Forum Discussion
iOS - Embedded WebKit - Not Reporting Correct Device info
Hi NexusEgo,
We've been seeing the same behavior in our environment after users updated to iOS 26.x. The root cause appears to be that Apple's embedded WebKit (used by Apple Mail and other apps that rely on ASWebAuthenticationSession or WKWebView for sign-in) is still sending a legacy-style user agent string that reports the OS version as 18.7.0 instead of the actual 26.x version. Because Conditional Access evaluates device compliance based on what the authentication broker reports, the mismatched OS version and blank device attributes cause the policy to fail.
The key reason Outlook works fine on the same device is that it uses the Microsoft Authenticator app as an authentication broker, which correctly reads and reports the actual device info and OS version. Apple Mail, on the other hand, goes through an embedded WebKit flow that doesn't leverage the broker — hence the incorrect data.
A few things you can try while waiting for a permanent fix:
1. Redirect users to Outlook for iOS — since it authenticates through the Authenticator broker, it will pass Conditional Access correctly.
2. Check the Intune Service Health dashboard and Microsoft 365 Message Center for any advisories related to iOS 26.x compatibility. This type of user agent mismatch after a major iOS version renumbering is something Microsoft typically addresses in an Intune service update.
3. Open a support ticket with Microsoft — if you haven't already, filing a case will help escalate awareness and may get you access to a targeted fix or workaround sooner.
4. As a temporary measure, you could create a separate Conditional Access policy that excludes the Apple Mail client app or adjusts the device platform filter for iOS, but be cautious about relaxing security posture.
This is likely a transient issue that will be resolved once either Apple updates the embedded WebKit user agent string or Microsoft updates Intune's device evaluation logic to account for the new iOS versioning scheme. I'd recommend monitoring the Intune blog and release notes closely.
Hope this helps!
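To scope how many sign-ins match the pattern described in the reply above (iOS reported as 18.7, blank device attributes, Conditional Access failure), the following added example triages exported sign-in records; it is not part of the original post and not Microsoft's code. The field names (`deviceDetail`, `conditionalAccessStatus`, `userAgent`, `appDisplayName`) are assumed to match your sign-in log export, and all sample records are constructed.

```python
import re

# Constructed sample data. Field names are an assumption modelled on an
# Entra ID sign-in log export; rename them to match your own export.
LEGACY_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"
SAMPLE_SIGNINS = [
    {"userPrincipalName": "a@contoso.example", "appDisplayName": "Apple Mail", "userAgent": LEGACY_UA,
     "deviceDetail": {"deviceId": "", "operatingSystem": "Ios 18.7.0"}, "conditionalAccessStatus": "failure"},
    {"userPrincipalName": "a@contoso.example", "appDisplayName": "Outlook", "userAgent": "",
     "deviceDetail": {"deviceId": "constructed-id-0001", "operatingSystem": "Ios 26.0"}, "conditionalAccessStatus": "success"},
    {"userPrincipalName": "b@contoso.example", "appDisplayName": "Apple Mail", "userAgent": LEGACY_UA,
     "deviceDetail": {"deviceId": "", "operatingSystem": ""}, "conditionalAccessStatus": "failure"},
    {"userPrincipalName": "c@contoso.example", "appDisplayName": "Outlook", "userAgent": "",
     "deviceDetail": {"deviceId": "constructed-id-0002", "operatingSystem": "Ios 18.7.0"}, "conditionalAccessStatus": "success"},
]

# Matches "Ios 18.7.0" in the OS field and "iPhone OS 18_7" / "CPU OS 18_7" in a user agent.
IOS_VERSION = re.compile(r"(?:iPhone OS|CPU OS|Ios)\s+(\d+)[._](\d+)", re.IGNORECASE)

def reported_ios_version(record):
    """Return (major, minor) from the OS field, falling back to the user agent."""
    detail = record.get("deviceDetail") or {}
    for text in (detail.get("operatingSystem"), record.get("userAgent")):
        match = IOS_VERSION.search(text or "")
        if match:
            return int(match.group(1)), int(match.group(2))
    return None

def is_embedded_webkit_mismatch(record, legacy=(18, 7)):
    """True when all three symptoms from the thread are present on one sign-in."""
    detail = record.get("deviceDetail") or {}
    return (reported_ios_version(record) == legacy
            and not detail.get("deviceId")  # blank device attributes
            and record.get("conditionalAccessStatus") == "failure")

def summarize(records):
    """Group affected users by client app, to see which clients to redirect."""
    affected = {}
    for record in records:
        if is_embedded_webkit_mismatch(record):
            app = record.get("appDisplayName") or "unknown"
            affected.setdefault(app, set()).add(record.get("userPrincipalName"))
    return {app: sorted(users) for app, users in affected.items()}

if __name__ == "__main__":
    for app, users in summarize(SAMPLE_SIGNINS).items():
        print(f"{app}: {len(users)} affected user(s): {', '.join(users)}")
```

A genuinely unmanaged device running iOS 18.7 produces the same three signals, so treat the output as a candidate list to confirm against device inventory, not as proof of the WebKit issue.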