Forum Discussion

RonaldvdMeer
Iron Contributor
Mar 26, 2020

Problem with Conditional Access rule Use app-enforced Restrictions for browser access.

I have a problem with a Conditional Access rule called:
Use app-enforced Restrictions for browser access.
 
I can't get it to work properly. I followed all the documentation I could find, but it doesn't work.
 
In the conditions I have set the following.
1. Locations: all locations, excluding trusted locations.
2. Client apps: I selected Browser and Other Clients.
3. Device state: All device state, excluding devices marked compliant.
 
Under access control I selected Use app enforced restrictions.
 
The weird thing is that this Conditional Access rule does function as expected on a compliant Mac but not on Windows 10 devices.
 
In the sign-in logs I noticed the following.
 
When I log in on a Mac with, for example, the Chrome browser, all fields in Device Info of the sign-in logs, such as Compliant, are filled with info. But when I sign in from any browser on a compliant Windows 10 device, only the fields Browser and Operating System are filled.
 
I somehow get the feeling that because of missing info in the device info, the Conditional Access rule thinks that the Windows 10 device is not compliant.
 
In Google Chrome I have the Windows 10 Accounts extension, and in Edge I am signed in.
  • Unfortunately I have a client with the exact same issue, already on two devices. After opening a case with Intune support, it got closed eventually because the MFA device state is (still) in preview.

    The user is currently using Chrome as a workaround to make sure app enforced restrictions are not applied.
