Getting MSALErrorWorkplaceJoinRequired error with Latest Company portal in macOS #2380

Open
parora9594 opened this issue Nov 5, 2024 · 10 comments

parora9594 commented Nov 5, 2024

We are using the MSAL library in our macOS app for Conditional Access and Compliance Policy, but we have recently encountered the following issue with the Company Portal app while registering the device in Azure. The error started appearing with some of the latest versions, whereas it was functioning correctly on the older version (5.2205.0).
info=Error Domain=MSALErrorDomain Code=-50001 "(null)" UserInfo={MSALErrorDescriptionKey=Workplace join is required, [email protected], MSALCorrelationIDKey=07EF1D50-70F4-4FE3-A520-49407BCDE089, MSALBrokerVersionKey=5.2409.1, MSALHomeAccountIdKey=7382108e-18bc-44d0-8698-30232e855696.8770389d-4e0b-4cb8-82c8-120bdc88581a, MSIDTokenProtectionRequired=false

Could you provide guidance on addressing this issue with the newer versions?

@ameyapat ameyapat self-assigned this Nov 5, 2024
@ameyapat
Contributor

ameyapat commented Nov 5, 2024

Hi @parora9594, can you provide the incident ID from your Company Portal app? I can look up the logs using that. Can you elaborate on what you mean by 'registering the device on Azure'?

@parora9594
Author

parora9594 commented Nov 7, 2024

@ameyapat, I can share more detailed info for the same. See the logs below:
Mac SSO Extension 2024-10-23 13:28:45:057 | E | ADB v3.3.17/WPJ v3.5.32 | TID=19904 MSAL 1.4.1 Mac 14.6.1 [2024-10-23 11:28:45] Failed to query WPJ registration with error Error Domain=com.microsoft.workplacejoin.errordomain Code=-400 "no registration exists for tenant: (null), domain name: (null)" UserInfo={NSLocalizedDescription=no registration exists for tenant: (null), domain name: (null)} förval 13:28:45.057768+0200 Mac SSO Extension -[SOAuthorizationRequest completeWithError:] extension API called, error = Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=-6000 "(null)" UserInfo={NSUnderlyingError=0x7fb3c5315ac0 {Error Domain=MSALErrorDomain Code=-50001 "(null)" UserInfo={MSALErrorDescriptionKey=Workplace join is required, [email protected], MSALCorrelationIDKey=07EF1D50-70F4-4FE3-A520-49407BCDE089, MSALBrokerVersionKey=5.2409.1, MSALHomeAccountIdKey=7382108e-18bc-44d0-8698-30232e855696.8770389d-4e0b-4cb8-82c8-120bdc88581a, MSIDTokenProtectionRequired=false}}} on <private> förval 13:28:45.057945+0200 Mac SSO Extension [0x7fb3c53193c0] invalidated because the current process cancelled the connection by calling xpc_connection_cancel() fel 13:28:45.058392+0200 Mac SSO Extension 2024-10-23 13:28:45:058 | E | ADB v3.3.17/WPJ v3.5.32 | TID=19904 MSAL 1.4.1 Mac 14.6.1 [2024-10-23 11:28:45] Failed to handle SSO request, error Error Domain=MSALErrorDomain Code=-50001 "(null)" UserInfo={MSALErrorDescriptionKey=Workplace join is required, [email protected], MSALCorrelationIDKey=07EF1D50-70F4-4FE3-A520-49407BCDE089, MSALHomeAccountIdKey=7382108e-18bc-44d0-8698-30232e855696.8770389d-4e0b-4cb8-82c8-120bdc88581a, MSIDTokenProtectionRequired=false} förval 13:28:45.058556+0200 Mac SSO Extension 0x7fb3c2073820 - [pageProxyID=6, webPageID=7, PID=1886] WebPageProxy::decidePolicyForNavigationAction: listener called: frameID=2, isMainFrame=1, navigationID=8, policyAction=2, safeBrowsingWarning=0, isAppBoundDomain=0, wasNavigationIntercepted=0 förval 
13:28:45.058693+0200 Mac SSO Extension 0x7fb3c2073820 - [pageProxyID=6, webPageID=7, PID=1886] WebPageProxy::receivedNavigationPolicyDecision: frameID=2, isMainFrame=1, navigationID=8, policyAction=2 förval 13:28:45.058917+0200 AppSSOAgent [0x7f8cf0f05040] invalidated after getting a no-senders notification - client is gone

We are sending an SSO payload via MDM to the device for the Company Portal app. Up to 5.2205.0 it was working fine and we were able to register the device in the Azure portal for Conditional Access, but with the latest version we have started facing this issue.

Below is the ESSO payload:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.extensiblesso</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>XXXXXX-XXXX</string>
            <key>PayloadUUID</key>
            <string>84dd3570-c77b-48da-a3e2-956ec660fd6b</string>
            <key>PayloadDisplayName</key>
            <string>ExtensibleSingleSignOn Usage</string>
            <key>PayloadDescription</key>
            <string>ExtensibleSingleSignOn Configuration</string>
            <key>PayloadOrganization</key>
            <string>XXXXXXXXX</string>
            <key>ExtensionIdentifier</key>
            <string>com.microsoft.CompanyPortalMac.ssoextension</string>
            <key>Type</key>
            <string>Redirect</string>
            <key>URLs</key>
            <array>
                <string>https://login.microsoftonline.com</string>
                <string>https://login.microsoft.com</string>
                <string>https://sts.windows.net</string>
                <string>https://login.partner.microsoftonline.cn</string>
                <string>https://login.chinacloudapi.cn</string>
                <string>https://login.microsoftonline.de</string>
                <string>https://login.microsoftonline.us</string>
                <string>https://login.usgovcloudapi.net</string>
                <string>https://login-us.microsoftonline.com</string>
            </array>
            <key>TeamIdentifier</key>
            <string>UBF8T34XXX</string>
            <key>Enable_SSO_On_All_ManagedApps</key>
            <integer>1</integer>
            <key>browser_sso_interaction_enabled</key>
            <integer>1</integer>
            <key>disable_explicit_app_prompt</key>
            <integer>1</integer>
            <key>AppAllowList</key>
            <string>com.microsoft.skydrive,com.apple.mobilesafari,com.microsoft.azureauthenticator,com.microsoft.CompanyPortalMac,com.google.Chrome</string>
        </dict>
    </array>
</dict>
</plist>

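As an added sanity check, not part of the issue or of the MSAL project, the script below parses an Extensible SSO profile of the shape posted above and reports the kinds of defects that make the Company Portal extension silently ignore a setting (whitespace inside key or string values, a wrong PayloadType, ExtensionIdentifier or Type, non-https redirect URLs). The expected values are taken from the posted profile; the sample plist is constructed here with the redacted Team ID kept as a placeholder.

```python
import plistlib
import re

# Constructed sample modelled on the ESSO profile posted above (identifiers abbreviated);
# the stray whitespace inside <key> and <string> is reproduced on purpose.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Inc//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.extensiblesso</string>
<key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
<key>TeamIdentifier</key><string>UBF8T34XXX</string>
<key>Type</key><string>Redirect</string>
<key>URLs</key><array><string>
https://login.microsoftonline.com</string><string>https://sts.windows.net</string></array>
<key> Enable_SSO_On_All_ManagedApps</key><integer>1</integer>
<key>AppAllowList</key><string> com.microsoft.skydrive,com.apple.mobilesafari</string>
</dict></array></dict></plist>"""

# The same profile with the whitespace defects removed.
FIXED_PLIST = (SAMPLE_PLIST.replace(b"<key> Enable", b"<key>Enable")
               .replace(b"<string>\nhttps", b"<string>https")
               .replace(b"<string> com", b"<string>com"))

# Values the Company Portal extension expects, as used in the profile from the issue.
EXPECTED = {
    "PayloadType": "com.apple.extensiblesso",
    "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
    "Type": "Redirect",
}

def check_esso_payload(data: bytes) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        # A key with surrounding whitespace is a different key and is silently ignored.
        for key in payload:
            if key != key.strip():
                findings.append(f"key {key!r} has surrounding whitespace")
        cleaned = {k.strip(): v for k, v in payload.items()}
        for key, want in EXPECTED.items():
            if cleaned.get(key) != want:
                findings.append(f"{key} is {cleaned.get(key)!r}, expected {want!r}")
        if not re.fullmatch(r"[A-Z0-9]{10}", cleaned.get("TeamIdentifier", "")):
            findings.append("TeamIdentifier is not a 10-character Apple Team ID")
        for url in cleaned.get("URLs", []):
            if url != url.strip() or not url.startswith("https://"):
                findings.append(f"URL {url!r} has whitespace or is not https")
        for app in cleaned.get("AppAllowList", "").split(","):
            if app != app.strip():
                findings.append(f"AppAllowList entry {app!r} has surrounding whitespace")
    return findings
```

Running `check_esso_payload(SAMPLE_PLIST)` reports three findings (the key, the first URL and the first AppAllowList entry), while `FIXED_PLIST` passes clean.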

@parora9594
Author

@ameyapat, can you please help?

@ameyapat
Contributor

ameyapat commented Nov 8, 2024

@parora9594 Please provide the incident ID from the Company Portal app after reproducing the issue. See the instructions for getting an incident ID here: https://learn.microsoft.com/en-us/mem/intune/user-help/send-errors-macos#send-diagnostic-report-to-microsoft

@parora9594
Author

@ameyapat here are the required details:
Company Portal diagnostic information

Incident ID: 33E1F270

Operating system: OSX 14.5.0
App Store version: 5.2409.1
Build version: 53.2409926.002

@ameyapat
Contributor

@parora9594 From the logs, it fails to retrieve the Identity (device certificate + private key) from your keychain. The registration might have been messed up in the keychain for some reason. Do you see any warnings when you open the Company Portal app? When you open it, it should show you a notification about repairing the registration. Or you can remove the device and re-enroll it.

Also, do you have multiple iCloud/Apple accounts operating the keychain? One might be overwriting the other.

@parora9594
Author

Thanks for the update @ameyapat. There is no warning in the Company Portal app. My questions here are:

  1. If there is a device/keychain issue, it should not occur on all devices, yet every customer who has updated the Company Portal app has started facing this issue.
  2. How can I remove a device if it is not registered?
  3. Why is this not happening with the older Company Portal app? When we downgrade the Company Portal it starts working fine.

@ameyapat
Contributor

@parora9594

  1. From the logs that were provided, that is what I observed.
  2. An enrolled device would still show up even if it is not registered. Here are the steps: https://learn.microsoft.com/en-us/mem/intune/user-help/unenroll-your-device-from-intune-macos#remove-a-device
  3. Can you provide an incident ID from the newer version of the Company Portal where it is not working and an incident ID from the older version of the Company Portal where it is working?

@parora9594
Author

parora9594 commented Nov 21, 2024

@ameyapat Here is the incident ID for the success case:
Incident ID: 337E05DB
Operating system: OSX 14.5.0
App Store version: 5.2205.0
Build version: 52.2205273.001

For failure case:
Incident ID: 33E1F270
Operating system: OSX 14.5.0
App Store version: 5.2409.1
Build version: 53.2409926.002

@ameyapat
Contributor

@parora9594 Thanks for the logs. We did have a regression from Apple that caused a similar issue. We had to hack a fix, but it hasn't shipped in production yet. It is available in beta though. Can you check if the beta version of the Company Portal resolves your issue?

To update the Company Portal to beta, use Microsoft AutoUpdate and switch to the beta channel: https://support.microsoft.com/en-us/office/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1?ui=en-us&rs=en-us&ad=us

Once switched to the beta channel, the newer version of the Company Portal should show up as an updatable version.
