With the release of iOS 11.0, the native mail client now supports OAuth 2.0. OAuth 2.0 is often referred to as modern authentication and provides some new capabilities, such as support for Microsoft Azure Multi-Factor Authentication and the use of certificates for authentication. Modern Authentication uses a secure token instead of relying on a username and password (Active Authentication).
When configuring a new profile, users have the option to choose between traditional authentication with username and password, which Apple refers to as the manual approach, or “Sign In”, which uses OAuth 2.0 authentication in a Safari browser (SFViewController).
See how it works:
A bit of history
Since the release of iOS 10.3 beta there has been a lot of hype around the newly introduced OAuth 2.0 support in the native mail app. For some reason only known to Apple, it didn’t make it to the final release. Based on what I have heard, they struggled with some issues and decided to postpone the support to a later release. Alex Simons mentioned that Microsoft is working with Apple to get it working.
The support was re-introduced in iOS 11 beta 2 and beta 3, which is a very pleasant surprise for many people with a passion for enterprise mobility and security.
- iOS beta 2 introduced the support for modern authentication for federated users.
- iOS beta 3 added the support for modern authentication for both federated and cloud-only users.
- iOS beta 6 allowed the users to select the type of authentication to use during profile configuration.
- iOS 11 final version introduced the support for OAuth in the native mail.
References:
- Practicing Safe Security with iOS 11 and Office 365 (oauth 2.0)
- Single Sign-on and iOS 11
- Exciting new stuff coming in iOS 10.3. Native Mail now support modern auth
- Active Authentication Flow (See the flow)
- Announcing Exchange ActiveSync v16
- Announcing Exchange ActiveSync version 16.1
/Peter
Surprised how clunky it looks. All the flipputy flip of displays just for a silly login. Kinda looks like script kiddy work.
Does Selective Wipe work?
The newly introduced authentication support has nothing to do with “Selective Wipe”. You have to use an MDM tool for performing a “Selective Wipe”.
[…] iOS 11 and above does not use ActiveSync for authentication, instead it uses modern authentication (reference article). This is because iOS 11 provides support for OAuth 2.0 in the native mail app. This means that if […]
I do agree with all of the ideas you’ve introduced on your post.
They’re very convincing and can definitely work. Nonetheless,
the posts are too quick for beginners. May just you please prolong them a bit
from subsequent time? Thank you for the post.
[…] then up to licensees to update the mail apps for their devices to support modern authentication (Apple already has for iOS 11 onward). However, just because a mail app proclaims its support for modern authentication, software must […]