How to prepare your LOB app for Intune?
One of the aspects of Intune I struggled with was wrapping an LOB app. At first it feels like wrapping the app is all there is to it, but you need to understand some subtle architectural aspects to get the wrapping right.
App features
To get started, here are the app's features:
- The app uses Azure AD authentication
- The app is a hybrid app built on Cordova (supports iOS and Android)
- The app communicates with SharePoint Online (via REST) and is registered as an Azure AD native application, so conditional access is involved here
- "Send logs via email": this feature matters because wrapping the application will restrict email and data-sharing capabilities according to the policy
Intune Way
You can wrap the application in two ways
- Using Intune Wrapping Tool
- Use the Cordova plugin
Please visit the link for more details
The Intune wrapping tool is pretty straightforward, but I had issues while wrapping a Salesforce SDK based application. I could work through the iOS issues and make the application work; I could never get the Android version to work because of conflicts. I will share that experience in another post.
When it came to the Intune SDK, the integration experience was better. If you look at the feature comparison, the SDK has a little more to offer, but I suggest you weigh your options against the checklist provided in the article.
There are two ways you can deploy it:
- Pure MAM (configured in the Azure portal)
- MAM with MDM (configured in the Intune portal, manage.microsoft.com)
Pure MAM is straightforward and your job is done once you wrap the app. The tricky part is enabling brokered authentication, because the app accesses SharePoint Online data and conditional access is enabled.
But first things first: I use https://github.com/AzureAD/azure-activedirectory-library-for-cordova for authentication in the wrapped application.
Gotchas!
- Always install the ADAL plugin and the Intune MAM plugin separately, one after the other:
- cordova plugin add cordova-plugin-ms-adal
- cordova plugin add cordova-plugin-ms-intune-mam
- For Android I couldn't find a way to build the wrapped application from Android Studio. I had to do it the Cordova CLI way, with "cordova build".
- Don't update Gradle from 2.2.1 to 2.14.1. It ran me into multiple issues. Refer to https://developer.android.com/studio/releases/gradle-plugin.html#updating-gradle for more details.
- The bug is tracked at https://github.com/AzureAD/azure-activedirectory-library-for-android/issues/724 and should be fixed in Android Studio 2.3. I was using Android Studio 2.2.1.
- The error looks like this: "com.microsoft.aad.adal.AuthenticationCallback"'s signer information does not match signer information of other classes in the same package". It is a java.lang.SecurityException raised by the class loader when two JARs contribute classes to the same package (here com.microsoft.aad.adal) but do not carry the same signature, typically a signed ADAL JAR next to an unsigned copy pulled in by another plugin.
- Another issue is that the Intune plugins conflict with an already installed push notification plugin on Android: the install fails with INSTALL_FAILED_DUPLICATE_PERMISSION for the C2D_MESSAGE permission, see http://stackoverflow.com/questions/27043933/install-failed-duplicate-permission-c2d-message
- One important aspect is setting up your keystore for signing the Android APK. Please follow the instructions at https://docs.microsoft.com/en-us/intune/develop/intune-app-sdk-cordova#how-to-build-the-plugin-into-your-android-app
- If you need to reinstall the plugin for some reason, always remove and re-add the iOS platform. It solves a lot of issues.
- cordova platform remove ios
- cordova platform add ios
- If you are facing build issues, it usually means you have NOT installed the ADAL and Intune MAM plugins one after the other. In Xcode navigate to the target's Build Settings, find Other Linker Flags, and try removing some of the -force_load parameters.
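The signer-mismatch error above means two JARs are supplying classes to one package with different signatures. The following is an added diagnostic of my own, not code from the post or from the Intune/ADAL projects: it walks the JARs under a build tree (for Cordova, platforms/android) and reports packages that are split across JARs whose signing state differs. The sample JARs it builds are constructed fixtures, and treating "contains META-INF/*.SF" as "signed" is a simplification that does not compare the actual signers.

```python
"""Added example: find Android packages split across differently-signed JARs,
the situation behind "signer information does not match signer information of
other classes in the same package". Not part of the original post."""
import os
import tempfile
import zipfile
from collections import defaultdict


def jar_packages(jar_path):
    """Return (packages, signed) for one JAR. Packages come from the directory
    part of each .class entry; 'signed' is a heuristic: a META-INF/*.SF is present."""
    packages = set()
    signed = False
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                pkg = name.rsplit("/", 1)[0].replace("/", ".") if "/" in name else ""
                packages.add(pkg)
            elif name.startswith("META-INF/") and name.upper().endswith(".SF"):
                signed = True
    return packages, signed


def find_split_packages(jar_paths):
    """Map package -> [(jar name, signed), ...] for packages owned by 2+ JARs."""
    owners = defaultdict(list)
    for jar in jar_paths:
        pkgs, signed = jar_packages(jar)
        for pkg in pkgs:
            owners[pkg].append((os.path.basename(jar), signed))
    return {pkg: o for pkg, o in owners.items() if len(o) > 1}


def signer_conflicts(jar_paths):
    """Only the split packages whose JARs disagree on signing: those are the
    ones the class loader rejects at runtime."""
    return {pkg: o for pkg, o in find_split_packages(jar_paths).items()
            if len({signed for _, signed in o}) > 1}


def collect_jars(root):
    """Every .jar below root, sorted for stable output."""
    found = []
    for dirpath, _, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files if f.endswith(".jar"))
    return sorted(found)


def make_sample_jar(path, class_entries, signed):
    """Constructed fixture: a minimal JAR with empty .class entries and,
    optionally, a dummy signature file."""
    with zipfile.ZipFile(path, "w") as zf:
        for entry in class_entries:
            zf.writestr(entry, b"")
        if signed:
            zf.writestr("META-INF/PLUGIN.SF", b"Signature-Version: 1.0\n")


def demo():
    """Two constructed JARs both contributing com.microsoft.aad.adal, only one
    of them signed; com.example.push lives in a single JAR and is not reported."""
    with tempfile.TemporaryDirectory() as d:
        make_sample_jar(os.path.join(d, "adal-signed.jar"),
                        ["com/microsoft/aad/adal/AuthenticationContext.class"], signed=True)
        make_sample_jar(os.path.join(d, "other-plugin.jar"),
                        ["com/microsoft/aad/adal/AuthenticationCallback.class",
                         "com/example/push/Receiver.class"], signed=False)
        return signer_conflicts(collect_jars(d))


if __name__ == "__main__":
    for pkg, owners in demo().items():
        print(pkg, "->", owners)
```

Point `collect_jars` at platforms/android of your Cordova project to see which plugin ships the second copy of the ADAL package; the fix is to drop that copy rather than to change linker or signing settings.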
Your Plist file looks as below.
Brokered Authentication
- Please read https://docs.microsoft.com/en-us/intune/deploy-use/use-apps-with-mam-ca to understand how it actually works.
- Android works with the Company Portal app. iOS needs both the Azure Authenticator app and the Company Portal app.
- Android (app identifier: com.jda.internal.mytestapp)
- Microsoft.ADAL.AuthenticationSettings.setUseBroker(true) is needed only on Android. iOS doesn't need it; iOS hands off to the broker through URI schemes.
- The next step is to prepare a redirect URI. The modified full code is at https://gist.github.com/pradeepkumargali/70322dd0270e386f98686674fdbb10af .
- The command in the gist gives you the Base64 URL-encoded signature hash of your signing certificate. The actual URL looks like msauth://com.jda.internal.mytestapp/ga0RGNYHvNM5d0SLGQfpQWAPGJ8=
- If your URL is not right, check the JS console: the error tells you exactly which redirect URI must be configured on the Azure AD application.
- iOS
- Nothing needs to change at the app level for iOS, but make sure the Azure Authenticator app is on the device along with the Company Portal app. Otherwise ADAL redirects the app to the O365 login page and asks you to enroll; once you click Enroll it takes you to the Company Portal, which errors that the app is not set up in the Intune portal. No additional setup is required in the Azure Authenticator app.
- The redirect URI must still be configured on the Azure AD application:
- x-msauth-com-jda-internal-mytestapp://com.jda.internal.mytestapp
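To take the guesswork out of the two redirect URIs above, here is an added helper of my own (not the gist and not code from the ADAL or Intune projects). It derives the Android broker URI as msauth://<package>/<base64 SHA-1 of the DER signing certificate>, which is the value the post shows for com.jda.internal.mytestapp, and the iOS URI from the x-msauth-<bundle id with dots as hyphens>://<bundle id> pattern the post shows. Assumptions: keytool from the JDK is on PATH, the keystore path, alias and password are placeholders, and whether Azure AD wants the trailing "=" raw (as in the post) or as %3D is something you confirm against what ADAL prints in the JS console.

```python
"""Added example: compute Intune/ADAL broker redirect URIs. Not part of the
original post; keystore details below are placeholders."""
import base64
import hashlib
import os
import subprocess
import urllib.parse

PACKAGE = "com.jda.internal.mytestapp"


def signature_hash(cert_der: bytes) -> str:
    """Base64 of SHA-1 over the DER signing certificate, the same bytes that
    `keytool -exportcert ... | openssl sha1 -binary | openssl base64` prints."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def android_redirect_uri(package: str, cert_der: bytes, url_encode: bool = False) -> str:
    """msauth://<package>/<signature hash>. The post registers the hash with a raw
    trailing '='; url_encode=True gives the %3D form (assumption: use whichever
    one ADAL reports in the JS console)."""
    sig = signature_hash(cert_der)
    if url_encode:
        sig = urllib.parse.quote(sig, safe="")
    return f"msauth://{package}/{sig}"


def ios_redirect_uri(bundle_id: str) -> str:
    """x-msauth-<bundle id with '.' replaced by '-'>://<bundle id>."""
    return f"x-msauth-{bundle_id.replace('.', '-')}://{bundle_id}"


def export_signing_cert(keystore: str, alias: str, storepass: str) -> bytes:
    """Dump the signing certificate in DER form with keytool (default output
    format when -rfc is not given). This is the only step touching your keystore."""
    return subprocess.run(
        ["keytool", "-exportcert", "-alias", alias, "-keystore", keystore,
         "-storepass", storepass],
        check=True, capture_output=True).stdout


def matches_configured(configured: str, package: str, cert_der: bytes) -> bool:
    """True if the URI registered in Azure AD equals the computed one in either
    encoding; use this before blaming the broker for a login loop."""
    expected = {android_redirect_uri(package, cert_der),
                android_redirect_uri(package, cert_der, url_encode=True)}
    return configured in expected


if __name__ == "__main__":
    keystore = os.environ.get("KEYSTORE", "release.keystore")  # placeholder path
    if os.path.exists(keystore):
        cert = export_signing_cert(keystore, "release", "changeit")  # placeholder alias/password
    else:
        cert = b"constructed-cert-bytes-for-demo"  # stands in for a real DER certificate
    print(android_redirect_uri(PACKAGE, cert))
    print(android_redirect_uri(PACKAGE, cert, url_encode=True))
    print(ios_redirect_uri(PACKAGE))
```

Run it against the same keystore you use for the release APK; a debug keystore produces a different hash, which is a common reason the URI in Azure AD stops matching once you switch to a signed build.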
Reader comment, quoting the Gradle gotcha above ("Don't update gradle from 2.2.1 to 2.14.1. It ran me into multiple issues. Refer to https://developer.android.com/studio/releases/gradle-plugin.html#updating-gradle for more details."):
When we updated to Android Studio 3.0.1 it automatically updated Gradle. I also faced issues while building the app.
After decoding the error I found the solution. It looks pretty simple; we can try this in the build.gradle file in Android Studio.
buildscript {
    dependencies {
        // compile fileTree(dir: 'libs', include: '*.jar')
        classpath 'com.android.tools.build:gradle:3.0.1'
    }
}

// ADDED THESE LINES: pin support-v4 for every module so the plugins stop
// pulling in different versions of the library
allprojects {
    configurations.all {
        resolutionStrategy {
            force 'com.android.support:support-v4:27.1.0'
        }
    }
}