Pass Work Profile existence, OS Version, and Manufacturer to ESTS, Fixes AB#3138815 (#2627)

Feature Spec:
https://microsoft-my.sharepoint-df.com/:w:/p/jukollin/EW3bntSipC1Ek8gY7sIX_yUBXip16NxHN-mge53O1V0K7Q?e=vxoEue

Contract with ESTS for query parameter names:
https://microsoft-my.sharepoint-df.com/:w:/r/personal/fadidurah_microsoft_com/_layouts/15/doc2.aspx?sourcedoc=%7B7F727CCE-ECB4-4790-B4B9-369B8BD14A5D%7D&file=Document.docx&action=editnew&mobileredirect=true&wdPreviousSession=640fdd8a-c8fd-4983-fd56-29908be02022&wdNewAndOpenCt=1740713103250&wdo=4&wdOrigin=TEAMS-MAGLEV.p2p_ns.rwc&wdPreviousCorrelation=3a1b8576-c30c-4b46-9f9e-7cfde7fb9cbe&wdnd=1&wdTpl=blankNew&share=IQHOfHJ_tOyQR7S5NpuL0UpdAYK9OGBqj-cKpGfw7kJbcPk&wdExp=TEAMS-TREATMENT&wdhostclicktime=1744341352978&web=1

Msal-only Authorize request:

/login.microsoftonline.com/organizations/oAuth2/v2.0/authorize?prompt=select_account&client-request-id=de149d0e-9a9e-4f42-accf-c43e209b1b35&x-client-CPU=arm64-v8a&x-client-DM=Pixel&**x-client-MN=Google**&**x-client-OS=29**&x-client-SKU=MSAL.Android&x-client-Ver=5.10.0&login_hint=&instance_aware=false&code_challenge=8sy252i6gSVaCyONbgVYS9qhatnWyybwGzqs35bPwYQ&code_challenge_method=S256&**x-client-WPAvailable=true**&claims=%7B%7D&client_id=4b0db8c2-9f26-4417-8bde-3f0e3656f8e0&redirect_uri=msauth%3A%2F%2Fcom.msft.identity.client.sample.local%2F1wIqXSqBj7w%252Bh11ZifsnqwgyKrY%253D&response_type=code&scope=user.read%20%20openid%20offline_access%20profile&state=NzM6ZmIzZWFkZTctNDRmNC00YjBkLWEzODItOGVhYzc2ZTlkM2E1LWRiNmNlMzg2LTQ2NzktNGE2Ni1hMWVhLTk0Y2IzYmQ1NWJlZg

Msal-broker Authorize request:

/login.microsoftonline.com/organizations/oAuth2/v2.0/authorize?prompt=login&client-request-id=ef4e33b5-b8ae-45e9-a9ff-d0ea51487db2&x-client-CPU=arm64-v8a&x-client-DM=Pixel&**x-client-MN=Google**&**x-client-OS=29**&x-client-SKU=MSAL.Android&x-client-Ver=6.0.0&login_hint=&instance_aware=true&code_challenge=rax8IWFnE_OtZlr1p7GKgWZk9cF2gl6o1fGKS3gmx5U&code_challenge_method=S256&**x-client-WPAvailable=true**&client_id=29d9ed98-a469-4536-ade2-f981bc1d605e&redirect_uri=msauth%3A%2F%2FMicrosoft.AAD.BrokerPlugin&response_type=code&scope=aza%20openid%20email%20profile%20offline_access%20urn%3Aaad%3Atb%3Aupdate%3Aprt%2F.default&state=MTI3OjVjNGIwMjFmLWM5NTYtNDk4Yy1iNTVhLThlNWVjZjcwZjg2OC03NzU2NjljOC05NTRhLTQ2MjktYjVlMC1kMmZiNDY5YWRhYWE&temp-param=Temporary&webauthn=1&brkr=1&x-client-brkrver=8.1.20250423-1ESdev.6&x-app-name=com.msft.identity.client.sample.local&x-app-ver=1.0-local&domain_hint=organizations&caller_app_client_id=4b0db8c2-9f26-4417-8bde-3f0e3656f8e0&caller_app_redirect_uri=msauth%3A%2F%2Fcom.msft.identity.client.sample.local%2F1wIqXSqBj7w%252Bh11ZifsnqwgyKrY%253D&prt_protocol_version=3.0

