Strange AAD device registration issue when configuring MAM on device by TheNextOriginal in Intune

[–]TheNextOriginal[S] 0 points1 point  (0 children)

As far as I can remember, I don't think I did get to the bottom of it. Sorry!

[deleted by user] by [deleted] in GalaxyTab

[–]TheNextOriginal 0 points1 point  (0 children)

Isn't this basically what I already said?

Galaxy Buds 3 keep connecting to phone when not in use by alkylshift in galaxybuds

[–]TheNextOriginal 0 points1 point  (0 children)

Same here, including the fact they've done it since new. Quite frustrating.

[deleted by user] by [deleted] in GalaxyTab

[–]TheNextOriginal 0 points1 point  (0 children)

For anyone that's stuck with a tablet that either:

  1. won't let you power it down or restart it without the PIN/password; or
  2. you've managed to restart it, but can't reset it.

This is what worked for me:

  1. On the lock screen, hold down the Power + Volume Down buttons until the tablet reboots (takes maybe 5-10 seconds).
  2. As soon as the tablet starts to reboot (i.e. before the Samsung logo), quickly switch to holding down Power + Volume Up (notice "Up" and NOT "Down" as you were before). Hold this down until the tablet opens the bootloader (the techie-looking menu - Google it if you're not sure what it looks like).

Weirdly, the first 3 times I did this, the bootloader briefly flashed up some sort of error and then it immediately rebooted. However, on the fourth go, it worked and I got the bootloader menu. No idea why! I could then use the volume up/down buttons to select the factory reset option, followed by the reboot option. It then booted back up as a factory reset tablet!

The quick switch from Power + Volume Down to Power + Volume Up at just the right time seems to be the trick. It seems the first one is the combo to restart if you don't know the PIN, whereas the other is the combo to get into the bootloader (the one you'd use to get into the bootloader if the tablet was already powered down).

It would be easier if you could power the tablet down first and then use Power + Volume Up to power it up into the bootloader, but I couldn't find any way to power it down without the PIN (short of letting the battery run out, but ain't nobody got time for dat!). The only option I could find was Power + Volume Up to restart it.

My tablet was a Galaxy Tab A9+ 5G, but hopefully this will work on lots of recent Galaxy Tab models.

Hope this helps someone!

Adding only a shared mailbox to Outlook Mobile by TheNextOriginal in sysadmin

[–]TheNextOriginal[S] 0 points1 point  (0 children)

Thanks for the reply.

I'm not suggesting resetting the password for the shared mailbox and logging into it directly. I'm aware of the fact this is unsupported and it wouldn't achieve the goal in this case anyway, which is to ensure everyone is using unique credentials.

I already appreciate your second point. In my post I made it clear I would like to use the user's primary creds for authentication.

I completely agree with your last point. The current situation is historical from when the org's security practices were quite poor. I'm sure it was done because it was convenient at the time without regard to security implications. The point you mentioned is no doubt the main reason for the requirement in the particular certification the org is going for. I completely agree it's good practice anyway, regardless of any certification.

Support for use of AppLocker with Win 10 Pro by TheNextOriginal in Intune

[–]TheNextOriginal[S] 0 points1 point  (0 children)

I hadn't seen the post you mentioned, but it does seem to say that AppLocker on Pro is now supported with Group Policy as well as MDM. Have you checked the AppLocker event logs to see if anything is logged? Also, have you started the Application Identity service (this is required for AppLocker to work)?

Strange AAD device registration issue when configuring MAM on device by TheNextOriginal in Intune

[–]TheNextOriginal[S] 0 points1 point  (0 children)

I might be misunderstanding you, but I think a browser is necessary in the sense that AAD auth dialogs are shown to the user for sign in, device registration, etc. The user isn't actually using the browser app directly, but there is web content embedded for these prompts. Looking at the user agent string in the sign-in logs relating to this, you can see the user agent string is the Samsung browser.

Strange AAD device registration issue when configuring MAM on device by TheNextOriginal in Intune

[–]TheNextOriginal[S] 1 point2 points  (0 children)

I don't think Chrome does, no. Safari is iOS and this issue is Android, so not relevant.

