Apple recently announced that it will release iPadOS (new OS for iPad) on September 30, 2019. We have discovered that this release introduces a change that could affect Microsoft Azure AD and Intune customers who use Conditional Access policies in their organization. This notice is intended to help you understand the breaking change from Apple and evaluate the impacts on your organization. This notice also provides recommendations from Microsoft.
Overview of the breaking change
All iPads that update to iOS 13+ will have their OS updated from iOS to iPadOS. While the iPadOS will behave similarly to iOS, there are some key apps that behave differently. Safari, for example, will present itself as macOS to ensure that iPadOS users have a full desktop browser experience.
Because Conditional Access policies are often applied on an OS- or app-specific basis, this change could affect the security and compliance of any iPad device that upgrades to iPadOS.
Apps that may be affected by the breaking change
This change affects apps that use Conditional Access and that identify as macOS apps instead of iOS apps. In reviewing your Conditional Access policies, you’ll want to focus on whether you provide a different app experience between macOS and iOS. In addition, you’ll want to review Conditional Access policies in Azure AD that use the affected app categories.
The breaking change affects enforcement of your Conditional Access policies on iPad running iPadOS in the following scenarios:
- Web application access using Safari browser
- Apple Native Mail access
- Native application access that uses Safari View Controller
In these cases, Azure AD Conditional Access treats any access request as a macOS access request.
It is essential that your organization has a Conditional Access policy for macOS. Without one, the scenarios identified above could result in open access to your organization’s resources.
There is no effect to the following access scenarios:
- All Microsoft native application access (such as Outlook, Word, or Edge)
- Web application access using a browser other than Safari (such as Chrome)
- Apps that use Intune App SDK/App wrapping tool for iOS/Microsoft identity platform v2.0 authentication libraries or v1.0 authentication libraries
Let’s walk through a few scenarios that could be affected before we look at Microsoft’s recommendations:
| Scenario | Effect after the iPad updates to iPadOS |
| --- | --- |
| You’ve set up a Conditional Access policy that “requires an approved client app” for email access on an iOS device, and you have no policy configured for macOS. | The approved client app policy will not be enforced for the affected app categories, as described previously. |
| You’ve set up a Conditional Access policy that “requires a compliant device” in order to use an iOS device to access company resources. However, you have not configured a macOS policy. | Users can access company resources by using apps in the affected app categories from non-compliant iPads. |
| You’ve set up a Conditional Access policy that “requires MFA” on an iOS device in order to access Office365 websites such as Outlook Web Access. However, you have not configured a corresponding macOS policy. | Users can access such Office365 websites by using apps from the affected app categories without being prompted for multi-factor authentication (MFA). |
| You’ve set up a Conditional Access policy that “requires a compliant device” for iOS devices and “requires MFA” for macOS devices. | Users can access company resources by using apps in the affected app categories from non-compliant iPads. |
These are just some examples of cases in which the Conditional Access Policy for iOS could be different from the Conditional Access policy for macOS. You will want to identify all such cases in your policy.
We recommend that you take the following actions:
- Evaluate whether you have browser-based Azure AD Conditional Access policies for iOS that govern access from iPad devices. If so, follow these steps:
  - Create an equivalent macOS Azure AD browser access policy. We recommend that you use the “require a compliant device” policy. This policy enrolls your iPad and Mac devices into Microsoft Intune (or JAMF Pro if you have selected that as your macOS management tool) and ensures that browser apps have access only from compliant devices (most secure option). You will also need to create an Intune device compliance policy for macOS.
  - In the event that you cannot “require a compliant device” for macOS and iPadOS for browser access, ensure that you are “requiring MFA” for such access.
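The scenarios above and the first recommended step both come down to the same audit: for every Conditional Access policy that applies to iOS, check whether an enabled macOS policy enforces the same grant controls for the same client app types. The following script is an added example, not Microsoft’s code; it assumes policy objects in the shape returned by the Microsoft Graph endpoint `/identity/conditionalAccess/policies` (fields `state`, `displayName`, `conditions.platforms`, `conditions.clientAppTypes`, `grantControls.builtInControls`), and the sample policies in it are constructed for illustration, not exported from any tenant. The policy names and the helper `_policy` are hypothetical.

```python
"""Find iOS Conditional Access policies with no equivalent macOS coverage.

Added example, not Microsoft's code. It takes policy objects in the shape
returned by the Microsoft Graph endpoint /identity/conditionalAccess/policies
(fields used: state, displayName, conditions.platforms,
conditions.clientAppTypes, grantControls.builtInControls). SAMPLE_POLICIES
below are constructed for illustration, not exported from a real tenant.
"""

ALL_CLIENT_APP_TYPES = {"browser", "mobileAppsAndDesktopClients",
                        "exchangeActiveSync", "other"}


def _applies_to_platform(policy, platform):
    """True if the policy's platform condition covers `platform`.

    A null platforms condition means the policy is not scoped by platform and
    therefore applies everywhere; an explicit exclusion wins over inclusion.
    """
    plats = policy.get("conditions", {}).get("platforms")
    if not plats:
        return True
    included = set(plats.get("includePlatforms") or [])
    excluded = set(plats.get("excludePlatforms") or [])
    return platform not in excluded and ("all" in included or platform in included)


def _client_app_types(policy):
    """Expand 'all' so browser and native-client policies compare like for like."""
    apps = set(policy.get("conditions", {}).get("clientAppTypes") or [])
    return set(ALL_CLIENT_APP_TYPES) if not apps or "all" in apps else apps


def _grant_controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def find_macos_gaps(policies):
    """Return [(ios_policy_name, client_app_type, missing_controls), ...].

    For every enabled policy that applies to iOS, and for each client app type
    it governs, collect the controls that the enabled macOS policies for that
    client app type enforce (all matching policies are evaluated together, so
    their controls add up). Any iOS control absent from that set is a gap: an
    iPad on iPadOS presenting as macOS would reach the resource without it.
    """
    enabled = [p for p in policies if p.get("state") == "enabled"]
    gaps = []
    for ios_policy in enabled:
        if not _applies_to_platform(ios_policy, "iOS"):
            continue
        required = _grant_controls(ios_policy)
        for app_type in sorted(_client_app_types(ios_policy)):
            enforced_on_macos = set()
            for mac_policy in enabled:
                if (_applies_to_platform(mac_policy, "macOS")
                        and app_type in _client_app_types(mac_policy)):
                    enforced_on_macos |= _grant_controls(mac_policy)
            missing = required - enforced_on_macos
            if missing:
                gaps.append((ios_policy["displayName"], app_type, missing))
    return gaps


def _policy(name, state, platforms, client_apps, controls):
    """Build a policy dict in Graph shape (hypothetical helper for the samples)."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "platforms": {"includePlatforms": platforms, "excludePlatforms": []},
            "clientAppTypes": client_apps,
        },
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }


# Constructed sample tenant; the names are hypothetical.
SAMPLE_POLICIES = [
    # Scenario 1 from the notice: approved client app required on iOS only.
    _policy("iOS mail: require approved client app", "enabled", ["iOS"],
            ["browser", "mobileAppsAndDesktopClients"], ["approvedApplication"]),
    # Scenario 4: compliant device on iOS, but macOS only asks for MFA.
    _policy("iOS browser: require compliant device", "enabled", ["iOS"],
            ["browser"], ["compliantDevice"]),
    _policy("macOS browser: require MFA", "enabled", ["macOS"],
            ["browser"], ["mfa"]),
    # A disabled policy enforces nothing, so it must not count as coverage.
    _policy("macOS browser: require compliant device", "disabled", ["macOS"],
            ["browser"], ["compliantDevice"]),
]


if __name__ == "__main__":
    for name, app_type, missing in find_macos_gaps(SAMPLE_POLICIES):
        print(f"GAP: '{name}' requires {sorted(missing)} for {app_type} on iOS, "
              f"but no enabled macOS policy enforces it")
```

Run against the constructed sample it reports three gaps: both client app types of the approved-client-app policy, and the browser access governed by the iOS compliant-device policy, which a macOS MFA-only policy does not close (the notice’s fourth scenario). Enabling the macOS compliant-device policy removes that last gap. A policy scoped to all platforms covers iPadOS on its own and is never reported. To audit a real tenant, replace `SAMPLE_POLICIES` with the `value` array returned by the Graph endpoint named above.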
We are continuing to explore other alternatives that will minimize the effects of this breaking change from Apple on our customers’ Conditional Access policies. We will provide additional information in this article as it becomes available.
For more information, contact Microsoft Support.