Summary

Overview of the breaking change

Apple released iPadOS (the new OS for iPad) on September 30, 2019. Before the release, we discovered that this release introduces a change that could affect Microsoft Azure Active Directory (Azure AD) and Intune customers who use Conditional Access policies in their organization. This notice is intended to help you understand the breaking change from Apple and evaluate the effects on your organization. This notice also provides recommendations from Microsoft.

All iPads that update to iOS 13+ had their OS updated from iOS to iPadOS. While the iPadOS will behave similarly to iOS, there are some key apps that behave differently. Safari, for example, will present itself as macOS to make sure that iPadOS users have a full desktop browser experience.

Important: It is essential that your organization has a Conditional Access policy for macOS. Not having a policy for macOS could cause an open access condition in your organization’s resources for the previously identified scenarios.

There is no effect to the following access scenarios:

- All Microsoft native application access (such as Outlook, Word, or Edge)
- Web application access by using a browser other than Safari (such as Chrome)
- Apps that use Intune App SDK/App wrapping tool for iOS/Microsoft identity platform v2.0 authentication libraries or v1.0 authentication libraries

Before you examine the recommendations by Microsoft, consider the following scenarios that could be affected.

- You’ve set up a Conditional Access policy that “requires an approved client app” for email access on an iOS device, and you have no policy configured for macOS. After an iPad updates to iPadOS, the approved client app policy will not be enforced for the affected app categories, as described previously.
- You’ve set up a Conditional Access policy that “requires a compliant device” in order to use an iOS device to access company resources.

We have been working to mitigate this issue for our customers, and we have been rolling out changes to our platform. You might notice that your Conditional Access policies for iOS are now being honored for iPadOS, similar to the behavior before the iPadOS upgrade.

A quick way to verify this updated behavior is to access resources from Safari on an iPadOS device that is protected by Conditional Access policies. If you see a difference in behavior between Safari and Apple Native Mail access, ask your users to sign out of Apple Native Mail and then sign in again.

To automate this process, set a temporary Conditional Access policy by using the “Sign-in frequency” session control, and then set a temporary Conditional Access policy that applies to Client apps that are identified as “Mobile apps and desktop client.” In this policy, set the device platform to “macOS” and the sign-in frequency to 20 hours.

For more information about how to set this policy, see the documentation Configure authentication session management with Conditional Access.

Note: Setting this policy requires users of Apple Native Mail on iPadOS (previously identified as a mac device because of the modern desktop browser on iPadOS) to sign in after 20 hours. After they sign in again, Apple Native Mail will be blocked from accessing any company resources if you have enabled the “Require approved client app” or “Require app protection policy” grant control. You can disable or delete the temporary Conditional Access policy to avoid prompting users to sign in every 20 hours.
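
An added example, not part of the original notice: a Python check over Conditional Access policies exported as Microsoft Graph conditionalAccessPolicy JSON that reports enforced iOS policies when no enforced policy applies to macOS, the gap the notice describes. The function names and sample policies are constructed for illustration, and user and application scoping is assumed not to matter for the comparison.

```python
# Added example: find the iPadOS gap in exported Conditional Access policies.
# Keys follow the Microsoft Graph conditionalAccessPolicy resource.
# Assumption: user and application scoping is not compared, only platforms.

def covers(policy, platform):
    """True if an enforced (state == enabled) policy applies to the platform."""
    if policy.get("state") != "enabled":  # report-only and disabled do not enforce
        return False
    platforms = (policy.get("conditions") or {}).get("platforms")
    if not platforms:  # no platform condition: applies to every platform
        return True
    include = platforms.get("includePlatforms") or []
    exclude = platforms.get("excludePlatforms") or []
    return platform not in exclude and ("all" in include or platform in include)


def ipados_exposure(policies):
    """Names of enforced iOS policies that iPadOS clients presenting as macOS
    would bypass because no enforced policy applies to macOS."""
    enforcing = [p for p in policies
                 if (p.get("grantControls") or {}).get("builtInControls")]
    if any(covers(p, "macOS") for p in enforcing):
        return []
    return [p["displayName"] for p in enforcing if covers(p, "iOS")]


# Constructed sample export (not real tenant data).
SAMPLE = [
    {"displayName": "iOS mail: approved client app", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["iOS"]}},
     "grantControls": {"builtInControls": ["approvedApplication"]}},
    {"displayName": "All platforms except macOS: compliant device", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["all"],
                                  "excludePlatforms": ["macOS"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "macOS: compliant device (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"platforms": {"includePlatforms": ["macOS"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
]

if __name__ == "__main__":
    for name in ipados_exposure(SAMPLE):
        print("No enforced macOS policy; iPadOS may bypass:", name)
```

The report-only macOS policy in the sample does not count as coverage, so both iOS policies are reported until an enabled macOS policy exists.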