You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Apple mail authentication for Exchange accounts - MacOS and iOS

I've been told by two of my different work accounts (I'm "plural") that they will no longer accept Apple Mail on either MacOS or iOS (or iPadOS) for use with their Exchange mail accounts as none of the Apple native mail apps support AIP. (Azure Information Protection) authentication. Only Microsoft Outlook does but that has a major flaw for me in that it does NOT work with iCloud calendars.

Is there any way to retrofit AIP to Apple Mail apps or when will this, now problematic, constraint be fixed?

Any ideas very welcome.

iPhone 13 Pro

Posted on Mar 9, 2022 5:47 AM

Reply
Question marked as Top-ranking reply

Posted on Mar 9, 2022 3:56 PM

Welcome to the world of enterprise IT, security and data loss prevention. AIP prevents data loss prevention and doesn't have much to do with actual authentication. If they are worried about data loss then they are never going to let you sync Outlook with iCloud Calendars nor Apple Mail. Authentication is handled via either Microsoft Authenticator and some form of Ping, Okta, AzureAD, or other Identity Provider or if an Apple device is managed via the Microsoft Company Portal App. There's a mix of BYOD solutions plus full control MDM - Mobile Device Management that can be employed using Microsoft Intune, JAMF, Vmware Workspace ONE or many other tools that enterprise decides upon.


Things could be locked down to the point of an iPad, iPhone, or Mac being hardly recognizable as an Apple product. As an example, I've witnessed a company owned iPad fully managed by an MDM, missing ALL the Apple things we take for granted. Having only Microsoft Edge, Outlook, Word, Excel, PowerPoint, Office, Teams, OneNote, OneDrive, AIP, Microsoft Company Portal, Zscaler VPN (TLS Inspecting Proxy), Zimperium zIPS. All the Apple Apps hidden and locked down. No copy/paste nor transfer of corporate data into or out of the managed environment. No way to connect to a computer with Lightning nor USB-C. No iCloud backups, etc. If the user wants any additional Apps, they have to request them from IT and the Apps either magically appear on the device or appear as optional installs in the Company Portal App.


There are levels of access when it comes to BYOD (Bring Your Own Device) that have layers of control and privacy. Apple has a wonderful new BYOD MDM capability with federated corporate Apple IDs and the user can have their own Apple ID at the same time and sandbox the work Apps and limit the amount of data collection the employer can accomplish outside of corporate apps. In that case, they cannot even pull the devices serial number. But most companies have yet to adopt these new BYOD MDM features. Other BYOD methods might authenticate you with multi-factor cloud based login and control Apps such as Outlook, etc. but not interfere with personal use.


Bottom line, the moment you let an IT department start managing your device you need to pay attention to just what they have access to if you own the device. Depending on the employer and the technology they employ, your privacy may be at risk.


My opinion? If they are using an MDM Configuration Profile then the device ought to be owned by the employer and not you. I would never install an MDM Configuration Profile on my personally owned devices. If the device is not owned by you then you have no choice


Watch out with two employers both requiring restrictions like this. They will not both be able to manage your device at the same time. It's one or the other not both. You may require more than one device.



1 reply
Question marked as Top-ranking reply

Mar 9, 2022 3:56 PM in response to drtj

Welcome to the world of enterprise IT, security and data loss prevention. AIP prevents data loss prevention and doesn't have much to do with actual authentication. If they are worried about data loss then they are never going to let you sync Outlook with iCloud Calendars nor Apple Mail. Authentication is handled via either Microsoft Authenticator and some form of Ping, Okta, AzureAD, or other Identity Provider or if an Apple device is managed via the Microsoft Company Portal App. There's a mix of BYOD solutions plus full control MDM - Mobile Device Management that can be employed using Microsoft Intune, JAMF, Vmware Workspace ONE or many other tools that enterprise decides upon.


Things could be locked down to the point of an iPad, iPhone, or Mac being hardly recognizable as an Apple product. As an example, I've witnessed a company owned iPad fully managed by an MDM, missing ALL the Apple things we take for granted. Having only Microsoft Edge, Outlook, Word, Excel, PowerPoint, Office, Teams, OneNote, OneDrive, AIP, Microsoft Company Portal, Zscaler VPN (TLS Inspecting Proxy), Zimperium zIPS. All the Apple Apps hidden and locked down. No copy/paste nor transfer of corporate data into or out of the managed environment. No way to connect to a computer with Lightning nor USB-C. No iCloud backups, etc. If the user wants any additional Apps, they have to request them from IT and the Apps either magically appear on the device or appear as optional installs in the Company Portal App.


There are levels of access when it comes to BYOD (Bring Your Own Device) that have layers of control and privacy. Apple has a wonderful new BYOD MDM capability with federated corporate Apple IDs and the user can have their own Apple ID at the same time and sandbox the work Apps and limit the amount of data collection the employer can accomplish outside of corporate apps. In that case, they cannot even pull the devices serial number. But most companies have yet to adopt these new BYOD MDM features. Other BYOD methods might authenticate you with multi-factor cloud based login and control Apps such as Outlook, etc. but not interfere with personal use.


Bottom line, the moment you let an IT department start managing your device you need to pay attention to just what they have access to if you own the device. Depending on the employer and the technology they employ, your privacy may be at risk.


My opinion? If they are using an MDM Configuration Profile then the device ought to be owned by the employer and not you. I would never install an MDM Configuration Profile on my personally owned devices. If the device is not owned by you then you have no choice


Watch out with two employers both requiring restrictions like this. They will not both be able to manage your device at the same time. It's one or the other not both. You may require more than one device.



Apple mail authentication for Exchange accounts - MacOS and iOS

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.