Apple Device Workplace Join & Broker Authentication

iOS Microsoft 1st Party App Auth Flow

1. The 1st party application uses MSAL (Microsoft Authentication Library) to acquire a token.

2. The request is directed to ESTS (Microsoft Security Token Service) for authentication.

3. The user account and the application identity are verified against MSODS (Microsoft Online Directory Service).

*For steps 2 and 3, from the user's perspective this is simply the process of signing in and obtaining a token.

4. Once the user account and application verification is done, ESTS further redirects to ADRS (Azure Device Registration Service) and returns the necessary OAuth tokens (access, ID, or refresh token).

5. Because Apple restricts keychain storage for security reasons, the validated token is stored in a shared keychain.

How does the shared keychain facilitate Single Sign-On (SSO)?

As mentioned above, all app tokens are stored in the shared keychain. Additionally, apps from the same developer (e.g. Microsoft) can share the tokens stored in that keychain.

1. Can the user check the keychain?

On iOS, the user has no way to inspect it. Reinstalling the app on iOS also does not remove the keychain items; they can only be deleted from within the application's own UX.

*This post, Clearing the Mobile Edge Browser User Account Cache – Ruian's Tech Troubleshooting Toolbox (ruianding.com), illustrates a scenario where an existing token cannot be cleared even after deleting all the 1st party apps. The solution is to run the cache cleaning from the application UX itself.

On Mac, the user can inspect it.
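The behaviour described above (a token cached in a keychain access group that survives app reinstall and is readable by sibling apps from the same team, but only removable by the app itself) comes down to a handful of Keychain Services calls. The following is an added illustration, not code from the original post or from MSAL; the access group `TEAMID.com.example.shared-tokens`, the service name, the `SharedTokenStore` type and the sample token value are all assumptions constructed for this example.

```swift
import Foundation
import Security

/// Minimal token store backed by a keychain access group shared by apps
/// from the same development team (hypothetical example, not MSAL's code).
struct SharedTokenStore {
    // Assumed values. "TEAMID" stands for the real Team ID; the group must
    // also be listed in each app's keychain-access-groups entitlement, or
    // the Security framework rejects the item with errSecMissingEntitlement.
    let accessGroup = "TEAMID.com.example.shared-tokens"
    let service = "com.example.sso.refresh-token"

    /// Attributes that identify one item for a given account.
    private func baseQuery(account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecAttrAccessGroup as String: accessGroup,
        ]
    }

    /// Store (or overwrite) the token. The accessibility class keeps the item
    /// on this device only and unreadable until the first unlock after boot.
    func save(token: String, account: String) -> OSStatus {
        var item = baseQuery(account: account)
        item[kSecValueData as String] = Data(token.utf8)
        item[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        // Remove any previous copy so SecItemAdd does not fail with errSecDuplicateItem.
        _ = SecItemDelete(baseQuery(account: account) as CFDictionary)
        return SecItemAdd(item as CFDictionary, nil)
    }

    /// Read the token. A second app in the same access group succeeds here
    /// with no interactive sign-in: this is the SSO behaviour the post describes.
    func read(account: String) -> String? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else { return nil }
        return String(decoding: data, as: UTF8.self)
    }

    /// Remove the token. Deleting or reinstalling the app does not do this;
    /// only an explicit call like this one (e.g. from a sign-out or
    /// "clear cache" action in the app's own UX) clears the cached credential.
    func delete(account: String) -> OSStatus {
        return SecItemDelete(baseQuery(account: account) as CFDictionary)
    }
}

// Example use with constructed sample values (not a real token or account).
let store = SharedTokenStore()
let status = store.save(token: "sample-refresh-token", account: "user@example.com")
if status == errSecSuccess {
    print("cached:", store.read(account: "user@example.com") ?? "<none>")
    print("cleared:", store.delete(account: "user@example.com") == errSecSuccess)
} else {
    print("keychain write failed with OSStatus", status)
}
```

Two points for a defender follow directly from the code: the sharing boundary is the access group (team-prefixed), so anything the team ships can read the item, and nothing in the app lifecycle calls `delete`, which is why the troubleshooting post above has to fall back on the application's own cache-clearing UX.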

2. What types of keychains exist on Apple devices?

On iOS, there is only one type of keychain, the login keychain, aka iCloud.

On Mac, there are two types of keychains: the login keychain and the iOS-style keychain, aka the iCloud keychain and the Local Items keychain, respectively.

*Because there are two types of keychains on Mac, which one is used depends on the scenario: the workplace join experience uses the login keychain, while the 1st party MSAL sign-in scenario uses the iOS-style keychain.