Intune SDK keychain error #417

Open
yanfenz opened this issue Mar 29, 2024 · 15 comments

yanfenz commented Mar 29, 2024

Hello,

After integrating the Intune MAM in our iOS app, it is not working, and we found this error in the app's logs.

IntuneMAM: WARNING: App might display unpredictable behavior as protected group B5RVXC4CG6.com.microsoft.intune.mam is the first access group in keychain entitlements. Please fix this by making any other keychain group as the first access group in keychain entitlements.

We have already put the com.microsoft.intune.mam as the second keychain group. But it still shows this error.

[Screenshot 2024-02-09 at 12 46 07 PM]

Can anyone please help with this? Thanks!

ChismanRaheem self-assigned this Apr 1, 2024

ChismanRaheem commented Apr 1, 2024

Hi @yanfenz Thanks for reaching out. Within the entitlement file try adding your bundle id as the first string in the array.

```xml
<key>keychain-access-groups</key>
<array>
    <string>YOURBUNDLESEEDID.*</string>
</array>
```


yanfenz commented Apr 1, 2024

Hi @ChismanRaheem

Please see the screenshot of the entitlement file below; we have already added our bundle ID (which I have struck through in red) as the first string in the array. But the error is still shown.

[Screenshot 2024-04-01 at 8 27 26 PM]

@ChismanRaheem

@yanfenz Could you please supply the logs containing the complete error message? In some instances, this particular symptom may arise from a different underlying issue.


yanfenz commented Apr 11, 2024

Hi @ChismanRaheem Please see the attached Intune logs. I have hidden the actual bundle ID with "bundle-id" in the logs.
Intune logs.txt


ChismanRaheem commented Apr 25, 2024

Hi @yanfenz, I have not been able to reproduce this issue. Please let me know if this occurs for every project and if you have a sample for my team and me to review.


yanfenz commented May 2, 2024

Hi @ChismanRaheem We have only implemented the Intune MAM into one project. If it works, we will replicate it into other projects. But we have encountered this error and can't proceed. Is there any way that we can troubleshoot and what other information do you require to troubleshoot? Thanks!

@ChismanRaheem

@yanfenz I appreciate the update. To further assist with the troubleshooting process, it would be beneficial if you could share a sample GitHub repository with us. Currently, I'm unable to replicate the problem, and it may prove challenging without the precise steps to recreate it. Additionally, I suggest you clone our sample code from the provided link and integrate your business logic to determine if the same issue arises, https://github.com/msintuneappsdk/Chatr-Sample-Intune-iOS-App.git

@ChismanRaheem

Additional troubleshooting as requested: Please provide the codesign output of 'codesign -d --entitlements - path_to_app'

Note: The codesign command will be used to display code signatures, as well as inquire into the dynamic status of signed code in the system.

```
codesign -d [-v] [path|pid ...]

-d, --display
        Display information about the code at the path(s) given.
        Increasing levels of verbosity produce more output.  The format is
        designed to be moderately easy to parse by simple scripts while
        still making sense to human eyes.  In addition, the -r,
        --file-list, --extract-certificates, and --entitlements options
        can be used to retrieve additional information.

--entitlements path
        When signing, take the file at the given path and embed its
        contents in the signature as entitlement data. If the data at path
        does not already begin with a suitable binary ("blob") header,
        one is attached automatically.
        When displaying a signature, extract any entitlement data from
        the signature and write it to the path given. Use "-" to write to
        standard output.  By default, the binary "blob" header is
        returned intact; prefix the path with a colon ":" to
        automatically strip it off.  If the signature has no entitlement
        data, nothing is written (this is not an error).
```


yanfenz commented May 7, 2024

> Additional troubleshooting as requested: Please provide the codesign output of 'codesign -d --entitlements - path_to_app'

Hi @ChismanRaheem this is the output:
```
Executable=/Users/venpep/Library/Developer/CoreSimulator/Devices/A103C039-774A-43D2-8C31-1EDDE6FEE679/data/Containers/Bundle/Application/6A7DDB19-04D3-42EF-A081-B25CD1618B24/BoardVision.app/BoardVision
[Dict]
    [Key] com.apple.security.get-task-allow
    [Value]
        [Bool] true
```

@ChismanRaheem

Hi @yanfenz Thank you for the quick response. I noticed that your action was completed on CoreSimulator. I am respectfully requesting that you complete the same action items on a device build and upload the output at your earliest convenience.


yanfenz commented May 8, 2024

> Hi @yanfenz Thank you for the quick response. I noticed that your action was completed on CoreSimulator. I am respectfully requesting that you complete the same action items on a device build and upload the output at your earliest convenience.

Hi @ChismanRaheem this is the output, I have hidden the actual bundle ID with *****
```
[Dict]
    [Key] application-identifier
    [Value]
        [String] B5RVXC4CG6.sg.com.tr******.b******
    [Key] aps-environment
    [Value]
        [String] development
    [Key] com.apple.developer.team-identifier
    [Value]
        [String] B5RVXC4CG6
    [Key] get-task-allow
    [Value]
        [Bool] true
    [Key] keychain-access-groups
    [Value]
        [Array]
            [String] B5RVXC4CG6.sg.com.tr******.b******
            [String] B5RVXC4CG6.com.microsoft.intune.mam
            [String] B5RVXC4CG6.com.microsoft.adalcache
```
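
As an added example (not part of the original thread and not Intune SDK code), the check below reads an entitlements plist in XML form, such as the project's .entitlements file, and flags the condition the SDK warning names as well as the missing-array case seen in the simulator output above. The names `check_keychain_groups`, `TEAMID0000` and `com.example.app` are assumptions made for illustration.

```python
import plistlib
import sys

INTUNE_SUFFIX = "com.microsoft.intune.mam"  # protected group named in the SDK warning


def check_keychain_groups(plist_bytes):
    """Return a list of findings; an empty list means the ordering is as advised."""
    try:
        ent = plistlib.loads(plist_bytes)
    except Exception as exc:  # empty input or malformed plist
        return [f"cannot parse entitlements plist: {exc}"]
    if not isinstance(ent, dict):
        return ["top-level plist object is not a dictionary"]

    groups = ent.get("keychain-access-groups")
    if groups is None:
        # Same shape as the simulator output in the thread: no keychain groups at all.
        return ["keychain-access-groups is absent from the entitlements"]
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        return ["keychain-access-groups is not an array of strings"]
    if not groups:
        return ["keychain-access-groups is empty"]

    findings = []
    # endswith() also matches unexpanded forms like $(AppIdentifierPrefix)<group>.
    if groups[0].endswith(INTUNE_SUFFIX):
        findings.append(f"{groups[0]} is the first access group; list the app's own group first")
    if not any(g.endswith(INTUNE_SUFFIX) for g in groups):
        findings.append(f"no group ending in {INTUNE_SUFFIX} is listed")
    return findings


# Constructed samples; TEAMID0000 and com.example.app are placeholders.
GOOD = plistlib.dumps({"keychain-access-groups": [
    "TEAMID0000.com.example.app",
    "TEAMID0000.com.microsoft.intune.mam",
    "TEAMID0000.com.microsoft.adalcache",
]})
BAD = plistlib.dumps({"keychain-access-groups": [
    "TEAMID0000.com.microsoft.intune.mam",
    "TEAMID0000.com.example.app",
]})
SIMULATOR = plistlib.dumps({"com.apple.security.get-task-allow": True})

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BAD
    for line in check_keychain_groups(data) or ["ok"]:
        print(line)
```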


yanfenz commented May 20, 2024

> @yanfenz I appreciate the update. To further assist with the troubleshooting process, it would be beneficial if you could share a sample GitHub repository with us. Currently, I'm unable to replicate the problem, and it may prove challenging without the precise steps to recreate it. Additionally, I suggest you clone our sample code from the provided link and integrate your business logic to determine if the same issue arises, https://github.com/msintuneappsdk/Chatr-Sample-Intune-iOS-App.git

Hi @ChismanRaheem May I check if there is any update on this issue? Our app is already following the same GitHub repo to implement the Intune MAM.


ChismanRaheem commented May 30, 2024

Hi @yanfenz we need more information to help you, as of now when using the code sample please let me know how you are reproducing the issue. Please create a service ticket and provide me the case number so that we can capture more information to better assist you.
Thanks


yanfenz commented Jun 2, 2024

Hi @ChismanRaheem we have followed this guide to integrate the Intune SDK into our iOS app: https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-phase3

Can you please let me know where I should create the service ticket? Thanks!

@ChismanRaheem

@yanfenz Please email me directly at raheem.chisman@microsoft.com so that I can start collecting data that can be securely transferred to your case.

Collect logs:

  1. https://learn.microsoft.com/en-us/mem/intune/user-help/send-logs-to-microsoft-ios
  2. https://learn.microsoft.com/en-us/mem/intune/user-help/retrieve-ios-app-logs
