
Intune registerAndEnroll method Not Working after OneDrive SDK Integration #158

Closed
DavidB948 opened this issue Apr 8, 2021 · 11 comments

Comments

@DavidB948

DavidB948 commented Apr 8, 2021

@Kyle-Reis

Our app was using MSAL and Intune. The Intune enrolment was working consistently. However, after integrating the OneDrive SDK, we are facing an Intune enrolment error.

We are getting the following error message:
"The operation failed because the SDK could not access the user's AAD token. The application should prompt the user for credentials to refresh the user's AAD token."

We have already done step 6, "Under Delegated Permissions, select the DeviceManagementManagedApps.ReadWrite: Read and Write the User's App Management Data checkbox", in https://docs.microsoft.com/en-us/mem/intune/developer/app-sdk-get-started#give-your-app-access-to-the-intune-app-protection-service-optional

MSAL Version: 1.1.11
Intune SDK Version: 14.1.3
OneDrive SDK Version: 1.3.0

Any ideas to fix this? We need to upload files to OneDrive. Please help.

@Kyle-Reis
Collaborator

Hi @DavidB948 - Prior to integrating the OneDrive SDK, was the app calling registerAndEnrollAccount? Or was a switch made from loginAndEnrollAccount after integrating with OneDrive?

@DavidB948
Author

DavidB948 commented Apr 8, 2021

Hi @Kyle-Reis - registerAndEnrollAccount was being used for Intune enrolment, both before and after the OneDrive SDK integration. No method switch was made.

@Kyle-Reis
Collaborator

Thanks @DavidB948, then I assume the app does its own authentication with MSAL before calling registerAndEnrollAccount? Has anything changed there? Is a different client ID being used? The error suggests that MSAL was unable to find a cached token that it could use for silent Intune enrollment.

@DavidB948
Author

DavidB948 commented Apr 9, 2021

Hi @Kyle-Reis, yes, MSAL login is being used before calling registerAndEnrollAccount for silent Intune enrollment. No different client ID is being used (still the same app and the same client ID). This happens after the OneDrive SDK integration.

My concern is whether Intune silent enrolment is now linked to the OneDrive login. This is because there will be a OneDrive login UI prompt when the user triggers a file upload to OneDrive. However, this OneDrive login shouldn't be prompted before Intune enrolment at the beginning of the app launch. The current flow is just MSAL login > Intune enrolment, and the OneDrive login will only be prompted later, whenever the user triggers an upload of files to OneDrive.

Any suggestion on how to fix this? We expect Intune silent enrolment to succeed after a successful MSAL login.

@Kyle-Reis
Collaborator

Hey @DavidB948 - is Intune configured to use the same AAD client ID and redirect URI as the app as mentioned here: https://docs.microsoft.com/mem/intune/developer/app-sdk-ios#configure-msal-settings-for-the-intune-app-sdk

Note: The IntuneMAMSettings Info.plist dictionary keys are case sensitive

@DavidB948
Author

DavidB948 commented Apr 9, 2021

@Kyle-Reis Yes, the same AAD client ID and redirect URI are used for the Intune configuration. As mentioned, the silent Intune enrolment through calling the registerAndEnrollAccount method was working as expected before the OneDrive SDK integration. Is the OneDrive login affecting the adalcache keychain sharing, thus causing the Intune enrolment to fail?

@Kyle-Reis
Collaborator

@DavidB948 - If OneDrive SDK auth isn't happening until after the app's auth and Intune enrollment, I don't think it would impact Intune enrollment. I'm wondering if some other factor might be involved. Were both versions tested on the same device? Or was each tested on a different device? Could you also confirm that the app configures MSAL to use a WKWebView when prompting the user for credentials as mentioned here: https://docs.microsoft.com/mem/intune/developer/app-sdk-ios#special-considerations-when-using-msal-for-app-initiated-authentication. Also, is the com.microsoft.adalcache keychain sharing group configured for both versions of the app?
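As an added illustration (not code from this thread, nor from the Intune or MSAL projects), the MSAL configuration Kyle asks about, in Swift: MSAL forced to a WKWebView, the token cache placed in the com.microsoft.adalcache keychain sharing group, and the signed-in account handed to registerAndEnrollAccount. The `clientId`, `redirectUri` and `scopes` values and the `IntuneMAMSwift` module name are assumptions.

```swift
import UIKit
import MSAL
import IntuneMAMSwift  // assumed module name for the Intune App SDK Swift framework

// Constructed placeholder values; replace with the app registration's own.
let clientId = "00000000-0000-0000-0000-000000000000"
let redirectUri = "msauth.com.example.app://auth"
let scopes = ["DeviceManagementManagedApps.ReadWrite"]  // delegated permission named in the issue

enum AuthError: Error { case noAccount }

/// Interactive MSAL sign-in followed by silent Intune enrollment of the signed-in account.
/// The enrollment result is reported later through the app's IntuneMAMEnrollmentDelegate.
func signInAndEnroll(from viewController: UIViewController,
                     completion: @escaping (Result<String, Error>) -> Void) {
    do {
        let config = MSALPublicClientApplicationConfig(clientId: clientId,
                                                       redirectUri: redirectUri,
                                                       authority: nil)
        // Intune reads the token cache from this shared keychain group; the same
        // group must also be present in the app's Keychain Sharing entitlement.
        config.cacheConfig.keychainSharingGroup = "com.microsoft.adalcache"
        let app = try MSALPublicClientApplication(configuration: config)

        // Intune requires MSAL to prompt for credentials inside a WKWebView,
        // not the system browser or an authentication session.
        let webParams = MSALWebviewParameters(authPresentationViewController: viewController)
        webParams.webviewType = .wkWebView

        let params = MSALInteractiveTokenParameters(scopes: scopes, webviewParameters: webParams)
        app.acquireToken(with: params) { result, error in
            if let error = error { return completion(.failure(error)) }
            guard let upn = result?.account.username else {
                return completion(.failure(AuthError.noAccount))
            }
            // Silent enrollment: the SDK looks up the cached token for this identity.
            // If it cannot read that token, the error quoted in the issue is raised.
            IntuneMAMEnrollmentManager.instance().registerAndEnrollAccount(upn)
            completion(.success(upn))
        }
    } catch {
        completion(.failure(error))
    }
}
```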

@DavidB948
Author

DavidB948 commented Apr 12, 2021

@Kyle-Reis - Thank you for your prompt reply.

  1. Yes, both app versions are tested on the same device (the version before integrating the OneDrive SDK and the version after).

  2. Following your advice, we have just explicitly set the webview type for MSAL to WKWebView. Unfortunately, this still does not solve the issue, as the same error prompt is still observed.

  • In the previous version (without the OneDrive SDK), enrolment is successful after calling the registerAndEnrollAccount method. And when switching to a different user account, a misconfiguration alert with the message "Your it administrator wants you to login with this account: But you tried to login with . Contact your IT administrator for help." is prompted.
  • However, in the current version (with the OneDrive SDK), Intune enrolment fails. The only solution to this currently is to call the loginAndEnrollAccount method or the OneDrive login programmatically for the user to log in, then restart the app to allow a successful Intune enrolment. (This isn't what we want, as we expect enrolment to be successful after the first MSAL login, like before.)
    PS: Upon trying to switch to a different user account after a successful Intune enrolment, this time there is no misconfiguration alert like the one in the previous version. Instead, the same Intune-enrolment-failed message is prompted.

Above are some behaviours I noticed with both versions of the app. We would like the Intune enrolment to work consistently like it does in the previous version.

  3. Upon checking the issues in the OneDrive SDK repo, there is one issue relating to the OneDrive SDK not using WKWebView: Urgent :: Use of deprecated ADAL version OneDrive/onedrive-sdk-ios#214. Unsure if this is causing the issue?

@Kyle-Reis
Collaborator

Hey @DavidB948 - I've been looking into this, and I think the root cause may be that the OneDrive SDK directly links to an old version of ADAL, and Intune detects the presence of ADAL and attempts to use it to silently enroll the user. However, this version of ADAL can't parse the tokens written by MSAL when your application authenticated. We'll be looking into making a change to have Intune use MSAL if both MSAL and ADAL are detected in the app. However, I don't think this would be the right approach for your app, as linking to both ADAL and MSAL in the same application is not supported. Furthermore, I noticed that there haven't been any recent commits to the OneDrive SDK repo (last one was over 2 years ago), so I reached out to some contacts on the OneDrive team and confirmed that the SDK is no longer being maintained or supported. I think the right way forward would be to access OneDrive via the Microsoft Graph API. Hope this helps!

@DavidB948
Author

DavidB948 commented Apr 21, 2021

Dear @Kyle-Reis, thank you very much for checking. I think you are right.

  1. Yes, it would be nice if Intune could choose to use tokens from the authenticated MSAL instead. We were kinda hoping the OneDrive SDK could be updated to support MSAL authentication instead of ADAL, maybe with silent authentication as well, since the app is already authenticated via MSAL. We weren't intending to use both ADAL and MSAL in one app.
  2. Would it be possible for the Intune SDK to integrate saving files online to OneDrive for Business, instead of the local storage option, in the future? This is already available in the Intune SDK for Android.
  3. After reading about the Microsoft Graph API, it'd be helpful if you could provide us any iOS/Swift sample that utilizes the API for OneDrive authentication and file uploading to OneDrive for Business. We would like to know whether it is possible to bypass the OneDrive authentication and use tokens from the authenticated MSAL. Thanks in advance.

@ShruthiAchutha

Closing stale issues. Please reopen if you still need help with this.

ShruthiAchutha closed this as not planned (won't fix, can't repro, duplicate, stale) on Feb 23, 2024.