We're trying to automate device creation using the Graph API.
Our situation: we don't have Intune. We use another third-party MDM solution and have an API there to extract information. We have Azure and use Conditional Access to allow access to cloud resources from managed and compliant devices only.
So far only Intune can report the compliance status of a managed iOS device to Azure AD. So we were trying to automate this process by creating devices in Azure AD using the Graph API, and got stuck on the value to use for deviceId in the JSON (documentation).
The general UUID and UDID that we can get from our MDM API are not working: the device is not recognized as compliant/managed during authentication in Azure, because the deviceId read from the OneDrive app, for example, does not match the UUID/UDID we extracted.
Can anyone help with how to correctly generate/use the Create Device API in Graph so that the device gets the right deviceId and is recognized correctly when accessing cloud resources?
Related
1: I would like to ask some questions about our iOS mobile app's access to Google IoT Core and the permission scope authentication. We are planning to use the API services of Google IoT Core to access device-specific data;
But we encountered a problem with OAuth authentication: requesting the scopes for the Google API may take up to several weeks. I wonder if this is really the case?
OAuth image
My application will use the following request scopes: https://www.googleapis.com/auth/cloudiot and https://www.googleapis.com/auth/cloud-platform. I want to be able to view, manage and create registered devices.
https://www.googleapis.com/auth/pubsub: I want to use this API to publish and subscribe to topics from the phone and receive device data, for example temperature, humidity, alarm values, etc. Mobile clients can access IoT data through the HTTPS endpoint (https://cloudiot.googleapis.com/v1/{name=projects/*/locations/*/registries/*}).
2: Use Google Cloud Functions to connect to the cloud platform and get device data from iOS;
Google Cloud and the device have been successfully bound and deployed through the console, but I cannot understand how to call the Google IoT Core API from a Cloud Function so that the device connects to the cloud, how IAM grants the permissions, or how the private key is used to access the Google API (purpose: the iOS phone calls the Google API through Cloud Functions, which implements a JSON interface and returns the device data to iOS). Thank you in advance, thank you!
My article might be helpful for your problem if you're still having this issue. It shows how to connect to IoT Core using CocoaMQTT and SwiftJWT; you can do something similar, but instead of connecting to a specific device you could register the device with a given ES256 public key.
Controlling your phone from the cloud
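The answer above relies on two pieces that are easy to get subtly wrong: the ES256 key that is registered for the device, and the JWT that the device presents as its MQTT password. The following is an added example (not code from the answer or the linked article, and not Google's SDK) that does both with the Go standard library: it generates the P-256 key pair, renders the public half as PEM for the registry, mints the {iat, exp, aud} token IoT Core expects, and re-verifies it the way the broker would. The project ID "example-project" and the one-hour lifetime are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// deviceClaims is the claim set IoT Core expects: iat, exp (at most 24h later) and the GCP project ID as aud.
type deviceClaims struct {
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Aud string `json:"aud"`
}

// GenerateDeviceKey makes the P-256 pair; only the public half is uploaded when the device is registered.
func GenerateDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// PublicKeyPEM renders the public key in the PEM form the registry accepts for an ES256 key.
func PublicKeyPEM(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// b64url is the JWS segment encoding: base64url with no padding (RFC 7515).
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// fixed32 left-pads an ECDSA integer to 32 bytes: a JWS ES256 signature is raw r||s (64 bytes), not DER.
func fixed32(n *big.Int) []byte {
	out := make([]byte, 32)
	n.FillBytes(out)
	return out
}

// MintDeviceJWT signs {iat, exp, aud} with ES256; the token is sent as the MQTT password (username is ignored).
func MintDeviceJWT(priv *ecdsa.PrivateKey, projectID string, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > 24*time.Hour {
		return "", fmt.Errorf("IoT Core accepts token lifetimes of up to 24 hours, got %s", ttl)
	}
	body, err := json.Marshal(deviceClaims{Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Aud: projectID})
	if err != nil {
		return "", err
	}
	signingInput := b64url([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(append(fixed32(r), fixed32(s)...)), nil
}

// VerifyDeviceJWT mirrors the broker-side check: re-hash the first two segments, verify r||s with the
// registered key, then check aud and the validity window. The header's alg is deliberately not
// consulted, so a token claiming "none" or HS256 cannot downgrade the check.
func VerifyDeviceJWT(token string, pub *ecdsa.PublicKey, projectID string, now time.Time) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || pub.Curve != elliptic.P256() {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return false
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c deviceClaims
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return false
	}
	t := now.Unix()
	return c.Aud == projectID && c.Iat <= t && t < c.Exp
}

func main() {
	priv, _ := GenerateDeviceKey()
	pemKey, _ := PublicKeyPEM(&priv.PublicKey)
	// Constructed project ID; substitute your own when registering the device.
	token, _ := MintDeviceJWT(priv, "example-project", time.Now(), time.Hour)
	fmt.Println(pemKey + "MQTT password: " + token)
}
```

The MQTT CONNECT then uses the client ID form projects/{project}/locations/{region}/registries/{registry}/devices/{device} with the token as the password; the private key never leaves the phone, which is the point of registering a public key rather than shipping a service-account secret in the app.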
We are using the iOS Intune SDK to build a native MAM app. This app needs to access the Graph API to read the user profile and other data. What we did:
(1) We registered an app and gave it the permissions User.Read (for Graph and Windows Azure AD) and DeviceManagementManagedApp.ReadWrite.
Login and enrollment to Intune are working; the app gets enrolled. But when trying to obtain the access token for the Graph API using the ADAL SDK, I need to sign in again, and then I am blocked with the message that the device needs to be managed to access this resource.
Do I need another permission? Where to I get the access token from? Is anything else missing?
From your description it appears you have a Conditional Access policy enabled that requires mobile devices to be Intune MDM managed. When you call the Graph API from an unmanaged device, it will ask you to enroll the device. If you remove the Conditional Access policy you should be able to confirm this.
Does anyone know what happens to an enrolled Intune device if the device is deleted via the Microsoft Graph API? Does that wipe the managed data on the device and remove it from Intune?
I cannot seem to find any documentation that answers this question.
The instructions in your link are used to delete an Azure AD-registered device, not to delete managed devices in Intune. So the answer to your question is "No"; if you want to delete managed devices and wipe their data in Intune using the Microsoft Graph API, you should run the following POST and DELETE requests:
POST https://graph.microsoft.com/beta/managedDevices/{id}/wipe
DELETE https://graph.microsoft.com/beta/managedDevices/{id}
For more details about the Intune Graph API, please refer to docs here.
If you "Delete" the managed device (enrolled device), it will remove the device from the All Devices list.
And most important, you can't manage the device again; for example, if you use Windows Autopilot your device will be stuck and cannot log in.
Both the Graph API and deleting directly from Azure AD give the same result.
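The two answers above together give the ordering that matters: a bare DELETE removes the device record and nothing more, so the wipe must be issued first, and the delete should only follow once the wipe was accepted, because after the delete there is no longer any management channel to retry through. The following is an added example (not code from either answer, and not a Microsoft SDK) that enforces that order over the two endpoints quoted above, using Go's net/http. It takes the base URL as a parameter so that a constructed in-process stand-in for Graph (FakeGraph, answering 204 for known devices and 404 otherwise, as the real endpoints document) can be used offline; the bearer token and device ID are placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// GraphBase is the real endpoint from the answer above; RetireDevice takes the
// base as a parameter so the fake below can stand in for it offline.
const GraphBase = "https://graph.microsoft.com/beta"

// RetireDevice wipes first and deletes only after the wipe was accepted (HTTP 204),
// so a failed wipe never leaves behind a device that Intune can no longer reach.
func RetireDevice(client *http.Client, base, token, deviceID string) error {
	call := func(method, path string) (int, error) {
		req, err := http.NewRequest(method, base+path, nil)
		if err != nil {
			return 0, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := client.Do(req)
		if err != nil {
			return 0, err
		}
		resp.Body.Close()
		return resp.StatusCode, nil
	}
	id := url.PathEscape(deviceID)
	code, err := call(http.MethodPost, "/managedDevices/"+id+"/wipe")
	if err != nil {
		return err
	}
	if code != http.StatusNoContent {
		return fmt.Errorf("wipe rejected with HTTP %d; device %s left enrolled, not deleted", code, deviceID)
	}
	code, err = call(http.MethodDelete, "/managedDevices/"+id)
	if err != nil {
		return err
	}
	if code != http.StatusNoContent {
		return fmt.Errorf("delete failed with HTTP %d after wipe was queued for %s", code, deviceID)
	}
	return nil
}

// FakeGraph is a constructed stand-in for the two endpoints: it records the
// calls it receives, in order, and answers 204 for known devices, 404 otherwise.
type FakeGraph struct {
	Known map[string]bool
	Calls []string
}

func (f *FakeGraph) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	f.Calls = append(f.Calls, r.Method+" "+r.URL.Path)
	id := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/managedDevices/"), "/wipe")
	switch {
	case !f.Known[id]:
		w.WriteHeader(http.StatusNotFound)
	case r.Method == http.MethodPost && strings.HasSuffix(r.URL.Path, "/wipe"):
		w.WriteHeader(http.StatusNoContent)
	case r.Method == http.MethodDelete:
		delete(f.Known, id)
		w.WriteHeader(http.StatusNoContent)
	default:
		w.WriteHeader(http.StatusMethodNotAllowed)
	}
}

// StartFakeGraph returns the recorder and a running test server in front of it.
func StartFakeGraph(known ...string) (*FakeGraph, *httptest.Server) {
	f := &FakeGraph{Known: map[string]bool{}}
	for _, k := range known {
		f.Known[k] = true
	}
	return f, httptest.NewServer(f)
}

func main() {
	f, srv := StartFakeGraph("device-123")
	defer srv.Close()
	// Placeholder token; against the real GraphBase this is an Intune-scoped access token.
	fmt.Println(RetireDevice(srv.Client(), srv.URL, "constructed-token", "device-123"), f.Calls)
	fmt.Println(RetireDevice(srv.Client(), srv.URL, "constructed-token", "device-999"), f.Calls)
}
```

Against the real service the wipe is queued, not completed, when 204 comes back; if the device must demonstrably be wiped before its record disappears, poll the managed device's action state before issuing the DELETE rather than chaining the two calls immediately.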
We built an iOS app using the Apple Push Notification feature. We integrated everything the Apple docs told us, including provisioning profiles etc. A test in development mode worked fine with Apple tools. The same should follow in the near future with Google, but I'm talking here just about the iOS implementation...
Our backend on Azure collects the registration IDs from all iOS apps properly. I mean: we are storing the token retrieved from registration directly at Apple's services.
Now we want to use Azure to send Push Notifications to all our apps. But I´m confused from reading the Microsoft documentation:
Must my mobile apps register to Apple or to Microsoft with corresponding SDK?
We don't use the MS SDK on the app side. We just register at Apple. Can we send push notifications to our iOS apps (just a simple broadcast to all registered apps) with Azure?
Our backend on Azure collects the registration IDs from all iOS apps properly. I mean: we are storing the token retrieved from registration directly at Apple's services.
Where are you storing them? You have to store/register the device tokens at your Azure Notification Hub.
Must my mobile apps register to Apple or to Microsoft with corresponding SDK?
Your app has to get a device token from APNS and then register this token at your Azure Notification Hub, so basically you have to do both.
Have a look at the documentation here. On a high level the whole process looks like this:
We don't use the MS SDK on the app side.
You don't have to use the SDK, you can use the REST API.
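The answer's point is that the device token from APNs has to be registered with the hub, and that this can be done over the REST API without the SDK. The following is an added example (not code from the answer and not a Microsoft SDK) of what that backend call consists of in Go: the Shared Access Signature the hub authenticates with, built as HMAC-SHA256 over the URL-encoded resource URI plus "\n" plus the expiry, a server-side VerifySAS mirror of that check, the Atom/XML registration body for an APNs token, and the assembled POST. The namespace "demo", hub "demohub", key name, key and device token are constructed placeholders; signing the hub URL (rather than the full request URL) as the resource is this example's choice.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// SASToken builds the Shared Access Signature the hub's REST endpoints accept.
// The string-to-sign is the URL-encoded resource URI, a newline and the Unix expiry;
// the identical encoded URI is carried in sr= so the service reproduces the same HMAC.
func SASToken(resourceURI, keyName, key string, expiry time.Time) string {
	sr := url.QueryEscape(resourceURI)
	se := strconv.FormatInt(expiry.Unix(), 10)
	mac := hmac.New(sha256.New, []byte(key))
	mac.Write([]byte(sr + "\n" + se))
	sig := base64.StdEncoding.EncodeToString(mac.Sum(nil))
	return fmt.Sprintf("SharedAccessSignature sr=%s&sig=%s&se=%s&skn=%s", sr, url.QueryEscape(sig), se, keyName)
}

// VerifySAS is the check the service performs: parse the token, recompute the HMAC
// with the named key, compare in constant time, and reject expired tokens.
func VerifySAS(token string, keys map[string]string, now time.Time) bool {
	const prefix = "SharedAccessSignature "
	if !strings.HasPrefix(token, prefix) {
		return false
	}
	q, err := url.ParseQuery(strings.TrimPrefix(token, prefix))
	if err != nil {
		return false
	}
	se, err := strconv.ParseInt(q.Get("se"), 10, 64)
	if err != nil || now.Unix() >= se {
		return false
	}
	key, ok := keys[q.Get("skn")]
	if !ok {
		return false
	}
	got, err := base64.StdEncoding.DecodeString(q.Get("sig"))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, []byte(key))
	mac.Write([]byte(url.QueryEscape(q.Get("sr")) + "\n" + q.Get("se")))
	return hmac.Equal(got, mac.Sum(nil))
}

// appleRegistration is the hub's native APNs registration; the namespace is the Service Bus one.
type appleRegistration struct {
	XMLName     xml.Name `xml:"http://schemas.microsoft.com/netservices/2010/10/servicebus/connect AppleRegistrationDescription"`
	Tags        string   `xml:"Tags,omitempty"`
	DeviceToken string   `xml:"DeviceToken"`
}

type atomContent struct {
	Type string `xml:"type,attr"`
	Desc appleRegistration
}

type atomEntry struct {
	XMLName xml.Name    `xml:"http://www.w3.org/2005/Atom entry"`
	Content atomContent `xml:"content"`
}

// RegistrationBody wraps the hex APNs device token (as delivered to
// didRegisterForRemoteNotificationsWithDeviceToken) and optional tags in the Atom entry the hub expects.
func RegistrationBody(deviceToken string, tags []string) (string, error) {
	if _, err := hex.DecodeString(deviceToken); err != nil || deviceToken == "" {
		return "", fmt.Errorf("device token must be the hex form of the APNs token")
	}
	entry := atomEntry{Content: atomContent{Type: "application/xml",
		Desc: appleRegistration{Tags: strings.Join(tags, ","), DeviceToken: deviceToken}}}
	out, err := xml.Marshal(entry)
	if err != nil {
		return "", err
	}
	return xml.Header + string(out), nil
}

// NewRegistrationRequest assembles the POST that creates a registration; the SAS goes in Authorization as-is.
func NewRegistrationRequest(namespace, hub, keyName, key, body string, now time.Time) (*http.Request, error) {
	hubURL := fmt.Sprintf("https://%s.servicebus.windows.net/%s", namespace, hub)
	req, err := http.NewRequest(http.MethodPost, hubURL+"/registrations/?api-version=2015-01", strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", SASToken(hubURL, keyName, key, now.Add(10*time.Minute)))
	req.Header.Set("Content-Type", "application/atom+xml;type=entry;charset=utf-8")
	req.Header.Set("x-ms-version", "2015-01")
	return req, nil
}

func main() {
	body, _ := RegistrationBody("0a1b2c3d4e5f", []string{"ios", "broadcast"}) // constructed token and tags
	req, _ := NewRegistrationRequest("demo", "demohub", "DefaultFullSharedAccessSignature", "constructed-key", body, time.Now())
	fmt.Println(req.Method, req.URL, "\n"+req.Header.Get("Authorization")+"\n"+body)
}
```

Keep the signing key on the backend only: the token an app would need to register itself can be minted with a short expiry and the listen-only key, and the hub ignores the APNs token's origin, so tag assignment (which decides who receives a broadcast) should be validated server-side rather than trusted from the device.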
I am creating a web portal that controls the devices (like switching them on/off) and visualizes the data sent by those devices (endpoints). I have generated a Java SDK. Do I use that SDK in my web portal, or is it just for a device that sends telemetry data?
It is preferable to use the generated SDK only for the device that sends telemetry data.
There is no point in attaching the SDK to your web application, since that part of the system is not treated as an endpoint. It is bad practice to include the endpoint SDK in places where the lion's share of its functionality would be ignored.