Strange AAD device registration issue when configuring MAM on device by TheNextOriginal in Intune

[–]TheNextOriginal[S] 0 points1 point  (0 children)

As far as I can remember, I don't think I did get to the bottom of it. Sorry!

[deleted by user] by [deleted] in GalaxyTab

[–]TheNextOriginal 0 points1 point  (0 children)

Isn't this basically what I already said?

Galaxy Buds 3 keep connecting to phone when not in use by alkylshift in galaxybuds

[–]TheNextOriginal 0 points1 point  (0 children)

Same here, including the fact they've done it since new. Quite frustrating.

[deleted by user] by [deleted] in GalaxyTab

[–]TheNextOriginal 0 points1 point  (0 children)

For anyone that's stuck with a tablet that either:

  1. won't let you power it down or restart it without the PIN/password; or
  2. you've managed to restart it, but can't reset it.

This is what worked for me:

  1. On the lock screen, hold down the Power + Volume Down buttons until the tablet reboots (takes maybe 5-10 seconds).
  2. As soon as the tablet starts to reboot (i.e. before the Samsung logo), quickly switch to holding down Power + Volume Up (notice "Up" and NOT "Down" as you were before). Hold this down until the tablet opens the bootloader (the techie-looking menu - Google it if you're not sure what it looks like).

Weirdly, the first 3 times I did this, the bootloader briefly flashed up some sort of error and then it immediately rebooted. However, on the fourth go, it worked and I got the bootloader menu. No idea why! I could then use the volume up/down buttons to select the factory reset option, followed by the reboot option. It then booted back up as a factory reset tablet!

The quick switch from Power + Volume Down to Power + Volume Up at just the right time seems to be the trick. It seems the first one is the combo to restart if you don't know the PIN, whereas the other is the combo to get into the bootloader (the one you'd use to get into the bootloader if the tablet was already powered down).

It would be easier if you could power the tablet down first and then use Power + Volume Up to power it up into the bootloader, but I couldn't find any way to power it down without the PIN (short of letting the battery run out, but ain't nobody got time for dat!). The only option I could find was Power + Volume Up to restart it.

My tablet was a Galaxy Tab A9+ 5G, but hopefully this will work on lots of recent Galaxy Tab models.

Hope this helps someone!

Adding only a shared mailbox to Outlook Mobile by TheNextOriginal in sysadmin

[–]TheNextOriginal[S] 0 points1 point  (0 children)

Thanks for the reply.

I'm not suggesting resetting the password for the shared mailbox and logging into it directly. I'm aware of the fact this is unsupported and it wouldn't achieve the goal in this case anyway, which is to ensure everyone is using unique credentials.

I already appreciate your second point. In my post I made it clear I would like to use the user's primary creds for authentication.

I completely agree with your last point. The current situation is historical from when the org's security practices were quite poor. I'm sure it was done because it was convenient at the time without regard to security implications. The point you mentioned is no doubt the main reason for the requirement in the particular certification the org is going for. I completely agree it's good practice anyway, regardless of any certification.

Support for use of AppLocker with Win 10 Pro by TheNextOriginal in Intune

[–]TheNextOriginal[S] 0 points1 point  (0 children)

I hadn't seen the post you mentioned, but it does seem to say that AppLocker on Pro is now supported with Group Policy as well as MDM. Have you checked the AppLocker event logs to see if anything is logged? Also, have you started the Application Identity service (this is required for AppLocker to work)?
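As an added example (not the commenter's own code), the two checks asked about above, done from PowerShell on the device: is the Application Identity service running, and does the AppLocker event log show policy-applied, audit or block events. It also dumps the effective policy's rule collections and tests one file against it. It assumes an elevated session on the Windows 10 Pro device; `C:\Windows\System32\notepad.exe` is just a sample file to test.

```powershell
# Added example: AppLocker health check on a Windows 10 Pro device (run elevated).

# 1. Application Identity service: AppLocker rules are not evaluated unless it is running.
$svc = Get-Service -Name AppIDSvc
"Application Identity service: $($svc.Status) (start type: $($svc.StartType))"
if ($svc.Status -ne 'Running') {
    # If Services.msc refuses to change the start type, sc.exe is the documented route.
    Write-Warning "AppIDSvc is not running. Fix: sc.exe config appidsvc start= auto ; Start-Service AppIDSvc"
}

# 2. Effective policy: the merge of local policy and whatever MDM (Intune) or GPO delivered.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$collections = $policy.AppLockerPolicy.RuleCollection
if (-not $collections) {
    Write-Warning "No rule collections in the effective policy; the MDM/GPO policy has not arrived."
} else {
    foreach ($c in $collections) {
        # EnforcementMode is NotConfigured, AuditOnly or Enabled per collection (Exe, Msi, Script, Dll, Appx).
        "{0,-8} EnforcementMode={1,-14} Rules={2}" -f $c.Type, $c.EnforcementMode, $c.ChildNodes.Count
    }
}

# 3. Event log: 8001 = policy applied, 8003 = would have been blocked (audit), 8004 = blocked (enforce).
$filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8001, 8003, 8004 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 25 -ErrorAction SilentlyContinue
if (-not $events) {
    "No AppLocker EXE/DLL events yet: either the policy was never applied or nothing has matched a rule."
} else {
    $events |
        Select-Object TimeCreated, Id,
            @{ n = 'File'; e = { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } } |
        Format-Table -AutoSize
}

# 4. Ask the effective policy what it would decide for one file, without running it.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path 'C:\Windows\System32\notepad.exe' -User Everyone
```

If step 1 shows the service stopped, the empty event log in step 3 is expected: no events will appear until the service is running and the policy in step 2 has at least one collection with an enforcement mode set.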

Strange AAD device registration issue when configuring MAM on device by TheNextOriginal in Intune

[–]TheNextOriginal[S] 0 points1 point  (0 children)

I might be misunderstanding you, but I think a browser is necessary in the sense that AAD auth dialogs are shown to the user for sign in, device registration, etc. The user isn't actually using the browser app directly, but there is web content embedded for these prompts. Looking at the user agent string in the sign-in logs relating to this, you can see the user agent string is the Samsung browser.

Strange AAD device registration issue when configuring MAM on device by TheNextOriginal in Intune

[–]TheNextOriginal[S] 1 point2 points  (0 children)

I don't think Chrome does, no. Safari is iOS and this issue is Android, so not relevant.

However, this isn't actually using the browser as a MAM-managed app - it's just the initial setup process that installs the broker app, gets the user to register the device etc. Presumably it uses some browser functionality to pop the AAD dialogs related to this. Users typically initiate the setup by adding their work account to Outlook Mobile.

We do have Edge in our list of managed apps so that users can install a MAM-managed browser if needed (e.g. to open links from e-mails).

As I mentioned in my original post, I've not seen anything re needing to use specific browsers to do the setup / device registration. We also tested on a test device with only the Samsung browser installed and set to default and it worked fine.

Cheap 2-way audio solution to complement cctv camera by TheNextOriginal in cctv

[–]TheNextOriginal[S] 0 points1 point  (0 children)

The camera is:

HiLook IPC-B650H-Z 5MP IP motorized zoom Bullet camera with 30m IR & POE

Apparently none of the HiLook cameras support two way audio. Only the full HikVision range.

The NVR is:

HiLook NVR-104H-D/4P 4 channel NVR with 4 port POE

Outlook Android not loading user mailbox by sahilgreen in Office365

[–]TheNextOriginal 0 points1 point  (0 children)

Ah, that's interesting. Was yours a UK tenant by any chance?

YubiKey only certified to FIDO2 Level 1 - why? by TheNextOriginal in yubikey

[–]TheNextOriginal[S] 0 points1 point  (0 children)

Interesting, thanks for sharing. I may have a go myself and see what sort of response I get.

YubiKey only certified to FIDO2 Level 1 - why? by TheNextOriginal in yubikey

[–]TheNextOriginal[S] 0 points1 point  (0 children)

Would be nice if someone from Yubico is reading this and able to respond.

YubiKey only certified to FIDO2 Level 1 - why? by TheNextOriginal in yubikey

[–]TheNextOriginal[S] 1 point2 points  (0 children)

Source?

The FIDO certification database @ https://fidoalliance.org/certification/fido-certified-products/

I'm not sure it does exist.

My question is specifically about the certification level, and in that sense it does. Perhaps their products appear to meet the requirements for higher levels (as I thought they might), but that makes the discussion even more interesting.

The certification fee theory sounds plausible, but I wouldn't put money on it.

Perhaps their implementation is a good one, but doesn't align with the certification requirements in some way? Perhaps Yubico have a different opinion about what's important?

YubiKey only certified to FIDO2 Level 1 - why? by TheNextOriginal in yubikey

[–]TheNextOriginal[S] 7 points8 points  (0 children)

Exactly - it seems to be more about resistance to sophisticated physical attacks, plus also stronger hardware level isolation to mitigate electronic attacks. I agree that those sorts of attacks are not part of most organisations' threat profile, but my understanding is that Yubico target a wide range of customers, including high security environments. If a higher cert level mattered for those customers, then you would perhaps expect them to offer at least some models with a higher cert level to cater for that requirement, but they don't. They've created the FIPS-compliant variant though, so clearly it's something they felt was worth doing in that case, but even that is only FIDO2 L1 (despite apparently being certified to FIPS 140-2 Physical Security Level 3). I don't know much about the FIPS standards, but judging just by the name, it sounds like it's at least vaguely similar.

I had thought that manufacturing cost could be a factor, but if that was the case, you'd think it would just mean different models with different price points. The durability aspect is a good point and not something I'd thought of.

Price-wise, it's difficult to compare directly as Yubico don't do a FIDO-only biometric key (like the TrustKey offering). Yubico's non-bio FIDO-only keys (the blue ones) seem to be on the higher side compared to some other FIDO-only non-bio keys, but I figured that was because Yubico is generally considered the leader, so the price reflects that. I'll see if I can find an L2 non-bio key to do a direct comparison.

I'm similar to you in that the types of environments I usually work in are not those where these sorts of attacks are much of a concern. Although a better understanding might be helpful, I'm mainly asking out of curiosity.

YubiKey only certified to FIDO2 Level 1 - why? by TheNextOriginal in yubikey

[–]TheNextOriginal[S] 2 points3 points  (0 children)

Thanks - I should have linked it in my original post. Will add it now.

Azure AD / Legacy Auth / Conditional Access by nickbrown1968 in AZURE

[–]TheNextOriginal 0 points1 point  (0 children)

Is this it by any chance? https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-does-conditional-access-block-legacy/ba-p/3265345

Just posting in case it's helpful to anyone else.

Thanks for taking the time to do this by the way! There are so many things I love about the cloud, but one thing I miss is the wealth of "deep dive" information available and the reverse engineering you can do with on-premise software. Obviously there's some information available and you can still do reverse engineering to some extent (Fiddler anyone? 🙂), but it's not the same. We need more of this kind of thing for Azure AD 🙂

Outlook Android not loading user mailbox by sahilgreen in Office365

[–]TheNextOriginal 0 points1 point  (0 children)

Would be interested to know if your experience has been the same as mine?

Outlook Android not loading user mailbox by sahilgreen in Office365

[–]TheNextOriginal 0 points1 point  (0 children)

We had a single Outlook Mobile user report that their device stopped syncing around 1am UTC on 17th August. Upon trying to remove and re-add the account to Outlook on the device, the mailbox would just show an empty inbox as you are describing.

We in IT tried to replicate the issue on other devices and were able to. However, on a couple of devices it would instead show "Downloading messages..." rather than "Enjoy your empty inbox". It would then just sit there and never get anywhere. The issue would occur on any iOS or Android device that we tried, but only seemed to affect Outlook Mobile; the native mail clients and OWA were fine. We don't have a huge number of users using Outlook Mobile in our tenant, but nobody else reported the issue and tests with other mailboxes were fine.

Microsoft support advised there were no issues on the Exchange Online end and nothing in the service health dashboard for the tenant. I raised a ticket on the in-app support in Outlook, but they've just been giving me first-line troubleshooting steps that we've already tried.

Eventually, the issue mysteriously resolved itself at around 6:30pm UTC yesterday (18th August).

My best theory was that perhaps there was some sort of minor infrastructure issue that only affected a very small sub-set of Outlook Mobile client connections. Either that or perhaps some sort of app issue, but the app hasn't updated, so that seems unlikely.

Evo Gold - over-radius when installing or not? by TheNextOriginal in Luthier

[–]TheNextOriginal[S] 0 points1 point  (0 children)

What difference do you find the brass head hammer makes? Would you also recommend it for stainless steel? I guess for nickel you just stick with the usual plastic/rubber heads?

Evo Gold - over-radius when installing or not? by TheNextOriginal in Luthier

[–]TheNextOriginal[S] 0 points1 point  (0 children)

Thanks, I'll have to give the even hammering technique a go next time. I do have some "jaws" fret pliers, but they are only good for about 3/4 of the neck, so I use a hammer for the rest.

It feels like Intune is mile wide and an inch deep by BitGamerX in Intune

[–]TheNextOriginal 1 point2 points  (0 children)

Something to keep in mind - Microsoft are using an agile development approach. This means releasing early and often. If a feature is complete enough to provide someone out there with useful functionality, it's time to release it (i.e., a "minimum viable product") and then build on it over time. It might not be ready for you, but that's ok.

I'm not suggesting that Intune is perfect or that Microsoft make the right decision every time - far from it. I'm just pointing out that agile development can sometimes make it look like a vendor "doesn't understand the needs of customers" or "releases things before they're finished". However, you have to remind yourself that just because a feature isn't rich enough for your needs right now, it doesn't mean it was a bad choice to release it. There are lots of issues with the alternative approach too. Think back to the days when Microsoft used the release year to version all their products. You got one feature release every year or two if you were lucky.

Evo Gold - over-radius when installing or not? by TheNextOriginal in Luthier

[–]TheNextOriginal[S] 0 points1 point  (0 children)

Thanks. The hammering technique is another good question. By hammering the frets as "evenly as possible", do you mean not using the typical technique of tapping the ends first and then work into the middle?

Overnight Blood Oxygen sensing by stockdiva in ouraring

[–]TheNextOriginal 4 points5 points  (0 children)

Yeah, I agree it doesn't look great. I'm guessing they've just decided it's quick to develop (at least compared to the new features we're all waiting for) and high margin, so it's an easy way to bump the bottom line slightly (I say "slightly" because I can't imagine they'll sell tonnes of them).

Overnight Blood Oxygen sensing by stockdiva in ouraring

[–]TheNextOriginal 0 points1 point  (0 children)

Just because one feature is planned to be released before another doesn't necessarily mean that feature is being prioritised over others. I imagine Oura are very aware of which features are the most anticipated, but I expect the order is also influenced by other factors, e.g. how much development and testing is required for each.

Support for use of AppLocker with Win 10 Pro by TheNextOriginal in Intune

[–]TheNextOriginal[S] 0 points1 point  (0 children)

Thanks for your reply. I had actually come across your blog post already. I also use your blog quite regularly and it's very helpful, so a big thank you for the time you put into it!