Microsoft Azure For Macos
Get all the features of the Windows 10 Home operating system plus Remote Desktop, Windows Information Protection, BitLocker, and a suite of tools designed for business use. Licensed for one PC or Mac. Windows Information Protection requires either Mobile Device Management or System Center Configuration Manager to manage settings. Azure Pipelines, our hosted CI/CD solution, has been offering developers the ability to build and test applications using Microsoft-hosted macOS and Xcode agents, including apps for iOS and watchOS. Earlier this year, we were excited to share with you that the hosted macOS agents were going to be upgraded to OS X 10.14 (Mojave). Build web apps and deploy them to Azure using open-source tools and features. Create cloud-connected, cross-platform mobile applications and games for iOS, Android, and macOS with Xamarin, .NET, and Unity.
Alongside the introduction of Windows Azure Web Sites and exciting new Virtual Machine capabilities, we recently released a set of open source command line tools that allow you to manage and deploy these new services from the command line on any operating system, including for the first time Apple OS X and Linux. There are very hackish ways to get Mac OS X to run on VMware or VirtualBox, but they tend to be unstable and it's against Apple's licensing agreement. Don't waste your time trying to get this to work in Azure. If you want to be able to create a Windows or Linux Azure VM from a Mac OS X client then.
Important
This feature is in public preview. This preview is provided without a service level agreement and isn't recommended for production workloads. Certain features might be unsupported or have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
The Microsoft Enterprise SSO plug-in for Apple devices provides single sign-on (SSO) for Azure Active Directory (Azure AD) accounts across all applications that support Apple's Enterprise Single Sign-On feature. Microsoft worked closely with Apple to develop this plug-in to increase your application's usability while providing the best protection that Apple and Microsoft can provide.
In this Public Preview release, the Enterprise SSO plug-in is available only for iOS devices and is distributed in certain Microsoft applications.
Features
The Microsoft Enterprise SSO plug-in for Apple devices offers the following benefits:
- Provides SSO for Azure AD accounts across all applications that support Apple's Enterprise Single Sign-On feature.
- Delivered automatically in the Microsoft Authenticator and can be enabled by any mobile device management (MDM) solution.
Requirements
To use Microsoft Enterprise SSO plug-in for Apple devices:
- iOS 13.0 or higher must be installed on the device.
- A Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple devices must be installed on the device. For Public Preview, these applications include the Microsoft Authenticator app.
- Device must be MDM-enrolled (for example, with Microsoft Intune).
- Configuration must be pushed to the device to enable the Microsoft Enterprise SSO plug-in for Apple devices on the device. This security constraint is required by Apple.
Enable the SSO plug-in with mobile device management (MDM)
To enable the Microsoft Enterprise SSO plug-in for Apple devices, your devices need to be sent a signal through an MDM service. Since Microsoft includes the Enterprise SSO plug-in in the Microsoft Authenticator app, use your MDM to configure the app to enable the Microsoft Enterprise SSO plug-in.
Use the following parameters to configure the Microsoft Enterprise SSO plug-in for Apple devices:
- Type: Redirect
- Extension ID: com.microsoft.azureauthenticator.ssoextension
- Team ID: (this field is not needed for iOS)
- URLs:
https://login.microsoftonline.com
https://login.microsoft.com
https://sts.windows.net
https://login.partner.microsoftonline.cn
https://login.chinacloudapi.cn
https://login.microsoftonline.de
https://login.microsoftonline.us
https://login.usgovcloudapi.net
https://login-us.microsoftonline.com
Additional configuration options
Additional configuration options can be added to extend SSO functionality to additional apps.
Enable SSO for apps that don't use MSAL
The SSO plug-in allows any application to participate in single sign-on even if it was not developed using a Microsoft SDK like the Microsoft Authentication Library (MSAL).
The SSO plug-in is installed automatically on devices that have downloaded the Microsoft Authenticator app and registered the device with your organization. Your organization likely uses the Authenticator app today for scenarios like multi-factor authentication, password-less authentication, and conditional access. It can be turned on for your applications using any MDM provider, although Microsoft has made it easy to configure inside Microsoft Endpoint Manager (Intune). An allow list is used to configure these applications to use the SSO plug-in installed by the Authenticator app.
Only apps that use native Apple network technologies or webviews are supported. If an application ships its own network layer implementation, Microsoft Enterprise SSO plug-in is not supported.
Use the following parameters to configure the Microsoft Enterprise SSO plug-in for apps that don't use MSAL:
- Key: AppAllowList
- Type: String
- Value: Comma-delimited list of application bundle IDs for the applications that are allowed to participate in SSO
- Example: com.contoso.workapp, com.contoso.travelapp
Consented apps that are allowed by the MDM admin to participate in the SSO can silently get a token for the end user. Therefore, it is important to only add trusted applications to the allow list.
You don't need to add applications that use MSAL or ASWebAuthenticationSession to this list. Those applications are enabled by default.
Allow creating SSO session from any application
By default, the Microsoft Enterprise SSO plug-in provides SSO for authorized apps only when the SSO plug-in already has a shared credential. The Microsoft Enterprise SSO plug-in can acquire a shared credential when it is called by another ADAL- or MSAL-based application during token acquisition. Most Microsoft apps use the Microsoft Authenticator or the SSO plug-in, so by default, SSO outside of native app flows is best effort.
Enabling the browser_sso_interaction_enabled flag lets non-MSAL apps and the Safari browser do the initial bootstrapping and obtain a shared credential. If the Microsoft Enterprise SSO plug-in doesn't have a shared credential yet, it will try to get one whenever a sign-in is requested from an Azure AD URL inside the Safari browser, ASWebAuthenticationSession, SafariViewController, or another permitted native application.
- Key: browser_sso_interaction_enabled
- Type: Integer
- Value: 1 or 0
We recommend enabling this flag to get more consistent experience across all apps. It is disabled by default.
Disable OAuth2 application prompts
The Microsoft Enterprise SSO plug-in provides SSO by appending shared credentials to network requests coming from allowed applications. Some OAuth2 applications might enforce an end-user prompt at the protocol layer; the shared credential is ignored for those apps.
Enabling the disable_explicit_app_prompt flag restricts the ability of both native and web applications to force an end-user prompt at the protocol layer and bypass SSO.
- Key: disable_explicit_app_prompt
- Type: Integer
- Value: 1 or 0
We recommend enabling this flag to get more consistent experience across all apps. It is disabled by default.
Use Intune for simplified configuration
You can use Microsoft Intune as your MDM service to ease configuration of the Microsoft Enterprise SSO plug-in. For more information, see the Intune configuration documentation.
Using the SSO plug-in in your application
The Microsoft Authentication Library (MSAL) for Apple devices version 1.1.0 and higher supports the Microsoft Enterprise SSO plug-in for Apple devices.
If you're building an application for Frontline Worker scenarios, see Shared device mode for iOS devices for additional setup of the feature.
How the SSO plug-in works
The Microsoft Enterprise SSO plug-in relies on Apple's Enterprise Single Sign-On framework. Identity providers that onboard to the framework can intercept network traffic for their domains and enhance or change how those requests are handled. For example, the SSO plug-in can show additional UI to collect end-user credentials securely, require MFA, or silently provide tokens to the application.
Native applications can also implement custom operations and talk directly to the SSO plug-in. You can learn about the Single Sign-On framework in this 2019 WWDC video from Apple.
Applications that use MSAL
The Microsoft Authentication Library (MSAL) for Apple devices version 1.1.0 and higher supports the Microsoft Enterprise SSO plug-in for Apple devices natively for work and school accounts.
There's no special configuration needed if you've followed all recommended steps and used the default redirect URI format. When running on a device that has the SSO plug-in present, MSAL will automatically invoke it for all interactive and silent token requests, as well as account enumeration and account removal operations. Since MSAL implements native SSO plug-in protocol that relies on custom operations, this setup provides the smoothest native experience to the end user.
If the SSO plug-in is not enabled by MDM, but the Microsoft Authenticator app is present on the device, MSAL will instead use the Microsoft Authenticator app for any interactive token requests. The SSO plug-in shares SSO with the Microsoft Authenticator app.
Applications that don't use MSAL
Applications that don't use MSAL can still get SSO if an administrator adds them to the allow list explicitly.
There are no code changes needed in those apps as long as the following conditions are satisfied:
- Application is using Apple frameworks to execute network requests (for example, WKWebView, NSURLSession)
- Application is using standard protocols to communicate with Azure AD (for example, OAuth2, SAML, WS-Federation)
- Application doesn't collect plaintext username and password in the native UI
In this case, SSO is provided when the application creates a network request and opens a web browser to sign the user in. When a user is redirected to an Azure AD login URL, the SSO plug-in validates the URL and checks if there is an SSO credential available for that URL. If there is one, the SSO plug-in passes the SSO credential to Azure AD, which authorizes the application to complete the network request without asking the user to enter their credentials. Additionally, if the device is known to Azure AD, the SSO plug-in will also pass the device certificate to satisfy the device-based conditional access check.
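The step that matters for security in the flow just described is "the SSO plug-in validates the URL": the shared credential must only ever be attached to requests that genuinely go to Azure AD. The following Python script is an added example, not the plug-in's own logic, showing what a safe version of that check looks like with the Azure AD URLs from the MDM configuration section as the allow list. It contrasts a substring check, which accepts lookalike hosts, with an exact host match over HTTPS, and wraps that in a small request handler whose credential store is a constructed in-memory dictionary.

```python
"""Decide whether a request is bound for Azure AD before attaching a
shared SSO credential to it.

Added example, not the plug-in's own code. The allow list is the set of
Azure AD URLs from the page's MDM configuration; the credential store
and the handler's three outcomes are constructed for illustration.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

AZURE_AD_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.de",
    "https://login.microsoftonline.us",
    "https://login.usgovcloudapi.net",
    "https://login-us.microsoftonline.com",
]

# Normalise the allow list to bare lowercase hostnames once.
ALLOWED_HOSTS = frozenset(urlsplit(u).hostname for u in AZURE_AD_URLS)


def naive_is_azure_ad_url(url: str) -> bool:
    """The substring check that is NOT safe: a lookalike host such as
    login.microsoftonline.com.evil.example contains the allowed name and
    passes, as does plain http."""
    return any(urlsplit(u).hostname in url for u in AZURE_AD_URLS)


def is_azure_ad_login_url(url: str) -> bool:
    """Exact, case-insensitive host match over HTTPS on the default port.

    Rejects lookalike hosts, plaintext http, user@host forms (where the
    real host is after the '@') and non-standard ports, so the shared
    credential can only be sent to the configured identity provider.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    if port not in (None, 443):
        return False
    return parts.hostname.lower() in ALLOWED_HOSTS


def handle_request(url: str,
                   credential_store: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return what the plug-in would do with an outgoing request.

    ("attach", credential)  URL is Azure AD and a credential is held for it
    ("bootstrap", None)     URL is Azure AD but no credential is held yet
    ("pass_through", None)  any other destination: never touch the request
    """
    if not is_azure_ad_login_url(url):
        return ("pass_through", None)
    host = urlsplit(url).hostname.lower()
    credential = credential_store.get(host)
    if credential is None:
        return ("bootstrap", None)
    return ("attach", credential)


# Constructed sample store: host -> opaque credential handle (not a real PRT).
SAMPLE_STORE = {"login.microsoftonline.com": "prt-handle-EXAMPLE"}

if __name__ == "__main__":
    for u in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
              "https://login.microsoftonline.com.evil.example/",
              "https://sts.windows.net/tenant/"):
        print(u, "->", handle_request(u, SAMPLE_STORE))
```

The design choice is to parse first and compare the hostname, never the raw string: urlsplit already lowercases the host and places everything before an '@' into the userinfo component, so the comparison sees the destination the network stack would actually connect to. The same shape of check applies to any allow list of identity-provider URLs, not only this plug-in.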
To support SSO for non-MSAL apps, the SSO plug-in implements a protocol similar to the Windows browser plug-in described in What is a Primary Refresh Token?.
Compared to MSAL-based apps, the SSO plug-in acts more transparently for non-MSAL apps by integrating with the existing browser login experience that apps provide. The end user would see their familiar experience, with the benefit of not having to perform additional sign-ins in each of the applications. For example, instead of displaying the native account picker, the SSO plug-in adds SSO sessions to the web-based account picker experience.
Next steps
For more information about shared device mode on iOS, see Shared device mode for iOS devices.
Last week Microsoft finally released their new Azure Virtual Machine series Dv3 and Ev3. Besides being based on the latest Intel hardware, these machines are also running Windows Server 2016 as the host OS, which supports nested virtualization. Why is that interesting, you might ask? Well, it is interesting because now it is possible to run hypervisors inside an Azure VM. To me as a developer that is pretty cool, because now I can actually create a development machine in the cloud, install Hyper-V on it and run my mobile emulators, or even use Docker for Windows, which is dependent on Hyper-V. Furthermore, as I'm going to show in this blog post, I can also install an open source hypervisor like VirtualBox and use that to emulate a Mac. Of course that can also be done on a local machine, but the benefit of running it in the cloud is that it can be online 24x7, which is great if you need a build or test server. (Beware that Apple licensing is probably not going to approve of this, but let's save that concern for another day.)
So what do you need:
- You need one Azure VM based on Ev3 or Dv3. For my testing I used a Standard_E2_v3 hosted in West Europe (currently the new machines are only in West US 2, East US 2, Southeast Asia and West Europe). I just picked Windows Server 2016 Datacenter and installed everything from the Azure portal; no ARM templates for my testing purposes.
- Once the machine is provisioned, you need VirtualBox. You can download that from https://www.virtualbox.org/wiki/Downloads. For some reason it downloaded super slowly from Azure, so I downloaded it on my local machine and uploaded it through Remote Desktop.
- With VirtualBox installed it is time to install the operating system of your choice on your nested virtual machine. As I promised, I'm going to install macOS Sierra. Luckily, some more Apple-savvy people have described how to do this; the guide I followed is https://techsviewer.com/install-macos-sierra-virtualbox-windows. Basically the guide boils down to downloading a base image, then setting up a VM in VirtualBox and applying a few tweaks to it to trick macOS into thinking it is running on a Mac, and then booting the machine.
- You can download the image from https://goo.gl/OKgCeH
- When you create your new VM from the downloaded image, select Mac OS X as the type and Mac OS X (64-bit) El Capitan as the version.
- The commands you are required to run using VBoxManage (which is found in C:\Program Files\Oracle\VirtualBox) are:
VBoxManage.exe modifyvm "macos" --cpuidset 00000001 000106e5 00100800 0098e3fd bfebfbff
VBoxManage setextradata "macos" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "iMac11,3"
VBoxManage setextradata "macos" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0"
VBoxManage setextradata "macos" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Iloveapple"
VBoxManage setextradata "macos" "VBoxInternal/Devices/smc/0/Config/DeviceKey" "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"
VBoxManage setextradata "macos" "VBoxInternal/Devices/smc/0/Config/GetKeyFromRealSMC" 1
Replace "macos" with the name of the virtual machine you created.
- Before you try to boot the machine, be sure to increase the video memory of the VM to 128 MB; it will not boot with less.
This is all it takes to get macOS up and running on Azure using nested virtualization and VirtualBox. If you are planning to do a lot of work on macOS, I can recommend using a machine with SSD. Also note that the image linked to is not the latest version of Sierra, so you will have to run an update after the installation. If someone can point me to a publicly downloadable image of a more recent version, please let me know in the comments.
Categories: Software, Windows Azure