intune** via the Microsoft Graph API. It covers device management, application deployment, compliance & configuration policies, user & group management, Autopilot, PowerShell scripts, reporting, and all remote device actions.
---
## 🔑 Authentication
Before ANY Intune operation, the agent MUST obtain an OAuth 2.0 access token.
The following environment variables must be configured:
- `INTUNE_TENANT_ID` – Microsoft 365 Tenant ID
- `INTUNE_CLIENT_ID` – Entra ID App Registration Client ID
- `INTUNE_CLIENT_SECRET` – Entra ID App Registration Secret
### Token Request
**POST** `https://login.microsoftonline.com/{INTUNE_TENANT_ID}/oauth2/v2.0/token`
**Body (x-www-form-urlencoded):**
```
client_id={INTUNE_CLIENT_ID}
&scope=https://graph.microsoft.com/.default
&client_secret={INTUNE_CLIENT_SECRET}
&grant_type=client_credentials
```
Extract `access_token` from the JSON response. Use it as:
```
Authorization: Bearer <access_token>
```
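An added example, not part of the skill itself: the token request above built with proper form encoding, so a client secret containing `&`, `+` or `=` does not corrupt the body, and with the tenant value validated before it is placed in the URL path. The function names are hypothetical; only the standard library is used.

```python
import json
import re
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# A tenant is a GUID or a domain name; reject anything else so the value
# cannot change the URL path or host.
_TENANT = re.compile(r"[A-Za-z0-9.-]{1,253}")


def build_token_request(env):
    """Build (not send) the client-credentials POST from the three variables."""
    tenant = env["INTUNE_TENANT_ID"]
    if not _TENANT.fullmatch(tenant):
        raise ValueError("INTUNE_TENANT_ID has unexpected characters")
    form = {
        "client_id": env["INTUNE_CLIENT_ID"],
        "scope": "https://graph.microsoft.com/.default",
        "client_secret": env["INTUNE_CLIENT_SECRET"],
        "grant_type": "client_credentials",
    }
    # urlencode percent-escapes '&', '+' and '=' inside values; pasting a
    # generated secret into the body unescaped would split or alter it.
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL.format(tenant=tenant), data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def extract_token(response_body):
    """Return access_token, or raise with the OAuth error code only."""
    doc = json.loads(response_body)
    if "access_token" not in doc:
        # Report the error code, never the request (it holds the secret).
        raise RuntimeError("token request failed: %s" % doc.get("error", "unknown"))
    return doc["access_token"]


def fetch_token(env):
    """Send the request (network call) and return the bearer token."""
    with urllib.request.urlopen(build_token_request(env), timeout=10) as resp:
        return extract_token(resp.read())
```

Call `fetch_token(os.environ)` in real use; keep the returned token and the secret out of logs and chat output.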
### Required API Permissions (App Registration)
The Entra ID App Registration needs the following Microsoft Graph **Application** permissions:
- `DeviceManagementManagedDevices.ReadWrite.All`
- `DeviceManagementConfiguration.ReadWrite.All`
- `DeviceManagementApps.ReadWrite.All`
- `DeviceManagementServiceConfig.ReadWrite.All`
- `DeviceManagementRBAC.ReadWrite.All`
- `Directory.Read.All`
- `User.Read.All`
- `Group.ReadWrite.All`
- `GroupMember.ReadWrite.All`
---
## 🛡️ Safety Rules (CRITICAL)
1. **Read operations (GET):** Always safe. Execute without confirmation.
2. **Sync/Restart operations:** Ask for confirmation: *"Soll ich Gerät X wirklich syncen/neustarten?"*
3. **Destructive operations (Wipe, Retire, Delete):** ALWAYS require explicit confirmation. Say: *"⚠️ Achtung: Das löscht alle Daten auf dem Gerät. Bist du sicher?"*
4. **Policy creation/modification:** Confirm before applying: *"Soll ich diese Policy wirklich erstellen/ändern?"*
5. **Never dump raw JSON** to the user. Always format output as readable Markdown tables or summaries.
6. **Error handling:** If an API call returns an error, explain the error in simple German and suggest a fix.
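An added example, not part of the skill itself: one way to enforce these rules in code before a request is sent, instead of relying on the agent to follow them. The function names and tier labels are hypothetical; the action names are the ones this page lists under Remote Actions, and treating write actions the rules do not name as needing confirmation is an assumption.

```python
import re
from urllib.parse import urlsplit

# Confirmation tiers derived from the page's Safety Rules.
NONE, CONFIRM, EXPLICIT, DOUBLE = "none", "confirm", "explicit", "double"

# Action segments the page lists under "Remote Actions on a Device".
_ACTION_TIERS = {"syncDevice": CONFIRM, "rebootNow": CONFIRM,
                 "retire": EXPLICIT, "wipe": DOUBLE}
_POLICY = re.compile(
    r"/(deviceCompliancePolicies|configurationPolicies|deviceConfigurations)(/|$)")


def required_confirmation(method, url):
    """Return the confirmation tier a Graph call needs before it is sent."""
    parts = urlsplit(url)
    # Fail closed on anything that is not the Graph host the page uses,
    # including look-alike hosts and userinfo tricks.
    if parts.scheme != "https" or parts.hostname != "graph.microsoft.com":
        raise ValueError("refusing non-Graph URL: %r" % url)
    method = method.upper()
    if method == "GET":
        return NONE                      # rule 1: reads need no confirmation
    if method == "DELETE":
        return EXPLICIT                  # rule 3: deletes are destructive
    last = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if last in _ACTION_TIERS:
        return _ACTION_TIERS[last]       # rules 2 and 3; wipe is asked twice
    if _POLICY.search(parts.path):
        return CONFIRM                   # rule 4: policy create/modify
    # Assumption: write actions the rules do not name (remoteLock,
    # resetPasscode, ...) still need one confirmation.
    return CONFIRM


def gate(method, url, confirmations):
    """True if enough human confirmations were collected for this call."""
    needed = {NONE: 0, CONFIRM: 1, EXPLICIT: 1, DOUBLE: 2}
    return confirmations >= needed[required_confirmation(method, url)]
```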
---
## 📱 1. Device Management
### 1.1 List All Managed Devices
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices`
Use `$select` to limit fields: `?$select=deviceName,operatingSystem,complianceState,lastSyncDateTime,userPrincipalName`
Present results as a table: | Gerätename | OS | Compliance | Letzter Sync | Benutzer |
### 1.2 Search for a Specific Device
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=deviceName eq '{deviceName}'`
Alternative search by user: `?$filter=userPrincipalName eq '{user@domain.com}'`
### 1.3 Get Device Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}`
Show: Device name, Serial number, OS version, Compliance state, Encryption status, Last sync, Enrolled date, Primary user.
### 1.4 Remote Actions on a Device
#### Sync Device
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/syncDevice`
#### Reboot Device
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/rebootNow`
#### Lock Device (Remote Lock)
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/remoteLock`
#### Reset Passcode
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/resetPasscode`
#### Locate Device (Lost Mode – iOS/Android)
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/locateDevice`
#### Retire Device (Remove Company Data Only)
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/retire`
⚠️ SAFETY: Requires explicit user confirmation!
#### Wipe Device (Factory Reset)
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/wipe`
⚠️ SAFETY: ALWAYS ask twice! This deletes ALL data!
#### Delete Device from Intune
**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}`
⚠️ SAFETY: Requires explicit user confirmation!
#### Rename Device
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/setDeviceName`
Body: `{"deviceName": "NEW-NAME"}`
#### Enable/Disable Lost Mode (iOS supervised)
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/enableLostMode`
Body: `{"message": "Dieses Gerät wurde als verloren gemeldet.", "phoneNumber": "+49...", "footer": "Kaffee & Code IT"}`
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/{managedDeviceId}/disableLostMode`
---
## 📋 2. Compliance Policies
### 2.1 List All Compliance Policies
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies`
Present as: | Policy Name | Platform | Created | Last Modified |
### 2.2 Get Compliance Policy Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}`
### 2.3 Get Compliance Policy Assignments
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/assignments`
### 2.4 Get Device Compliance Status per Policy
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}/deviceStatuses`
### 2.5 Create a Compliance Policy
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies`
⚠️ SAFETY: Confirm before creating.
### 2.6 Delete a Compliance Policy
**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/{policyId}`
⚠️ SAFETY: Requires explicit user confirmation!
---
## ⚙️ 3. Configuration Policies & Profiles
### 3.1 List Configuration Policies (Recommended API)
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies`
This is the modern, recommended endpoint covering Endpoint Security, Administrative Templates, and Settings Catalog.
### 3.2 List Legacy Device Configuration Profiles
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations`
### 3.3 Get Configuration Policy Details
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}`
### 3.4 Get Policy Settings
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/settings`
### 3.5 Get Policy Assignments
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}/assignments`
### 3.6 Get Device Status per Config Profile
**GET** `https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{configId}/deviceStatuses`
### 3.7 Create Configuration Policy
**POST** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies`
⚠️ SAFETY: Confirm before creating.
### 3.8 Delete Configuration Policy
**DELETE** `https://graph.microsoft.com/v1.0/deviceManagement/configurationPolicies/{policyId}`
⚠️ SAFETY: Requires explicit user confirmation!
---
## 📦 4. App Management
### 4.1 List All Apps
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps`
Present as: | App Name | Type | Publisher | Created |
### 4.2 Get App Details
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}`
### 4.3 Get App Assignments (Who gets the app?)
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/{appId}/assignments`
### 4.4 List App Configuration Policies
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppPolicies`
### 4.5 List App Protection Policies (MAM)
**GET** `https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistratio