Overview of the breaking change
Apple released iPadOS (the new OS for iPad) on September 30, 2019. Before the release, we discovered that this release introduces a change that could affect Microsoft Azure Active Directory (Azure AD) and Intune customers who use Conditional Access policies in their organization. This notice is intended to help you understand the breaking change from Apple and evaluate the effects on your organization. This notice also provides recommendations from Microsoft.
Every iPad that updates to iOS 13 or later moves from iOS to iPadOS. Although iPadOS behaves much like iOS, some key apps behave differently. Safari, for example, identifies itself as macOS Safari (it sends a desktop user-agent string) so that iPadOS users get a full desktop browser experience.
Caution
Because Conditional Access policies are often scoped by OS or by app, this change could affect the security and compliance posture of any iPad that upgrades to iPadOS.
Apps that may be affected by the breaking change
This change affects apps that are subject to Conditional Access and that now identify themselves as macOS apps instead of iOS apps. In reviewing your Conditional Access policies, focus on whether you provide a different app experience for macOS than for iOS. Additionally, we recommend that you review the Conditional Access policies in Azure AD that apply to the affected app categories.
The breaking change affects enforcement of your Conditional Access policies on iPad devices that are running iPadOS in the following scenarios:
- Web application access using Safari browser
- Apple Native Mail access
- Native application access that uses Safari View Controller
In these scenarios, Azure AD Conditional Access evaluates the access request as if it came from a macOS device.
Important
It is essential that your organization has a Conditional Access policy for macOS. Not having a policy for macOS could cause an open access condition in your organization’s resources for the previously identified scenarios.
The breaking change does not affect the following access scenarios:
Before you examine the recommendations by Microsoft, consider the following scenarios that could be affected.
- Scenario: You've set up a Conditional Access policy that "requires an approved client app" for email access on an iOS device, and you have no policy configured for macOS.
  Result: After an iPad updates to iPadOS, the approved client app policy is not enforced for the affected app categories described previously.
- Scenario: You've set up a Conditional Access policy that "requires a compliant device" in order to use an iOS device to access company resources. However, you have not configured a macOS policy.
  Result: After the iPads update to iPadOS, users can access company resources by using apps in the affected app categories from non-compliant iPads.
- Scenario: You've set up a Conditional Access policy that "requires MFA" on an iOS device in order to access Office 365 websites such as Outlook Web Access. However, you have not configured a corresponding macOS policy.
  Result: After the iPads update to iPadOS, users can access such Office 365 websites by using apps in the affected app categories without being prompted for multi-factor authentication (MFA).
- Scenario: You've set up a Conditional Access policy that "requires a compliant device" for iOS devices and "requires MFA" for macOS devices.
  Result: After the iPads update to iPadOS, users can access company resources by using apps in the affected app categories from non-compliant iPads, because only the weaker macOS policy (MFA) is applied.
These are just some examples of cases in which the Conditional Access Policy for iOS might differ from the Conditional Access policy for macOS. You should identify all such cases in your policy.
Microsoft recommendations
We recommend that you take the following actions:
- Evaluate whether you have browser-based Azure AD Conditional Access (CA) policies for iOS that govern access from iPad devices. If you do, follow these steps:
  - Create an equivalent macOS Azure AD browser access policy. We recommend that you use the "require a compliant device" control. This control requires your iPad and Mac devices to be enrolled in Microsoft Intune (or JAMF Pro, if you have selected that as your macOS management tool) and to be marked compliant, so browser access is allowed only from compliant devices (the most secure option). You will also have to create an Intune device compliance policy for macOS.
  - If you cannot "require a compliant device" for macOS and iPadOS browser access, make sure that you are "requiring MFA" for such access.
- Determine whether a Terms of Use (consent per device)-based Azure AD Conditional Access policy is configured for iOS. If it is, create an equivalent policy for macOS.
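The audit that the scenarios above and these recommendations call for can be scripted. The following is an added example, not code from the Microsoft notice: it walks a tenant's Conditional Access policies in the Microsoft Graph `conditionalAccessPolicy` JSON shape (the shape returned by `GET /identity/conditionalAccess/policies`), reports every enabled iOS policy that has no macOS policy guaranteeing at least the same grant controls (including a terms-of-use requirement), and drafts a report-only macOS twin for each gap. The sample policies are constructed for illustration, the terms-of-use ID is a placeholder, and the "covers" rule is this example's own approximation of policy equivalence.

```python
"""Find iOS Conditional Access policies that an iPadOS upgrade would bypass
and draft macOS equivalents.  Added example, not from the Microsoft notice.
Works on Microsoft Graph conditionalAccessPolicy objects; sample data below
is constructed and the terms-of-use ID is a placeholder."""
import copy


def _platforms(policy):
    return (policy.get("conditions") or {}).get("platforms") or {}


def covers_platform(policy, platform):
    """True when an enabled policy applies to `platform`.  No platform
    condition, or includePlatforms ["all"], means every platform unless the
    platform is explicitly excluded."""
    if policy.get("state") != "enabled":
        return False
    include = _platforms(policy).get("includePlatforms") or ["all"]
    exclude = _platforms(policy).get("excludePlatforms") or []
    return platform not in exclude and (platform in include or "all" in include)


def guaranteed_controls(policy):
    """Controls every sign-in must satisfy.  With operator "OR" (require one
    of the selected controls) and several controls, the user may pick the
    weakest one, so nothing specific is guaranteed."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if grant.get("operator", "OR") == "OR" and len(controls) > 1:
        return set()
    return controls


def requires_terms_of_use(policy):
    return bool((policy.get("grantControls") or {}).get("termsOfUse"))


def target_apps(policy):
    apps = (policy.get("conditions") or {}).get("applications") or {}
    return set(apps.get("includeApplications") or [])


def macos_covers(ios_policy, mac_policy):
    """A macOS policy covers an iOS policy when it scopes the same apps (or
    "All"), guarantees at least the same controls, and keeps any terms of use.
    This is the example's own equivalence rule, not an Azure AD feature."""
    apps = target_apps(mac_policy)
    if "All" not in apps and not apps >= target_apps(ios_policy):
        return False
    if not guaranteed_controls(mac_policy) >= guaranteed_controls(ios_policy):
        return False
    return requires_terms_of_use(mac_policy) or not requires_terms_of_use(ios_policy)


def find_uncovered_ios_policies(policies):
    """Display names of enabled iOS-only policies with no macOS equivalent:
    the policies an upgraded iPad slips past in the affected scenarios."""
    mac = [p for p in policies if covers_platform(p, "macOS")]
    return [p["displayName"] for p in policies
            if covers_platform(p, "iOS") and not covers_platform(p, "macOS")
            and not any(macos_covers(p, m) for m in mac)]


def macos_equivalent(ios_policy):
    """Draft a POST body for the macOS twin.  It starts in report-only mode so
    sign-in logs can be reviewed before the policy is enforced."""
    twin = copy.deepcopy(ios_policy)
    for key in ("id", "createdDateTime", "modifiedDateTime"):
        twin.pop(key, None)
    twin["displayName"] = ios_policy["displayName"] + " (macOS)"
    twin.setdefault("conditions", {})["platforms"] = {
        "includePlatforms": ["macOS"], "excludePlatforms": []}
    twin["state"] = "enabledForReportingButNotEnforced"
    return twin


def _policy(pid, name, platforms, apps, controls, tou=None, state="enabled"):
    """Build a constructed sample policy in the Graph JSON shape."""
    return {"id": pid, "displayName": name, "state": state,
            "conditions": {"platforms": {"includePlatforms": platforms},
                           "applications": {"includeApplications": apps}},
            "grantControls": {"operator": "OR", "builtInControls": controls,
                              "termsOfUse": tou or []}}


# Constructed sample tenant.  "Office365" and "All" are real Graph values for
# the application condition; the terms-of-use ID is a placeholder.
TOU_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_POLICIES = [
    _policy("1", "iOS: approved client app for Office 365", ["iOS"], ["Office365"], ["approvedApplication"]),
    _policy("2", "iOS: compliant device for Office 365", ["iOS"], ["Office365"], ["compliantDevice"]),
    _policy("3", "macOS: MFA for Office 365", ["macOS"], ["Office365"], ["mfa"]),
    _policy("4", "iOS: MFA for Office 365", ["iOS"], ["Office365"], ["mfa"]),
    _policy("5", "iOS: terms of use", ["iOS"], ["All"], [], tou=[TOU_ID]),
    _policy("6", "All platforms: terms of use", ["all"], ["All"], [], tou=[TOU_ID]),
    _policy("7", "macOS: compliant device (disabled)", ["macOS"], ["All"], ["compliantDevice"], state="disabled"),
]

if __name__ == "__main__":
    import json
    for gap in find_uncovered_ios_policies(SAMPLE_POLICIES):
        src = next(p for p in SAMPLE_POLICIES if p["displayName"] == gap)
        print("Uncovered iOS policy:", gap)
        print(json.dumps(macos_equivalent(src), indent=2))
```

Policies 1 and 2 are reported: the macOS MFA policy (3) does not guarantee an approved client app or a compliant device, which is exactly the fourth scenario in the table above, and the disabled macOS compliant-device policy (7) does not count. Policies 4 and 5 are not reported because policy 3 guarantees MFA and the all-platform terms-of-use policy (6) already applies to macOS. In a real tenant, feed the script the `value` array from the Graph endpoint and POST the drafted twins back to it after review.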
For more information, contact Microsoft Support.