App Enhancement - Microsoft Intune
Use the Microsoft Intune service to protect data by adding Intune app protection policies and the Microsoft Authentication Library (MSAL) to a mobile app without writing code. You can optionally add a Blue Cedar Connect step for a standards-based IKEv2 gateway to give the app in-app VPN functionality.
Prerequisites | Microsoft Intune subscription; an account with Application administrator privileges to register apps in the Azure Active Directory admin center; an app registered in Microsoft with API permissions (as described below) |
---|---|
Stage | App Enhancement |
Before using this step
Adding the Intune App SDK with the Microsoft Authentication Library to your apps allows the Microsoft identity platform to provide authentication and authorization services for your app and its users. To do this, you need to have done these steps once for each mobile app on your Azure Active Directory tenant:
Register the mobile app on the Microsoft portal
- Using an account with Application administrator privileges, log into the Azure Active Directory admin center:
  https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
- Search for an existing app or, to create a new registration, follow these steps:
- Click + New registration.
- On the "Register an application" screen, enter a name.
- Under "Supported account types," select "Accounts in this organizational directory only."
  Note: This is the setting for single-tenant registrations. If you are offering the app to many organizations as a service provider (such as an ISV), see Setting up multi-tenant Intune enrollment for MSAL users.
- Click Register.
Configure API permissions for the mobile app
- On the screen for your app registration, copy these values from the Essentials section and save them to use on the Blue Cedar Platform for configuration:
- Application (client) ID
- Directory (tenant) ID
- On the same application screen, click API permissions, and add the following permissions:
  - Microsoft Graph API:
    - Directory.Read.All
    - Device.Read.All
  - Microsoft Mobile Application Management:
    - DeviceManagementManagedApps.ReadWrite
  - Intune API:
    - get_data_warehouse
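The registration and permission steps above can also be scripted, which makes the result reviewable and repeatable across tenants. The following is an added example using the Microsoft Graph PowerShell SDK; it is not Blue Cedar's or Microsoft's own code. It assumes the permissions are requested as delegated scopes (the kind an MSAL user sign-in uses), that the service principals for the two non-Graph APIs can be found by the display names listed above (the Intune API's display name, "Microsoft Intune API", is an assumption), and that the account running it holds the Application administrator role. The app name is hypothetical.

```powershell
# Added example (not the page's or the vendor's code): register a single-tenant app
# and attach the delegated permissions listed above, then verify the result.
#Requires -Modules Microsoft.Graph.Applications

param(
    [string]$DisplayName = "Contoso Field App (Intune)"   # hypothetical app name
)

# Creating a registration needs Application.ReadWrite.All; the signed-in account
# must hold the Application administrator role.
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Resolve a resource API (the thing you pick under "API permissions") by display name.
function Get-ResourceApi {
    param([string]$Name)
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$Name'" -ErrorAction Stop
    if (-not $sp) { throw "Resource API '$Name' not found in this tenant" }
    return ($sp | Select-Object -First 1)
}

# Build one RequiredResourceAccess entry, resolving each delegated scope name to its id.
# Failing loudly beats silently registering a partial permission set.
function New-ResourceAccess {
    param($ServicePrincipal, [string[]]$Scopes)
    $access = foreach ($scope in $Scopes) {
        $s = $ServicePrincipal.Oauth2PermissionScopes | Where-Object { $_.Value -eq $scope }
        if (-not $s) { throw "Scope '$scope' is not exposed by $($ServicePrincipal.DisplayName)" }
        @{ Id = $s.Id; Type = "Scope" }   # "Scope" = delegated permission (assumption, see lead-in)
    }
    return @{ ResourceAppId = $ServicePrincipal.AppId; ResourceAccess = @($access) }
}

# 00000003-0000-0000-c000-000000000000 is the well-known Microsoft Graph app id.
$graph  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$mam    = Get-ResourceApi -Name "Microsoft Mobile Application Management"
$intune = Get-ResourceApi -Name "Microsoft Intune API"   # assumed display name

$required = @(
    New-ResourceAccess -ServicePrincipal $graph  -Scopes @("Directory.Read.All", "Device.Read.All")
    New-ResourceAccess -ServicePrincipal $mam    -Scopes @("DeviceManagementManagedApps.ReadWrite")
    New-ResourceAccess -ServicePrincipal $intune -Scopes @("get_data_warehouse")
)

# AzureADMyOrg is "Accounts in this organizational directory only" (single-tenant).
$app = New-MgApplication -DisplayName $DisplayName `
                         -SignInAudience "AzureADMyOrg" `
                         -RequiredResourceAccess $required

# Read the registration back and check it before copying values into the platform.
$check = Get-MgApplication -ApplicationId $app.Id
if ($check.SignInAudience -ne "AzureADMyOrg") {
    throw "Unexpected sign-in audience: $($check.SignInAudience)"
}
$requested = ($check.RequiredResourceAccess | ForEach-Object { $_.ResourceAccess.Count } |
              Measure-Object -Sum).Sum

# These two values are what the Blue Cedar Platform step asks for.
[pscustomobject]@{
    "Application (client) ID" = $app.AppId
    "Directory (tenant) ID"   = (Get-MgContext).TenantId
    "Permissions requested"   = $requested
}
```

RequiredResourceAccess only records what the app requests; Directory.Read.All and Device.Read.All still need admin consent to be granted for the tenant (in the portal, "Grant admin consent" on the API permissions page) before users can sign in without a consent prompt. Run the script once per app, and keep the printed client and tenant IDs with the app's configuration rather than pasting them from the portal by hand.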
Using this step in a workflow
Authentication
On the Blue Cedar Platform, in the workflow builder for your app:
- Add the App Enhancement stage
- Add the Microsoft Intune step to the workflow.
You must also configure the Azure AD Application ID and your Tenant Name, using the values you saved when registering the app. The Intune service gives you app protection and a single sign-on (SSO) experience that authenticates to cloud or on-premises Active Directory (AD).
Click on the options gear next to Intune in the workflow outline. Configure the Azure AD Authentication options:
Configuration
Option | Details |
---|---|
Azure AD Application ID | Required. The app’s Azure AD application ID, specific to that app. This can be retrieved from the app properties in the Azure AD admin center. Example: af325ed9-7761-5ae0-ac36-ea5b62359ad4 |
Tenants | Required. The Azure AD tenant the app authenticates against (see Directory (tenant) ID above). |
Use Microsoft Authenticator App | Enable to use Microsoft Authenticator, which is a separate external authentication broker app. Redirecting authentication flows to an authentication broker allows apps that do not have the same signer to use the MSAL cache in the authentication broker to achieve Single Sign-On (SSO), for example between Microsoft apps and third-party apps. Using an authentication broker also allows Multi-Factor Authentication (MFA) flows to be used. |
Azure AD Cache Identifier Override | Optional, iOS only. The platform-specific identifier used to control where Azure AD cache information is stored to allow sharing between apps. Note: This is an advanced option to customize token sharing between specific apps. Most scenarios for sharing tokens are better satisfied by using the Microsoft Authenticator app. On iOS, this is used as a Shared Keychain ID. Note that apps must have the same signer (Team ID) to share Azure AD cache information directly. This option is unavailable if Use Microsoft Authenticator App is enabled. |
Rule-Based Authentication | Add URLs to this list to use OAuth authentication for app requests to those URLs. For example, if the app requests a URL within the bluecedar.com domain and If the app requests a URL that isn't on this list, there is no effect—the app attempts to connect to the URL as usual. Format: You can use hostnames or IP addresses, as long as each entry starts with |
Secure Connectivity
Optionally, you can add an in-app VPN to Intune-enabled apps. This service lets you designate an IKEv2 gateway with options for proxy servers and private certificates. To configure this with the Blue Cedar Connect step connectivity option for a gateway, see the step:
Related topics
Microsoft Intune-integrated apps can be managed with the Microsoft Endpoint Manager. Once an app has been integrated with Microsoft, you can push the app manually or automatically to the Microsoft Endpoint Manager for distribution. Enable and configure the Microsoft Endpoint Manager distribution extension to access this service.