IBM Security MaaS360


Setting up Modern Authentication for MaaS360 - Part1 (Mail Access)

By Margaret Radford posted Fri December 17, 2021 08:19 PM

In this blog we’ll help you prepare for transitioning from Basic Authentication to Modern Authentication, focusing specifically on MaaS360’s support of modern authentication for Exchange Online email access and cloud-based SharePoint and OneDrive access. Part 2 of this blog will cover Modern Authentication for enrollments, PIN resets, the end user portal and Docs.

Basic Authentication vs. Modern Authentication

First, let’s briefly discuss the difference between basic and modern authentication. In the simplest terms, basic authentication uses a username and password that the requesting application transmits to the service each time it makes an access request. The service can be Exchange Online, Salesforce, or Box, to name a few. The username and password are typically stored on the requesting device, for example in the browser.

Modern authentication is a term that describes Federated Identity Management. Federated Identity Management moves away from usernames and passwords being transmitted directly from the requester to the service, in favor of token-based claims generated by Identity Providers (IdPs) such as IBM Verify, Microsoft Azure AD, Okta, and Ping. The IdP issues these tokens to the requesting user/device, which presents them to the service. The device stores the tokens rather than the username and password, so the credential itself is never sent to, or held by, the service. Multifactor Authentication (MFA), passwordless sign-in, and Single Sign-On (SSO) are all components of modern authentication.
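As an added illustration (not part of the original post), the following Python shows what a captured Authorization header carries under each model: a Basic header yields the user’s password outright, while a bearer token carries an issuer, audience and expiry that limit where and for how long it is valid. The sample credentials, audience value and token are constructed for this example, and the token’s signature is a placeholder that is not verified here; a real resource server must verify the IdP’s signature before trusting any claim.

```python
import base64
import json

# Constructed audience value for this example; a real tenant's resource
# identifier comes from the IdP/app registration, not from this script.
EXPECTED_AUD = "https://outlook.office365.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a JWT-shaped token for illustration only (constructed, unsigned).
    A real access token is signed by the IdP; the third segment here is a
    placeholder and must never be accepted by a resource server."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.PLACEHOLDER-SIGNATURE"


def inspect_authorization(header: str, now: int, expected_aud: str = EXPECTED_AUD) -> dict:
    """Report what a captured header exposes and which limits bound its use."""
    scheme, _, value = header.partition(" ")
    if scheme == "Basic":
        # Basic auth: the password itself travels on every request and is fully
        # recoverable from the header, so a captured header works anywhere.
        user, _, _password = base64.b64decode(value).decode().partition(":")
        return {"scheme": scheme, "user": user, "password_exposed": True,
                "audience_ok": None, "expired": None}
    if scheme == "Bearer":
        # Modern auth: the device holds an IdP-issued token, not the password.
        # The claims pin the token to one audience and one validity window.
        segments = value.split(".")
        if len(segments) != 3:
            raise ValueError("malformed bearer token")
        claims = json.loads(_b64url_decode(segments[1]))
        return {"scheme": scheme, "user": claims.get("preferred_username"),
                "password_exposed": False,
                "audience_ok": claims.get("aud") == expected_aud,
                "expired": int(claims.get("exp", 0)) <= now}
    raise ValueError(f"unsupported scheme: {scheme}")


# Constructed sample headers (not real credentials or tokens).
BASIC_HEADER = "Basic " + base64.b64encode(b"alice@example.com:S3cret!").decode()
BEARER_HEADER = "Bearer " + make_demo_token({
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",  # placeholder
    "aud": EXPECTED_AUD, "preferred_username": "alice@example.com",
    "iat": 1_700_000_000, "exp": 1_700_003_600})
```

Calling `inspect_authorization(BASIC_HEADER, now=1_700_000_000)` shows the username with `password_exposed` True, while the same call on `BEARER_HEADER` reports no password, a matching audience and, once `now` passes `exp`, an expired token.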

Basic Authentication: How can you determine if you are using basic authentication in MaaS360?

Note: If you are not an existing MaaS360 customer, you can skip to the Modern Authentication section.

You can usually determine that you are using basic authentication because the screen provided for username and password entry is part of the requesting application’s user interface. If you are using modern authentication, you are redirected to your IdP’s external login screen.

  • Email access with basic authentication
    • iOS MDM ActiveSync Policy has Enable OAuth Authentication set to No
    • Android MDM ActiveSync Policy has Authentication Mode set to Basic
    • WorkPlace Persona Policy for Secure Mail has Enable SSO set to No
    • In each case, the user enters their credentials in the requesting application. For mail configured through the MDM policy, the native iOS (Apple Mail) and Android (Gmail) email account configuration prompts for the username and password. When using Secure Mail, the user is prompted for credentials as part of the Secure Mail app’s account configuration.
  • SharePoint and OneDrive access through the MaaS360 secure container’s Docs application with basic authentication
    • WorkPlace Persona Policy for Secure Mail has Enable SSO set to No
    • The user is prompted for credentials through the MaaS360 Docs application, and there is no SSO between Secure Mail, SharePoint and OneDrive.

Modern Authentication: How to set up modern authentication for MaaS360 Secure Mail and MaaS360 Docs

In this section we describe the configurations needed for MaaS360 Secure Mail to use modern authentication to access Exchange Online email and cloud-based SharePoint and OneDrive.

If you use the MaaS360 Secure Mail app and access SharePoint and OneDrive through the MaaS360 Docs app, enabling modern auth in the MaaS360 Persona Policy for Secure Mail also enables SSO across these three services within the MaaS360 container apps.

Configure modern auth access for Secure Mail and Exchange Online, and SSO for mail, SharePoint and OneDrive access

MaaS360 Secure Mail uses the WorkPlace Persona policy for email configurations. You can change your existing Workplace Persona policy that is set up for basic auth, but you should consider creating a new Workplace Persona Policy configured for Modern Auth and try it out on a test group of users to make sure everything is working before you change the policy that is assigned to all of your users.

  1. Register the MaaS360 app in your Azure AD tenant

https://www.ibm.com/docs/en/maas360?topic=authentication-registering-maas360-app-in-azure-ad-tenant

  2. Configure modern auth in the MaaS360 Workplace Persona Policy

https://www.ibm.com/docs/en/maas360?topic=sign-configuring-office-365-mail-single

  3. Configure SharePoint for single sign-on (if you are accessing SharePoint from MaaS360 Docs)

https://www.ibm.com/docs/en/maas360?topic=sign-configuring-office-365-sharepoint-single

  4. Configure OneDrive for single sign-on (if you are accessing OneDrive from MaaS360 Docs)

https://www.ibm.com/docs/en/maas360?topic=sign-configuring-office-365-onedrive-single


User Experience Changes

If you are switching from basic authentication to modern authentication to access Exchange Online, SharePoint and OneDrive, the user experience is going to change. As noted in the Basic Authentication section, if you are currently using basic auth to access these services, the sign-in uses the source app’s own account login screen. When you configure modern authentication, the user is prompted to authenticate by being redirected to the IdP’s login screen once the policy settings are applied on the device. The IdP can be Azure AD, ADFS, Okta, Ping or IBM Verify, to name a few.

Important: If you already have users with Persona Policies using Basic Auth to access Exchange Online and you are applying a new Persona Policy, or updating the existing one, with the Modern Auth configuration, you must force a reset of the policy in order for Modern Auth access to replace Basic Auth. You can do this in one of two ways after applying the new Persona Policy updates:

  • Initiate selective wipes on all the devices you want to change to Modern Auth, and then revoke the selective wipe. After the process completes, the user is prompted to sign in to mail again.

       OR

  • Instruct users to tap Settings in the MaaS360 app, then tap Mail, Contacts, Calendar, Tasks, and then tap Reset Account. The user is prompted to sign in to mail again.

Basic Auth Secure Mail Login: This is what the user sees when accessing mail using Basic Auth with Secure Mail.

Modern Auth Secure Mail Login: This is what the user sees when accessing mail using Modern Auth with Secure Mail when Azure AD is the IdP. If you use another IdP, the user is redirected to that IdP’s login screen.

Prior to enabling SSO for Secure Mail, SharePoint and OneDrive, the user has to log in to SharePoint and OneDrive separately after logging in to Secure Mail. When you enable modern auth (SSO) for all three, the user only has to log in once. The following is the prompt the user sees for SharePoint access.

Modern Authentication: How to set up modern authentication in MaaS360 MDM policies to access mail

If you are switching from basic authentication to modern authentication to access Exchange Online using MaaS360 MDM policies, the user experience is going to change. As noted in the Basic Authentication section, if you are currently using basic auth to access these services, the sign-in uses the device OS’s native mail account login screen. When you configure modern authentication, the user is prompted to authenticate by being redirected to the IdP’s login screen once the policy settings are applied on the device. The IdP can be Azure AD, ADFS, Okta, Ping or IBM Verify, to name a few.

In this section we describe the configurations needed in MaaS360 MDM policies to access Exchange Online mail using Modern Auth, by device OS.

MaaS360 MDM policies are used to configure mail access for native mail applications (Android Enterprise – Gmail, iOS – Apple Mail). You can change your existing MDM policy that is set up for basic auth, but you should consider creating a new MDM policy configured for Modern Auth and trying it out on a test group of users to make sure everything is working before you change the policy that is assigned to all of your users.


Configuring the MaaS360 Android MDM policy for modern authentication access to Exchange Online

In the Android MDM policy, go to Android Enterprise Settings > Active Sync and set Authentication Mode to Modern.
Note: In the Android MDM policy under App Compliance, enable Configure allowed system applications and allow Google Chrome/Samsung Browser and Gmail. In the Browser settings, set Allow Browser (Chrome) to Yes.


Configuring the MaaS360 iOS MDM policy for modern authentication access to Exchange Online

In the iOS MDM policy, go to Device Settings > Active Sync and set Enable OAuth Authentication to Yes.
Note: Leave the OAuth Sign-in URL and the OAuth Token Request URL blank. These are not required when accessing Exchange Online.

User Experience Changes

If you are switching from basic authentication to modern authentication to access Exchange Online, the user experience is going to change for mail access. As noted in the Basic Authentication section, if you are currently using basic auth to access these services, the sign-in uses the OS’s native mail account login screen: Android – Gmail, iOS – Apple Mail. When you configure modern authentication, the user is prompted to authenticate by being redirected to the IdP’s login screen once the policy settings are applied on the device.

If you have the Azure SSO authentication custom property enabled in your MaaS360 portal, the Gmail app ignores the Basic Authentication Mode configured in the ActiveSync settings and redirects to the IdP. Therefore, before enabling this custom property, consider the effect it will have on native mail access for your users.


iOS MDM Basic Auth Mail Access

iOS MDM Modern Auth Mail Access

When you select Edit Settings, you are redirected to the IdP login.


Android Enterprise MDM Basic Auth Mail Access

When policy settings are applied, you are prompted to apply corporate settings and directed to the Configure Android enterprise mail prompt with your email address prefilled. When you select Configure, you are presented with the Gmail screen to enter your password.




Android Enterprise MDM Modern Auth Mail Access

When policy settings are applied, you are prompted to apply corporate settings and directed to the Configure Android enterprise mail prompt. The Enter your Corporate credentials screen is displayed with the username prefilled. When you select Configure, you are redirected to the IdP login (in this example, Azure AD).

Note: If you have the Azure SSO custom property set, you are not prompted to enter your credentials again.


Resources

For your reference, Microsoft has announced their timeline for the deprecation of basic authentication support for Exchange Online here:

https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210

If you are an existing MaaS360 customer currently using Microsoft Active Directory and you are transitioning to Microsoft Azure AD, whether hybrid or full cutover, please review our blog Migrating from On Premise AD to Azure AD with IBM MaaS360.

If you are an existing MaaS360 customer currently using Exchange On Premise and you are transitioning to Exchange Online, please review our blog Migrating to Office 365 with IBM MaaS360.
