O365 & Multi-Factor Auth with iOS Mail.app

Currently iOS supports O365 modern authentication only when it's a user-driven account setup.

From: https://blogs.technet.microsoft.com/intunesupport/2017/09/12/support-tip-intune-support-for-ios-11/

With iOS 11, Apple has provided modern authentication (Oauth) to users when manually setting up an Exchange account for the Mail app. However, Exchange Profiles setup via MDM will only continue to work with traditional (basic) and Cert based authentication.

I've had a few of my customers ask about this and I've gotten no (decent) response from our Apple SEs on if it will be supported via MDM in iOS 12.

Thanks @jedi1yoda1 for clarification.

"Plan B"...

-Does Microsoft Intune provide the "glue" I need to integrate iOS, MDM and Exchange with O365 MFA?

-Can Outlook for iOS be configured with Exchange profiles? I don't see any Outlook app payload options in Apple's Configurator 2 or Meraki MDM.

My situation seems pretty generic - I can't believe more businesses/schools aren't having the same challenges I am with MFA/Oauth on managed iOS devices.

After more investigation, it appears that Apple plans on providing Oauth 2.0 support in iOS 12 for managed devices.

From MobileIron (https://www.mobileiron.com/en/blog/ios-12-what-enterprises-oauth-know):

"Based on the first iOS 12 developer beta build, Apple has now added OAuth 2.0 support for Microsoft Exchange accounts that can be deployed through MDM. For those who have been following the OAuth saga, this isn’t the first time we’ve seen OAuth 2.0 in the wild. In iOS 11, OAuth 2.0 for Microsoft exchange accounts became generally available. With the general availability, enterprises faced challenges securing their Office 365 email on iOS 11 because OAuth 2.0 was first introduced as a user-driven feature. For those interested in understanding how OAuth works or simply in need of a refresher, you can find my past blog posts here (Part 1/Part 2). If the first iOS 12 beta is any indication of future enhancements, the OAuth capability is now a part of the exchange payload, meaning administrators can deploy an iOS native email account to their iOS fleet with OAuth capability. This post will go into why enterprises are considering OAuth, how to configure OAuth for email, and what the user will see after exchange has been deployed."

Apple PDF: https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf

Apple Video: Apple confirms OAuth at WWDC in 'Managing Apple Devices' session 302 (scrub to ~17:37) https://developer.apple.com/videos/play/wwdc2018/302/

I now have iOS 12 dev beta 6 installed, and Im using Apple Configurator 2.8 to generate a ActiveSync payload that contains the new OAuth 2.0 settings.

The deployment and setup of the Exchange/ActiveSync profile is smooth and easy in iOS 12 as expected.

The final end-user step is the GUI prompt to enter a MFA code (via SMS or the MS Authenticator app). Pretty much performs as expected too (other than a couple extra taps and 'hops' to the MS cloud).

The problem I am experiencing is that Mail/Contacts/Calendar stop syncing after a couple hours of deployment. At this time, I see a generic "Failed to connect to server" error.

There is no way to force a new session/token. No way to re-authenticate again (i.e.; no password field). All ActiveSync-based services stop working until the MDM profile is removed and re-deployed again.

Rinse & repeat.

I'm deploying the Apple .mobileconfig (XML) profile to my test iOS 12 devices via USB (Apple Configurator) and via Meraki MDM. Both yield the same results.

The problem is not related to deployment. The problem clearly appears to be a session time-out or a token refresh failure.

MFA (multi-factor authentication) works great on our Macs and Windows PCs (including Outlook 2016, Skype for Business, Outlook Webmail, etc). Both SMS and the Microsoft Authenticator app work fine for one-time passcodes too.

No App Passwords are used in my environment (other than the initial App Password generated automatically by MS when an account transitions from 'Enabled' to 'Enforced'.

I have been able to reproduce this issue on multiple iOS devices running iOS 12 betas #5 and #6.

I have rebuilt the MDM .mobileconfig profile numerous times (including creating it by hand in a text editor). Profile and payloads look perfect.

I am digging into O365 server/tenant logs now, but I don't see anything interesting yet.

Has anyone else experienced this issue? Any help or feedback is greatly appreciated.

Did you end up having luck in getting your O365/OAuth issues resolved?

Not sure when it was introduced, but there is a "Use OAuth for authentication" in the Exchange ActiveSync section of a Configuration Profile now. Enabling this prompts the user to go through the 2FA authentication process, so we can now use O365 with a Configuration Profile.