O365 & Multi-Factor Auth with iOS Mail.app

dstranathan
Valued Contributor II

Anyone out there using O365 & Multi-Factor Auth (MFA) with the iOS Mail.app for Exchange email?

I am getting ready to enable/require MFA for O365. I'm having issues getting MFA to work on iOS devices that are managed with an Exchange MDM profile.

Example:

Currently, if I deploy a Meraki Exchange Profile to an iOS 11 device, a user who has been set up for MFA in O365 never gets prompted for MFA (other than filling out his/her password). Therefore, users won't receive email because the Apple Mail.app is not trusted.

However, if that same user manually creates his/her Exchange O365 account in Mail.app, he/she will get challenged via MFA to complete the app trust as expected.

My environment:

-All iOS devices are running iOS 11.
-All iOS devices are managed in Cisco's Meraki MDM (migrating to Jamf...eventually).
-Our devices are not Supervised.
-We use Apple's iOS Mail.app (not the MS Outlook app).
-Users can choose to use SMS or the MS Authenticator app for MFA.
-IT director does not want to use App Passwords (too messy and complicated), so we must use OAuth.
-My MDM profile provisions devices with the user's name, email address, server information, and password criteria.

Does anyone have any suggestions on how to manage iOS Exchange accounts in MDM and enable O365 MFA?

6 REPLIES

jedi1yoda1
New Contributor III

Currently iOS supports O365 modern authentication only when it's a user-driven account setup.

From: https://blogs.technet.microsoft.com/intunesupport/2017/09/12/support-tip-intune-support-for-ios-11/

With iOS 11, Apple has provided modern authentication (OAuth) to users when manually setting up an Exchange account for the Mail app. However, Exchange Profiles set up via MDM will only continue to work with traditional (basic) and cert-based authentication.

I've had a few of my customers ask about this and I've gotten no (decent) response from our Apple SEs on if it will be supported via MDM in iOS 12.

dstranathan
Valued Contributor II

Thanks @jedi1yoda1 for clarification.

"Plan B"...

-Does Microsoft Intune provide the "glue" I need to integrate iOS, MDM and Exchange with O365 MFA?

-Can Outlook for iOS be configured with Exchange profiles? I don't see any Outlook app payload options in Apple's Configurator 2 or Meraki MDM.

My situation seems pretty generic - I can't believe more businesses/schools aren't having the same challenges I am with MFA/OAuth on managed iOS devices.

dstranathan
Valued Contributor II

After more investigation, it appears that Apple plans on providing OAuth 2.0 support in iOS 12 for managed devices.

From MobileIron (https://www.mobileiron.com/en/blog/ios-12-what-enterprises-oauth-know):

"Based on the first iOS 12 developer beta build, Apple has now added OAuth 2.0 support for Microsoft Exchange accounts that can be deployed through MDM. For those who have been following the OAuth saga, this isn’t the first time we’ve seen OAuth 2.0 in the wild. In iOS 11, OAuth 2.0 for Microsoft exchange accounts became generally available. With the general availability, enterprises faced challenges securing their Office 365 email on iOS 11 because OAuth 2.0 was first introduced as a user-driven feature. For those interested in understanding how OAuth works or simply in need of a refresher, you can find my past blog posts here (Part 1/Part 2). If the first iOS 12 beta is any indication of future enhancements, the OAuth capability is now a part of the exchange payload, meaning administrators can deploy an iOS native email account to their iOS fleet with OAuth capability. This post will go into why enterprises are considering OAuth, how to configure OAuth for email, and what the user will see after exchange has been deployed."

Apple PDF: https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf

Apple Video: Apple confirms OAuth at WWDC in 'Managing Apple Devices' session 302 (scrub to ~17:37) https://developer.apple.com/videos/play/wwdc2018/302/

dstranathan
Valued Contributor II

I now have iOS 12 dev beta 6 installed, and I'm using Apple Configurator 2.8 to generate an ActiveSync payload that contains the new OAuth 2.0 settings.

The deployment and setup of the Exchange/ActiveSync profile is smooth and easy in iOS 12 as expected.

The final end-user step is the GUI prompt to enter a MFA code (via SMS or the MS Authenticator app). Pretty much performs as expected too (other than a couple extra taps and 'hops' to the MS cloud).

The problem I am experiencing is that Mail/Contacts/Calendar stop syncing after a couple hours of deployment. At this time, I see a generic "Failed to connect to server" error.

There is no way to force a new session/token. No way to re-authenticate again (i.e., no password field). All ActiveSync-based services stop working until the MDM profile is removed and re-deployed again.

Rinse & repeat.

I'm deploying the Apple .mobileconfig (XML) profile to my test iOS 12 devices via USB (Apple Configurator) and via Meraki MDM. Both yield the same results.

The problem is not related to deployment. The problem clearly appears to be a session time-out or a token refresh failure.

MFA (multi-factor authentication) works great on our Macs and Windows PCs (including Outlook 2016, Skype for Business, Outlook Webmail, etc). Both SMS and the Microsoft Authenticator app work fine for one-time passcodes too.

No App Passwords are used in my environment (other than the initial App Password generated automatically by MS when an account transitions from 'Enabled' to 'Enforced').

I have been able to reproduce this issue on multiple iOS devices running iOS 12 betas #5 and #6.

I have rebuilt the MDM .mobileconfig profile numerous times (including creating it by hand in a text editor). Profile and payloads look perfect.

I am digging into O365 server/tenant logs now, but I don't see anything interesting yet.

Has anyone else experienced this issue? Any help or feedback is greatly appreciated.
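For anyone building the Exchange ActiveSync payload by hand rather than through Configurator, the following is an added example for this thread (not Apple's, Microsoft's or Meraki's code). It generates the `com.apple.eas.account` payload with the iOS 12 `OAuth` key set, wraps it in a top-level Configuration profile, and lints an existing .mobileconfig for the two things that defeat the O365 MFA prompt: OAuth left off (basic auth, no challenge) and a password embedded in the profile. The key names come from Apple's Configuration Profile Reference linked earlier in the thread; the `com.example` identifiers, the e-mail addresses and the optional `OAuthSignInURL` handling are assumptions.

```python
"""Generate and lint an iOS Exchange ActiveSync .mobileconfig for Office 365
with OAuth 2.0 enabled (iOS 12+). Added example for this thread; payload key
names follow Apple's Configuration Profile Reference, everything else
(identifiers, addresses) is made up."""

import plistlib
import uuid

# Exchange Online EAS endpoint used by Office 365 tenants.
O365_EAS_HOST = "outlook.office365.com"
EAS_PAYLOAD_TYPE = "com.apple.eas.account"


def eas_payload(email, username, *, oauth, password=None,
                display_name="Exchange (O365)", sign_in_url=None):
    """Return one Exchange ActiveSync payload dictionary.

    With oauth=True the device sends the user through the Microsoft sign-in
    (including the MFA challenge) instead of presenting a stored password, so
    no Password key is ever written in that case. sign_in_url maps to the
    optional OAuthSignInURL key (assumption: left unset, the device discovers it).
    """
    payload = {
        "PayloadType": EAS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.eas.{uuid.uuid4()}",  # hypothetical prefix
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "EmailAddress": email,
        "UserName": username,
        "Host": O365_EAS_HOST,
        "SSL": True,
        "OAuth": bool(oauth),  # the iOS 12 switch this thread is about
    }
    if oauth:
        if sign_in_url:
            payload["OAuthSignInURL"] = sign_in_url
    elif password is not None:
        # Basic auth only: a stored password is exactly what lets the device
        # authenticate without ever triggering the O365 MFA prompt.
        payload["Password"] = password
    return payload


def build_profile(payloads, display_name="O365 Mail (OAuth)",
                  identifier="com.example.o365.mail"):
    """Wrap payloads in the top-level Configuration dictionary."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": "Example Org",  # hypothetical
        "PayloadContent": list(payloads),
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist that Configurator and MDMs distribute."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def lint_profile(data):
    """Inspect a .mobileconfig (XML bytes or parsed dict) and return a list of
    findings for EAS payloads that would bypass O365 MFA or embed a secret.
    An empty list means every EAS payload is set up for OAuth."""
    profile = plistlib.loads(data) if isinstance(data, (bytes, bytearray)) else data
    findings = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != EAS_PAYLOAD_TYPE:
            continue
        name = p.get("PayloadDisplayName") or p.get("PayloadUUID", "<eas payload>")
        if not p.get("OAuth"):
            findings.append(f"{name}: OAuth is off, so Mail.app falls back to basic "
                            "auth and the O365 MFA challenge never fires")
        if "Password" in p:
            findings.append(f"{name}: Password key present; a distributed profile "
                            "should not carry the user's password, and OAuth does not use it")
        if not p.get("SSL", True):
            findings.append(f"{name}: SSL is explicitly false")
        if p.get("Host") != O365_EAS_HOST:
            findings.append(f"{name}: Host is {p.get('Host')!r}, expected {O365_EAS_HOST}")
    return findings


if __name__ == "__main__":
    good = build_profile([eas_payload("jdoe@example.com", "jdoe@example.com", oauth=True)])
    print(to_mobileconfig(good).decode())
    bad = build_profile([eas_payload("jdoe@example.com", "jdoe@example.com",
                                     oauth=False, password="hunter2")])
    for finding in lint_profile(to_mobileconfig(bad)):
        print("finding:", finding)
```

Running the module prints a ready-to-sign profile with `<key>OAuth</key><true/>` and no `Password` key, then lints a basic-auth variant; pointing `lint_profile` at a profile exported from Meraki or Configurator is a quick way to confirm the OAuth key actually made it into the payload before the profile reaches a device.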

mnickels
New Contributor III

Did you end up having luck in getting your O365/OAuth issues resolved?

jamesandre
Contributor

Not sure when it was introduced, but there is a "Use OAuth for authentication" in the Exchange ActiveSync section of a Configuration Profile now. Enabling this prompts the user to go through the 2FA authentication process, so we can now use O365 with a Configuration Profile.