App Access Blocked: Your Organization requires confirmation that you are clocked in


Hello,

 

I am trying to onboard BYOD mobile devices (Android/iPhone) using Intune's MAM (Mobile Application Management) without enrollment deployment option, but it is failing for iPhone devices.

Android devices are working fine and are able to sign in to Microsoft apps like Outlook, Teams, OneDrive, etc.

Error Message: App Access Blocked: To Access your data associated with Account Email address removed, your Organization requires confirmation that you are clocked in. We are unable to verify this. Please try again later or Contact your Admin.

 

Regards,

16 Replies
Hi, were those iOS devices previously enrolled into another MDM? Or are those new shiny clean devices?
Hi Rudy_Ooms,

Yes, I have tried on new devices only and all iPhone devices are failing with the same error message.


Error message: App Access Blocked: To Access your data associated with Account Email address removed, your Organization requires confirmation that you are clocked in. We are unable to verify this. Please try again later or Contact your Admin.

Thank you,

Hello Team,

 

Please let me know if you have any update on this issue.

 

Thank you,

To be honest, I have never seen this message before. Looks like a custom-made message. Do you even see a login attempt in the sign-in logs? It looks like app protection trying to kick in, but that doesn't correspond with the message.

Could you show us some more information? Are there conditional access rules configured? Any app protection policies applied? What happens when you enroll the device instead of using without enrollment?
Is the MFA authenticator app installed? Is the Company Portal installed?

I am seeing the same issue in messaging on accounts with two different tenants. It happened once a few days ago and then went away on its own. But it happened again last night on my Android device, and I've been messaged now by two other users with iPhones who are experiencing the same thing. I know that there is a clock in / clock out function through the Shifts app in Teams, but neither of these tenants has ever been set up to use that. I actually set one of them up and clocked in through it today and I am still not able to log in to Outlook, Teams, etc. on my mobile device. Both of these tenants do have mobile application management enabled through Intune and everyone is licensed to use that. MAM was deployed through the guided setup scenario using the less strict policy. I've gone through all the settings in those two policies and don't see anything regarding conditional access based on clock-in status. There aren't any standalone CA policies set up for these accounts as they are both using security defaults currently. I've been searching the web using different phrasing and reviewing the docs since last night and haven't seen a single mention of this anywhere until I came across this thread. I took a bunch of screenshots and can upload those if they would help. Like I said, same messaging as OP stated.


 

I have also tried removing/re-adding these accounts from the apps, reinstalling apps, etc. I forgot to mention that occasionally it will just work when you open the apps but then blocks access shortly after.

 

My next step is to remove assignment of the MAM policies, but these have been deployed and working correctly for a little while, so I'm not sure what's changed. I think this must be a bug? I have set these same policies up on quite a few other tenants and never seen these messages before. As far as I can tell, there's no mention of CA or MAM requiring being clocked-in in the docs.

 

 

That's indeed very odd... as stated before, it looks very much like app protection policies applying. But (until now?) it never mentioned the "clocked" part... did you already open a support ticket?

 

Could you let us know if it fixes the issue when you decide to disable/remove the MAM policies?

I know there is something wrong with app protection and Teams... maybe they are trying to fix that... and creating a new issue?

 

Rudy Ooms | MVP :netherlands: on Twitter: "@IntuneSuppTeam .. Is this a notification due to App prot...

Been having this issue for the last 10 days; it has something to do with admin accounts or groups or roles, overlapping policies regulating data storage and access on Android or iOS devices.
Thing is, disabled Shifts app, surprised that it's still throwing the same error.

@Rudy_Ooms_MVP,

 

Yes, I have also opened a support case (29509939). As per the latest update from the support team, they are still testing this issue in their lab environment.

 

Please let me know if you need any further detail from my end.

 

Regards,

Hello @Rudy_Ooms_MVP,

 

When I check the App protection status logs (under Troubleshooting + support) during the login process into iOS (Outlook app), it shows checked-in successfully.

 

But the issue remains the same: Outlook app access is blocked with the same error message.

 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Error message: App Access Blocked: To Access your data associated with Account Email address removed, your Organization requires confirmation that you are clocked in. We are unable to verify this. Please try again later or Contact your Admin.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

Attaching screenshot for your reference.

 


 

Regards,

Okay so app protection works.. and the device could check in...it's such a strange error/warning as it is mentioning clocked in instead of checked in :)
No Idea! :)

There might be some communication delay between the mobile device and the Intune platform while the device is syncing with Intune to update the app protection policy.

If possible, can you please assist me in capturing the device logs?

Regards.
Ah you're probably right. That's more likely a typo than an access requirement. Threw me bc I had just talked about Shifts, Approvals, Bulletins in Teams with the org before this happened. I also think there was some kind of lag in the policy retrieval. It started working fine on my Android phone on Sunday. The iPhone users were still having issues as of yesterday. They may be today as well and I just haven't heard from them yet.

Dear Team,

 

Last week, I started facing the same issue on Android devices as well, but managed to fix it by modifying the Conditional Launch setting 'SafetyNet device attestation' from the Block action to Warn.

 

Setting: SafetyNet device attestation
Value: Basic integrity and certified devices
Action: Warn

I hope it helps if you are having the same issue.
 
Regards,