Use the Microsoft Graph API and the Android Device Provisioning Partner API to automatically replace profile tokens for Android Enterprise dedicated devices

As a follow-up to my last blog post about automatically replacing profile tokens for Android Enterprise dedicated devices, I’ve now done the same thing, but instead of the Samsung KME API I’m using the Android Device Provisioning Partner API (the zero-touch enrollment API).

Components

  • Azure Key Vault
  • Logic Apps

Get-ZeroTouchRefreshToken

<#
.SYNOPSIS
    Script to get a refresh token for the Android Device Provisioning Partner API for unattended access.
.DESCRIPTION
    This script uses the client_id and client_secret from the downloaded client_secret*.json file together with an interactive login to generate an authorization code. The authorization code is then exchanged, together with the client_id and client_secret, for a refresh token. Before you can use this script you need to set up API access in the Google Cloud Console, create OAuth client credentials and download the client_secret*.json file.

    Run this script manually. Start part 1 after adding the path to the downloaded client_secret*.json file. Start part 2 after adding the authorization code from the redirect URL in the browser.

    Follow the instructions on the Google developer site to turn on the zero-touch enrollment API: https://developers.google.com/zero-touch/guides/customer/quickstart/dotnet

    The refresh token is a long-lived credential that gives the same access to your zero-touch customer account as the user who consented. Put it straight into Azure Key Vault (the Logic App reads it from there) and treat the client_secret*.json file the same way; neither belongs in a script, a repo or a runbook variable in clear text.
.NOTES
    Written by: Tobias Renström
    Blog: https://cloudnstuff.com/
    Version: 1.0
#>

## Part 1
# Path to the downloaded client_secret*.json file
$authJsonPath = ""

$zeroTouchAuthJson = Get-Content -Path $authJsonPath -Raw | ConvertFrom-Json
$zeroTouchClientId = $zeroTouchAuthJson.web.client_id
$zeroTouchClientSecret = $zeroTouchAuthJson.web.client_secret
# Must be registered as an authorized redirect URI on the OAuth client in the Google Cloud Console
$redirectUrl = "http://localhost/oauth2callback"
$scope = "https://www.googleapis.com/auth/androidworkzerotouchemm"

# access_type=offline together with prompt=consent is what makes Google return a refresh token.
# redirect_uri and scope are URL-encoded so the query string is valid even though both contain reserved characters.
$authUrl = "https://accounts.google.com/o/oauth2/auth" +
    "?redirect_uri=$([uri]::EscapeDataString($redirectUrl))" +
    "&client_id=$zeroTouchClientId" +
    "&scope=$([uri]::EscapeDataString($scope))" +
    "&include_granted_scopes=true&prompt=consent&access_type=offline&response_type=code"
Start-Process msedge.exe -ArgumentList "$authUrl -inprivate"

## Part 2
# Copy the 'code' (authorization code) from the redirected URL in the browser and put it here
$authorizationCode = ""

$requestUri = "https://oauth2.googleapis.com/token"
$requestBody = @{
    code          = $authorizationCode
    client_id     = $zeroTouchClientId
    client_secret = $zeroTouchClientSecret
    redirect_uri  = $redirectUrl
    grant_type    = "authorization_code"
}

# A hashtable body is sent as application/x-www-form-urlencoded, which is what the token endpoint expects
$tokens = Invoke-RestMethod -Method Post -Uri $requestUri -ContentType "application/x-www-form-urlencoded" -Body $requestBody
$refreshToken = $tokens.refresh_token
if (-not $refreshToken) {
    throw "No refresh_token in the response. Re-run part 1 (the consent prompt must be shown) and use a fresh authorization code; each code can only be exchanged once."
}
# Clipboard only, never written to disk: paste it into the Key Vault secret the Logic App reads, then clear the clipboard
$refreshToken | Set-Clipboard

Logic Apps

Note: See my last blog post, mentioned at the beginning of this post, for how to set up the Microsoft Graph API part of the Logic App (getting the Intune token and reading the enrollment profile token).

(Screenshot of the Logic App: uupdatezerotouchtoken-logicapps)

Android Device Provisioning Partner API

HTTP – Get Zero Touch Google token

  • HTTP method: POST
  • Request URL: https://oauth2.googleapis.com/token
  • Header Content-Type: application/x-www-form-urlencoded
  • Request body: grant_type=refresh_token&client_id=<zeroTouchClientId (Compose)>&client_secret=<zeroTouchClientSecret (Compose)>&refresh_token=<zeroTouchRefreshToken (Get secret)>?['value']

The refresh token comes from Key Vault via the Get secret action. Note that the client secret held in a Compose action ends up in clear text in the run history of every run; either read it from Key Vault the same way as the refresh token or turn on Secure Inputs and Secure Outputs on this HTTP action (and on the Parse JSON that follows it, since the response carries the access token).

HTTP – Get Zero Touch customer name

  • HTTP method: GET
  • Request URL: https://androiddeviceprovisioning.googleapis.com/v1/customers?pageSize=1
  • Header Authorization: Bearer <Parse JSON – Parse Zero Touch Google token response body (body)>?['access_token']

This call, like every other call to the Android Device Provisioning Partner API in the flow, is authenticated with the Google access token from the previous step, not with the Intune Graph token. The response is a list of the customer accounts the consenting user can manage; pageSize=1 assumes there is exactly one.

Compose – customerName

first(body('Parse_JSON_-_Parse_Zero_Touch_customer_name_response_body_')?['customers'])?['name']

The name has the form customers/<id> and is used as the path prefix for the configuration calls below.

Filter array – Get Zero Touch configuration

  • From: <Parse JSON – Parse Zero Touch configurations response body (body)>?['configurations']
  • Condition: item()?['configurationName'] is equal to <zeroTouchConfigurationName (Initialize variable)>

The configurations list is the response of a GET to https://androiddeviceprovisioning.googleapis.com/v1/<customerName (Compose)>/configurations with the same Bearer header as above. The filter selects the configuration by its display name, so the name in the variable has to match the name in the zero-touch portal exactly.

Compose – configurationId

first(body('Filter_array_-_Get_Zero_Touch_configuration'))?['configurationId']

Compose – zeroTouchEnrollmentToken

json(first(body('Filter_array_-_Get_Zero_Touch_configuration'))?['dpcExtras'])?['android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE']?['com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN']

Compose – Replace token value in dpcExtras

replace(first(body('Filter_array_-_Get_Zero_Touch_configuration'))?['dpcExtras'], outputs('Compose_-_zeroTouchEnrollmentToken'), outputs('Compose_-_intuneEnrollmentToken'))

This is a plain string substitution over the whole dpcExtras string, so it relies on the previous Compose actually resolving the old token (the key path above) and on that token appearing only once in dpcExtras.

HTTP – Update Intune token for Zero Touch configuration

  • HTTP method: PATCH
  • Request URL: https://androiddeviceprovisioning.googleapis.com/v1/<customerName (Compose)>/configurations/<configurationId (Compose)>?updateMask=dpcExtras
  • Header Authorization: Bearer <Parse JSON – Parse Zero Touch Google token response body (body)>?['access_token']
  • Request body: <Update Intune token for Zero Touch configuration JSON body (Compose)>

With updateMask=dpcExtras only the dpcExtras field of the body is written, so the body is a configuration JSON object whose dpcExtras field carries the output of Compose – Replace token value in dpcExtras; the other fields of the configuration (name, DPC, company name, contact details) are left untouched.
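The Logic App actions above, written as one PowerShell script for the Azure Automation variant mentioned in the summary. This is an added example and not code from the post: the function and parameter names and the sample dpcExtras at the end are assumptions, while the endpoints, scope, query parameters and dpcExtras keys are the ones used on this page. It differs from the Logic App in one place: instead of a string replace() it edits the parsed dpcExtras JSON, so a missing key is an error rather than a silent no-op, and it skips the PATCH when the token is already current.

```powershell
# Added example (not the blog's own code). Mirrors the Logic App steps as PowerShell functions.
# Assumed: function/parameter names and the constructed sample dpcExtras below.

# Step 1: refresh token -> short-lived access token (the "HTTP - Get Zero Touch Google token" action)
function Get-ZeroTouchAccessToken {
    param(
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret,
        [Parameter(Mandatory)][string]$RefreshToken
    )
    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        client_secret = $ClientSecret
        refresh_token = $RefreshToken
    }
    $resp = Invoke-RestMethod -Method Post -Uri 'https://oauth2.googleapis.com/token' `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
    return $resp.access_token
}

# Step 2: swap the enrollment token inside dpcExtras (the two Compose actions).
# Works on the parsed JSON instead of a string replace: a missing key throws, and nothing
# else in the bundle is touched. Pure function, runs offline.
function Set-DpcExtrasEnrollmentToken {
    param(
        [Parameter(Mandatory)][string]$DpcExtras,
        [Parameter(Mandatory)][string]$NewToken
    )
    $bundleKey = 'android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE'
    $tokenKey  = 'com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN'

    $extras = $DpcExtras | ConvertFrom-Json
    $bundle = $extras.$bundleKey
    if ($null -eq $bundle -or $null -eq $bundle.$tokenKey) {
        throw "dpcExtras does not contain $bundleKey / $tokenKey; refusing to patch"
    }
    $old = $bundle.$tokenKey
    $bundle.$tokenKey = $NewToken
    [pscustomobject]@{
        OldToken  = $old
        DpcExtras = ($extras | ConvertTo-Json -Depth 10 -Compress)
    }
}

# Step 3: resolve customer and configuration, then PATCH only dpcExtras (the HTTP actions).
function Update-ZeroTouchEnrollmentToken {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$ConfigurationName,
        [Parameter(Mandatory)][string]$NewToken
    )
    $base    = 'https://androiddeviceprovisioning.googleapis.com/v1'
    $headers = @{ Authorization = "Bearer $AccessToken" }

    # customers?pageSize=1 returns the customer resource name, e.g. customers/123
    $customers = (Invoke-RestMethod -Uri "$base/customers?pageSize=1" -Headers $headers).customers
    if (-not $customers) { throw 'No zero-touch customer visible to this account; check whose refresh token this is' }
    $customer = $customers[0].name

    $configs = (Invoke-RestMethod -Uri "$base/$customer/configurations" -Headers $headers).configurations
    $config  = @($configs | Where-Object configurationName -eq $ConfigurationName)
    if ($config.Count -ne 1) {
        throw "Expected exactly one configuration named '$ConfigurationName', found $($config.Count)"
    }
    $config = $config[0]

    $swap = Set-DpcExtrasEnrollmentToken -DpcExtras $config.dpcExtras -NewToken $NewToken
    if ($swap.OldToken -eq $NewToken) { return 'unchanged' }   # re-runs are idempotent: no PATCH

    # updateMask=dpcExtras means only that field of the body is applied
    $uri  = "$base/$customer/configurations/$($config.configurationId)?updateMask=dpcExtras"
    $body = @{ dpcExtras = $swap.DpcExtras } | ConvertTo-Json -Compress
    Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers -ContentType 'application/json' -Body $body | Out-Null
    return 'updated'
}

# Offline check on a constructed sample dpcExtras (not real data), so the swap can be verified
# without calling Google. The live flow is Get-ZeroTouchAccessToken -> Update-ZeroTouchEnrollmentToken.
$sampleDpcExtras = '{"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"OLD-TOKEN-SAMPLE"}}'
$swap = Set-DpcExtrasEnrollmentToken -DpcExtras $sampleDpcExtras -NewToken 'NEW-TOKEN-SAMPLE'
"Old token: $($swap.OldToken)"
"New dpcExtras: $($swap.DpcExtras)"
```

In an Azure Automation runbook, take the client id, client secret and refresh token from Key Vault at run time (for example with Get-AzKeyVaultSecret -AsPlainText under the automation account's managed identity) rather than from runbook variables, and pass the Intune enrollment token from the Graph part covered in the previous post as -NewToken.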

Summary

This is an example of how you can automate this. If you don't want to use Logic Apps you can build the same flow in PowerShell and run it with Azure Automation; I have a working PowerShell solution as well, but I prefer Logic Apps for automating this. To understand all the parts, I recommend reading my first blog post, linked at the beginning of this post.

Thanks and inspiration

Ruud – Connect to Google API with Powershell — LazyAdmin