Support Tip: Known Issue occasionally occurring with iOS MAM and Office apps

Published Aug 05 2021 05:57 PM 3,955 Views

We received a few cases and have been working with our peers in Office to troubleshoot and resolve. After investigation, we discovered an issue that does not affect the majority of users, however it can affect a few users in an organization. In iOS Mobile Application Management (MAM, also known as App Protection Policies, APP), we received reports that on occasion, a user may see Office apps sign out automatically. When signed out, APP no longer applies (since policies are assigned to users and the user has signed out). The user can then sign back in, and policies are re-applied. This behavior can repeat. Through case troubleshooting we discovered that if one of the iOS Office apps sees something that makes it think a sign out occurred in another Office app, it then triggers the sign out in other Office apps.

 

The user will receive a message that states “Org Data Removal – Your organization has removed its data associated with this app. (607) To continue you must restart this app. To reconnect to your organization, sign-in to your work or school account.” This message is expected when a user manually signs out of an Office app. However, in the cases escalated for further investigation, the user landed in an authentication loop, and would see this message multiple times, despite single sign on across the apps.

 

To work around this issue if you have a user seeing an authentication loop, you’ll want to clear the credentials on the affected device. Using OneNote as an example, on the affected device, head to Settings > OneNote > Reset OneNote > Delete Login Credentials.

 

We’ll keep this post updated once Office releases new app versions that address this bug. In the interim, most customers will not run into this issue. Please use the workaround if you do!

 

3 Comments
Senior Member

Why doesn't Outlook have this option...  Will clearing the app data for one of the MAM office apps resolve the issue for them all?

Senior Member

The workaround isn't really working.  The users we've tested with that are experiencing this issue, after clearing the data, work for approximately 20 seconds, and then receive the same message and get stuck in a loop again.  Our org has opened up a support ticket as there appears to be no way out of this for the affected users.

Visitor

@GitToDeChoppah iOS MS Word has a reset credentials in Settings.  I had to use it to fix a MS Office Mobile installation once, and continue to use it when I run into issues.  I requested the same for Outlook in UserVoice.

 

We've had a few users with this issue in Outlook Mobile on iOS (unknown if Android has the same issue) and continue to get tickets for it.  It hasn't affected the entire population so far.

 

In our case, Support identified an issue with the Conditional Launch Max PIN attempts/Wipe Data Action.  My current solution removes them from the problem APP and assigns a temporary APP with the Conditional Launch Max PIN attempts/Reset PIN setting.  I have the user logout of Authenticator, delete Outlook and Authenticator from the device choosing the option to remove the creds from all apps on the device.  I also revoke the user's auth refresh tokens using PowerShell to be sure.  APP can take 24h to apply so nuking the creds could force a completely new policy read.  This causes other apps to require a reauth, including some desktop apps.  User downloads and configures the apps as new, and then I move them back to the original APP.

 

MS says they are issuing a hotfix to developers, meaning it's not going to be solved quickly IMO.

