Cascades — SDM token-type enrollment cracked + ALIS SSO infrastructure live
Date: 2026-05-08
Client: Cascades of Tucson (Syncro 20149445, Tenant 207fa277-e9d8-4eb7-ada1-1064d2221498)
User
- User: Howard Enos (howard)
- Machine: Howard-Home
- Role: tech
- Session span: ~9 hours, full work day. End-to-end SDM rollout breakthrough.
Session Summary
Investigated and resolved Cascades caregiver phone Shared Device Mode (SDM) issues by identifying a misconfigured enrollment profile using the default token type instead of the required "Corporate-owned dedicated device with Microsoft Entra ID shared mode" token type. A new enrollment profile was created and the old one deleted to ensure proper SDM configuration. The dynamic group rule was updated to allow automatic inclusion of devices from the new profile. Two test phones were wiped and re-enrolled using the new SDM token QR, successfully registering as shared devices. The end-to-end caregiver workflow was validated, confirming correct behavior of Microsoft Teams, Outlook, and sign-out functionality. ALIS SSO infrastructure was configured with Entra app registration values and credentials were vaulted. Web shortcuts were replaced with Android Enterprise type links to ensure visibility on kiosks. Device restrictions were updated with the Cascades-of-Tucson logo. A project update was added to the Cascades Entra setup ticket. Phones remain powered on for web link tile propagation and ALIS SSO testing in the next session.
Key Decisions
- Chose to replace the existing enrollment profile with a new one using the correct SDM token type to align with Microsoft's recommended configuration for Android Enterprise dedicated devices in SDM.
- Updated the dynamic group rule from exact-match to startsWith to ensure compatibility with the new enrollment profile and automatic device grouping.
- Replaced basic Intune web links with Android Enterprise type (Managed Google Play web links) to ensure visibility on Android Enterprise kiosks.
- Vaulted Inbound Connections Basic Auth credentials for future Microsoft-to-ALIS API integrations.
- Wallpaper field uses the existing landscape Cascades logo URL on cascadestucson.com — known to stretch on portrait phone screens but acceptable as a starting visual; portrait-format file deferred until someone with WordPress access can upload one.
Problems Encountered
- Initial SDM activation failures from prior sessions traced to incorrect token type on the enrollment profile. Resolved by identifying the correct token type from Microsoft documentation (https://learn.microsoft.com/en-us/intune/device-enrollment/android/setup-dedicated) and replacing the old profile.
- Old "Web link" type apps (microsoft.graph.webApp) did not render as tiles on Android Enterprise dedicated kiosks. Resolved by deleting and re-creating as Managed Google Play web links (androidManagedStoreWebApp type), which surface automatically as tiles.
- Web link tiles still not visible on phones at end of day; configuration verified correct (assignments, group membership, publishingState=published, isAssigned=true). Diagnosed as Google Managed Play distribution lag (typical 30 min to a few hours, sometimes overnight). Phones left powered on at Cascades to receive distribution overnight.
Configuration Changes
New Intune enrollment profile
CSC - Android Shared Phones (Entra SDM) (id 9a0fcc6d-0a88-466e-aa53-44401bb74fca)
- Token type: Corporate-owned dedicated device with Microsoft Entra ID shared mode
- Token: KJCFJUWKRCOGATEHBTGYJZXM
- Token expires: 2027-05-07
- Naming template: CSC-{{SERIAL}}
Old enrollment profile removed
CSC - Android Shared Phones (was id 3345721a-d9c3-4c79-9b3a-5c5e68849a9f) — DELETED via Graph API. Profile used the default "Corporate-owned dedicated device" token type, which doesn't activate SDM.
Dynamic group rule update
Cascades - Shared Phones (id ea96f4b7-3000-45da-ab1f-ddb28f509526) — membershipRule changed from (device.enrollmentProfileName -eq "CSC - Android Shared Phones") to (device.enrollmentProfileName -startsWith "CSC - Android Shared Phones") so phones from either old or new profile name auto-join. Confirmed both new test phones (CSC-R92W310H31N, CSC-R9TW207FSXA) became members within ~5 min of registration.
Device restrictions profile (CSC - Android Shared Phones Restrictions, id 070a76c2-a8c3-4f7f-9ba7-1f4ac5084184)
- Bumped to version 14 today
- Added: kioskModeWallpaperUrl: https://cascadestucson.com/wp-content/uploads/2023/06/CascadesOfTucson-logo.png
Mobile apps — replaced wrong-type web shortcuts
| App | OLD (deleted) | NEW type (created today) | New ID |
|---|---|---|---|
| ALIS / Alis | fcbf803d-ceb7-4f4e-93ed-2be1b91a05f3 (webApp, wrong type) | androidManagedStoreWebApp | 8c0ae9bf-000d-4ae4-9b41-74afd186ad37 |
| Helpany / HelpAny | 97c294de-03ec-4053-b272-a4c956e408e9 (webApp) | androidManagedStoreWebApp | cbb9404b-2413-40c1-823d-e10337d5238f |
| LinkRx | e4157faf-c47d-443d-96b3-59d7c4ba9ac2 (webApp) | androidManagedStoreWebApp | c70f62bc-a2ff-4744-925a-a409e38c6690 |
All three new web links: intent: required, target: Cascades - Shared Phones group, publishingState: published.
Test phones re-enrolled (clean Shared Devices)
| Serial | Intune ID (today) | Entra device | profileType |
|---|---|---|---|
| R92W310H31N | a46a2daf-b8c5-4c19-ac71-0fdc7341928a | CSC-R92W310H31N | Shared ✓ |
| R9TW207FSXA | 41345e4a-c58f-4b0d-9678-cd6da47acf6a | CSC-R9TW207FSXA | Shared ✓ |
Both trustType: Workplace, registeredOwners: 0, registeredUsers: 0, joinType: azureADRegistered.
ALIS App Store / Microsoft SSO app configuration (on cascadestucson.alisonline.com)
Configured by Howard via the ALIS admin UI:
- Outbound Connections → Provider Parameters: Directory ID, Application ID, Client Secret Value populated from Entra App Registration
- Inbound Connections (ALIS API): generated Basic Auth credentials (vaulted)
- ALIS install key: d796539d-356b-4190-9c17-35f0f1129376
Cascades Entra setup ticket #32214 — customer-visible comment posted
Comment id 409911490 — "Project update 2026-05-08" — hidden: false, do_not_email: true.
Vault updates
clients/cascades-tucson/alis-sso-app-registration.sops.yaml — extended with ALIS Inbound Connections Basic Auth credentials + ALIS install key. Vault commit 25b0ed7.
Credentials & Secrets
ALIS App Store SSO app — Inbound Connections (Basic Auth)
- Username: microsoft@cascadestucson
- Password: nvw3JCL3VY8401N
- Auth Header: Basic bWljcm9zb2Z0QGNhc2NhZGVzdHVjc29uOm52dzNKQ0wzVlk4NDAxTg==
- Vault: clients/cascades-tucson/alis-sso-app-registration.sops.yaml (vault commit 25b0ed7)
- Purpose: Credentials for any future Microsoft → ALIS API call (currently unused; SSO sign-in itself doesn't require these — that's pure OIDC).
Entra App Registration (unchanged from yesterday, listed for completeness)
- Application ID: d5108493-cba8-4f08-90b6-1bb0bc09eb2a
- Directory ID: 207fa277-e9d8-4eb7-ada1-1064d2221498
- Client Secret Value: cCf8Q~eT3uKOqtW2DtLWxxP1uCSHUWFYimXYvdiJ
- Secret expires: 2028-05-06
- Vault: clients/cascades-tucson/alis-sso-app-registration.sops.yaml
devices@cascadestucson.com (provisioning account, unchanged)
- Password: Gptf*77ttb!. Cloud Device Administrator role.
- Note: Today's SDM-token enrollment did NOT actually require devices@ to register the phones — the platform handled registration automatically using the enrollment token's authority. The account is still useful for any future operations that need a CDA.
Pilot caregiver test user (unchanged)
pilot.test@cascadestucson.com / 8ajau==j2_MeBdW5XccKUEwx
- Vault: clients/cascades-tucson/pilot-test-user.sops.yaml
Infrastructure & Servers
Tenant
- Tenant ID: 207fa277-e9d8-4eb7-ada1-1064d2221498
- Default domain: cascadestucson.com
- Cascades Named Location: 061c6b06-b980-40de-bff9-6a50a4071f6f (IPs 72.211.21.217/32 and 184.191.143.62/32)
Intune objects (current state)
| Object | ID | Notes |
|---|---|---|
| Enrollment profile | 9a0fcc6d-0a88-466e-aa53-44401bb74fca | CSC - Android Shared Phones (Entra SDM) |
| Dynamic group | ea96f4b7-3000-45da-ab1f-ddb28f509526 | Cascades - Shared Phones (rule = startsWith) |
| Device restrictions profile | 070a76c2-a8c3-4f7f-9ba7-1f4ac5084184 | v14, includes wallpaper URL |
| Compliance policy | 27eeaeda-8390-462e-a514-7d2a558f412c | CSC - Android Compliance |
| Authenticator MSDM app config | a1bfbda0-a36c-45e5-8844-8470f80ecc8d | Manual config, redundant under SDM-token enrollment but kept |
| Teams MSDM app config | 3c6a354c-1616-434b-ac81-4dad7795e67b | Manual config, redundant under SDM-token enrollment but kept |
Mobile apps assigned to Cascades - Shared Phones group
Native: Microsoft Authenticator, Microsoft Teams, Microsoft Outlook, Microsoft Edge, Managed Home Screen, Intune Company Portal. Managed Google Play web links (new today): Alis, HelpAny, LinkRx.
Commands & Outputs
Confirm SDM activation on phones (Microsoft canonical marker)
```bash
curl -sk -H "Authorization: Bearer $TOK_TA" \
  "https://graph.microsoft.com/beta/devices?\$filter=startswith(displayName,'CSC')&\$top=10" | \
  jq '.value[] | {displayName, profileType, trustType, enrollmentProfileName}'
```
Result for today's phones: profileType: "Shared" on both — confirms SDM is genuinely active. (Yesterday's failed attempts had profileType: RegisteredDevice instead.)
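The curl + jq check above reads the raw Graph response by eye. The following Python script is an added example (not tooling from this session log) that applies the same two checks programmatically: is profileType the "Shared" marker that proves SDM activated, and does enrollmentProfileName satisfy the startsWith membershipRule from the dynamic group update, so the phone will auto-join Cascades - Shared Phones. It assumes the standard Graph collection shape ({"value": [...]}) with the field names the jq filter selects; the three device records embedded in it are constructed samples (the CSC-EXAMPLE0001 and CSC-LAPTOP-01 names are invented), not a captured tenant response. With TOK_TA set it runs the live query instead.

```python
"""Added example: classify Graph /beta/devices results for an SDM rollout and
cross-check each device against the dynamic group's startsWith rule."""
import json
import os
import urllib.request

GROUP_RULE_PREFIX = "CSC - Android Shared Phones"   # prefix from the -startsWith membershipRule
SHARED_MARKER = "Shared"                            # canonical profileType when SDM is active

# Constructed sample data (not a real tenant response): one phone from the new
# SDM-token profile, one that registered as an ordinary device (the failure mode
# the log traced to the old profile's token type), and one unrelated device that
# must not land in the shared-phones group.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"displayName": "CSC-R92W310H31N", "profileType": "Shared",
         "trustType": "Workplace",
         "enrollmentProfileName": "CSC - Android Shared Phones (Entra SDM)"},
        {"displayName": "CSC-EXAMPLE0001", "profileType": "RegisteredDevice",
         "trustType": "Workplace",
         "enrollmentProfileName": "CSC - Android Shared Phones"},
        {"displayName": "CSC-LAPTOP-01", "profileType": "RegisteredDevice",
         "trustType": "AzureAd",
         "enrollmentProfileName": None},
    ]
})


def matches_group_rule(enrollment_profile_name, prefix=GROUP_RULE_PREFIX):
    """Mirror device.enrollmentProfileName -startsWith "<prefix>" as a plain
    prefix comparison; a null attribute never satisfies the rule."""
    if enrollment_profile_name is None:
        return False
    return enrollment_profile_name.startswith(prefix)


def classify_devices(response_text):
    """Return one dict per device with the facts that matter for the rollout:
    SDM genuinely active, group membership expected, and a flag for the
    combination that points at the enrollment profile's token type."""
    devices = json.loads(response_text).get("value", [])
    report = []
    for d in devices:
        in_group = matches_group_rule(d.get("enrollmentProfileName"))
        sdm_active = d.get("profileType") == SHARED_MARKER
        report.append({
            "displayName": d.get("displayName"),
            "sdmActive": sdm_active,
            "inSharedPhonesGroup": in_group,
            # A phone from a CSC profile that is not Shared means the profile
            # (token type), not the handset, is the thing to inspect.
            "suspectTokenType": in_group and not sdm_active,
        })
    return report


def fetch_devices(token, prefix="CSC"):
    """Live equivalent of the curl command (needs network and a Graph token);
    the offline sample path never calls this."""
    url = ("https://graph.microsoft.com/beta/devices"
           f"?$filter=startswith(displayName,'{prefix}')&$top=50")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    token = os.environ.get("TOK_TA")
    body = fetch_devices(token) if token else SAMPLE_RESPONSE
    for row in classify_devices(body):
        print(row)
```

Run it without TOK_TA to see the three sample classifications; the second row is the one that reproduces yesterday's symptom (CSC profile, profileType RegisteredDevice) and is flagged suspectTokenType.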
Force Managed Google Play sync (to pull new web links into Intune)
```bash
curl -sk -X POST -H "Authorization: Bearer $TOK" \
  -H "Content-Type: application/json" --data '{}' \
  "https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings/syncApps"
# HTTP 200 — new web links appeared in Intune apps list within 30 sec
```
Update CA policy state (caregiver scope) — pattern for flipping Report-only -> Enforced
```bash
curl -X PATCH -H "Authorization: Bearer $TOK_TA" -H "Content-Type: application/json" \
  --data '{"state":"enabled"}' \
  "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$ID"
# Sleep 6+ seconds before verifying read (eventual consistency).
```
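A fixed sleep before the verifying read works most of the time, but a poll-until-consistent loop is the safer pattern when a CA policy flip is part of a rollout step that later actions depend on. The Python below is an added example (not tooling from this session) that wraps the PATCH shown above and then re-reads the policy until Graph returns the requested state or gives up. The endpoint and request body come from the curl command; the three state values are Graph's conditionalAccessPolicyState enum (Report-only is enabledForReportingButNotEnforced); the retry count and interval are this example's own assumptions. The read function is injected so the loop can be exercised without a tenant.

```python
"""Added example: flip a Conditional Access policy state via Graph and confirm
the write is visible, retrying the read because the endpoint is eventually
consistent."""
import json
import os
import time
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Graph conditionalAccessPolicyState values; Report-only is the third one.
VALID_STATES = ("enabled", "disabled", "enabledForReportingButNotEnforced")


def graph_request(token, method, url, body=None):
    """Minimal Graph call returning parsed JSON ({} for an empty 204 body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def wait_for_state(read_policy, expected, attempts=6, delay=2.0, sleep=time.sleep):
    """Poll read_policy() until it reports the expected state.

    read_policy is a zero-argument callable (a real Graph GET, or a stub that
    returns stale reads first).  Returns the number of reads it took; raises
    TimeoutError if the write never became visible within `attempts` reads.
    The 6 x 2 s default is an assumption, sized to the log's "6+ seconds" note."""
    for attempt in range(1, attempts + 1):
        policy = read_policy()
        if policy.get("state") == expected:
            return attempt
        sleep(delay)
    raise TimeoutError(f"policy state still not {expected!r} after {attempts} reads")


def set_policy_state(token, policy_id, state):
    """PATCH the state, then verify with retries instead of a single read."""
    if state not in VALID_STATES:
        raise ValueError(f"unknown state {state!r}; expected one of {VALID_STATES}")
    url = f"{GRAPH}/{policy_id}"
    graph_request(token, "PATCH", url, {"state": state})
    return wait_for_state(lambda: graph_request(token, "GET", url), state)


if __name__ == "__main__":
    # Usage: TOK_TA=<graph token> CA_POLICY_ID=<policy object id> python flip_ca.py
    tok = os.environ["TOK_TA"]
    reads = set_policy_state(tok, os.environ["CA_POLICY_ID"], "enabled")
    print(f"state confirmed after {reads} read(s)")
```

Because the verify step is a loop rather than a sleep, a run that confirms on the first read costs nothing extra, and a run where replication is slow still ends with a confirmed state (or a clear failure) rather than a silent stale read.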
Sign-in test result (Phone A, pilot.test)
- Microsoft Teams sign-in: clean, no AADSTS50097, no register-device prompt
- Microsoft Outlook: silent broker sign-in (no password)
- Teams "Sign out": cleared all M365 sessions device-wide
Pending / Incomplete Tasks
Resume next session
- Verify the three Managed Google Play web link tiles (Alis, HelpAny, LinkRx) have appeared on both phones (they were propagating from Google when Howard left for the day; phones left powered on at Cascades to receive distribution overnight)
- End-to-end ALIS SSO sign-in test from phone:
- Make sure phone has pilot.test signed in (Teams + Outlook silent)
- Tap Alis tile in MHS
- Expected: ALIS detects SSO config server-side → redirects to Entra → broker silent-auth → ALIS opens with pilot.test logged in (no password)
- If working: SSO is fully functional, ready for staged caregiver rollout
Production rollout (after pilot SSO verified)
- Each Cascades caregiver who uses ALIS needs their ALIS staff record's Email field set to match their Entra UPN exactly (e.g., firstname.lastname@cascadestucson.com). This is the SSO join key. Without an exact email match, ALIS errors "user not found" on SSO sign-in.
- Plan staged caregiver rollout — flip ONE user at a time. Per Medtelligent's docs: "once a user account is linked to SSO, they will not be able to log in with their ALIS credentials unless a company administrator edits their login settings." Linking is admin-reversible per user but not user-reversible.
- Provision the remaining 30 phones using the proven SDM-token enrollment profile playbook (factory reset → scan QR for CSC - Android Shared Phones (Entra SDM) → wait ~15 min → done).
Cosmetic / nice-to-have
- Replace wallpaper with a portrait-format Cascades logo image when someone with cascadestucson.com WordPress access can upload one. The current landscape image stretches on portrait phone screens.
- Investigate (carefully) MHS welcome-screen branding logo — would require an MHS app config policy with documented keys only (not the speculative-key approach that crashed the install loop earlier in the project).
- Flip the third caregiver CA policy CSC - Block caregivers on non-compliant device from Report-only to Enforced once pilot SSO is verified working and joinType propagation is reliable across all phones (currently in Report-only because some sign-ins evaluated as reportOnlyFailure due to device.isCompliant not always being true on the user's session).
- Login PINs feature — Medtelligent supports it but it's "limited release." When the ALIS support call resumes, ask about enabling Login PINs for Cascades. PINs allow caregivers to re-auth via a 6-digit PIN after timeout instead of a full SSO redirect — a meaningful UX improvement for shared phones.
Optional cleanup
- Two stale Entra Android device records still exist (samsungSM-A146U and 31fb90e5bbc239ba_AndroidEnterprise_5/8/2026_12:12 AM) — Tenant Admin SP returns 403 on Entra device DELETE (lacks Device.ReadWrite.All). To clean up: portal delete by Howard (or grant the SP that scope). Non-blocking — orphans are inert.
Long-term
- Disable devices@cascadestucson.com once production rollout completes. Account preserves audit trail; devices stay in shared mode after.
Reference Information
Microsoft documentation (the docs that mattered today)
- Android Enterprise dedicated device setup (the article that revealed the SDM token type): https://learn.microsoft.com/en-us/intune/device-enrollment/android/setup-dedicated
- Managed Google Play web links: https://learn.microsoft.com/en-us/intune/app-management/deployment/add-managed-google-play (specifically the "Managed Google Play web links" section)
- ALIS SSO setup (Medtelligent): https://support.alisonline.com/hc/en-us/articles/34831696021901-Single-Sign-On-SSO
- ALIS Login PINs feature (limited release): https://support.alisonline.com/hc/en-us/articles/42638358994317-Login-PINs-for-SSO
Vault paths
- clients/cascades-tucson/alis-sso-app-registration.sops.yaml — Entra App Reg, ALIS Inbound creds, install key (vault commit 25b0ed7)
- clients/cascades-tucson/devices-account.sops.yaml — devices@ provisioning account
- clients/cascades-tucson/pilot-test-user.sops.yaml — pilot.test caregiver test user
- clients/cascades-tucson/wifi-cscnet.sops.yaml — Wi-Fi PSK
- clients/cascades-tucson/cs-server.sops.yaml — domain controller
URLs
- Cascades ALIS tenant: https://cascadestucson.alisonline.com
- Entra portal: https://entra.microsoft.com
- Intune admin center: https://intune.microsoft.com
- ALIS support: support@go-alis.com / 888-404-ALIS (2547)
Syncro tickets
- #32214 — "Entra setup" (In Progress) — comment 409911490 posted today with project update
- #32263 — Kittle Joshua Sutherland onsite (separate session log)
Microsoft support ticket
- #2605070040009774 — Authenticator SDM activation troubleshooting (open from yesterday). Today's outcome (token type fix) is the resolution; will update + close on next session if pilot SSO test passes.
Session duration: ~9 hours, 2026-05-08 ~07:00 PT through ~16:36 PT (last action: Cascades ticket comment post)
End-of-day phone state: Both test phones (R9TW207FSXA, R92W310H31N) physically left at Cascades, powered on, on Wi-Fi, awaiting Google Managed Play distribution to land the three web link tiles overnight.
Resume: Verify web tiles present + run end-to-end ALIS SSO test.