Note `x-client-MN=Google`, `x-client-OS=29`, and
`x-client-WPAvailable=true`

We were already passing OS version (x-client-OS), this PR makes changes
to common to include Device manufacturer and an additional parameter
denoting if we are making a request from personal profile, but a work
profile managed by clouddpc (NOT MANAGED BY COMPANY PORTAL, the intent
will not be found if work profile is managed by Company Portal).

Validation: Manual validation done with JAmes, setup Android Enterprise
work profile on test device, and was getting a success when querying for
intent. Did this for MSAL, MSAL/Broker, and OneAuth/Broker. Separate
work must be done to get these parameters sent in oneuath only scenarios


[AB#3138815](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3138815)

Author: fadidurah

changelog.txt

@@ -1,5 +1,6 @@
 vNext
 ----------
+- [MINOR] Pass Work Profile existence, OS Version, and Manufacturer to ESTS (#2627)
 - [MINOR] Add telemetry for the switch browser protocol (#2612)
 
 Version 21.0.0

common/src/main/java/com/microsoft/identity/common/components/AndroidPlatformComponentsFactory.java

@@ -36,6 +36,7 @@
 import com.microsoft.identity.common.internal.providers.oauth2.AndroidTaskStateGenerator;
 import com.microsoft.identity.common.internal.ui.AndroidAuthorizationStrategyFactory;
 import com.microsoft.identity.common.internal.ui.browser.AndroidBrowserSelector;
+import com.microsoft.identity.common.internal.util.WorkProfileUtil;
 import com.microsoft.identity.common.java.WarningType;
 import com.microsoft.identity.common.java.interfaces.IPlatformComponents;
 import com.microsoft.identity.common.java.interfaces.PlatformComponents;
@@ -67,6 +68,10 @@ public static synchronized void initializeGlobalStates(@NonNull final Context co
         if (!sGlobalStateInitalized) {
             HttpCache.initialize(context);
             Device.setDeviceMetadata(new AndroidDeviceMetadata());
+
+            // Denotes whether or not request is from personal profile but device has a Work Profile Available
+            Device.setIsInPersonalProfileButClouddpcWorkProfileAvailable(
+                    WorkProfileUtil.checkIfIsInPersonalProfileButClouddpcWorkProfileAvailable(context));
             Logger.setAndroidLogger();
 
             final File cacheDir = context.getCacheDir();

common/src/main/java/com/microsoft/identity/common/internal/util/WorkProfileUtil.java

@@ -0,0 +1,70 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.internal.util;
+
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.ResolveInfo;
+import android.os.Build;
+
+import com.microsoft.identity.common.logging.Logger;
+
+import java.util.List;
+
+import lombok.NonNull;
+
+public class WorkProfileUtil {
+    private static final String TAG = WorkProfileUtil.class.getSimpleName();
+
+    /**
+     * Helper method to check if we are in personal profile but a work profile managed by clouddpc
+     * is available.
+     * <a href="https://developers.google.com/android/management/work-profile-detection#detect_if_the_device_has_a_work_profile">Google Docs for intent used</a>
+     * @param context context needed to check for intent
+     * @return true if called in personal profile and a work profile managed by clouddpc exists, false otherwise
+     */
+    public static boolean checkIfIsInPersonalProfileButClouddpcWorkProfileAvailable(@NonNull final Context context) {
+        try {
+            final Intent intent = new Intent("com.google.android.apps.work.clouddpc.ACTION_DETECT_WORK_PROFILE");
+            final List<ResolveInfo> activities = context.getPackageManager().queryIntentActivities(intent, 0);
+
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
+                return activities.stream()
+                        .anyMatch(
+                                (ResolveInfo resolveInfo) -> resolveInfo.isCrossProfileIntentForwarderActivity());
+            } else {
+                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
+                    return activities.stream()
+                            .anyMatch(
+                                    (ResolveInfo resolveInfo) -> resolveInfo.activityInfo.name.equals("com.android.internal.app.ForwardIntentToManagedProfile"));
+                }
+            }
+
+            return false;
+        } catch (Exception e) {
+            // If we run into exception for any reason, we'll just return false
+            Logger.warn(TAG, "Received an exception while trying to check if clouddpc work profile is available: " + e.getMessage());
+            return false;
+        }
+    }
+}

