Support Tip: Intune Support for iOS 11


By Derrick Isoka | Sr. PM & Andy Cerat | Sr. PM

Updated 9/13 with a comment on modern auth. Updated 9/20 with a known issue with the Apple mail app in iOS 11 and O365. Updated 10/3 with confirmation that 11.0.1 fixes the known client issue. Updated 10/16 with a new known issue.

As announced today, Apple will soon release iOS 11. Through our testing with each beta release, all existing Intune mobile device management (MDM) and Intune App Protection (also known as mobile app management or MAM) scenarios are compatible with this latest version of iOS. Based upon our testing of preview versions, and our experience from past platform updates, please be aware of the following:

  • As with other major platform updates, check app compatibility with your app providers to confirm your users' apps work with iOS 11. You’ll see a What’s new for the app note in the Apple store or in app details online. Some apps provide day 0 support; others update over time. Ensure your users' managed apps that are deployed through Intune have been updated to a version that supports iOS 11. The list of Microsoft applications that support the Intune SDK is provided at the end of this blog post.
  • Encourage your users to update to Intune's latest version of the Company Portal, Managed Browser, and MAM-supported apps. An updated version of the Managed Browser was released to the Apple store in late August. The latest version is required to work with iOS 11.
  • Fixed! See https://support.apple.com/HT208136 for more information. Due to an incompatibility in the new release of iOS, users of the built-in Apple Mail app in iOS 11 may be unable to sync their Office 365 mailbox or log in to their accounts. iOS 9 or iOS 10 users are not affected. Microsoft and Apple are working on a fix. This was also posted in the Office Message Center as post MC119966 and a support KB article is here: https://support.microsoft.com/help/4043473/you-can-t-send-or-reply-from-outlook-com-office-365-or-exchange-2016-i.
  • iOS 11 changes how the "Open in app filtering" functionality works in Intune. Intune MAM-managed apps will encrypt files before transferring data to unmanaged apps.
  • The Outlook Groups app will not be updated to support the iOS 11 changes in the Intune SDK. For more information on the roadmap for Outlook Groups please visit this Office blog here.
  • When signing in to an Exchange account in the iOS Mail app, end-users will see a sign-in prompt hosted in a web view control similar to the sign-in experience on Office mobile apps. End users will no longer receive a quarantine email. Upon enrollment, users are prompted to allow the Mail app to access a certificate. Admins should ensure that conditional access policies are set for mobile client apps on iOS (i.e. apps that support modern authentication). This is in addition to conditional access for Exchange ActiveSync. If you would like more information on this topic, we communicated this in advance in both the Office Message Center (OMC post #MC117271) and included screen shots for you to use in your end-user guidance in What’s New in the UI.
  • With iOS 11, Apple has provided modern authentication (OAuth) to users when manually setting up an Exchange account for the Mail app. However, Exchange profiles set up via MDM will only continue to work with traditional (basic) and certificate-based authentication.
  • The Intune App Wrapping tool for iOS was updated to support iOS 11. As we shared already, iOS 11 requires that previously wrapped LOB apps be rewrapped with the latest Intune App Wrapping tool version. We requested that customers with LOB apps on iOS rewrap their apps through a communication in the Office Message Center back in July - OMC post #MC110419.
  • The Intune App SDK was updated and released to app owners to ensure that Intune managed apps are compatible with iOS 11. Microsoft app teams are working to update apps for compatibility with both Intune and iOS 11.
  • Drag and drop is a new feature in iOS 11. The latest version of the Intune App SDK disables this feature while we design a data containment solution for this new capability.
  • We recommend using the Warning or Blocking by App Version policy setting to help ensure your users are using apps with the latest version of the Intune SDK.
  • The Files App lets you view, preview, organize, store, and share files from iCloud and other cloud-based providers such as OneDrive for Business. Files App is fully supported for OneDrive for Business with your organization's Intune App Protection Policy controls.
  • With the release of iOS 11, Microsoft Intune will end the support of iOS 8. Managed apps and the Company Portal app for iOS will require iOS 9.0 and higher to access company resources. Devices that aren't updated will no longer be able to access the Company Portal or those apps. We communicated about this in both the Office Message Center OMC post #MC108155 and in What’s New.
  • System Center Configuration Manager 1702 and 1706 will support existing scenarios on iOS 11 for hybrid MDM.
  • There’s a new reported known issue we’re working with Apple to resolve. If the device management setting for ‘Viewing corporate documents in unmanaged apps’ is set to 'Block', users may be unable to share unmanaged app data such as photos and contacts through the Messages app.

