microsoftconnect/intune-app-wrapping-tool-ios

Wrapped applications are not using the Authenticator App for brokered authentication

alexk-84 opened this issue · 5 comments

Describe the bug:
We do have a few custom-built apps which are wrapped with the wrapping tool.
The unwrapped apps do not need any authentication.
We are wrapping them so we are able to use app protection policies.

After wrapping we are deploying them as "Managed iOS line-of-business app" to the devices.
On launch the popup appears saying it is necessary to sign in to protect the data.

In the background it seems the app tries to authenticate to Azure AD and is redirected to our on-premises (federated) identity provider.
We are using certificate-based authentication only, and it seems the app cannot access the user certificate, as none is delivered to our IdP.

Microsoft apps are using the Authenticator app for authentication, because as I understand it only the Authenticator app can access the user certificate.

Is it possible to tell the Intune Wrapping Tool to use the Authenticator app for brokered authentication?

Expected behavior:
Authenticator app is used for brokered authentication.

Screenshots and logs:
[screenshot: unable_to_authenticate]

Smartphone (please complete the following information):

  • iPhone (15.2), iPad (15.3)

Thanks

Hi @alexk-84,

You can use the -aa, -ac, and -ar command-line parameters to specify your app's Authority URI, AAD Client ID, and Redirect URI. This will allow the wrapped application to use the Authenticator application. See the Command-line parameters section in the App Wrapper Tool documentation for more details: https://docs.microsoft.com/en-us/mem/intune/developer/app-wrapper-prepare-ios

Thanks,
Neil

Hi,

We have created an app registration in Azure AD with the Bundle ID and the Redirect URI (same as configured with the -ar parameter) and gave the app the permission "DeviceManagementManagedApps.ReadWrite".

-ac https://login.microsoftonline.com/"our TenantID"
-ac "our client id of the created application in AzureAD"
-ar msauth."our bundle id of the app"://auth

Now we do get the following error message:
[screenshot: account_not_set_up]

I have traced the network traffic with Fiddler, but the wrapped app does not do any traffic / connection attempt.

Part of the IntuneMAMDiagnosticsFiles.txt:
[attachment: intuneMAMDiagnostic-log.txt]

As there is an entry "Failed to instantiate MSALPublicClientApplication", did we misspell one of the parameters?
Or is there any other parameter we need to configure?

Thanks,
alex

@alexk-84 If I recall correctly, I ran into this same issue, and it was because of the supported account types. I needed to change it to "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" from single tenant.

[screenshot: image]

Hi @alexk-84,

The "Failed to instantiate MSALPublicClientApplication" error can occur if one of the three MSAL parameters is missing or in the wrong format. I noticed above you listed the -ac parameter twice. Was that just a typo in your message? If so, could you send me the Info.plist of the app after wrapping? You can email it to neiljac@microsoft.com.

Thank you,
Neil

Hi,

@jamgarci-MSFT I tried your suggestion, but got the same error.

@neiljac1 took a look at our Info.plist and we were missing some settings.
We had to add msauthv2 and msauthv3 to LSApplicationQueriesSchemes
and msauth."bundle id of the app" to the URL Schemes under URL Types.

Now it is working as expected.

Thank you guys for your help!
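Added example, not code from this thread or from the Intune App Wrapping Tool project: a small Python check for the Info.plist entries the thread ends up needing (msauthv2/msauthv3 in LSApplicationQueriesSchemes, and a msauth.<bundle id> URL scheme under CFBundleURLTypes matching the -ar redirect URI of the form msauth.<bundle id>://auth). The bundle id com.example.lobapp and the plist documents are constructed samples, not files from the issue; the script serializes them with plistlib only so it runs offline, and the same check_info_plist function works on a real wrapped app's Info.plist read from disk.

```python
import plistlib

# Constructed samples: the bundle id and both plists below are assumptions for the
# example, not the reporter's files. The keys checked are the ones the thread says
# had to be added after wrapping.

MSAL_BROKER_SCHEMES = ["msauthv2", "msauthv3"]  # must be in LSApplicationQueriesSchemes


def broker_url_scheme(bundle_id):
    """URL scheme the wrapped app must register so the broker can return to it."""
    return f"msauth.{bundle_id}"


def redirect_uri(bundle_id):
    """Value passed as -ar in the thread: msauth.<bundle id>://auth."""
    return f"{broker_url_scheme(bundle_id)}://auth"


def build_plist(bundle_id, query_schemes, url_schemes):
    """Serialize a minimal Info.plist (constructed sample) with the MSAL-relevant keys."""
    doc = {
        "CFBundleIdentifier": bundle_id,
        "LSApplicationQueriesSchemes": list(query_schemes),
        "CFBundleURLTypes": [
            {"CFBundleURLName": bundle_id, "CFBundleURLSchemes": list(url_schemes)}
        ],
    }
    return plistlib.dumps(doc)


def check_info_plist(plist_bytes, bundle_id):
    """Return a list of problems found in an Info.plist; an empty list means it is complete."""
    doc = plistlib.loads(plist_bytes)
    problems = []

    # 1. The app must be allowed to query the broker's URL schemes.
    present = set(doc.get("LSApplicationQueriesSchemes", []))
    for scheme in MSAL_BROKER_SCHEMES:
        if scheme not in present:
            problems.append(f"LSApplicationQueriesSchemes missing {scheme}")

    # 2. The app must register the msauth.<bundle id> scheme used by the redirect URI.
    declared = set()
    for url_type in doc.get("CFBundleURLTypes", []):
        declared.update(url_type.get("CFBundleURLSchemes", []))
    expected = broker_url_scheme(bundle_id)
    if expected not in declared:
        problems.append(f"CFBundleURLTypes missing URL scheme {expected}")

    return problems


if __name__ == "__main__":
    bid = "com.example.lobapp"  # assumed bundle id
    complete = build_plist(bid, MSAL_BROKER_SCHEMES, [broker_url_scheme(bid)])
    incomplete = build_plist(bid, ["msauthv2"], [])  # the kind of gap the thread hit
    print("redirect URI:", redirect_uri(bid))
    print("complete plist:", check_info_plist(complete, bid))
    print("incomplete plist:", check_info_plist(incomplete, bid))
```

To check a real wrapped app, extract Info.plist from the output .ipa and pass its bytes to check_info_plist together with the bundle id you used in the -ar parameter; an empty result means the two plist fixes from the thread are in place, though it says nothing about the -aa/-ac values themselves.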