common4j/src/main/com/microsoft/identity/common/java/platform/Device.java

@@ -50,6 +50,11 @@ public class Device {
 
     private static IDeviceMetadata sDeviceMetadata;
 
+    /**
+     * Denotes whether or not request is from personal profile but device has a Work Profile Available
+     */
+    private static boolean sIsInPersonalProfileButClouddpcWorkProfileAvailable = false;
+
     private static final ReentrantReadWriteLock sLock = new ReentrantReadWriteLock();
 
     @GuardedBy("sLock")
@@ -73,6 +78,26 @@ public static void clearDeviceMetadata(){
         }
     }
 
+    @GuardedBy("sLock")
+    public static void setIsInPersonalProfileButClouddpcWorkProfileAvailable(final boolean isWorkProfileAvailable) {
+        sLock.writeLock().lock();
+        try {
+            sIsInPersonalProfileButClouddpcWorkProfileAvailable = isWorkProfileAvailable;
+        } finally {
+            sLock.writeLock().unlock();
+        }
+    }
+
+    @GuardedBy("sLock")
+    public static boolean isInPersonalProfileButClouddpcWorkProfileAvailable() {
+        sLock.readLock().lock();
+        try {
+            return sIsInPersonalProfileButClouddpcWorkProfileAvailable;
+        } finally {
+            sLock.readLock().unlock();
+        }
+    }
+
     @NonNull
     @GuardedBy("sLock")
     public static Map<String, String> getPlatformIdParameters() {
@@ -84,10 +109,12 @@ public static Map<String, String> getPlatformIdParameters() {
                 platformParameters.put(PlatformIdParameters.CPU_PLATFORM, sDeviceMetadata.getCpu());
                 platformParameters.put(PlatformIdParameters.OS, sDeviceMetadata.getOsForEsts());
                 platformParameters.put(PlatformIdParameters.DEVICE_MODEL, sDeviceMetadata.getDeviceModel());
+                platformParameters.put(PlatformIdParameters.MANUFACTURER, sDeviceMetadata.getManufacturer());
             } else {
                 platformParameters.put(PlatformIdParameters.CPU_PLATFORM, NOT_SET);
                 platformParameters.put(PlatformIdParameters.OS, NOT_SET);
                 platformParameters.put(PlatformIdParameters.DEVICE_MODEL, NOT_SET);
+                platformParameters.put(PlatformIdParameters.MANUFACTURER, NOT_SET);
             }
 
             return Collections.unmodifiableMap(platformParameters);
@@ -246,6 +273,11 @@ public static final class PlatformIdParameters {
          */
         public static final String OS = "x-client-OS";
 
+        /**
+         * The String representing the device Manufacturer.
+         */
+        public static final String MANUFACTURER = "x-client-MN";
+
         /**
          * The String representing the device model.
          */

common4j/src/main/com/microsoft/identity/common/java/providers/microsoft/MicrosoftAuthorizationRequest.java

@@ -123,6 +123,12 @@ public abstract class MicrosoftAuthorizationRequest<T extends MicrosoftAuthoriza
     @SerializedName("x-client-DM")
     private final String mDiagnosticDM;
 
