Device passcode required - iOS - Mobile Application Management Policy


Hi all

Hoping someone can assist.

Been testing MAM with an iPhone on which I intentionally removed the passcode from the device. In MEM I created an App Protection Policy targeting Outlook on unmanaged devices. I was hoping that the Outlook app would see that the phone has no passcode and then prompt me for an application PIN in order to access company data within the app. Instead, I just keep getting this message: "Device Passcode Required - your organization requires you to enable a device passcode to access this app"

4 Replies
Navishkar Sadheo,

This is normal behavior. MAM policy cannot invoke the system to force the user to create a passcode; instead, it blocks access to the app until the user assigns a passcode.

With MDM, you should be able to invoke the system and force the user to create a PIN.

Hope this helps!
Moe

In layman's terms, how do I do this? My phone tells me I need to create a passcode, the only option is to click "okay" and then it glitches out, so there's no option to set a passcode. @Navishkar Sadheo

I am experiencing the same. Based on Navishkar's reply, I would expect the same. MAM should allow the user to leave the device without a passcode and enforce a PIN only when opening the MAM app. That is the whole principle of MAM.

In my case, iPhone 8 (iOS 14.0.1) with no device management at all (just wiped). Company has implemented MAM. Installed Teams. Tried to configure work account. Prompted to install Authenticator. Installed Authenticator. Received 2 Factor authentication request, approved it. Then, it continued to check on the App Status... and then the message came up: "Device Passcode Required - your organization requires you to enable a device passcode to access this app". I tried Outlook and received the exact same result. I do not have access to the Intune admin console. I do have access to another MDM tool (Workspace ONE). After doing some reading, I wonder if the device passcode requirement is linked to the biometrics being allowed. Face ID or Touch ID can be allowed to access the MAM apps. However, for that to take place, the MAM app has to talk to the OS on the device. If the device does not have Face ID or Touch ID set, then the Microsoft MAM app detects that, and requires it (?).

Need to think of a way to test that, without access to the Intune admin console.

@Ricardo_PaX I have a user exhibiting this behavior after the 10/26/2020 update of Outlook. I'm interested in the "App PIN when device PIN is set"=Require I have set currently. I wonder if (provided this isn't a one-off) I set it to "Not Required" would the issue drop?

Edit: Updating all apps and restarting the iOS device fixed the issue.