Posted on 09-17-2018 07:29 AM
My company uses Office 365 for email and Ping Identity for multi-factor authentication.
When an end-user manually creates the O365 mail account on an iOS device, the user gets the OAuth/Modern Auth windows that use Ping Identity to perform multi-factor authentication. It goes like this:
1. User adds account in settings
2. OAuth prompt launches the Ping Identity process
2a. Ping prompts for email address and password of user
2b. Ping prompts for second-factor security code
3. Account setup is completed.
If I use a configuration profile with the Exchange payload to set up the user's account, it seems to bypass the multi-factor authentication. It goes more like this:
1. profile with exchange payload is deployed to iOS device (profile has server and username for account, but not password)
2. Modal notification appears on iOS device, asking user to enter account password
3. User enters account password into Modal notification.
4. Account setup is completed
It seems this method bypasses OAuth multi-factor authentication.
Is this by design, or a limitation? Anyone else experiencing this?
Posted on 09-18-2018 09:40 AM
What are you populating in the Exchange ActiveSync MDM payloads for "User" and "Email Address"? Are you logging in any $ % variables or are they blank?
What tool or MDM are you building the profile with? If you use Apple Configurator you will need 2.8 beta or higher I think. I don't think many MDMs have OAuth built-in natively yet (since iOS 12 just came out yesterday).
Keep in mind...
-iOS 12 is required for OAuth to be managed via MDM.
-If you are an O365 customer, you must enable MFA for the target user(s) in your O365 Exchange tenant.
-I think O365 users have to choose an MFA method (SMS, MS Authenticator app, etc.) from their O365 portal page.
I have a similar issue: I can manually install an OAuth-enabled Exchange profile to my devices over USB (from Apple Configurator), but if I deploy via an MDM (Jamf, Intune, Meraki - doesn't matter), the user gets a prompt to authenticate, but the account is named "null" and the auth process doesn't complete (never gets redirected to authenticate and two-factor never occurs).
Posted on 09-20-2018 04:02 PM
@dstranathan I'm using $ROOM as the username (this is the variable we mapped to UPN - don't ask) and $EMAIL as the email address in the Exchange payload. I'm using Jamf Pro to build the profile and deploy it. Tested under the last release of 10.6.x but not yet in 10.7. My users are MFA-enabled; it works as expected if the account is set up manually rather than via payload.
Posted on 12-11-2018 12:04 PM
Not sure when it was introduced, but there is a "Use OAuth for authentication" option in the Exchange ActiveSync section of a Configuration Profile now. Enabling this prompts the user to go through the 2FA authentication process, so we can now use O365 with a Configuration Profile.
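The thread boils down to one setting: an Exchange ActiveSync payload without OAuth makes the device collect the password itself, so the identity provider (and its MFA policy) is never involved, while the "Use OAuth for authentication" option hands sign-in to the IdP. The script below is an added example, not code from the thread, Jamf or Apple. It audits a .mobileconfig for Exchange payloads that still rely on password authentication. It assumes Apple's documented payload type `com.apple.eas.account` and its boolean `OAuth` key; the sample profile, its identifiers, UUIDs and user names are constructed placeholders.

```python
import plistlib

# Apple's Exchange ActiveSync payload type (from the configuration profile reference).
EAS_PAYLOAD_TYPE = "com.apple.eas.account"

# Constructed sample profile (assumed shape, not a profile from the thread):
# one payload in the password-prompt shape the thread describes, one with OAuth on.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.mdm.exchange",            # placeholder
    "PayloadUUID": "11111111-1111-1111-1111-111111111111",  # placeholder
    "PayloadContent": [
        {   # No OAuth: device prompts for the password and never reaches the IdP
            "PayloadType": EAS_PAYLOAD_TYPE,
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.eas.password",    # placeholder
            "PayloadUUID": "22222222-2222-2222-2222-222222222222",
            "Host": "outlook.office365.com",
            "UserName": "jdoe@example.com",                 # constructed
            "EmailAddress": "jdoe@example.com",
            "SSL": True,
        },
        {   # OAuth on: sign-in is redirected to the IdP, so its MFA policy applies
            "PayloadType": EAS_PAYLOAD_TYPE,
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.eas.oauth",       # placeholder
            "PayloadUUID": "33333333-3333-3333-3333-333333333333",
            "Host": "outlook.office365.com",
            "UserName": "jdoe@example.com",
            "EmailAddress": "jdoe@example.com",
            "SSL": True,
            "OAuth": True,
        },
    ],
}


def audit_exchange_payloads(profile: dict) -> list[tuple[str, str]]:
    """Return (payload identifier, issue) pairs for Exchange ActiveSync payloads
    that would let the device authenticate with a password instead of OAuth."""
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != EAS_PAYLOAD_TYPE:
            continue
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        if payload.get("OAuth") is not True:
            # Without OAuth the device collects the password itself, so the
            # identity provider's MFA step is never triggered.
            findings.append((ident, "OAuth disabled: password prompt bypasses IdP MFA"))
        if "Password" in payload:
            # A password stored in the profile is readable by anyone who has the profile.
            findings.append((ident, "Password embedded in profile"))
    return findings


def audit_mobileconfig(data: bytes) -> list[tuple[str, str]]:
    """Parse an unsigned .mobileconfig (XML or binary plist) and audit it."""
    return audit_exchange_payloads(plistlib.loads(data))


def sample_profile_bytes() -> bytes:
    """Serialize the constructed sample so the audit can be run end to end."""
    return plistlib.dumps(SAMPLE_PROFILE)


if __name__ == "__main__":
    for ident, issue in audit_mobileconfig(sample_profile_bytes()):
        print(f"{ident}: {issue}")
```

Run it against a profile exported from the MDM before deployment; a signed .mobileconfig is CMS-wrapped and must be unwrapped first (on macOS, `security cms -D -i profile.mobileconfig`) before `plistlib` can read it. A flagged payload is exactly the case the thread describes: the device asks for the account password and the IdP's MFA policy is not enforced for that account.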