Matrix42 Self-Service Help Center

OAuth Support for native Mail on Apple devices

Overview

Starting with iOS 12 and macOS 10.14, Apple added OAuth 2.0 support for Exchange ActiveSync accounts that can be deployed through an Enterprise Mobility Management solution. For iOS, iPadOS, and macOS, the OAuth checkbox is part of the Exchange ActiveSync settings, so you can deploy a native email account with the OAuth capability to your iOS, iPadOS, and macOS fleet. The OAuth option might be a good fit for you if your organization is using:

  • Modern authentication for Exchange Online, on its own and/or in combination with the items below
  • Multifactor authentication
  • A third-party identity provider, like MyWorkspace or Ping Identity

Configuration

  • Create a new Tag and configure your Exchange ActiveSync Profile 
  • Enter a Label, e.g. Matrix42 OAuth
  • Enter your Server Name, e.g. outlook.office365.com
  • Enable Use OAuth 
  • Configure additional settings (optional)
  • Press Save
  • Assign the Tag to your devices


Review Profile Installation

From the Devices Tab, open the device overview of one of your assigned devices. Select Actions and Pending commands. Locate the InstallProfile command for Exchange. 
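
One way to confirm that an exported copy of the profile really carries the Use OAuth setting, as an added example that is not part of the original article or Matrix42's own code. It assumes an unsigned XML .mobileconfig and relies on Apple's Exchange payload types and keys (`OAuth`, `Host`, `Password`), which this article does not list; the sample profile is constructed.

```python
import plistlib

# Apple payload types for Exchange accounts: EAS on iOS/iPadOS, EWS on macOS.
EXCHANGE_PAYLOAD_TYPES = {"com.apple.eas.account", "com.apple.ews.account"}

# Constructed sample profile (not exported from a real console).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.eas.account</string>
      <key>PayloadDisplayName</key><string>Matrix42 OAuth</string>
      <key>Host</key><string>outlook.office365.com</string>
      <key>OAuth</key><true/>
    </dict>
  </array>
</dict></plist>"""


def audit_exchange_payloads(profile_bytes):
    """Return [(account label, [findings])] for each Exchange payload found."""
    profile = plistlib.loads(profile_bytes)
    results = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") not in EXCHANGE_PAYLOAD_TYPES:
            continue  # Wi-Fi, VPN, restrictions, etc. are out of scope here
        findings = []
        if payload.get("OAuth") is not True:
            findings.append("OAuth is not enabled")
        if "Password" in payload:
            # With OAuth the user signs in at the identity provider instead.
            findings.append("profile embeds a static password")
        if not payload.get("Host"):
            findings.append("no server name (Host) set")
        results.append((payload.get("PayloadDisplayName", "<unnamed>"), findings))
    return results


if __name__ == "__main__":
    for label, findings in audit_exchange_payloads(SAMPLE_PROFILE):
        print(label, "->", findings or "OK")
```

An empty findings list means the payload requests OAuth and carries no stored password; a signed profile has to be unwrapped before it can be parsed this way.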


User Experience

After the OAuth-enabled Exchange profile is deployed to the device, the user flow is as follows:

  1. First, users see a popup asking them to enter their password for the Exchange account.
  2. By tapping Edit Settings, the end user will see the Password & Account settings page.
  3. In the Password & Account settings page, the user needs to select the Corporate Account (e.g. Matrix42 OAuth).
  4. In the Settings page, the user selects Re-enter password.
  5. Once selected, the user will be forwarded to authenticate with your Identity Provider (e.g. MyWorkspace).
  6. Once the user enters the correct credentials and taps Sign In, their native Exchange account will start syncing email.

On newer operating system versions, the user might be forwarded directly to the authentication page after pressing the Edit Settings button.

Please use this functionality only if you don't have any Shared or Group Mailboxes distributed to your end users. OAuth prevents other credentials from being used for other accounts.


Additional Notes 

  • If users are not prompted with the Enter the password for the Exchange account popup, they can open Settings > Mail > Accounts > Corporate Account (e.g. Matrix42 OAuth) and press the Re-enter Password button.
  • If the account is present on the device but the authentication process has not been completed, users will see the Corporate Account in the native Mail application, but won't be able to connect to it.