cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

<Conditional access> LOB Application No SaaS Gallery App - Require device to be marked as compliant

David Wahby
Microsoft

‎Jul 20 2021 03:15 AM

‎Jul 20 2021 03:15 AM

<Conditional access> LOB Application No SaaS Gallery App - Require device to be marked as compliant

Customer  has a LOB Application (No SAS Gallery).  I created the application on Enterprise Applications, based on its URL. I created a CA rule for that Cloud App enforcing MFA if the device is not compliant.

 

The affected device has been enrolled and it is compliance (Intune view).

 

Customer is  accessing the cloud app with a client mobility app (IBM Cognos available in Google Play Store) but this client app is not sending any info to the CA rule to evaluate its state.

 

First: is this scenario supported?

Second: if it is, What would be the best approach to achieve the goal?

 

Thanks and Best Regards

David Wahby

Senior CE

Microsoft Corporation

 

Labels:
2,193 Views
0 Likes
3 Replies
Reply
3 Replies
pvanberlo

‎Jul 20 2021 06:20 AM

‎Jul 20 2021 06:20 AM

Re: <Conditional access> LOB Application No SaaS Gallery App - Require device to be marked as

Device compliance (which is the condition you're basing the CA policy on) requires the device to be enrolled into MDM and device compliance policies should be configured. Based on your post, I do not see if this is the case?
0 Likes
Reply
David Wahby

‎Jul 21 2021 03:37 AM

‎Jul 21 2021 03:37 AM

Re: <Conditional access> LOB Application No SaaS Gallery App - Require device to be marked as

Thanks @pvanberlo for answering. We have the default setting on:

"This setting determines how Intune treats devices that haven't been assigned a device compliance policy. This setting has two values:

Compliant (default): This security feature is off. Devices that aren’t sent a device compliance policy are considered compliant.
Not compliant: This security feature is on. Devices that haven’t received a device compliance policy are considered noncompliant."

Source: https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
0 Likes
Reply
pvanberlo

‎Jul 21 2021 03:51 AM

‎Jul 21 2021 03:51 AM

Re: <Conditional access> LOB Application No SaaS Gallery App - Require device to be marked as

Then I suppose that it theoretically should just work as expected. A lot of the functionality depends on the app sending the right information, like a proper user agent string to determine type of device and so on. Can't really say if this is expected behaviour or not, I would say that from a "high level view", one would expect it to work because that's exactly why you can use a CA policy with device state as a signal. Sorry I can't provide more help here!
1 Like
Reply