Salesforce Mobile Apps on iOS & Microsoft Intune Incompatibility

Publish Date: Apr 9, 2026
Description

Microsoft Intune is a Mobile Device Management (MDM) solution. When used with iOS devices, it may conflict with Salesforce Mobile App authentication.

 

Customers using Microsoft Intune as their Mobile Device Management (MDM) solution for iOS devices report that their users are unable to log in to the Salesforce Mobile App or Salesforce Field Service Mobile App.

 

The authentication process fails because Intune's security policies are configured to require the use of the Microsoft Edge browser for all authentication flows. The Salesforce mobile apps, following Apple's platform requirements, use the native iOS web authentication service, which is based on Safari. This creates a direct policy conflict, blocking login.

 

This issue is not a bug in the Salesforce Mobile App. It is a fundamental incompatibility between Microsoft's Intune policy enforcement and Apple's iOS security architecture. Salesforce is positioned between these two differing vendor philosophies.

 

Microsoft Intune is a Mobile Device Management (MDM) solution that allows IT administrators to manage and secure corporate devices and apps. When Intune is configured to require Microsoft Edge for all authentication flows, it conflicts with Apple's iOS security model, which requires all apps to use the native ASWebAuthenticationSession API — a service tied to Safari and its underlying WebKit engine. Apple does not allow app developers to substitute a third-party browser for this secure authentication session.

 

A. Apple's iOS Security Model:

  • For secure, in-app browser-based authentication, Apple requires all applications to use their native ASWebAuthenticationSession API.
  • This API is a core part of the iOS operating system and is fundamentally tied to Safari and its underlying WebKit engine.
  • Critically, Apple does not provide a mechanism for app developers (like Salesforce) to choose an arbitrary third-party browser (like Microsoft Edge or Firefox) to handle this secure authentication session.
  • This is a deliberate security and platform control decision by Apple to ensure a consistent, trusted, and secure authentication experience managed by the operating system itself.
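What the native flow looks like from an app developer's side, as an added example (not Salesforce's code and not part of the original article). The class name, authorize URL, client ID placeholder and `exampleapp` callback scheme are assumptions made for illustration; the point is that none of the inputs an app passes to `ASWebAuthenticationSession` selects a browser.

```swift
import AuthenticationServices
import UIKit

// Hypothetical coordinator; the URL, client_id placeholder and "exampleapp"
// callback scheme are constructed for illustration.
final class LoginCoordinator: NSObject, ASWebAuthenticationPresentationContextProviding {
    private let window: UIWindow
    private var session: ASWebAuthenticationSession?  // strong reference while the sheet is shown

    init(window: UIWindow) {
        self.window = window
        super.init()
    }

    // The only presentation choice the app makes: which window hosts the system sheet.
    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        window
    }

    func startLogin(completion: @escaping (URL?, Error?) -> Void) {
        var components = URLComponents(string: "https://login.example.com/oauth2/authorize")!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: "CLIENT_ID_PLACEHOLDER"),
            URLQueryItem(name: "redirect_uri", value: "exampleapp://callback"),
        ]
        guard let authorizeURL = components.url else { return completion(nil, URLError(.badURL)) }

        // Inputs the app controls: the start URL, the callback scheme, the handler.
        // No parameter names a browser; the OS presents its own Safari-based sheet.
        let session = ASWebAuthenticationSession(
            url: authorizeURL,
            callbackURLScheme: "exampleapp"
        ) { callbackURL, error in
            // error is ASWebAuthenticationSessionError.canceledLogin if the user dismisses the sheet
            completion(callbackURL, error)
        }
        session.presentationContextProvider = self
        // Optional: do not share cookies with the user's regular Safari session.
        session.prefersEphemeralWebBrowserSession = true
        self.session = session
        if !session.start() {
            completion(nil, URLError(.cancelled))
        }
    }
}
```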

B. Microsoft's Intune MDM Policy:

  • Microsoft Intune allows administrators to create security policies that force all managed applications to use Microsoft Edge for authentication.
  • This policy is intended to ensure that all web traffic related to corporate data is funneled through Microsoft's managed browser environment.
  • This "require Edge" policy is a specific choice by Microsoft. Other MDM providers do not enforce a similar single-browser requirement and instead are compatible with Apple's native ASWebAuthenticationSession.

C. Salesforce's Position: Trust is Our #1 Value

  • At Salesforce, Trust is our most important value. We build our products, including the Salesforce Mobile App, in close partnership with platform providers like Apple, adhering strictly to their security best practices and official APIs.
  • Bypassing Apple's recommended ASWebAuthenticationSession to build a custom, non-standard workaround that forces authentication through Edge would introduce significant and unnecessary security risks. Such a workaround would be fragile, difficult to maintain, and would not be supported or vetted by Apple.
  • While we are aware that some other app providers may have implemented such workarounds, Salesforce will not compromise our security posture or violate platform guidelines. The potential for security vulnerabilities is too high. Therefore, we will not be building a custom workaround to support this Microsoft-specific MDM configuration.
Resolution

Customers have three primary paths to resolve this issue. The first two are long-term industry change requests, while the third provides immediate, actionable solutions.

 

Path 1: Petition Microsoft

  • Customers can request that Microsoft enhance its Intune MDM for iOS to be compatible with Apple's native ASWebAuthenticationSession. This would align Intune with other MDM providers and resolve the conflict for all apps, not just Salesforce.

Path 2: Petition Apple

  • Customers can request that Apple enhance iOS to allow ASWebAuthenticationSession to work with other trusted, user-designated browsers, similar to how the Android operating system functions.

Path 3: Create an Intune Policy Exception & Apply Compensating Controls (Recommended)

  • This is the most immediate and practical solution. The customer's Intune administrator can create an exception in their security policy that specifically allows the Salesforce Mobile App to authenticate using the native iOS flow without being blocked.
  • To address any perceived security gap from this exception, the customer can and should implement one or more of the following compensating controls:

  • Certificate-Based Authentication (Most Secure): The MDM can provision a unique, trusted device certificate onto all managed iOS devices. The customer's SSO provider (e.g., Okta, Azure AD) can then be configured to require this certificate upon login. This ensures that even though the login isn't forced through Edge, the device itself is cryptographically verified as being managed and trusted by the company. This is the industry-standard best practice and is how Salesforce secures its own employee devices.
  • Salesforce Mobile App Plus: For customers who require enhanced Mobile Application Management (MAM) without a full MDM solution, this SKU provides additional security features to enforce policies directly within the Salesforce app itself.
  • Standard Salesforce Mobile Security: The base Salesforce app includes numerous security features that help secure customer data.
Additional Resources

Q: Other apps on our devices work with Intune's Edge requirement. Why can't Salesforce?

A: Any app that accommodates this Intune policy on iOS has built a custom, non-standard authentication workaround that bypasses Apple's recommended security frameworks. Salesforce prioritizes security and adherence to platform standards and will not adopt these methods due to the inherent risks.

 

Q: Is Salesforce planning to add support for Edge on iOS in a future release?

A: No. Due to the security risks and Apple's platform restrictions, building a custom workaround is not on our product roadmap. Our development efforts are focused on solutions that benefit all customers and align with industry security best practices, such as the upcoming App Attestation feature. App Attestation is planned to be adopted by Salesforce mobile apps during FY27 and will assure the mobile app has not been tampered with, further providing compensating security controls.

 

Q: Why does the authentication fail within the app but succeed in the standalone Safari browser?

A: Unfortunately, we only control the Salesforce mobile apps. Authentication is a complex interplay between the mobile app, the customer's Identity Provider (SSO), the MDM solution, the mobile operating system, and so on. We are not able to provide guidance on issues outside of what we control at Salesforce, which is the mobile app.
Knowledge Article Number

005225693

 
Salesforce Help | Article