BlueFletch Enterprise

MSAL

Auth - MSAL supports Microsoft's Shared Device Mode. This connection supports brokered authentication via Microsoft Authenticator and browser-based authentication.

| Field | Description |
| --- | --- |
| client_id | string. The client ID used to register this application in Azure AD. |
| authorization_user_agent | string. Set to "DEFAULT", or to "BROWSER" to use the BlueFletch Browser. Support for BlueFletch Browser was introduced in Auth version 4.8.0. |
| redirect_uri | string. The configured redirect callback URI for this application. For the MSAL library, the redirect URI must be built from the application ID and its signature. Use "msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D". |
| authority_type | string. Set to "AAD" for Azure AD. |
| authority_url | string. The directory from which MSAL can request tokens. Typically "https://login.microsoftonline.com/<audience_tenant_id>", where <audience_tenant_id> is the Azure Tenant ID. |
| logout_url | string. Set to "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout", which also logs the user out of Office 365. |
| limit_to_launcher_groups | boolean. If set to true, only the groups identified in the AppAuth/OIDC IdP and in the launcher configuration file are passed into the session. For more information on configuring group_inclusion, see the Layouts section. |
| scopes | string. OIDC scope values required by the identity provider. For MSAL, the value should be "openid email profile User.Read GroupMember.Read.All". |
| audience_tenant_id | string. Set to the Azure Tenant ID. Replaces tenant_id starting in Auth version 4.5.9. |
| shared_device_mode_supported | boolean. Set to true if using the Microsoft Authenticator application in Shared Device Mode on the device. Default is false. |
| broker_redirect_uri_registered | boolean. If true, brokered authentication is applied; the Auth module validates the redirect URI and returns an exception if the Auth module is not configured to communicate with the broker. Set to true if using the Microsoft Authenticator application in Shared Device Mode on the device. Default is false. |
| limit_groups_to_direct_membership | boolean. If set to true, only direct group membership information is returned from Azure. If false, all inherited/related group information (identified as transitiveMemberOf in Azure) is returned. Default is false. Introduced in Auth version 4.7.8. |
| ignoreAccountChangeBroadcast | boolean. If set to true, Auth ignores the account-change broadcast coming from the shared device broker, which prevents Launcher from performing a forced logout when a user signs out from Microsoft Edge or another Microsoft application. Default is false, which is the Microsoft-recommended setting. Introduced in Auth version 4.8.31. |
| audience_type | string. If set, overrides the default audience type of "AzureADMyOrg". |
| default_group | string. If set, the default group assigned to a logged-in user. |
| account_mode | string. If set, overrides the default account mode of "SINGLE". |
| idpPasswordChangePolicyDays | string. The number of days configured in the IdP after which the password must be changed. |
| idpPasswordChangeReminderDays | string. The number of days before password expiration at which users start receiving notifications of the upcoming expiration. |

Auth4 Example:

```json
...
"auth_msal" : {
    "client_id": "<client_id during registration>",
    "authorization_user_agent" : "DEFAULT",
    "redirect_uri": "msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D",
    "authority_type": "AAD",
    "authority_url": "https://login.microsoftonline.com/<audience_tenant_id>",
    "audience_tenant_id" : "<audience_tenant_id>",
    "logout_url": "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout",
    "limit_to_launcher_groups": true,
    "scopes": "openid email profile User.Read GroupMember.Read.All",
    "shared_device_mode_supported": true,
    "broker_redirect_uri_registered": true,
    "limit_groups_to_direct_membership": true
}
...
```
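The following Python lint is added here as an example and is not part of the BlueFletch documentation or tooling. It checks an auth_msal block against the rules in the field table: placeholders left unfilled, the msauth redirect URI shape (assumed here to carry a URL-encoded base64 SHA-1 signature hash of the signing certificate, which is how MSAL for Android forms it), authority and tenant consistency, the required scopes, the paired Shared Device Mode flags, and ignoreAccountChangeBroadcast set away from the Microsoft-recommended default. The sample configuration, its client and tenant IDs, and the function names are constructed for this example.

```python
import base64
import json
import re
from urllib.parse import unquote, urlparse

# Scope values the MSAL guide lists as required.
REQUIRED_SCOPES = {"openid", "email", "profile", "User.Read", "GroupMember.Read.All"}
AAD_HOST = "login.microsoftonline.com"
PLACEHOLDER = re.compile(r"<[^>]+>")

# Constructed sample: the guide's Auth4 example with made-up client and
# tenant IDs (not real Azure identifiers).
SAMPLE_CONFIG = """{
  "auth_msal": {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "authorization_user_agent": "DEFAULT",
    "redirect_uri": "msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D",
    "authority_type": "AAD",
    "authority_url": "https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "audience_tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "logout_url": "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout",
    "limit_to_launcher_groups": true,
    "scopes": "openid email profile User.Read GroupMember.Read.All",
    "shared_device_mode_supported": true,
    "broker_redirect_uri_registered": true,
    "limit_groups_to_direct_membership": true
  }
}"""


def with_overrides(config_text, **overrides):
    """Return a copy of the config JSON with auth_msal keys replaced (helper for trying variants)."""
    doc = json.loads(config_text)
    doc["auth_msal"].update(overrides)
    return json.dumps(doc)


def check_auth_msal(config_text):
    """Lint an auth_msal block; returns a list of (severity, message), [] when clean."""
    findings = []
    cfg = json.loads(config_text).get("auth_msal")
    if not isinstance(cfg, dict):
        return [("error", "no auth_msal block found")]

    # 1. Values still holding <angle-bracket> placeholders were copied from the
    #    example and never filled in.
    for key, value in cfg.items():
        if isinstance(value, str) and PLACEHOLDER.search(value):
            findings.append(("error", f"{key} still contains a placeholder: {value}"))

    # 2. redirect_uri must be msauth://<package>/<url-encoded signature hash>.
    #    Assumption: MSAL for Android derives that hash from the signing certificate
    #    as a base64 SHA-1 (20 bytes), so a well-formed value decodes to 20 bytes.
    uri = urlparse(cfg.get("redirect_uri", ""))
    if uri.scheme != "msauth" or not uri.netloc or uri.path in ("", "/"):
        findings.append(("error", "redirect_uri must have the form msauth://<package>/<signature hash>"))
    else:
        try:
            digest = base64.b64decode(unquote(uri.path.lstrip("/")), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            digest = b""
        if len(digest) != 20:
            findings.append(("error", "redirect_uri signature hash is not a base64 SHA-1 digest"))

    # 3. Authority must be Azure AD, and the tenant segment of authority_url must
    #    match audience_tenant_id, otherwise tokens are requested from one tenant
    #    while the audience is checked against another.
    if cfg.get("authority_type") != "AAD":
        findings.append(("error", 'authority_type must be "AAD" for Azure AD'))
    authority = urlparse(cfg.get("authority_url", ""))
    if authority.scheme != "https" or authority.netloc != AAD_HOST:
        findings.append(("error", f"authority_url must be https://{AAD_HOST}/<audience_tenant_id>"))
    elif authority.path.strip("/") != cfg.get("audience_tenant_id"):
        findings.append(("error", "authority_url tenant does not match audience_tenant_id"))
    if "tenant_id" in cfg:
        findings.append(("warning", "tenant_id was replaced by audience_tenant_id in Auth 4.5.9"))

    # 4. Missing scopes break profile lookup or group membership (GroupMember.Read.All).
    missing = REQUIRED_SCOPES - set(cfg.get("scopes", "").split())
    if missing:
        findings.append(("error", "scopes missing: " + " ".join(sorted(missing))))

    # 5. Shared Device Mode needs both flags set; one without the other leaves
    #    the broker handshake half-configured.
    sdm = bool(cfg.get("shared_device_mode_supported", False))
    broker = bool(cfg.get("broker_redirect_uri_registered", False))
    if sdm != broker:
        findings.append(("error", "shared_device_mode_supported and broker_redirect_uri_registered must both be true for Shared Device Mode"))

    # 6. ignoreAccountChangeBroadcast=true suppresses the forced Launcher logout when
    #    the user signs out of Edge or another Microsoft app on a shared device.
    if cfg.get("ignoreAccountChangeBroadcast", False):
        findings.append(("warning", "ignoreAccountChangeBroadcast=true: Microsoft recommends false so that sign-out elsewhere also logs the Launcher user out"))
    return findings


if __name__ == "__main__":
    for severity, message in check_auth_msal(SAMPLE_CONFIG) or [("ok", "no findings")]:
        print(f"{severity}: {message}")
```

Run it against a deployed configuration file before pushing it to devices; the tenant mismatch and Shared Device Mode checks catch the two edits that most often leave a fleet in a half-working state, and the ignoreAccountChangeBroadcast warning keeps a deliberate deviation from the default visible in review.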