Resolved - Conditional access unexpectedly blocking macOS 10.15.4 native mail client/other apps

Published 04-20-2020 12:28 PM 10.7K Views

Update: A fix for this issue has been rolled out with the latest release of macOS 10.15.5.


We were recently alerted to a scenario whereby after an end user updated to macOS 10.15.4, they experienced unexpected access app prompts or blocks to applications such as native mail. The macOS device was enrolled in Intune and there was a conditional access policy requiring a compliant device. Working with Apple, we discovered that upgrading to macOS 10.15.4 exposed a bug in auth for several apps including mail and calendar (despite existing enrollment or compliance). Microsoft and Apple are working on a resolution and we’ll update this post when new information is available.


In the interim, if you use conditional access on macOS, be aware that not all apps will be available after updating to macOS 10.15.4. As an admin, if you're wondering if your end users have run into this known issue, you can tell by validating that 1) you have set conditional access rules requiring a compliant device, then 2) you'll likely see conditional access failures in the Azure AD blade under sign-ins. 


Again, we'll keep this post updated as we receive additional information.


Blog post updates:

  • 5/6/20: A fix for this issue will be included in the macOS 10.15.5 Beta.
  • 5/7/20: Clarifying that a fix is included in the macOS 10.15.5 Beta 4 release. If you continue to experience an issue after updating to this version, please let us know!
  • 5/27/20: We received reports that this has been resolved with the latest release of macOS 10.15.5.
Regular Visitor

Is this affecting all 10.15.4 builds or just the recent supplemental update?

Occasional Contributor

@glennmnz It's affecting all 10.15.4 builds. 

Regular Visitor

thanks for the update 

New Contributor

Is there any update on this or do we need to turn off conditional access?? Meantime our users cant work as we speak


Hi @Ola B Larsson ,
We are currently working on this issue. Please open a case so that we may assist you.

New Contributor


Regular Visitor

Is there an estimated date for a fix?

Regular Visitor

Thanks for the update.

Senior Member

@nathannakao There is a subscribe function on the posting's drop-down menu for that.

Occasional Visitor

my problems since an update, as well.

is this primarily a problem on the mac side or the microsoft side?  do i need my microsoft teams administrator to do anything?

Hi @Ola B Larsson@ihindi@bruceb161, in working closely with Apple, a fix for this issue will be included in an upcoming version of the macOS 10.15.5 Beta 4. If you continue to experience authentication issues after updating, please let us know! We'll also continue to keep this blog updated as we learn more.


I saw one issue on 10.15.4  CA policy not getting applied and shows the the sign in as "success" and CA as "Not applied"
Is this related or am I getting things mixed up?


Hi @Azhar1519, this sounds like it may be unrelated to this issue and have followed up with you directly for additional follow-up. Thanks for the feedback!

Occasional Visitor

Could it be that this is also for iOS? 


I have configured a conditional Access policy which says that - when I try to add my mailbox to iOS native mail app, it forces me to use an approved app (= Outlook for iOS). I then get forced to "enrol in intune", but when I press on "Enroll", I get the screen "This page is not supported on your device". On top I can see that it's "". 


But then when I surf to the same page on safari, It DOES work. 


When I check my sign logs in the Azure Active Directory, I can see the following: 

5/11/2020, 7:17:58 PM
Michiel S
Apple Internet Accounts

Hi @michielunlimit, there may be other Conditional Access policies applied to the impacted user causing the issue. The What If tool can help validate which policies are applied and assist with remediation. Also, if you haven't already, have a look over our doc on best practices for Conditional Access on configuring the policy suited for your organization.


Once configured and you are still experiencing issues with sign-in, lets get you over to our support folks for further investigation. Please open a support request from within the Intune admin console, or any of the methods here. Once created, feel free direct message us with your support case number so we can have an eye on the case. Thanks!

Occasional Visitor

@Intune Support Team - issue is still persisting with a user following upgrade to 10.15.5 Beta (19F83c), which according to the link should be release 4. Any suggestions?

Hi @CV-NTT, thanks for the feedback and sorry that this is still occurring within your environment. If after upgrading to the latest macOS Beta 4 and are still experiencing Conditional Access failures in the Azure Active Directory blade under sign-ins, let's get you over to our support folks over in Azure for further investigation. You can raise a new support request via the Help + support blade in the Azure portal, or any of the methods here.

Occasional Contributor

I can confirm that the issue was solved with the release of macOS 10.15.5. 

Exchange integration with Intune works as expected. 

Regular Visitor

The last update of MACOS fixed it.

Thank you .

Occasional Visitor

resolved for me.  thank you.

New Contributor

confirmed resolved for myself (and a Team Member) as well.

Occasional Visitor

Hi Support,


After upgrading my client's MacBook from 10.15.4 to 10.15.5, the "Require Exchange password" pop up on MacOS Mail seems gone.


However there have another issue, that when the client moves the exchange email from her Exchange Inbox in MacOS Mail to the folder in Mail under "On My Mac", the email contents are not displaying, even double click to open.   We have discussed with Apple Support, what the senior support have mentioned is there has a new security setting on Office 365 side, which causing content to be blocked for showing in the mac. And the same reason that affects the other old emails on the local folders because there's exchange emails on the same folder.


Can you please advise which setting we can change to fix it?

Hi @werneryue1004, tagging our Exchange guru @Ross Smith IV for additional insight.

Occasional Visitor

Thanks @Intune Support Team , I hope the team can provide more details and advise about how we can fix the issue asap.   There had MacOS Mail issue with Office 365 Exchange from 10.15.4, sadly in original issue is fixed in 10.15.5, but the mentioned new issue is happened.

On Apple side they said MS updated something on Office 365, what they said is "a security settings in o365 that blocks it's content to be shown in the mac mail server. And the same reason that affects the other old emails on the local folders because there's exchange emails on the same folder."


Our client had a local Mailbox (Folder) created in MacOS Mail very long time ago, she was using NetSol email system with POP connection before.  Few months ago we helped to migrate to Office 365.  The local Mailbox (Folder) used to keep the emails which from NetSol and also Office365. Not sure how it can define it is email from exchange but the issue start to appear after 10.15.4 MacOS update.   It will be nice if someone can let us know which security setting has been updated on Office 365 during Apple release 10.15.4 and 10.15.5 update, then we can try to enable/disable for testing.




@werneryue1004 - I've asked around and based on limited information we're not sure what the cause could be. Please open a support case with Microsoft Support so they can investigate further.

Version history
Last update:
‎Dec 18 2020 09:21 AM
Updated by: