Jun 23 2018 07:03 AM
Having issues setting up a Device Configuration Profile with Intune. I created a Profile to deploy a Mail Profile for iOS devices to connect to Office 365 mailbox. The profile deploys properly but when the profile deploys, I am asked to enter my credentials but they do not work.
The iOS Mail Profile is never able to verify the Exchange account. After entering the password it says "Unable to verify account information".
We do have MFA enabled and our domain is federated with ADFS.
Does Intune iOS Mail Profile configuration work with Azure MFA? What could possibly be the issue?
Jun 25 2018 12:39 AM
The native iOS mail app doesn't support MFA. You have to use app passwords for that app.
My advice, because you are also using Office 365, is to go for the Outlook for iOS app. Email account push is not needed for this app and this app supports MFA.
Jun 25 2018 01:36 PM
The native iOS mail app actually does support MFA but not for deployment scenarios. That is not available in the current build of iOS. If I understand correctly, version 12 (in current Beta) does support MFA (OAuth/Modern authentication). I am not certain if it is in the current build and if Intune will need to add additional code once iOS 12 is released. You will have to manually configure the native app or use Outlook for iOS with accounts that have MFA enabled.
Sep 24 2018 02:45 PM
I updated my phone to iOS 12 and attempted the Intune Company Portal deployment again, but it still does not seem to support MFA. Am I doing something wrong, or is an Intune Company Portal update required to support MFA? Has anyone gotten deployment of MFA accounts to work since iOS 12 was released?
Sep 25 2018 08:58 PM
We also tried applying Intune Company Portal deployment today after updating all IT dept phones to iOS 12. Can confirm it still does not work. We fell back to conditional access for MFA based on Intune policy compliance instead, which is easier on the phone users anyways.
Sep 26 2018 07:18 AM
Our experience - Users updated to iOS 12 and latest version of comp portal available.
Intune profiles to add mail to default app and comp portal were installed on all devices and in use for the past 6 mos. I did not make the users delete the policy and re-enroll.
I go to the portal and Enforce MFA on selected users.
Users proactively go to https://aka.ms/MFASetup and enroll authenticator with push notification. Setup is successful.
Users open mail app on LTE or away from known good IPs and it fails to connect to server. NO popup Approval from Authenticator.
Users open Outlook app for testing and are prompted for MFA immediately in authenticator.
Oct 02 2018 11:32 AM - edited Oct 02 2018 11:33 AM
I followed this blog by the Great Paul Cunningham
At the bottom, there is an addendum; need to also consider this:
https://practical365.com/blog/azure-active-directory-conditional-access-device-state/
Oct 02 2018 11:47 AM
Robert, when you say you fell back, what was the mechanism you used? PowerShell?
Thanks
Oct 02 2018 11:52 AM
When I say fell back, I mean we reconfigured the conditional access policy via the GUI to the previous config.
Jan 09 2019 04:18 AM
I was able to get an Intune-deployed iOS mail profile to successfully support Office 365 multi-factor authentication through the built-in iOS mail app. To do so, you must enable OAuth within the Intune mail profile. Previous commenters have mentioned iOS 12 as a requirement. The above was tested and successful on iOS 12.1.1 and 12.1.2.
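One way to check a profile for the setting described in the post above, as an added example that is not part of the original thread: the script audits an unsigned `.mobileconfig` for Exchange ActiveSync payloads (`com.apple.eas.account`) and flags those without Apple's `OAuth` key or with an embedded password. It assumes the Intune OAuth toggle is delivered as that key; the sample profile and the function names are constructed for illustration.

```python
import plistlib

EAS_PAYLOAD_TYPE = "com.apple.eas.account"  # Apple's Exchange ActiveSync payload type


def audit_eas_payloads(profile_bytes):
    """Return one finding per Exchange ActiveSync payload in an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != EAS_PAYLOAD_TYPE:
            continue  # Wi-Fi, VPN and other payloads are out of scope here
        oauth = payload.get("OAuth", False) is True
        issues = []
        if not oauth:
            issues.append("OAuth not enabled: the Mail app cannot answer an MFA prompt")
        if payload.get("Password"):
            issues.append("password embedded in the profile")
        findings.append({
            "identifier": payload.get("PayloadIdentifier", "<none>"),
            "host": payload.get("Host", "<none>"),
            "oauth": oauth,
            "issues": issues,
        })
    return findings


def constructed_profile(oauth):
    """Build a sample profile (constructed data, not exported from a real tenant)."""
    eas = {
        "PayloadType": EAS_PAYLOAD_TYPE,
        "PayloadIdentifier": "example.constructed.eas",
        "Host": "outlook.office365.com",
        "EmailAddress": "user@example.com",
    }
    if oauth:
        eas["OAuth"] = True
    else:
        eas["Password"] = "constructed-placeholder"
    other = {"PayloadType": "com.apple.wifi.managed"}  # ignored by the audit
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [eas, other]})


if __name__ == "__main__":
    for label, flag in (("basic auth", False), ("OAuth", True)):
        for finding in audit_eas_payloads(constructed_profile(flag)):
            print(label, finding)
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it.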
Jan 09 2019 07:51 AM
Is there a way to enable OAuth for Office 365 MDM? My deployment is configured through Office 365 MDM, and I don't see an option to enable OAuth.
Jan 09 2019 08:08 AM
It's a setting in the device configuration profiles.
Jan 09 2019 08:30 AM
That is the Intune configuration, which I don't have access to. The Office 365 MDM configuration uses the same back-end infrastructure (and the Intune Company Portal app), but the configuration is done here:
https://protection.office.com/?rfr=AdminCenter#/devicev2
May 09 2019 08:46 AM
Has anyone had any success with Office 365 MDM? I still have no way to "enable oauth within the intune mail profile" for this product, so all MFA/Modern Auth users' email profiles deployed to iOS through Office 365 MDM won't connect.