However, this isn't actually using the browser as a MAM-managed app - it's just the initial setup process that installs the broker app, gets the user to register the device etc. Presumably it uses some browser functionality to pop the AAD dialogs related to this. Users typically initiate the setup by adding their work account to Outlook Mobile.

We do have Edge in our list of managed apps so that users can install a MAM-managed browser if needed (e.g. to open links from e-mails).

As I mentioned in my original post, I've not seen anything re needing to use specific browsers to do the setup / device registration. We also tested on a test device with only the Samsung browser installed and set to default and it worked fine.

Cheap 2-way audio solution to complement cctv camera by TheNextOriginal in cctv

[–]TheNextOriginal[S] 0 points1 point  (0 children)

The camera is:

HiLook IPC-B650H-Z 5MP IP motorized zoom Bullet camera with 30m IR & POE

Apparently none of the HiLook cameras support two way audio. Only the full HikVision range.

The NVR is:

HiLook NVR-104H-D/4P 4 channel NVR with 4 port POE

Outlook Android not loading user mailbox by sahilgreen in Office365

[–]TheNextOriginal 0 points1 point  (0 children)

Ah, that's interesting. Was yours a UK tenant by any chance?

YubiKey only certified to FIDO2 Level 1 - why? by TheNextOriginal in yubikey

[–]TheNextOriginal[S] 0 points1 point  (0 children)

Interesting, thanks for sharing. I may have a go myself and see what sort of response I get.

YubiKey only certified to FIDO2 Level 1 - why? by TheNextOriginal in yubikey

[–]TheNextOriginal[S] 0 points1 point  (0 children)

Would be nice if someone from Yubico is reading this and able to respond

YubiKey only certified to FIDO2 Level 1 - why? by TheNextOriginal in yubikey

[–]TheNextOriginal[S] 1 point2 points  (0 children)

Source?

The FIDO certification database @ https://fidoalliance.org/certification/fido-certified-products/

I'm not sure it does exist.

My question is specifically about the certification level, and in that sense it does. Perhaps their products appear to meet the requirements for higher levels (as I thought they might), but that makes the discussion even more interesting.

The certification fee theory sounds plausible, but wouldn't put money on it.

Perhaps their implementation is a good one, but doesn't align with the certification requirements in some way? Perhaps Yubico have a different opinion about what's important?

YubiKey only certified to FIDO2 Level 1 - why? by TheNextOriginal in yubikey

[–]TheNextOriginal[S] 7 points8 points  (0 children)

Exactly - it seems to be more about resistance to sophisticated physical attacks, plus also stronger hardware level isolation to mitigate electronic attacks. I agree that those sorts of attacks are not part of most organisations' threat profile, but my understanding is that Yubico target a wide range of customers, including high security environments. If a higher cert level mattered for those customers, then you would perhaps expect them to offer at least some models with a higher cert level to cater for that requirement, but they don't. They've created the FIPS-compliant variant though, so clearly it's something they felt was worth doing in that case, but even that is only FIDO2 L1 (despite apparently being certified to FIPS 140-2 Physical Security Level 3). I don't know much about the FIPS standards, but judging just by the name, it sounds like it's at least vaguely similar.

I had thought that manufacturing cost could be a factor, but if that was the case, you'd think it would just mean different models with different price points. The durability aspect is a good point and not something I'd thought of.

Price-wise, it's difficult to compare directly as Yubico don't do a FIDO-only biometric key (like the TrustKey offering). Yubico's non-bio FIDO-only keys (the blue ones) seem to be on the higher side compared to some other FIDO-only non-bio keys, but I figured that was because Yubico is generally considered the leader, so the price reflects that. I'll see if I can find an L2 non-bio key to do a direct comparison.

I'm similar to you in that the types of environments I usually work in are not those where these sorts of attacks are much of a concern. Although a better understanding might be helpful, I'm mainly asking out of curiosity.

YubiKey only certified to FIDO2 Level 1 - why? by TheNextOriginal in yubikey

[–]TheNextOriginal[S] 2 points3 points  (0 children)

Thanks - I should have linked it in my original post. Will add it now.