microsoftconnect / ms-intune-app-sdk-android

Intune App SDK for Android enables data protection features and mobile app management via Microsoft Intune
45 stars 18 forks source link

Android - Getting "You can get there from Here message" #206

Closed rashidkhan2487 closed 7 months ago

rashidkhan2487 commented 10 months ago

Intune Android App SDK Policy Enforcement Issue

Questions to Ask Before Submission

  1. Have you completed the exit criteria for each phase in the Intune App SDK for Android Integration Guide? Yes
  2. Have you checked the Microsoft Intune App SDK for Android repository for similar issues? Yes
  3. Are you using the latest version of the SDK? yes

Summary

Each phase of the Intune App SDK for Android Integration Guide outlines specific exit criteria for proceeding to subsequent phases.

Please reference the specific exit criteria scenario that is failing.

Repro Steps

Implemented the intune sdk in android. Assign the conditional access to the app level "Require approved client apps or app protection policy". Install the app on the android device On startup app asked microsoft login. After entering valid microsoft credential getting this error

MicrosoftTeams-image (1)

Please provide concrete steps to reproduce the issue you are encountering.

  1. Implemented the intune sdk in android. Assign the conditional access to the app level "Require approved client apps or app protection policy". Install the app on the android device On startup app asked microsoft login. After entering valid microsoft credential getting this error

Expectation: Should have logged in the user or should have asked a valid app to install.

Observation: Device not supporting the conditional access policies.

Details

Logs

Log.zip

Company Portal Logs

Incident ID:

For guidance, see Report a problem in Company Portal or Intune app for Android.

Screenshots and Recordings

Log.zip

If screenshots and/or recordings would help explain the behavior, please include them here.

AndroidX Dependencies

If your app includes any AndroidX libraries, please list them here, along with the version info:

Third-Party Library Dependencies

If your app includes any third-party libraries, please list them here, along with the version info:

mcsimons commented 9 months ago

Hi @rashidkhan2487, it appears you have opened this issue before and were given some steps to follow to support the Conditional Access requirements. Can you confirm that you followed that guidance? Those requirements can be found here: https://github.com/msintuneappsdk/ms-intune-app-sdk-android/issues/195#issuecomment-1839513775

rashidkhan2487 commented 9 months ago

@mcsimons yes I followed all the guidance from the previous ticket still no success.

The actual scenario is something like this

We are a product-based company let's say A We have our android app we have implemented Android MSAL and MAM sdk. Now company B who is using our app has their own intune configuration when they try to login into the app they are getting the above error. Error code we are getting is

53002 | ApplicationUsedIsNotAnApprovedApp.

mcsimons commented 9 months ago

@rashidkhan2487 thanks for clarifying. Can you share the incident ID for the Company Portal logs after reproducing the scenario? That will just be the ID that appears after you click "Upload Logs Only". The attached zip file above seems to be missing some of the key files we use to investigate. https://learn.microsoft.com/en-us/mem/intune/user-help/send-logs-to-your-it-admin-by-email-android

rashidkhan2487 commented 9 months ago

@mcsimons incident ID is 8S522Y9D

mcsimons commented 9 months ago

@rashidkhan2487 from the logs provided it appears that the redirect URI is incorrect. See "Declaring support for App Protection CA" in our integration guide: https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-android-phase7#declaring-support-for-app-protection-ca

Please check you have declared support for App Protection CA correctly.

From logs {"error":"invalid_client","error_description": The redirect URI '********' specified in the request does not match the redirect URIs configured for the application '*******'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

rashidkhan2487 commented 9 months ago

@mcsimons if this is the case shouldn't I be getting this error or exception in the android code when we call PublicClientApplication.create() under MSAL Exception.

Interestingly when I run this code under work profile where I install the app via managed google play I am able to login succesfully. Only issue is when I installed the app on the public profile and try to login to intune portal which is called through acquireToken() call I am not able to login

rashidkhan2487 commented 9 months ago

@mcsimons any comment on exception to be caught on app code side?

mcsimons commented 9 months ago

@rashidkhan2487 That is not something that is in our control that is within MSAL. You should double check what I am linked above and your MSAL implementation - https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-android-phase2#brokered-authentication

rashidkhan2487 commented 9 months ago

@mcsimons I applied the above solution as provided by you now after that I am getting this error

"com.microsoft.identity.client.exception.MsalIntuneAppProtectionPolicyRequiredException: AADSTS53005: Application needs to enforce Intune protection policies. Trace ID: 944df5ff-cce4-4a51-8594-fc94ddf33000 Correlation ID: 279abea2-e6ea-45f8-8d9f-876b0cddad58 Timestamp: 2024-02-02 17:34:10Z"

I also called the remidiateCompliance

val complianceManager = MAMComponents.get(MAMComplianceManager::class.java) complianceManager!!.remediateCompliance(upn, aadId, tenantId, authority, true mEnrollmentManager?.registerAccountForMAM(upn, aadId, tenantId, authorityURL)

   But I don't see the policies have been applied. For e.g I have a policy in place to restrict user from copy and paste but I am able to copy paste data from my app to another app.

Any solution how to handle this

rashidkhan2487 commented 9 months ago

@mcsimons any suggestion for the above scenario

rashidkhan2487 commented 9 months ago

@mcsimons I tried with other user on different device I am still getting the error (I did applied all the changes you suggested) Attached is the log Logs.zip

Incident are HKYDCBSN and QECW4Y7V

@mcsimons can you please look at this incident and let me know what is the issue

bannus commented 9 months ago

@rashidkhan2487 The logs don't show any evidence that remediateCompliance() is being called. Please ensure the code that calls this method is getting invoked in your app after receiving the MsalIntuneAppProtectionPolicyRequiredException, and also ensure that you are providing the correct parameter values.

meghandaly commented 7 months ago

@rashidkhan2487 closing this issue since it has not been updated. Please refer to @bannus' response.