SDK not working in an iOS credential provider extension #314

Closed
anmipo opened this issue Mar 16, 2023 · 9 comments

anmipo commented Mar 16, 2023

I am struggling to get the Intune SDK to work in a credential provider extension on iOS.

The SDK is successfully integrated both in the main app and in the extension:

  • IntuneMAMSwift.xcframework and IntuneMAMSwiftStub.xcframework are linked to both targets;
  • MSAL is added as a Swift package to both;
  • URL schemes are set up;
  • keychain sharing and a shared app group container are enabled, entitlements granted, and they successfully work for the app/appex exchange;
  • I have also walked through the troubleshooting steps in #63 ('Open In' non-UI Action extension not appearing in Share UI), without any success.

The integrated Intune SDK works fine in the app itself: the user is prompted to enroll (MAM-WE), the app restarts, the APP are applied (the user is prompted to define a PIN), app config received, the user stays enrolled across restarts — everything works just fine.

However, the extension does not see any enrolled user, does not receive APP, and generally looks like Intune SDK does not do anything at all. I mean, my calls to the SDK work and return, so it's not a compilation/linking issue. But IntuneMAMEnrollmentManager.instance().enrolledAccount() just always returns nil.

Am I missing something? Maybe there is a magic method to "activate" the SDK in the extension? Or the SDK is not supposed to work in AutoFill extensions at all?

Screenshots and logs:

Keychain sharing entitlement granted in both targets, with the following config in both .entitlements files:

<key>keychain-access-groups</key>
<array>
	<string>$(AppIdentifierPrefix)com.myapp.intune</string>
	<string>$(AppIdentifierPrefix)com.microsoft.intune.mam</string>
	<string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
</array>

Shared app group container configured in entitlements for both targets:

<key>com.apple.security.application-groups</key>
<array>
	<string>group.com.myapp.intuneShared</string>
</array>

Here are the Intune settings section of extensions' Info.plist:

<key>IntuneMAMSettings</key>
<dict>
    <key>AppGroupIdentifiers</key>
    <array>
        <string>group.com.myapp.intuneShared</string>
    </array>
    <key>ContainingAppBundleId</key>
    <string>com.myapp.intune</string>
</dict>

The extension has access to the app group container (it can write/read files there). It also has access to the keychain group; here is the list of items the extension sees in the keychain:

Keychain contents as seen by the extension
[12345ABCDE.com.microsoft.adalcache] 8feae304-****-a6186de252be-login.windows.net = {
    "secret":"eyJ0****Yl2A",
    "target":"https:\/\/msmamservice.api.application\/DeviceManagementManagedApps.ReadWrite https:\/\/msmamservice.api.application\/.default",
    "home_account_id":"8feae304-****-a6186de252be",
    "application_cache_identifier":"com.myapp.intune",
    "credential_type":"AccessToken",
    "environment":"login.windows.net",
    "realm":"4db3a165-****-a6186de252be",
    "expires_on":"1679004716",
    "extended_expires_on":"1679004716",
    "client_id":"292a80b3-****-b2d2e764e538",
    "cached_at":"1679000542"
}
[12345ABCDE.com.microsoft.adalcache] 8feae304-****-a6186de252be-login.windows.net = {
    "client_info":"eyJ1****lIn0",
    "local_account_id":"8feae304-****-900b99953cba",
    "home_account_id":"8feae304-****-a6186de252be",
    "username":"AdeleV@myapp.onmicrosoft.com",
    "environment":"login.windows.net",
    "realm":"4db3a165-****-a6186de252be",
    "authority_type":"MSSTS",
    "name":"Adele Vance"
}
[12345ABCDE.com.microsoft.adalcache] 8feae304-****-a6186de252be-login.windows.net = {
    "client_id":"292a80b3-****-b2d2e764e538",
    "secret":"eyJ0****L6NA",
    "environment":"login.windows.net",
    "credential_type":"IdToken",
    "home_account_id":"8feae304-****-a6186de252be",
    "realm":"4db3a165-****-a6186de252be"
}
[12345ABCDE.com.microsoft.adalcache] login.windows.net = {
    "client_id":"292a80b3-****-b2d2e764e538",
    "family_id":"",
    "environment":"login.windows.net"
}
[12345ABCDE.com.microsoft.adalcache] authority_map = {
    "client_id":"292a80b3-****-b2d2e764e538",
    "account_metadata_map":{
        "8feae304-****-a6186de252be":{
            "client_id":"292a80b3-****-b2d2e764e538",
            "athority_map":{
                "URLMap-":{
                    "https:\/\/login.windows.net\/common":"https:\/\/login.microsoftonline.com\/4db3a165-****-a6186de252be"
                }
            },
            "home_account_id":"8feae304-****-a6186de252be",
            "sign_in_state":"signed_in"
        }
    }
}
[12345ABCDE.com.microsoft.adalcache] 8feae304-****-a6186de252be-login.windows.net = {
    "client_id":"292a80b3-****-b2d2e764e538",
    "secret":"0.AU****XJWg",
    "environment":"login.windows.net",
    "credential_type":"RefreshToken",
    "home_account_id":"8feae304-****-a6186de252be"
}
[12345ABCDE.com.microsoft.intune.mam] com.myapp.intune.private = nil
[12345ABCDE.com.microsoft.intune.mam] AutoEnroll-lastchecktimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] AutoEnroll-successtimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] AlphanumericPasscodeEnabled-lastchecktimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] DeviceComplianceEnabled-lastchecktimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] AcceptEULA-lastchecktimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] AccessRecheckOfflineTimeout-successtimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] com.microsoft.intune.mam.offlinegraceperiod.lastknownconnectionstatus = nil
[12345ABCDE.com.microsoft.intune.mam] DeviceComplianceEnabled-successtimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] AuthenticationEnabled-lastchecktimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] AuthenticationEnabled-successtimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] AlphanumericPasscodeKey = nil
[12345ABCDE.com.microsoft.intune.mam] NumAlphanumericPasscodeAttempts = nil
[12345ABCDE.com.microsoft.intune.mam] AlphanumericPasscodeEnabled-successtimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] OfflineWipeConfirm-lastchecktimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] AccessRecheckOfflineTimeout-lastchecktimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] com.myapp.intune.AutoFill.private = nil
[12345ABCDE.com.microsoft.intune.mam] com.myapp.intune.MAMPolicies = nil
[12345ABCDE.com.microsoft.intune.mam] com.myapp.intune.private = nil
[12345ABCDE.com.microsoft.intune.mam] com.myapp.intune.DiagnosticDataOnLaunch = nil
[12345ABCDE.com.microsoft.intune.mam] com.microsoft.intunemam.IDMGR_OID_CACHE = nil
[12345ABCDE.com.microsoft.intune.mam] com.microsoft.intunemam.IDMGR_UPN_CACHE = nil
[12345ABCDE.com.microsoft.intune.mam] mamCache.deviceId = nil
[12345ABCDE.com.microsoft.intune.mam] mamCache.internalSharedCache.v3 = nil
[12345ABCDE.com.microsoft.intune.mam] mamCache.devicePrimaryAccountIdV2 = nil
[12345ABCDE.com.microsoft.intune.mam] AutoEnroll-lastchecktimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] AutoEnroll-successtimestamp = nil
[12345ABCDE.com.microsoft.intune.mam] com.myapp.intune.com.microsoft.intune.mam.DontShowManagementStatement = nil
[12345ABCDE.com.microsoft.intune.mam] IntuneMAMFirstSignedInUser = nil
[12345ABCDE.com.microsoft.intune.mam] com.myapp.intune.AutoFill.private = nil
[12345ABCDE.com.microsoft.intune.mam] com.myapp.intune.intune_app_protection_enrollment_id_V1 = nil
[12345ABCDE.com.microsoft.intune.mam] com.myapp.intune.AllKnownIdentities = nil

Here are the log files returned by IntuneMAMDiagnosticConsole (called from the extension): https://gist.github.com/anmipo/f6581e269a2eacef057280128130777f

Remarkably, Intune-com.myapp.intune-0.txt does not even mention the extension's bundle ID (com.myapp.intune.AutoFill).

Smartphone:

  • iPhone SE 2016 (iOS 15.7.1)
  • iPhone 11 (iOS 16.4 beta)

Intune App SDK for iOS:

  • Intune SDK: 17.3.2 (latest)
  • Platform: native, Swift, Xcode 14.2 (also tried 14.3 beta 2), macOS 13.2.1
@Kyle-Reis Kyle-Reis self-assigned this Mar 17, 2023
@Kyle-Reis (Collaborator) commented:

Hi @anmipo, would you be able to share a screenshot of the "Frameworks, Libraries, and Embedded Content" section under the "General" tab for the extension target's properties in Xcode?


anmipo commented Mar 20, 2023

Thank you for looking into this, @Kyle-Reis. Here's the screenshot:
[Screenshot 2023-03-20 at 21:56:08: the extension target's "Frameworks, Libraries, and Embedded Content" section]

I can make a demo project, if this helps.

Also, not sure if relevant: I am testing the extension on unmanaged Safari.

@Kyle-Reis (Collaborator) commented:

Hi @anmipo, So far everything with your config looks OK. A demo project would be great. Thanks!

@chasemac commented:

Are the Intune frameworks supposed to be "Embed & Sign" instead of "Do Not Embed"?


anmipo commented Apr 13, 2023

@Kyle-Reis , it took longer than expected, but here's the demo project to illustrate the issue: https://github.com/anmipo/AppExDemo

It's a barebones iOS app with a credential provider extension, both integrated with the Intune SDK. A user can successfully enroll in the main app, but that account is not visible to the extension.

As a side note, IntuneMAMDiagnosticConsole.display() does not show any UI in the extension. I guess it tries to create a new UIWindow, but that API is not allowed for app extensions.

@chasemac , the frameworks are indeed "Embed & Sign" for the app itself. The app extension, however, does not need to embed them — this would be unnecessary duplication. Instead, the extension links to the frameworks embedded in the parent app bundle. At least that's my understanding :)


anmipo commented May 24, 2023

@Kyle-Reis , are there any updates, by any chance? Unfortunately, this is a blocking issue for me…


anmipo commented Jun 20, 2023

3 months without response, it starts to get a bit lonely here…

This seems closely related to #332. @vigavadi , @gastaffo , maybe you can help?

@Kyle-Reis (Collaborator) commented:

Hi @anmipo - I did some digging into this and, as it turns out, the SDK only supports a specific set of extension types, and that set currently does not include credential provider extensions. The list of currently supported extension types is:

UI Action Extensions
Non-UI Action Extensions
Custom KeyBoard Extensions
Document Provider Extensions
File Provider Extensions
Photo Editing Extensions
Share Extensions
Today Extensions
iMessage Extensions
UI FileProvider Extensions
UI Intents Extensions
Non-UI Intents Extensions
WidgetKit Extensions
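A preflight check, added here as an example (it is not code from the issue, from the demo project, or from the Intune SDK), that cross-checks the app/extension configuration posted at the top of the thread against the maintainer's supported-extension list: both targets must hold the same keychain-access-groups and app-group entitlements, the extension's IntuneMAMSettings must name a group the extension is actually entitled to and the containing app's bundle ID, and the extension's NSExtensionPointIdentifier must be one of the supported types. The mapping from the listed extension types to NSExtensionPointIdentifier values is my assumption (Document Provider is left out of it), and the sample plists are constructed to mirror the fragments posted in the issue.

```python
import plistlib

# NSExtensionPointIdentifier values for the extension types the maintainer lists
# as supported. Assumed mapping added for this example (Document Provider omitted);
# not part of the SDK or the issue.
SUPPORTED_EXTENSION_POINTS = {
    "com.apple.ui-services",               # UI Action
    "com.apple.services",                  # non-UI Action
    "com.apple.keyboard-service",          # custom keyboard
    "com.apple.fileprovider-nonui",        # File Provider
    "com.apple.fileprovider-actionsui",    # UI File Provider
    "com.apple.photo-editing",             # Photo Editing
    "com.apple.share-services",            # Share
    "com.apple.widget-extension",          # Today
    "com.apple.message-payload-provider",  # iMessage
    "com.apple.intents-service",           # non-UI Intents
    "com.apple.intents-ui-service",        # UI Intents
    "com.apple.widgetkit-extension",       # WidgetKit
}
CREDENTIAL_PROVIDER = "com.apple.authentication-services-credential-provider-ui"

KEYCHAIN = "keychain-access-groups"
APP_GROUPS = "com.apple.security.application-groups"


def check_targets(app_ent: bytes, ext_ent: bytes, ext_info: bytes, app_bundle_id: str) -> list[str]:
    """Return a list of findings; an empty list means the app/extension pair passes."""
    app, ext, info = (plistlib.loads(b) for b in (app_ent, ext_ent, ext_info))
    findings = []

    # 1. Both targets must carry identical keychain and app-group entitlements,
    #    otherwise the extension cannot read what the SDK stored from the app.
    for key in (KEYCHAIN, APP_GROUPS):
        a, e = set(app.get(key, [])), set(ext.get(key, []))
        findings += [f"{key}: {g} granted to app but not to extension" for g in sorted(a - e)]
        findings += [f"{key}: {g} granted to extension but not to app" for g in sorted(e - a)]

    # 2. IntuneMAMSettings in the extension must name a group it actually holds
    #    and the bundle ID of the containing app.
    mam = info.get("IntuneMAMSettings", {})
    for g in mam.get("AppGroupIdentifiers", []):
        if g not in set(ext.get(APP_GROUPS, [])):
            findings.append(f"IntuneMAMSettings.AppGroupIdentifiers names {g}, which the extension is not entitled to")
    if mam.get("ContainingAppBundleId") != app_bundle_id:
        findings.append(f"ContainingAppBundleId is {mam.get('ContainingAppBundleId')!r}, expected {app_bundle_id!r}")

    # 3. The extension point must be one the SDK supports; credential providers are not.
    point = info.get("NSExtension", {}).get("NSExtensionPointIdentifier")
    if point == CREDENTIAL_PROVIDER:
        findings.append("extension point is a credential provider, which the SDK does not support")
    elif point not in SUPPORTED_EXTENSION_POINTS:
        findings.append(f"extension point {point!r} is not in the SDK's supported list")
    return findings


# Constructed sample plists mirroring the fragments posted in the issue.
APP_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>keychain-access-groups</key>
  <array>
    <string>$(AppIdentifierPrefix)com.myapp.intune</string>
    <string>$(AppIdentifierPrefix)com.microsoft.intune.mam</string>
    <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
  </array>
  <key>com.apple.security.application-groups</key>
  <array><string>group.com.myapp.intuneShared</string></array>
</dict></plist>"""

# Extension entitlements as posted (identical), plus a variant missing the SDK's own group.
EXT_ENTITLEMENTS = APP_ENTITLEMENTS
EXT_ENTITLEMENTS_MISSING_MAM = APP_ENTITLEMENTS.replace(
    b"    <string>$(AppIdentifierPrefix)com.microsoft.intune.mam</string>\n", b"")

EXT_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSExtension</key>
  <dict>
    <key>NSExtensionPointIdentifier</key>
    <string>com.apple.authentication-services-credential-provider-ui</string>
  </dict>
  <key>IntuneMAMSettings</key>
  <dict>
    <key>AppGroupIdentifiers</key>
    <array><string>group.com.myapp.intuneShared</string></array>
    <key>ContainingAppBundleId</key>
    <string>com.myapp.intune</string>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    for name, ent in (("as posted", EXT_ENTITLEMENTS), ("missing mam group", EXT_ENTITLEMENTS_MISSING_MAM)):
        print(f"== extension entitlements {name} ==")
        for f in check_targets(APP_ENTITLEMENTS, ent, EXT_INFO_PLIST, "com.myapp.intune") or ["no findings"]:
            print(" -", f)
```

With the configuration exactly as posted, the only finding is the unsupported extension point, which matches the maintainer's answer. The `$(AppIdentifierPrefix)` placeholder is compared literally, which is adequate for the source `.entitlements` files of two targets in the same team; to check a built product instead, `codesign -d --entitlements - <path>` on the `.app` and the embedded `.appex` prints the signed entitlements, which the same function can consume.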


anmipo commented Jul 6, 2023

@Kyle-Reis, thank you for the response. Consider this a feature request then :)

@ShruthiAchutha closed this as not planned on Feb 23, 2024.