Allow RSA SecurID token import via Outlook/Intune/MAM on iOS

4 Replies

One issue we ran into during our Intune/Outlook pilot for Android/iOS devices was the inability to click RSA SecurID token links used to import tokens. We will eventually be moving away from RSA, but in the meantime this was a challenge. I was able to come up with a workaround that allowed an import from Intune/Outlook into RSA SecurID while using MAM policies an iOS device.

  • In the MAM policy (Application Protection policy) that targets Outlook/Edge create a ‘Data Transfer‘ exemption for ‘com.rsa.securid
  • Email the RSA SecurID token to the user using the format: com.rsa.securid://ctf?ctfData=xxxxxxxxxxxxxxxxxxxxxx
  • Copy this link (be sure to not copy any spaces or) into Edge and hit ‘go

After hitting ‘go‘ Edge should prompt you to open up the token in RSA SecurID.

4 thoughts on “Allow RSA SecurID token import via Outlook/Intune/MAM on iOS

  1. rgaffin

    Hi
    Thanks for this, but this didn’t work for me.

    In my RSA console, when i selected the CFT option it gives me…

    http://127.0.0.1/securid/ctf?ctfData=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Which i converted to…
    com.rsa.securid://127.0.0.1/securid/ctf?ctfData=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    It obviously failed as Edge cant resolve the localhost IP. But what should we be putting in, in place of the IP? As far as i know, our RSA server is internal, so the Edge browser wont be able to reach it.
    Thanks
    Rich

    1. Mark DePalma Post author

      Hello,

      You have the URL wrong. Per my post it should be: com.rsa.securid://ctf?ctfData=xxxxxxxxxxxxxxxxxxxxxx. You have the extra ‘127.0.0.1/securid’. You just need ‘cft?…’

      Let me know if that works for you.

      -Mark

  2. rgaffin

    Hi Mark
    I should have said, but com.rsa.securid://ctf?ctfData=xxxxxx was that first thing i tried and i get the error “Token Import Failed, Invalid Binding ID”

    My intune data protection settings, under App Protection Policy, read as follows…

    “Select apps to exempt
    Default: tel;telprompt;skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services;
    RSA Secure ID: com.rsa.securid”

    Rich

    1. Mark DePalma Post author

      Hm, so Edge is passing into the RSA SecurID app, but RSA isn’t accepting it. It seems to have to do with device ID binding. Do you restrict tokens to specific devices?

Leave a Reply