Problem with Conditional Access rule Use app-enforced Restrictions for browser access.

I have a problem with a conditional Access rule called:
Use app-enforced Restrictions for browser access.
 
I can't get it to work properly. I followed all the documentation I could find, but it doesn't work.
 
In the conditions I have set the following:
1. Locations: all locations, excluding trusted locations.
2. Client apps: I selected Browser and Other clients.
3. Device state: all device state, excluding devices marked compliant.
 
Under access control I selected Use app enforced restrictions.
 
The weird thing about this Conditional Access rule is that it does function as expected on a compliant Mac but not on Windows 10 devices.
 
In the sign-in logs I noticed the following.
 
When I log in on a Mac with, for example, the Chrome browser, all fields in Device Info of the sign-in logs, such as Compliant, are filled with info. But when I sign in from any browser on a compliant Windows 10 device, only the fields Browser and Operating System are filled.
 
I somehow get the feeling that, because of the missing info in the device info, the Conditional Access rule thinks that the Windows 10 device is not compliant.
 
In Google Chrome I have the Windows 10 Accounts extension, and in Edge I am signed in.
Is this device fully enrolled into Intune?
If you log into an Office app like Outlook, does this show correctly?
No, it doesn't.

But when I look at the device, Hardware under Monitor, and look at the Conditional Access properties, I see this.


3/27/2020, 8:32:06 AM
Conditional access

Activation lock bypass code
Azure AD registered Yes
Compliance Compliant
EAS activated Yes
EAS activation ID ***********************
EAS activation time 16-12-2019 1:56:19 p.m.
Supervised No
Encrypted Yes

But this is an iOS device, not a Windows device?
Have you tested with a different device?

If you run the command dsregcmd /status, you can find the deviceID.
Does this correspond with the device you have in Azure AD?

@Thijs Lecomte 

 

Yes, I tested it on another device and there it works as expected.

The device ID I got from dsregcmd is the same as in Azure.

 

I'd like to know why this particular device doesn't show the device info properly and how to fix it, without resetting the device. I have had two other devices with the same issue.

 

If you run the dsregcmd /status command, what does the 'device state' say?
Please share the entire Device State bit.

EnterpriseJoined : x
AzureADJoined: x
...

@Thijs Lecomte 

 

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO

That looks good...

If you try using the 'old' Edge or IE, does it report back then?

@Thijs Lecomte 

 

Same result.

Only Operating System and Browser version are reported back.

Are you logged in with a local user or an AAD user?

@Thijs Lecomte 

 

I always log in as an AAD user. Our devices do not have a local account.

@RonaldvdMeer It seems that something is wrong with the AAD registration, as no Device ID is sent, and without that the compliance status isn't checked (and fails).

You should compare the outcome of dsregcmd /status, as Thijs says, from a working Windows device with a non-working one. See if there is a difference which can point you in the right direction.

You can also try

dsregcmd /leave

dsregcmd /join

Restart the laptop and try again.
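As an added example (not code from any poster in this thread), here is a small PowerShell script that does the comparison Peter describes: it parses `dsregcmd /status` into a table, compares the YES/NO state flags against output saved from a working device, and flags the registration fields a missing Device ID in the sign-in log usually points at. The script assumes dsregcmd.exe is on PATH and emits the `Name : Value` lines shown above; the field names DeviceId, AzureAdPrt and TenantId are taken from the tool's normal output, not from this thread.

```powershell
# Added example, not part of the original thread.
# Assumes: dsregcmd.exe on PATH; output lines in "Name : Value" form as shown
# in the thread. DeviceId / AzureAdPrt are fields dsregcmd prints under
# "Device Details" and "SSO State" (assumption: your build prints them too).

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # Only "Name : Value" lines carry data; the "+----+" rules and
        # section banners ("| Device State |") contain no "Name :" prefix.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $status
}

function Test-DsregStatus {
    param([hashtable]$Status)
    $findings = @()
    if ($Status['AzureAdJoined'] -ne 'YES') {
        $findings += 'AzureAdJoined is not YES: the device is not Azure AD joined'
    }
    if (-not $Status['DeviceId']) {
        $findings += 'No DeviceId reported: Azure AD cannot match this device to its device object'
    }
    if ($Status['AzureAdPrt'] -ne 'YES') {
        $findings += 'AzureAdPrt is not YES: no Primary Refresh Token, so browser sign-ins carry no device state'
    }
    return $findings
}

# Parse the local device's state.
$local = ConvertFrom-DsregStatus (dsregcmd /status)

# Optional: pass the path of output saved on a working device
# (on that device run:  dsregcmd /status > working.txt).
if ($args.Count -gt 0 -and (Test-Path $args[0])) {
    $good = ConvertFrom-DsregStatus (Get-Content $args[0])
    $keys = @($good.Keys) + @($local.Keys) | Sort-Object -Unique
    foreach ($key in $keys) {
        # Only compare YES/NO state flags; identifiers such as DeviceId and
        # Thumbprint are expected to differ between two devices.
        if ($good[$key] -match '^(YES|NO)$' -and $good[$key] -ne $local[$key]) {
            "{0,-28} working={1,-4} this={2}" -f $key, $good[$key], $local[$key]
        }
    }
}

# Report the registration findings for the local device.
$issues = Test-DsregStatus $local
if ($issues.Count -eq 0) { 'Registration state looks healthy' } else { $issues }
```

Run it as `.\Compare-DsregStatus.ps1 .\working.txt` from an elevated prompt on the non-working device; a flag that reads YES on the working device and NO here, or an empty DeviceId, is where to start looking before falling back to dsregcmd /leave and /join.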

@Peter Klapwijk 

I will do that next Monday. I am working from home right now due to..... You know.

I will roll out a new device. See what happens. 

 

I will get back to you next Monday

@Peter Klapwijk 

I did not see any difference between the dsregcmd status of a working device and the device that didn't work.

dsregcmd /leave did work,

but dsregcmd /join didn't; I got the message "failed to complete task".

The only option left after that was a clean install of the device.

After complete rollout of the device the conditional access rules work as expected.

So the problem is solved, although I am curious how this could have happened.