Azure device ID is not selected by AnyConnect on iPhone

Advent965 1 Reputation point
2022-02-16T10:57:40.387+00:00

Team, This is a Two years old problem as per the below link. Now I would like to check with you. is this issue fixed?, because we have the same problem in our organization.

https://social.msdn.microsoft.com/Forums/azure/en-US/a13a9d64-7409-410f-8b80-f9567bb6ae85/azure-ad-indentity-certificate-sharing-with-other-apps-in-iphone?forum=WindowsAzureAD

We are trying to connect the VPN (AnyConnect) from iPhone with SAML+2FA (Compliant devices only), but the Azure device id is not selected by AnyConnect. But the same link is working when we try to connect from the browser (safari) and it's clearly prompting us to choose the azure device id.

We have tried to push the profile with NAC (device id) selection, but still not working. We have raised technical tickets with Cisco & Microsoft as well, but both are saying it's not their issue and playing a ping pong game.

174859-image.png

Microsoft Intune Configuration
Microsoft Intune Configuration
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Configuration: The process of arranging or setting up computer systems, hardware, or software.
1,953 questions
Microsoft Intune Application management
Microsoft Intune Application management
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Application management: The process of creating, configuring, managing, and monitoring applications.
969 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,649 questions
{count} votes

4 answers

Sort by: Most helpful
  1. VipulSparsh-MSFT 16,281 Reputation points Microsoft Employee
    2022-02-23T13:19:44.97+00:00

    @Advent965 Thanks for explaining your setup, I understand the situation now. In order for me to help you understand where the problem lies I will have to explain you how conditional access work in depth. So here we go :

    1) When you enroll a device in Intune (MDM), we do Azure AD registration for that device in AAD and create a device object in AAD that you see in Azure AD Device portal. And at this time Azure AD signs a device certificate which is in name of the Device Public key and is stored in Devices Keychain in IOS.

    2) We then pass on the device to Intune service where it follows the enrollment process and gets enrolled into Intune service and depending on the compliance policies created in Intune portal, it evaluates the device and store Device Compliance status - true or false in that Azure AD device Object.

    3) When a user tries to sign into any application which is protected by conditional access for devices (compliant, hybrid etc) the Azure AD needs to be aware of the device the user is signing from. For this reason the client needs to send the AAD Device ID to the AAD during sign in so that AAD can do further checks.

    4) Different operating system have different Client side brokers for accessing the device certificate from device store and present to the Azure AD. For examples browser will prompt a user to select a certificate as they cannot access the certificate directly under normal scenarios.

    5) In your example on IOS, for cisco any connect app to succeed in conditional access, at some point of time it will need to pass that Device ID to Azure AD so that AAD can do further check. But since the Device certificate is stored in keychain where only broker app like MS authenticator can only have access, it is not able to do so. Also, it is the responsibility of the client app to talk to broker app to get the certificate. This process is coded in the client App when they are integrated with MSAL : https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-use-brokers-with-xamarin-apps

    If the native client like Cisco Any connect app is not coded to perform this step, this is going to fail anyway as there is no way it can get access to that device certificate on its own.
    On Android the broker is Company portal App.

    Your setup will work fine without conditional access on devices and just with user MFA but will fail if you are checking compliance.
    There are many other apps which fail to do so and in that case the client company needs to update their app code to work with Device compliance part.

    If CISCO confirms that they have already updated the code to talk to MS Authenticator App on IOS which they can do by following : https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-use-brokers-with-xamarin-apps and if it still does not work, I will be happy to escalate the case for you.

    Hope you understand where the problem is and trust us we also do not like to keep you hanging in between. Do let us know if you have any questions will be happy to discuss further with you on this.

    -----------------------------------------------------------------------------------------------------------------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.

  2. Advent965 1 Reputation point
    2022-02-23T14:38:05.22+00:00

    Thanks a lot for the detailed explanation & procedures. Actually, I have raised a TAC case as well and got the below answer from them. However, I will ask them about these broker app permissions and let you know the status.

    177205-image.png


  3. Michael Maier 0 Reputation points
    2024-10-14T05:29:25.4366667+00:00

    I have the exact same problem. However, in my case the vpn connection with cisco anyconnect works fine when I am connect to a in-house/campus WLAN of the company (not the corporate network). But if does not work, when connected to any other network (i.e. mobile internet or my network at home).

    Therefore at least under a certain condition the device ID is handled properly. In other cases it's empty.

    I.e. it cannot be a general software problem.

    Any ideas?

    0 comments No comments

  4. Ricardo Salvador 11 Reputation points
    2024-11-28T23:40:33.05+00:00

    Hi,

    Any update regarding this subject?

    Thanks,

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.