Updated 10/10/18 - Outlook (version 9.0.3) and the other Microsoft apps have either shipped with the updated APP SDK or were never affected by the bug. The only app still in testing is Skype for Business.
Updated: 9/20/18 with additional bug details.
Intune App Protection Policies (APP, also known as MAM) introduced a product enhancement that requests the user's PIN when the biometric enrollment on an iOS device changes (TouchID/FaceID), to further protect organizational data. The change introduced a bug that causes Intune APP to detect a biometric change that did not happen and prompt the user with a PIN challenge. The bug produces an extra PIN prompt; it does not skip the check. The spurious challenge occurs only when switching between two APP-managed apps, and only if both apps have adopted an SDK version that contains the bug.
The bug was introduced in the Intune APP SDK for iOS v8.1.0 and is fixed in the Intune APP SDK for iOS v9.0.1. Each app team adopts the new SDK and then runs its app through its own testing and release process, so the fix reaches users app by app. We will update this post when we hear that all of the affected app teams have adopted the new SDK.
The bug is in the detection of biometric changes on iOS. iOS gives each application an opaque representation of the biometric enrollment currently on the device, and that representation is app-specific: two apps on the same device receive different values for the same enrollment. The buggy SDK treated this value as shared across all apps of the same publisher, so it compared the value one app received against the value recorded by another app and concluded that the biometrics had changed. The fix is to treat the representation as app-specific: record it and compare it per app.
Here’s an example of how the bug occurs:
- An end user opens Outlook first thing in the morning and Intune APP prompts for the user's biometric. Intune APP records Outlook's representation of the biometric enrollment in a location shared by the publisher's apps.
- The user takes a long coffee break; the managed apps stay suspended in the background long enough for the inactivity timeout to elapse. The timeout is configured by the "Recheck the access requirements after (minutes)" APP setting.
- The user then opens a different Intune APP-managed application, say OneDrive. Intune APP compares the recorded Outlook representation against the value OneDrive receives, incorrectly concludes that the biometrics have changed, and prompts the user for their PIN. Intune APP then records OneDrive's representation in the shared location.
- The spurious PIN prompt therefore appears only when the inactivity timeout has elapsed and the user then launches a different managed app than the one whose value was last recorded. Relaunching the same app compares like with like and does not prompt.
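To make the bug and the fix concrete, here is an added Swift example. It is not code from the Intune APP SDK or from any of the app teams; it shows how an iOS app can record and compare the per-app biometric representation that the post describes. It uses the public LocalAuthentication API (`LAContext.evaluatedPolicyDomainState`) and, as a stand-in for the "shared location", a `UserDefaults` suite backed by an app group with the hypothetical name `group.example.mam`. The `sharedAcrossPublisher` keying reproduces the bug (every app reads and writes the same record); the `perApp` keying is the fix (the record is keyed by bundle identifier).

```swift
import Foundation
import LocalAuthentication

/// How the stored biometric representation is keyed.
enum StateKeying {
    /// One record for all of the publisher's apps: the bug described above.
    case sharedAcrossPublisher
    /// One record per app bundle identifier: the fix.
    case perApp
}

enum BiometricCheck: Equatable {
    case unavailable   // biometrics not enrolled or not supported on this device
    case firstRun      // nothing recorded yet under this key; record and continue
    case unchanged     // same enrollment this app saw last time
    case changed       // enrollment differs from the stored value; re-challenge
}

final class BiometricChangeDetector {
    private let store: UserDefaults
    private let key: String

    /// `store` is assumed to be a suite shared by the publisher's apps through an
    /// app group (hypothetical group name). With `.sharedAcrossPublisher` every
    /// app compares against whatever app wrote last, so Outlook's value is
    /// checked against OneDrive's. With `.perApp` each app only sees its own.
    init(keying: StateKeying,
         store: UserDefaults = UserDefaults(suiteName: "group.example.mam") ?? .standard,
         bundleID: String = Bundle.main.bundleIdentifier ?? "unknown") {
        self.store = store
        switch keying {
        case .sharedAcrossPublisher: key = "biometricDomainState"
        case .perApp:                key = "biometricDomainState." + bundleID
        }
    }

    /// Opaque blob describing the current TouchID/FaceID enrollment. It is nil
    /// until canEvaluatePolicy has run, and it differs from app to app.
    private func currentDomainState() -> Data? {
        let context = LAContext()
        var error: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                        error: &error) else { return nil }
        return context.evaluatedPolicyDomainState
    }

    /// Compare the live enrollment state with what was recorded under `key`.
    func check() -> BiometricCheck {
        guard let current = currentDomainState() else { return .unavailable }
        guard let recorded = store.data(forKey: key) else { return .firstRun }
        return recorded == current ? .unchanged : .changed
    }

    /// Record the live enrollment state after a successful biometric or PIN prompt.
    func record() {
        guard let current = currentDomainState() else { return }
        store.set(current, forKey: key)
    }
}

// Usage when the app rechecks access requirements after the inactivity timeout.
let detector = BiometricChangeDetector(keying: .perApp)
switch detector.check() {
case .changed:
    // Enrollment really changed for this app: fall back to the PIN, then record().
    break
case .firstRun, .unchanged:
    detector.record()   // a biometric prompt is sufficient
case .unavailable:
    break               // no biometrics: PIN-only path
}
```

Two caveats for anyone adopting this pattern. First, `UserDefaults` is used only to keep the example short; a production SDK would keep the recorded value in the keychain, where a shared keychain access group has exactly the same keying pitfall. Second, the check is only as good as the comparison target: if the stored value can come from another app, a mismatch proves nothing about the device's enrollment, which is why the fix is to scope the record to the bundle identifier rather than to relax the comparison.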