How To
Summary
MaaS360 provides single sign-on (SSO) access for Azure AD accounts using identity certificates.
Environment
- Supported only on iOS 13 or later.
- Requires MaaS360 for Android app version 7.40 or later and MaaS360 for iOS app version 4.20 or later.
- Supported only on MDM-enrolled devices. SPS-enrolled devices are not supported.
Steps
iOS
On iOS, MaaS360 uses the Microsoft Enterprise SSO plug-in to provide single sign-on (SSO) access for Azure AD accounts using identity certificates.
Admin setup
Deploying identity certificates to the device
Administrators must push identity certificates through the following path:
MDM policies > Advanced Settings > Certificates > Identity Certificates for Safari.
Deploying Microsoft Enterprise SSO plug-in
MaaS360 requires the Microsoft Enterprise SSO plug-in for device registration in certificate-based authentication. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin
Follow these steps to deploy the Microsoft Enterprise SSO plug-in:
- Download the Microsoft Enterprise SSO plug-in.
- Deploy the plug-in to the devices through MDM policies > Advanced Settings > Import MobileConfig.
Note: This feature is not available by default. Reach out to the MaaS360 Support team to get this feature enabled for your account.
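As an added check that is not part of this article or of MaaS360 or Microsoft tooling: before importing the downloaded plug-in profile through Import MobileConfig, confirm it carries an Extensible SSO payload for Microsoft's extension and lists only HTTPS redirect URLs, so that device authentication is not silently routed to an unexpected extension or host. The extension and team identifiers are the ones Microsoft publishes for the plug-in (verify them against the profile you download); the sample profile is constructed for this example.

```python
import plistlib

# Identifiers Microsoft documents for its Enterprise SSO plug-in on Apple
# platforms; confirm them against the profile you actually download.
EXPECTED_EXTENSION = "com.microsoft.azureauthenticator.ssoextension"
EXPECTED_TEAM = "UBF8T346G9"
SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"

def find_sso_payloads(profile_bytes):
    """Return every Extensible SSO payload in a .mobileconfig (plist) blob."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == SSO_PAYLOAD_TYPE]

def check_sso_profile(profile_bytes):
    """Return findings; an empty list means the profile is what we intend to push."""
    payloads = find_sso_payloads(profile_bytes)
    if not payloads:
        return ["no com.apple.extensiblesso payload found"]
    findings = []
    for p in payloads:
        if p.get("ExtensionIdentifier") != EXPECTED_EXTENSION:
            findings.append(f"unexpected ExtensionIdentifier: {p.get('ExtensionIdentifier')}")
        if p.get("TeamIdentifier") != EXPECTED_TEAM:
            findings.append(f"unexpected TeamIdentifier: {p.get('TeamIdentifier')}")
        if p.get("Type") != "Redirect":
            findings.append(f"unexpected Type: {p.get('Type')}")
        for url in p.get("URLs", []):  # hosts the extension will handle auth for
            if not url.startswith("https://"):
                findings.append(f"non-HTTPS URL in redirect list: {url}")
    return findings

# Constructed sample profile (not a real download) used to exercise the checks.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "example.sso.profile",
    "PayloadContent": [{
        "PayloadType": SSO_PAYLOAD_TYPE, "PayloadVersion": 1,
        "PayloadIdentifier": "example.sso.payload",
        "ExtensionIdentifier": EXPECTED_EXTENSION,
        "TeamIdentifier": EXPECTED_TEAM, "Type": "Redirect",
        "URLs": ["https://login.microsoftonline.com", "https://login.microsoft.com"],
    }],
}
def sample_profile_bytes(**overrides):
    """Serialize the sample, overriding SSO payload keys (e.g. to simulate a bad profile)."""
    profile = plistlib.loads(plistlib.dumps(SAMPLE_PROFILE))  # cheap deep copy
    profile["PayloadContent"][0].update(overrides)
    return plistlib.dumps(profile)
```

To check a real download, pass the file contents to `check_sso_profile()` instead of the constructed sample.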
User steps
- Ensure that the identity certificate and the Microsoft Enterprise SSO plug-in are installed on the device.
Known issues
- With the Microsoft Single Sign On extension, when the Microsoft Authenticator app is installed on the device, the MaaS360 for iOS app shows a blue splash screen whenever a user authentication token is requested through the extension by the MaaS360 for iOS app.
- End users cannot continue to access Office 365 services when Azure AD Conditional Access is enabled because of the following issues. Customers with an ADFS-based setup (certificate or password) may encounter these issues more often.
- Device registration to Azure AD fails if Azure AD does not provide the required information through the Microsoft Authenticator app to the MaaS360 for iOS app to update the compliance state.
- The MaaS360 for iOS app fails to receive a valid response from the Microsoft Authenticator app when Azure AD Conditional Access is enabled. Reference: https://github.com/AzureAD/microsoft-authentication-library-for-objc/issues/1156
- Intermittent token invalidation causes multiple authentication prompts to be shown in the MaaS360 for iOS app.
- Workaround: Whenever users encounter the above issues, they must sign out of the active session in the Microsoft Authenticator app, then reset and reconfigure services from the MaaS360 for iOS app.
Note: For all MSAL and Microsoft issues, the corresponding tickets have been created and reported to Microsoft.
Android
Admin setup
Deploying identity certificates to the device
Follow these steps to deploy an identity certificate:
- Navigate to Security > Policies and then open an Android MDM policy.
- Select Android Enterprise Settings > Certificates.
- Enable Configure Identity Certificates and then select an identity certificate.
- Select Grant KeyChain access to an application and then provide the application ID: com.azure.authenticator. This setting allows Profile Owner and Device Owner devices running OS version 11 or later to locate the identity certificate that is used for authentication.
Note: Device Admin and Android Enterprise (Profile Owner and Device Owner) devices running OS version 10 or earlier do not require this policy to locate the identity certificate.
User steps
Ensure that the identity certificate is installed on the device.
Document Location: Worldwide
Document Information
More support for: IBM MaaS360
Component: COMPLIANCE, POLICY, SETUP
Software version: All Version(s)
Operating system(s): Android, iOS
Document number: 6437393
Modified date: 29 March 2021
UID: ibm16437393