
Steps to create config for MAM (Conditional access)

SameerK-MSFT edited this page Feb 15, 2022 · 22 revisions

This is a DRAFT. Please do not use.

Scenario

Consider a client app and a backend enterprise app. The user of the client app wants to access certain scopes defined in the backend enterprise app, and those scopes are accessible only when certain app protection policy and access conditions are met.
This article describes the steps to create the required configuration for this scenario.

Set up User and Group for testing

In Azure Active Directory:

  • Create a test user (e.g. XamTestuser@XamTester.onmicrosoft.com)
  • In the user's Licenses section, click Assignments
  • Select the following
    • Azure Active Directory Premium License
    • Enterprise Mobility + Security
    • Intune
    • Microsoft 365 Business Standard
      Note: the policies do not apply to guest users
  • Create a test group (e.g. MAM_Test_Users) and note the name of the group; it will need to be assigned at later stages
  • Add the user to the test group

Set up Enterprise App and Conditional Access policy

In Azure Active Directory:

  • In the Enterprise Applications section:
    1. Click New application
    2. Click Create your own application
    3. Select the "Register an application to integrate with Azure AD (App you're developing)" option
    4. After Create, it will take you to the Register an application screen (this navigates to another screen)
    5. Select Multitenant and click Register
    6. This will take you back to the screen in step 1
  • Navigate to Enterprise Applications
  • Select The application that you created
  • Assign user group created earlier
  • Click on Conditional Access
  • Click New policy. Here are the options to select
    • Users or workload identities -> Select the group that was created earlier
    • Cloud apps or actions -> Select the Enterprise app that was created
    • Conditions -> Select multiple options as follows
      • Device platforms -> Yes, and select iOS + Android
      • Client apps -> Yes, and select all the options
    • Grant -> Select "Require app protection policy"
    • At the bottom of the screen, set Enable policy to On
    • Create
  • Navigate to App registrations (Note: NOT Enterprise applications. The configuration has to be done in both places)
  • Select the app you created
  • Click on "Add an Application ID URI"
  • Click on Add a scope (e.g. Hello.World)
  • It will generate a GUID and an Application ID URI and ask you to create a scope
  • Note the URI of the scope. This is needed in the client application
  • Click on the API permissions section
    • If the permission created in the previous step is missing,
      • Click on Add a permission
        • Select the permission created in the earlier stage and click Add permission
      • Click Add a permission again
        • Select APIs my organization uses
        • Select Microsoft Mobile Application Management - DeviceManagementManagedApps.ReadWrite
        • Click Add permission
    • Grant admin consent

You are done with setting up the Enterprise App and Conditional Access policy.

Set up Client App

In Azure Active Directory:

  • In App registrations, create a new app and choose the Multi-tenant option
  • Add the platform redirect URI for iOS
  • In API permissions
    • Add permissions for the scope created in the Enterprise App
      • Click on Add a permission
      • Choose My APIs
      • Select the scope that was added in the Enterprise App (i.e. Hello.World)
    • Click Add a permission again
      • Select APIs my organization uses
      • Select Microsoft Mobile Application Management - DeviceManagementManagedApps.ReadWrite
      • Click Add permission
    • Select "Grant admin consent for <tenant name>" (even if the Admin consent required column shows No)

You are done with setting up the Client App.

Build the Client iOS App

  • Build a skeleton app.
  • Make sure that the iOS app has Xamarin.Intune.MAM.SDK.iOS packaged with it.
  • To set up the app protection policy, you need to build the client app with the corresponding client ID (from the client app registration above).
  • For iOS, build the .ipa file; it is uploaded to Intune in the next step.
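
As an added example (not code from the original page or from the MSAL.NET project), the token acquisition a Xamarin.iOS client built against this configuration needs: the client ID, tenant ID, bundle ID and App ID URI GUID are placeholders, the "protapp" client capability declares that the app can enforce app protection policy, and the `remediate` hook is a hypothetical wrapper around the Intune MAM SDK's compliance remediation that the caller supplies.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not the page's own code: a Xamarin.iOS client acquiring the
// Hello.World scope that sits behind the "Require app protection policy" grant.
// Every <...> value is a placeholder for the registrations created above.
public static class MamTokenClient
{
    const string ClientId = "<CLIENT_APP_ID_PLACEHOLDER>";   // client app registration
    const string TenantId = "<TENANT_ID_PLACEHOLDER>";
    // The scope URI noted after "Add a scope" on the enterprise app registration.
    static readonly string[] Scopes = { "api://<APP_ID_URI_GUID_PLACEHOLDER>/Hello.World" };

    static readonly IPublicClientApplication Pca = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
        .WithRedirectUri("msauth.<BUNDLE_ID_PLACEHOLDER>://auth") // iOS platform redirect URI
        .WithIosKeychainSecurityGroup("com.microsoft.adalcache")    // required for the broker
        .WithBroker()                                               // Authenticator / Company Portal
        // Declares that the app can enforce Intune app protection policy. Without it,
        // conditional access refuses the token instead of asking for remediation.
        .WithClientCapabilities(new[] { "protapp" })
        .Build();

    // remediate: caller-supplied hook (hypothetical) wrapping the Intune MAM SDK's
    // compliance remediation for the given UPN; it completes once policy is applied.
    public static async Task<string> AcquireAsync(Func<string, Task> remediate)
    {
        try
        {
            var account = (await Pca.GetAccountsAsync()).FirstOrDefault();
            return (await Pca.AcquireTokenSilent(Scopes, account).ExecuteAsync()).AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token; fall through to the interactive path.
        }

        try
        {
            return (await Pca.AcquireTokenInteractive(Scopes).ExecuteAsync()).AccessToken;
        }
        catch (IntuneAppProtectionPolicyRequiredException ex)
        {
            // Conditional access demanded app protection policy and the app is not yet
            // managed: remediate for the identity AAD returned, then retry once.
            await remediate(ex.Upn);
            return (await Pca.AcquireTokenInteractive(Scopes).ExecuteAsync()).AccessToken;
        }
    }
}
```

If the retry still throws, the policy has not reached the device yet; check the user's group membership and the Intune assignments from the later sections rather than looping on the request.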

Set up App in Intune

In Intune Portal:

  • Click on Apps -> iOS Apps section
  • Select Add
  • Select App Type as Line of Business App
  • Select the .ipa file that was built
  • You may need to add some data in the App information screen to go to the next screen, i.e. Assignments
  • In the Assignments screen, under Available for enrolled devices
    • Select Add all users
  • In the Assignments screen, under Available with or without enrollment
    • Select Add group
    • Select the group that was created for testing
  • Select Create -> This will create the Client App
    Congratulations, you have created the app in Intune

Set up App Protection Policy in Intune

In Intune Portal:

  • Click on Apps -> App protection policies -> Create policy -> iOS/MacOS
  • After the Basics screen, it will lead to the Apps screen
  • Apps screen -> Set Target policy to = Selected apps
  • Data protection screen -> You can select the options you want; I selected the following options
    • Send org data to other apps = Policy managed apps
    • Save copies of org data = Block
    • Left the other options at their defaults and clicked Next -> leads to the Access requirements screen
  • Access requirements screen -> Kept the defaults
  • Conditional launch -> Kept the defaults
  • Assignments -> Included groups -> Add the group you created
    This creates the App protection policy