+    @Expose()
+    @Getter
+    @Accessors(prefix = "m")
+    @SerializedName("x-client-MN")
+    private final String mDiagnosticMN;
+
     @Expose()
     @Getter
     @Accessors(prefix = "m")
@@ -135,6 +141,12 @@ public abstract class MicrosoftAuthorizationRequest<T extends MicrosoftAuthoriza
     @SerializedName("pc")
     private final String mPreferredAuthMethodCode;
 
+    @Expose()
+    @Getter
+    @Accessors(prefix = "m")
+    @SerializedName("x-client-WPAvailable")
+    private final Boolean mWorkProfileAvailable;
+
 
     /**
      * Constructor of MicrosoftAuthorizationRequest.
@@ -162,6 +174,8 @@ protected MicrosoftAuthorizationRequest(@SuppressWarnings(WarningType.rawtype_wa
         mDiagnosticOS = Device.getOsForEsts();
         mDiagnosticDM = Device.getModel();
         mDiagnosticCPU = Device.getCpu();
+        mDiagnosticMN = Device.getManufacturer();
+        mWorkProfileAvailable = Device.isInPersonalProfileButClouddpcWorkProfileAvailable();
     }
 
     public abstract static class Builder<B extends MicrosoftAuthorizationRequest.Builder<B>> extends AuthorizationRequest.Builder<B> {

common4j/src/test/com/microsoft/identity/common/java/platform/DeviceTest.java

@@ -51,10 +51,11 @@ public void tearDown() {
     public void testGetDataWhenMetadataIsNotSet(){
         // Shouldn't crash.
         final Map<String, String> platformParameter = Device.getPlatformIdParameters();
-        Assert.assertEquals(3, platformParameter.size());
+        Assert.assertEquals(4, platformParameter.size());
         Assert.assertEquals(NOT_SET, platformParameter.get(Device.PlatformIdParameters.CPU_PLATFORM));
         Assert.assertEquals(NOT_SET, platformParameter.get(Device.PlatformIdParameters.DEVICE_MODEL));
         Assert.assertEquals(NOT_SET, platformParameter.get(Device.PlatformIdParameters.OS));
+        Assert.assertEquals(NOT_SET, platformParameter.get(Device.PlatformIdParameters.MANUFACTURER));
 
         Assert.assertEquals(NOT_SET, Device.getManufacturer());
         Assert.assertEquals(NOT_SET, Device.getModel());
@@ -66,10 +67,11 @@ public void testGetPlatformIdParameters(){
         Device.setDeviceMetadata(new MockDeviceMetadata());
 
         final Map<String, String> platformParameter = Device.getPlatformIdParameters();
-        Assert.assertEquals(3, platformParameter.size());
+        Assert.assertEquals(4, platformParameter.size());
         Assert.assertEquals(MockDeviceMetadata.TEST_CPU, platformParameter.get(Device.PlatformIdParameters.CPU_PLATFORM));
         Assert.assertEquals(MockDeviceMetadata.TEST_DEVICE_MODEL, platformParameter.get(Device.PlatformIdParameters.DEVICE_MODEL));
         Assert.assertEquals(MockDeviceMetadata.TEST_OS_ESTS, platformParameter.get(Device.PlatformIdParameters.OS));
+        Assert.assertEquals(MockDeviceMetadata.TEST_MANUFACTURER, platformParameter.get(Device.PlatformIdParameters.MANUFACTURER));
     }
 
     @Test

common4j/src/test/com/microsoft/identity/common/java/providers/microsoft/MicrosoftAuthorizationRequestTest.java

@@ -49,6 +49,7 @@ public class MicrosoftAuthorizationRequestTest {
     @After
     public void tearDown() {
         Device.clearDeviceMetadata();
+        Device.setIsInPersonalProfileButClouddpcWorkProfileAvailable(false);
     }
 
     public static final String MOCK_AUTHORITY = "http://mock_authority";
@@ -85,13 +86,51 @@ public void testCreateUriFromAuthorizationRequest() throws MalformedURLException
                         "&x-client-OS=" + MockDeviceMetadata.TEST_OS_ESTS +
                         "&x-client-CPU=" + MockDeviceMetadata.TEST_CPU +
                         "&x-client-DM=" + MockDeviceMetadata.TEST_DEVICE_MODEL +
+                        "&x-client-MN=" + MockDeviceMetadata.TEST_MANUFACTURER +
                         "&instance_aware=" + MOCK_MULTIPLE_CLOUD_AWARE +
+                        "&x-client-WPAvailable=false" +
                 // Base class fields start here.
                         "&response_type=code" +
                         "&state=" + MOCK_STATE_ENCODED,
                 request.getAuthorizationRequestAsHttpRequest().toString());
     }
 
