Merge pull request #109407 from mmacy/brandwe-shared-device-mode-109112

[MSAL] shared device mode + SSO plug-in

Author: megvanhuygen

.openpublishing.redirection.json

@@ -5110,6 +5110,11 @@
       "redirect_url": "/azure/active-directory/develop/msal-overview",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/active-directory/develop/shared-device-mode.md",
+      "redirect_url": "/azure/active-directory/develop/msal-android-shared-devices",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/azure-resource-manager/resource-group-authenticate-service-principal.md",
       "redirect_url": "/azure/active-directory/develop/howto-authenticate-service-principal-powershell",

articles/active-directory/develop/TOC.yml

@@ -223,8 +223,12 @@
         href: scenario-mobile-app-configuration.md
       - name: Mobile platforms specific config
         items:
+        - name: Microsoft Enterprise SSO plug-in for Apple devices
+          href: apple-sso-plugin.md
         - name: Shared device mode for Android devices
-          href: shared-device-mode.md
+          href: msal-android-shared-devices.md
+        - name: Shared device mode for iOS devices
+          href: msal-ios-shared-devices.md
         - name: Xamarin Android
           href: msal-net-xamarin-android-considerations.md
         - name: System browser on Android
@@ -312,6 +316,17 @@
       href: msal-handling-exceptions.md
     - name: Logging
       href: msal-logging.md
+    - name: Shared devices
+      items:
+      - name: Overview - shared devices
+        href: msal-shared-devices.md
+        displayName: shared device mode, firstline worker, frontline worker
+      - name: Shared device mode for iOS devices
+        href: msal-ios-shared-devices.md
+        displayName: firstline worker, frontline worker
+      - name: Shared device mode for Android devices
+        href: msal-android-shared-devices.md
+        displayName: firstline worker, frontline worker
     - name: Single sign-on
       displayName: SSO
       items:

articles/active-directory/develop/apple-sso-plugin.md

@@ -0,0 +1,79 @@
+---
+title: Microsoft Enterprise SSO plug-in for Apple devices
+titleSuffix: Microsoft identity platform | Azure
+description: Learn about Microsoft's Azure Active Directory SSO plug-in for iOS and macOS devices.
+services: active-directory
+author: brandwe
+manager: CelesteDG
+
+ms.service: active-directory
+ms.subservice: develop
+ms.topic: conceptual
+ms.workload: identity
+ms.date: 03/31/2020
+ms.author: brandwe
+ms.reviewer: brandwe
+ms.custom: aaddev
+---
+
+# Microsoft Enterprise SSO plug-in for Apple devices (Preview)
+
+> [!NOTE]
+> This feature is in public preview.
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+The *Microsoft Enterprise SSO plug-in for Apple devices* provides single sign-on (SSO) for Active Directory accounts across all applications that support Apple's [Enterprise Single Sign-On](https://developer.apple.com/documentation/authenticationservices) feature. Microsoft worked closely with Apple to develop this plug-in to increase your application's usability while providing the best protection that Apple and Microsoft can provide.
+
+In this Public Preview release, the Enterprise SSO plug-in is available only for iOS devices and is distributed in certain Microsoft applications.
+
+Our first use of the Enterprise SSO plug-in is with our new [shared device mode](msal-ios-shared-devices.md) feature.
+
+## Features
+
+The Microsoft Enterprise SSO plug-in for Apple devices offers the following benefits:
+
+- Provides SSO for Active Directory accounts across all applications that support Apple's Enterprise Single Sign-On feature.
+- Delivered automatically in the Microsoft Authenticator and can be enabled by any mobile device management (MDM) solution.
+
+## Requirements
+
+To use Microsoft Enterprise SSO plug-in for Apple devices:
+
+- iOS 13.0 or higher must be installed on the device.
+- A Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple devices must be installed on the device. For Public Preview, these applications include the [Microsoft Authenticator app](../user-help/user-help-auth-app-overview.md).
+- Device must be MDM-enrolled (for example, with Microsoft Intune).
+- Configuration must be pushed to the device to enable the Microsoft Enterprise SSO plug-in for Apple devices on the device. This security constraint is required by Apple.
+
+## Enable the SSO extension with mobile device management (MDM)
+
+To enable the Microsoft Enterprise SSO plug-in for Apple devices, your devices need to be sent a signal through an MDM service. Since Microsoft includes the Enterprise SSO plug-in in the [Microsoft Authenticator app](..//user-help/user-help-auth-app-overview.md), use your MDM to configure the app to enable the Microsoft Enterprise SSO plug-in.
+
+Use the following parameters to configure the Microsoft Enterprise SSO plug-in for Apple devices:
+
+- **Type**: Redirect
+- **Extension ID**: `com.microsoft.azureauthenticator.ssoextension`
+- **Team ID**: `SGGM6D27TK`
+- **URLs**:
+  - `https://login.microsoftonline.com`
+  - `https://login.windows.net`
+  - `https://login.microsoft.com`
+  - `https://sts.windows.net`
+  - `https://login.partner.microsoftonline.cn`
+  - `https://login.chinacloudapi.cn`
+  - `https://login.microsoftonline.de`
+  - `https://login.microsoftonline.us`
+  - `https://login.usgovcloudapi.net`
+  - `https://login-us.microsoftonline.com`
+
+You can use Microsoft Intune as your MDM service to ease configuration of the Microsoft Enterprise SSO plug-in. For more information, see the [Intune configuration documentation](https://docs.microsoft.com/intune/configuration/ios-device-features-settings).
+
+## Using the SSO extension in your application
+
+The [Microsoft Authentication Library (MSAL) for Apple devices](https://github.com/AzureAD/microsoft-authentication-library-for-objc) version 1.1.0 and higher supports the Microsoft Enterprise SSO plug-in for Apple devices.
+
+If you'd like to support shared device mode provided by the Microsoft Enterprise SSO plug-in for Apple devices, ensure your applications use the specified minimum required version of MSAL.
+
+## Next steps
+
+For more information about shared device mode on iOS, see [Shared device mode for iOS devices](msal-ios-shared-devices.md).

