Problem:
1. After an iOS device is successfully registered, the application protection policy fails. What is the cause of the check-in failure?
2. Device check-in must be registered with the Azure Active Directory platform.
3. Are these operation procedures the same as the background configuration of Intune after uploading to the App Store (download link is configured in the App Store)?
Integration:
1. The frameworks:
(1) IntuneMAMSwift.xcframework
(2) IntuneMAMSwiftStub.xcframework
(3) MSAL (since our app needs to be sent to the App Store later, this framework will not be used in the future, but for testing we tested the two cases of using and not using it)
2. Configure Schemes, etc., according to the documentation, and configure "ADALClientId" or not for application registration. There are tests for both.
3. Packaged using a "Company account", signed with an Ad Hoc certificate, uploaded to "Microsoft Endpoint Manager" and configured as a line-of-business application.
The background configuration:
1. Add groups and users for testing
2. User configuration
(1) Configure the roles Global Administrator and Intune Administrator
(2) The two configured licenses are "Azure Active Directory Premium P2" and "Enterprise Mobility + Security E5"
3. Application configuration
(1) Configure a protection policy to prevent copying, pasting, and third-party keyboards
The test results:
1. The device is registered successfully
2. The application is installed successfully
3. Background deletion and other operations are successful
4. Failed to apply the protection policy
(1) View the process: Application > Monitor > Application Protection Status > iOS User Status > Select User
(2) Check the results:
Status: Unavailable
Delivered policy: None
Status: Not checked in, next synchronization...
Last synced time: never
5. Android is a success
6. Succeeded in adding a public application by checking in
From the test, it can be seen that the code should be wrong; the configuration is OK.
If MSAL is used:
Debug Message: The operation failed because the SDK could not access the user's AAD token. The application should prompt the user for credentials to refresh the user's AAD token.
NSString *kClientID = @"";      // left blank in the original post
NSString *kGraphEndpoint = @"https://graph.microsoft.com/";
NSString *kAuthority = @"https://login.microsoftonline.com/common";
NSString *kRedirectUri = @"";   // left blank in the original post
// Build the MSAL client; a nil authority falls back to the "common" endpoint.
MSALPublicClientApplicationConfig *config = [[MSALPublicClientApplicationConfig alloc]
    initWithClientId:kClientID
    redirectUri:kRedirectUri
    authority:nil];
NSError *configError = nil;
MSALPublicClientApplication *application = [[MSALPublicClientApplication alloc] initWithConfiguration:config error:&configError];
if (!application) {
    NSLog(@"MSAL init failed: %@", configError);
    return;
}
MSALWebviewParameters *webParameters = [[MSALWebviewParameters alloc] initWithAuthPresentationViewController:self];
webParameters.webviewType = MSALWebviewTypeWKWebView;
webParameters.presentationStyle = UIModalPresentationFullScreen;
MSALInteractiveTokenParameters *parameters = [[MSALInteractiveTokenParameters alloc] initWithScopes:@[@"User.Read", @"Calendars.Read"] webviewParameters:webParameters];
// The delegate must be set before enrollment so the status callbacks below are delivered.
[IntuneMAMEnrollmentManager instance].delegate = self;
[application acquireTokenWithParameters:parameters completionBlock:^(MSALResult *result, NSError *error) {
    if (error) {
        NSLog(@"acquireToken failed: %@", error);
        return;
    }
    MSALAccount *account = result.account;
    // Key was left blank in the original post.
    [[NSUserDefaults standardUserDefaults] setValue:account.homeAccountId.identifier forKey:@""];
    // registerAndEnrollAccount: expects the user's UPN (account.username), not the
    // MSAL home-account identifier; the SDK then looks the account up in the MSAL cache
    // using the client ID configured under IntuneMAMSettings in Info.plist.
    [[IntuneMAMEnrollmentManager instance] registerAndEnrollAccount:account.username];
}];
// IntuneMAMEnrollmentDelegate callbacks (instance methods need the leading "-").
- (void)enrollmentRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
{
    NSLog(@"enrollment result for identity %@ with status code %ld", status.identity, (long)status.statusCode);
    NSLog(@"Debug Message: %@", status.errorString);
}
- (void)policyRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
{
    NSLog(@"policy check-in result for identity %@ with status code %ld", status.identity, (long)status.statusCode);
    NSLog(@"Debug Message: %@", status.errorString);
}
- (void)unenrollRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
{
    NSLog(@"un-enroll result for identity %@ with status code %ld", status.identity, (long)status.statusCode);
    NSLog(@"Debug Message: %@", status.errorString);
}
If MSAL is not used:
If MSAL is not used, I completely do not know which method to call after the lines below.
[IntuneMAMEnrollmentManager instance].delegate = self;
[[IntuneMAMEnrollmentManager instance] loginAndEnrollAccount:nil];
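The debug message in the post says the SDK could not reach the user's AAD token and that the app should prompt for credentials. The following is an added example, not code from the post or from the Intune SDK samples, of an MSAL-first enrollment flow that tries a silent token, falls back to an interactive prompt only when MSAL reports that interaction is required, and hands the account's UPN to the enrollment manager. The class name, the umbrella header path, and the caller-supplied scopes are assumptions; it presumes IntuneMAMSettings (ADALClientId and the redirect URI) are already configured in Info.plist as described above.

```objective-c
#import <MSAL/MSAL.h>
#import <IntuneMAMSwift/IntuneMAMSwift.h>   // assumed umbrella header for IntuneMAMSwift.xcframework

// Hypothetical coordinator class; not part of the original post.
@interface EnrollmentCoordinator : NSObject <IntuneMAMEnrollmentDelegate>
@property (nonatomic, strong) MSALPublicClientApplication *application;
@property (nonatomic, weak) UIViewController *presenter;
@end

@implementation EnrollmentCoordinator
// Silent first: reuse the cached MSAL account so the SDK can refresh tokens without UI.
- (void)enrollWithScopes:(NSArray<NSString *> *)scopes {
    NSArray<MSALAccount *> *accounts = [self.application allAccounts:nil];
    if (accounts.count == 0) { [self promptWithScopes:scopes]; return; }
    MSALSilentTokenParameters *silent =
        [[MSALSilentTokenParameters alloc] initWithScopes:scopes account:accounts.firstObject];
    [self.application acquireTokenSilentWithParameters:silent
                                       completionBlock:^(MSALResult *result, NSError *error) {
        if (error) {
            // Only an interaction-required error justifies showing the sign-in UI again.
            if ([error.domain isEqualToString:MSALErrorDomain] && error.code == MSALErrorInteractionRequired) {
                [self promptWithScopes:scopes];
            }
            return;
        }
        [self enrollAccount:result.account];
    }];
}
- (void)promptWithScopes:(NSArray<NSString *> *)scopes {
    MSALWebviewParameters *web =
        [[MSALWebviewParameters alloc] initWithAuthPresentationViewController:self.presenter];
    MSALInteractiveTokenParameters *params =
        [[MSALInteractiveTokenParameters alloc] initWithScopes:scopes webviewParameters:web];
    [self.application acquireTokenWithParameters:params completionBlock:^(MSALResult *result, NSError *error) {
        if (!error) { [self enrollAccount:result.account]; }
    }];
}
- (void)enrollAccount:(MSALAccount *)account {
    [IntuneMAMEnrollmentManager instance].delegate = self;
    // The enrollment manager takes the UPN (account.username), not the home-account identifier.
    [[IntuneMAMEnrollmentManager instance] registerAndEnrollAccount:account.username];
}
// Delegate callbacks: didSucceed tells the two outcomes apart without decoding status codes.
- (void)enrollmentRequestWithStatus:(IntuneMAMEnrollmentStatus *)status {
    if (!status.didSucceed) { NSLog(@"enrollment failed for %@: %@", status.identity, status.errorString); }
}
- (void)policyRequestWithStatus:(IntuneMAMEnrollmentStatus *)status {
    NSLog(@"policy check-in %@ for %@", status.didSucceed ? @"succeeded" : @"failed", status.identity);
}
@end
```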