microsoftconnect / intune-app-wrapping-tool-ios

This is the software for the Intune App Wrapping Tool for iOS.

[question] LOB App Always Wants Microsoft Logon #102

Closed berkanaslan closed 1 year ago

berkanaslan commented 1 year ago

I have implemented my Flutter project with the wrapping tool of Microsoft Intune for both Android and iOS and added them to Intune as LOB apps.

When I open the wrapped app, Microsoft login page opens over the web view and if I log in to my Microsoft account, I can continue to use the application with no issues. Yey!

The wrapped app has already been automatically installed on the device thanks to the Company Portal application, and all the management certificates that Company Portal needs are installed on the device. That's why the Microsoft login page is a burden for app policy control.

Is there any way to get rid of this?

I wrapped apps as below:

Android:

```powershell
# Load the Intune App Wrapping Tool module
Import-Module "C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool\IntuneAppWrappingTool.psm1"
# Build the release APK
flutter build apk
# Wrap the APK with the Intune MAM SDK
invoke-AppWrappingTool -InputPath build/app/outputs/apk/release/app-release.apk -OutputPath build/app/outputs/apk/release/wrapped.apk -Verbose
# Align the wrapped APK, then re-sign it (wrapping invalidates the original signature)
zipalign.exe -p -f -v 4 build/app/outputs/apk/release/wrapped.apk build/app/outputs/apk/release/latest.apk
apksigner.bat sign --ks \android\upload-keystore.jks build/app/outputs/apk/release/latest.apk
```

iOS:

```shell
# Build the IPA using the export options plist
flutter build ipa --export-options-plist ios/export.plist
# Wrap the IPA with the Intune MAM packager, re-signing with the given provisioning profile and certificate SHA1
./IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager -i ../build/ios/ipa/tpi_leading_edge_mobile.ipa -o ../build/ios/ipa/latest.ipa -p ".mobileprovision file path here" -c "SHA1_HERE" -v true
```

Additional information: the app does not use MSAL. It has its own authentication via Okta.

gastaffo commented 1 year ago

Wrapped apps require MAM policy to be applied before the SDK will allow access. For the SDK to get policy it must have the user log in with their AAD account so we can get their policy configuration and apply it.

The company portal management certs don't really interact with the SDK much. In this particular case you install the app via CP or any app deployment solution and we would still require the log in so we can enforce policy.

If you want to have the flexibility to not have the user log into their Intune account until policy is needed to protect app data, then I would suggest integrating the SDK manually instead of wrapping.

berkanaslan commented 1 year ago

As I understand it, if a policy is needed to protect app data, even the app with the manually integrated Intune SDK would ask for AAD login, right?

gastaffo commented 1 year ago

Yes. The user's Intune account would be in an AAD tenant, so we would need to have them sign in to get an AAD token. I think there might be ways to integrate the AAD flow into your custom auth but I'm not 100% on that.

@vigavadi Do you know if that's possible?

berkanaslan commented 1 year ago

It would be great to know the email used to login to AAD, as they log in to both the AAD and the mobile app with Okta. Knowing the token obtained after logging into Okta would be even more awesome! Using Email and Access Token I can completely replace the in-app log-in process.

But I thought, even if there is a way for it, I don't think it is possible using the Wrapping Tool; I think you are talking about a way on the manually integrated SDK. I have successfully integrated the Intune SDK for iOS, but for Android the documentation is too complex and not suitable for Flutter. Yes I know, there is a way to integrate the Android SDK into Flutter but... how... (That's not a question for you. :))

gastaffo commented 1 year ago

It appears that there isn't currently support for seamless auth between Okta and AAD. The user will have to enter the credentials at least once.

berkanaslan commented 1 year ago

> It appears that there isn't currently support for seamless auth between Okta and AAD. The user will have to enter the credentials at least once.

So, how long is authentication not required for app policy once logged in (I mean cached)? Is there any way to increase that time?

Feel free to close the issue if there is no way to achieve it. Thanks.

gastaffo commented 1 year ago

It is configurable and it can be quite long. Though I'm no expert in that area in particular.

These docs would be a good starting place. https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow