Alchemy
alchemynz.bsky.social
Kiwi | IT Systems Engineer | Gamer | Caffeine Addict | Far too much Warhammer
Been working on these guys alongside my kill team.
December 4, 2024 at 11:18 AM
MDM is great for corporate owned devices, but not appropriate on personally owned, so we must use MAM. I can change the CA policy from all apps, but gaps would then exist. If we had an app id for auth enrollment to exclude from the CA policy this would resolve it. Temp exclusions would be painful.
November 28, 2024 at 12:01 AM
The CA policy is documented as all applications for iOS and Android devices to enforce MAM on unmanaged devices. We can't exclude the authenticator client or any of the endpoints used for enrollment, so I'm not sure how else this could be configured to not produce security gaps for unmanaged mobile.
November 27, 2024 at 9:35 PM
MAM uses a broker app (Authenticator, or previously Company Portal). To enforce MAM usage on unmanaged mobiles we use the CA policy (this is the templated one). This has never tripped up Authenticator enrollment until passkeys. So it has not been in scope of this policy until now (likely reg endpoints).
November 27, 2024 at 9:01 PM
I believe from my limited understanding that Authenticator has been safeguarded from the CA policy that is enforcing MAM, as otherwise MAM doesn't function as documented. It's sounding like MAM and passkeys can't coexist?
November 27, 2024 at 8:00 PM
Customers can't exclude the application or the client in the CA policy today. Authenticator requiring MAM would be an onboarding conflict, as MAM uses Authenticator as the broker and it is not a valid target itself as per the docs. We are MAM, not MDM, on mobiles, and this CA policy was good until passkeys.
November 27, 2024 at 7:53 PM
All resources, same as the template in CA. I have tried with both grant controls solo with the same outcome. Apparently targeting Office 365 is a workaround, from a reply to a previous post I made, but it is far from ideal for our environment and would produce gaps.
November 27, 2024 at 4:17 AM
Enabled passkeys using attestation. All auth method enrollment results in an error due to this CA policy in place for MAM enforcement. The user can cancel and will see all methods enrolled except passkeys. Have had to disable passkeys for now.
November 27, 2024 at 4:09 AM
The urge to reunite these brothers with Magnus is strong now.
November 25, 2024 at 2:44 AM
Is this documented anywhere? As this has only occurred with passkey enrolment, and all other methods still enrol. We have attestation and require MAM. My understanding is Authenticator is required for onboarding and to be a broker, so it is meant to be safeguarded from this policy.
November 22, 2024 at 5:48 AM
If you have the CA policy "Require approved client apps or app protection policies", then all users get a sign-in error and enrollment fails. Support being as helpful as expected.
November 22, 2024 at 4:54 AM