Blog Post

Intune Customer Success
3 MIN READ

Support tip: Intune MAM users on iOS/iPadOS userless devices may be blocked in rare cases

Intune_Support_Team's avatar
Intune_Support_Team
Icon for Microsoft rankMicrosoft
Sep 24, 2024

Updated 10/22/24 - We've developed and successfully deployed a fix across all Intune tenants. If you are still experiencing issues, please ensure affected devices complete at least one check-in with Intune to fully resolve this issue.

 

Previously for iOS/iPadOS, you had to manually configure the IntuneMAMUPN, IntuneMAMOID, and IntuneMAMDeviceID app configuration values in order for Intune mobile application management (MAM) to determine if the device was enrolled with Intune per Create and deploy app protection policies. Based on customer feedback to simplify the admin experience, we’ve begun to automatically send these values to managed applications on Intune enrolled iOS devices. Starting with Intune’s September (2409) service release, we’ve enabled this change for the following apps: Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Teams and Microsoft Word. We’ll continue to expand this to additional managed apps over the coming months.

 

We were recently alerted that users may be incorrectly blocked in a specific scenario if these values weren’t configured. If you have iOS devices “Enrolled without User Affinity” and an app protection policy is enforced for a user in one of the listed applications, then the user may encounter a “Misconfiguration Alert” dialog with the following message:

 

Your organization’s support team wants you to login with this account:.  But you tried to login with user@company.com. Contact your organization’s support team for help.

 

While you likely already have the app configuration values configured to correctly enforce app protection policies based on management type, in the rare case that it’s not, this change will correct the MAM device management type state from “Unmanaged” to “Managed”. This means you may notice a change for MAM users with Intune enrolled devices in the following scenarios:

  • When using the managed apps deviceManagementType filter to customize your deployment of app protection policies (APP), if all user-targeted policies are for “unmanaged” iOS/iPadOS devices, the user will transition to a “no policy” state and APP won’t be enforced. To fix this, apply an app protection policy to all device types or specifically to managed devices.

  • You use the APP Open-in management data transfer settings to allow data sharing with other managed applications per Manage transferring data between iOS apps. These settings will now correctly apply to Intune MAM users. Please review the documentation, iOS/iPadOS app protection policy settings, for Send Org data to other apps and Receive data from other apps and ensure you’ve configured the MDM data sharing settings as appropriate to your organization.

 

This issue is now resolved. If you have questions or comments for the Intune team, reply to this post or reach out on X @IntuneSuppTeam.

 

Post updates:

10/10/24: We've developed a fix and are actively deploying it across all Intune tenants. Once the deployment is complete, affected devices will need to perform at least one check-in with Intune to fully resolve this issue.

10/22/24: We've developed and successfully deployed a fix across all Intune tenants. If you are still experiencing issues, please ensure affected devices complete at least one check-in with Intune to fully resolve this issue.

Updated Oct 22, 2024
Version 3.0
Support Tip
  • Intune_Support_Team's avatar
    Intune_Support_Team
    Icon for Microsoft rankMicrosoft
    Oct 10, 2024

    Thank you everyone for your patience as we work to resolve this issue and for your feedback in the comments above. We wanted to provide an update: We’ve developed a fix and are currently deploying it across all Intune tenants to address this issue. Once the deployment is complete, affected devices will need to perform at least one check-in with Intune to fully resolve this issue. More information will be added to our post above once the deployment is complete. Thanks!

  • rcarey1850's avatar
    rcarey1850
    Copper Contributor
    Oct 01, 2024

    Microsoft, please let us know this issue is being worked on. There has been no update since the original post, and clearly many organizations are affected. 

  • MarkTaylor2's avatar
    MarkTaylor2
    Copper Contributor
    Oct 01, 2024

    We are also experiencing this issue. The fix that A1-diegor suggested does work, but leaves us in a a bad spot. Commenting with the hope that more voices will expedite the issue.

  • ViktorNorstrom's avatar
    ViktorNorstrom
    Copper Contributor
    Sep 27, 2024

    I eventually got a "fix" to work on our Shared iPads.
    what i did:

    1. Created a device configuration profile (Device Features).
    2. Configured the profile for Single sign-on app extension with the settings:
      • SSO app extension type = Microsoft Entra ID
      • Enable shared device mode = Yes
      • Additional Settings 
        • AppPrefixAllowList (String) = com.microsoft.,com.apple.
        • browser_sso_interaction_enabled (integer) = 1
        • disable_explicit_app_prompt (integer) = 1
    3. Assigned the profile to our device group (dynamic device group based on enrollment profile)
    4. Wait for the profile to apply on the device (You should see the device configuration profile be succeeded on for user account)
    5. Open Authenticator app and make sure its registered to your organisation (we did not get promoted to sign in)
    6. Test SSO with Safari, go to Office365.com (login should be automatic)
    7. Test SSO with Teams/word etc. (Login should be automatic)

    (If SSO does not work after the device configuration has been successful try a reset of the device and wait until all settings have been applied)

    The iPads we are using are joined to Intune using ABM and enrollment profile (without user affinity) with the settings for "Supervised=Yes, Locked enrollment=Yes, Shared iPad=Yes".
    We also use Managed AppleIDs synced and federated with EntraID so same credentials in EntraID can be used for the Managed AppleID.

  • rcarey1850's avatar
    rcarey1850
    Copper Contributor
    Oct 04, 2024

    Agreed, steale2360 . Given that the workaround is to disable app protection policies for users, I can't consider that a proper workaround. 

  • Intune_Support_Team's avatar
    Intune_Support_Team
    Icon for Microsoft rankMicrosoft
    Oct 22, 2024

    Hi, JRingkamp! Confirmed with the team that the fix was successfully deployed across all Intune tenants. If you are still experiencing issues, please ensure affected devices complete at least one check-in with Intune to fully resolve this issue.

     

    Should anyone continue to experience any further impact, please send us a message so we can talk though your scenario in more detail. Thanks!

  • Ian_Hearnes's avatar
    Ian_Hearnes
    Copper Contributor
    Sep 25, 2024

    Hi there,
    We seem to be experiencing this issue on iOS Shared iPads (no user affinity).
    We are keen for a work around.
    For us this is affecting in particular the Microsoft Teams and Outlook, which are core Apps.
    Ta, Ian Hearnes

  • JRingkamp's avatar
    JRingkamp
    Copper Contributor
    Sep 25, 2024

    Hello everyone,

     

    we also have the error in our company and have already opened a ticket with MS.

    MS Teams and Outlook are also important programmes for us and we need a solution as soon as possible, as company processes are extremely restricted.

     

    BR J.Ringkamp

  • Damat83's avatar
    Damat83
    Copper Contributor
    Sep 25, 2024

    Is it still possible to create separate app protection policies for managed and unmanaged devices?