MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json‎
Lines changed: 10 additions & 0 deletions b/‎.openpublishing.redirection.json‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎memdocs/intune/apps/apps-supported-intune-apps.md‎
Lines changed: 69 additions & 69 deletions b/‎memdocs/intune/apps/apps-supported-intune-apps.md‎
Lines changed: 69 additions & 69 deletions
diff --git a/‎memdocs/intune/configuration/vpn-settings-windows-10.md‎
Lines changed: 5 additions & 2 deletions b/‎memdocs/intune/configuration/vpn-settings-windows-10.md‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎memdocs/intune/developer/app-sdk-android-appendix.md‎
Lines changed: 334 additions & 0 deletions b/‎memdocs/intune/developer/app-sdk-android-appendix.md‎
Lines changed: 334 additions & 0 deletions
diff --git a/‎memdocs/intune/developer/app-sdk-android-phase1.md‎
Lines changed: 282 additions & 0 deletions b/‎memdocs/intune/developer/app-sdk-android-phase1.md‎
Lines changed: 282 additions & 0 deletions
diff --git a/‎memdocs/intune/developer/app-sdk-android-phase2.md‎
Lines changed: 204 additions & 0 deletions b/‎memdocs/intune/developer/app-sdk-android-phase2.md‎
Lines changed: 204 additions & 0 deletions
@@ -1,5 +1,15 @@
 {
     "redirections": [
+        {
+            "source_path": "memdocs/intune/developer/app-sdk-android.md",
+            "redirect_url": "/mem/intune/developer/app-sdk-android-phase1",
+            "redirect_document_id": false
+        }, 
+        {
+            "source_path": "memdocs/intune/developer/app-sdk-android-testing-guide.md",
+            "redirect_url": "/mem/intune/developer/app-sdk-android-phase1",
+            "redirect_document_id": false
+        }, 
         {
             "source_path": "memdocs/intune/fundamentals/end-user-company-portal-messages.md",
             "redirect_url": "/mem/intune/user-help/sign-in-to-the-company-portal",
 
@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 05/12/2022
+ms.date: 08/22/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -108,6 +108,9 @@ The following settings are shown depending on the connection type you select. No
 
   - **Derived credential**: Use a certificate that's derived from a user's smart card. If no derived credential issuer is configured, Intune prompts you to add one. For more information, see [Use derived credentials in Intune](../protect/derived-credentials.md).
 
+    > [!NOTE]
+    > Currently, derived credentials as an authentication method for VPN profiles isn't working as expected on Windows devices. This behavior only impacts VPN profiles on Windows devices and will be fixed in a future release (no ETA).
+
   - **EAP** (IKEv2 only): Select an existing Extensible Authentication Protocol (EAP) client certificate profile to authenticate. Enter the authentication parameters in the **EAP XML** setting.
 
     For more information on EAP authentication, see [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) and [EAP configuration](/windows/client-management/mdm/eap-configuration).
@@ -239,7 +242,7 @@ Example:
 
 - **DNS suffix search list**: In **DNS suffixes**, enter a DNS suffix, and **Add**. You can add many suffixes.
 
-  When using DNS suffixes, you can search for a network resource using its short name, instead of the fully qualified domain name (FQDN). When searching using the short name, the suffix is automatically determined by the DNS server. For example, `utah.contoso.com` is in the DNS suffix list. You ping `DEV-comp`. In this scenario, it resolves to `DEV-comp.utah.contoso.com`.
+  When using DNS suffixes, you can search for a network resource using its short name, instead of the fully qualified domain name (FQDN). When you search using the short name, the suffix is automatically determined by the DNS server. For example, `utah.contoso.com` is in the DNS suffix list. You ping `DEV-comp`. In this scenario, it resolves to `DEV-comp.utah.contoso.com`.
 
   DNS suffixes are resolved in the order listed, and the order can be changed. For example, `colorado.contoso.com` and `utah.contoso.com` are in the DNS suffix list, and both have a resource called `DEV-comp`. Since `colorado.contoso.com` is first in the list, it resolves as `DEV-comp.colorado.contoso.com`.
   