+    @Test
+    public void testCreateUriFromAuthorizationRequestWithWPAvailable() throws MalformedURLException, ClientException {
+        Device.setDeviceMetadata(new MockDeviceMetadata());
+
+        Device.setIsInPersonalProfileButClouddpcWorkProfileAvailable(true);
+
+        final MockMicrosoftAuthorizationRequest request = new MockMicrosoftAuthorizationRequest.Builder()
+                .setAuthority(new URL(MOCK_AUTHORITY))
+                .setLibraryVersion(MOCK_LIBRARY_VERSION)
+                .setLibraryName(MOCK_LIBRARY_NAME)
+                .setMultipleCloudAware(MOCK_MULTIPLE_CLOUD_AWARE)
+                .setCorrelationId(MOCK_CORRELATION_ID)
+                .setLoginHint(MOCK_LOGIN_HINT)
+                .setPkceChallenge(MOCK_PKCE_CHALLENGE)
+                .setState(MOCK_STATE)
+                .build();
+
+        Assert.assertEquals(MockAuthorizationRequest.MOCK_AUTH_ENDPOINT +
+                        "?login_hint=" + MOCK_LOGIN_HINT +
+                        "&client-request-id=" + MOCK_CORRELATION_ID +
+                        "&code_challenge=" + MOCK_PKCE_CHALLENGE.getCodeChallenge() +
+                        "&code_challenge_method=" + MOCK_PKCE_CHALLENGE.getCodeChallengeMethod() +
+                        "&x-client-Ver=" + MOCK_LIBRARY_VERSION +
+                        "&x-client-SKU=" + MOCK_LIBRARY_NAME +
+                        "&x-client-OS=" + MockDeviceMetadata.TEST_OS_ESTS +
+                        "&x-client-CPU=" + MockDeviceMetadata.TEST_CPU +
+                        "&x-client-DM=" + MockDeviceMetadata.TEST_DEVICE_MODEL +
+                        "&x-client-MN=" + MockDeviceMetadata.TEST_MANUFACTURER +
+                        "&instance_aware=" + MOCK_MULTIPLE_CLOUD_AWARE +
+                        "&x-client-WPAvailable=true" +
+                        // Base class fields start here.
+                        "&response_type=code" +
+                        "&state=" + MOCK_STATE_ENCODED,
+                request.getAuthorizationRequestAsHttpRequest().toString());
+    }
+
     // If state is not provided, MicrosoftAuthorizationRequest should generate a default one.
     @Test
     public void testDefaultStateGenerated(){

common4j/src/test/com/microsoft/identity/common/java/providers/microsoft/microsoftsts/MicrosoftStsAuthorizationRequestTests.java

@@ -95,6 +95,7 @@ public class MicrosoftStsAuthorizationRequestTests {
     @After
     public void tearDown() {
         Device.clearDeviceMetadata();
+        Device.setIsInPersonalProfileButClouddpcWorkProfileAvailable(false);
     }
 
