Forum Discussion

NexusEgo
Copper Contributor
Mar 30, 2026

iOS - Embedded WebKit - Not Reporting Correct Device info

It appears that with the latest iOS versions (26.3.1 through 26.4), applications that rely on an embedded WebKit for sign-in are no longer reporting accurate device details within Device Info.

Users have company-issued phones that are successfully enrolled in Intune, but when they attempt to sign in to Apple Mail, Conditional Access is denying the login. After reviewing the logs, iOS is reporting the OS version as 18.7.0 to Intune, even though the device is actually running iOS 26.4. Additionally, the device information is coming through as blank, so attributes are not being evaluated. When looking at other logins via the Outlook app on that device, it all appears normal and works.

Has anyone else observed this behavior where WebKit is sending incorrect data to Intune? Does anyone know of a workaround other than relaxing Conditional Access policies?

4 Replies

  • IntiminatorOne
    Copper Contributor

    Hi,

    Since mid‑March, we have consistently observed the same behavior across our freshly enrolled iOS devices. Is there any formal statement or official acknowledgement from Apple or Microsoft confirming that this issue is related to WebKit, and whether a resolution is available or planned?

  • axelgauliard
    Copper Contributor

    Our company is also experiencing the issue.
    Topic shared over X as well to promote the escalation between Apple and Microsoft: https://x.com/AxelGauliard/status/2039714107515953207

  • NexusEgo
    Copper Contributor

    Thanks for the feedback. I’m glad we’re not the only ones seeing this issue. I don’t have any direct channels to Microsoft support, so I guess we’ll have to wait and see. I’m assuming that since we’re on iOS 26.4, Apple isn’t going to release an update anytime soon. We’ll see if Intune can adapt, or if this just remains a broken experience.

  • Hi NexusEgo,

    We've been seeing the same behavior in our environment after users updated to iOS 26.x. The root cause appears to be that Apple's embedded WebKit (used by Apple Mail and other apps that rely on ASWebAuthenticationSession or WKWebView for sign-in) is still sending a legacy-style user agent string that reports the OS version as 18.7.0 instead of the actual 26.x version. Because Conditional Access evaluates device compliance based on what the authentication broker reports, the mismatched OS version and blank device attributes cause the policy to fail.

    The key reason Outlook works fine on the same device is that it uses the Microsoft Authenticator app as an authentication broker, which correctly reads and reports the actual device info and OS version. Apple Mail, on the other hand, goes through an embedded WebKit flow that doesn't leverage the broker — hence the incorrect data.

    A few things you can try while waiting for a permanent fix:

    1. Redirect users to Outlook for iOS — since it authenticates through the Authenticator broker, it will pass Conditional Access correctly.
    2. Check the Intune Service Health dashboard and Microsoft 365 Message Center for any advisories related to iOS 26.x compatibility. This type of user agent mismatch after a major iOS version renumbering is something Microsoft typically addresses in an Intune service update.
    3. Open a support ticket with Microsoft — if you haven't already, filing a case will help escalate awareness and may get you access to a targeted fix or workaround sooner.
    4. As a temporary measure, you could create a separate Conditional Access policy that excludes the Apple Mail client app or adjusts the device platform filter for iOS, but be cautious about relaxing security posture.

    This is likely a transient issue that will be resolved once either Apple updates the embedded WebKit user agent string or Microsoft updates Intune's device evaluation logic to account for the new iOS versioning scheme. I'd recommend monitoring the Intune blog and release notes closely.

    Hope this helps!
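
A triage sketch for the pattern described in this thread, added here as an example and not part of any reply: it scans exported Entra sign-in records for Conditional Access failures with a blank device ID and the stale 18.7.0 OS version, then separates users who also have a compliant iOS device signing in from users who do not, so the impact can be scoped before any policy is relaxed. Field names follow the Microsoft Graph `signIn` resource; the sample records and the exact `operatingSystem` string format are constructed assumptions.

```python
import re
from collections import defaultdict

STALE_OS = "18.7.0"  # version the thread says is reported instead of 26.x

# Constructed sample records; field names follow the Microsoft Graph signIn resource.
SAMPLE = [
    {"userPrincipalName": "alice@contoso.example", "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "", "operatingSystem": "iOS 18.7.0", "isCompliant": None}},
    {"userPrincipalName": "alice@contoso.example", "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "dev-0001", "operatingSystem": "iOS 26.4", "isCompliant": True}},
    {"userPrincipalName": "bob@contoso.example", "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "", "operatingSystem": "Ios 18.7.0", "isCompliant": None}},
    {"userPrincipalName": "carol@contoso.example", "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "dev-0003", "operatingSystem": "iOS 17.2", "isCompliant": False}},
]

def ios_version(record):
    """Extract the iOS version from deviceDetail.operatingSystem, or None."""
    os_name = (record.get("deviceDetail") or {}).get("operatingSystem") or ""
    m = re.fullmatch(r"\s*ios\s+(\d+(?:\.\d+)*)\s*", os_name, re.IGNORECASE)
    return m.group(1) if m else None

def is_suspect(record):
    """CA failure with no device ID and the stale OS version: the pattern in this thread."""
    detail = record.get("deviceDetail") or {}
    return (record.get("conditionalAccessStatus") == "failure"
            and not detail.get("deviceId")
            and ios_version(record) == STALE_OS)

def triage(signins):
    """Split affected users by whether a compliant iOS device also signs in for them."""
    blocked = defaultdict(int)
    compliant_os = defaultdict(set)
    for r in signins:
        upn = r.get("userPrincipalName", "").lower()
        detail = r.get("deviceDetail") or {}
        if is_suspect(r):
            blocked[upn] += 1
        elif detail.get("deviceId") and detail.get("isCompliant") and ios_version(r):
            compliant_os[upn].add(ios_version(r))
    # Users with a compliant device on record: the block is likely the reporting artifact.
    likely = {u: (n, sorted(compliant_os[u])) for u, n in blocked.items() if compliant_os.get(u)}
    # Users with no compliant device on record: verify enrollment before any exclusion.
    unverified = sorted(u for u in blocked if not compliant_os.get(u))
    return likely, unverified

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Users in the second list have no compliant device on record, so a blank device ID there may reflect a genuinely unmanaged device rather than the reporting problem.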