My App works for different clients (based on the configurations after the actual login).
I want to integrate Intune MAM SDK into a specific client. It need not affect the other clients (meaning should not affect the MAM policy to other clients)
Scenario:
let's take two clients A and B.
A wants to integrate Intune MAM SDK
B doesn't want to integrate the SDK
Expecting:
if B downloads an app from the google play store or apple store, he can able to use an app with a normal login flow.
but if A download app from stores, he should not able to use the app with normal login flow. (he needs to download an app from the company portal to control the app. Then login needs to work)
is there any way we can get to know that app downloads from the company portal not from stores (make sure that it should affect the other client's login flow)
Can anyone tell me how can I achieve this?
Related
I have integrated Microsoft Intune SDK in iOS application. Able to perform all operation mainly sharing files from Outlook to my application.
I installed my application, outlook,etc on fresh device from company portal. When I share any file from Outlook to My application it shows Microsoft login screen only once as below:
It ask for login credential only once at first time share file.
I don't want to show Microsoft login screen, it must automatically authenticate using broker app like Company portal, outlook, etc.
As per Intune documentation, I have already added configuration in iOS info.plist i.e. "AutoEnrollOnLaunch" to true.
How do I completely avoid showing MS login screen?
We have our iOS app which has its own login mechanism and one of our customer uses SSO login (use MS account) in our app. And now they asked to integrate MS Intune in the app as they want to apple app protection policies on our app.
I've started integrated the ms Intune iOS SDK along with MSAL library as described in the documentation.
But I'm stuck with a issue which is described in the document (https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios#apps-that-do-not-use-adal-or-msal)
"Apps that do not use ADAL or MSAL
Apps that do not sign in the user using ADAL or MSAL can still receive app protection policy from the Intune MAM service by calling the API to have the SDK handle that authentication. Apps should use this technique when they have not authenticated a user with Azure AD but still need to retrieve app protection policy to help protect data. An example is if another authentication service is being used for app sign-in, or if the app does not support signing in at all. To do this, the application can call the loginAndEnrollAccount method on the IntuneMAMEnrollmentManager instance:"
According to it, in order for the app to receive the policies, it has to do login and enroll by calling the loginAndEnrollAccount API. But once I call this API, it takes me to MS login page where I can input email/password and if success delegate method gets called.
But my question, I end up with two login flow in my app (one by our own login and another from ms Intune), so not sure whether it is correct behavior or not.
Please let me know if you already worked on ms Intune in iOS.
Thanks.
We are developing an iOS application in Xamarin, which will be distributed via MobileIron. We are also developing the Backend WebServices (rest).
What I need to know is, when a web service call comes to my API, I want to make sure, that the call is coming from a client who is logged-in to my app with his Active-Directory credentials, using MobileIron.
The MobileIron website has plenty of information, but is also a bit chaotic.
What MobileIron products are needed for my use case?
Whats the best way to protect my WebServices and allow just requests from our iOS Application with correct AD-Credentials?
Do I need the AppConnect SDK or can I just wrap the iOS Application in MobileIron? If I need the SDK, are there any examples?
Thanks in advance!
Cheers
Immi
Here is one way how it should work, we have this built up in our environment.
Assuming that the target devices are managed by the MobileIron MDM system with MobileIron Core (MDM) & MobileIron Sentry (Gateway -> Intranet).
You can configure MobileIron Sentry in this way, that a webrequest from an AppConnect enabled app (no matter if SDK included or wrapped!) will be authenticated with user certificate from device, Sentry obtains Kerberos ticket from domain controller for the user and then forwards the web request to a website / webservice where Kerberos authentication is enabled and the user has access granted.
There are many things to configure for this to work (CA, user certificate -> device, service account with delegation configured in AD, SPN for website configured in AD,...) and there is a good support document available from MobileIron to make this up & running.
It's to extensive to describe here all steps.
If this is already setup in the target environment (if there is already another AppConnect app), there are only a few steps left (SPN and MI app-specific AppConnect Config).
The good news is, that the app itself does not have to take care of the authentication. The MobileIron stuff does this on its own...
I have went through the OneDrive API documentation but couldn't find anything on what I needed. Basically, we have developed two apps, one webapp and one mobile app for our product. We want to share the tokens between the two apps (if the user has already authorized for one app, he shouldn't need to re-authorize the second app).
The API settings page in Microsoft Account Developer Center states that
Mobile client applications use a different OAuth 2.0 authentication flow.
What is the recommended way to achieve this in OneDrive? Can the two apps use the same client id/secret and share the tokens? Or can they use different id/secrets and OneDrive provides a way to sync these tokens?
You can not do this since the registration for web apps are different from the mobile app. You can do this if both are web or mobile apps.
When registering an app in Azure AD, the first option is to specify is your app web or mobile app, and then the flow and settings will be different based on the selected app type.
Hope this helps.
We have a web application that supports Facebook and Twitter login/signup via oAuth (and can also post to FB/TW). Now we are building a mobile client and naturally we want people to be able to login-signup via FB-Twitter on mobile as well, on iOS even using system-integrated accounts.
Now mobile app and our server app are two different apps, however, and if I get oAuth correctly, we'll need to have two authentications: one for a mobile client (system account can be used), another one for a server (we'll have to show WebView for it).
Yet some existing apps seem to be fine with single authentication only (e.g. Flickr and Foursquare! At least 4sq seems to be fine with iOS system FB account only. How is it possible?
Do they share consumer key/secret between mobile and web app making it essentially the same app?
Do they use some FB-specific extension to oAuth
Do they only use auth token wherever it comes from making it a user ID?
Something completely different?
Old question, but this may help someone who finds their way here.
Twitter Reverse Auth