Blue Cedar Platform Release Notes - August 18, 2021
Blue Cedar Platform 5.2.0
Blue Cedar No-code Integration - Microsoft Intune
New support for Microsoft Intune and Microsoft Endpoint Manager. Blue Cedar's No-Code Integration Service for Microsoft Intune allows you to integrate the Microsoft Intune policies and the Microsoft Authentication Library (MSAL) into your mobile apps, with user authentication through Microsoft's Azure Active Directory. Additional options allow authentication using the Microsoft Authenticator app, and/or a secure microtunnel gateway connection (also called in-app VPN) to connect to resources behind a firewall.
- The Microsoft Authenticator app helps with Single Sign-On (SSO) for third-party apps, as well as Multi-Factor Authentication (MFA) flows.
- The secure microtunnel option lets you designate any standards-based IKEv2 gateway, including using the Blue Cedar Connect Gateway.
What do I need to do?
To use the Microsoft no-code integration, first enable the corresponding extensions and then add the steps to your workflows.
To add Intune to a mobile app:
- Enable the Intune extension listed under No-Code integration, as described in Extension - Microsoft Intune. You don't need to add any extension configurations for Intune.
- Add the Intune workflow step to an App container under the App Enhancement stage in the Workflow Builder. Configure the step as described in App Enhancement - Microsoft Intune.
To use the secure microtunnel option, follow the instructions in Blue Cedar Connect for Microsoft Intune. You only need a microtunnel if you're connecting to firewalled resources.
Additional notes on the Microsoft integrations:
- While you can add Intune without having to include the Endpoint Manager in your Blue Cedar integration, you cannot add the Endpoint Manager step unless you've first added the Intune step.
- The Microsoft and BlackBerry no-code integrations are mutually exclusive. Adding either of these steps to a workflow disables the other options. You can see options in new workflows for any extensions that have been enabled.
- See Open issues/limitations with this MSAL release below for notes about MSAL feature support and migrating from the Active Directory Authentication Library (ADAL) to MSAL.
Microsoft Endpoint Manager distribution
You can push Intune-enabled mobile apps to the Microsoft Endpoint Manager either manually or automatically, using Blue Cedar's distribution service for Microsoft. Use the manual download option if you want to prepare the app for Endpoint Manager distribution without automatically pushing it.
What do I need to do?
To enable distribution through the Microsoft Endpoint Manager:
- Enable the Microsoft Endpoint Manager extension listed under Distribution, as described in Extension - Microsoft Endpoint Manager.
- Add the corresponding workflow step under the Testing or Production stage in the Workflow Builder as described in Distribution - Microsoft Endpoint Manager.
To use the automatic deployment option, see Automatically deploying Intune-enabled apps for additional details.
Notice and Consent
New feature to display a Blue Cedar Platform user notification required for governmental compliance standards such as FedRAMP and other similar programs. Notice and Consent is required for government standards such as FedRAMP, which is the U.S. government standard that all cloud providers serving U.S. government agencies must meet. Users of the Blue Cedar Platform who are working for organizations that are subject to a compliance notification requirement will be required to acknowledge a standard "Notice and Consent" form, every time they log into the Platform. A non-government example could be a bank who wants to show customers a disclaimer each time the user uses the Blue Cedar Platform. The actual text of that consent form can be customized by organization, with assistance from Blue Cedar Customer Support.
See the referenced online documentation pages for more information, or click Help when you’re logged into the Blue Cedar platform.
What do I need to do?
Blue Cedar Platform users won't need to do much, other than review the information and click OK whenever they see the Notice and Consent pop-up.
What is the process to set it up?
If your organization needs to show the FedRAMP or other similar Notice and Consent, contact Blue Cedar Customer Support to add that capability.
The Notice & Consent text can be viewed under Admin > Organization > Notice & Consent, for organization administrators. Customer-side organizational admins can see the settings for their own organization, but can't change them.
Only Blue Cedar Customer Support can make changes, including setting a default that applies to all organizations on the Blue Cedar Platform. Even with this default, there's also an Override for an individual organization, if you need to substitute a different boilerplate text that you want only your own users to see.
