OAuth Support for native Mail on Apple devices
Overview
Starting with iOS 12 and macOS 10.14, Apple has added OAuth 2.0 support for Exchange ActiveSync accounts that are deployed through an Enterprise Mobility Management (EMM) solution. For iOS, iPadOS, and macOS, the OAuth checkbox is part of the Exchange ActiveSync settings, meaning that you can deploy a native email account to your iOS, iPadOS, and macOS fleet with OAuth enabled. The OAuth option might be a good fit for you if your organization is using:
- Modern authentication for Exchange Online, on its own or in combination with
- Multifactor authentication
- A third-party identity provider, such as MyWorkspace or Ping Identity
Configuration
- Create a new Tag and configure your Exchange ActiveSync Profile
- Enter a Label, e.g. Matrix42 OAuth
- Enter your Server Name, e.g. outlook.office365.com
- Enable Use OAuth
- Configure additional settings (optional)
- Press Save
- Assign the Tag to your devices
Review Profile Installation
From the Devices Tab, open the device overview of one of your assigned devices. Select Actions and Pending commands. Locate the InstallProfile command for Exchange.
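As an added example (not the product's own code), the Python below builds the com.apple.eas.account payload that the configuration steps above produce and audits an InstallProfile payload for the settings that matter here: OAuth on, no password embedded in the profile, SSL on. The payload identifier and email address are constructed placeholders; the OAuthSignInURL key is optional and only set when your identity provider needs it.

```python
import plistlib
import uuid
from typing import List, Optional


def build_eas_profile(label: str, host: str, email: str, oauth: bool = True,
                      password: Optional[str] = None,
                      sign_in_url: Optional[str] = None) -> bytes:
    """Return a Configuration profile (XML plist) with one Exchange ActiveSync payload."""
    eas = {
        "PayloadType": "com.apple.eas.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.eas.oauth",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": label,
        "Host": host,
        "EmailAddress": email,
        "UserName": email,
        "SSL": True,
        "OAuth": oauth,  # True: the device obtains a token interactively, no stored password
    }
    if password is not None:  # only meaningful for legacy basic-auth profiles
        eas["Password"] = password
    if sign_in_url:
        eas["OAuthSignInURL"] = sign_in_url
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.eas",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": label,
        "PayloadContent": [eas],
    }
    return plistlib.dumps(profile)


def audit_eas_profile(profile_bytes: bytes) -> List[str]:
    """Return one finding per weak setting found in the profile's EAS payloads."""
    findings = []
    root = plistlib.loads(profile_bytes)
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.eas.account":
            continue
        name = payload.get("PayloadDisplayName", "<unnamed>")
        if not payload.get("OAuth", False):
            findings.append(f"{name}: OAuth disabled, account falls back to basic auth")
        if "Password" in payload:
            findings.append(f"{name}: Password embedded in profile")
        if not payload.get("SSL", False):
            findings.append(f"{name}: SSL disabled")
    return findings
```

Feed the function the plist from the InstallProfile command to confirm the profile the device received is the one you intended.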
User Experience
After the OAuth-enabled Exchange profile is deployed to the device, the user flow is as follows:
- First, users see a popup asking them to enter the password for the Exchange account.
- By tapping Edit Settings, the user is taken to the Password & Account settings page.
- On the Password & Account settings page, the user selects the corporate account (e.g. Matrix42 OAuth).
- On the account's settings page, the user selects Re-enter password.
- The user is then forwarded to authenticate with your Identity Provider (e.g. MyWorkspace).
- Once the user enters the correct credentials and taps Sign In, the native Exchange account starts syncing email.
On newer operating system versions, the user may be forwarded directly to the authentication page after tapping Edit Settings.
Use this functionality only if you don't distribute Shared or Group Mailboxes to your end users: OAuth prevents other credentials from being used for additional accounts.
Additional Notes
- If users are not prompted with "Enter the password for the Exchange account", they can open Settings > Mail > Accounts > Corporate Account (e.g. Matrix42 OAuth) and press the Re-enter Password button.
- If the account is present on the device but authentication has not been completed, users will see the corporate account in the native Mail application but won't be able to connect to it.