 
@@ -0,0 +1,204 @@
+---
+# required metadata
+
+title: Microsoft Intune App SDK for Android developer integration and testing guide - MSAL Prerequisite
+description: Understand the MSAL prerequisite to incorporate Intune mobile app management (MAM) into your Android app.
+keywords: SDK
+author: Erikre
+ms.author: erikre
+manager: dougeby
+ms.date: 08/24/2022
+ms.topic: reference
+ms.service: microsoft-intune
+ms.subservice: developer
+ms.localizationpriority: medium
+ms.technology:
+ms.assetid: 0100e1b5-5edd-4541-95f1-aec301fb96af
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: jamiesil
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.collection:
+- M365-identity-device-management
+- Android
+ms.custom: intune-classic
+---
+
+# Intune App SDK for Android - Understand the MSAL Prerequisite
+
+The Microsoft Intune App SDK for Android lets you incorporate Intune app protection policies (also known as **APP** or MAM policies) into your native Java/Kotlin Android app. An Intune-managed application is one that is integrated with the Intune App SDK. Intune administrators can easily deploy app protection policies to your Intune-managed app when Intune actively manages the app.
+
+> [!NOTE]
+> This guide is divided into several distinct stages. Start by reviewing [Plan the Integration](..\developer\app-sdk-android-phase1.md).
+
+## Stage 2: The MSAL Prerequisite
+
+## Stage Goals
+
+- Register your application with Azure Active Directory (AAD).
+- Integrate MSAL into your Android application.
+- Verify that your application can obtain a token that grants access to protected resources.
+
+## Background
+
+The [Microsoft Authentication Library (MSAL)] gives your application the ability to use the Microsoft Cloud by supporting [Microsoft Azure Active Directory (AAD)] and [Microsoft accounts].  
+
+MSAL isn't- specific to Intune.
+Intune has a dependency on AAD; all Intune user accounts are AAD accounts.
+**As a result, the vast majority of Android applications that integrate the Intune App SDK will need to integrate MSAL as a prerequisite.**
+
+This stage of the SDK guide overviews the MSAL integration process as it relates to Intune; **follow the linked MSAL guides in their entirety**.
+
+To simplify the Intune App SDK integration process, **Android app developers are strongly encouraged to fully integrate and test MSAL before downloading the Intune App SDK.**
+The Intune App SDK integration process *does- require code changes around MSAL token acquisition.
+It will be significantly easier to test the Intune-specific token acquisition changes if you've already confirmed your app's original token acquisition implementation works as expected.
+
+To learn more about AAD, see [What is Azure Active Directory?]
+
+To learn more about MSAL, see the [MSAL Wiki] and [list of MSAL libraries].
+
+## Register your Application with AAD
+
+Before integrating MSAL into your Android application, follow the instructions to [register your application with Azure Active Directory].
+This will generate a **Client ID** for your application.
+
+Next, follow the instructions to [give your app access to the Intune app protection service].
+
+## Configure Microsoft Authentication Library (MSAL)
+
+First, read the MSAL integration guidelines found in the [MSAL repository on GitHub], specifically the section [using MSAL].
+
+This guide describes how to:
+
+- Add MSAL as a dependency to your Android application.
+- Create an MSAL configuration file.
+- Configure your application's `AndoridManifest.xml`.
+- Add code to acquire a token.
+
+### Brokered Authentication
+
+Single sign-on (SSO) allows users to only enter their credentials once and have those credentials automatically work across applications.
+MSAL can enable SSO across your suite of apps; by using a broker application (either the Microsoft Authenticator or Microsoft Intune Company Portal), you can extend SSO across the entire device.
+Brokered authentication is also required for Conditional Access.
+See [Enable cross-app SSO on Android using MSAL] for more details on brokered authentication.
+
+This guide assumes that you're enabling brokered authentication within your application(s) following the steps at the link above, especially [Generate a redirect URI for a broker] and [Configure MSAL to use a broker] for configuration and [Verify broker integration] for testing.
+
+**If you are not enabling brokered authentication in your application, pay extra attention to [Intune-specific MSAL configuration]**.
+
+### Intune-specific MSAL configuration
+
+Intune has up to four settings you may need to add to your application's `AndroidManifest.xml`.
+These settings help ensure that Intune's authentication policy can be properly enforced and prevent unnecessary authentication prompts for end users.
+
+These settings include:
+
+```xml
+<meta-data
+    android:name="com.microsoft.intune.mam.aad.ClientID"
+    android:value="your-client-ID-GUID" />
+<meta-data
+    android:name="com.microsoft.intune.mam.aad.Authority"
+    android:value="https://AAD authority/" />
+<meta-data
+    android:name="com.microsoft.intune.mam.aad.SkipBroker"
+    android:value="[true | false]" />
+<meta-data
+    android:name="com.microsoft.intune.mam.aad.NonBrokerRedirectURI"
+    android:value="your-redirect-URI" />
+```
+
+| Setting | Description | Required for MSAL? | Required by Intune? |
+| - | - | - | - |
+| `ClientID`             | The AAD ClientID (also known as the "Application ID") for your app. <br> There's no default `ClientID`. Use the `ClientID` from [Register your Application with AAD] for your app. |  Yes | No |
