microsoftconnect/intune-app-wrapping-tool-ios

Intune MAM Sign-In failure with 19.20

Closed this issue · 4 comments

Describe the bug:
When launching an app wrapped with 19.2.0 and the new required iOS parameters (-ar, -ac, -aa) the app throws an error "Unexpected Failure".

https://learn.microsoft.com/en-us/mem/intune/fundamentals/in-development#wrapped-ios-apps-and-ios-apps-using-the-intune-app-sdk-will-require-azure-ad-app-registration

NOTE:

  • The mobile app itself is unchanged. We only rewrapped it using the new required parameters and new wrapping tool.
  • The app uses Microsoft Tunnel for access to the required resources. Tunnel is operating fine with the Prod App that has been wrapped with 18.x.x and does not have the new required parameters.

To Reproduce
Steps to reproduce the behavior:

  1. Launch the App results in the following message (see attached).
    NOTE: The mobile app throws the error before you are presented with the Microsoft Sign-In dialog on first launch.

Expected behavior:
Mobile app launches, prompts for Intune MAM login, user signs in or does brokered auth, applies App Protection Policy, closes and opens mobile app to splash screen

Screenshots and logs:
The wrapping process with 19.2.0 is successful. The mobile app itself has not changed. We are updating iOS apps to accommodate the new requirement for MAM enabled iOS apps to be wrapped with -ar, -ac, -aa parameters.

Configuration scan completed
2024-03-21T11:12:21.128Z INFO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: MAM_CHECKPOINT: Starting login.
2024-03-21T11:12:21.129Z ERRO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: Failed to instantiate MSALPublicClientApplication
2024-03-21T11:12:21.129Z ERRO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: Failed to instantiate CMARADAuthenticationContext. Ensure the appropriate version of ADAL is included in the application
2024-03-21T11:12:21.129Z WARN com.sanitized tid=11 id=(nil),ui=(nil),io=(nil) IntuneMAM: TID=14010 MSAL 1.2.18 iOS 17.2.1 [2024-03-21 11:12:21] Encountered error with code -51118, description Masked(not-null), (null), error code: 0
2024-03-21T11:12:21.130Z INFO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: MAM_CHECKPOINT: Login/Logout failed with error: Error Domain=com.microsoft.intunemam.authentication Code=3 "(null)" UserInfo={CMARScrubbedUserInfo=6e8f35280386d26f5b485c936e45cbfdebf8013414972aeddf44c04cfb22e22d}
2024-03-21T11:12:21.130Z ERRO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: Login/Logout failed with error: Error Domain=com.microsoft.intunemam.authentication Code=3 "(null)" UserInfo={CMARScrubbedUserInfo=6e8f35280386d26f5b485c936e45cbfdebf8013414972aeddf44c04cfb22e22d}
2024-03-21T11:12:21.132Z INFO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: MAM_CHECKPOINT: Alert - Unexpected failure. Contact your organization's support team for help.
2024-03-21T11:12:21.133Z INFO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: MAMAlert reason: 3, context:com.microsoft.intunemam.authentication : 3
2024-03-21T11:12:21.139Z INFO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: Displaying the alert view controller
2024-03-21T11:12:44.635Z INFO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: MAM_CHECKPOINT: Starting login.
2024-03-21T11:12:44.636Z ERRO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: Failed to instantiate MSALPublicClientApplication
2024-03-21T11:12:44.636Z ERRO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: Failed to instantiate CMARADAuthenticationContext. Ensure the appropriate version of ADAL is included in the application
2024-03-21T11:12:44.636Z WARN com.sanitized tid=4 id=(nil),ui=(nil),io=(nil) IntuneMAM: TID=14010 MSAL 1.2.18 iOS 17.2.1 [2024-03-21 11:12:44] Encountered error with code -51118, description Masked(not-null), (null), error code: 0
2024-03-21T11:12:44.636Z INFO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: MAM_CHECKPOINT: Login/Logout failed with error: Error Domain=com.microsoft.intunemam.authentication Code=3 "(null)" UserInfo={CMARScrubbedUserInfo=6e8f35280386d26f5b485c936e45cbfdebf8013414972aeddf44c04cfb22e22d}
2024-03-21T11:12:44.636Z ERRO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: Login/Logout failed with error: Error Domain=com.microsoft.intunemam.authentication Code=3 "(null)" UserInfo={CMARScrubbedUserInfo=6e8f35280386d26f5b485c936e45cbfdebf8013414972aeddf44c04cfb22e22d}
2024-03-21T11:12:44.639Z INFO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: MAM_CHECKPOINT: Alert - Unexpected failure. Contact your organization's support team for help.
2024-03-21T11:12:44.639Z INFO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: MAMAlert reason: 3, context:com.microsoft.intunemam.authentication : 3
2024-03-21T11:12:44.646Z INFO com.sanitized tid=1 id=(nil),ui=(nil),io=(nil) IntuneMAM: Displaying the alert view controller

Smartphone (please complete the following information):

  • iOS devices, various models and OS'

Intune app wrapping tool (please complete the following information):

  • What version of the wrapper are you using? Are you using the latest version? 19.2.0
  • What platform is your app based in (Java, Xamarin based, Cordova, etc)? unknown. owned by 3rd party.
  • For pre-wrapping errors, does the app build without being wrapped? none
  • For post-wrapping errors, does the app launch without being wrapped? none
  • Who is the customer? Business users.
  • Do you see a trend with it only being reproduced on a specific device? This occurs across all iOS/iPadOS devices with the app wrapped with the new required parameters.

Additional context:
Confirmed the -aa, -ar, -ac parameters are correct in the App Registration, Redirect URIs are correct, API Permissions are set on the App Registration and there were no issues with wrapping.

We only have an App Registration, no Enterprise App.

Thank you for reaching out. Could you please provide us with the complete logs? Looking at the snippet provided, it seems that your application is currently facing an issue creating an instance of the PCA (Public Client App), which indicates a possible issue with MSAL being initialized. I kindly recommend upgrading to the latest version of MSAL, which is 1.3.1. I noticed that you are currently four versions behind.

I've attached the full log file.

We have asked the partner doing the wrapping to ensure the latest version of MSAL is included on the build machine before wrapping.

Note: We took an unwrapped version of this app and wrapped using our enterprise build machine and certificate; it worked normally. The issue seems to be related to MSAL and not the App Registration. Still investigating what might be causing the issue... xcode version, msal version, enterprise cert, other deps, etc.

@ChismanRaheem - We resolved this but I believe we also found a bug in 19.2.0.

The iOS wrapping tool doesn't seem to properly handle quotes on some CLI parameters even though it's documented to use quotes for -ar (https://learn.microsoft.com/en-us/mem/intune/developer/app-wrapper-prepare-ios#command-line-parameters).

Check your IntuneMAMSettings in the IntuneMAMDiagnosticFiles.txt. The ADALAuthority (aa) and ADALRedirectUri (ar) have double, double quotes. It appears that the wrapping tool doesn't properly handle this during the wrapping process.

"IntuneMAMSettings" : {
  "ADALClientId" : "CMARScrubbedOID:scrubbed7",
  "OrigAppIdPrefix" : "scrubbed",
  "ADALAuthority" : "“https:\/\/login.microsoftonline.com\/scrubbedtenantid”",
  "AutoEnrollOnLaunch" : true,
  "AppIdPrefix" : "scrubbed",
  "OrigBundleIdPrefix" : "com.bundeid",
  "MultiIdentity" : false,
  "BundleIdPrefix" : "com.bundleid",
  "IsAppPackagedByIntunePackager" : true,
  "MAMPolicyRequired" : true,
  "ADALRedirectUri" : "“msauth.com.com.bundeid:\/\/auth”"
},
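
The check described in the last comment can be automated before a wrapped build is distributed. The following is an added example, not code from this thread or from Microsoft: it audits an IntuneMAMSettings object for values that carry literal straight or typographic quotes and confirms the two URI settings still parse. The function name, the sample bundle ID and the tenant placeholder are assumptions.

```python
import json
from urllib.parse import urlsplit

# Quote characters that should never wrap a settings value (straight and typographic).
QUOTES = "\"'\u201c\u201d\u2018\u2019"
# Settings the thread identifies as affected; both must be usable URIs.
URI_KEYS = ("ADALAuthority", "ADALRedirectUri")


def audit_mam_settings(settings):
    """Return (key, problem) pairs for string values that start or end with a
    literal quote, or for URI settings that lack a scheme and host."""
    findings = []
    for key, value in settings.items():
        if not isinstance(value, str) or not value:
            continue  # booleans and empty values are out of scope here
        if value[0] in QUOTES or value[-1] in QUOTES:
            findings.append((key, "literal quote character embedded in value"))
            continue
        if key in URI_KEYS:
            parts = urlsplit(value)
            if not parts.scheme or not parts.netloc:
                findings.append((key, "not a scheme://host URI"))
    return findings


# Constructed sample shaped like the IntuneMAMSettings excerpt above
# (hypothetical bundle ID, placeholder tenant ID and client ID).
BROKEN = json.loads(r'''
{"IntuneMAMSettings": {
  "ADALClientId": "00000000-0000-0000-0000-000000000000",
  "ADALAuthority": "\u201chttps:\/\/login.microsoftonline.com\/TENANT-ID-PLACEHOLDER\u201d",
  "ADALRedirectUri": "\u201cmsauth.com.example.app:\/\/auth\u201d",
  "MAMPolicyRequired": true
}}
''')["IntuneMAMSettings"]

# The same settings as they should look after wrapping.
CLEAN = {
    "ADALAuthority": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER",
    "ADALRedirectUri": "msauth.com.example.app://auth",
}

if __name__ == "__main__":
    for key, problem in audit_mam_settings(BROKEN):
        print(f"{key}: {problem}")
```
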