Introduction
Your users carry iPhones but spend most of their workday on Windows devices. When Apple releases an iOS update, Intune can flag non-compliance – but the built-in notifications on iOS are often overlooked and don’t have the same visibility or urgency as alerts on a user’s primary work device.
The solution: cross-platform automation. By combining two PowerShell solutions – one that monitors iOS versions in Microsoft Intune and maintains dynamic user groups, and another that delivers branded Windows toast notifications – you can automatically alert Windows users when their iOS devices need updating.
The Challenge
- iOS devices must stay updated to meet security and compliance requirements
- Many users spend most of their workday on Windows devices
- Native iOS notifications often lack visibility and urgency, leading to missed updates
- Organizations need an automated, cross-platform solution to ensure timely updates
The Solution
Component 1: Get-IntuneUsersAndDevicesFromGroups.ps1
Repository: https://github.com/imabdk/Get-IntuneUsersAndDevicesFromGroups
Purpose: Identify iOS devices below a specified OS version and add their primary users to a dedicated Entra ID security group for targeted notifications.
Credit: Developed in collaboration with Christian Frohn (https://christianfrohn.dk)
Key Features:
- Queries Microsoft Intune for enrolled iOS devices
- Filters devices based on an iOS version threshold (e.g., iOS 26)
- Extracts primary user details for accurate targeting
- Dynamically updates Entra ID security groups
- Provides the foundation for delivering Windows toast notifications to the right users
Component 2: Toast Notification Script
Repository: https://github.com/imabdk/Toast-Notification-Script
Purpose: Delivers Windows toast notifications via Intune Remediations.
Key Features:
- Native Windows toast notifications with actionable buttons
- Seamless integration with Intune Remediations
- Multi-language support for global environments
- Flexible scheduling using the WeeklyMessage feature
- Professional UI with custom branding for corporate consistency
Technical Implementation
Azure Automation Account Configuration
To run Get-IntuneUsersAndDevicesFromGroups.ps1 on a schedule, you’ll need an Azure Automation Account.
- Create the Automation Account
  - Follow Microsoft’s official guide: Create a standalone Azure Automation account | Microsoft Learn
- Enable Managed Identity
  - The script requires a system-assigned managed identity for authentication. Reference: Using a system-assigned managed identity for an Azure Automation account | Microsoft Learn
- Assign Microsoft Graph Permissions
  - After enabling the managed identity, grant the necessary Graph API permissions for iOS device management
  - Use the helper script here: Set-ManagedIdentityGraphPermissions.ps1
  - Update the managedIdentityName variable with the name of your Automation Account
- Add the required modules to the Automation Account:
  - Microsoft.Graph.Authentication
  - Microsoft.Graph.DeviceManagement
  - Microsoft.Graph.Groups
  - Microsoft.Graph.Users
- Create a new runbook:
  - Paste the Full Script: copy the entire script from Get-IntuneUsersAndDevicesFromGroups.ps1 into your Azure Automation Account runbook.
  - Configure Variables: modify the variables in the script to match your environment or pass them as parameters via the Automation Account. Tip: For simplicity, you can hardcode them directly in the runbook.
  - Create a Schedule: set up a schedule that fits your needs. Example: Run daily before the toast notification deployment from Intune. This ensures device discovery happens first, followed by user notifications.
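To make the runbook's job concrete, here is an added illustration (written for this article, not the Get-IntuneUsersAndDevicesFromGroups.ps1 script itself) of the core loop it performs: query Intune for iOS devices, compare each OS version against a threshold, and keep an Entra ID group in sync with the primary users of the outdated devices. It assumes the Microsoft.Graph modules listed above are imported, a system-assigned managed identity with read access to managed devices and write access to group membership, and a pre-existing group whose name ($TargetGroupName) is a placeholder.

```powershell
# Added example, not the project's own code. Syncs primary users of outdated
# iOS devices into an Entra ID group that the toast notification is targeted at.
param(
    [version]$MinimumIosVersion = '26.0',               # devices below this are "outdated"
    [string]$TargetGroupName  = 'SG-iOS-Update-Required' # placeholder group name
)

Connect-MgGraph -Identity -NoWelcome   # system-assigned managed identity of the Automation Account

# Intune reports osVersion as a string ("26", "18.6.2"); [version] needs at least major.minor,
# so normalise before comparing instead of doing a lexical string compare ("9" > "26").
function ConvertTo-IosVersion {
    param([string]$Raw)
    $parts = @(($Raw -split '\.')[0..2] | Where-Object { $_ -match '^\d+$' })
    if ($parts.Count -lt 2) { $parts += '0' }
    return [version]($parts -join '.')
}

# Only iOS devices, only those with a parseable version below the threshold
$outdated = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'iOS'" -All |
    Where-Object { $_.OSVersion -and (ConvertTo-IosVersion $_.OSVersion) -lt $MinimumIosVersion }

# Primary user of each outdated device (skip devices with no assigned user)
$wantedUserIds = @($outdated | Where-Object UserId | Select-Object -ExpandProperty UserId -Unique)

$group      = Get-MgGroup -Filter "displayName eq '$TargetGroupName'"
$currentIds = @((Get-MgGroupMember -GroupId $group.Id -All).Id)

# Add users whose devices lag behind; remove users whose devices have caught up,
# so the toast stops once the device is updated.
foreach ($id in $wantedUserIds | Where-Object { $_ -notin $currentIds }) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $id
    Write-Output "Added user $id to $TargetGroupName"
}
foreach ($id in $currentIds | Where-Object { $_ -notin $wantedUserIds }) {
    Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $id
    Write-Output "Removed user $id from $TargetGroupName"
}
```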
Toast Notification Script
Next up is to use the complete Toast Notification Script with Microsoft Intune.
- Configure the Detection script file to the Detect-ToastNotification.ps1: Toast-Notification-Script/Detect-ToastNotification.ps1 at master · imabdk/Toast-Notification-Script
- Configure the Remediation script file to the Remediate-ToastNotification.ps1: Toast-Notification-Script/Remediate-ToastNotification.ps1 at master · imabdk/Toast-Notification-Script
- Make sure the $Config parameter in both scripts points to a new config file dedicated to this purpose
- Feel free to use my example at: https://toast.imab.dk/config-toast-iosupdate.xml
- Assign the script to the $TargetGroupName used with Get-IntuneUsersAndDevicesFromGroups.ps1. Configure the script to run daily, but AFTER the schedule selected for the Automation Account
- Example: If you run the Get-IntuneUsersAndDevicesFromGroups.ps1 at 8AM, run the Toast Notification Script at 1PM
ENJOY 🙂