+| `Authority`            | The AAD authority to issue a token. <br> By default, this value is the AAD public environment. If overridden, the AAD authority entered will issue the token for your application, which allows authentication to non-default environments, such as Sovereign clouds. | No | If your application requires a non-default authority, yes. **Most apps should not set the Authority parameter.** |
+| `SkipBroker`           | Boolean value for altering the default MSAL SSO behavior. <br> By default, this value is "false". | No | If your app doesn't support brokered authentication/device-wide SSO, yes and set `SkipBroker` to "true". **Most apps should not set the SkipBroker parameter.** |
+| `NonBrokerRedirectURI` | [AAD redirect URI] to use in broker-less cases. By default, this value isn't present. | No | If the `SkipBroker` setting is set to "true" and your app requires a redirect URI, yes. **Most apps should not set the NonBrokerRedirectURI parameter.** |
+
+> [!CAUTION]
+> Applications that do not integrate MSAL **must not** include any of these 4 properties in the manifest.
+
+For more detail on non-Intune-specific MSAL configuration options, see [Android Microsoft Authentication Library configuration file].
+
+For more detail on Sovereign clouds, see [Use MSAL in a national cloud environment].
+
+
+## Exit Criteria
+
+- Have you integrated MSAL into your application?
+- Have you enabled broker authentication by generating a redirect URI and setting it in the MSAL configuration file?
+- Have you configured the Intune-specific MSAL settings in the `AndroidManifest.xml`?
+- Have you tested brokered authentication, confirmed that a work account is added to Android's Account Manager, and tested SSO with other Microsoft 365 apps?
+- If you implemented Conditional Access, have you tested both device-based CA and app-based CA to validate your CA implementation?
+
+## FAQ
+
+### What about ADAL?
+
+Microsoft's previous authentication library, [Azure Active Directory Authentication Library (ADAL)], is **deprecated**.
+
+If your application has already integrated ADAL, see [Update your applications to use Microsoft Authentication Library (MSAL)].
+To migrate your app from ADAL to MSAL, see [Migrate Android ADAL to MSAL] and [Differences between ADAL and MSAL].
+
+**It is recommended to migrate from ADAL to MSAL prior to integrating the Intune App SDK.**
+
+## Next Steps
+
+After you've completed all the [Exit Criteria] above, continue to [Stage 3: Getting Started with MAM].
+
+<!-- Stage 2 links -->
+<!-- internal links -->
+[Register your Application with AAD]:#register-your-application-with-aad
+[Intune-specific MSAL configuration]:#intune-specific-msal-configuration
+[Exit Criteria]:#exit-criteria
+
+<!-- Other SDK Guide Markdown docs -->
+[Stage 1: Planning the Integration]:app-sdk-android-phase1.md
+[Stage 3: Getting Started with MAM]:app-sdk-android-phase3.md
+
+<!-- Microsoft docs: AAD -->
+[Microsoft Azure Active Directory (AAD)]:https://azure.microsoft.com/services/active-directory/
+[Microsoft accounts]:https://account.microsoft.com/
+[What is Azure Active Directory?]:/azure/active-directory/fundamentals/active-directory-whatis
+[register your application with Azure Active Directory]:/azure/active-directory/active-directory-app-registration
+
+<!-- Microsoft docs: MSAL-->
+[Microsoft Authentication Library (MSAL)]:/azure/active-directory/develop/msal-overview
+[list of MSAL libraries]:/azure/active-directory/develop/reference-v2-libraries
+[MSAL Wiki]:https://github.com/AzureAD/
+[using MSAL]: https://github.com/AzureAD/microsoft-authentication-library-for-android#using-msal
+[Enable cross-app SSO on Android using MSAL]:/azure/active-directory/develop/msal-android-single-sign-on
+[Generate a redirect URI for a broker]:/azure/active-directory/develop/msal-android-single-sign-on#generate-a-redirect-uri-for-a-broker
+[Configure MSAL to use a broker]:/azure/active-directory/develop/brokered-auth#configure-msal-to-use-a-broker
+[Verify broker integration]:/azure/active-directory/develop/msal-android-single-sign-on#verify-broker-integration 
+[AAD redirect URI]:/azure/active-directory/develop/msal-client-application-configuration#redirect-uri
+[Use MSAL in a national cloud environment]:/azure/active-directory/develop/msal-national-cloud
+[Android Microsoft Authentication Library configuration file]:/azure/active-directory/develop/msal-configuration
+[MSAL repository on GitHub]: https://github.com/AzureAD/microsoft-authentication-library-for-android
+
+<!-- Microsoft docs: ADAL -->
+[Azure Active Directory Authentication Library (ADAL)]:/azure/active-directory/azuread-dev/active-directory-authentication-libraries
+
+<!-- Microsoft docs: ADAL to MSAL -->
+[Update your applications to use Microsoft Authentication Library (MSAL)]:https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363
+[Migrate Android ADAL to MSAL]:/azure/active-directory/develop/migrate-android-adal-msal
+[Differences between ADAL and MSAL]:/azure/active-directory/develop/msal-overview#differences-between-adal-and-msal
+
+<!-- Microsoft docs: CA -->
+[Conditional Access (CA)]:/azure/active-directory/develop/active-directory-conditional-access-developer
+[device-based CA]:/mem/intune/protect/conditional-access-intune-common-ways-use#device-based-conditional-access
+[app-based CA]:/mem/intune/conditional-access-intune-common-ways-use#app-based-conditional-access
+[configuring app-based CA]:/mem/intune/protect/app-based-conditional-access-intune-create
+
+
+<!-- Microsoft docs -->
+[give your app access to the Intune app protection service]:/mem/intune/developer/app-sdk-get-started#give-your-app-access-to-the-intune-app-protection-service-optional
+
+<!-- Other Microsoft links -->
+[Microsoft Endpoint Manager admin center]:https://go.microsoft.com/fwlink/?linkid=2109431