
iOS 12: What enterprises OAuth to know

June 20, 2018
iOS 12

Background

Based on the first iOS 12 developer beta build, Apple has added OAuth 2.0 support for Microsoft Exchange accounts that can be deployed through MDM. For those who have been following the OAuth saga, this isn’t the first time we’ve seen OAuth 2.0 in the wild: in iOS 11, OAuth 2.0 for Microsoft Exchange accounts became generally available. With that general availability, enterprises faced challenges securing their Office 365 email on iOS 11, because OAuth 2.0 was first introduced as a user-driven feature. For those interested in understanding how OAuth works, or simply in need of a refresher, you can find my past blog posts here (Part 1/Part 2). If the first iOS 12 beta is any indication of future enhancements, the OAuth capability is now part of the Exchange payload, meaning administrators can deploy an iOS native email account with OAuth enabled to their iOS fleet. This post covers why enterprises are considering OAuth, how to configure OAuth for email, and what the user will see after the Exchange account has been deployed.

A brief history of iOS’s OAuth capability

Before iOS 11, the iOS native email client could only be deployed via active authentication for Office 365 email account creation. With active authentication, the email client had to present its credentials, either basic or certificate-based authentication, directly to Microsoft Azure. In iOS 11, the native email client allowed enterprises to support more modern authentication and authorization standards such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation. These standards allow users to securely access cloud services while letting enterprises keep control over their credentials through an Identity Provider (IdP).

When iOS 11 introduced the OAuth 2.0 capability, many enterprises were initially excited about the prospect of a more modern way to authenticate when accessing their Office 365 email. OAuth allowed enterprises to authenticate to their IdP securely, and it also enabled capabilities such as multi-factor authentication (MFA) and conditional access that a traditional active flow did not offer. The excitement quickly turned into nervousness, because OAuth was originally introduced in iOS 11 for user-driven account creation, and administrators lost many of the access and enforcement controls they depended on, such as restricting attachments to managed apps only and removing corporate email accounts when a device is retired or falls out of compliance.

iOS 12 OAuth and the enterprise

With the release of iOS 12, many of the newly planned MDM capabilities are in the Exchange payload. In the iOS 12 developer beta, Apple has added OAuth as an optional boolean value and also added a bit more support for S/MIME. To learn more about the new capabilities in iOS and macOS, I’ve provided Apple’s configuration profile reference link [1] as well as some sample Exchange profiles with OAuth turned on [2] below.

Key:   OAuth

Type:  Boolean

Value: Optional. Specifies whether the connection should use OAuth for authentication. If enabled, a password should not be specified. This defaults to false. Availability: Available only in iOS 12.0 and later.
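As an added example (not from the original post or from Apple’s reference), the following Python builds a minimal Exchange ActiveSync payload with the OAuth key enabled and checks a .mobileconfig for the two combinations the key’s documentation rules out: OAuth enabled alongside a stored Password, and OAuth absent or false (the default), which leaves the account on active authentication. Payload identifiers and the mailbox address are constructed placeholders.

```python
import plistlib
import uuid

EAS_PAYLOAD_TYPE = "com.apple.eas.account"  # Exchange ActiveSync payload type


def build_oauth_exchange_payload(email, host, display_name="Corporate Exchange"):
    """Minimal Exchange payload with OAuth on and no Password key (sample values)."""
    return {
        "PayloadType": EAS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.exchange.oauth",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "EmailAddress": email,
        "UserName": email,
        "Host": host,
        "OAuth": True,  # iOS 12+: the user authenticates at the IdP; no stored password
    }


def build_profile(payloads):
    """Wrap payloads in a top-level configuration profile, serialized as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.exchange",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Exchange with OAuth",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def check_exchange_payloads(profile_bytes):
    """Parse a .mobileconfig and return one finding per problem in each Exchange payload."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != EAS_PAYLOAD_TYPE:
            continue
        name = payload.get("PayloadIdentifier", "<unnamed>")
        oauth = payload.get("OAuth", False)  # the key defaults to false when absent
        if oauth and "Password" in payload:
            findings.append(f"{name}: OAuth enabled but Password is set; remove Password")
        if not oauth:
            findings.append(f"{name}: OAuth not enabled; account falls back to active authentication")
    return findings
```

Running `check_exchange_payloads` over an exported profile before pushing it from the MDM catches a profile that still carries a password next to the OAuth flag.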

After the OAuth-enabled Exchange profile is deployed to the device, the end-user flow depicted in this video is as follows:

  1. The user is presented with a popup asking them to enter the password for the Exchange account by tapping Edit Settings.

  2. In the Settings page, the user selects Re-enter password.

  3. Once selected, they are brought to a system browser called Safari View Controller (SFVC) to authenticate with their Identity Provider (IdP).

  4. If this is the first time they are attempting this, a new app called iOS Accounts is presented to the user for authorization. This is an Azure app created by Apple that leverages Azure AD for authorization (OAuth 2.0).

  5. Once the user approves the permissions of iOS Accounts, their native Exchange account will start syncing email.

Securing OAuth in the enterprise

Provisioning a managed email profile is really just the start of an enterprise deployment. With GDPR in full swing, enterprises also need to ensure data stays within their company domain. Every device that accesses sensitive material needs to have the appropriate safeguards in place. Stay tuned for a follow-up post on deployment considerations when investigating OAuth support with iOS 12.


[1] Apple’s configuration profile reference

[2] MobileIron Cloud, MobileIron Core


Rich Festante, Technical Marketing Engineer at MobileIron