Forum Discussion
Configuring iOS 12 for O365 Exchange using MFA (OAuth)
Dan Stranathan Have you found anything about this?
I have a similar issue and I am deploying on iOS 12.2+ with Native Mail App and MFA. Deployment and first registration are working well but after a couple of hours mail stops syncing and I have an "Account error" message:
- webber1979 | Jun 04, 2019 | Copper Contributor
We are also having the exact same issue, since around iOS 12.2
We've extracted logs from a device and they talk about oAuth tokens failing to refresh.
Raised support ticket with Microsoft but they haven't been able to assist.
Have you had any progress or luck with your issue?
Error>: DAEASOAuthTokenRefreshResponse response is not NSHTTPURLResponse. Game over
<Notice>: Received a Transient Network Error: refrehing OAuth Token failed with Error Error Domain=NSURLErrorDomain Code=-1002 "unsupported URL" UserInfo={NSLocalizedDescription=unsupported URL, NSUnderlyingError=0x102bc0ce0 {Error Domain=kCFErrorDomainCFNetwork Code=-1002}}
May 13 11:45:26 iPhone accountsd(DAAccountAuthenticator)[1296] <Error>: Authenticator FAILED Trying To Refresh OAuth2 credentials for account <private> Networking Error
- StephanBrisson | Jun 04, 2019 | Copper Contributor
webber1979 Yes, we were able to make it work properly. We are using Airwatch (VMware Workspace One) and we had to change our email profile deployment parameters. We had to add the OAuth parameter to the email profile but then the user name in the profile was the following: domain\user@domain. It was working in the initial logon (for about an hour) but when the refresh token was expiring the profile was unable to match the user name with anything.
We had to delete the username and the domain from the Email profile (pushed by Airwatch) and then it worked fine.
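Added example, not part of the original posts: a small check for the profile condition described in the reply above, an Exchange ActiveSync payload with OAuth enabled whose `UserName` still carries a `domain\` prefix. The sample profile is constructed, the function names are hypothetical, and it assumes an unsigned `.mobileconfig` exported from the MDM console using Apple's `com.apple.eas.account` payload keys.

```python
import plistlib

EAS_TYPE = "com.apple.eas.account"  # Apple Exchange ActiveSync payload type

# Constructed sample profile (not taken from the thread).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.eas.account</string>
    <key>PayloadDisplayName</key><string>O365 Mail</string>
    <key>Host</key><string>outlook.office365.com</string>
    <key>OAuth</key><true/>
    <key>UserName</key><string>EXAMPLE\\jdoe@example.com</string>
    <key>EmailAddress</key><string>jdoe@example.com</string>
  </dict></array>
</dict></plist>"""


def check_eas_payload(payload):
    """Return findings for one payload dict; empty list if nothing to report."""
    if payload.get("PayloadType") != EAS_TYPE:
        return []
    findings = []
    user = payload.get("UserName", "")
    if payload.get("OAuth") is not True:
        findings.append("OAuth key is not set to true")
    elif "\\" in user:
        findings.append("UserName carries a DOMAIN\\ prefix while OAuth is enabled")
    return findings


def lint_profile(data):
    """Parse an unsigned .mobileconfig (XML or binary plist) and check each EAS payload."""
    profile = plistlib.loads(data)
    results = []
    for payload in profile.get("PayloadContent", []):
        name = payload.get("PayloadDisplayName", "<unnamed>")
        results += [(name, f) for f in check_eas_payload(payload)]
    return results


if __name__ == "__main__":
    for name, finding in lint_profile(SAMPLE_PROFILE):
        print(f"{name}: {finding}")
```
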
- webber1979 | Jun 05, 2019 | Copper Contributor
Thanks for the reply.
Think your issue might be different to ours, we already have oAuth turned on and we use UPN as the username. I've changed this to primarysmtpaddress and hope this may help.
I've also tried removing their activesync device partnership prior to the migration to see if this helps.
- Jim Hill | May 29, 2019 | Brass Contributor
StephanBrisson so far I have had mixed results on IOS12 devices. On one of the first devices the native mail asked for a password. I created an App password. Would not accept it. So I found an article online which suggested just deleting that account and adding it back, leaving whatever contacts and notes were already on the device. That took care of it. On my iPhone I just entered the app password. But then on my iPad that would not work, so I just removed the account and added it back.
- snorma01 | May 29, 2019 | Copper Contributor
Jim Hill It's supposed to work with Modern Authentication/OAuth, without the need to use an app password. Needing an app password for email on a phone for all users that are on MFA is absurd in 2019. It's supposed to be best practice to turn on MFA for all users these days, but Office 365 MDM doesn't support it? I'm astounded this hasn't gotten more attention.