For more information, see Setting Notice and Consent messages for platform users.
Enhance Service
Updated the Blue Cedar Mobile Client version 4.10.15 to include updates to OpenSSL and Curl, plus support for the Microsoft Authentication Library (MSAL).
OpenSSL upgrade
Blue Cedar Mobile Client 4.10.15 is updated to include OpenSSL 1.1.1k, released on 25 March 2021. This update provides a stronger encryption key for Data at Rest protection.
What do I need to do?
You don't need to do anything to migrate DAR-protected apps and their files to the new version of OpenSSL and encryption key. Note that once those files are migrated, they cannot be used by previous versions if you want to downgrade the app for any reason.
Curl upgrade
Blue Cedar Mobile Client 4.10.15 is updated to include curl 7.76.1. This update picks up any security-related fixes curl has made.
What do I need to do?
This curl update is transparent to platform users and mobile users; no action is needed.
Microsoft Authentication Library (MSAL)
The Blue Cedar Accelerator for Microsoft now includes the Microsoft Authentication Library (MSAL) instead of the Azure Active Directory Authentication Library (ADAL). MSAL supports all Microsoft identities, not just Azure AD accounts, and is standards compatible with OAuth v2.0 and OpenID Connect. For more information about ADAL vs MSAL, see the Microsoft documentation:
- iOS: https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-objc-adal-msal
- Android: https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-android-adal-msal
What do I need to do?
Review the Open issues/limitations with this MSAL release section below.
Open issues/limitations with this MSAL release
Support for these MSAL features is not implemented in this release of the Blue Cedar mobile client:
- Sovereign Cloud Registration (MOB-1860)
- Multiple trusted authorities (MOB-2012)
- Scope specification (MOB-2283)
Some mobile apps that include ADAL or MSAL packages before any integration via the Blue Cedar Platform cannot be integrated with the Blue Cedar Accelerator for Microsoft. Apps with incompatibilities in this area may encounter issues during integration, or at run time. This is a limitation of the Microsoft packages and Objective-C namespaces that causes the MSAL package added by Blue Cedar's Microsoft Accelerator to potentially collide with the pre-existing Microsoft authentication library.
Refer to this compatibility table for basic guidance:
Mobile OS | Pre-existing authentication library | Successful integration |
|---|---|---|
| iOS | MSAL | Yes |
| Android | ADAL | Yes |
| iOS | ADAL | No |
| Android | MSAL | No |
For more information from Microsoft, see these pages:
- https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-objc-adal-msal#msal-and-adal-in-the-same-app
- https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-objc-adal-msal
- https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-android-adal-msal
Resolved in Mobile Client 4.10.15
Item | Mobile OS | Accelerator/Service | Description |
|---|---|---|---|
| BBY-104 | Android | BlackBerry | Image and video capture on the device is now allowed even when App Kinetics with Data Loss Prevention is enabled. |
| BBY-105 | Android | BlackBerry | Added support for javascript Navigator.sendBeacon() command. |
| BBY-106 | Android | BlackBerry | Fixed an issue where WebView handling was not accessing the secure container correctly for downloaded files. |
| SPT-2347 | Android, iOS | Signing | Fixed an issue where the signing script failed when run on apps with spaces in the filenames. |
| SPT-2548 | iOS | Signing | Resolved an issue with external code signing on iOS with Python 3.9 |
| SPT-2570 | iOS | Microsoft | Fixed a rare hang in an app integrated with Intune. |
Platform Resolved issues
Apps and workflows
Item | Description |
|---|---|
| BCP-6160 | Uploading an invalid binary as a signed binary during the signing step now fails with a relevant message displayed via a tooltip on the step. The step still allows you to upload another binary after failed attempts. |
| BCP-6505 | Fixed a bug where uploading a version to an app immediately after creating the app caused the upload to fail. |
| BCP-6427 | App name validations are now consistent when creating or updating the app name. |
| BCP-6321 | Fixed a bug where the status tooltip on the App List showed incorrect timestamps. |
