User impact: Admins may have experienced issues within Microsoft Intune with Rapid Security Response version of iOS/iPadOS and macOS.

More info: Impact was specific to Apple devices compatible with the Rapid Security Response updates including iOS version16.4.1 (a) and macOS version 13.3.1 (a). Examples of identified impact included:

– Admins may have been unable to create new compliance policies to check for the new iOS update with an “(a)” added to the version string. Existing policy checks were unaffected.

– Admins may have been unable to create a policy to block conditional launches based on OS version with the character “(a)” for Mobile Application Management (MAM) and were unable to check for the new version or validate whether an application can launch or not. 

– Reports with build-specific values will continue to report OS without the “(a)”. This issue will be addressed as a separate issue moving forward. Architectural work is underway to enable this capability. Check aka.ms/intunewhatsnewtoday for when reports are made available.

For Mobile Device Management (MDM) admins could have used Microsoft Intune compliance policies to set the required version to the latest to enforce the security update.

In order to set an Apple Rapid Security Response build as the minimum or maximum OS build in an Intune compliance policy for iOS/iPadOS or macOS, admins could have included the supplemental build version in the Minimum OS build version or Maximum OS build version in the policies.

Example value for iOS: 20E772520a
Example value for macOS: 22E772610a

For more details on the Rapid Security Response update mentioned above, please read the following article: support.apple.com/en-ca/guide/deployment/dep93ff7ea78/web

Final status: Further investigation confirmed that enrollment restrictions don’t support Rapid Security Response, and this functionality isn’t actually impacted by this event. We released a fix in SDK version 17.4.2 which will allow blocking and validating conditional launches based on OS version and restores admins’ ability to create new compliance policy checks for the new iOS updates when an “(a)” in version string, ultimately resolving MAM impact as it’s integrated in Microsoft apps in the Apple App Store. An example of this is Outlook app version 4.2316.1. While our fixes were able to address the bulk of impact outlined in the More info section of this communication, we determined that the problem in which reports with build-specific values will report OS without the “(a)” isn’t yet resolved and will be best treated as independent from this event moving forward. Architectural work is underway to enable this capability, and once information regarding these changes is available, it’ll be provided here: aka.ms/intunewhatsnewtoday 

Scope of impact: This issue may have impacted any admin attempting to perform the actions outlined in the More info section of this update.

Start time: Monday, May 1, 2023, at 12:00 AM UTC

End time: Friday, May 12, 2023, at 11:45 AM UTC

Root cause: Apple recently introduced a change to how their versions are specified, causing a need to change how our originally supported processes work in relation to iOS/iPadOS, and macOS.

Next steps:
– We’re assessing how our versions are specified so we can ensure compatibility in the way our supported processes interact with iOS/iPadOS and macOS devices and prevent similar future impact.

This is the final update for the event.