     static URL getValidRequestUrl() throws MalformedURLException {
@@ -139,6 +140,61 @@ public void testCreateUriFromAuthorizationRequest() throws MalformedURLException
                         "&x-client-OS=" + MockDeviceMetadata.TEST_OS_ESTS +
                         "&x-client-CPU=" + MockDeviceMetadata.TEST_CPU +
                         "&x-client-DM=" + MockDeviceMetadata.TEST_DEVICE_MODEL +
+                        "&x-client-MN=" + MockDeviceMetadata.TEST_MANUFACTURER +
+                        "&x-client-WPAvailable=false" +
+                        "&response_type=code" +
+                        "&client_id=" + DEFAULT_TEST_CLIENT_ID +
+                        "&redirect_uri=" + DEFAULT_TEST_REDIRECT_URI_ENCODED +
+                        "&state=" + MOCK_STATE_ENCODED +
+                        "&scope=" + DEFAULT_TEST_SCOPE_ENCODED +
+                        "&" + MOCK_FLIGHT_QUERY_1 + "=" + MOCK_FLIGHT_VALUE_1 +
+                        "&" + MOCK_FLIGHT_QUERY_2 + "=" + MOCK_FLIGHT_VALUE_2 +
+                        "&slice=" + DEFAULT_TEST_SLICE_PARAMETER +
+                        "&dc=" + DEFAULT_TEST_DATA_CENTER,
+                request.getAuthorizationRequestAsHttpRequest().toString());
+
+        Assert.assertEquals(DEFAULT_TEST_DISPLAYABLEID, request.getDisplayableId());
+    }
+
+    @Test
+    public void testCreateUriFromAuthorizationRequestWithWPAvailable() throws MalformedURLException, URISyntaxException, ClientException {
+        Device.setDeviceMetadata(new MockDeviceMetadata());
+        Device.setIsInPersonalProfileButClouddpcWorkProfileAvailable(true);
+
+        final MicrosoftStsAuthorizationRequest request = new MicrosoftStsAuthorizationRequest.Builder()
+                .setPrompt(DEFAULT_TEST_PROMPT)
+                .setUid(DEFAULT_TEST_UID)
+                .setUtid(DEFAULT_TEST_UTID)
+                .setInstalledCompanyPortalVersion(TEST_CP_VERSION)
+                .setSlice(DEFAULT_TEST_SLICE)
+                .setFlightParameters(DEFAULT_FLIGHT_PARAMETER)
+                .setDisplayableId(DEFAULT_TEST_DISPLAYABLEID)
+
+                // Values from base class.
+                .setCorrelationId(DEFAULT_TEST_CORRELATION_ID)
+                .setPkceChallenge(MOCK_PKCE_CHALLENGE)
+                .setAuthority(getValidRequestUrl())
+
+                .setClientId(DEFAULT_TEST_CLIENT_ID)
+                .setRedirectUri(DEFAULT_TEST_REDIRECT_URI)
+                .setState(MOCK_STATE)
+                .setScope(DEFAULT_TEST_SCOPE)
+                .build();
+
+        Assert.assertEquals(DEFAULT_TEST_AUTHORIZATION_ENDPOINT +
+                        "?prompt=" + DEFAULT_TEST_PROMPT +
+                        "&login_req=" + DEFAULT_TEST_UID +
+                        "&domain_req=" + DEFAULT_TEST_UTID +
+                        "&cpVersion=" + TEST_CP_VERSION +
+                        // Base class fields start here.
+                        "&client-request-id=" + DEFAULT_TEST_CORRELATION_ID +
+                        "&code_challenge=" + MOCK_PKCE_CHALLENGE.getCodeChallenge() +
+                        "&code_challenge_method=" + MOCK_PKCE_CHALLENGE.getCodeChallengeMethod() +
+                        "&x-client-OS=" + MockDeviceMetadata.TEST_OS_ESTS +
+                        "&x-client-CPU=" + MockDeviceMetadata.TEST_CPU +
+                        "&x-client-DM=" + MockDeviceMetadata.TEST_DEVICE_MODEL +
+                        "&x-client-MN=" + MockDeviceMetadata.TEST_MANUFACTURER +
+                        "&x-client-WPAvailable=true" +
                         "&response_type=code" +
                         "&client_id=" + DEFAULT_TEST_CLIENT_ID +
                         "&redirect_uri=" + DEFAULT_TEST_REDIRECT_URI_ENCODED +