Impacts to Mobile SSO in Workspace ONE UEM with iOS 13 and iPadOS 13

Note: VMware Workspace ONE Access is the new name for what used to be called VMware Identity Manager (read here for further details). The product will reflect the name change in a coming release. Until the changes are reflected in the product, knowledge base information will continue to reference VMware Identity Manager to ensure consistency.

 

Overview

As part of iOS 13 and iPadOS 13, Apple has introduced two changes that impact Mobile SSO:

  • With iPadOS 13, Apple changed the default behavior of the Safari browser so that it requests the Desktop version of web pages on an iPad rather than the Mobile version. This behavior impacts the Mobile SSO (for iOS) feature in Workspace ONE Access because the iPad identifies itself, via the User-Agent HTTP header, as a macOS device rather than an iOS device.
  • With the native app SDK (WebKit) in iOS 13 and iPadOS 13, Apple provides a new method for native apps to generate the User-Agent string. This new method involves passing in a parameter with one of three values (Desktop, Mobile, or Recommended) as well as a name and version number for the app. Based on the user agent that is passed, here is the impact by default:
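    | iOS Device Type | User agent passed by app | Result                   |
    |-----------------|--------------------------|--------------------------|
    | Any             | Mobile                   | Mobile SSO will work     |
    | iPhone          | Mobile or Recommended    | Mobile SSO will work     |
    | iPad            | Recommended              | Mobile SSO will not work |
    | Any             | Desktop                  | Mobile SSO will not work |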

 

Customer Impact

Existing implementations of Mobile SSO (for iOS) will cease to function for iPads that upgrade to iPadOS 13.

In order for Mobile SSO to work within mobile browsers on iPads upgraded to iPadOS 13, one of the following steps must be taken:

  1. Create a new macOS access policy, or update an existing one, to include Mobile SSO (for iOS) as the first authentication method; this ensures that Mobile SSO (for iOS) is successfully evaluated for iPads on iPadOS 13. For macOS devices, this access policy results in a momentary delay before the next authentication method in the policy chain is evaluated.
    Note: This option requires an upcoming version of VMware Identity Manager scheduled for release later in 2019 for On-Premises deployments. If VMware Identity Manager is deployed as a broker, the primary IdP will also need to be configured to route macOS traffic along with iOS traffic to VMware Identity Manager.
  2. Users can select Request Mobile Site from the font size menu (aA) in Safari
  3. In the Safari settings, the Request Desktop Website option can be turned off
    Note: This setting is turned on by default on iPad

Note: We have requested that Apple allow setting the Request Desktop Website option via Workspace ONE UEM. Customers should reach out to Apple directly as well if they would like the functionality.

If Mobile SSO is impacted by the user agent passed by the native app, there are a few ways to remediate the situation:

  • App developers should use Mobile for the user agent and design a UI that works well for all iOS devices including large form-factor devices such as the iPad.
  • If the app is sending Recommended for the user agent, then consider having users navigate to Safari settings and turn off Request Desktop Site when using an iPad.  
  • If the app is sending Desktop for the user agent, then an option is to create an authentication policy for macOS device types as detailed in step 1 above.
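
The following added example (not VMware code, and not part of the original article) models why an iPad that sends a desktop User-Agent is evaluated against the macOS access policy, and how listing Mobile SSO (for iOS) first in that policy, as in step 1 above, restores SSO while real Macs fall through to the next method. The classifier, the policy dictionaries, the "Password" fallback method and the sample User-Agent strings are assumptions made for illustration.

```python
import re

# Constructed sample User-Agent strings (Safari 13 shapes; versions are illustrative).
UA_IPHONE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_1 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1")
UA_IPAD_MOBILE = ("Mozilla/5.0 (iPad; CPU OS 13_1 like Mac OS X) AppleWebKit/605.1.15 "
                  "(KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1")
# iPadOS 13 Safari default (Request Desktop Website on): looks like a Mac.
UA_DESKTOP = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/13.0 Safari/605.1.15")

def device_type(user_agent):
    """Hypothetical User-Agent classifier; not Workspace ONE Access's actual logic."""
    if re.search(r"\((iPhone|iPad|iPod)[;)]", user_agent):
        return "iOS"
    if "Macintosh" in user_agent:
        return "macOS"
    return "other"

# Policy model: device type -> ordered authentication methods.
# "Password" is a placeholder for whatever method follows in the chain.
BEFORE = {"iOS": ["Mobile SSO (for iOS)", "Password"], "macOS": ["Password"]}
AFTER = {"iOS": ["Mobile SSO (for iOS)", "Password"],
         "macOS": ["Mobile SSO (for iOS)", "Password"]}

def authenticate(policies, user_agent, is_managed_ios_device):
    """Walk the chain for the matched device type; return the first method that succeeds."""
    for method in policies.get(device_type(user_agent), ["Password"]):
        if method == "Mobile SSO (for iOS)":
            # Assumption: only a managed iOS/iPadOS device can complete this method.
            if is_managed_ios_device:
                return method
            continue  # a real Mac fails here and falls through to the next method
        return method
    return None

def demo():
    """Return (label, detected type, method before, method after) for each sample client."""
    clients = [("iPhone", UA_IPHONE, True), ("iPad, mobile site", UA_IPAD_MOBILE, True),
               ("iPad, desktop site", UA_DESKTOP, True), ("Mac", UA_DESKTOP, False)]
    return [(label, device_type(ua), authenticate(BEFORE, ua, managed),
             authenticate(AFTER, ua, managed)) for label, ua, managed in clients]

if __name__ == "__main__":
    for row in demo():
        print("%-20s type=%-6s before=%-22s after=%s" % row)
```

Because the iPad and the Mac present the same User-Agent in this model, the policy change applies to both, and only the outcome of the Mobile SSO attempt tells them apart.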
