microsoftconnect / ms-intune-app-sdk-android

Intune App SDK for Android enables data protection features and mobile app management via Microsoft Intune

Android - Getting "You can get there from Here message" #206

Closed rashidkhan2487 closed 2 months ago

rashidkhan2487 commented 5 months ago

Intune Android App SDK Policy Enforcement Issue

Questions to Ask Before Submission

  1. Have you completed the exit criteria for each phase in the Intune App SDK for Android Integration Guide? Yes
  2. Have you checked the Microsoft Intune App SDK for Android repository for similar issues? Yes
  3. Are you using the latest version of the SDK? yes

Summary

Each phase of the Intune App SDK for Android Integration Guide outlines specific exit criteria for proceeding to subsequent phases.

Please reference the specific exit criteria scenario that is failing.

Repro Steps

Implemented the Intune SDK in Android. Assigned Conditional Access at the app level with "Require approved client apps or app protection policy". Installed the app on the Android device. On startup the app asked for a Microsoft login. After entering valid Microsoft credentials I get this error:

(screenshot attached: MicrosoftTeams-image (1))


Expected: the user should have been logged in, or should have been asked to install a valid app.

Observed: the device is reported as not supporting the Conditional Access policies.

Details

Logs

Log.zip

Company Portal Logs

Incident ID:



mcsimons commented 5 months ago

Hi @rashidkhan2487, it appears you have opened this issue before and were given some steps to follow to support the Conditional Access requirements. Can you confirm that you followed that guidance? Those requirements can be found here: https://github.com/msintuneappsdk/ms-intune-app-sdk-android/issues/195#issuecomment-1839513775

rashidkhan2487 commented 5 months ago

@mcsimons yes, I followed all the guidance from the previous ticket, still no success.

The actual scenario is something like this:

We are a product-based company, let's say A. We have our Android app, in which we have implemented the Android MSAL and MAM SDKs. Now company B, who is using our app, has their own Intune configuration; when their users try to log in to the app they get the above error. The error code we are getting is

53002 | ApplicationUsedIsNotAnApprovedApp.

mcsimons commented 5 months ago

@rashidkhan2487 thanks for clarifying. Can you share the incident ID for the Company Portal logs after reproducing the scenario? That will just be the ID that appears after you click "Upload Logs Only". The attached zip file above seems to be missing some of the key files we use to investigate. https://learn.microsoft.com/en-us/mem/intune/user-help/send-logs-to-your-it-admin-by-email-android

rashidkhan2487 commented 5 months ago

@mcsimons incident ID is 8S522Y9D

mcsimons commented 5 months ago

@rashidkhan2487 from the logs provided it appears that the redirect URI is incorrect. See "Declaring support for App Protection CA" in our integration guide: https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-android-phase7#declaring-support-for-app-protection-ca

Please check you have declared support for App Protection CA correctly.

From the logs: {"error":"invalid_client","error_description":"The redirect URI '********' specified in the request does not match the redirect URIs configured for the application '*******'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this."}
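The redirect-URI mismatch above is usually a signing-certificate problem: the MSAL broker redirect URI is derived from the hash of the certificate the APK is actually signed with, so a debug build, a release build and a Play App Signing build each produce a different URI. The following is an added example, not code from the issue or from the Intune SDK, that computes the URI the device will present and compares it with the value configured in the app (the `redirect_uri` in the MSAL configuration JSON and the `BrowserTabActivity` intent filter). It assumes the documented MSAL Android format `msauth://<package>/<URL-encoded Base64(SHA-1(signing certificate DER))>`; the helper names are my own.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.util.Base64
import android.util.Log
import java.net.URLEncoder
import java.security.MessageDigest

// Pure function so it can be unit-tested off-device with a known certificate.
// Format assumed from the MSAL Android docs:
//   msauth://<package>/<URL-encoded Base64(SHA-1(signing cert DER))>
fun brokerRedirectUri(packageName: String, signingCertDer: ByteArray): String {
    val sha1 = MessageDigest.getInstance("SHA-1").digest(signingCertDer)
    val hash = Base64.encodeToString(sha1, Base64.NO_WRAP)
    // The Base64 hash can contain '/', '+' and '=', hence the URL encoding.
    return "msauth://$packageName/${URLEncoder.encode(hash, "UTF-8")}"
}

// DER-encoded signing certificates of the running APK (API 28+; hypothetical helper).
fun currentSigningCerts(context: Context): List<ByteArray> {
    val info = context.packageManager.getPackageInfo(
        context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
    val signingInfo = info.signingInfo ?: return emptyList()
    val sigs = if (signingInfo.hasMultipleSigners()) signingInfo.apkContentsSigners
               else signingInfo.signingCertificateHistory
    return sigs.map { it.toByteArray() }
}

// True when the configured redirect URI is one the installed APK will actually send.
// A false result is what AAD reports as "invalid_client ... redirect URI does not match".
fun redirectUriMatches(context: Context, configuredRedirectUri: String): Boolean {
    val expected = currentSigningCerts(context)
        .map { brokerRedirectUri(context.packageName, it) }
    val ok = configuredRedirectUri in expected
    if (!ok) Log.w("IntuneCA", "configured $configuredRedirectUri, device would send $expected")
    return ok
}
```

Run `redirectUriMatches()` once at startup in a debug build and log the result; every URI it reports must also be registered under the app registration in the Azure portal, otherwise the broker flow fails exactly as in the logs above even though `PublicClientApplication.create()` succeeds.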

rashidkhan2487 commented 5 months ago

@mcsimons if this is the case, shouldn't I be getting this error or exception in the Android code, as an MSAL exception, when we call PublicClientApplication.create()?

Interestingly, when I run this code under the work profile, where I install the app via managed Google Play, I am able to log in successfully. The only issue is when I install the app in the public profile and try to log in to the Intune portal, which is called through the acquireToken() call; then I am not able to log in.

rashidkhan2487 commented 5 months ago

@mcsimons any comment on exception to be caught on app code side?

mcsimons commented 5 months ago

@rashidkhan2487 That is not something that is in our control; that is within MSAL. You should double-check what I linked above and your MSAL implementation: https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-android-phase2#brokered-authentication

rashidkhan2487 commented 5 months ago

@mcsimons I applied the above solution as provided by you; now, after that, I am getting this error:

"com.microsoft.identity.client.exception.MsalIntuneAppProtectionPolicyRequiredException: AADSTS53005: Application needs to enforce Intune protection policies. Trace ID: 944df5ff-cce4-4a51-8594-fc94ddf33000 Correlation ID: 279abea2-e6ea-45f8-8d9f-876b0cddad58 Timestamp: 2024-02-02 17:34:10Z"

I also called remediateCompliance:

```kotlin
// Poster's snippet, reformatted: remediate, then register the account for MAM.
val complianceManager = MAMComponents.get(MAMComplianceManager::class.java)
complianceManager!!.remediateCompliance(upn, aadId, tenantId, authority, true)
mEnrollmentManager?.registerAccountForMAM(upn, aadId, tenantId, authorityURL)
```

But I don't see that the policies have been applied. For example, I have a policy in place to restrict the user from copying and pasting, but I am able to copy and paste data from my app to another app.

Any solution how to handle this

rashidkhan2487 commented 4 months ago

@mcsimons any suggestion for the above scenario

rashidkhan2487 commented 4 months ago

@mcsimons I tried with another user on a different device and I am still getting the error (I did apply all the changes you suggested). Attached is the log: Logs.zip

The incident IDs are HKYDCBSN and QECW4Y7V.

@mcsimons can you please look at this incident and let me know what is the issue

bannus commented 4 months ago

@rashidkhan2487 The logs don't show any evidence that remediateCompliance() is being called. Please ensure the code that calls this method is getting invoked in your app after receiving the MsalIntuneAppProtectionPolicyRequiredException, and also ensure that you are providing the correct parameter values.
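For reference, this is the shape of the flow the response above is asking for: catch the AADSTS53005 exception from acquireToken(), call remediateCompliance() with the values carried on the exception rather than hand-built ones, and only retry the token request after the SDK reports COMPLIANT. It is an added example, not the poster's code or the Intune SDK's own sample; the MSAL and Intune SDK class names, package paths and the exception getters (`accountUpn`, `accountUserId`, `tenantId`, `authorityUrl`) are as I recall them from MSAL 4.x and the phase 7 guide and should be checked against the versions in use. `IntuneLoginFlow` and the tag are my own names.

```kotlin
import android.app.Activity
import android.util.Log
import com.microsoft.identity.client.AcquireTokenParameters
import com.microsoft.identity.client.AuthenticationCallback
import com.microsoft.identity.client.IAuthenticationResult
import com.microsoft.identity.client.IPublicClientApplication
import com.microsoft.identity.client.exception.MsalException
import com.microsoft.identity.client.exception.MsalIntuneAppProtectionPolicyRequiredException
import com.microsoft.intune.mam.client.app.MAMComponents
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiver
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiverRegistry
import com.microsoft.intune.mam.policy.MAMComplianceManager
import com.microsoft.intune.mam.policy.MAMComplianceStatus
import com.microsoft.intune.mam.policy.notification.MAMComplianceNotification
import com.microsoft.intune.mam.policy.notification.MAMNotificationType

private const val TAG = "IntuneCA"  // hypothetical log tag

class IntuneLoginFlow(private val activity: Activity,
                      private val pca: IPublicClientApplication,
                      private val scopes: List<String>) {

    fun signIn() {
        val params = AcquireTokenParameters.Builder()
            .startAuthorizationFromActivity(activity)
            .withScopes(scopes)
            .withCallback(callback)
            .build()
        pca.acquireToken(params)
    }

    private val callback = object : AuthenticationCallback {
        override fun onSuccess(result: IAuthenticationResult) {
            Log.i(TAG, "token acquired for ${result.account.username}")
        }
        override fun onCancel() { Log.i(TAG, "user cancelled sign-in") }
        override fun onError(e: MsalException) {
            if (e is MsalIntuneAppProtectionPolicyRequiredException) {
                // AADSTS53005: AAD will not issue a token until app protection
                // policy is enforced, so remediate and retry instead of failing.
                remediate(e)
            } else {
                Log.e(TAG, "acquireToken failed: ${e.errorCode}", e)
            }
        }
    }

    private fun remediate(e: MsalIntuneAppProtectionPolicyRequiredException) {
        // Register for the outcome before starting remediation so it cannot be missed.
        MAMComponents.get(MAMNotificationReceiverRegistry::class.java)
            ?.registerReceiver(complianceReceiver, MAMNotificationType.COMPLIANCE_STATUS)

        // Take every parameter from the exception; mismatched UPN/AAD ID/tenant/authority
        // is one way the remediation call never shows up in Company Portal logs.
        val upn = e.accountUpn
        val aadId = e.accountUserId
        val tenantId = e.tenantId
        val authority = e.authorityUrl
        Log.i(TAG, "remediateCompliance upn=$upn tenant=$tenantId authority=$authority")
        MAMComponents.get(MAMComplianceManager::class.java)
            ?.remediateCompliance(upn, aadId, tenantId, authority, /* showUX = */ true)
    }

    private val complianceReceiver = MAMNotificationReceiver { notification ->
        val n = notification as MAMComplianceNotification
        when (n.complianceStatus) {
            MAMComplianceStatus.COMPLIANT -> {
                Log.i(TAG, "policy applied; retrying token request")
                signIn()   // the retry should now succeed and policy (e.g. clipboard) is in force
            }
            else -> Log.e(TAG, "remediation failed: ${n.complianceStatus} " +
                               "${n.complianceErrorTitle}: ${n.complianceErrorMessage}")
        }
        true  // notification handled
    }
}
```

Two practical checks follow from this: the Log.i line before remediateCompliance() gives you something to look for in your own logcat next to the Company Portal logs when the SDK team says remediation is not visible, and since remediation may restart the app process, registering the compliance receiver at application startup rather than only in the activity avoids losing the COMPLIANT notification.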

meghandaly commented 2 months ago

@rashidkhan2487 closing this issue since it has not been updated. Please refer to @bannus' response.