Office 365 / Exchange Online Protection Certificate Issue

shaunpbrowne
New Contributor

Hi all,

In our institution we have moved to Office 365 and recently activated Exchange Online Protection. When a user receives an email from EOP the user can click on a link to "Release to inbox". When they click on it in Safari it prompts with: The website "emea01-quarantine.dataservice.protection.outlook.com" requires a client certificate. It then asks to select the certificate to use when you connect to this website. (see attached image)

In the list it shows 1 certificate that exists in MDM profile which Casper applies and seems directly linked to the SCEP Enrollment Request. Our users are not admins so cannot continue as it then requires access to the System keychain. If the certificate is deleted as this link states: my link text then I notice that management command problems can be seen in the Casper interface for that computer and I have to remove the mdm profile and re-add it to get it to work again.

If I click on the "Release to inbox" link in Chrome it works fine.

Is this a problem with Casper and the SCEP or Safari being more security savvy than Chrome? I'm not to savvy on certificates so I'm feeling a little out of my depth here...

Any help greatly appreciated.

7 REPLIES 7

nateburt
New Contributor III

@shaunpbrowne Any progress on this issue? We are seeing a similar issue, and aren't in the position to direct all users to set a default browser other than Safari.

cbartley
New Contributor II

Apologies for digging up an old thread, but...

I'm curious if anyone ever found anything out about this issue? We just started getting reports this morning about this and the symptoms are the same - Safari asks to select a cert to validate identity, but Chrome works just fine.

Thanks in advance!

r0blee
New Contributor II

Not looked into this in any detail but the link you sent suggests that delete the certificate fixes the issue. If that's correct (?) you could create a policy that deletes this from the keychain for them and put it in Self Service so they can choose to run it themselves.

On the opposite side of that you could always create a policy to install and trust a specific certificate if needed.

Look into the 'security' commands in terminal for how to do this or google some examples. There are quite a lot of options for 'security' if you look at the man page in terminal.

Rob

takayuki
New Contributor III

F.Y.I

We escalated this issue to Apple, and the latest version of Safari in macOS 10.12.6 already fixed the issue (the certificate selection window is no longer prompted for the Exchange Online Protection).

NowAllTheTime
Contributor III

Looks like this issue is back. We are experiencing it even on Macs running 10.12.6 and Safari 11.0. Issue was not occurring as of last week. I opened a support case with Apple and we are also working on opening one with Microsoft. We'll see where this goes...

msemertzides
New Contributor II

+1 on this issue. I know this thread is ages old by now, but I'm on 10.14.4 beta, with Safari 12.1, and we're stilling this issue as well.

lunddal
Contributor

And it's back again in the last couple of Safari 13.x versions.

Clicking Cancel works though.