{"id":404,"date":"2023-06-28T16:11:41","date_gmt":"2023-06-28T08:11:41","guid":{"rendered":"https:\/\/www.ruianding.com\/blog\/?p=404"},"modified":"2023-08-31T01:51:25","modified_gmt":"2023-08-30T17:51:25","slug":"apple-device-workplace-join-broker-authentication","status":"publish","type":"post","link":"https:\/\/www.ruianding.com\/blog\/apple-device-workplace-join-broker-authentication\/","title":{"rendered":"Apple Device Workplace Join &#038; Broker Authentication"},"content":{"rendered":"\n<h2 class=\"wp-block-heading has-text-align-center has-pale-ocean-gradient-background has-background\">iOS Microsoft 1st Party App Auth Flow<\/h2>\n\n\n\n<p>1. The 1st party application uses MSAL to acquire a token.<\/p>\n\n\n\n<p>2. The request is directed to ESTS (Microsoft Security Token Service) for authentication.<\/p>\n\n\n\n<p>3. The user account and application identity are verified against MSODS (Microsoft Online Directory Service).<\/p>\n\n\n\n<p class=\"has-small-font-size\">*From the user perspective, steps 2 and 3 are simply the process of signing in and obtaining a token.<\/p>\n\n\n\n<p>4. Once the user account and application have been verified, ESTS redirects to ADRS (Azure Device Registration Service) and returns the necessary OAuth tokens (access, ID, or refresh token).<\/p>\n\n\n\n<p>5. For security reasons, Apple restricts keychain storage. The validated tokens are therefore stored in a <strong>shared keychain<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-center has-pale-ocean-gradient-background has-background\">How does the shared keychain facilitate Single Sign-On (SSO)?<\/h2>\n\n\n\n<p>As mentioned above, all app tokens are stored in the shared keychain. Apps from the same developer (e.g. Microsoft) can share the tokens stored in that keychain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Can the user check the keychain?<\/h3>\n\n\n\n<p>On iOS, the user has no way to inspect it. <strong>However, reinstalling the app on iOS does not clear the keychain<\/strong>. It can only be cleared from within the application UX.<\/p>\n\n\n\n<p class=\"has-small-font-size\">*This post <a href=\"https:\/\/www.ruianding.com\/blog\/clearing-the-mobile-edge-browser-user-account-cache\/\">Clearing the Mobile Edge Browser User Account Cache \u2013 Ruian&#8217;s Tech Troubleshooting Toolbox (ruianding.com)<\/a> illustrates a scenario where an existing token cannot be cleared even after deleting all the 1st party apps. The solution is to run the cache clearing from within the application UX itself.<\/p>\n\n\n\n<p>On Mac, the user can inspect it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. What types of keychains are there on Apple devices?<\/h3>\n\n\n\n<p>On iOS there is only one type of keychain, the <strong>login keychain<\/strong>, aka the iCloud keychain.<\/p>\n\n\n\n<p>On Mac there are two types of keychains, the <strong>login keychain<\/strong> and the <strong>iOS-style keychain<\/strong>, aka the iCloud keychain and the Local Items keychain, respectively.<\/p>\n\n\n\n<p class=\"has-small-font-size\">*Because there are two types of keychains on Mac: in the workplace join experience the login keychain is used, and in the 1st party MSAL sign-in scenario the iOS-style keychain is used.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>iOS Microsoft 1st Party App Auth Flow 1. The 1st party application uses MSAL to acquire a token. 2. The request is directed to ESTS (Microsoft Security Token Service) for authentication. 3. The user account and application identity are verified against MSODS (Microsoft Online Directory Service). *From the user perspective, steps 2 and 3 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[37],"tags":[],"class_list":["post-404","post","type-post","status-publish","format-standard","hentry","category-drs-apple"],"yoast_head_json":{"title":"Apple Device Workplace Join & Broker Authentication - \u6781\u7b80IT\uff5cSimpleIT","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ruianding.com\/blog\/apple-device-workplace-join-broker-authentication\/","og_locale":"en_US","og_type":"article","og_title":"Apple Device Workplace Join & Broker Authentication - \u6781\u7b80IT\uff5cSimpleIT","og_description":"iOS Microsoft 1st Party App Auth Flow 1. The 1st party application uses MSAL to acquire a token. 2. The request is directed to ESTS (Microsoft Security Token Service) for authentication. 3. The user account and application identity are verified against MSODS (Microsoft Online Directory Service). *From the user perspective, steps 2 and 3 [&hellip;]","og_url":"https:\/\/www.ruianding.com\/blog\/apple-device-workplace-join-broker-authentication\/","og_site_name":"\u6781\u7b80IT\uff5cSimpleIT","article_published_time":"2023-06-28T08:11:41+00:00","article_modified_time":"2023-08-30T17:51:25+00:00","author":"Ruian Ding","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ruian Ding","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.ruianding.com\/blog\/apple-device-workplace-join-broker-authentication\/#article","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/apple-device-workplace-join-broker-authentication\/"},"author":{"name":"Ruian Ding","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"headline":"Apple Device Workplace Join &#038; Broker Authentication","datePublished":"2023-06-28T08:11:41+00:00","dateModified":"2023-08-30T17:51:25+00:00","mainEntityOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/apple-device-workplace-join-broker-authentication\/"},"wordCount":332,"publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"articleSection":["Apple"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.ruianding.com\/blog\/apple-device-workplace-join-broker-authentication\/","url":"https:\/\/www.ruianding.com\/blog\/apple-device-workplace-join-broker-authentication\/","name":"Apple Device Workplace Join & Broker Authentication - \u6781\u7b80IT\uff5cSimpleIT","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/#website"},"datePublished":"2023-06-28T08:11:41+00:00","dateModified":"2023-08-30T17:51:25+00:00","breadcrumb":{"@id":"https:\/\/www.ruianding.com\/blog\/apple-device-workplace-join-broker-authentication\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ruianding.com\/blog\/apple-device-workplace-join-broker-authentication\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.ruianding.com\/blog\/apple-device-workplace-join-broker-authentication\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.ruianding.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Apple Device Workplace Join &#038; Broker Authentication"}]},{"@type":"WebSite","@id":"https:\/\/www.ruianding.com\/blog\/#website","url":"https:\/\/www.ruianding.com\/blog\/","name":"Ruian's Tech Troubleshooting Toolbox","description":"Debug the World.","publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"alternateName":"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b","name":"Ruian Ding","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","width":284,"height":284,"caption":"Ruian Ding"},"logo":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/"},"description":"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.","sameAs":["https:\/\/www.ruianding.com"],"url":"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/"}]}}}