Intune registerAndEnroll method Not Working after OneDrive SDK Integration #158
Comments
Hi @DavidB948 - Prior to integrating the OneDrive SDK, was the app calling registerAndEnrollAccount? Or was a switch made from loginAndEnrollAccount after integrating with OneDrive?
Hi @Kyle-Reis - registerAndEnrollAccount was being used for Intune enrolment, both before and after the OneDrive SDK integration. No method switching was made.
Thanks @DavidB948, then I assume the app does its own authentication with MSAL before calling registerAndEnrollAccount? Has anything changed there? Is a different client ID being used? The error suggests that MSAL was unable to find a cached token that it could use for silent Intune enrollment.
Hi @Kyle-Reis, yes, MSAL login is being used before calling registerAndEnrollAccount for silent Intune enrolment. There is no different client ID being used (still the same app and the same client ID). This happens after the OneDrive SDK integration. My concern is: could it be that Intune silent enrolment is now linked to the OneDrive login? This is because there will be a OneDrive login UI prompt when the user triggers an upload of a file to OneDrive. However, this OneDrive login shouldn't be prompted before Intune enrolment at the beginning of the app launch. The current flow is just MSAL login > Intune enrolment, and the OneDrive login will only be prompted whenever the user triggers an upload of files to OneDrive. Any suggestion on how to fix this? We are expecting Intune silent enrolment to be successful after a successful MSAL login.
Hey @DavidB948 - is Intune configured to use the same AAD client ID and redirect URI as the app, as mentioned here: https://docs.microsoft.com/mem/intune/developer/app-sdk-ios#configure-msal-settings-for-the-intune-app-sdk
Note: The IntuneMAMSettings Info.plist dictionary keys are case sensitive.
@Kyle-Reis Yes, the same AAD client ID and redirect URI are used for the Intune configuration. As mentioned, silent Intune enrolment through calling the registerAndEnrollAccount method was working as expected before the OneDrive SDK integration. Is the OneDrive login affecting the adalcache keychain sharing, thus causing the Intune enrolment to fail?
@DavidB948 - If OneDrive SDK auth isn't happening until after the app's auth and Intune enrollment, I don't think it would impact Intune enrollment. I'm wondering if some other factor might be involved. Were both versions tested on the same device? Or was each tested on a different device? Could you also confirm that the app configures MSAL to use a WKWebView when prompting the user for credentials, as mentioned here: https://docs.microsoft.com/mem/intune/developer/app-sdk-ios#special-considerations-when-using-msal-for-app-initiated-authentication. Also, is the com.microsoft.adalcache keychain sharing group configured for both versions of the app?
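The two checks asked about above (MSAL driving a WKWebView, and the com.microsoft.adalcache keychain group shared with the Intune SDK) put together in one Swift sign-in-then-enroll flow, as an added example that is not code from this issue or from the Intune/MSAL projects. The client ID, redirect URI, authority and scopes are placeholders, and the MSAL 1.x / Intune SDK 14.x API names are used as I know them, so treat them as assumptions to check against the SDK headers in the app.

```swift
import UIKit
import MSAL
import IntuneMAMSwift

// Placeholder registration values (assumed for illustration; use the app's own).
let clientId = "<your-aad-client-id>"
let redirectUri = "msauth.<your-bundle-id>://auth"
let authorityUrl = URL(string: "https://login.microsoftonline.com/common")!
let scopes = ["https://graph.microsoft.com/User.Read"]

final class SignInCoordinator: NSObject, IntuneMAMEnrollmentDelegate {
    private var msalApp: MSALPublicClientApplication?

    func configureMSAL() throws {
        let authority = try MSALAADAuthority(url: authorityUrl)
        let config = MSALPublicClientApplicationConfig(clientId: clientId,
                                                       redirectUri: redirectUri,
                                                       authority: authority)
        // Same keychain group the Intune SDK reads cached tokens from;
        // the app's Keychain Sharing entitlement must list it as well.
        config.cacheConfig.keychainSharingGroup = "com.microsoft.adalcache"
        msalApp = try MSALPublicClientApplication(configuration: config)
        IntuneMAMEnrollmentManager.instance().delegate = self
    }

    func signInThenEnroll(from viewController: UIViewController) {
        guard let app = msalApp else { return }
        let webParams = MSALWebviewParameters(authPresentationViewController: viewController)
        webParams.webviewType = .wkWebView   // Intune requires WKWebView for app-initiated auth
        let params = MSALInteractiveTokenParameters(scopes: scopes, webviewParameters: webParams)
        app.acquireToken(with: params) { result, error in
            guard let result = result, error == nil else {
                print("MSAL sign-in failed: \(String(describing: error))")
                return
            }
            // Hand the signed-in UPN to Intune; it looks for MSAL's token in the shared keychain.
            IntuneMAMEnrollmentManager.instance().registerAndEnrollAccount(result.account.username ?? "")
        }
    }

    // Enrollment outcome callback; a failure here is where the quoted "could not access
    // the user's AAD token" message surfaces.
    func enrollmentRequest(with status: IntuneMAMEnrollmentStatus) {
        if status.didSucceed {
            print("Intune enrollment succeeded for \(status.identity)")
        } else {
            print("Intune enrollment failed (\(status.statusCode.rawValue)): \(status.errorString ?? "")")
        }
    }
}
```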
@Kyle-Reis - Thank you for your prompt reply.
Above are some behaviours I noticed with both versions of the app. We would like the Intune enrolment to work consistently, like in the previous version.
Hey @DavidB948 - I've been looking into this, and I think the root cause may be that the OneDrive SDK directly links to an old version of ADAL, and Intune detects the presence of ADAL and attempts to use it to silently enroll the user. However, this version of ADAL can't parse the tokens written by MSAL when your application authenticated. We'll be looking into making a change to have Intune use MSAL if both MSAL and ADAL are detected in the app. However, I don't think this would be the right approach for your app, as linking to both ADAL and MSAL in the same application is not supported. Furthermore, I noticed that there haven't been any recent commits to the OneDrive SDK repo (the last one was over 2 years ago), so I reached out to some contacts on the OneDrive team and confirmed that the SDK is no longer being maintained or supported. I think the right way forward would be to access OneDrive via the Microsoft Graph API. Hope this helps!
Dear @Kyle-Reis, thank you very much for checking. I think you are right.
Closing stale issues. Please reopen if you still need help with this.
@Kyle-Reis
Our app was using MSAL and Intune. The Intune enrolment was working consistently. However, after integrating with the OneDrive SDK, we are facing an Intune enrolment error.
We are getting an error message of:
"The operation failed because the SDK could not access the user's AAD token. The application should prompt the user for credentials to refresh the user's AAD token."
We have already done
" 6. Under Delegated Permissions, select the DeviceManagementManagedApps.ReadWrite: Read and Write the User's App Management Data* checkbox. "
in https://docs.microsoft.com/en-us/mem/intune/developer/app-sdk-get-started#give-your-app-access-to-the-intune-app-protection-service-optional
MSAL Version: 1.1.11
Intune SDK Version: 14.1.3
OneDrive SDK Version: 1.3.0
Any ideas to fix this? We need to upload files to OneDrive. Please help.