VMware Workspace ONE Community
DBnowDC
Contributor

Native iOS mail app + OAUTH + Office 365 = Confusion. Help?

Hi Community,

I'm running into an issue with the proper configuration of a profile that pushes OAUTH as a setting for Exchange ActiveSync. We have MFA set up through Azure AD and we've enabled OAUTH in a test profile, and have pushed that out to test devices. This is what the profile looks like (note: After saving the profile with blank Domain and Username fields, Domain auto-populates with {EmailDomain} and {EmailUserName}):

[Screenshot: test profile settings]

So this setup works fine for the first try, except for the Exchange account name coming over to the device as "(null)" instead of Exchange ActiveSync as defined. OK, not a big deal.

The real issues come when it's time for the user to re-authenticate after changing their AD password. The Exchange account name has inexplicably changed from "(null)" to "domain\username", which MFA fails to find as an account (as it should). It doesn't remember username@domain.com for the authentication.

So I tried to fix this by specifying @domain.com on the end of the username field, and that fixed a myriad of issues. The Exchange account is named correctly, MFA passes through the correct username format, and users can connect just fine...

Until their OAUTH token appears to expire instead of renewing... Once it does that, Mail just says there is an error with the Exchange account. And since there's no way to initiate a new token authorization by re-authenticating the account (thank you, oversimplified iOS settings...), the account is useless until I pull the profile then push it again.

I came across this issue in Microsoft's Tech Community, and despite it being related to iOS 12, we are having the same issue in iOS 13. A reply in that thread stated that by blanking the username and domain, it worked for their organization, but that's where I started this whole process from.

So I'm not sure what's wrong here. MFA for other apps we have configured is working perfectly. Based on the MFA attempting to pass through a specific combination of username and password (and the weird Exchange account names) depending on the profile settings, I'm thinking the profile config is needing to be tuned. I haven't been able to find much on how to set it up for Office 365 + OAUTH + Native iOS Mail client on the web, so I'm hoping I can get some feedback in here as to your setups.

2 Replies
MorsePacific
Contributor

Did you ever figure this out?
Having similar issues with Okta configured as our IdP.

CamilleDebay
VMware Employee

Old thread, but I came across it and thought I would give the answer to that 🙂

The Username and Email Address need to be at EmailAddress and the domain should be empty.

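An added example, not from the thread or from VMware: a small Python check that parses an exported iOS configuration profile and flags OAuth-enabled Exchange ActiveSync accounts whose username is not the email address, which is the condition the thread ties to the failed re-authentication. The payload keys (`com.apple.eas.account`, `OAuth`, `UserName`, `EmailAddress`, `Host`) are Apple's; the sample profile, its values and the function name `audit_eas_oauth` are constructed for illustration, and it is an assumption that the console's Domain field reaches the device as a `domain\` prefix on `UserName`.

```python
import plistlib
import re

# Constructed sample: an Exchange ActiveSync payload as delivered to a device,
# after the MDM has filled in its lookup values. All values are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.eas.account</string>
    <key>Host</key><string>outlook.office365.com</string>
    <key>OAuth</key><true/>
    <key>EmailAddress</key><string>jdoe@example.com</string>
    <key>UserName</key><string>EXAMPLE\\jdoe</string>
  </dict></array>
</dict></plist>"""

# Same payload with UserName set to the email address, as the reply advises.
FIXED_PROFILE = SAMPLE_PROFILE.replace(b"EXAMPLE\\jdoe", b"jdoe@example.com")

USER_AT_DOMAIN = re.compile(r"^[^\\/@\s]+@[^\\/@\s]+$")


def audit_eas_oauth(profile_bytes):
    """Return a list of findings for OAuth-enabled EAS accounts in a profile."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.eas.account":
            continue
        if not payload.get("OAuth", False):
            continue  # basic-auth accounts are out of scope for this check
        user = payload.get("UserName", "")
        email = payload.get("EmailAddress", "")
        if "\\" in user:
            findings.append(f"UserName {user!r} is in domain\\username form")
        elif user and not USER_AT_DOMAIN.match(user):
            findings.append(f"UserName {user!r} is not in user@domain form")
        if user and email and user.lower() != email.lower():
            findings.append(f"UserName {user!r} differs from EmailAddress {email!r}")
    return findings


if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_PROFILE), ("fixed", FIXED_PROFILE)):
        print(name, audit_eas_oauth(data) or "OK")
```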