Microsoft Conditional Access & Device Security with ACC iOS Mobile App (SSO / SAML)

In our work environment, there are special requirements regarding data protection and data security.

Therefore, we consistently use Microsoft 2FA with Conditional Access for all our devices.

Situation Description:
Conditional Access works without issues on Windows devices via the browser. However, on construction sites, using Apple iOS phones and tablets, it is more practical to use an app rather than the browser, especially when a convenient solution for small screens without a notebook is required for construction documentation and error/problem descriptions.

Problem Description:
On Apple devices, Conditional Access is only supported by the Edge browser. The native Apple WebKit implementation cannot query the device ID, which makes using the ACC app impossible.

Error messages from the logon process in the app:

  • Browser not supported
  • "You can’t get there from here" after logging on

Problem Background:
The ACC app uses the device’s native WebKit implementation. Due to technical limitations related to the device ID, it cannot meet Azure security requirements.

The mobile app seems to call a webview to handle the SSO authentication. This webview always appears as Mobile Safari (the OS default browser setting makes no difference). Mobile Safari cannot retrieve any Intune device information (DeviceID), so the Conditional Access policy cannot determine whether the device is compliant. Furthermore, the webview does not display as the calling app.

Possible Solutions:

  • Relax IT security settings to allow the app to function, or
  • Use a web browser when accessing data from the ACC, or
  • Update the ACC app to use Edge for SSO.

The first solution is not feasible in our environment. The second solution is very cumbersome for users. The third solution would benefit all ACC customers with higher security requirements.

The feasibility is demonstrated by various applications such as Citrix, Microsoft itself, or Zoom.
Refer to: Webex Conditional Access for Intune with Entra ID
