We are using the iOS Intune SDK to build a native MAM app. This app needs to access the Graph API to read the user profile and other data. What we did:
(1) We registered an app and gave it the permissions: User.Read (for Graph and Windows Azure AD), DeviceManagementManagedApp.ReadWrite
Login and enrollment to Intune is working, the app gets enrolled. But, when trying to obtain the access token for the Graph API using the ADAL SDK, I need to sign in again and then I am blocked with the message that the device needs to be managed to access this resource.
Do I need another permission? Where do I get the access token from? Is anything else missing?
From your description it appears you have a Conditional Access policy enabled that requires mobile devices are Intune MDM managed. When you call the Graph API from an unmanaged device it will ask you to enroll the device. If you remove the Conditional Access policy you should be able to confirm this.
We have our iOS app which has its own login mechanism, and one of our customers uses SSO login (with an MS account) in our app. Now they have asked us to integrate MS Intune in the app, as they want to apply app protection policies to our app.
I've started integrating the MS Intune iOS SDK along with the MSAL library as described in the documentation.
But I'm stuck with an issue which is described in the document (https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios#apps-that-do-not-use-adal-or-msal)
"Apps that do not use ADAL or MSAL
Apps that do not sign in the user using ADAL or MSAL can still receive app protection policy from the Intune MAM service by calling the API to have the SDK handle that authentication. Apps should use this technique when they have not authenticated a user with Azure AD but still need to retrieve app protection policy to help protect data. An example is if another authentication service is being used for app sign-in, or if the app does not support signing in at all. To do this, the application can call the loginAndEnrollAccount method on the IntuneMAMEnrollmentManager instance:"
According to it, in order for the app to receive the policies, it has to log in and enroll by calling the loginAndEnrollAccount API. But once I call this API, it takes me to the MS login page where I can input email/password, and on success the delegate method gets called.
But my question is that I end up with two login flows in my app (one from our own login and another from MS Intune), so I'm not sure whether this is the correct behavior or not.
Please let me know if you have already worked on MS Intune in iOS.
Thanks.
I have a use case to fetch the login cache from the Microsoft Intune Company Portal app.
My app already has the Azure AD SDK integrated. However, after looking inside the code, I am wondering whether the Azure AD SDK works only with the Authenticator app rather than any other,
as the callback fails and no token is fetched.
Can anyone help me with this? How do I obtain a token from the Company Portal app? This is an issue only on iOS; it is working perfectly on Android.
Note: Keychain Id is also mentioned for 'adalcache'
We're trying to automate device creation using the Graph API.
Our situation: we don't have Intune. We use another 3rd-party MDM solution and have an API there to extract information. We have Azure, and we use Conditional Access to allow access to cloud resources from managed and compliant devices only.
So far only Intune can report the compliance status of a managed iOS device to Azure AD. So we were trying to automate this process by creating devices in Azure AD using the Graph API, and we are stuck on the value to use for deviceID in the JSON (documentation).
The general UUID and UDID that we can get from our MDM API are not working, so the device is not recognized as compliant/managed during authentication in Azure, because the deviceID read from the OneDrive app, for example, does not match the UUID/UDID we extracted.
Can anyone help with how to correctly generate/use the Create Device API in Graph so that the deviceID is right and the device will be recognized correctly when accessing cloud resources?
While getting managed apps from Intune using the Graph API is no problem, every time I try to delete an app from Intune, I get 403 Forbidden.
DELETE https://graph.microsoft.com/beta/deviceAppManagement/{appID} - returns 403
GET https://graph.microsoft.com/beta/deviceAppManagement/{appID} - returns 200
I've tried adding the application in the app registration portal and adding it as an app in Azure AD.
First I get an auth code from here
https://login.microsoftonline.com/{TenantID}/oauth2/authorize?response_type=code
&redirect_uri=localhost
&client_id={MyAppID}
&resource={ "https://graph.microsoft.com"}
&prompt=admin_consent
&scope=DeviceManagementApps.ReadWrite.All
And then obtain a jwt token from here, using the code
POST https://login.microsoftonline.com/{TenantID}/oauth2/token
-Body grant_type=authorization_code&redirect_uri={redirectURI}&client_id={App/ClientID}&client_secret={App/ClientSecret}&code={MyAuthCode}&resource=https://graph.microsoft.com
I then use the returned token to make calls to the Graph API.
I've also tried using the common endpoint, but to no avail.
Am I missing some permission scope I need to set? I have the following delegated permissions set for the app, and I'm authenticating using an admin account on an MS demo tenant.
Read and write Microsoft Intune apps (preview)
Sign in and read user profile
Read and write directory data
If it's a "Managed" app - those are built-in apps that Intune ships, and can't be deleted. Can you verify that it works if you create/delete a standard iOS store app via Graph API?
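A quick way to check the "am I missing a scope" half of the question before suspecting the app type: decode the Graph access token and compare its scp/roles claims against the permissions the call needs. This is added example code, not from the thread; it uses a constructed, unsigned sample token in place of a real one and does not verify the signature, so it only shows what a token claims, not whether it is genuine.

```python
import base64
import json

# Audiences the v1 endpoint uses for Graph tokens (URL form or the Graph app id).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Delegated permissions are the space-separated 'scp' claim;
    application permissions (client-credentials tokens) are the 'roles' list."""
    delegated = set(claims.get("scp", "").split())
    app_roles = set(claims.get("roles", []))
    return delegated | app_roles


def missing_permissions(token: str, required: set) -> set:
    """Permissions in `required` that the token does not carry."""
    claims = decode_jwt_claims(token)
    if claims.get("aud") not in GRAPH_AUDIENCES:
        raise ValueError(f"token audience {claims.get('aud')!r} is not Microsoft Graph")
    return required - granted_permissions(claims)


def _make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample token for offline use: alg "none" and an empty signature,
    # which a real resource server would reject outright.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed token carrying only the user/directory scopes from the question,
# i.e. the apps scope was consented in the portal but never requested.
SAMPLE_TOKEN = _make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read Directory.ReadWrite.All",
    "upn": "admin@contoso.example",
})

if __name__ == "__main__":
    print("missing:", missing_permissions(SAMPLE_TOKEN, {"DeviceManagementApps.ReadWrite.All"}))
```

If the required scope is present and the DELETE still returns 403, the permission is not the problem and the built-in-app explanation above is the next thing to check.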
I'm trying the iOS Outlook SDK introduced at dev.outlook.com; its source code is at https://github.com/OfficeDev/Outlook-SDK-iOS
I tried to register an application via the Application Registration tool with both an Office 365 developer account and an Outlook developer account (requested from Outlook) to get a clientId, but neither of them is working: when I try to authenticate the user I get the error Application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not supported for this API version
Could anyone let me know how to get a valid clientId to work with this SDK?
That sample requires the use of the Azure v1 app model, which requires that you register the app in Azure AD, per these instructions: https://msdn.microsoft.com/en-us/office/office365/howto/add-common-consent-manually.