<Conditional access> LOB Application No SaaS Gallery App - Require device to be marked as compliant


Customer has a LOB Application (No SaaS Gallery). I created the application on Enterprise Applications, based on its URL. I created a CA rule for that Cloud App enforcing MFA if the device is not compliant.

The affected device has been enrolled and it is compliant (Intune view).

Customer is accessing the cloud app with a client mobility app (IBM Cognos, available in the Google Play Store), but this client app is not sending any info to the CA rule to evaluate its state.

First: is this scenario supported?

Second: if it is, what would be the best approach to achieve the goal?

Thanks and Best Regards

David Wahby

Senior CE

Microsoft Corporation

3 Replies

Device compliance (which is the condition you're basing the CA policy on) requires the device to be enrolled into MDM and device compliance policies should be configured. Based on your post, I do not see if this is the case?

Thanks @pvanberlo for answering. We have the default setting on:

"This setting determines how Intune treats devices that haven't been assigned a device compliance policy. This setting has two values:

Compliant (default): This security feature is off. Devices that aren’t sent a device compliance policy are considered compliant.
Not compliant: This security feature is on. Devices that haven’t received a device compliance policy are considered noncompliant."

Source: https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started

Then I suppose that it theoretically should just work as expected. A lot of the functionality depends on the app sending the right information, like a proper user agent string to determine type of device and so on. Can't really say if this is expected behaviour or not, I would say that from a "high level view", one would expect it to work because that's exactly why you can use a CA policy with device state as a signal. Sorry I can't provide more help here!
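The thread leaves three things to verify: how the "MFA unless compliant" policy is expressed, what the tenant does with devices that have no compliance policy assigned, and whether the client app actually presents a device identity at sign-in so that CA has something to evaluate. The following is an added example written for this page with the Microsoft Graph PowerShell SDK; it is not code from the thread, from Microsoft, or from IBM. It assumes the Enterprise Application is named "Contoso Cognos" and uses a placeholder group id; the policy is created in report-only mode so nothing is blocked while you inspect the outcome. The `secureByDefault` property is, to my knowledge, what backs the "Mark devices with no compliance policy assigned as" setting quoted above; confirm against the current Graph reference.

```powershell
# Added example, not part of the original thread. Requires the Microsoft.Graph PowerShell SDK.
# Assumptions: the non-gallery app is named "Contoso Cognos"; the pilot group id is a placeholder.
$AppDisplayName = "Contoso Cognos"
$PilotGroupId   = "00000000-0000-0000-0000-000000000000"   # placeholder group id

$scopes = @(
    "Policy.ReadWrite.ConditionalAccess",
    "Application.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "AuditLog.Read.All"
)
Connect-MgGraph -Scopes $scopes

# 1. Resolve the custom (non-gallery) app. CA policies target the service
#    principal's appId, not its object id.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName'" }

# 2. "Require MFA unless the device is compliant" is two grant controls joined
#    with OR. Report-only mode records the decision in sign-in logs without
#    enforcing it, which is the safe way to validate a device-state policy.
$policy = @{
    displayName = "LOB: require compliant device or MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @($sp.AppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in report-only mode"

# 3. Tenant default for devices that have no compliance policy assigned.
#    false = such devices count as compliant (the default quoted in the thread);
#    true  = they count as noncompliant.
$dm = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement?`$select=settings"
"secureByDefault = $($dm.settings.secureByDefault)"

# 4. Compliance state as Intune records it, so the portal view can be compared
#    with what CA will see for the same device.
Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, OperatingSystem, ComplianceState, ManagementAgent |
    Format-Table

# 5. The decisive check for the symptom described above: did the client app
#    present a device identity at sign-in? An empty DeviceId means CA had no
#    device to evaluate, so the compliant-device control can never be satisfied
#    and the OR falls through to the MFA control.
Get-MgAuditLogSignIn -Filter "appId eq '$($sp.AppId)'" -Top 20 |
    ForEach-Object {
        [pscustomobject]@{
            When        = $_.CreatedDateTime
            User        = $_.UserPrincipalName
            ClientApp   = $_.ClientAppUsed
            DeviceId    = $_.DeviceDetail.DeviceId
            IsCompliant = $_.DeviceDetail.IsCompliant
            IsManaged   = $_.DeviceDetail.IsManaged
            ErrorCode   = $_.Status.ErrorCode
        }
    } | Format-Table
```

Read step 5 first when troubleshooting: if the rows for the mobile client show an empty DeviceId while the same user's browser or Outlook sign-ins show one, the app is not presenting the device identity and no amount of policy tuning on the Intune side will change what CA sees. Once the report-only results look right for the pilot group, switch `state` to `enabled` on the policy.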