Intune Customer Success
Support tip: Intune MAM users on iOS/iPadOS userless devices may be blocked in rare cases

Intune_Support_Team
Sep 24, 2024

Updated 10/22/24 - We've developed and successfully deployed a fix across all Intune tenants. If you are still experiencing issues, please ensure affected devices complete at least one check-in with Intune to fully resolve this issue.

 

Previously, for iOS/iPadOS, you had to manually configure the IntuneMAMUPN, IntuneMAMOID, and IntuneMAMDeviceID app configuration values so that Intune mobile application management (MAM) could determine whether the device was enrolled with Intune, as described in Create and deploy app protection policies. Based on customer feedback to simplify the admin experience, we’ve begun to automatically send these values to managed applications on Intune-enrolled iOS devices. Starting with Intune’s September (2409) service release, we’ve enabled this change for the following apps: Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Teams and Microsoft Word. We’ll continue to expand this to additional managed apps over the coming months.

 

We were recently alerted that users may be incorrectly blocked in a specific scenario if these values weren’t configured. If you have iOS devices “Enrolled without User Affinity” and an app protection policy is enforced for a user in one of the listed applications, then the user may encounter a “Misconfiguration Alert” dialog with the following message:

 

Your organization’s support team wants you to login with this account:.  But you tried to login with user@company.com. Contact your organization’s support team for help.

 

While you likely already have the app configuration values configured to correctly enforce app protection policies based on management type, in the rare case that they’re not, this change will correct the MAM device management type state from “Unmanaged” to “Managed”. This means you may notice a change for MAM users with Intune-enrolled devices in the following scenarios:

  • When you use the managed apps deviceManagementType filter to customize your deployment of app protection policies (APP): if all user-targeted policies are for “unmanaged” iOS/iPadOS devices, the user will transition to a “no policy” state and APP won’t be enforced. To fix this, apply an app protection policy to all device types or specifically to managed devices.

  • When you use the APP Open-in management data transfer settings to allow data sharing with other managed applications, as described in Manage transferring data between iOS apps: these settings will now correctly apply to Intune MAM users. Please review the documentation, iOS/iPadOS app protection policy settings, for Send Org data to other apps and Receive data from other apps, and ensure you’ve configured the MDM data sharing settings as appropriate to your organization.
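
The first scenario above can be checked ahead of time. The following is an added example, not code from the original post or from Intune: a Python model that lists users who are covered by an app protection policy only while their device is treated as unmanaged, and who would therefore land in the “no policy” state once the device is reported as managed. The policy fields, group names, and accounts are constructed for illustration and are not the Intune or Graph schema.

```python
from dataclasses import dataclass

MANAGED, UNMANAGED, ALL = "managed", "unmanaged", "all"

@dataclass(frozen=True)
class AppPolicy:
    # Hypothetical shape of an app protection policy assignment.
    name: str
    groups: frozenset                  # groups the policy is assigned to
    mgmt_type: str                     # MANAGED, UNMANAGED, or ALL (no filter)
    excluded: frozenset = frozenset()  # groups excluded from the assignment

def applies(policy, user_groups, device_state):
    """True if the policy targets this user on a device in device_state."""
    if policy.excluded & user_groups:
        return False                   # an exclusion wins over an inclusion
    if not policy.groups & user_groups:
        return False
    return policy.mgmt_type in (ALL, device_state)

def covered(policies, user_groups, device_state):
    return any(applies(p, user_groups, device_state) for p in policies)

def at_risk(policies, users):
    """Users protected while 'unmanaged' but with no policy once 'managed'."""
    return sorted(
        user for user, groups in users.items()
        if covered(policies, groups, UNMANAGED)
        and not covered(policies, groups, MANAGED)
    )

# Constructed sample tenant data.
USERS = {
    "nurse@contoso.example": frozenset({"Clinical"}),
    "admin@contoso.example": frozenset({"Clinical", "IT"}),
    "kiosk@contoso.example": frozenset({"Frontline"}),
}
POLICIES = [
    AppPolicy("APP-iOS-Unmanaged", frozenset({"Clinical", "Frontline"}), UNMANAGED),
    AppPolicy("APP-iOS-Managed", frozenset({"IT"}), MANAGED),
    AppPolicy("APP-iOS-AllTypes", frozenset({"Frontline"}), ALL),
]

if __name__ == "__main__":
    for user in at_risk(POLICIES, USERS):
        print(f"{user}: no app protection policy when the device is managed")
```

Assigning a managed or all-device-types policy to the affected group, as the post recommends, empties the list.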

 

This issue is now resolved. If you have questions or comments for the Intune team, reply to this post or reach out on X @IntuneSuppTeam.

 

Post updates:

10/10/24: We've developed a fix and are actively deploying it across all Intune tenants. Once the deployment is complete, affected devices will need to perform at least one check-in with Intune to fully resolve this issue.

10/22/24: We've developed and successfully deployed a fix across all Intune tenants. If you are still experiencing issues, please ensure affected devices complete at least one check-in with Intune to fully resolve this issue.

Updated Oct 22, 2024
Version 3.0

25 Comments

  • rcarey1850

    Also, can you please post about this on the Intune Tenant Status page for greater visibility?

  • rcarey1850

    I work at a large hospital and we are also greatly impacted by this. I hope a fix is coming quickly!

  • Damat83

    Is it still possible to create separate app protection policies for managed and unmanaged devices?

  • JRingkamp

    Hello everyone,

     

    we also have the error in our company and have already opened a ticket with MS.

    MS Teams and Outlook are also important programmes for us and we need a solution as soon as possible, as company processes are extremely restricted.

     

    BR J.Ringkamp

  • Ian_Hearnes

    Hi there,
    We seem to be experiencing this issue on iOS Shared iPads (no user affinity).
    We are keen for a workaround.
    For us this is affecting in particular Microsoft Teams and Outlook, which are core apps.
    Ta, Ian Hearnes