Authenticate to Microsoft Apps on iOS Devices

NOTE: This topic applies to iOS devices. To configure authentication to Microsoft apps on Android devices, see this topic.

Imprivata Mobile Access Management integrates with Microsoft in several ways to streamline sign in and out:

  • Two-tap sign-in: eliminate dozens of key presses at the start of each shift, skip realm discovery, seed the users’ email addresses, and autofill passwords

  • Automatic sign-out: Cleanly close all apps supporting the Microsoft Authentication Library (MSAL) and shared device mode

These benefits save significant time for your workers each day, increase mobile adoption, and remove private data once it is no longer needed. As a secondary benefit, password management allows your organization to increase password complexity, and therefore security, without creating an additional burden on your staff.

Requirements

There are strict requirements, which may limit when this feature may be used:

  • Microsoft’s apps must be aware of Microsoft’s Shared Device Mode.

    • Supported apps:

      • Microsoft Teams (in public preview)

      • Microsoft Power BI Mobile (in public preview)

      • Microsoft Edge browser (in public preview)

      NOTE:

      At the time of writing, some of these apps are part of Microsoft's public preview, and will launch for general availability in the future. See your Microsoft documentation for more information.

  • Devices must be in Microsoft’s "shared device mode," which typically requires touching each device to authenticate once as an Azure admin user. If you use Microsoft Intune, the process is streamlined significantly; however, you will need to erase and re-provision each device.

Expected Behavior

  1. On device check out, users will see the standard white Check Out screen with their name. However, this screen now includes a blue button to continue to sign into Microsoft’s authentication system.

  2. Users may swipe up to skip Microsoft authentication, in which case they will be prompted when opening their first Microsoft app. If they do tap the button, they will be presented with a standard Microsoft authentication screen, with your organization’s branding.

  3. Note that Mobile Access Management has already added the user’s UPN (email address) so the system skips this initial screen and routes directly to password entry. Users may then use Mobile Access Management’s Password AutoFill to enter their password with a single tap.

    TIP:

    Use Azure Conditional Access to disable MFA for shared devices.

  4. Users then open the Microsoft Teams app to complete the sign-in to Teams. Teams will not recognize the sign-in until the app has been opened once; when opened, it does not prompt for a login.

  5. When the device is returned to the Launchpad, Mobile Access Management automatically signs out of Teams and the Microsoft authentication system with no prompt and no action required by the user.

There are several tasks required to set up this behavior.

Microsoft’s Shared Device Mode

Unlike most apps, Microsoft uses device-wide authentication, saving an authentication token (for iPhones, this is to the iPhone’s keychain). This way, a single sign-in can be shared among multiple apps. Similarly, a single sign-out should cause all apps in the group to be signed out. But Microsoft’s authentication system is generally optimized for 1:1 mobile devices.

To modify these behaviors for shared use, Microsoft has introduced what it calls shared device mode. Microsoft’s shared device mode modifies the Microsoft sign-in workflow to be more suitable for shared devices. In addition, apps can be built to be aware of Microsoft’s shared device mode, and can modify their behavior to be optimized for shared device workflows.

Microsoft Intune Only - Create a DEP Profile for Shared Mode

You may streamline Microsoft Shared Device Mode if you use a preview feature of Microsoft Intune. Microsoft has built streamlined enrollment as a specialized iOS enrollment profile.

This is available only for DEP devices.

  1. Open Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > (token name) > Profiles. Create a new profile for iOS/iPadOS.

  2. Enter a name for the profile, such as “Shared Mode.” If you are using the preview, you will see the User Affinity option of Enroll with Microsoft Entra shared mode.

  3. You must also set Sync with computers to Allow Apple Configurator by certificate and upload your Mobile Access Management supervision identity here.

    Remember to rename the supervision identity from ".crt" to ".cer".

  4. Assign your shared iOS devices to this new enrollment profile. Then erase and re-provision your devices. Intune pushes the required configuration to the Authenticator app to enable shared device mode.

    TIP:

    In Devices > Filters, create a filter based on device.enrollmentProfileName to easily assign configurations to your shared devices. Intune filters are more efficient than device groups for enrollment-time configurations. You may then use this filter below to assign:

    • The Authenticator app

    • The shared mode configuration for Authenticator

    • The Enterprise SSO profile

    • Other configurations specific to shared devices

Install and Configure Microsoft Authenticator

Microsoft requires its Authenticator app to be installed to enable shared device mode.

  • For iOS devices, "purchase" the app (for free) using Apple Business Manager and distribute it to all your shared devices.

Non-Intune - Authorize Microsoft Authenticator

NOTE:

Skip this task if you use Microsoft Intune as your MDM.

  1. Open the Authenticator app on each device. Authenticator prompts you to set up Shared Device Mode and will request an Organization email and password. These credentials must be for a user with Azure Cloud Device administrator privileges.

  2. You must enter these credentials once, on every device, but the registration persists until you erase the device. This is an important step that cannot be automated at this time.

Create the Enterprise SSO Profile

For all MDMs, you must create and deploy a specialized configuration profile to enable in-app authentication. This profile intercepts the standard Microsoft authentication workflow, and substitutes an authentication extension embedded in the Microsoft Authenticator app. This step is required for the shared device SSO experience.

Enable Azure for Mobile Access Management Integration

In Azure, create an App Registration to allow Mobile Access Management API access.

NOTE:

If you have already integrated Intune with Mobile Access Management, you may reuse the app you previously created. Just be sure to add the permission User.Read to the app.

  1. Log into your Azure tenant at portal.azure.com.

  2. Search for the service App registrations.

  3. Create a new registration.

  4. Name the application “GroundControl API Access” or something similar.

  5. Select the most limited account type.

  6. In the Redirect URI box, type msauth.com.imprivata.b2b.locker://auth.

  7. Click OK to create the application.

  8. In the vertical navigation bar, select API permissions.

  9. Select the Microsoft Graph API.

  10. Select Delegated permissions.

  11. Add permissions for: User.Read.

  12. Click Add Permissions.

  13. Now that you have created the application, you need to grant permissions to it. At the top of the permission list is an action Grant admin consent for <company name>.

  14. Consent to allow the application to access your Azure AD registered devices.

  15. In the vertical navigation bar, click Overview.

  16. Copy both the Application (client) ID and the Directory (tenant) ID to a safe place.

    You will use these in the next task.

Configure Imprivata Locker iOS

Add a Locker Custom Option with the Azure keys for Imprivata Locker iOS.

  1. In MAM’s admin console, navigate to Admin > Check Out > Locker Custom Options, click Configure.

  2. In the Locker Custom Options field, enter the Azure key/value pairs in JSON format and click Save.

    JSON syntax

    "AzureClientID": "<yourAzureApplicationID>",
    "AzureTenantID": "<yourAzureDirectoryID>",
    "AzureGraphEndpoint": "https://graph.microsoft.com/",
    "AzurePrimaryDomain": "<yourDomain>",
    "AzureSignInEnabled": true,
    "AzureSignOutDelay": 10,
    "AzureSignOutEnabled": true

    where

    • <yourAzureApplicationID> is the Azure application ID you recorded in the previous step

    • <yourAzureDirectoryID> is the Azure directory ID you recorded in the previous step

    • <yourDomain> is the Azure domain to append to all usernames to create the UPN.

      NOTE:

      Beginning in Mobile Access Management 6.4, by default, the Imprivata Locker app automatically populates the user's email address from Imprivata Enterprise Access Management (formerly Imprivata OneSign) and Password Autofill populates the password.

      Alternatively, you can define a custom email string by defining the key AzurePrimaryDomain; this key will override the user's email address retrieved from EAM.

    Example

    "AzureClientID": "9999999-abcd-1234-1111111",
    "AzureTenantID": "8888888-2222-3333-5555",
    "AzureGraphEndpoint": "https://graph.microsoft.com/",
    "AzurePrimaryDomain": "mydomain.onmicrosoft.com",
    "AzureSignInEnabled": true,
    "AzureSignOutDelay": 10,
    "AzureSignOutEnabled": true
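Before pasting a Locker Custom Options fragment into the console, it is worth checking that it parses and that each key carries the type this page documents. The following is an added example, not Imprivata's code; it assumes the field holds bare key/value pairs (so it wraps them in braces to parse them) and uses the page's placeholder IDs as constructed sample input.

```python
import json

# Constructed sample of a Locker Custom Options fragment, using the page's
# placeholder IDs (not real tenant values); the console field holds bare pairs.
SAMPLE_FRAGMENT = '''
"AzureClientID": "9999999-abcd-1234-1111111",
"AzureTenantID": "8888888-2222-3333-5555",
"AzureGraphEndpoint": "https://graph.microsoft.com/",
"AzurePrimaryDomain": "mydomain.onmicrosoft.com",
"AzureSignInEnabled": true,
"AzureSignOutDelay": 10,
"AzureSignOutEnabled": true
'''

# Expected JSON type of each key documented on this page.
EXPECTED_TYPES = {
    "AzureClientID": str, "AzureTenantID": str,
    "AzureGraphEndpoint": str, "AzurePrimaryDomain": str,
    "AzureSignInEnabled": bool, "AzureSignOutDelay": int,
    "AzureSignOutEnabled": bool,
}

def parse_fragment(fragment):
    """Wrap the bare key/value pairs in braces and parse them as one JSON object."""
    return json.loads("{" + fragment.strip().rstrip(",") + "}")

def validate_locker_options(opts):
    """Return a list of problems; an empty list means the options are consistent."""
    errors = []
    for key, expected in EXPECTED_TYPES.items():
        if key not in opts:
            errors.append(f"missing key {key}")
            continue
        value = opts[key]
        # bool is a subclass of int, so reject true/false where a number is expected
        if (expected is int and isinstance(value, bool)) or not isinstance(value, expected):
            errors.append(f"{key} should be {expected.__name__}, got {type(value).__name__}")
    endpoint = opts.get("AzureGraphEndpoint")
    if isinstance(endpoint, str) and not endpoint.startswith("https://"):
        errors.append("AzureGraphEndpoint must use https")
    domain = opts.get("AzurePrimaryDomain")
    if isinstance(domain, str) and ("@" in domain or "." not in domain):
        errors.append("AzurePrimaryDomain must be a bare DNS domain, not an address")
    return errors

def build_upn(username, opts):
    """Form the UPN as the page describes: username, '@', then AzurePrimaryDomain."""
    return f"{username}@{opts['AzurePrimaryDomain']}"
```

Run `validate_locker_options(parse_fragment(SAMPLE_FRAGMENT))` on your own fragment; an empty list means it is ready to paste, and `build_upn` shows the address the Locker app will seed for a given username.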