microsoftconnect / ms-intune-app-sdk-ios

Intune App SDK for iOS enables data protection and mobile app management features in iOS mobile apps with Microsoft Intune

Issue implementing App Protection CA #438

Open macdja38 opened 5 months ago

macdja38 commented 5 months ago

Describe the bug: After implementing App Protection CA support, login is blocked when the app is opened, even though Microsoft Authenticator is installed and the device is shown as registered.

To Reproduce Steps to reproduce the behavior:

  1. Create a conditional access policy with "Require app protection policy." enabled.
  2. Login to the app with Microsoft

Expected behavior: The first time, the app should redirect to Microsoft Authenticator so the device can be registered. Subsequent login attempts should work smoothly.

wangxiaoms commented 5 months ago

Hi, can you follow the procedure below to support brokered authentication with Microsoft Authenticator? The Redirect URI format is msauth.<bundle_id>://auth. https://learn.microsoft.com/en-us/entra/msal/objc/single-sign-on-macos-ios#sso-through-authentication-broker-on-ios

macdja38 commented 5 months ago

We already have both the Redirect URI and the callback implemented.

I also tried copying the chatr sample app's configuration

    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleTypeRole</key>
            <string>Viewer</string>
            <key>CFBundleURLIconFile</key>
            <string>logo</string>
            <key>CFBundleURLName</key>
            <string>xxxxxxxxxxx</string>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
                <string>$(PRODUCT_BUNDLE_IDENTIFIER)-intunemam</string>
                <string>msauth.$(PRODUCT_BUNDLE_IDENTIFIER)</string>
                <string>msauth.$(PRODUCT_BUNDLE_IDENTIFIER)-intunemam</string>
            </array>
        </dict>
    </array>

byhkalo commented 5 months ago

@wangxiaoms @macdja38 we have exactly the same issue on our side. CFBundleURLSchemes configured properly.

Precondition:

Steps to reproduce from our side:

  1. User logs in first time properly. MSAL -> MAM -> Application restart requested from IntuneMAM side
  2. User logs out from the application (we are logging him out from IntuneMAM too)
  3. User Logs in again (without app restart)
  4. User will see this screen with

Workaround: If user kills the application after the step 2 - everything will be fine.

byhkalo commented 5 months ago

For the user without Conditional Access everything is working fine

wangxiaoms commented 5 months ago

@macdja38 can you provide a sample app, I can test to see if I can repro

wangxiaoms commented 4 months ago

Closing because of inactivity, you can still reply to reopen, will need a sample app for us to test and troubleshoot.

macdja38 commented 4 months ago

We'll be providing a sample app soon!

How much documentation do you need about setting up the sample app / configuring the IDs required in the microsoft azure portal?

wangxiaoms commented 4 months ago

Hi please provide detailed information.

macdja38 commented 4 months ago

https://github.com/fellowapp/intune-demo-project

Hopefully the instructions in the readme are clear enough, if you have any problems / questions let me know!

wangxiaoms commented 4 months ago

From your Info.plist, you need to configure the MSAL settings for the SDK: https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-phase2#configure-msal-settings-for-the-intune-app-sdk I did not find where you call the MSAL and Intune MAM SDK APIs for user login and app enrollment; could you clarify?

macdja38 commented 3 months ago

@wangxiaoms I updated the repo to configure the MSAL settings, and ran the IntuneMAMConfigurator.

The calls to MSAL / Intune are started from the src/js/capacitor-welcome.js file, and then are run in

MSAL: https://github.com/fellowapp/capacitor-plugin-msauth/blob/main/ios/Plugin/Plugin.swift#L11 Intune: https://github.com/fellowapp/intune/blob/8f5805de62882c4dcf4ad12a4448d39998364cde/ios/Plugin/Intune.swift

macdja38 commented 3 months ago

I'm not sure if this is helpful, but here's the debug screen from the MVP.

wangxiaoms commented 3 months ago

In the IntuneMAMSettings, can you change ADALRedirectScheme to ADALRedirectUri (msauth.<bundle_id>://auth), then try it again? If the problem still happens, get logs from the Intune diagnostic console by clicking on the Get Started button. https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-appendix#how-can-i-troubleshoot-my-app

macdja38 commented 3 months ago

Scheme has been updated to Uri.

I used the Share with Microsoft option, Reference ID 307E36

wangxiaoms commented 3 months ago

From the logs there are many errors of missing dependency libraries, you can download the logs, search for "dependency" for the errors, are you able to fix those?

I see you are using plugins e.g. capacitor-plugin-msauth, this makes testing and debugging much harder. To further isolate the issue, suggest you to firstly test the Microsoft Chatr sample, get it working with Authenticator, then you can further debug the plugins. https://github.com/microsoftconnect/Chatr-Sample-Intune-iOS-App Note you will need to add IntuneMAMSettings configurations to the Chatr sample app.

macdja38 commented 3 months ago

I don't see any instances of IntuneMAMComplianceDelegate in the Microsoft Chatr sample, or the "ProtApp" capability. Does it implement the App Protection CA feature?

wangxiaoms commented 3 months ago

> I don't see any instances of IntuneMAMComplianceDelegate in the Microsoft Chatr sample, or the "ProtApp" capability. Does it implement the App Protection CA feature?

You can still test the login flow with Authenticator, make sure to add IntuneMAMSettings.

macdja38 commented 3 months ago

I've tried with the Chatr example app with IntuneMAMSettings set, but I get an error whenever I try to log in with it.

I submitted the logs, Reference ID: 9D21CF

Potentially I'm missing some setup step?

(I added a diagnose button, since generally the diagnose button is only accessible after the LOGIN succeeds.)

wangxiaoms commented 3 months ago

There are many library dependency errors in the log, e.g. the error below for MSAL. Please check and fix those library errors.

    2024-08-07T08:57:21.050Z WARN com.fellow.Intune.chatr tid=11 id=(nil),ui=(nil),io=(nil) IntuneMAM: Package Manager: Failed to find dependency: /System/Library/Frameworks/SafariServices.framework/SafariServices for: @rpath/MSAL.framework/MSAL.

The chatr sample app already includes the libraries needed.

macdja38 commented 3 months ago

That's very strange. I haven't changed anything from the defaults in the Chatr demo.

Are we sure the dependency errors are not a false positive?

wangxiaoms commented 3 months ago

For the library errors, I will need you to check your development and testing environments: what are the Xcode/macOS versions? Can you also share your Info.plist, and make sure to configure an app registration in Microsoft Entra ID -> add an iOS/macOS platform -> add the app bundle ID in Redirect URIs.

macdja38 commented 3 months ago

macOS Sonoma 14.6 (23G80) Xcode 15.4 (15F31d)

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>$(DEVELOPMENT_LANGUAGE)</string>
    <key>CFBundleExecutable</key>
    <string>$(EXECUTABLE_NAME)</string>
    <key>CFBundleIdentifier</key>
    <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>$(PRODUCT_NAME)</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
    <string>1.0</string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleTypeRole</key>
            <string>Viewer</string>
            <key>CFBundleURLIconFile</key>
            <string>logo</string>
            <key>CFBundleURLName</key>
            <string>chatr</string>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>chatr</string>
                <string>chatr-intunemam</string>
                <string>msauth.com.microsoft.intunemam</string>
                <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
                <string>$(PRODUCT_BUNDLE_IDENTIFIER)-intunemam</string>
                <string>capacitor</string>
                <string>capacitor-intunemam</string>
                <string>msauth.$(PRODUCT_BUNDLE_IDENTIFIER)</string>
                <string>msauth.$(PRODUCT_BUNDLE_IDENTIFIER)-intunemam</string>
                <string>msauth.com.microsoft.intunemam</string>
                <string>msauth.com.microsoft.intunemam-intunemam</string>
            </array>
        </dict>
    </array>
    <key>CFBundleVersion</key>
    <string>1</string>
    <key>IntuneMAMSettings</key>
    <dict>
        <key>ADALClientId</key>
        <string>$(MICROSOFT_CLIENT_ID)</string>
        <key>ADALRedirectUri</key>
        <string>msauth.$(PRODUCT_BUNDLE_IDENTIFIER)://auth</string>
        <key>VerboseLoggingEnabled</key>
        <true/>
    </dict>
    <key>LSApplicationQueriesSchemes</key>
    <array>
        <string>mvisionmobile</string>
        <string>microsoft-edge-http</string>
        <string>microsoft-edge-http-intunemam</string>
        <string>scmx</string>
        <string>lookoutwork-ase</string>
        <string>microsoft-edge-https</string>
        <string>microsoft-edge-https-intunemam</string>
        <string>lacoonsecurity</string>
        <string>zips</string>
        <string>skycure</string>
        <string>smsec</string>
        <string>smart-ns</string>
        <string>betteractiveshield</string>
        <string>companyportal</string>
        <string>ms-outlook</string>
        <string>ms-outlook-intunemam</string>
        <string>wandera</string>
        <string>https-intunemam</string>
        <string>http-intunemam</string>
    </array>
    <key>LSRequiresIPhoneOS</key>
    <true/>
    <key>UILaunchStoryboardName</key>
    <string>LaunchScreen</string>
    <key>UIMainStoryboardFile</key>
    <string>Main</string>
    <key>UIRequiredDeviceCapabilities</key>
    <array>
        <string>armv7</string>
    </array>
    <key>UISupportedInterfaceOrientations</key>
    <array>
        <string>UIInterfaceOrientationPortrait</string>
    </array>
    <key>UISupportedInterfaceOrientations~ipad</key>
    <array>
        <string>UIInterfaceOrientationPortrait</string>
        <string>UIInterfaceOrientationPortraitUpsideDown</string>
        <string>UIInterfaceOrientationLandscapeLeft</string>
        <string>UIInterfaceOrientationLandscapeRight</string>
    </array>
    <key>UIUserInterfaceStyle</key>
    <string>Light</string>
</dict>
</plist>

Config

MICROSOFT_CLIENT_ID = 9ff3dfcc-f518-4383-8ef4-4ce9724084d9

PRODUCT_BUNDLE_IDENTIFIER = com.fellow.Intune.chatr
PRODUCT_APP_LABEL = Chatr
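
The Info.plist above is the configuration the brokered (Authenticator) flow depends on, so here is an added lint script that is not code from the Intune App SDK, the Chatr sample, or anyone in this thread. It checks a plist against the requirements in the two Microsoft docs linked earlier in the thread: the app must register msauth.<bundle_id> as a URL scheme and use msauth.<bundle_id>://auth as its ADALRedirectUri (MSAL brokered SSO doc), it must list msauthv2 and msauthv3 in LSApplicationQueriesSchemes so it can detect Microsoft Authenticator (same doc), and every CFBundleURLSchemes entry needs an -intunemam twin (Intune SDK phase 2 doc). The embedded plist is a trimmed copy of the one posted above with the build settings from the Config block substituted; the function names and the findings format are this example's own.

```python
"""Lint an iOS Info.plist for MSAL-broker and Intune MAM URL-scheme requirements.

Added example, not code from the Intune App SDK, the Chatr sample, or this thread.
Rules encoded (from the MSAL broker SSO doc and the Intune SDK phase 2 doc):
  1. CFBundleURLSchemes contains msauth.<bundle_id>
  2. IntuneMAMSettings/ADALRedirectUri == msauth.<bundle_id>://auth
  3. LSApplicationQueriesSchemes contains msauthv2 and msauthv3
  4. every CFBundleURLSchemes entry has a twin with the -intunemam suffix
"""
import plistlib
import re

_BUILD_SETTING = re.compile(r"\$\(([A-Z_]+)\)")


def expand(value, settings):
    """Substitute $(BUILD_SETTING) references the way Xcode does at build time."""
    if isinstance(value, str):
        return _BUILD_SETTING.sub(lambda m: settings.get(m.group(1), m.group(0)), value)
    if isinstance(value, list):
        return [expand(v, settings) for v in value]
    if isinstance(value, dict):
        return {k: expand(v, settings) for k, v in value.items()}
    return value


def lint_broker_config(plist_bytes, settings):
    """Return a list of findings; an empty list means the plist passes all four rules."""
    info = expand(plistlib.loads(plist_bytes), settings)
    bundle_id = info.get("CFBundleIdentifier", "")
    findings = []

    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.update(url_type.get("CFBundleURLSchemes", []))
    queries = set(info.get("LSApplicationQueriesSchemes", []))

    broker_scheme = f"msauth.{bundle_id}"
    expected_redirect = f"{broker_scheme}://auth"

    # Rule 1: the app must own the scheme Authenticator uses to return the token.
    if broker_scheme not in schemes:
        findings.append(f"CFBundleURLSchemes lacks {broker_scheme}")

    # Rule 2: the SDK's redirect URI must be the broker-compatible one.
    redirect = info.get("IntuneMAMSettings", {}).get("ADALRedirectUri")
    if redirect != expected_redirect:
        findings.append(
            f"IntuneMAMSettings/ADALRedirectUri is {redirect!r}, expected {expected_redirect!r}"
        )

    # Rule 3: canOpenURL() only succeeds for whitelisted schemes, so without these
    # MSAL cannot see that Authenticator is installed and falls back to non-brokered auth.
    for q in ("msauthv2", "msauthv3"):
        if q not in queries:
            findings.append(f"LSApplicationQueriesSchemes lacks {q}")

    # Rule 4: Intune MAM rewrites outbound URL schemes with an -intunemam suffix.
    for s in sorted(schemes):
        if not s.endswith("-intunemam") and f"{s}-intunemam" not in schemes:
            findings.append(f"CFBundleURLSchemes lacks -intunemam twin of {s}")

    return findings


# Constructed sample: trimmed copy of the Info.plist posted above in the thread.
THREAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>chatr</string>
                <string>chatr-intunemam</string>
                <string>msauth.com.microsoft.intunemam</string>
                <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
                <string>$(PRODUCT_BUNDLE_IDENTIFIER)-intunemam</string>
                <string>msauth.$(PRODUCT_BUNDLE_IDENTIFIER)</string>
                <string>msauth.$(PRODUCT_BUNDLE_IDENTIFIER)-intunemam</string>
                <string>msauth.com.microsoft.intunemam-intunemam</string>
            </array>
        </dict>
    </array>
    <key>IntuneMAMSettings</key>
    <dict>
        <key>ADALClientId</key>
        <string>$(MICROSOFT_CLIENT_ID)</string>
        <key>ADALRedirectUri</key>
        <string>msauth.$(PRODUCT_BUNDLE_IDENTIFIER)://auth</string>
    </dict>
    <key>LSApplicationQueriesSchemes</key>
    <array>
        <string>companyportal</string>
        <string>ms-outlook</string>
        <string>ms-outlook-intunemam</string>
    </array>
</dict>
</plist>
"""

# Build settings from the Config block posted above.
SETTINGS = {
    "PRODUCT_BUNDLE_IDENTIFIER": "com.fellow.Intune.chatr",
    "MICROSOFT_CLIENT_ID": "9ff3dfcc-f518-4383-8ef4-4ce9724084d9",
}

# Same plist with the two broker query schemes added, which is the corrected form.
FIXED_PLIST = THREAD_PLIST.replace(
    b"<string>companyportal</string>",
    b"<string>companyportal</string>\n        <string>msauthv2</string>\n        <string>msauthv3</string>",
)

if __name__ == "__main__":
    for name, plist in (("thread", THREAD_PLIST), ("fixed", FIXED_PLIST)):
        print(name, lint_broker_config(plist, SETTINGS) or ["OK"])
```

Run against the plist above, the script reports only the two missing LSApplicationQueriesSchemes entries; the URL schemes, their -intunemam twins and the ADALRedirectUri all pass. The check is deliberately strict about the exact redirect URI string because the broker matches it verbatim against the Entra app registration's iOS/macOS platform entry.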

wangxiaoms commented 3 months ago

The ADALClientId/ADALRedirectUri settings look fine. The Chatr sample app is the starting point to test Intune SDK functions, able to be tested without code changes and can be tested on simulator or real device. I do not see those library dependency errors in my tests or reported from other users. Please check the development environment related to library and linking, may try different Mac/phone if possible.

macdja38 commented 3 months ago

I'll test on a different Mac & iPhone, then get back to you 👍

macdja38 commented 1 month ago

I tested on a 2018 Intel MacBook Pro. Same warning.

    2024-10-02T20:28:33.071Z    WARN    com.fellow.Intune.chatr tid=4       id=(nil),ui=(nil),io=(nil)       IntuneMAM: Package Manager: Failed to find dependency: /System/Library/Frameworks/WebKit.framework/WebKit for: @rpath/MSAL.framework/MSAL.
    2024-10-02T20:28:33.074Z    VERB    com.fellow.Intune.chatr tid=1       id=(nil),ui=(nil),io=(nil)       IntuneMAM: MAMError: "Package Manager: Failed to find dependency: RDScrubbedDylib for: RDScrubbedDylib."
    2024-10-02T20:28:33.080Z    ERRO    com.fellow.Intune.chatr tid=4       id=(nil),ui=(nil),io=(nil)       IntuneMAM: Package Manager: Failed to find dependency: RDScrubbedDylib for: RDScrubbedDylib.
    2024-10-02T20:28:33.080Z    WARN    com.fellow.Intune.chatr tid=4       id=(nil),ui=(nil),io=(nil)       IntuneMAM: Package Manager: Failed to find dependency: /System/Library/Frameworks/SafariServices.framework/SafariServices for: @rpath/MSAL.framework/MSAL.
    2024-10-02T20:28:33.082Z    VERB    com.fellow.Intune.chatr tid=1       id=(nil),ui=(nil),io=(nil)       IntuneMAM: MAMError: "Package Manager: Failed to find dependency: RDScrubbedDylib for: RDScrubbedDylib."
    2024-10-02T20:28:33.168Z    ERRO    com.fellow.Intune.chatr tid=4       id=(nil),ui=(nil),io=(nil)       IntuneMAM: Package Manager: Failed to find dependency: RDScrubbedDylib for: RDScrubbedDylib.

That said I also noticed another line that seems to suggest it was in fact loaded?

    2024-10-02T20:30:08.533Z    VERB    com.fellow.Intune.chatr tid=1       id=(nil),ui=(nil),io=(nil)       IntuneMAM: Loaded application dylib: @rpath/IntuneMAMSwift.framework/IntuneMAMSwift
    2024-10-02T20:30:08.533Z    VERB    com.fellow.Intune.chatr tid=1       id=(nil),ui=(nil),io=(nil)       IntuneMAM: Loaded application dylib: @rpath/MSAL.framework/MSAL
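
To make the cross-check in the comment above mechanical, here is an added log-triage script; it is not Intune tooling and not from anyone in this thread. It parses MAM diagnostic-console lines in the layout shown above, deduplicates the "Failed to find dependency" reports per consuming dylib (the VERB MAMError lines repeat the ERRO ones), collects the "Loaded application dylib" entries, and lists every dylib that the package manager reported as loaded despite also reporting missing dependencies for it. The sample lines are copied from the comment above; the column layout regex is an assumption inferred from those lines only.

```python
"""Triage Intune MAM diagnostic-console output for dependency errors.

Added example, not Intune SDK tooling and not from anyone in this thread.
The line layout (timestamp, level, bundle id, tid, context, "IntuneMAM: " message)
is inferred from the lines posted above and assumed to hold for every line.
"""
import re
from collections import Counter

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<bundle>\S+)\s+tid=(?P<tid>\d+)\s+"
    r"(?P<ctx>\S+)\s+IntuneMAM:\s+(?P<msg>.*)$"
)
# Matches both the bare WARN/ERRO form and the VERB form wrapped in MAMError: "..."
DEP = re.compile(r'Failed to find dependency: (?P<dep>.+?) for: (?P<for>.+?)\.?"?$')
LOADED = re.compile(r"Loaded application dylib: (?P<dylib>\S+)$")

# Constructed sample: the log lines posted above, verbatim.
SAMPLE_LOG = """\
2024-10-02T20:28:33.071Z    WARN    com.fellow.Intune.chatr tid=4       id=(nil),ui=(nil),io=(nil)       IntuneMAM: Package Manager: Failed to find dependency: /System/Library/Frameworks/WebKit.framework/WebKit for: @rpath/MSAL.framework/MSAL.
2024-10-02T20:28:33.074Z    VERB    com.fellow.Intune.chatr tid=1       id=(nil),ui=(nil),io=(nil)       IntuneMAM: MAMError: "Package Manager: Failed to find dependency: RDScrubbedDylib for: RDScrubbedDylib."
2024-10-02T20:28:33.080Z    ERRO    com.fellow.Intune.chatr tid=4       id=(nil),ui=(nil),io=(nil)       IntuneMAM: Package Manager: Failed to find dependency: RDScrubbedDylib for: RDScrubbedDylib.
2024-10-02T20:28:33.080Z    WARN    com.fellow.Intune.chatr tid=4       id=(nil),ui=(nil),io=(nil)       IntuneMAM: Package Manager: Failed to find dependency: /System/Library/Frameworks/SafariServices.framework/SafariServices for: @rpath/MSAL.framework/MSAL.
2024-10-02T20:28:33.082Z    VERB    com.fellow.Intune.chatr tid=1       id=(nil),ui=(nil),io=(nil)       IntuneMAM: MAMError: "Package Manager: Failed to find dependency: RDScrubbedDylib for: RDScrubbedDylib."
2024-10-02T20:28:33.168Z    ERRO    com.fellow.Intune.chatr tid=4       id=(nil),ui=(nil),io=(nil)       IntuneMAM: Package Manager: Failed to find dependency: RDScrubbedDylib for: RDScrubbedDylib.
2024-10-02T20:30:08.533Z    VERB    com.fellow.Intune.chatr tid=1       id=(nil),ui=(nil),io=(nil)       IntuneMAM: Loaded application dylib: @rpath/IntuneMAMSwift.framework/IntuneMAMSwift
2024-10-02T20:30:08.533Z    VERB    com.fellow.Intune.chatr tid=1       id=(nil),ui=(nil),io=(nil)       IntuneMAM: Loaded application dylib: @rpath/MSAL.framework/MSAL
"""


def triage(log_text):
    """Summarise dependency problems: who is missing what, and what still loaded."""
    missing = {}        # consuming dylib -> set of dependencies it could not find
    loaded = []         # dylibs reported as loaded, in log order
    levels = Counter()  # count of lines per log level
    unparsed = 0        # lines that did not fit the assumed layout
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            unparsed += 1
            continue
        levels[m["level"]] += 1
        msg = m["msg"]
        if dep := DEP.search(msg):
            missing.setdefault(dep["for"], set()).add(dep["dep"])
        elif ld := LOADED.search(msg):
            loaded.append(ld["dylib"])
    return {
        "levels": dict(levels),
        "unparsed": unparsed,
        "missing": {k: sorted(v) for k, v in sorted(missing.items())},
        "loaded": loaded,
        "loaded_despite_missing": sorted(set(loaded) & set(missing)),
    }


def report(summary):
    """Render the summary as the kind of text you would paste back into an issue."""
    out = [f"levels: {summary['levels']}  (unparsed lines: {summary['unparsed']})"]
    for consumer, deps in summary["missing"].items():
        out.append(f"{consumer} could not find:")
        out.extend(f"    {d}" for d in deps)
    out.append("loaded: " + ", ".join(summary["loaded"]))
    out.append("loaded despite missing deps: " + ", ".join(summary["loaded_despite_missing"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the sample, MSAL is the one dylib that appears in both buckets: two system frameworks are reported missing for it, yet it is also reported as loaded. Paste the full diagnostic export in place of SAMPLE_LOG to see whether that pattern holds for every framework or only for MSAL, which is the distinction that separates a false positive from a real linking problem.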

wangxiaoms commented 1 month ago

Hi with your new Mac, when you test the Chatr sample app, can you provide the MAM logs https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-appendix#how-can-i-troubleshoot-my-app

macdja38 commented 1 month ago

Sure, I just shared with Microsoft, reference ID AD50EE

wangxiaoms commented 1 month ago

> Sure, I just shared with Microsoft, reference ID AD50EE

There is still development environment issue, I see all those "Failed to find linked binary", "Failed to find dependency" errors.