Forum Discussion
dawahby
Microsoft
Microsoft<Conditional access> LOB Application No SaaS Gallery App - Require device to be marked as compliant
Customer has a LOB Application (No SAS Gallery). I created the application on Enterprise Applications, based on its URL. I created a CA rule for that Cloud App enforcing MFA if the device is not co...
dawahbyMicrosoft
MicrosoftThanks pvanberlo for answering. We have the default setting on:
"This setting determines how Intune treats devices that haven't been assigned a device compliance policy. This setting has two values:
Compliant (default): This security feature is off. Devices that aren’t sent a device compliance policy are considered compliant.
Not compliant: This security feature is on. Devices that haven’t received a device compliance policy are considered noncompliant."
Source: https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
"This setting determines how Intune treats devices that haven't been assigned a device compliance policy. This setting has two values:
Compliant (default): This security feature is off. Devices that aren’t sent a device compliance policy are considered compliant.
Not compliant: This security feature is on. Devices that haven’t received a device compliance policy are considered noncompliant."
Source: https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
Then I suppose that it theoretically should just work as expected. A lot of the functionality depends on the app sending the right information, like a proper user agent string to determine type of device and so on. Can't really say if this is expected behaviour or not, I would say that from a "high level view", one would expect it to work because that's exactly why you can use a CA policy with device state as a signal. Sorry I can't provide more help here!