microsoftconnect / ms-intune-app-sdk-ios

Intune App SDK for iOS enables data protection and mobile app management features in iOS mobile apps with Microsoft Intune

Issue implementing App Protection CA #438

Open macdja38 opened 1 month ago

macdja38 commented 1 month ago

Describe the bug: After implementing App Protection CA support, login is blocked when the app is opened, even though Microsoft Authenticator is installed and the device is shown as registered.

To Reproduce: Steps to reproduce the behavior:

  1. Create a conditional access policy with "Require app protection policy." enabled.
  2. Log in to the app with Microsoft.

Expected behavior: The first time, the app should redirect to Microsoft Authenticator so the device can be registered. Subsequent login attempts should work smoothly.

wangxiaoms commented 1 month ago

Hi, can you follow the procedure below to support brokered authentication with Microsoft Authenticator? The Redirect URI format is msauth.://auth. https://learn.microsoft.com/en-us/entra/msal/objc/single-sign-on-macos-ios#sso-through-authentication-broker-on-ios

macdja38 commented 1 month ago

We already have both the Redirect URI and the callback implemented.

I also tried copying the Chatr sample app's configuration:

    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleTypeRole</key>
            <string>Viewer</string>
            <key>CFBundleURLIconFile</key>
            <string>logo</string>
            <key>CFBundleURLName</key>
            <string>xxxxxxxxxxx</string>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
                <string>$(PRODUCT_BUNDLE_IDENTIFIER)-intunemam</string>
                <string>msauth.$(PRODUCT_BUNDLE_IDENTIFIER)</string>
                <string>msauth.$(PRODUCT_BUNDLE_IDENTIFIER)-intunemam</string>
            </array>
        </dict>
    </array>

byhkalo commented 1 month ago

@wangxiaoms @macdja38 we have exactly the same issue on our side. CFBundleURLSchemes are configured properly.

Precondition:

Steps to reproduce from our side:

  1. User logs in the first time properly. MSAL -> MAM -> application restart requested from the IntuneMAM side.
  2. User logs out from the application (we log them out from IntuneMAM too).
  3. User logs in again (without an app restart).
  4. User will see this screen with

Workaround: If the user kills the application after step 2, everything will be fine.

byhkalo commented 1 month ago

For users without Conditional Access, everything is working fine.

wangxiaoms commented 1 month ago

@macdja38, can you provide a sample app? I can test to see if I can repro.

wangxiaoms commented 2 weeks ago

Closing because of inactivity; you can still reply to reopen. We will need a sample app for us to test and troubleshoot.

macdja38 commented 2 weeks ago

We'll be providing a sample app soon!

How much documentation do you need about setting up the sample app and configuring the IDs required in the Microsoft Azure portal?

wangxiaoms commented 2 weeks ago

Hi, please provide detailed information.

macdja38 commented 1 week ago

https://github.com/fellowapp/intune-demo-project

Hopefully the instructions in the README are clear enough. If you have any problems or questions, let me know!

wangxiaoms commented 1 week ago

From your Info.plist, you need to configure the MSAL settings for the SDK: https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-phase2#configure-msal-settings-for-the-intune-app-sdk. I did not find where you call the MSAL and Intune MAM SDK APIs for user login and app enrollment; could you clarify?
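For reference, this is one way the wiring the last comment asks about (MSAL brokered sign-in, then Intune MAM enrollment, then sign-out and the Authenticator callback) can look in Swift. It is an added example, not code from this issue or from the linked demo project; the client ID, authority, scopes and view controller are placeholders, and the API names are taken from the MSAL and Intune App SDK docs as I know them, so verify the exact signatures against the SDK version you ship.

```swift
import UIKit
import MSAL
import IntuneMAMSwift

// Placeholder values (assumed): use the app registration from the Entra portal.
let clientId = "<CLIENT_ID>"
let authority = "https://login.microsoftonline.com/<TENANT_ID>"
let scopes = ["User.Read"]
// Broker-capable redirect URI; must match the msauth.<bundle id> entry in CFBundleURLSchemes.
let redirectUri = "msauth.\(Bundle.main.bundleIdentifier!)://auth"

final class AuthCoordinator: NSObject, IntuneMAMEnrollmentDelegate {
    // Step 1 of the flow in the thread: MSAL interactive sign-in, then MAM enrollment of that account.
    func signIn(from viewController: UIViewController) throws {
        let authorityURL = URL(string: authority)!
        let config = MSALPublicClientApplicationConfig(clientId: clientId, redirectUri: redirectUri, authority: try MSALAuthority(url: authorityURL))
        let app = try MSALPublicClientApplication(configuration: config)
        let web = MSALWebviewParameters(authPresentationViewController: viewController)
        let params = MSALInteractiveTokenParameters(scopes: scopes, webviewParameters: web)
        app.acquireToken(with: params) { result, error in
            guard let result = result, let oid = result.account.homeAccountId?.objectId else {
                print("MSAL sign-in failed: \(String(describing: error))"); return
            }
            IntuneMAMEnrollmentManager.instance().delegate = self
            IntuneMAMEnrollmentManager.instance().registerAndEnrollAccountId(oid)
        }
    }
    // Step 2 of the flow in the thread: clear the MSAL cache and unenroll the account from MAM.
    func signOut(app: MSALPublicClientApplication, account: MSALAccount) throws {
        try app.remove(account)
        if let oid = account.homeAccountId?.objectId {
            IntuneMAMEnrollmentManager.instance().deRegisterAndUnenrollAccountId(oid, withWipe: false)
        }
    }
    // Enrollment outcome: log the status code so a CA or enrollment failure is visible, not a silent block.
    func enrollmentRequest(with status: IntuneMAMEnrollmentStatus) {
        print("MAM enrollment succeeded=\(status.didSucceed) code=\(status.statusCode.rawValue) \(status.errorString ?? "")")
    }
    // Called by the SDK when a restart is required (the "restart requested" step in the report).
    func restartApplication() -> Bool {
        return false   // false lets the SDK present its own restart prompt
    }
}

// In the AppDelegate: hand the msauth.<bundle id>://auth callback from Authenticator to MSAL.
func application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
    let source = options[.sourceApplication] as? String
    return MSALPublicClientApplication.handleMSALResponse(url, sourceApplication: source)
}
```

The enrollment status callback is the place to look when login is blocked as described above: the status code and error string say whether the block comes from CA, from a failed enrollment, or from an account that was unenrolled without an app restart.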