
Managed configuration enhancement pushed to Authenticator app to ignore/invalidate the authentication tokens that exist on re-install #1016

Open
smudireddy opened this issue Jul 24, 2020 · 10 comments
Comments

@smudireddy commented Jul 24, 2020

Requirement: In the MDM world the app will be removed from devices in certain cases, and the persisted auth context is expected to be removed along with it. The Authenticator app persists sign-in context data in the keychain, which exposes the sign-in context when the Authenticator app is re-installed; it allows the previous context to be used without forcing the auth. This behavior is fine from an SSO point of view, but from a security aspect it should be configurable on a corporate-owned device, where the Admin has removed the device control to clean all apps and data.

@smudireddy smudireddy changed the title Managed configuration enhancement pushed to Authenticator app to ignore/invalidate the authentication tokens exist Managed configuration enhancement pushed to Authenticator app to ignore/invalidate the authentication tokens exist on re-install Jul 24, 2020
@jasoncoolmax (Member)

Thank you for the suggestion. We will take a look at the request.

@jpsweet commented Dec 9, 2020

Now that the Apple Extensible SSO plug-in is available in MS Authenticator, this should be possible if the MS Authenticator plug-in signs out during MDM unenrollment or removal of the SSO payload. Apple leaves time for this cleanup work to occur, but the plug-in needs to handle the sign-out logic.

@aherciya aherciya self-assigned this Dec 15, 2020
@oldalton (Member)

@jpsweet, can you give a bit more information about how the SSO extension could detect an unenrollment event?

@jpsweet commented Dec 18, 2020

This Extensible SSO feature was covered in the WWDC 2020 session "Leverage enterprise identity and authentication" at https://developer.apple.com/wwdc20/10139. See the new-feature summary slide at the 8:20 mark. Note the last bullet, "Profile removal operation" support. This is also discussed further later in the session.

@oldalton (Member)

Awesome, thanks for pointing to it.

```swift
extension ASAuthorizationProviderAuthorizationOperation {

    /** @abstract Operation which is invoked when the extension configuration is removed from the system.
    */
    @available(iOS 14.0, *)
    public static let configurationRemoved: ASAuthorizationProviderAuthorizationOperation
}
```

@jpsweet commented Dec 18, 2020

Thanks Olga. Good to see you were able to locate it. Logout on unenroll would be a very helpful addition to the MS Authenticator SSO Extension.

@jpsweet commented Jul 3, 2021

Olga, thank you again for responding before.

Since the SSO extension is still in preview, I wanted to call out one additional property that was introduced alongside the MDM unenrollment timeout that would be helpful for enterprises using this Microsoft SDK and SSO Extension.

Apple also introduced a property "IsCallerManaged" which is helpful to determine which apps are actively managed by the MDM in iOS/iPadOS/macOS.

Today the Microsoft SSO Extension Preview only allows explicit app bundle IDs to be added to a manually curated list. This is also how Apple's Kerberos SSO extension used to work, but the IsCallerManaged property was added for both extension types so that enterprises could simply limit SSO to managed apps instead of having to maintain a manually curated list.

It would be great to see this feature also come to the Microsoft SDK and SSO extension.

See screenshot below of the feature referenced from the same WWDC overview session.

[Screenshot: slide from the WWDC 2020 session showing the IsCallerManaged property]
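The two mechanisms raised in this thread (the `configurationRemoved` operation that oldalton quoted above, and the `IsCallerManaged` property described in this comment) are both surfaced to an Extensible SSO request handler through `ASAuthorizationProviderExtensionAuthorizationRequest`. The following is an added example of how a handler can use them; it is illustrative code written for this thread and is not Microsoft's SSO extension or Apple's sample. It assumes a keychain access group named `ssoKeychainAccessGroup` (placeholder value) shared between the extension and its host app, and a simple generic-password item per caller bundle ID holding a cached `Authorization` header value; both are constructed for the example.

```swift
// Added example (not Microsoft's or Apple's code): an Extensible SSO request
// handler that (1) wipes its persisted sign-in context when MDM removes the
// SSO profile and (2) only serves SSO to apps the MDM actually manages.
import AuthenticationServices
import Security

// Assumed: keychain access group shared by the extension and host app.
// Placeholder value; the real one comes from the keychain-access-groups entitlement.
let ssoKeychainAccessGroup = "TEAMID.com.example.sso"

final class ExampleSSORequestHandler: NSObject,
    ASAuthorizationProviderExtensionAuthorizationRequestHandler {

    func beginAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) {
        // Profile removal / MDM unenrollment: the OS invokes this operation and
        // leaves time for cleanup, so this is where sign-out belongs.
        if #available(iOS 14.0, macOS 11.0, *),
           request.requestedOperation == .configurationRemoved {
            let clearedClasses = clearPersistedSignInContext()
            NSLog("SSO profile removed; cleared %d keychain item classes", clearedClasses)
            request.complete()
            return
        }

        // Gate SSO on management state rather than a hand-maintained bundle list.
        // Unmanaged callers are told to fall back to their own sign-in flow.
        if #available(iOS 14.0, macOS 11.0, *), !request.callerManaged {
            NSLog("Caller %@ is not MDM-managed; not handling", request.callerBundleIdentifier)
            request.doNotHandle()
            return
        }

        // Managed caller: answer from the cached context if one exists.
        guard let authHeader = loadCachedAuthorizationHeader(for: request.callerBundleIdentifier),
              let response = HTTPURLResponse(url: request.url, statusCode: 200,
                                             httpVersion: "HTTP/1.1",
                                             headerFields: ["Authorization": authHeader]) else {
            // Nothing cached for this app; let the app perform its own sign-in.
            request.doNotHandle()
            return
        }
        request.complete(httpResponse: response, httpBody: nil)
    }

    func cancelAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) {
        // Nothing is in flight in this example; acknowledge the cancellation.
        request.cancel()
    }
}

/// Deletes every item in the shared access group, one SecItemDelete per item
/// class. Returns how many classes actually had items to delete.
func clearPersistedSignInContext() -> Int {
    var cleared = 0
    for itemClass in [kSecClassGenericPassword, kSecClassInternetPassword,
                      kSecClassKey, kSecClassIdentity] {
        let query: [CFString: Any] = [
            kSecClass: itemClass,
            kSecAttrAccessGroup: ssoKeychainAccessGroup,
        ]
        // SecItemDelete removes all matching items in one call.
        if SecItemDelete(query as CFDictionary) == errSecSuccess {
            cleared += 1
        }
    }
    return cleared
}

/// Looks up a constructed generic-password item keyed by caller bundle ID and
/// returns its payload as the Authorization header value, if present.
func loadCachedAuthorizationHeader(for bundleID: String) -> String? {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrAccessGroup: ssoKeychainAccessGroup,
        kSecAttrService: "sso-auth-header",   // constructed service name
        kSecAttrAccount: bundleID,
        kSecReturnData: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let data = result as? Data,
          let header = String(data: data, encoding: .utf8) else {
        return nil
    }
    return header
}
```

The point of handling `.configurationRemoved` is that it is the only OS-provided signal tied to unenrollment; as brandwe notes further down, there is no equivalent signal for an app uninstall, so clearing on profile removal is the defensive hook an extension can actually act on. Checking `callerManaged` before the bundle-ID list turns "which apps get SSO" into a property the MDM controls, which is easier to audit than a curated list that can drift.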

@antrix1989 antrix1989 assigned brandwe and unassigned aherciya Jul 6, 2021
@antrix1989 (Contributor)

@brandwe please take a look at this feature request.

@brandwe (Contributor) commented Nov 20, 2023

I'll assign this to @iambmelt going forward. I find the fact that we get a signal when the device is unenrolled interesting, but the original ask was to delete the tokens when Authenticator is uninstalled, and I want to be clear that we get no signal from the OS when Authenticator is uninstalled and cannot clear the cache. This clearing is up to Apple.

@brandwe brandwe assigned iambmelt and unassigned brandwe Nov 20, 2023
@iambmelt (Contributor)

Tracking here (MSFT corpnet required).
