SimpleMDM: OAuth2 Support for Exchange Accounts?
We've been using SimpleMDM to push Mail Profiles for Exchange accounts to 20 iPhones, all of which use the Apple Mail app. It's worked great for years.
However, Microsoft will be disabling support for Basic Authentication on October 1st, 2022, requiring that OAuth2 be used instead for all protocols, including ActiveSync.
PDQ has provided us with instructions on how to modify the Mail Provider profile to use OAuth2, specifically:
SSL = Checked
OAuth Authentication = Yes
OAuth Sign In URL = https://login.microsoftonline.com/{tenant ID}/oauth2/v2.0/authorize
OAuth Token Request URL = https://login.microsoftonline.com/{tenant ID}/oauth2/v2.0/token
There are various required changes on the Azure side as well, which we've made.
However, in reviewing the logs, our phones continue to authenticate using Basic Authentication. There are no errors, the phones connect successfully, but seem to be ignoring the OAuth settings entirely.
Any ideas why? Has anyone else managed to use SimpleMDM to authenticate to Exchange accounts using OAuth2?
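The OAuth settings listed in the post can be sanity-checked before a profile is pushed. This is an added example, not SimpleMDM's or Apple's code; it assumes the documented Apple EAS payload keys (SSL, OAuth, OAuthSignInURL, OAuthTokenRequestURL, Password) and the tenant-ID form of the Microsoft URLs quoted above.

```python
import plistlib
import re

# Added example, not SimpleMDM or Apple code.  Assumes the documented Apple
# EAS payload keys: SSL, OAuth, OAuthSignInURL, OAuthTokenRequestURL, Password.
EAS_PAYLOAD_TYPE = "com.apple.eas.account"
# Microsoft identity platform v2.0 endpoints keyed by a tenant ID (GUID), as
# quoted in the post; vanity tenant domains are deliberately not accepted.
URL_RE = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"(/oauth2/v2\.0/(?:authorize|token))$", re.I)
EXPECTED_PATH = {"OAuthSignInURL": "/oauth2/v2.0/authorize",
                 "OAuthTokenRequestURL": "/oauth2/v2.0/token"}

def check_eas_payload(payload: dict) -> list[str]:
    """Return findings for one EAS payload; an empty list means it looks sound."""
    findings = []
    if payload.get("SSL") is not True:
        findings.append("SSL is not enabled")
    if payload.get("OAuth") is not True:
        findings.append("OAuth is not enabled, so Basic Auth will be used")
    tenants = set()
    for key, path in EXPECTED_PATH.items():
        match = URL_RE.match(payload.get(key, ""))
        if not match or match.group(2).lower() != path:
            findings.append(f"{key} should be https://login.microsoftonline.com/<tenant ID>{path}")
        else:
            tenants.add(match.group(1).lower())
    if len(tenants) > 1:
        findings.append("sign-in and token URLs name different tenants")
    if payload.get("Password"):  # an OAuth profile should not also ship a static password
        findings.append("a static Password is embedded in the profile")
    return findings

def check_mobileconfig(data: bytes) -> dict[str, list[str]]:
    """Map each EAS payload's PayloadIdentifier in a .mobileconfig to its findings."""
    profile = plistlib.loads(data)
    return {p.get("PayloadIdentifier", "?"): check_eas_payload(p)
            for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == EAS_PAYLOAD_TYPE}

# Constructed sample profile with a placeholder tenant ID, not a real tenant.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_PROFILE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": EAS_PAYLOAD_TYPE, "PayloadIdentifier": "com.example.eas",
    "SSL": True, "OAuth": True,
    "OAuthSignInURL": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "OAuthTokenRequestURL": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
}]})
```

A clean result only rules out malformed settings; it does not explain the symptom in this thread, where a correct profile still falls back to Basic Auth.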
Comments
I don't use SimpleMDM, but I'd suggest that it may be related to the application itself using basic auth. Would it be possible to use a different application like Outlook? I believe it uses modern auth.
Thanks, yes that's a good backup plan. Users resist change though lol, so we're trying to avoid it if possible. The odd thing is that setting up Apple Mail for Exchange accounts manually works fine - it uses OAuth in that case, so the app in theory can do it - it's just when it's set up by pushing a SimpleMDM Mail Profile, it uses Basic Auth even though OAuth is specified :(
Hi Kate,
Thanks for reaching out.
SimpleMDM is working on this now as the way we used to do this is no longer working.
Currently the underlying issue is that Microsoft OAuth settings do not seem to be able to communicate with the Apple Mail App via the Apple Exchange ActiveSync MDM Payload (In SimpleMDM this is the email provider profile).
We have also been in communications with customers of other MDM services (including Jamf and others) who are reporting similar issues, and in doing so, we have confirmed that this profile is always defaulting to basic authentication, even when OAuth information is entered.
Our focus is currently on this, as Apple's documentation leads us to believe that this should not be the case:
Pulled from: https://support.apple.com/guide/deployment/exchange-activesync-eas-payload-settings-depa9c22f8c/web
One odd thing we have discovered is that when manually adding an account to an iOS device, an Enterprise Application called 'Apple Internet Accounts' is automatically created in Azure, something that was not happening earlier in the summer. Unfortunately, because it's an enterprise application, we have not been able to utilize it for our own configuration.
If you would like to continue using your current email configuration for deployment via SimpleMDM, you can go to the link below and follow the directions under 'Diagnostic Options' to re-enable basic authentication:
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437
Please note we have not been able to test this and it isn’t necessarily our official recommendation - we don’t have an official stance at this point, but it was brought to our attention as an option for a short-term solution/workaround.
We understand how important the ability to configure email profiles for devices is and we appreciate your patience while we continue to work on this. If you have any other questions on this, please feel free to reach out to support@simplemdm.com.
Thank you,
Cory
Has there been any update on this? I know we were able to turn Basic Auth back on for a bit, but know it will not be an option. We tried the same OAuth settings before, as well, to no avail. If we need to kick over to Outlook we can, but were hoping this may be resolved soon.