Below is the current release status of Microsoft apps with the iOS 11 supported SDK.

| App | App Version | Status |
|---|---|---|
| Outlook | 2.37 | Released |
| OneDrive | 9.1 | Released |
| OneNote | 16.4 | Released |
| Word, Excel, PowerPoint | 2.4 | Released |
| Visio Viewer | 1.8 | Released |
| Teams | 1.0.18 | Released |
| Managed Browser | 1.2.5 | Released |
| Skype for Business | 6.17.2 | Released |
| Power BI | 14.0 | Released |
| Yammer | TBD | Expecting Mid-Sept Release |
| Dynamics CRM | TBD | Expecting October Release |

If you have any lessons learned or experience "gotchas" with iOS 11 and Intune, let us know. To contact support, head here.


Comments (18)

  1. John Nestore says:

    With the Intune profile installed, Messages is missing from the iOS share sheet in many locations. Is there a fix for this?

    1. Travis says:

      John, we have the same issue. If you’re using Intune Hybrid Management Authority, what version is your site server at? If it’s 1610, Microsoft advised us that we should not have the same problem on 1702.

      If you wouldn’t mind, what version is your site server?

      1. John Nestore says:

        We are fully online.

    2. Hi John, are you managing ‘open in’ functionality through MDM policy?

      1. John says:

        We are not.
        I just installed iOS 11.1 beta 2 and the functionality seems to be restored.
        Going through Intune reenrollment on iOS 11 temporarily fixed it before it disappeared again, so I’m hopeful this beta proves to be an actual fix.

  2. Pratik says:

    Are there any known issues with Exchange on-premise certificate based authentication?

    1. Pratik, there are no known issues with this but if you are having an issue we encourage you to open a support case so we can assist you with your investigation.

  3. Jim Nordahl says:

    We currently deploy a configuration profile to provision the iOS mail App for our On-prem Exchange users. Will a future Intune update allow us to do the same for Exchange Online mailboxes (w/ modern auth enabled), or will we need to move to certificate authentication?

    1. Jim, currently modern authentication email profiles cannot be deployed over the MDM channel. As Apple adds additional options to the MDM channel, we strive to include the capabilities in the Intune service.

      1. Daniel says:

        Just curious if there have been any updates on enabling OAuth2/Modern Auth support when deploying an email configuration from Intune. Any info would be appreciated.

        1. Daniel, the situation remains the same as before. Apple will have to add this functionality to the MDM channel.

  4. Joel says:

    Any known issues with SCEP certificate enrollment in hybrid 1702 on iOS 11?

    1. Joel, no known issues here, but we encourage you to open a support case if you have an issue so we can assist you with your investigation.

  5. Tom says:

    We use Intune and Apple DEP. Since iOS 11, we have been unable to activate DEP-enrolled phones via Intune. We use ADFS, and we can see in the logs that the authentication request is coming in to our ADFS servers and then going to a domain controller. The domain controller always says the password is bad, even though we’re sure it isn’t. Doesn’t matter what user account we use. Enrolling a non-DEP phone by just logging into Company Portal works fine. Is this a known issue? Anything we can do? Thank you.

    1. Hi Tom! There’s no known issue here that we know of. Please contact support as this may be an ADFS problem.

  6. Amandeep Singh says:

    We are using Hybrid SCCM with Intune, but users on iOS can’t get emails. Devices successfully enrolled.
    We are getting messages on iOS: cannot get email, “The Connection to the Server Failed”

    1. Hi, there – we recommend contacting support – if there’s a settings issue with the Mail Profile, Intune support can help troubleshoot. You can contact support directly by opening a ticket from the Intune on Azure console or through any of the ways here: https://docs.microsoft.com/intune/get-support

  7. Nate Kubenik says:

    Heads up that the following bug has been fixed in iOS 11.1!

    “There’s a new reported known issue we’re working with Apple to resolve. If the device management setting for ‘Viewing corporate documents in unmanaged apps’ is set to ‘Block’, users may be unable to share unmanaged app data such as photos and contacts through the Messages app.”
