microsoftconnect / ms-intune-app-sdk-ios

Intune App SDK for iOS enables data protection and mobile app management features in iOS mobile apps with Microsoft Intune

How to understand if a customer's domain is licensed for Intune or not before the enrollment method #450

Closed cihanerd closed 4 weeks ago

cihanerd commented 2 months ago

Our application has many customers and not all of them apply Intune policies to their own users. We need to understand, after the login operation and before the enroll operation, whether the customer's domain has an Intune licence. If not, then we won't try to enroll the user via Intune Manager.

Could you please help me to understand whether a customer has an Intune licence or not?

Or do we need to have two different app releases for Intune customers and non-Intune customers?

wangxiaoms commented 1 month ago

For the scenario where the application may be used by both customers who do and don't use Intune MAM policies, the application should call registerAndEnrollAccountId immediately after successfully authenticating the user with MSAL. registerAndEnrollAccountId will attempt a silent enrollment using the Entra ID tokens cached by MSAL from the application's authentication of the user. If the silent enrollment fails, the user should not be blocked from using the application, and Intune will automatically retry the enrollment periodically in case the user's IT admin begins targeting Intune policies at any point. To support customers that would like to ensure users receive app protection policies before they are allowed to access the app, the app developer should implement support for the "Require App Protection Policy" Conditional Access policy. When customers enable this CA policy, users won't be allowed to access the app unless they've successfully MAM enrolled and received app protection policies. https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-phase6

cihanerd commented 1 month ago

Thank you for your response. I will use that part to force users onto Intune policies. But my question actually points to the beginning of the process. Here is the logic I implemented:

image

and to check the status of enrollment I am using the below method of enrollmentDelegate:

image

In the above scenario I cannot understand why auth is required. So I am using the loginAndEnrollAccount method of Intune; at this point it asks users for consent to the Graph API DeviceManagement scopes. Trying to get consent for DeviceManagement from customers who do not know about Intune is really disturbing. So I need to prevent this scenario, and somehow I need to know whether the customer is on the Intune side or not.

image

Actually I need this method (isUserNotFromIntuneCustomer) and I don't know how to do that.

Thanks in advance

wangxiaoms commented 1 month ago

Auth required means the SDK is unable to access the user's tokens. Before calling registerAndEnrollAccount, is the user authenticated? Do you use MSAL to handle user login?

cihanerd commented 1 month ago

Yes, the user is already signed in with MSAL, but again for non-Intune customers it asks for Intune API permissions like DeviceManagement. Right now I am using the Graph API licenseDetails endpoint to understand if the customer is on Intune or not. Is it OK to query the Graph API to understand the situation?

wangxiaoms commented 1 month ago

A user with an Intune license might not be targeted by MAM policy, and a user without a license might be targeted by MAM policy. With App Protection Conditional Access (CA), when the app makes an acquire-token call: if CA is not enabled, the token is granted normally; if CA is enabled, the app will receive a specific error and then calls the remediation API to get MAM enrollment. This way, by default MAM is not applied and the user will not see the Intune permission prompt. Tenants/users that require MAM enrollment need to enable the CA policy. https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-phase6#mam-ca-remediation-flow remediateComplianceForIdentity provides all the functionality of registerAndEnrollAccount and loginAndEnrollAccount. Therefore, the app doesn't need to use either of these older APIs.

cihanerd commented 1 month ago

So what is the Android equivalent of Compliance Manager?

cihanerd commented 1 month ago

Below is the description of CA:

> App Protection Conditional Access blocks access to server tokens until Intune has confirmed app protection policy has been applied. This feature requires changes to your add user flows. Once a customer enables App Protection CA, applications in that customer's tenant that access protected resources won't be able to acquire an access token unless they support this feature.

What I understand is that App Protection CA is optional for customers. What if a customer does not enable App Protection CA? And the question is: should I use remediateComplianceForIdentity instead of registerAndEnrollAccount?

wangxiaoms commented 1 month ago

> What I understand is that App Protection CA is optional for customers. What if a customer does not enable App Protection CA? And the question is: should I use remediateComplianceForIdentity instead of registerAndEnrollAccount?

If CA not enabled,

cihanerd commented 1 month ago

I implemented App Protection CA and tried to log in with a non-Intune user. But it shows the login page for Intune like the image below.

Are you sure that if CA is not enabled, with remediateCompliance only, the API is not called and no MAM enforcement is attempted?

Here is what I did:

image image

wangxiaoms commented 1 month ago

Please follow the document: when an app receives an MSALErrorServerProtectionPoliciesRequired error from MSAL, it should call [[IntuneMAMComplianceManager instance] remediateCompliance] to let Intune enroll the app and apply policy.

image image

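As an added example (not code from the Intune App SDK, from MSAL, or from anyone in this thread), here is the remediation flow the reply above describes, written in Objective-C for an app that serves both Intune and non-Intune tenants: a plain MSAL sign-in, Intune involved only when MSAL returns `MSALErrorServerProtectionPoliciesRequired`, and a retry of the token request once the compliance delegate reports the app is compliant. `SignInCoordinator` and its helper methods are hypothetical; the items marked ASSUMED (the Intune umbrella header, the `MSALDisplayableUserIdKey` error key, the identity-based compliance-delegate selector and the `IntuneMAMComplianceStatus` case names) are taken from my reading of the MSAL and Intune SDK headers and should be checked against the SDK versions you ship.

```objective-c
// Added example, not SDK code. MAM-CA remediation flow for a mixed tenant base.
#import <UIKit/UIKit.h>
#import <MSAL/MSAL.h>
#import <IntuneMAMSwift/IntuneMAMSwift.h>   // ASSUMED umbrella header name for the Intune App SDK

@interface SignInCoordinator : NSObject <IntuneMAMComplianceDelegate>
@property (nonatomic, strong) MSALPublicClientApplication *msalApp;  // configured elsewhere
@property (nonatomic, strong) NSArray<NSString *> *scopes;           // the app's own resource scopes
- (void)signInInteractivelyFromViewController:(UIViewController *)parent;
@end

@implementation SignInCoordinator

// Step 1: ordinary MSAL sign-in. No Intune API is called here, so a tenant that
// has not enabled App Protection CA only ever sees the usual Entra ID consent.
- (void)signInInteractivelyFromViewController:(UIViewController *)parent {
    MSALWebviewParameters *web =
        [[MSALWebviewParameters alloc] initWithAuthPresentationViewController:parent];
    MSALInteractiveTokenParameters *params =
        [[MSALInteractiveTokenParameters alloc] initWithScopes:self.scopes webviewParameters:web];
    [self.msalApp acquireTokenWithParameters:params
                             completionBlock:^(MSALResult *result, NSError *error) {
        [self handleTokenResult:result error:error];
    }];
}

// Step 2: branch on the outcome. Only the specific CA error hands control to Intune.
- (void)handleTokenResult:(MSALResult *)result error:(NSError *)error {
    if (result != nil) {
        // CA not enforced for this tenant (or the app is already compliant):
        // use the token as normal, no Intune prompt at all.
        [self proceedWithAccessToken:result.accessToken];
        return;
    }
    if ([error.domain isEqualToString:MSALErrorDomain] &&
        error.code == MSALErrorServerProtectionPoliciesRequired) {
        // This tenant requires MAM. Let Intune enroll the app and apply policy;
        // it reports back through the compliance delegate below.
        NSString *identity = error.userInfo[MSALDisplayableUserIdKey];   // ASSUMED key name
        [IntuneMAMComplianceManager instance].delegate = self;
        [[IntuneMAMComplianceManager instance] remediateComplianceForIdentity:identity silent:NO];
        return;
    }
    // Anything else is a normal sign-in failure, unrelated to Intune.
    [self showSignInFailure:error];
}

// Step 3: compliance callback (ASSUMED selector; newer SDK versions expose an
// accountId-based variant with the same status argument).
- (void)identity:(NSString *)identity
hasComplianceStatus:(IntuneMAMComplianceStatus)status
withErrorMessage:(NSString *)errMsg
   andErrorTitle:(NSString *)errTitle {
    dispatch_async(dispatch_get_main_queue(), ^{
        switch (status) {
            case IntuneMAMComplianceCompliant:
                // Policy applied, so the CA block is lifted: a silent request
                // for the same scopes should now succeed.
                [self acquireTokenSilentlyForIdentity:identity];
                break;
            case IntuneMAMComplianceInteractionRequired:
                // Intune needs to show UI (for example its enrollment page);
                // run remediation again non-silently.
                [[IntuneMAMComplianceManager instance] remediateComplianceForIdentity:identity silent:NO];
                break;
            default:
                // NotCompliant, ServiceFailure, NetworkFailure, UserCancelled:
                // under CA no token will be issued, so surface Intune's message
                // instead of silently retrying forever.
                [self showBlockedMessageWithTitle:errTitle message:errMsg];
                break;
        }
    });
}

// Step 4: silent retry after remediation, using MSAL's cached account.
- (void)acquireTokenSilentlyForIdentity:(NSString *)identity {
    NSError *lookupError = nil;
    MSALAccount *account = [self.msalApp accountForUsername:identity error:&lookupError];
    if (account == nil) { [self showSignInFailure:lookupError]; return; }
    MSALSilentTokenParameters *params =
        [[MSALSilentTokenParameters alloc] initWithScopes:self.scopes account:account];
    [self.msalApp acquireTokenSilentWithParameters:params
                                   completionBlock:^(MSALResult *result, NSError *error) {
        [self handleTokenResult:result error:error];   // same branching as the first attempt
    }];
}

// Hypothetical app-specific helpers; bodies are placeholders for the app's own UI.
- (void)proceedWithAccessToken:(NSString *)token { /* call the app's backend */ }
- (void)showSignInFailure:(NSError *)error { /* show a generic sign-in error */ }
- (void)showBlockedMessageWithTitle:(NSString *)title message:(NSString *)msg { /* show Intune's text */ }
@end
```

The point of the structure is that the decision the issue asks for (is this customer an Intune customer?) is never made by the app: the tenant's Conditional Access policy decides, the app only reacts to the one MSAL error code, and a non-Intune tenant never reaches any Intune call or consent prompt.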
cihanerd commented 4 weeks ago

Now it works. Thank you @wangxiaoms