iPadOS (iOS 13+) still not compatible with MAM enforced by Conditional access
Alex Fields
Update 11/18/2019: This issue has now been fixed.
I wrote about this before the update dropped, and in my testing since then I am afraid the situation has not improved.
Create a Conditional access policy for iOS that requires an approved client app. In other words, users cannot use the native mail app (or other third-party apps); they must use an approved Microsoft app such as Outlook. This works perfectly on iPhone, and on iPad prior to 13.x.
Now take an iPad and update it to iOS 13+, and it becomes iPadOS rather than just iOS. Because Safari on iPadOS requests desktop sites and presents a macOS-style user agent, Azure AD incorrectly identifies the device as macOS for certain apps, including Safari and the native mail app.
When you go to add a mail profile to the native mail app, you will find that you have open access, and the Conditional access policy is not enforced.
What's worse is that you cannot fix this problem simply by adding macOS to the device platforms under Conditions. Attempting to do so results in an error message, and the portal will not let you save the policy.
Since the access controls “Require approved client app” and “Require app protection policy” are only supported on Android and iOS, we have no way of enforcing MAM against iPadOS. This is a big problem, and Microsoft needs to figure out how to fix it.
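To make the constraint above concrete, here is an added example (my code, not Microsoft's and not from the original post). It builds policy bodies in the shape of the Microsoft Graph conditionalAccessPolicy resource, re-implements locally the validation rule that the portal enforces (the approved-app and app-protection grant controls are only valid for iOS and Android), and shows with constructed user-agent strings why an iPadOS 13 Safari session is indistinguishable from a Mac and therefore falls outside an iOS-only policy. It does not call the Graph API; the validation rule and the user-agent classifier are assumptions that model the behaviour described in the text, and the user-agent samples are constructed.

```python
"""Model of the Conditional Access platform/grant-control constraint.

Added example, not Microsoft code. Policy bodies follow the Microsoft Graph
conditionalAccessPolicy shape (platform names, builtInControls values), but
validate_policy() and classify_platform() are local assumptions that model the
behaviour described in the post, and the user-agent strings are constructed.
"""
import re

# Grant controls that enforce MAM; assumption: only supported on these platforms.
MAM_CONTROLS = {"approvedApplication", "compliantApplication"}
MAM_PLATFORMS = {"iOS", "android"}

# Constructed sample user agents (not captured from real devices).
UA_IPAD_IOS12 = ("Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1.15 "
                 "(KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1")
UA_IPADOS13 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 "
               "(KHTML, like Gecko) Version/13.0 Safari/605.1.15")
UA_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/12.1.2 Safari/605.1.15")


def make_policy(platforms, controls, operator="OR", name="Require MAM on mobile"):
    """Build a policy body in the Graph conditionalAccessPolicy shape."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": list(platforms), "excludePlatforms": []},
        },
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy would save.

    Assumption: this mirrors the portal's refusal to save a policy that
    applies approvedApplication/compliantApplication to a non-mobile platform.
    """
    platforms = set(policy["conditions"]["platforms"]["includePlatforms"])
    controls = set(policy["grantControls"]["builtInControls"])
    problems = []
    mam = controls & MAM_CONTROLS
    unsupported = platforms - MAM_PLATFORMS
    if mam and unsupported:
        problems.append(
            f"{sorted(mam)} only supported on {sorted(MAM_PLATFORMS)}, "
            f"but policy includes {sorted(unsupported)}"
        )
    return problems


def classify_platform(user_agent):
    """Assumed user-agent based platform guess, as a Conditional Access
    evaluator would have to make for a browser or mail-client sign-in."""
    if re.search(r"\b(iPhone|iPad|iPod)\b", user_agent):
        return "iOS"
    if "Macintosh" in user_agent:
        return "macOS"
    if "Android" in user_agent:
        return "android"
    return "unknown"


def policy_applies(policy, user_agent):
    """True if the sign-in's guessed platform is in the policy's include list."""
    return classify_platform(user_agent) in policy["conditions"]["platforms"]["includePlatforms"]


IOS_MAM_POLICY = make_policy(["iOS", "android"], ["approvedApplication"])


if __name__ == "__main__":
    for label, ua in [("iPad on iOS 12", UA_IPAD_IOS12),
                      ("iPad on iPadOS 13", UA_IPADOS13),
                      ("Mac", UA_MAC)]:
        print(f"{label}: seen as {classify_platform(ua)}, "
              f"iOS policy applies={policy_applies(IOS_MAM_POLICY, ua)}")
    # Trying to close the gap by adding macOS is rejected, as the post describes.
    print(validate_policy(make_policy(["iOS", "macOS"], ["approvedApplication"])))
```

Running it shows the iOS 12 iPad covered by the policy, the iPadOS 13 iPad and the real Mac both classified as macOS and therefore outside it, and the macOS-inclusive variant failing validation.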
MAM is so attractive precisely because we do not have to manage the device itself. It’s easier from an admin perspective:
- Don't have to set up an iOS management certificate
- Don’t have to manage enrollment and life-cycle on all those personal devices out there
- Only have to support a single set of apps (don’t have to support native mail and other third party apps)
And it’s easier from an end-user perspective:
- MAM is hands down easier to use: just install the approved app, set a PIN if required, and so on. By contrast, the enrollment process for MDM can be grueling and confusing, especially on iOS, where you have to manually leave the Company Portal app during the process to enter Settings and complete the management profile installation, then return to the Company Portal app to complete the other setup tasks. Ick!
- The approved / supported apps give the richest and best experience anyway, supporting native features like email encryption, shared mailboxes and calendars, etc.
The new screen…
My MAM policy is set up to target both web browsers and client apps by default. Separately, I added a policy targeting Mac and iOS devices that would require device compliance OR an approved app, just to see what would happen. When using Safari to access OWA, I found that there is now an additional screen during the enrollment process that asks you to identify whether the device is an iPad or a Mac. Kind of hokey that the software can't figure it out for me, but at least it's a workaround. I assume this is so that the correct compliance policy can be assigned to my device (if you're doing MDM).
Unfortunately, having identified my device as an iPad, it still will not enforce the MAM policy (instead it compelled me to enroll the device for MDM, even though my policy said to require only approved app OR compliant device). And with that new policy in place, I'm simply pushed down the MDM path every time, whether I approach it from Safari or the native Apple mail app. It does not respect the MAM requirement.
Therefore, as of today at least, folks who were previously enforcing MAM instead of MDM for iOS devices will have open access on iPadOS, and no possible way to close that hole (except for maybe MDM). It is not possible to create a similar Conditional access policy targeted to macOS, nor is there any other way to make it recognize the device as an iPad and not a Mac. That extra screen didn't seem to do the trick!
I am not a developer and I don’t pretend to know the solution. But Microsoft and Apple really should get together on this to provide a more seamless experience for users (for both MDM and MAM).