IBM Support

Microsoft ADAL to MSAL Migration for Android

Preventive Service Planning


Abstract

Android Version 7.50 of MaaS360 Mail and MaaS360 Docs (Beta Late June 2021, GA Early July 2021)

Starting with MaaS360 Android version 7.50, support for the new Microsoft Authentication Library (MSAL) will replace the Active Directory Authentication Library (ADAL). This will provide a more secure and enhanced single sign-on experience with Exchange Online, SharePoint, and OneDrive services from the MaaS360 Mail App.

In order to enable authentication to Office 365 services (Exchange Online, OneDrive for Business) from the MaaS360 App (Mail, Docs) after users upgrade to the 7.50 version, changes to the Azure AD App Registration are required.

Content

For reference, the original ADAL configuration guide can be found at https://www.ibm.com/docs/en/maas360?topic=authentication-registering-maas360-app-in-azure-ad-tenant

MaaS360 Azure AD App Registration URI Changes

Note:

  • The following changes to the App Registration for the App Client ID referenced in the Persona Policy are required; otherwise, access to Exchange Online, OneDrive, and SharePoint will stop working for users who use the Android 7.50 MaaS360 Mail app to access these services.
  • These changes need to be made before users upgrade to the Android MaaS360 Mail App Version 7.50.
  • When the MaaS360 for Android app upgrades to version 7.50, users might need to enter their corporate credentials manually to complete the migration (if prompted).

The App Registration being used to support Modern Auth can be found by looking at the App Client ID in the Persona Policy.


1. Log in to the Azure AD console and locate and select the appropriate application in Azure AD under Azure Active Directory/App Registrations/All Applications.


2. Select Redirect URIs and scroll to the Android platform section. The URI "com.fiberlink.maas360.android.control" with a signature hash of "CmEXJHMZd6jmCFu2ZnAknF3r4VA=" should have been previously configured.
3. Use the Add URI workflow and add the following URIs to the list:

   Package Name                                  Signature hash
   com.fiberlink.maas360.android.pim             CmEXJHMZd6jmCFu2ZnAknF3r4VA=
   com.fiberlink.maas360.android.docs            CmEXJHMZd6jmCFu2ZnAknF3r4VA=
   com.fiberlink.maas360.android.secureviewer    CmEXJHMZd6jmCFu2ZnAknF3r4VA=
   com.fiberlink.maas360.android.secureeditor    CmEXJHMZd6jmCFu2ZnAknF3r4VA=

4. Save the modified App Registration.

The result should be similar to the following:

[Screenshot: the App Registration's Android platform section after the URIs above have been added]

If the redirect URIs are not configured in the Azure portal, MaaS360 will display the following screen when users open any of the first party apps: Secure Mail, Docs, Secure Viewer, or Secure Editor.

[Screenshot: the MaaS360 error screen shown when the redirect URIs are missing]
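To verify an App Registration before the 7.50 upgrade deadline, the following added example (not part of the IBM article or the MaaS360 product) builds the msauth:// redirect URIs that the Azure portal generates for the Android platform entries above and reports which ones are missing from a registration's redirect URI list. It assumes the Microsoft MSAL Android redirect URI format msauth://<package>/<URL-encoded signature hash>, and that the list is exported with the Azure CLI (az ad app show) or Microsoft Graph from publicClient.redirectUris; the registered list below is constructed sample data.

```python
import base64
import hashlib
from urllib.parse import quote

# Signature hash published in the article for all MaaS360 Android apps.
MAAS360_SIGNATURE_HASH = "CmEXJHMZd6jmCFu2ZnAknF3r4VA="

# Packages the article requires: the control package from the ADAL setup
# plus the four new entries for the 7.50 Mail/Docs apps.
MAAS360_PACKAGES = [
    "com.fiberlink.maas360.android.control",
    "com.fiberlink.maas360.android.pim",
    "com.fiberlink.maas360.android.docs",
    "com.fiberlink.maas360.android.secureviewer",
    "com.fiberlink.maas360.android.secureeditor",
]


def signature_hash(der_cert: bytes) -> str:
    """base64(SHA-1(DER signing certificate)): the value the portal's Android
    platform form calls 'Signature hash' (same as keytool | openssl sha1 | base64)."""
    return base64.b64encode(hashlib.sha1(der_cert).digest()).decode("ascii")


def msal_redirect_uri(package: str, sig_hash: str) -> str:
    """Redirect URI the portal derives from a package name and signature hash
    (assumed MSAL Android format; '=' in the hash is percent-encoded)."""
    return f"msauth://{package}/{quote(sig_hash, safe='')}"


def required_redirect_uris() -> list[str]:
    return [msal_redirect_uri(p, MAAS360_SIGNATURE_HASH) for p in MAAS360_PACKAGES]


def missing_redirect_uris(registered: list[str]) -> list[str]:
    """Required msauth:// URIs absent from the registration's redirect URI list
    (assumed to come from publicClient.redirectUris via az ad app show / Graph)."""
    have = set(registered)
    return [u for u in required_redirect_uris() if u not in have]


if __name__ == "__main__":
    # Constructed sample: only the original ADAL-era control entry exists.
    registered = [msal_redirect_uri(MAAS360_PACKAGES[0], MAAS360_SIGNATURE_HASH)]
    for uri in missing_redirect_uris(registered):
        print("MISSING:", uri)
```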

Changes Required to Support MSAL Migration

When the MaaS360 for Android app upgrades to 7.50, users will need to enter their corporate credentials manually to complete the migration (if prompted). For this purpose, MSAL requires a native Browser or Google Chrome installed on the Android devices to allow re-authentication to Microsoft services. If the use of browsers is restricted, administrators must deploy the Microsoft Authenticator app from the App Catalog and enable the use of the Microsoft Authenticator app for re-authentication from the Persona policies.

Note:

  • The Microsoft Authenticator app is supported only on Android devices running OS version 6 or later.
  • Applies only to MaaS360 for Android app version 7.50 or later. The flag Office365AuthenticatorAppAllowed must be added to the policies only when all devices have upgraded to version 7.50 as it can cause issues in earlier versions.

Follow these steps to enable the use of the Microsoft Authenticator app for re-authentication:

  1. Go to Security > Policies and then open a Persona policy.
  2. Navigate to WorkPlace > Security > Configure Other Settings > Advanced Configuration Details.
  3. Add the following key and value:

   Key                               Value
   Office365AuthenticatorAppAllowed  Yes


For the browser-based approach, administrators must ensure that:

  • JavaScript and Browser Cookies are not disabled for the Native Browser in the Android MDM policy for the re-authentication to work on the Samsung devices that are enrolled in the Device Admin mode.
    • Path: MDM Policy > Advance Settings > Browser Restrictions
      • Allow Javascript > Yes
      • Accept Cookies > Yes
  • Google Chrome and Native Browser are not disabled through Android MDM policies.
    • MDM Policy > Device Settings > Native App Compliance > Allow Browser > Yes
    • MDM Policy > Android Enterprise Settings > App Compliance > Allow Google Chrome / Samsung Browser > Yes

The following steps are required to support Certificate Based Authentication after users upgrade to MaaS360 for Android app version 7.50.


Document Information

Modified date:
20 August 2021

UID

ibm16459929