Action Required: Evaluate and update Conditional Access policies after new iPadOS release

Applies to: Azure Active Directory

Update


We have been working to mitigate this issue for our customers, and we have been rolling out changes to our platform. You might notice that your Conditional Access policies for iOS are now being honored for iPadOS, similar to the behavior before the iPadOS upgrade.

A quick way to verify this updated behavior is to access resources from Safari on an iPadOS device that is protected by Conditional Access policies. If you see a difference in behavior between Safari and Apple Native Mail access, ask your users to sign out of Apple Native Mail and then sign in again.

To automate this re-sign-in, create a temporary Conditional Access policy that uses the “Sign-in frequency” session control. Scope the policy to Client apps that are identified as “Mobile apps and desktop client,” set the device platform to “macOS,” and set the sign-in frequency to 20 hours.

For more information about how to set this policy, see the documentation Configure authentication session management with Conditional Access.

Note: This policy requires users of Apple Native Mail on iPadOS (previously identified as a Mac device because iPadOS ships a modern desktop-class browser) to sign in again after 20 hours. After they sign in again, Apple Native Mail is blocked from accessing company resources if you have enabled the “Require approved client app” or “Require app protection policy” grant control. You can disable or delete the temporary Conditional Access policy to stop prompting users to sign in every 20 hours.

Summary


Overview of the breaking change

Apple released iPadOS (the new OS for iPad) on September 30, 2019. Before the release, we discovered that this release introduces a change that could affect Microsoft Azure Active Directory (Azure AD) and Intune customers who use Conditional Access policies in their organization. This notice is intended to help you understand the breaking change from Apple and evaluate the effects on your organization. This notice also provides recommendations from Microsoft.

All iPads that update to iOS 13 or later have their OS changed from iOS to iPadOS. Although iPadOS behaves similarly to iOS, some key apps behave differently. Safari, for example, presents itself as macOS so that iPadOS users get a full desktop browser experience.

Apps that may be affected by the breaking change

This change affects apps that use Conditional Access and that identify themselves as macOS apps instead of iOS apps. When you review your Conditional Access policies, focus on whether you provide a different app experience for macOS than for iOS. Additionally, we recommend that you review the Conditional Access policies in Azure AD that apply to the affected app categories.

The breaking change affects enforcement of your Conditional Access policies on iPad devices that are running iPadOS in the following scenarios:

  • Web application access using Safari browser
  • Apple Native Mail access
  • Native application access that uses Safari View Controller

In these cases, Azure AD Conditional Access treats any access request as a macOS access request.

There is no effect on the following access scenarios:

Before you examine the recommendations by Microsoft, consider the following scenarios that could be affected.

Scenario and result

  • Scenario: You’ve set up a Conditional Access policy that “requires an approved client app” for email access on an iOS device, and you have no policy configured for macOS.
    Result: After an iPad updates to iPadOS, the approved client app policy is not enforced for the affected app categories described previously.
  • Scenario: You’ve set up a Conditional Access policy that “requires a compliant device” in order to use an iOS device to access company resources, but you have not configured a macOS policy.
    Result: After the iPads update to iPadOS, users can access company resources by using apps in the affected app categories from non-compliant iPads.
  • Scenario: You’ve set up a Conditional Access policy that “requires MFA” on an iOS device in order to access Office 365 websites such as Outlook Web Access, but you have not configured a corresponding macOS policy.
    Result: After the iPads update to iPadOS, users can access such Office 365 websites by using apps from the affected app categories without being prompted for multi-factor authentication (MFA).
  • Scenario: You’ve set up a Conditional Access policy that “requires a compliant device” for iOS devices and “requires MFA” for macOS devices.
    Result: After the iPads update to iPadOS, users can access company resources by using apps in the affected app categories from non-compliant iPads.


These are just some examples of cases in which the Conditional Access Policy for iOS might differ from the Conditional Access policy for macOS. You should identify all such cases in your policy.
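As an added example that is not part of the Microsoft notice, the following Python script performs the iOS-versus-macOS policy review described here and in the recommendations that follow, over policies in the JSON shape that Microsoft Graph returns for GET /identity/conditionalAccess/policies, and also builds the request body for the temporary macOS sign-in frequency policy from the Update section. The sample policies, their display names and the all-users/all-apps scope of the temporary policy are assumptions for illustration.

```python
# Added example, not Microsoft's code: first-pass gap check over Conditional
# Access policies in Microsoft Graph JSON shape, plus the temporary policy body.

def _get(p, *keys):
    """Walk nested keys of a Graph policy object and return the leaf as a set."""
    for k in keys:
        p = (p or {}).get(k)
    return set(p or [])

def find_ios_gaps(policies):
    """Return (displayName, clientAppType, missing controls) for each enabled
    iOS-only policy whose grant controls no enabled macOS (or all-platform) policy
    enforces for the same client app type. User/app scoping is ignored on purpose."""
    enabled = [p for p in policies if p.get("state") == "enabled"]
    gaps = []
    for p in enabled:
        plats = _get(p, "conditions", "platforms", "includePlatforms")
        if "iOS" not in plats or plats & {"macOS", "all"}:
            continue  # not iOS-only: macOS is already covered by this policy
        for app in sorted(_get(p, "conditions", "clientAppTypes")):
            covered = set()
            for q in enabled:  # union of controls every macOS policy enforces for app
                if (_get(q, "conditions", "platforms", "includePlatforms") & {"macOS", "all"}
                        and _get(q, "conditions", "clientAppTypes") & {app, "all"}):
                    covered |= _get(q, "grantControls", "builtInControls")
            missing = sorted(_get(p, "grantControls", "builtInControls") - covered)
            if missing:
                gaps.append((p["displayName"], app, missing))
    return gaps

def temporary_signin_frequency_policy(hours=20):
    """Graph body for the temporary policy (assumed scope: all users and all apps)."""
    return {"displayName": "TEMP - iPadOS Native Mail re-sign-in", "state": "enabled",
            "conditions": {"users": {"includeUsers": ["All"]},
                           "applications": {"includeApplications": ["All"]},
                           "platforms": {"includePlatforms": ["macOS"]},
                           "clientAppTypes": ["mobileAppsAndDesktopClients"]},
            "sessionControls": {"signInFrequency": {"value": hours, "type": "hours",
                                                    "isEnabled": True}}}

def _policy(name, platform, app, control):
    """Build a minimal Graph-shaped policy; used only for constructed sample data."""
    return {"displayName": name, "state": "enabled",
            "conditions": {"platforms": {"includePlatforms": [platform]}, "clientAppTypes": [app]},
            "grantControls": {"builtInControls": [control]}}

SAMPLE_POLICIES = [  # constructed sample export, not from a real tenant
    _policy("iOS mail: require approved client app", "iOS", "mobileAppsAndDesktopClients", "approvedApplication"),
    _policy("iOS browser: require compliant device", "iOS", "browser", "compliantDevice"),
    _policy("macOS browser: require MFA", "macOS", "browser", "mfa"),
]
```

Against the sample, the check reports that nothing on macOS enforces the approved-client-app control for mobile apps and that the macOS browser policy requires only MFA where the iOS browser policy requires a compliant device.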

Microsoft recommendations

We recommend that you take the following actions:

  1. Evaluate whether you have browser-based Azure AD CA policies for iOS that govern access from iPad devices. If you do, follow these steps:
    1. Create an equivalent macOS Azure AD browser access policy. We recommend that you use the “require a compliant device” policy. This policy enrolls your iPad and Mac devices into Microsoft Intune (or JAMF Pro, if you have selected that as your macOS management tool) and makes sure that browser apps have access only from compliant devices (the most secure option). You will also have to create an Intune device compliance policy for macOS.
    2. If you cannot “require a compliant device” for macOS and iPadOS browser access, make sure that you are “requiring MFA” for such access.
  2. Determine whether a Terms of Use (consent per device)-based Azure AD Conditional Access policy is configured for iOS. If it is, create an equivalent policy for macOS.

For more information, contact Microsoft Support.