03/05/2023 09:36:00 AM (GMT)
NHSmail Reference : INC35639226
Microsoft Reference : IT549491
Issue Status : RESOLVED
Issue Description : Admins may experience issues within Microsoft Intune with Rapid Security Response version of iOS/iPadOS and macOS.
More Information : Impact in specific scenarios are limited to Apple devices that take the Rapid Security Responses update iOS: 16.4.1 (a) and macOS: 13.3.1 (a) with an alpha “(a)” character in the OS. Examples of impact may include:https://support.apple.com/en-ca/guide/deployment/dep93ff7ea78/webSpecifics for MDM Update controls – https://learn.microsoft.com/mem/intune/protect/software-updates-ios– Admins can’t create new compliance policies to check for the new iOS update which has an “(a)” added to the version string. Existing policy checks are unaffected. – Admins can’t create a policy to block conditional launches based on OS version with the character “(a)” for Mobile Application Management (MAM), is unable to check for the new version and can”t validate whether an application can launch or not. – Enrollment restriction policies may not work as intended with non-numerical character versions for Apple products. – Reports with build-specific values will report OS without the “(a)”. – For Mobile Device Management (MDM) admins can use Intune update controls to set the required version to latest to get the security update. -For Mobile Application Management (MAM), users should update to the latest version when possible while we continue to engineer supported solutions. For more details on the Rapid Security Response update mentioned above, please read the following article:
Final Update : 15/05/2023 08:30:00 AM – Further investigation confirmed that enrollment restrictions don’t support Rapid Security Response, and this functionality isn’t actually impacted by this event. Microsoft have released a fix in SDK version 17.4.2 which will allow blocking and validating conditional launches based on OS version and restores admins” ability to create new compliance policy checks for the new iOS updates when an “(a)” in version string, ultimately resolving MAM impact as it’s integrated in Microsoft apps in the Apple App Store. While their fixes were able to address the bulk of impact outlined in the More info section of this communication, they determined that the problem in which reports with build-specific values will report OS without the “(a)” isn”t yet resolved and will be best treated as independent from this event moving forward. Architectural work is underway to enable this capability, and once information regarding these changes is available, it’ll be provided here: https://aka.ms/intunewhatsnewtoday
Scope of impact : This issue affects any admin attempting to perform the actions outlined in the More info section of this update.
Root cause : Apple recently introduced a change to how their versions are specified, causing a need to change how our originally supported processes work in relation to iOS/iPadOS, and macOS.
Next steps : Microsoft are assessing how their versions are specified so they can ensure compatibility in the way their supported processes interact with iOS/iPadOS and macOS devices and prevent similar future impact.