%3CLINGO-SUB%20id%3D%22lingo-sub-2617909%22%20slang%3D%22en-US%22%3ESupport%20Tip%3A%20Known%20Issue%20occasionally%20occurring%20with%20iOS%20MAM%20and%20Office%20apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2617909%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20received%20a%20few%20cases%20and%20have%20been%20working%20with%20our%20peers%20in%20Office%20to%20troubleshoot%20and%20resolve.%20After%20investigation%2C%20we%20discovered%20an%20issue%20that%20does%20not%20affect%20the%20majority%20of%20users%2C%20however%20it%20can%20affect%20a%20few%20users%20in%20an%20organization.%20In%20iOS%20Mobile%20Application%20Management%20(MAM%2C%20also%20known%20as%20App%20Protection%20Policies%2C%20APP)%2C%20we%20received%20reports%20that%20on%20occasion%2C%20a%20user%20may%20see%20Office%20apps%20sign%20out%20automatically.%20When%20signed%20out%2C%20APP%20no%20longer%20applies%20(since%20policies%20are%20assigned%20to%20users%20and%20the%20user%20has%20signed%20out).%20The%20user%20can%20then%20sign%20back%20in%2C%20and%20policies%20are%20re-applied.%20This%20behavior%20can%20repeat.%20Through%20case%20troubleshooting%20we%20discovered%20that%20if%20one%20of%20the%20iOS%20Office%20apps%20sees%20something%20that%20makes%20it%20think%20a%20sign%20out%20occurred%20in%20another%20Office%20app%2C%20it%20then%20triggers%20the%20sign%20out%20in%20other%20Office%20apps.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20user%20will%20receive%20a%20message%20that%20states%20%E2%80%9COrg%20Data%20Removal%20%E2%80%93%20Your%20organization%20has%20removed%20its%20data%20associated%20with%20this%20app.%20(607)%20To%20continue%20you%20must%20restart%20this%20app.%20To%20reconnect%20to%20your%20organization%2C%20sign-in%20to%20your%20work%20or%20school%20account.%E2%80%9D%20This%20message%20is%20expected%20when%20a%20user%20manually%20signs%20out%20of%20an%20Office%20app.%20However%2C%20in%20the%20cases%20escalated%20for%20further%20investigation%2C%20the%20user%20landed%20in%20an%20authentication%20loop%2C%20and%20would%20see%20this%20message%20multiple%20times%2C%20despite%20single%20sign%20on%20across%20the%20apps.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20work%20around%20this%20issue%20if%20you%20have%20a%20user%20seeing%20an%20authentication%20loop%2C%20you%E2%80%99ll%20want%20to%20clear%20the%20credentials%20on%20the%20affected%20device.%20Using%20OneNote%20as%20an%20example%2C%20on%20the%20affected%20device%2C%20head%20to%20Settings%20%26gt%3B%20OneNote%20%26gt%3B%20Reset%20OneNote%20%26gt%3B%20Delete%20Login%20Credentials.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%E2%80%99ll%20keep%20this%20post%20updated%20once%20Office%20releases%20new%20app%20versions%20that%20address%20this%20bug.%20In%20the%20interim%2C%20most%20customers%20will%20not%20run%20into%20this%20issue.%20Please%20use%20the%20workaround%20if%20you%20do!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2617909%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20had%20a%20few%20cases%20on%20this%20recently%20and%20after%20investigation%2C%20decided%20to%20share%20this%20known%20issue%20that%20affects%20sign%20in%20on%20iOS%20Mobile%20Application%20Management%20(MAM%2C%20also%20known%20as%20APP).%20It%20does%20not%20impact%20the%20majority%20of%20users%2C%20but%20for%20the%20one%20that%20it%20does%20impact%2C%20it%20prompts%20for%20sign%20in%20when%20an%20Office%20app%20is%20opened.%20Office%20has%20a%20fix%20in%20their%20backlog%3B%20in%20the%20interim%2C%20read%20this%20post%20for%20a%20way%20to%20clear%20it%20up%20if%20you%20have%20a%20user%20running%20into%20this%20scenario.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2617909%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EKnown%20Issue%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESupport%20Tip%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2631825%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Known%20Issue%20occasionally%20occurring%20with%20iOS%20MAM%20and%20Office%20apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2631825%22%20slang%3D%22en-US%22%3E%3CP%3EWhy%20doesn't%20Outlook%20have%20this%20option...%26nbsp%3B%20Will%20clearing%20the%20app%20data%20for%20one%20of%20the%20MAM%20office%20apps%20resolve%20the%20issue%20for%20them%20all%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2632309%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Known%20Issue%20occasionally%20occurring%20with%20iOS%20MAM%20and%20Office%20apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2632309%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20workaround%20isn't%20really%20working.%26nbsp%3B%20The%20users%20we've%20tested%20with%20that%20are%20experiencing%20this%20issue%2C%20after%20clearing%20the%20data%2C%20work%20for%20approximately%2020%20seconds%2C%20and%20then%20receive%20the%20same%20message%20and%20get%20stuck%20in%20a%20loop%20again.%26nbsp%3B%20Our%20org%20has%20opened%20up%20a%20support%20ticket%20as%20there%20appears%20to%20be%20no%20way%20out%20of%20this%20for%20the%20affected%20users.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2670128%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Known%20Issue%20occasionally%20occurring%20with%20iOS%20MAM%20and%20Office%20apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2670128%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F398681%22%20target%3D%22_blank%22%3E%40GitToDeChoppah%3C%2FA%3E%26nbsp%3BiOS%20MS%20Word%20has%20a%20reset%20credentials%20in%20Settings.%26nbsp%3B%20I%20had%20to%20use%20it%20to%20fix%20a%20MS%20Office%20Mobile%20installation%20once%2C%20and%20continue%20to%20use%20it%20when%20I%20run%20into%20issues.%26nbsp%3B%20I%20requested%20the%20same%20for%20Outlook%20in%20UserVoice.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe've%20had%20a%20few%20users%20with%20this%20issue%20in%20Outlook%20Mobile%20on%20iOS%20(unknown%20if%20Android%20has%20the%20same%20issue)%20and%20continue%20to%20get%20tickets%20for%20it.%26nbsp%3B%20It%20hasn't%20affected%20the%20entire%20population%20so%20far.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20our%20case%2C%20Support%20identified%20an%20issue%20with%20the%20Conditional%20Launch%20Max%20PIN%20attempts%2FWipe%20Data%20Action.%26nbsp%3B%20My%20current%20solution%20removes%20them%20from%20the%20problem%20APP%20and%20assigns%20a%20temporary%20APP%20with%20the%20Conditional%20Launch%20Max%20PIN%20attempts%2FReset%20PIN%20setting.%26nbsp%3B%20I%20have%20the%20user%20logout%20of%20Authenticator%2C%20delete%20Outlook%20and%20Authenticator%20from%20the%20device%20choosing%20the%20option%20to%20remove%20the%20creds%20from%20all%20apps%20on%20the%20device.%26nbsp%3B%20I%20also%20revoke%20the%20user's%20auth%20refresh%20tokens%20using%20PowerShell%20to%20be%20sure.%26nbsp%3B%20APP%20can%20take%2024h%20to%20apply%20so%20nuking%20the%20creds%20could%20force%20a%20completely%20new%20policy%20read.%26nbsp%3B%20This%20causes%20other%20apps%20to%20require%20a%20reauth%2C%20including%20some%20desktop%20apps.%26nbsp%3B%20User%20downloads%20and%20configures%20the%20apps%20as%20new%2C%20and%20then%20I%20move%20them%20back%20to%20the%20original%20APP.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMS%20says%20they%20are%20issuing%20a%20hotfix%20to%20developers%2C%20meaning%20it's%20not%20going%20to%20be%20solved%20quickly%20IMO.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Aug 05 2021 05:57 PM
Updated by: