Commit e4de9a8

Merge pull request #217205 from MicrosoftDocs/main
Publish to live, Friday 4 AM PST 11/04
2 parents 38a5980 + 2c6e86b commit e4de9a8

152 files changed

+2609
-1084
lines changed


.openpublishing.redirection.azure-productivity.json

Lines changed: 6 additions & 1 deletion
@@ -29,6 +29,11 @@
2929
"source_path_from_root": "/articles/devtest-labs/scripts/set-allowed-vm-sizes-in-lab.md",
3030
"redirect_url": "/azure/devtest-labs/samples-powershell",
3131
"redirect_document_id": false
32-
}
32+
},
33+
{
34+
"source_path": "articles/dev-box/tutorial-connect-to-dev-box-with-remote-desktop-app.md",
35+
"redirect_url": "/azure/dev-box/quickstart-connect-to-dev-box-with-remote-desktop-app",
36+
"redirect_document_id": false
37+
}
3338
]
3439
}
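Review bot: the new entry at lines 34+ to 37+ uses the key `source_path` ("articles/dev-box/...") while the neighbouring entry at line 29 uses `source_path_from_root` with a leading slash ("/articles/devtest-labs/..."); if the redirection tooling treats these keys differently, the dev-box redirect will silently not resolve. Suggest matching the existing convention, e.g. `"source_path_from_root": "/articles/dev-box/tutorial-connect-to-dev-box-with-remote-desktop-app.md"`, unless both forms are known to be accepted by the publishing pipeline.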

articles/active-directory/develop/msal-ios-shared-devices.md

Lines changed: 94 additions & 43 deletions
@@ -9,20 +9,20 @@ ms.service: active-directory
99
ms.subservice: develop
1010
ms.topic: conceptual
1111
ms.workload: identity
12-
ms.date: 03/31/2020
12+
ms.date: 11/03/2022
1313
ms.author: brandwe
1414
ms.reviewer: brandwe
1515
ms.custom: aaddev
1616
---
1717

1818
# Shared device mode for iOS devices
1919

20-
>[!IMPORTANT]
20+
> [!IMPORTANT]
2121
> This feature [!INCLUDE [PREVIEW BOILERPLATE](../../../includes/active-directory-develop-preview.md)]
2222
2323
Frontline workers such as retail associates, flight crew members, and field service workers often use a shared mobile device to perform their work. These shared devices can present security risks if your users share their passwords or PINs, intentionally or not, to access customer and business data on the shared device.
2424

25-
Shared device mode allows you to configure an iOS 13 or higher device to be more easily and securely shared by employees. Employees can sign in and access customer information quickly. When they're finished with their shift or task, they can sign out of the device and it's immediately ready for use by the next employee.
25+
Shared device mode allows you to configure an iOS 13 or higher device to be more easily and securely shared by employees. Employees can sign in and access customer information quickly. When they're finished with their shift or task, they can sign out of the device, and it's immediately ready for use by the next employee.
2626

2727
Shared device mode also provides Microsoft identity-backed management of the device.
2828

@@ -32,13 +32,13 @@ This feature uses the [Microsoft Authenticator app](https://support.microsoft.co
3232

3333
To create a shared device mode app, developers and cloud device admins work together:
3434

35-
1. **Application developers** write a single-account app (multiple-account apps are not supported in shared device mode) and write code to handle things like shared device sign-out.
35+
1. **Application developers** write a single-account app (multiple-account apps aren't supported in shared device mode) and write code to handle things like shared device sign-out.
3636

3737
1. **Device administrators** prepare the device to be shared by using a mobile device management (MDM) provider like Microsoft Intune to manage the devices in their organization. The MDM pushes the Microsoft Authenticator app to the devices and turns on "Shared Mode" for each device through a profile update to the device. This Shared Mode setting is what changes the behavior of the supported apps on the device. This configuration from the MDM provider sets the shared device mode for the device and enables the [Microsoft Enterprise SSO plug-in for Apple devices](apple-sso-plugin.md) which is required for shared device mode.
3838

3939
1. [**Required during Public Preview only**] A user with [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator) role must then launch the [Microsoft Authenticator app](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) and join their device to the organization.
4040

41-
To configure the membership of your organizational roles in the Azure portal: **Azure Active Directory** > **Roles and Administrators** > **Cloud Device Administrator**
41+
To configure the membership of your organizational roles in the Azure portal: **Azure Active Directory** > **Roles and Administrators** > **Cloud Device Administrator**
4242

4343
The following sections help you update your application to support shared device mode.
4444

@@ -51,40 +51,40 @@ Your device needs to be configured to support shared device mode. It must have i
5151

5252
1. In the Intune Configuration Portal, tell the device to enable the [Microsoft Enterprise SSO plug-in for Apple devices](apple-sso-plugin.md) with the following configuration:
5353

54-
- **Type**: Redirect
55-
- **Extension ID**: com.microsoft.azureauthenticator.ssoextension
56-
- **Team ID**: (this field is not needed for iOS)
57-
- **URLs**:
58-
- `https://login.microsoftonline.com`
59-
- `https://login.microsoft.com`
60-
- `https://sts.windows.net`
61-
- `https://login.partner.microsoftonline.cn`
62-
- `https://login.chinacloudapi.cn`
63-
- `https://login.microsoftonline.de`
64-
- `https://login.microsoftonline.us`
65-
- `https://login.usgovcloudapi.net`
66-
- `https://login-us.microsoftonline.com`
67-
- **Additional Data to configure**:
68-
- Key: sharedDeviceMode
69-
- Type: Boolean
70-
- Value: true
71-
72-
For more information about configuring with Intune, see the [Intune configuration documentation](/intune/configuration/ios-device-features-settings).
54+
- **Type**: Redirect
55+
- **Extension ID**: com.microsoft.azureauthenticator.ssoextension
56+
- **Team ID**: (this field isn't needed for iOS)
57+
- **URLs**:
58+
- `https://login.microsoftonline.com`
59+
- `https://login.microsoft.com`
60+
- `https://sts.windows.net`
61+
- `https://login.partner.microsoftonline.cn`
62+
- `https://login.chinacloudapi.cn`
63+
- `https://login.microsoftonline.de`
64+
- `https://login.microsoftonline.us`
65+
- `https://login.usgovcloudapi.net`
66+
- `https://login-us.microsoftonline.com`
67+
- **Additional Data to configure**:
68+
- Key: sharedDeviceMode
69+
- Type: Boolean
70+
- Value: true
71+
72+
For more information about configuring with Intune, see the [Intune configuration documentation](/intune/configuration/ios-device-features-settings).
7373

7474
1. Next, configure your MDM to push the Microsoft Authenticator app to your device through an MDM profile.
7575

76-
Set the following configuration options to turn on Shared Device mode:
76+
Set the following configuration options to turn on Shared Device mode:
7777

78-
- Configuration 1:
79-
- Key: sharedDeviceMode
80-
- Type: Boolean
81-
- Value: true
78+
- Configuration 1:
79+
- Key: sharedDeviceMode
80+
- Type: Boolean
81+
- Value: true
8282

8383
## Modify your iOS application to support shared device mode
8484

8585
Your users depend on you to ensure their data isn't leaked to another user. The following sections provide helpful signals to indicate to your application that a change has occurred and should be handled.
8686

87-
You are responsible for checking the state of the user on the device every time your app is used, and then clearing the previous user's data. This includes if it is reloaded from the background in multi-tasking.
87+
You're responsible for checking the state of the user on the device every time your app is used, and then clearing the previous user's data. This includes if it's reloaded from the background in multi-tasking.
8888

8989
On a user change, you should ensure both the previous user's data is cleared and that any cached data being displayed in your application is removed. We highly recommend you and your company conduct a security review process after updating your app to support shared device mode.
9090

@@ -128,7 +128,7 @@ application.getDeviceInformation(with: nil, completionBlock: { (deviceInformatio
128128
129129
### Get the signed-in user and determine if a user has changed on the device
130130
131-
Another important part of supporting shared device mode is determining the state of the user on the device and clearing application data if a user has changed or if there is no user at all on the device. You are responsible for ensuring data isn't leaked to another user.
131+
Another important part of supporting shared device mode is determining the state of the user on the device and clearing application data if a user has changed or if there's no user at all on the device. You're responsible for ensuring data isn't leaked to another user.
132132
133133
You can use `getCurrentAccountWithParameters:completionBlock:` API to query the currently signed-in account on the device.
134134
@@ -175,31 +175,27 @@ parameters.loginHint = self.loginHintTextField.text;
175175

176176
### Globally sign out a user
177177

178-
The following code removes the signed-in account and clears cached tokens from not only the app, but also from the device that's in shared device mode. It does not, however, clear the *data* from your application. You must clear the data from your application, as well as clear any cached data your application may be displaying to the user.
179-
180-
#### Clear browser state
181-
182-
> [!NOTE]
183-
> The following step is required only during public preview.
184-
185-
In this public preview version, the [Microsoft Enterprise SSO plug-in for Apple devices](apple-sso-plugin.md) clears state only for applications. It does not clear state on the Safari browser. We recommend you manually clear browser session to ensure no traces of user state are left behind. You can use the optional `signoutFromBrowser` property shown below to clear any cookies. This will cause the browser to briefly launch on the device.
178+
The following code removes the signed-in account and clears cached tokens from not only the app, but also from the device that's in shared device mode. It doesn't, however, clear the _data_ from your application. You must clear the data from your application, as well as clear any cached data your application may be displaying to the user.
186179

187180
#### Swift
188181

189182
```swift
190183
let account = .... /* account retrieved above */
191184

192185
let signoutParameters = MSALSignoutParameters(webviewParameters: self.webViewParamaters!)
193-
signoutParameters.signoutFromBrowser = true // Only needed for Public Preview.
186+
signoutParameters.signoutFromBrowser = true // To trigger a browser signout in Safari.
194187

195188
application.signout(with: account, signoutParameters: signoutParameters, completionBlock: {(success, error) in
196-
197189
if let error = error {
190+
198191
// Signout failed
192+
199193
return
194+
200195
}
201196

202197
// Sign out completed successfully
198+
203199
})
204200
```
205201

@@ -209,22 +205,77 @@ application.signout(with: account, signoutParameters: signoutParameters, complet
209205
MSALAccount *account = ... /* account retrieved above */;
210206

211207
MSALSignoutParameters *signoutParameters = [[MSALSignoutParameters alloc] initWithWebviewParameters:webViewParameters];
212-
signoutParameters.signoutFromBrowser = YES; // Only needed for Public Preview.
208+
209+
signoutParameters.signoutFromBrowser = YES; // To trigger a browser signout in Safari.
213210

214211
[application signoutWithAccount:account signoutParameters:signoutParameters completionBlock:^(BOOL success, NSError * _Nullable error)
212+
215213
{
214+
216215
if (!success)
216+
217217
{
218+
218219
// Signout failed
220+
219221
return;
222+
220223
}
221224

222225
// Sign out completed successfully
226+
223227
}];
224228
```
225229
230+
The [Microsoft Enterprise SSO plug-in for Apple devices](apple-sso-plugin.md) clears state only for applications. It doesn't clear state on the Safari browser. You can use the optional signoutFromBrowser property shown in code snippets above to trigger a browser signout in Safari. This will cause the browser to briefly launch on the device.
231+
232+
### Receive broadcast to detect global sign out initiated from other applications
233+
234+
To receive the account change broadcast, you'll need to register a broadcast receiver. When an account change broadcast is received, immediately [get the signed in user and determine if a user has changed on the device](#get-the-signed-in-user-and-determine-if-a-user-has-changed-on-the-device). If a change is detected, initiate data cleanup for previously signed-in account. It's recommended to properly stop any operations and do data cleanup.
235+
236+
The following code snippet shows how you could register a broadcast receiver.
237+
238+
```objectivec
239+
NSString *const MSID_SHARED_MODE_CURRENT_ACCOUNT_CHANGED_NOTIFICATION_KEY = @"SHARED_MODE_CURRENT_ACCOUNT_CHANGED";
240+
241+
- (void) registerDarwinNotificationListener 
242+
243+
{ 
244+
245+
   CFNotificationCenterRef center =
246+
247+
CFNotificationCenterGetDarwinNotifyCenter(); 
248+
249+
   CFNotificationCenterAddObserver(center, nil,
250+
251+
sharedModeAccountChangedCallback,
252+
253+
(CFStringRef)MSID_SHARED_MODE_CURRENT_ACCOUNT_CHANGED_NOTIFICATION_KEY, 
254+
255+
nil, CFNotificationSuspensionBehaviorDeliverImmediately); 
256+
257+
} 
258+
259+
// CFNotificationCallbacks used specifically for Darwin notifications leave userInfo unused 
260+
261+
void sharedModeAccountChangedCallback(CFNotificationCenterRef center, void * observer, CFStringRef name, void const * object, __unused CFDictionaryRef userInfo) 
262+
263+
{ 
264+
265+
    // Invoke account cleanup logic here 
266+
267+
} 
268+
```
269+
270+
For more information about the available options for CFNotificationAddObserver or to see the corresponding method signatures in Swift, see:
271+
272+
- [CFNotificationAddObserver](https://developer.apple.com/documentation/corefoundation/1543316-cfnotificationcenteraddobserver?language=objc)
273+
- [CFNotificationCallback](https://developer.apple.com/documentation/corefoundation/cfnotificationcallback?language=objc)
274+
275+
For iOS, your app will require a background permission to remain active in the background and listen to Darwin notifications. The background capability must be added to support a different background operation – your app may be subject to rejection from the Apple App Store if it has a background capability only to listen for Darwin notifications. If your app is already configured to complete background operations, you can add the listener as part of that operation. For more information about iOS background capabilities, see [Configuring background execution modes](https://developer.apple.com/documentation/xcode/configuring-background-execution-modes)
276+
226277
## Next steps
227278

228279
To see shared device mode in action, the following code sample on GitHub includes an example of running a frontline worker app on an iOS device in shared device mode:
229280

230-
[MSAL iOS Swift Microsoft Graph API Sample](https://github.com/Azure-Samples/ms-identity-mobile-apple-swift-objc)
281+
[MSAL iOS Swift Microsoft Graph API Sample](https://github.com/Azure-Samples/ms-identity-mobile-apple-swift-objc)
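Review bot: the Objective-C snippet at lines 238-268 will not compile as written: under ARC the cast `(CFStringRef)MSID_SHARED_MODE_CURRENT_ACCOUNT_CHANGED_NOTIFICATION_KEY` at line 253 needs `(__bridge CFStringRef)`, and `sharedModeAccountChangedCallback` is referenced at line 251 before it is declared at line 261, so it needs a forward declaration (or move the function above the method). The link text at lines 270 and 272 says `CFNotificationAddObserver`, but the function called and the linked URL are `CFNotificationCenterAddObserver`. Since the callback receives no userInfo (comment at line 259), it should do what line 234 prescribes and re-query `getCurrentAccountWithParameters:completionBlock:` rather than assume an account change occurred; a comment to that effect at line 265 would help.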

articles/active-directory/develop/tutorial-v2-shared-device-mode.md

Lines changed: 51 additions & 25 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: develop
1010
ms.topic: tutorial
1111
ms.workload: identity
12-
ms.date: 1/15/2020
12+
ms.date: 11/03/2022
1313
ms.author: henrymbugua
1414
ms.reviewer: brandwe
1515
ms.custom: aaddev, identityplatformtop40
@@ -22,13 +22,14 @@ In this tutorial, Android developers and Azure Active Directory (Azure AD) tenan
2222
In this tutorial:
2323

2424
> [!div class="checklist"]
25-
> * Download a code sample
26-
> * Enable and detect shared-device mode
27-
> * Detect single or multiple account mode
28-
> * Detect a user switch, and enable global sign-in and sign-out
29-
> * Set up tenant and register the application in the Azure portal
30-
> * Set up an Android device in shared-device mode
31-
> * Run the sample app
25+
>
26+
> - Download a code sample
27+
> - Enable and detect shared-device mode
28+
> - Detect single or multiple account mode
29+
> - Detect a user switch, and enable global sign-in and sign-out
30+
> - Set up tenant and register the application in the Azure portal
31+
> - Set up an Android device in shared-device mode
32+
> - Run the sample app
3233
3334
## Prerequisites
3435

@@ -64,21 +65,21 @@ Here's an example of the auth_config.json file included in the **app**>**main**>
6465

6566
```json
6667
{
67-
"client_id":"Client ID after app registration at https://aka.ms/MobileAppReg",
68-
"authorization_user_agent":"DEFAULT",
69-
"redirect_uri":"Redirect URI after app registration at https://aka.ms/MobileAppReg",
70-
"account_mode":"SINGLE",
71-
"broker_redirect_uri_registered": true,
72-
"shared_device_mode_supported": true,
73-
"authorities":[
74-
{
75-
"type":"AAD",
76-
"audience":{
77-
"type": "AzureADandPersonalMicrosoftAccount",
78-
"tenant_id":"common"
79-
}
80-
}
81-
]
68+
"client_id": "Client ID after app registration at https://aka.ms/MobileAppReg",
69+
"authorization_user_agent": "DEFAULT",
70+
"redirect_uri": "Redirect URI after app registration at https://aka.ms/MobileAppReg",
71+
"account_mode": "SINGLE",
72+
"broker_redirect_uri_registered": true,
73+
"shared_device_mode_supported": true,
74+
"authorities": [
75+
{
76+
"type": "AAD",
77+
"audience": {
78+
"type": "AzureADandPersonalMicrosoftAccount",
79+
"tenant_id": "common"
80+
}
81+
}
82+
]
8283
}
8384
```
8485

@@ -88,7 +89,7 @@ Shared-device mode allows you to configure Android devices to be shared by multi
8889

8990
Use `isSharedDevice()` to determine if an app is running on a device that is in shared-device mode. Your app could use this flag to determine if it should modify UX accordingly.
9091

91-
Here's a code snippet that shows how you could use `isSharedDevice()`. It's from the `SingleAccountModeFragment` class in the sample app:
92+
Here's a code snippet that shows how you could use `isSharedDevice()`. It's from the `SingleAccountModeFragment` class in the sample app:
9293

9394
```Java
9495
deviceModeTextView.setText(mSingleAccountApp.isSharedDevice() ? "Shared" : "Non-Shared");
@@ -204,6 +205,31 @@ private void onSignOutClicked()
204205
}
205206
```
206207

208+
### Receive broadcast to detect global sign out initiated from other applications
209+
210+
To receive the account change broadcast, you'll need to register a broadcast receiver.  It’s recommended to register your broadcast receiver via the [Context-registered receivers](https://developer.android.com/guide/components/broadcasts#context-registered-receivers).
211+
212+
When an account change broadcast is received, immediately [get the signed in user and determine if a user has changed on the device](#get-the-signed-in-user-and-determine-if-a-user-has-changed-on-the-device). If a change is detected, initiate data cleanup for previously signed-in account. It is recommended to properly stop any operations and do data cleanup.
213+
214+
The following code snippet shows how you could register a broadcast receiver.
215+
216+
```java
217+
private static final String CURRENT_ACCOUNT_CHANGED_BROADCAST_IDENTIFIER = "com.microsoft.identity.client.sharedmode.CURRENT_ACCOUNT_CHANGED";
218+
private BroadcastReceiver mAccountChangedBroadcastReceiver;
219+
private void registerAccountChangeBroadcastReceiver(){
220+
    mAccountChangedBroadcastReceiver = new BroadcastReceiver() {
221+
        @Override
222+
        public void onReceive(Context context, Intent intent) {
223+
            //INVOKE YOUR PRIOR ACCOUNT CLEAN UP LOGIC HERE      
224+
        }
225+
    };
226+
    IntentFilter filter = new
227+
228+
IntentFilter(CURRENT_ACCOUNT_CHANGED_BROADCAST_IDENTIFIER);
229+
    this.registerReceiver(mAccountChangedBroadcastReceiver, filter);
230+
}
231+
```
232+
207233
## Administrator guide
208234
209235
The following steps describe setting up your application in the Azure portal and putting your device into shared-device mode.
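Review bot: `this.registerReceiver(mAccountChangedBroadcastReceiver, filter)` at line 229 is registered without a broadcast permission or export flag and is never unregistered; because the sender is a different app (Authenticator), the receiver has to be exported, so any app on the device can send `com.microsoft.identity.client.sharedmode.CURRENT_ACCOUNT_CHANGED`. Suggest a comment at line 223 that the broadcast is only a trigger and the account must be re-queried as line 212 says, plus an `unregisterReceiver` in the matching lifecycle callback. If this code lives in the fragment like the snippet at line 91, `this.registerReceiver` will not compile; a Fragment calls `requireContext().registerReceiver(...)`. The `new` / `IntentFilter(...)` split across lines 226-228 looks like a paste artifact and should be one line.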
@@ -257,7 +283,7 @@ The device is now in shared mode.
257283

258284
:::image type="content" source="media/tutorial-v2-shared-device-mode/shared-device-mode-screen.png" alt-text="App screen showing shared device mode enabled":::
259285

260-
Any sign-ins and sign-outs on the device will be global, meaning they apply to all apps that are integrated with MSAL and Microsoft Authenticator on the device. You can now deploy applications to the device that use shared-device mode features.
286+
Any sign-ins and sign-outs on the device will be global, meaning they apply to all apps that are integrated with MSAL and Microsoft Authenticator on the device. You can now deploy applications to the device that use shared-device mode features.
261287

262288
## View the shared device in the Azure portal
263289
