AMAGE Shell - Azure AD connection setup

Introduction

This document describes how the AMAGE Shell application communicates with external Microsoft Azure AD (Active Directory) authorization servers during authorization when the user's profile has additional security configured for the company (work) profile and device verification through Microsoft Intune.

Principles of use

When enterprise administrators set up additional security mechanisms for accessing corporate resources from mobile devices, additional communication requirements may arise. One such case is a phone with a work profile, the Microsoft Intune application installed, and so-called additional security policies enforced by the administrators. One of these policies is that the servers accept connections only from mobile devices that the IT department has marked as verified and safe, i.e. devices that, for example, have a password or lock PIN set and no malware installed.

To ensure this, the Microsoft Intune app is installed in the work profile on the device. When connecting to company servers, mobile applications must present their identity to the servers, i.e. prove that they run on a registered company device.

To do this, support for this type of authorization and communication has been added to the AMAGE Shell application.

Configuration

The AMAGE Shell application has been developed to support this extended authorization mechanism as transparently as possible. On some devices, logging in proceeds without any additional configuration. On others, additional messages may appear; follow their instructions as described below.

When connecting to servers that require extended identification, the following message may appear.

Figure 1. Extended identification message.

The application detects that the server requires this additional authorization and informs the user. After the message is confirmed, the application saves in its configuration the additional-authorization option and the option to display the authorization certificate selection prompt.

The same options can be set manually in the application settings. Open them from the drawer by selecting Settings,

Figure 2. Configuration view

then select the General section.

Figure 3. Configuration section selection

In this section, ENABLE the Use client certificates option.

Figure 4. Use client certificates option

After leaving the settings, restart the application; from then on the application will present the additional certificate for user authorization.

Usage

When these options are enabled, the device identity (certificate) is used when communication with the Microsoft authorization server starts. The certificate is selected when the application starts (or when the request starts); the certificate selection window shown below then appears. Select the appropriate certificate (usually microsoft workaccount or similar) to continue with the authorization.

Figure 5. Selection of the certificate

The application tries to perform these operations in the background, but the behaviour may differ between devices. This is why the configuration options that enable this possibility were added.
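The certificate selection window in Figure 5 is the operating system's client-certificate chooser. What a mobile app then does with the chosen certificate is shown below as an added example; it is not AMAGE Shell's own code and assumes an Android app that uses the platform KeyChain and mutual TLS, with a hypothetical AUTH_HOST and authorization URL.

```java
// Added illustration (not AMAGE Shell's code): let the user pick the work-profile client
// certificate via the system KeyChain chooser, then present it as the TLS client certificate
// when opening the HTTPS request to the authorization server. AUTH_HOST is an assumption.
import android.app.Activity;
import android.security.KeyChain;
import android.security.KeyChainAliasCallback;
import android.security.KeyChainException;
import java.net.Socket;
import java.net.URL;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

public final class ClientCertAuth {
    private static final String AUTH_HOST = "login.microsoftonline.com"; // assumed Azure AD host
    /** Shows the system certificate picker (the "Selection of the certificate" window). */
    public static void chooseDeviceCertificate(Activity activity, KeyChainAliasCallback onChosen) {
        // keyTypes/issuers null: list every client certificate the work profile exposes to the app.
        KeyChain.choosePrivateKeyAlias(activity, onChosen, null, null, AUTH_HOST, 443, null);
    }
    /** KeyManager that always answers the server's certificate request with the chosen alias.
     *  Must be called off the main thread: KeyChain.getPrivateKey blocks. The key never leaves
     *  the device keystore; the app only gets a handle that the TLS stack can sign with. */
    static X509KeyManager keyManagerFor(Activity ctx, final String alias)
            throws KeyChainException, InterruptedException {
        final PrivateKey key = KeyChain.getPrivateKey(ctx, alias);
        final X509Certificate[] chain = KeyChain.getCertificateChain(ctx, alias);
        return new X509KeyManager() {
            public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return alias; }
            public X509Certificate[] getCertificateChain(String a) { return chain; }
            public PrivateKey getPrivateKey(String a) { return key; }
            public String[] getClientAliases(String t, Principal[] i) { return new String[] { alias }; }
            public String chooseServerAlias(String t, Principal[] i, Socket s) { return null; }
            public String[] getServerAliases(String t, Principal[] i) { return null; }
        };
    }
    /** Opens the authorization request with mutual TLS; server trust stays on the system CA set. */
    public static HttpsURLConnection openWithClientCert(Activity ctx, String alias, URL authUrl)
            throws Exception {
        SSLContext ssl = SSLContext.getInstance("TLS");
        ssl.init(new KeyManager[] { keyManagerFor(ctx, alias) }, null, null); // null = default trust
        HttpsURLConnection conn = (HttpsURLConnection) authUrl.openConnection();
        conn.setSSLSocketFactory(ssl.getSocketFactory());
        return conn;
    }
}
```

If the server's TLS handshake asks for a client certificate and the alias is absent or not yet granted to the app, the handshake fails; that is the case in which the "extended identification" prompt and the Use client certificates option described above apply.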

This howto is based on system version 1.17.0.2 (03.2022) and presents features that may not be available in your system. Ask AMAGE about making this functionality available.

Due to ongoing development of the system, some screens or configuration files may look slightly different, but they retain the full functionality described here. This does not affect the core functionality described in this document.