ms-intune-app-sdk-ios
Loop between protection_policy_required error and remediateCompliance.
Describe the bug: MSAL returns protection_policy_required even after the policy has been successfully received and installed (the app is protected / compliant).
To Reproduce. Steps to reproduce the behavior:
1. Application uses MSAL to log in via applicationContext.acquireToken
2. User selects the account from Authenticator
3. protection_policy_required error is received
4. remediateCompliance with silent: false is called
5. Policy is installed
6. Intune SDK asks to restart the app
7. Open the application again
8. Application uses MSAL to log in via applicationContext.acquireToken
9. protection_policy_required error is received
10. ... loop continues
Expected behavior: MSAL should not return the "protection_policy_required" error after the policy was successfully installed when trying to get a token with applicationContext.acquireToken.
Screenshots and logs:

```text
DEBUG ➯ 2024-02-08T17:46:48.790Z ⇨ MSALAuthTokenService ⇨ getAuthToken(completion:) : 163 ⇨ getAuthToken(completion:): IntuneMAMComplianceManager remediateCompliance invoked.
ERROR ➯ 2024-02-08T17:52:28.173Z ⇨ IntuneManager ⇨ policyRequest(with:) : 78 ⇨ policyRequest status: Optional("The policy request was successful, no policies have changed.") code: 101 error: nil
ERROR ➯ 2024-02-08T17:52:28.190Z ⇨ IntuneManager ⇨ identity(:hasComplianceStatus:withErrorMessage:andErrorTitle:) : 32 ⇨ identity status: 0 title: Success / error message: Your app is protected.
DEBUG ➯ 2024-02-08T17:52:37.615Z ⇨ MSALAuthTokenService ⇨ getAuthToken(completion:) : 163 ⇨ getAuthToken(completion:): IntuneMAMComplianceManager remediateCompliance invoked.
ERROR ➯ 2024-02-08T17:52:48.757Z ⇨ IntuneManager ⇨ policyRequest(with:) : 78 ⇨ policyRequest status: Optional("The policy request was successful, no policies have changed.") code: 101 error: nil
ERROR ➯ 2024-02-08T17:52:48.770Z ⇨ IntuneManager ⇨ identity(:hasComplianceStatus:withErrorMessage:andErrorTitle:) : 32 ⇨ identity status: 0 title: Success / error message: Your app is protected.
```
Smartphone (please complete the following information):
- Device: iPhone 11
- OS: iOS 17
Intune App SDK for iOS (please complete the following information):
- What version of the Intune SDK are you using? Are you using the latest version? Intune SDK 19.9.1, it is the latest version.
- What platform is your app based in (native, Xamarin based, Cordova, etc)? Native
- Who is the customer?
- Do you see a trend with it only being reproduced on a specific device? Not a specific device, but it is happening only to some accounts.
Additional context: Only some users are experiencing this issue; we have not identified the difference in configuration.
I also wanted to share that after receiving the compliant status in the identity(:hasComplianceStatus:withErrorMessage:andErrorTitle:) function, I tried to get the token silently and got the following error:
```text
Error Domain=MSALErrorDomain Code=-50002 "(null)" UserInfo={MSALErrorDescriptionKey=User interaction is required, MSALOAuthErrorKey=invalid_grant, MSALOAuthSubErrorKey=basic_action, MSALCorrelationIDKey=6A24AD2B-1883-4191-8477-D33ECD831523, NSUnderlyingError=0x2835c99b0 {Error Domain=MSALErrorDomain Code=-50000 "(null)" UserInfo={MSALErrorDescriptionKey=AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'. Trace ID: ddd49855-0451-43fc-ae19-386890bdbe00 Correlation ID: 6a24ad2b-1883-4191-8477-d33ecd831523 Timestamp: 2024-02-08 19:38:20Z, MSALOAuthErrorKey=invalid_grant, MSALOAuthSubErrorKey=basic_action, MSALCorrelationIDKey=6A24AD2B-1883-4191-8477-D33ECD831523, MSALInternalErrorCodeKey=-42004}}}
```
Note 1: I'm able to log in perfectly fine on another device using the same account. Note 2: I'm only able to troubleshoot and debug with one account, so I'm not sure if the above is also happening with the other users that are experiencing the loop.
@JonathanFuentesF Could you attach MAM logs from the device that repros? You can access them with the IntuneMAMDiagnosticConsole API.
Hi @gastaffo, Diagnostics have been shared.
Let me know if you need more info.
Hi @JonathanFuentesF, in the logs I do not see the normal MSAL information, and there is also an error: "Failed to instantiate MSALPublicClientApplication. Error: The operation couldn't be completed. (MSALErrorDomain error -50000.)" Can you provide some details on how you integrate MSAL into the app? What is the MSAL version? Did you follow the procedure below? https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-phase2
When an app receives ERROR_SERVER_PROTECTION_POLICY_REQUIRED from ADAL, or MSALErrorServerProtectionPoliciesRequired from MSAL, it should call [[IntuneMAMComplianceManager instance] remediateComplianceForIdentity] to let Intune enroll the app and apply policy. From your description the app receives "protection_policy_required"; can you share the code where you handle the exception and remediate the compliance?
@JonathanFuentesF I also see in the logs: "Detected use of default redirect URI. The developer should specify a valid redirect URI value for key "ADALRedirectUri", under IntuneMAMSettings in this app's info.plist. See ADAL/MSAL documentation for more info on redirect URIs." You can follow the guide below: https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-phase2#configure-msal-settings-for-the-intune-app-sdk
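The remediation flow described in the comment above, written out end to end as an added example in Swift (this is not code from this thread, from the reporter's app, or from Microsoft's SDK samples). The Intune module name, client ID, redirect URI, scopes, and the TokenService/TokenError names are assumptions; the MSAL and Intune calls are the public APIs already referenced in the thread. It goes one step beyond the comment: remediation is bounded to one attempt per token request, so a second protection_policy_required after a successful remediation surfaces as an error instead of the loop reported here, and a post-remediation interactionRequired (how AADSTS50076 shows up through MSAL) falls back to an interactive request.

```swift
import UIKit
import MSAL
import IntuneMAMSwift   // assumed module name of the Intune App SDK for iOS

enum TokenError: Error { case noPresenter, notCompliant(String), remediationLoop, unknown }

/// Flow: MSAL error serverProtectionPoliciesRequired
///   -> IntuneMAMComplianceManager.remediateCompliance(forIdentity:silent:)
///   -> IntuneMAMComplianceDelegate callback
///   -> on .compliant retry (silent first, interactive on interactionRequired).
final class TokenService: NSObject, IntuneMAMComplianceDelegate {
    // Placeholder registration values (assumptions; replace with the app's own).
    private let clientId = "00000000-0000-0000-0000-000000000000"
    private let redirectUri = "msauth.com.example.app://auth"
    private let scopes = ["https://graph.microsoft.com/.default"]
    private let app: MSALPublicClientApplication
    private weak var presenter: UIViewController?
    private var pending: ((Result<String, Error>) -> Void)?
    private var remediatedThisRequest = false

    init(presenter: UIViewController) throws {
        let authority = try MSALAADAuthority(url: URL(string: "https://login.microsoftonline.com/common")!)
        let config = MSALPublicClientApplicationConfig(clientId: clientId, redirectUri: redirectUri, authority: authority)
        // "ProtApp" tells Entra ID this app enforces protection policy; without it the
        // service never sends protection_policy_required at all.
        config.clientApplicationCapabilities = ["ProtApp"]
        app = try MSALPublicClientApplication(configuration: config)
        self.presenter = presenter
        super.init()
        IntuneMAMComplianceManager.instance().delegate = self
    }

    /// Entry point for a fresh sign-in; resets the per-request remediation guard.
    func acquireToken(completion: @escaping (Result<String, Error>) -> Void) {
        remediatedThisRequest = false
        acquireInteractive(completion: completion)
    }

    private func acquireInteractive(completion: @escaping (Result<String, Error>) -> Void) {
        guard let presenter = presenter else { return completion(.failure(TokenError.noPresenter)) }
        let web = MSALWebviewParameters(authPresentationViewController: presenter)
        let params = MSALInteractiveTokenParameters(scopes: scopes, webviewParameters: web)
        app.acquireToken(with: params) { [weak self] result, error in
            if let result = result { return completion(.success(result.accessToken)) }
            self?.handle(error.map { $0 as NSError }, completion: completion)
        }
    }

    private func handle(_ error: NSError?, completion: @escaping (Result<String, Error>) -> Void) {
        guard let error = error, error.domain == MSALErrorDomain,
              error.code == MSALError.serverProtectionPoliciesRequired.rawValue,
              let upn = error.userInfo[MSALDisplayableUserIdKey] as? String else {
            return completion(.failure(error ?? TokenError.unknown))
        }
        // A second protection_policy_required after a successful remediation means the
        // service side still rejects the app: stop and report instead of re-enrolling forever.
        if remediatedThisRequest { return completion(.failure(TokenError.remediationLoop)) }
        remediatedThisRequest = true
        pending = completion   // the delegate callback finishes this request
        IntuneMAMComplianceManager.instance().remediateCompliance(forIdentity: upn, silent: false)
    }

    // MARK: - IntuneMAMComplianceDelegate
    func identity(_ identity: String, hasComplianceStatus status: IntuneMAMComplianceStatus,
                  withErrorMessage errMsg: String, andErrorTitle errTitle: String) {
        guard let completion = pending else { return }
        pending = nil
        guard status == .compliant else {
            return completion(.failure(TokenError.notCompliant("\(errTitle): \(errMsg)")))
        }
        retrySilently(for: identity, completion: completion)
    }

    private func retrySilently(for upn: String, completion: @escaping (Result<String, Error>) -> Void) {
        guard let account = try? app.account(forUsername: upn) else {
            return acquireInteractive(completion: completion)
        }
        let params = MSALSilentTokenParameters(scopes: scopes, account: account)
        app.acquireTokenSilent(with: params) { [weak self] result, error in
            if let result = result { return completion(.success(result.accessToken)) }
            let nsError = error.map { $0 as NSError }
            if nsError?.domain == MSALErrorDomain, nsError?.code == MSALError.interactionRequired.rawValue {
                // The cached grant no longer satisfies the tenant's requirements (e.g. MFA
                // now enforced, AADSTS50076): only an interactive round trip can fix that.
                self?.acquireInteractive(completion: completion)
            } else {
                completion(.failure(nsError ?? TokenError.unknown))
            }
        }
    }
}
```

Usage: `try TokenService(presenter: viewController).acquireToken { result in ... }`. The guard on `remediatedThisRequest` is the important design choice: Intune reporting "Your app is protected" followed by MSAL again demanding protection policy is a server-side or configuration inconsistency, and the client cannot fix it by enrolling again, so the request should fail with a diagnosable error rather than loop.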
Hi @wangxiaoms, thanks for reviewing the issue. We are following the documentation and using IntuneMAMComplianceManager to remediate; we have been using this for a couple of years without issues, and it actually still works for most of the users.
The reported issue is that there is a loop, and part of it is that I always receive ERROR_SERVER_PROTECTION_POLICY_REQUIRED even though the policy is installed, the user is able to see the "Policy installation" screen, and the app is even restarted by the Intune SDK. After that the app tries to get the token using applicationContext.acquireToken, but I receive the same ERROR_SERVER_PROTECTION_POLICY_REQUIRED error.
```swift
applicationContext.acquireToken(with: parameters) { msalResult, error in
    if let error = error {
        let msalError = error as NSError
        // Intune remediation case: sub-error "protection_policy_required" plus the UPN that MSAL attaches.
        // (The UPN check is part of the same condition so that a policy error without a UPN still
        // reaches the caller instead of silently dropping the completion.)
        if let errorKey = msalError.userInfo["MSALOAuthSubErrorKey"] as? String,
           errorKey.lowercased().elementsEqual("protection_policy_required"),
           let upn = msalError.userInfo["MSALDisplayableUserIdKey"] as? String {
            print("\(#function): IntuneMAMComplianceManager remediateCompliance invoked.", logLevel: .DEBUG)
            // The compliance delegate (IntuneManager) reports the remediation result through this handler.
            IntuneManager.shared.completionHandlerx = { (code, title, errorDescription) in
                completion(.failure(LoginError.intune(errorCode: code, internalErrorCode: nil, errorDescription: "\(title)\n\(errorDescription)")))
            }
            IntuneMAMComplianceManager.instance().remediateCompliance(forIdentity: upn, silent: false)
            return
        } else {
            // Any other MSAL error is reported to the caller as-is.
            print("\(#function): MSALOAuthSubErrorKey value is not equal to protection_policy_required.", logLevel: .ERROR)
            print("\(#function): Could not acquire token: \(error)", logLevel: .ERROR)
            let internalErrorCode = msalError.userInfo["MSALInternalErrorCodeKey"] as? Int
            let errorDescription = msalError.userInfo["MSALErrorDescriptionKey"] as? String
            completion(.failure(LoginError.intune(errorCode: msalError.code, internalErrorCode: internalErrorCode, errorDescription: errorDescription)))
            LogsManager.shared.log(error: "MSAL acquireToken error code: \(String(describing: internalErrorCode)), description: \(errorDescription ?? "")")
            return
        }
    }
    // Success path (msalResult) is not included in the post.
}
```
@wangxiaoms The redirect URI is set in code before trying to log in. NOTE: The same app version we have on the App Store works for most of the users.

```swift
IntuneMAMSettings.aadClientIdOverride = clientId
IntuneMAMSettings.aadRedirectUriOverride = redirectUri
IntuneMAMSettings.aadAuthorityUriOverride = authorityUri
let authority = try MSALAADAuthority(url: authorityURL)
let msalConfiguration = MSALPublicClientApplicationConfig(clientId: clientId, redirectUri: redirectUri, authority: authority)
msalConfiguration.clientApplicationCapabilities = ["ProtApp"]
self.applicationContext = try MSALPublicClientApplication(configuration: msalConfiguration)
```
@JonathanFuentesF What MSAL version are you using? From the logs I only see "Assuming an MSAL version 1.2.5 or higher is linked".
@wangxiaoms pod 'MSAL', '1.2.21'
@JonathanFuentesF We can connect to discuss and troubleshoot further; my email is [email protected]
@JonathanFuentesF I did not receive an email from you, so I am closing this because of inactivity. You can still reply to reopen it later.