| BCP-6198 | Fixed a bug where creating or updating an app with an unusually long name failed. |
| BCP-6367 | Fixed an issue where importing a GitHub version to an app with an unusually long name failed. |
| BCP-6313 | Fixed a bug where running a workflow on an app with an unusually long name failed. |
| BCP-6454 | Fixed a bug where an app binary continued uploading after the app was deleted. Deleting an app now auto-cancels any ongoing uploads under that app. |
| BCP-6495, BCP-6471 | Fixed an issue where deleting all versions from the App Versions screen didn't auto-refresh the list. |
| BCP-5679 | Added support for including one or more Approval steps after an existing Approval step. |
| BCP-6046 | Fixed an issue which limited the number of workflows that would run when choosing the "Run All Workflows" action on the App Versions screen. This option now triggers a workflow run for all the versions within the app without any limit. |
BlackBerry
Item | Description |
|---|---|
| BCP-6130 | Fixed a bug where the "Revert Changes" button did not revert an uploaded but unsaved mobile provisioning profile. |
| BCP-5985 | When pushing apps to the BlackBerry UEM as part of your workflow, the app created now contains the name of the binary that the workflow runs on. |
| BCP-6405 | PLATFORM ADMINISTRATORS Added the ability to add and remove the No-Code Integration Extension for BlackBerry for a given organization. It could previously be added, but not removed. |
| BCP-6164 | ORGANIZATION ADMINISTRATORS Added the ability to add and remove the No-Code Integration extension for BlackBerry. Previously, the No-Code Integration extension for BlackBerry was always enabled. |
General
Item | Description |
|---|---|
| BCP-6183 | Minor fixes to handle the scroll behavior on the dashboard widgets when resizing the window. |
| SPT-2577 | Updated email address restrictions to follow standard formats. Most valid formats and characters are now allowed except for the disallowed characters per standard format: - <>()[\]\\.,;:\s@" |
| BCP-6221 | Rebranded Blue Cedar login and reset password screens. |
| BCP-6220 | Fixed a bug where search results weren't paginated properly. |
| BCP-6398 | Minor updates to the time format across platform. |
| BCP-6345 | Added a confirmation dialog when deleting any extension configurations. |
| BCP-5350 | Added a confirmation dialog when cancelling an app version upload. |
| BCP-5830 | Fixed an issue where exporting events to a PDF file created an empty PDF file. |
Organizations
Item | Description |
|---|---|
| BCP-6091 | Added support for svg images for organization logos. |
| BCP-6026 | Increased the file size limit for organization logos to 300 MB. |
Signing
Item | Description |
|---|---|
| BCP-6112 | Fixed an issue where the name of the zip file (bundle) generated during the Signing step was incorrectly set to undefined. |
| BCP-6453 | Signed bundle name now contains the app's name at the point of bundle creation, taking into account any updates to the app name. |
| BCP-6646 | A Signing step configured to run before the BlackBerry UEM distribution step now generates a signing bundle in which the signed binary now has the correct the GDApplicationID specified in the BlackBerry UEM step. |
Open issues/limitations with this MSAL release
Support for these MSAL features is not implemented in this release of the Blue Cedar mobile client:
- Sovereign Cloud Registration (MOB-1860)
- Multiple trusted authorities (MOB-2012)
- Scope specification (MOB-2283)
Some mobile apps that include ADAL or MSAL packages before any integration via the Blue Cedar Platform cannot be integrated with the No-Code Integration Service for Microsoft Intune. Apps with incompatibilities in this area may encounter issues during integration, or at run time. This is a limitation of the Microsoft packages and Objective-C namespaces that causes the MSAL package added by Blue Cedar's Intune extension to potentially collide with the pre-existing Microsoft authentication library.
Refer to this compatibility table for basic guidance:
| Mobile OS | Pre-existing authentication library | Successful integration |
|---|---|---|
| iOS | MSAL | Yes |
| Android | ADAL | Yes |
| iOS | ADAL | No |
| Android | MSAL | No |
For more information from Microsoft, see these pages: