Unable to enroll another account after the previous account is signed out of Company Portal #479

Open
MAgungHKM opened this issue Oct 17, 2024 · 7 comments
MAgungHKM commented Oct 17, 2024

Describe the bug:
Unable to proceed to our App after the user signed in to Company Portal using another account. It seems that the Intune SDK is trying to enroll using the previous account email, and we need to click on the "sign in with another account" option. But after signing in using the current account, it shows an error; refer to the screenshot below.

Both accounts are able to use the App on a fresh device.

Uninstalling the app doesn't help to fix this at all. The previous account seems to be cached from the Keychain, which means the only way to clear it is to factory reset the device.

We have tried to implement data wipe logic during the App's first launch after install. But the Intune SDK runs first, before our code, so that doesn't work either.

To Reproduce
Steps to reproduce the behavior:

  1. Setup Company Portal with Account ABC
  2. Install the App from Company Portal
  3. Open the App and enroll Account ABC
  4. Sign out Account ABC from Company Portal
  5. Setup Company Portal with Account XYZ
  6. Open the App and try to enroll Account XYZ

Expected behavior:
Able to replace the enrolled account. At least clear the cached account on uninstall or using a switch in the Settings App similar to the Intune wrapping tool.

Screenshots and logs:
Screenshot 2024-10-17 at 3 21 26 PM

Smartphone (please complete the following information):

  • Device: iPhone 13 Pro
  • OS: iOS 17.6.1

Intune App SDK for iOS (please complete the following information):

  • What version of the Intune SDK are you using? Are you using the latest version? Latest

  • What platform is your app based in (native, Xamarin based, Cordova, etc)? Native

  • For errors during build, does the app build without Intune SDK integration? No

  • For errors post build, does the app launch without being Intune SDK integrated? No

  • Who is the customer? Our user

  • Do you see a trend with it only being reproduced on a specific device? Happens on all devices

@kanishkaBagga kanishkaBagga self-assigned this Oct 17, 2024
@kanishkaBagga

@MAgungHKM
Cause of this error -
Intune detects the user attempted to sign in with a second work or school account that is different from the MAM enrolled account for the device. Only one work or school account can be managed by MAM at a time per device.

Remediation -
Have the user sign in with the account whose username is pre-populated by the sign-in screen. You may need to configure the user UPN setting for Intune.

Or, have the user sign in with the new work or school account and remove the existing MAM enrolled account.

@MAgungHKM

MAgungHKM commented Oct 24, 2024

Hi @kanishkaBagga,
I don't think the user can sign in with the previous pre-populated email account, because there will be a case where they lost their access to that account.

For your second suggestion, how do you remove the existing MAM enrolled account (without resetting the device)? They've tried to sign in with the new account but were met with the screenshot that I was referring to in my first post.

@MAgungHKM

Hi @kanishkaBagga, any update on this?
And is it possible to bring these settings from Intune Wrapping Tool to Intune SDK?
Screenshot 2024-10-17 at 3 21 26 PM

@kanishkaBagga

@MAgungHKM - Selective wipe - When the app is selectively wiped, the SDK will call the wipeDataForAccountId method in IntuneMAMPolicyDelegate. The app is responsible for removing the specified user's account and any data associated with it. The SDK is capable of removing all files owned by the user and will do so if the app returns FALSE from the wipeDataForAccountId call.

Please refer - https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-phase5

@MAgungHKM

@kanishkaBagga We have tried to implement the selective wipe logic, but since Intune Auto-Enrollment runs first before our selective wipe code, this method wouldn't work either.

@kanishkaBagga

kanishkaBagga commented Nov 20, 2024

@MAgungHKM - are you using the AutoEnrollOnLaunch option? https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-phase3#let-intune-handle-authentication-and-enrollment-at-launch
If yes: applications with IntuneMAMSettings AutoEnrollOnLaunch=YES can enroll on next launch with a different account by setting IntuneAutoUnenrollEnabled=YES in NSUserDefaults. - https://github.com/microsoftconnect/ms-intune-app-sdk-ios/releases/tag/19.7.0
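
The two mechanisms named in this thread (the `wipeDataForAccountId` selective-wipe callback and the `IntuneAutoUnenrollEnabled` default) wired together, as an added example that is not code from the thread's participants or from the SDK. The class name `AppWipeDelegate`, the helper `ConfigureIntune`, the `account.<id>.` preference prefix and the keychain layout are assumptions made for illustration.

```objective-c
@import Foundation;
@import Security;
@import IntuneMAMSwift; // assumed module name of the Intune App SDK framework

// Hypothetical delegate class; what it wipes reflects an assumed storage layout.
@interface AppWipeDelegate : NSObject <IntuneMAMPolicyDelegate>
@end

@implementation AppWipeDelegate

// Called by the SDK when the app is selectively wiped for accountId.
- (BOOL)wipeDataForAccountId:(NSString *)accountId {
    // Delete the app's own keychain items for this account. Assumes they were
    // stored as generic passwords with kSecAttrAccount set to accountId.
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrAccount: accountId,
    };
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)query);
    if (status != errSecSuccess && status != errSecItemNotFound) {
        // Log the status only; never log the secret or the full query.
        NSLog(@"Keychain wipe for managed account failed: %d", (int)status);
    }

    // Remove per-account preferences (hypothetical "account.<id>." key prefix).
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    NSString *prefix = [NSString stringWithFormat:@"account.%@.", accountId];
    for (NSString *key in defaults.dictionaryRepresentation.allKeys) {
        if ([key hasPrefix:prefix]) {
            [defaults removeObjectForKey:key];
        }
    }

    // Returning NO (FALSE) lets the SDK remove the files owned by the user.
    return NO;
}

@end

// Hypothetical setup helper, e.g. called from application:didFinishLaunchingWithOptions:.
// The caller keeps `delegate` alive for the lifetime of the app.
static void ConfigureIntune(AppWipeDelegate *delegate) {
    // Applies to apps with IntuneMAMSettings AutoEnrollOnLaunch=YES (SDK 19.7.0
    // release note). The value persists, so it is in place on the next launch.
    [[NSUserDefaults standardUserDefaults] setBool:YES
                                            forKey:@"IntuneAutoUnenrollEnabled"];
    [IntuneMAMPolicyManager instance].delegate = delegate;
}
```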

@MAgungHKM

Okay noted, we'll try it first, thanks @kanishkaBagga!