articles/active-directory/develop/shared-device-mode.md renamed to articles/active-directory/develop/msal-android-shared-devices.md

@@ -1,20 +1,19 @@
 ---
-title: Shared device mode for Android devices | Azure
-description: Learn about shared device mode, which allows firstline workers to share an Android device 
+title: Shared device mode for Android devices
+titleSuffix: Microsoft identity platform | Azure
+description: Learn how to enable shared device mode to allow Firstline Workers to share an Android device
 services: active-directory
-documentationcenter: dev-center-name
 author: mmacy
 manager: CelesteDG
+
 ms.service: active-directory
 ms.subservice: develop
-ms.devlang: na
 ms.topic: conceptual
-ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 1/15/2020
+ms.date: 03/31/2020
 ms.author: marsma
-ms.reviwer: hahamil
-ms.custom: aaddev, identityplatformtop40
+ms.reviewer: hahamil
+ms.custom: aaddev, identitypla | Azuretformtop40
 ---
 
 # Shared device mode for Android devices
@@ -24,7 +23,7 @@ ms.custom: aaddev, identityplatformtop40
 > This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
 > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
-Firstline workers, such as retail associates, flight crew members, and field service workers, often use a shared mobile device to do their work. That becomes problematic when they start sharing passwords or pin numbers to access customer and business data on the shared device.
+Firstline Workers such as retail associates, flight crew members, and field service workers often use a shared mobile device to do their work. That becomes problematic when they start sharing passwords or pin numbers to access customer and business data on the shared device.
 
 Shared device mode allows you to configure an Android device so that it can be easily shared by multiple employees. Employees can sign in and access customer information quickly. When they are finished with their shift or task, they can sign out of the device and it will be immediately ready for the next employee to use.
 
@@ -33,14 +32,14 @@ Shared device mode also provides Microsoft identity backed management of the dev
 To create a shared device mode app, developers and cloud device admins work together:
 
 - Developers write a single-account app (multiple-account apps are not supported in shared device mode), add `"shared_device_mode_supported": true` to the app's configuration, and write code to handle things like shared device sign-out.
-- Device admins prepare the device to be shared by installing the authenticator app, and setting the device to shared mode using the authenticator app. Only users who are in the [Cloud Device Administrator](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#cloud-device-administrator) role can put a device into shared mode by using the [Authenticator app](https://docs.microsoft.com/azure/active-directory/user-help/user-help-auth-app-overview). You can configure the membership of your organizational roles in the Azure portal via:
+- Device admins prepare the device to be shared by installing the authenticator app, and setting the device to shared mode using the authenticator app. Only users who are in the [Cloud Device Administrator](../users-groups-roles/directory-assign-admin-roles.md#cloud-device-administrator-permissions) role can put a device into shared mode by using the [Authenticator app](../user-help/user-help-auth-app-overview.md). You can configure the membership of your organizational roles in the Azure portal via:
 **Azure Active Directory** > **Roles and Administrators** > **Cloud Device Administrator**.
 
  This article focuses primarily what developers should think about.
 
 ## Single vs multiple-account applications
 
-Applications written using the Microsoft Authentication Library SDK (MSAL) can manage a single account or multiple accounts. For details, see [single-account mode or multiple-account mode](https://docs.microsoft.com/azure/active-directory/develop/single-multi-account). Microsoft identity platform features available to your app vary depending on whether the application is running in single-account mode or multiple-account mode.
+Applications written using the Microsoft Authentication Library SDK (MSAL) can manage a single account or multiple accounts. For details, see [single-account mode or multiple-account mode](single-multi-account.md). Microsoft identity platform features available to your app vary depending on whether the application is running in single-account mode or multiple-account mode.
 
 **Shared device mode apps only work in single-account mode**.
 
@@ -55,7 +54,7 @@ Your app can be built to support running on both personal devices and shared dev
 
 You may also want your app to change its behavior depending on the type of device it is running on. Use `ISingleAccountPublicClientApplication.isSharedDevice()` to determine when to run in single-account mode.
 
-There are two different interfaces that represent the type of device your application is on. When you request an application instance from MSAL’s application factory, the correct  application object is provided automatically.
+There are two different interfaces that represent the type of device your application is on. When you request an application instance from MSAL's application factory, the correct  application object is provided automatically.
 
 The following object model illustrates the type of object you may receive and what it means in the context of a shared device: