I have searched the existing issues and found none that matched mine
Describe the feature
So when you are in a company that has been infested by ms you not only log in via Azure but also your device has to be enrolled prior to being able to log in.
The existing closed source solution is comprised of:
microsoft-identity-broker that runs for the user and distributes the authenticated client token to any other user application
microsoft-identity-device-broker which runs on the system level -- its role is not clear to me - maybe it plays a role in device enrollment
intune-portal an electron application to perform the login, but also device enrollment
So intune is a secondary login application, that you execute after being already logged in. The whole system has stability issues, and even if it works it needs several retries.
Usually the identity brokers fail to recover any stored client data, and then fail to recover until you remove any relevant data. If that happens you spend roughly half an hour to reset and re-enroll. It is insane that
Right now the authd based solution cannot be used because of two reasons:
Missing device enrollment: even though the login flow works, the tenant will not allow me to log in if the device has not been enrolled prior - and the device key is sent with the login.
Different identity broker dbus interface: Due to the spread of the existing ms solution there are already a bunch of plugins, i.e. for firefox that rely on the dbus interface of the (broken) ms-identity-broker
The latter should be easy to fix - or could even be solved externally with another broker that relays the auth data.
The former is a blocker.
Describe the ideal solution
Implement a robust device enrollment system for Azure tenants, that follows the behavior of intune without the bugs.
Please take slow tenant reaction times for device approval of over 15 minutes into account.
Implement the ms-id-broker dbus protocol to support existing plugins
Alternatives and current workarounds
not applicable
System information and logs
not applicable
Relevant information
No response
Double check your logs
I have redacted any sensitive information from the logs
APokorny
changed the title
Feature: Replicate intune-portals device enrollment steps and mimic ms-id-borker dbus-interface
Feature: Replicate intune-portals device enrollment steps and mimic ms-identity-broker dbus-interface
Dec 16, 2024