iPadOS and Conditional Access

Apple has announced iPadOS – Release date is 30th September 2019.

In short, this will mean that if iPad updates to IOS 13.1+ OS change to iPadOS. The significant change is that some apps will behave differently. If any CA-policies target macOS it will now apply to iPadOS with the following scenarios:

  • Web application access using Safari browser
  • Apple Native Mail access
  • Native application access that uses Safari View Controller

If you don’t have any CA-policies applied to macOS Platform users will now be able to access company data without being hit by CA on iPadOS or if you block access on macOS then iPadOS will be denied access in above scenarios.

I recommend you make a CA-policies that applies to All Cloud Apps. I will now show you a CA-policy that will only grant access if any device is complaint or MFA is prompted trying to access all cloud apps.

NOTE important that you test any CA-policy before you go in prod.

Prequestion check

  • Microsoft 365 E5 > Microsoft 365 E3 > EM+S E3 > EM+E5 > Intune + Azure AD P1(Conditional access)
  • Compliance policy for each Platform


  • Name = Grant access IF Compliant or MFA ON All Cloud apps, All Platforms
  • Assignment = Test-Group
  • Cloud apps or actions = All Cloud apps
  • Conditions = Device platforms > Any Device & Device State > All device state and exclude Device marked as compliant + Client apps > Configure > Yes > Select > All except “Apply policy only to supported platforms”
  • Grant access = Require multi-factor authentication OR Require Device to be marked as compliant

Microsoft’s recommendations

We recommend that you take the following actions:

  1. Evaluate whether you have browser-based Azure AD CA policies for iOS that govern access from iPad devices. If so, follow these steps:
    1. Create an equivalent macOS Azure AD browser access policy. We recommend that you use the ‘require a compliant device” policy. This policy enrolls your iPad and Mac devices into Microsoft Intune (or JAMF Pro if you have selected that as your macOS management tool) and ensures that browser apps have access only from compliant devices (most secure option). You will also need to create an Intune device compliance policy for macOS.
    2. In the event that you cannot “require a compliant device” for macOS and iPadOS for browser access, ensure that you are “requiring MFA” for such access.
  2. Determine whether a Terms of Use (consent per device)-based Azure AD Conditional Access policy is configured for iOS. If so, create an equivalent policy for macOS.

from https://support.microsoft.com/en-us/help/4521038/action-required-update-conditional-access-policies-for-ipados

Fast Work Around on Supervised IOS Devices

http://devicemanagement.microsoft.com > Device configurations – Profiles > Create Profile > Device restrictions > Enable > input days

Defer software update until you have addressed this new change BUT if you allow BYOD > IOS, then iPadOS will have access in some scenarios. Since you cant defer the update on personal owned devices.

Best practices for Conditional Access in Azure Active Directory





You may also like...