Office 365 OAuth issue with mail.app on iOS 12

mnickels
New Contributor III

Hello everyone,

My organization uses Office 365 with ADFS/Modern Authentication to control access. Basically, we use our MDM to place a certificate on the device, and when the device attempts to login, they are redirected to our ADFS server which validates that the certificate is valid before allowing access to any Office 365 application. This configuration works perfectly for all of the Microsoft apps (Outlook/Excel/etc.).

iOS 11 introduced support for user-driven Modern Authentication using the native iOS mall.app, and iOS 12 introduced an MDM configuration - I am seeing an issue with either method.

My issue is that my ADFS server states that no certificate was presented, when a user tries to re-authenticate. Here is the flow:
1. I deploy a certificate to the iOS device via MDM
2. I deploy an email profile with the key OAuth=True configured so iOS knows to use modern authentication
3. On the iOS device, I get prompted to enter my credentials. The pop-up has a button called edit-settings
4. The settings app opens
5. I find my email account, and click on it
6. In the top, there is a link called "re-authenticate"
7. When I click re-authenticate, I am directed to Office 365, which sees my domain as federated, and directs me to my ADFS server
8. For this initial time, the certificate is presented correctly, I am able to complete the logon process and my email starts flowing.
9. Some time later, my access token expires, and I get the prompt to enter credentials again (#3 above)
10. I go through steps 4-7 above
11. When I hit step 8, ADFS now tells me that no certificate was presented, and I am unable to login.

The work-around for this is to force-close the Settings app, and re-launch it -> my certificate is then successfully presented. I don't want to have to provide this work-around to my end users.

My ADFS guys are telling me that this is a client issue as the client is not presenting the certificate. Has anyone seen this behavior before? Does anyone have ideas on what could possibly cause this behavior?

Thanks,

  • Mike
1 REPLY 1

jchiriac
New Contributor

Hi Mike

Are you still having issues with OAuth and iOS?

We are having a very similar issue except the certificate saves however the user is prompted to reenter their password after a couple of days, and because our devices are managed they are unable to unless we exclude them.
Unfortunately I haven't been able to precisely pin point the problem to a singular version of iOS and in face I've noticed it happen to devices that are managed but have no restrictions, and so I doubt it's a Jamf issue.

If anyone has any advice I'd appreciate it because I've been racking my brain for months trying to troubleshoot it.

best
Jason